Tuesday, September 26, 2017

mod ssl - is it possible to use KeyChain / ssh-agent with apache?



There are lots of questions (and duplicates) on serverfault asking how to restart Apache without the passphrase prompt.
Two solutions are proposed:

  • removing the password from the key
  • the Apache directive that supplies the passphrase to Apache (SSLPassPhraseDialog)

This question is not a duplicate of the following one, which deals with the two answers described above:
SSL password on apache2 restart



For me it is the same level of security, not necessarily a bad one, but often a bad one.



I'm wondering if it is possible to use KeyChain and an ssh-agent to avoid storing either a key without a password or a password in clear text in a file, or if there are other alternatives.



This would allow restarting Apache without a passphrase, unless of course the server is rebooted.




Has anybody successfully implemented it?


Answer



No, unfortunately this is not possible. The SSH agent can only prove that you possess a certain private key; it has no functionality to either give access to that key or use it for decrypting a secret.

