tech-security archive


Re: cgd and remote keys



On 1199411587 seconds since the Beginning of the UNIX epoch
Curt Sampson wrote:
>

>On 2007-12-31 17:16 +0000 (Mon), David Holland wrote:
>
>> This suggests that the mechanism inside cgdconfig should maybe be a
>> simple callout, so that different key-fetching scripts can be used.
>
>On 2007-12-31 22:39 +0100 (Mon), Hubert Feyrer wrote:
>
>> Maybe use a command that prints the key to stdout, then use something like 
>> "ssh server cat keyfile"?
>
>Ah, now this idea makes good sense; just add to cgdconfig a keying
>scheme that uses the result of an arbitrary shell command as the key
>material. Then you could use ftp(1), ssh(1), netcat(1), or whatever else
>you liked. You could even use Alan Barrett's idea of starting a web
>server that waits for someone to enter the key.
>
>Is there any downside to this?

I had been meaning to put a callout mechanism in there for quite some
time.  I just did.

My original thought was to use GSSAPI but that unfortunately doesn't
have the forward secrecy properties that I desired.

The callout mechanism just popen(3)s a specified command and reads
stdout from it as a bag of bits.  This gives you the flexibility
to do what you like as well as combine said bag of bits with the
other bags of bits that the other keygen mechanisms give you...

--
    Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/

