diff --git a/README.md b/README.md index cf78c53..1d04eb7 100644 --- a/README.md +++ b/README.md @@ -250,6 +250,9 @@ fast path after the first authentication has issued an attach ticket. See strongest claim is fast attach/reconnect plus native encrypted forwarding on Dosh-installed servers, not generic SSH compatibility. +The latest local release evidence is in +`docs/RELEASE_EVIDENCE_2026-06-20.md`. + Generate a publishable Markdown benchmark report: ```bash @@ -366,11 +369,12 @@ the native authenticated path is tried first and falls back to SSH bootstrap explicitly when native auth is disabled, unavailable, or rejected. It never silently degrades to an unauthenticated mode. -Native v1 is **not yet fully verified**. Long-running sleep/roaming soak evidence -and deeper fuzzing evidence are still open launch gates. See -`docs/THREAT_MODEL.md` for the published threat model and accepted residual risks, -`docs/PROTOCOL_VERSIONING.md` for the v1 versioning policy, and the "Native v1 -verification checklist status" table in `docs/PUBLIC_READINESS.md` for the -item-by-item state. Dosh does not claim generic SSH compatibility; its defensible -claim is fast encrypted native attach/reconnect and forwarding on Dosh-installed -servers with SSH bootstrap fallback. +Native v1 is **not externally audited yet**. Local 30-minute sleep/roaming soak, +fuzz-smoke, and Docker SSH/Mosh benchmark evidence is captured in +`docs/RELEASE_EVIDENCE_2026-06-20.md`. See `docs/THREAT_MODEL.md` for the +published threat model and accepted residual risks, `docs/PROTOCOL_VERSIONING.md` +for the v1 versioning policy, `docs/AUDIT_PACKET.md` for the external security +review handoff, and the "Native v1 verification checklist status" table in +`docs/PUBLIC_READINESS.md` for the item-by-item state. Dosh does not claim generic +SSH compatibility; its defensible claim is fast encrypted native attach/reconnect +and forwarding on Dosh-installed servers with SSH bootstrap fallback. diff --git a/docs/AUDIT_PACKET.md b/docs/AUDIT_PACKET.md new file mode 100644 index 0000000..ce1a8af --- /dev/null +++ b/docs/AUDIT_PACKET.md @@ -0,0 +1,75 @@ +# Dosh Native v1 Audit Packet + +This is the handoff checklist for an external security review. + +## Scope + +Review the security properties of Dosh native v1: + +- Native UDP authentication and key exchange +- Host key trust and known-host mismatch behavior +- Authorized key parsing and policy enforcement +- Transport encryption, replay protection, rekeying, resume, and stale packet handling +- Attach ticket sealing/opening +- TCP forwarding and agent forwarding authorization boundaries +- Parser robustness for untrusted wire/config data + +Primary files: + +- `src/native.rs` +- `src/protocol.rs` +- `src/auth.rs` +- `src/ssh_agent.rs` +- `src/bin/dosh-client.rs` +- `src/bin/dosh-server.rs` +- `src/config.rs` +- `tests/parser_robustness.rs` +- `tests/protocol_auth.rs` +- `tests/hostile_network.rs` +- `tests/integration_smoke.rs` +- `fuzz/fuzz_targets/*` + +Primary docs: + +- `docs/NATIVE_V1_SPEC.md` +- `docs/THREAT_MODEL.md` +- `docs/PROTOCOL_VERSIONING.md` +- `docs/PUBLIC_READINESS.md` +- `docs/RELEASE_EVIDENCE_2026-06-20.md` + +## Required Reviewer Questions + +1. Is the native handshake transcript complete enough to bind client/server keys, + requested session, mode, env, and forwarding permissions? +2. Are host-key trust transitions fail-closed, especially unknown vs mismatch vs + explicit TOFU? +3. Are authorized-key options parsed conservatively enough, and are unsupported + options rejected safely? +4. Can replayed, reordered, delayed, stale, or cross-epoch packets affect terminal + input or forwarded streams more than once? +5. Does key rotation preserve confidentiality without creating split-brain epoch + states? +6. Do attach tickets create any bearer-token replay or privilege-extension issue? +7. Can UDP endpoint migration be abused for hijack or reflection? +8. Are local/remote/dynamic TCP forwarding and agent forwarding gated correctly by + client opt-in, server config, and authorized-key options? +9. Are parser and packet-size limits sufficient against malicious inputs? +10. Are there any unsafe assumptions in process/session persistence or holder + adoption? + +## Current Local Evidence + +As of 2026-06-20: + +- `cargo test`: `153 passed, 1 ignored` +- `make soak-local`: passed 30-minute sleep/roaming soak +- `make fuzz-smoke`: passed all configured fuzz targets for 20s each +- `make bench-docker-mosh`: passed SSH, ControlMaster, native, cached, and Mosh + comparison gates + +## Explicit Non-Claims Before Audit + +- No claim of generic SSH protocol replacement. +- No claim of full Mosh compatibility. +- No claim that native v1 is externally audited. +- No claim that Windows server support is production-ready. diff --git a/docs/RELEASE_EVIDENCE_2026-06-20.md b/docs/RELEASE_EVIDENCE_2026-06-20.md new file mode 100644 index 0000000..764c7ea --- /dev/null +++ b/docs/RELEASE_EVIDENCE_2026-06-20.md @@ -0,0 +1,122 @@ +# Dosh Release Evidence - 2026-06-20 + +Code benchmarked: `b44ff8e Improve release and benchmark tooling` + +Environment: + +- Host: local homelab runner +- Benchmark harness: `make bench-docker-mosh` +- Container SSH server: OpenSSH 9.6p1 on Ubuntu +- Same container, key, DNS, loopback, and Dosh server path for all Docker samples + +## Release Artifacts + +Generated locally with: + +```bash +sh scripts/package-release.sh +``` + +Artifacts: + +| artifact | sha256 | +| --- | --- | +| `dosh-linux-x86_64.tar.gz` | `f421ee56aac61892c9e152d2ef018cf95eb35dec2ca1b2b5cc82eeb1fcc12911` | +| `dosh-0.1.0-linux-x86_64.tar.gz` | `f421ee56aac61892c9e152d2ef018cf95eb35dec2ca1b2b5cc82eeb1fcc12911` | + +The installer verifies `.sha256` when the sidecar is published. + +## Docker SSH/Mosh Benchmark + +Command: + +```bash +make bench-docker-mosh +``` + +### Cold SSH Bootstrap + +| metric | n | min ms | median ms | p95 ms | mean ms | max ms | +| --- | ---: | ---: | ---: | ---: | ---: | ---: | +| `ssh_true_ms` | 3 | 216.58 | 220.27 | 224.64 | 220.66 | 225.12 | +| `dosh_attach_ms` | 3 | 232.37 | 235.56 | 239.13 | 235.82 | 239.53 | + +Raw samples: + +- `ssh_true_ms`: [216.58, 220.27, 225.12] +- `dosh_attach_ms`: [235.56, 232.37, 239.53] + +Gate: `dosh_attach_ms avg 235.82ms <= ssh avg 220.66ms + 500.00ms` + +### ControlMaster SSH Bootstrap + +| metric | n | min ms | median ms | p95 ms | mean ms | max ms | +| --- | ---: | ---: | ---: | ---: | ---: | ---: | +| `ssh_true_ms` | 3 | 7.29 | 7.50 | 47.51 | 22.25 | 51.95 | +| `dosh_attach_ms` | 3 | 16.62 | 17.01 | 17.77 | 17.16 | 17.85 | + +Raw samples: + +- `ssh_true_ms`: [51.95, 7.29, 7.50] +- `dosh_attach_ms`: [17.01, 16.62, 17.85] + +Gate: `dosh_attach_ms avg 17.16ms <= ssh avg 22.25ms + 500.00ms` + +### Native Cold Auth + +| metric | n | min ms | median ms | p95 ms | mean ms | max ms | +| --- | ---: | ---: | ---: | ---: | ---: | ---: | +| `ssh_true_ms` | 5 | 215.72 | 222.68 | 227.05 | 221.32 | 227.82 | +| `dosh_cold_native_ms` | 5 | 8.63 | 8.84 | 9.16 | 8.88 | 9.23 | + +Raw samples: + +- `ssh_true_ms`: [216.40, 223.99, 227.82, 222.68, 215.72] +- `dosh_cold_native_ms`: [8.84, 8.63, 9.23, 8.88, 8.84] + +Gate: `dosh_cold_native_ms avg 8.88ms <= ssh avg 221.32ms + 0.00ms` + +### Cached Attach + +| metric | n | min ms | median ms | p95 ms | mean ms | max ms | +| --- | ---: | ---: | ---: | ---: | ---: | ---: | +| `dosh_cached_attach_ms` | 10 | 8.07 | 8.96 | 9.83 | 8.98 | 9.84 | + +Raw samples: + +- `dosh_cached_attach_ms`: [8.07, 9.09, 9.02, 8.66, 8.71, 8.90, 8.45, 9.84, 9.25, 9.82] + +Gate: `dosh_cached_attach_ms avg 8.98ms <= 25.00ms` + +### Mosh Comparison + +| metric | n | min ms | median ms | p95 ms | mean ms | max ms | +| --- | ---: | ---: | ---: | ---: | ---: | ---: | +| `ssh_true_ms` | 3 | 216.48 | 218.93 | 219.49 | 218.32 | 219.55 | +| `dosh_attach_ms` | 3 | 229.59 | 233.00 | 233.31 | 231.98 | 233.35 | +| `mosh_start_true_ms` | 3 | 527.13 | 563.34 | 573.09 | 554.89 | 574.18 | + +Raw samples: + +- `ssh_true_ms`: [219.55, 216.48, 218.93] +- `dosh_attach_ms`: [233.00, 229.59, 233.35] +- `mosh_start_true_ms`: [563.34, 527.13, 574.18] + +## Soak And Fuzz Evidence + +- `cargo test`: `153 passed, 1 ignored` +- `make soak-local`: `sleep_roaming_soak_30m ... ok`, finished in `1803.54s` +- `make fuzz-smoke`: passed all configured targets for 20s each: + `packet_decode`, `from_body`, `authorized_keys`, `known_hosts`, + `handshake_structs`, `attach_ticket` + +## Public Claim Boundary + +This evidence supports: + +- Dosh cached attach and native auth are much faster than cold SSH/Mosh startup in + this benchmark environment. +- Dosh remains mosh-shaped, not mosh-compatible. +- Dosh does not claim generic SSH replacement compatibility. +- Native v1 security still needs external review before making hard public security + claims.