What mechanisms does ssh-agent use to keep unlocke

2020-07-23 06:04发布

问题:

I'm working on a library to make quick access to KeepassX database files easier for power users. Right now the application is so short-lived in memory that security around the unencrypted KeePass database is not a huge concern.

However, I'd like to add the ability to hold the database unlocked for a period of time in the background, similar to the way the KeepassX GUI does. This would allow immediate query of passwords without being prompted for the master password. This means there would be sort of daemon process that holds the database in memory and communicates with a client.

It seems that the security implications of this are similar to that of ssh-agent, and I'm wondering if anyone 'round these parts is familiar with how that project approaches the long-term secure storage of sensitive data (namely, unlocked SSH private keys).

回答1:

Perhaps this will help: Man: mlock(2)

Note that UNIX domain sockets are somewhat more secure then Internet domain sockets since they can only be reached from local host and access to them can be further constrained to specific users and groups (using chown and chgrp and, of course, chmod).