Expand native auth and benchmark gates
This commit is contained in:
@@ -81,7 +81,7 @@ dosh-server
|
||||
client table per session
|
||||
encrypted UDP protocol
|
||||
tiny SSH-invoked dosh-auth helper mode
|
||||
persistent sessions (persist_sessions, default on): each shell runs in a
|
||||
persistent sessions (persist_sessions, currently opt-in): each shell runs in a
|
||||
detached per-session holder process; the server adopts its PTY master fd via
|
||||
SCM_RIGHTS and re-adopts it after a restart, so sessions survive crash/upgrade
|
||||
|
||||
@@ -197,9 +197,9 @@ Benchmark the ControlMaster-backed SSH bootstrap path:
|
||||
target/release/dosh-bench --server user@host --controlmaster --iterations 3
|
||||
```
|
||||
|
||||
Run the Docker OpenSSH benchmark gate used by CI. It checks both cold SSH bootstrap
|
||||
and ControlMaster-backed SSH bootstrap against a containerized `sshd` plus resident
|
||||
`dosh-server`:
|
||||
Run the Docker OpenSSH benchmark gate used by CI. It checks cold SSH bootstrap,
|
||||
ControlMaster-backed SSH bootstrap, native cold auth after one-time `dosh trust`,
|
||||
and cached attach against a containerized `sshd` plus resident `dosh-server`:
|
||||
|
||||
```bash
|
||||
make bench-docker-ssh
|
||||
@@ -211,12 +211,12 @@ Run the same Docker comparison with Mosh installed in the benchmark container:
|
||||
make bench-docker-mosh
|
||||
```
|
||||
|
||||
That prints `ssh_true_ms`, `dosh_attach_ms`, and `mosh_start_true_ms` under the same
|
||||
container, key, DNS, and network path. It also prints `dosh_cached_attach_ms`, which
|
||||
is the real Dosh fast path after the first SSH-authenticated bootstrap has issued an
|
||||
attach ticket. See `docs/PUBLIC_READINESS.md` before using the numbers publicly;
|
||||
Dosh's current strongest claim is fast attach/reconnect, not full Mosh feature
|
||||
parity yet.
|
||||
That prints `ssh_true_ms`, `dosh_attach_ms`, `dosh_cold_native_ms`,
|
||||
`dosh_cached_attach_ms`, and, for the Mosh target, `mosh_start_true_ms` under the
|
||||
same container, key, DNS, and network path. `dosh_cached_attach_ms` is the real Dosh
|
||||
fast path after the first authentication has issued an attach ticket. See
|
||||
`docs/PUBLIC_READINESS.md` before using the numbers publicly; Dosh's current
|
||||
strongest claim is fast attach/reconnect, not full Mosh feature parity yet.
|
||||
|
||||
The CI workflow includes an optional remote benchmark job. It runs when
|
||||
`DOSH_BENCH_HOST`, `DOSH_BENCH_USER`, and `DOSH_BENCH_SSH_KEY` repository secrets are
|
||||
@@ -281,10 +281,10 @@ Beyond the SSH-bootstrap core, native v1 (`docs/NATIVE_V1_SPEC.md`) is substanti
|
||||
implemented and aims to replace the day-to-day `ssh host` workflow on Dosh-installed
|
||||
servers:
|
||||
|
||||
- **Native UDP auth** with X25519 key exchange, transcript-bound Ed25519 user auth
|
||||
via ssh-agent or an encrypted OpenSSH key, ChaCha20-Poly1305 transport, and
|
||||
`authorized_keys` policy enforcement (`from=`, `no-port-forwarding`, `permitopen=`;
|
||||
unsupported options fail closed).
|
||||
- **Native UDP auth** with X25519 key exchange; transcript-bound Ed25519, ECDSA
|
||||
P-256, and RSA-SHA2 user auth via ssh-agent or OpenSSH identity files;
|
||||
ChaCha20-Poly1305 transport; and `authorized_keys` policy enforcement (`from=`,
|
||||
`no-port-forwarding`, `permitopen=`; unsupported options fail closed).
|
||||
- **Dosh host-key trust**: pinned `known_hosts`, `dosh trust [--remove|--replace]`,
|
||||
TOFU only when explicitly enabled, and hard-fail on host-key mismatch.
|
||||
- **TCP forwarding**: local `-L`, remote `-R` (loopback bind by default), dynamic
|
||||
@@ -303,10 +303,11 @@ the native authenticated path is tried first and falls back to SSH bootstrap
|
||||
explicitly when native auth is disabled, unavailable, or rejected. It never silently
|
||||
degrades to an unauthenticated mode.
|
||||
|
||||
Native v1 is **not yet fully verified**. Per-IP token-bucket rate limiting, protocol
|
||||
VERSION negotiation hardening, fuzzing in CI, ECDSA/RSA user keys, and an external
|
||||
security review are still open. See `docs/THREAT_MODEL.md` for the published threat
|
||||
model and accepted residual risks, and the "Native v1 verification checklist status"
|
||||
table in `docs/PUBLIC_READINESS.md` for the item-by-item state. Dosh does not yet
|
||||
claim a fully verified SSH replacement; its defensible claim remains fast encrypted
|
||||
native attach/reconnect with SSH-equivalent transport security and SSH fallback.
|
||||
Native v1 is **not yet fully verified**. Protocol VERSION compatibility policy,
|
||||
long-running sleep/roaming soak tests, adversarial forwarding/network tests, deeper
|
||||
fuzzing, and an external security review are still open. See `docs/THREAT_MODEL.md`
|
||||
for the published threat model and accepted residual risks, and the "Native v1
|
||||
verification checklist status" table in `docs/PUBLIC_READINESS.md` for the
|
||||
item-by-item state. Dosh does not yet claim a fully verified SSH replacement; its
|
||||
defensible claim remains fast encrypted native attach/reconnect with SSH-equivalent
|
||||
transport security and SSH fallback.
|
||||
|
||||
Reference in New Issue
Block a user