dropbear and new host keys?

Matt Johnston matt at ucc.asn.au
Mon Dec 16 22:16:59 AWST 2019


> On Fri 13/12/2019, at 2:14 am, Joakim Tjernlund <Joakim.Tjernlund at infinera.com> wrote:
> 
> On Thu, 2019-12-12 at 18:34 +0100, Hans Harder wrote:
>> 
>>> The bigger issue here is why not reread keys at every new session? That seems like the right thing to do in any case?
>> 
>> Performance...

I don't _think_ there would be any performance problem reloading key files for each session - compared with the key exchange it's not compute intensive. It's better to keep it simple rather than introduce cache invalidation by file timestamps where it isn't needed. I'd been considering moving non-inetd dropbear to use fork/self-exec instead of plain fork() for improved address space randomisation; that would probably require loading keys each time too.

That said, if I were in the same situation I'd just run "kill `cat /var/run/dropbear.pid`; service dropbear start" or similar when writing keyfiles - job done.

Cheers,
Matt
