Expand native auth and benchmark gates
This commit is contained in:
+17
-10
@@ -7,16 +7,22 @@
|
||||
> - Milestone 1 — host identity and trust: **done.** Host key generation, `dosh trust`,
|
||||
> `known_hosts`, and mismatch hard-fail are implemented.
|
||||
> - Milestone 2 — native user auth: **done.** `ClientHello`/`ServerHello`/`UserAuth`/
|
||||
> `AuthOk`, ssh-agent and encrypted-key Ed25519, and `authorized_keys` verification
|
||||
> exist. ECDSA/RSA user keys are still pending (Ed25519 only today).
|
||||
> `AuthOk`, ssh-agent and OpenSSH identity-file auth for Ed25519, ECDSA P-256,
|
||||
> and RSA-SHA2, plus `authorized_keys` verification, exist.
|
||||
> - Milestone 3 — default native auth: **done.** `auth_preference = "native,ssh"` is
|
||||
> the default with explicit, visible SSH fallback. Cold-auth benchmark gates are
|
||||
> pending (Track C / `BENCHMARKS.md`).
|
||||
> - Milestone 4 — forwarding: **done.** Stream mux, `-L`, `-R`, `-D`, `-N`, `-f`, and
|
||||
> per-stream flow control are implemented; hostile-network and load tests pending.
|
||||
> - Milestone 5 — hardening: **in progress.** Full per-IP token-bucket rate limiting,
|
||||
> protocol VERSION negotiation hardening, fuzzing in CI, and external review are not
|
||||
> yet complete. The threat model is published (`docs/THREAT_MODEL.md`).
|
||||
> the default with explicit, visible SSH fallback. Local and Docker benchmark gates
|
||||
> cover cached attach, SSH fallback, and native cold auth (Track C /
|
||||
> `BENCHMARKS.md`).
|
||||
> - Milestone 4 — forwarding: **implemented.** Stream mux, `-L`, `-R`, `-D`, `-N`,
|
||||
> `-f`, and per-stream flow control exist; terminal-priority/load regressions are
|
||||
> covered, and hostile-network/long-soak proof is still being expanded before parity
|
||||
> is claimed.
|
||||
> - Milestone 5 — hardening: **partly done.** Per-IP token-bucket rate limiting,
|
||||
> fail-closed protocol-version checks, parser fuzz targets, fuzz-smoke CI, scripted
|
||||
> TUI transport tests, forwarding load/priority tests, and independent persistent
|
||||
> session restart tests exist. External review, long soak, and future multi-version
|
||||
> compatibility policy are not yet complete. The threat model is published
|
||||
> (`docs/THREAT_MODEL.md`).
|
||||
> - Milestone 6 — workflow parity: **mostly done.** `dosh doctor`, host-trust
|
||||
> management, and the encrypted-key prompt flow exist; cross-OS daily-driver soak is
|
||||
> ongoing.
|
||||
@@ -124,7 +130,8 @@ Native v1 must be boring under real use:
|
||||
- A closed laptop must not kill the remote session.
|
||||
- A client crash must not kill the remote session.
|
||||
- A server restart must not kill the remote session when `persist_sessions` is on
|
||||
(the default): each session's shell runs in a detached per-session *holder*
|
||||
(currently opt-in until stress-tested): each session's shell runs in a detached
|
||||
per-session *holder*
|
||||
process whose PTY master fd the server passes back to itself via SCM_RIGHTS, so
|
||||
the shell + scrollback survive a server crash/upgrade/`systemctl restart` and a
|
||||
reattaching client lands on the same shell with its screen restored. With
|
||||
|
||||
Reference in New Issue
Block a user