What mechanisms does ssh-agent use to keep unlocked private keys secure in memory?
https://stackoverflow.com//questions/9650410
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I'm working on a library to make quick access to KeepassX database files easier for power users. Right now the application is so short-lived in memory that security around the unencrypted KeePass database is not a huge concern.
However, I'd like to add the ability to hold the database unlocked for a period of time in the background, similar to the way the KeepassX GUI does. This would allow immediate query of passwords without being prompted for the master password. This means there would be sort of daemon process that holds the database in memory and communicates with a client.
It seems that the security implications of this are similar to that of ssh-agent, and I'm wondering if anyone 'round these parts is familiar with how that project approaches the long-term secure storage of sensitive data (namely, unlocked SSH private keys).
Solution
Perhaps this will help: Man: mlock(2)
Note that UNIX domain sockets are somewhat more secure then Internet domain sockets since they can only be reached from local host and access to them can be further constrained to specific users and groups (using chown and chgrp and, of course, chmod).
