Publish threat model and refresh native v1 docs
Add docs/THREAT_MODEL.md deriving a publishable threat model from NATIVE_V1_SPEC.md sections 4-6: assets, in/out-of-scope attackers, security properties vs SSH (including where Dosh aims to exceed it), cryptographic building blocks as implemented, and an honest accepted-residual-risks / known-gaps section. Refresh docs/PUBLIC_READINESS.md: feature matrix now reflects native auth, host-key trust, authorized_keys policy, doctor, and -L/-R/-D forwarding; add a per-item "Native v1 verification checklist status" table mapping spec section 16 to done/in-progress/pending from code. Update README.md status with a native v1 section and honest claim posture pointing to THREAT_MODEL.md. Annotate NATIVE_V1_SPEC.md with a v1 status block summarizing milestone progress. Point SPEC.md security model and header at native auth and the threat model. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
@@ -267,3 +267,33 @@ resident PTY server, encrypted UDP bootstrap attach, UDP resume, sealed UDP atta
|
||||
tickets, client ACKs, server retransmit bookkeeping, sliding replay protection,
|
||||
server-side `vt100` screen snapshots/diffs, a hardened user systemd unit, an install
|
||||
script, Docker SSH benchmark gates, CI, and protocol/integration tests.
|
||||
|
||||
### Native v1
|
||||
|
||||
Beyond the SSH-bootstrap core, native v1 (`docs/NATIVE_V1_SPEC.md`) is substantially
|
||||
implemented and aims to replace the day-to-day `ssh host` workflow on Dosh-installed
|
||||
servers:
|
||||
|
||||
- **Native UDP auth** with X25519 key exchange, transcript-bound Ed25519 user auth
|
||||
via ssh-agent or an encrypted OpenSSH key, ChaCha20-Poly1305 transport, and
|
||||
`authorized_keys` policy enforcement (`from=`, `no-port-forwarding`, `permitopen=`;
|
||||
unsupported options fail closed).
|
||||
- **Dosh host-key trust**: pinned `known_hosts`, `dosh trust [--remove|--replace]`,
|
||||
TOFU only when explicitly enabled, and hard-fail on host-key mismatch.
|
||||
- **TCP forwarding**: local `-L`, remote `-R` (loopback bind by default), dynamic
|
||||
SOCKS5 `-D`, forward-only `-N`, and background `-f`, with per-stream flow control so
|
||||
bulk transfers do not lag the terminal.
|
||||
- **Diagnostics**: `dosh doctor host` for config/auth/UDP/forwarding-policy checks.
|
||||
|
||||
Native auth is **opt-in alongside SSH fallback** (`auth_preference = "native,ssh"`):
|
||||
the native authenticated path is tried first and falls back to SSH bootstrap
|
||||
explicitly when native auth is disabled, unavailable, or rejected. It never silently
|
||||
degrades to an unauthenticated mode.
|
||||
|
||||
Native v1 is **not yet fully verified**. Per-IP token-bucket rate limiting, protocol
|
||||
VERSION negotiation hardening, fuzzing in CI, ECDSA/RSA user keys, and an external
|
||||
security review are still open. See `docs/THREAT_MODEL.md` for the published threat
|
||||
model and accepted residual risks, and the "Native v1 verification checklist status"
|
||||
table in `docs/PUBLIC_READINESS.md` for the item-by-item state. Dosh does not yet
|
||||
claim a fully verified SSH replacement; its defensible claim remains fast encrypted
|
||||
native attach/reconnect with SSH-equivalent transport security and SSH fallback.
|
||||
|
||||
Reference in New Issue
Block a user