I was trying to wrap ssh-keygen so that it only outputs a private key on stdout.
One constraint I’m working with is to do so as securely as possible.
For this, my starting point on Linux is to keep sensitive values in memory and use (anonymous) pipes to transfer them between processes.
(This may still be hackable, but that’s a topic for another day)
With ssh-keygen, I can pass a private key path using -f PATH, so the first thing I tried was to create a pipe, redirect it to the
parent process’s stdout, then call ssh-keygen with -f /proc/self/fd/<n> where <n> is the pipe’s write-end file descriptor.
This does get the private key on stdout, but after that ssh-keygen fails
because it tries to write a public key to /proc/self/fd/<n>.pub. A more
composable version of ssh-keygen would allow that behavior to be overwritten
by passing a private key path and public key path as two distinct options. Since that version
doesn’t exist, I need a workaround.
The most obvious thing to me is to use two named pipes, one for the private key and one for the public key.
The problem is that the private key’s named pipe is visible on the file system for all other processes running under my user.
This feels like a step backward in security.
I wish I could create a named pipe that’s only visible to a process
and its children, so that ssh-keygen can believe it’s working with files, but without exposing the private key it’s generating to other processes.