dropbear and new host keys?

Joakim Tjernlund Joakim.Tjernlund at infinera.com
Fri Dec 20 00:29:20 AWST 2019


On Mon, 2019-12-16 at 22:16 +0800, Matt Johnston wrote:
> 
> > On Fri 13/12/2019, at 2:14 am, Joakim Tjernlund <Joakim.Tjernlund at infinera.com> wrote:
> > 
> > On Thu, 2019-12-12 at 18:34 +0100, Hans Harder wrote:
> > > >  The bigger issue here is why not reread keys at every new session? That seems like the right thing to do in any case?
> > > 
> > > Performance...
> 
> I don't _think_ there would be any performance problem reloading key files for each session - compared with the key exchange it's not compute intensive. It's better to keep it simple rather than introduce cache invalidation by file timestamps where it isn't needed. I'd been considering moving non-inetd dropbear to use fork/self-exec instead of plain fork() for improved address space randomisation, that would probably require loading keys each time too.
> 
> That said if I were in the same situation I'd just run "kill `cat /var/run/dropbear.pid`; service dropbear start" or similar when writing keyfiles - job done.
> 

Well, these days people want to regen both host keys and certificates every now and then. I think the community would appreciate
it if dropbear picked up new keys automatically without being forced into an inetd model. You already have an option to generate keys
on the fly (-R).

 Jocke