Add release evidence and audit packet
ci / test (push) Has been cancelled
ci / fuzz-smoke (push) Has been cancelled
ci / package-release (linux-x86_64, ubuntu-latest) (push) Has been cancelled
ci / package-release (macos-aarch64, macos-14) (push) Has been cancelled
ci / package-release (macos-x86_64, macos-13) (push) Has been cancelled
ci / package-release (windows-x86_64, windows-latest) (push) Has been cancelled
ci / remote-bench (push) Has been cancelled
ci / test (push) Has been cancelled
ci / fuzz-smoke (push) Has been cancelled
ci / package-release (linux-x86_64, ubuntu-latest) (push) Has been cancelled
ci / package-release (macos-aarch64, macos-14) (push) Has been cancelled
ci / package-release (macos-x86_64, macos-13) (push) Has been cancelled
ci / package-release (windows-x86_64, windows-latest) (push) Has been cancelled
ci / remote-bench (push) Has been cancelled
This commit is contained in:
@@ -0,0 +1,75 @@
|
||||
# Dosh Native v1 Audit Packet
|
||||
|
||||
This is the handoff checklist for an external security review.
|
||||
|
||||
## Scope
|
||||
|
||||
Review the security properties of Dosh native v1:
|
||||
|
||||
- Native UDP authentication and key exchange
|
||||
- Host key trust and known-host mismatch behavior
|
||||
- Authorized key parsing and policy enforcement
|
||||
- Transport encryption, replay protection, rekeying, resume, and stale packet handling
|
||||
- Attach ticket sealing/opening
|
||||
- TCP forwarding and agent forwarding authorization boundaries
|
||||
- Parser robustness for untrusted wire/config data
|
||||
|
||||
Primary files:
|
||||
|
||||
- `src/native.rs`
|
||||
- `src/protocol.rs`
|
||||
- `src/auth.rs`
|
||||
- `src/ssh_agent.rs`
|
||||
- `src/bin/dosh-client.rs`
|
||||
- `src/bin/dosh-server.rs`
|
||||
- `src/config.rs`
|
||||
- `tests/parser_robustness.rs`
|
||||
- `tests/protocol_auth.rs`
|
||||
- `tests/hostile_network.rs`
|
||||
- `tests/integration_smoke.rs`
|
||||
- `fuzz/fuzz_targets/*`
|
||||
|
||||
Primary docs:
|
||||
|
||||
- `docs/NATIVE_V1_SPEC.md`
|
||||
- `docs/THREAT_MODEL.md`
|
||||
- `docs/PROTOCOL_VERSIONING.md`
|
||||
- `docs/PUBLIC_READINESS.md`
|
||||
- `docs/RELEASE_EVIDENCE_2026-06-20.md`
|
||||
|
||||
## Required Reviewer Questions
|
||||
|
||||
1. Is the native handshake transcript complete enough to bind client/server keys,
|
||||
requested session, mode, env, and forwarding permissions?
|
||||
2. Are host-key trust transitions fail-closed, especially unknown vs mismatch vs
|
||||
explicit TOFU?
|
||||
3. Are authorized-key options parsed conservatively enough, and are unsupported
|
||||
options rejected safely?
|
||||
4. Can replayed, reordered, delayed, stale, or cross-epoch packets affect terminal
|
||||
input or forwarded streams more than once?
|
||||
5. Does key rotation preserve confidentiality without creating split-brain epoch
|
||||
states?
|
||||
6. Do attach tickets create any bearer-token replay or privilege-extension issue?
|
||||
7. Can UDP endpoint migration be abused for hijack or reflection?
|
||||
8. Are local/remote/dynamic TCP forwarding and agent forwarding gated correctly by
|
||||
client opt-in, server config, and authorized-key options?
|
||||
9. Are parser and packet-size limits sufficient against malicious inputs?
|
||||
10. Are there any unsafe assumptions in process/session persistence or holder
|
||||
adoption?
|
||||
|
||||
## Current Local Evidence
|
||||
|
||||
As of 2026-06-20:
|
||||
|
||||
- `cargo test`: `153 passed, 1 ignored`
|
||||
- `make soak-local`: passed 30-minute sleep/roaming soak
|
||||
- `make fuzz-smoke`: passed all configured fuzz targets for 20s each
|
||||
- `make bench-docker-mosh`: passed SSH, ControlMaster, native, cached, and Mosh
|
||||
comparison gates
|
||||
|
||||
## Explicit Non-Claims Before Audit
|
||||
|
||||
- No claim of generic SSH protocol replacement.
|
||||
- No claim of full Mosh compatibility.
|
||||
- No claim that native v1 is externally audited.
|
||||
- No claim that Windows server support is production-ready.
|
||||
@@ -0,0 +1,122 @@
|
||||
# Dosh Release Evidence - 2026-06-20
|
||||
|
||||
Code benchmarked: `b44ff8e Improve release and benchmark tooling`
|
||||
|
||||
Environment:
|
||||
|
||||
- Host: local homelab runner
|
||||
- Benchmark harness: `make bench-docker-mosh`
|
||||
- Container SSH server: OpenSSH 9.6p1 on Ubuntu
|
||||
- Same container, key, DNS, loopback, and Dosh server path for all Docker samples
|
||||
|
||||
## Release Artifacts
|
||||
|
||||
Generated locally with:
|
||||
|
||||
```bash
|
||||
sh scripts/package-release.sh
|
||||
```
|
||||
|
||||
Artifacts:
|
||||
|
||||
| artifact | sha256 |
|
||||
| --- | --- |
|
||||
| `dosh-linux-x86_64.tar.gz` | `f421ee56aac61892c9e152d2ef018cf95eb35dec2ca1b2b5cc82eeb1fcc12911` |
|
||||
| `dosh-0.1.0-linux-x86_64.tar.gz` | `f421ee56aac61892c9e152d2ef018cf95eb35dec2ca1b2b5cc82eeb1fcc12911` |
|
||||
|
||||
The installer verifies `<artifact>.sha256` when the sidecar is published.
|
||||
|
||||
## Docker SSH/Mosh Benchmark
|
||||
|
||||
Command:
|
||||
|
||||
```bash
|
||||
make bench-docker-mosh
|
||||
```
|
||||
|
||||
### Cold SSH Bootstrap
|
||||
|
||||
| metric | n | min ms | median ms | p95 ms | mean ms | max ms |
|
||||
| --- | ---: | ---: | ---: | ---: | ---: | ---: |
|
||||
| `ssh_true_ms` | 3 | 216.58 | 220.27 | 224.64 | 220.66 | 225.12 |
|
||||
| `dosh_attach_ms` | 3 | 232.37 | 235.56 | 239.13 | 235.82 | 239.53 |
|
||||
|
||||
Raw samples:
|
||||
|
||||
- `ssh_true_ms`: [216.58, 220.27, 225.12]
|
||||
- `dosh_attach_ms`: [235.56, 232.37, 239.53]
|
||||
|
||||
Gate: `dosh_attach_ms avg 235.82ms <= ssh avg 220.66ms + 500.00ms`
|
||||
|
||||
### ControlMaster SSH Bootstrap
|
||||
|
||||
| metric | n | min ms | median ms | p95 ms | mean ms | max ms |
|
||||
| --- | ---: | ---: | ---: | ---: | ---: | ---: |
|
||||
| `ssh_true_ms` | 3 | 7.29 | 7.50 | 47.51 | 22.25 | 51.95 |
|
||||
| `dosh_attach_ms` | 3 | 16.62 | 17.01 | 17.77 | 17.16 | 17.85 |
|
||||
|
||||
Raw samples:
|
||||
|
||||
- `ssh_true_ms`: [51.95, 7.29, 7.50]
|
||||
- `dosh_attach_ms`: [17.01, 16.62, 17.85]
|
||||
|
||||
Gate: `dosh_attach_ms avg 17.16ms <= ssh avg 22.25ms + 500.00ms`
|
||||
|
||||
### Native Cold Auth
|
||||
|
||||
| metric | n | min ms | median ms | p95 ms | mean ms | max ms |
|
||||
| --- | ---: | ---: | ---: | ---: | ---: | ---: |
|
||||
| `ssh_true_ms` | 5 | 215.72 | 222.68 | 227.05 | 221.32 | 227.82 |
|
||||
| `dosh_cold_native_ms` | 5 | 8.63 | 8.84 | 9.16 | 8.88 | 9.23 |
|
||||
|
||||
Raw samples:
|
||||
|
||||
- `ssh_true_ms`: [216.40, 223.99, 227.82, 222.68, 215.72]
|
||||
- `dosh_cold_native_ms`: [8.84, 8.63, 9.23, 8.88, 8.84]
|
||||
|
||||
Gate: `dosh_cold_native_ms avg 8.88ms <= ssh avg 221.32ms + 0.00ms`
|
||||
|
||||
### Cached Attach
|
||||
|
||||
| metric | n | min ms | median ms | p95 ms | mean ms | max ms |
|
||||
| --- | ---: | ---: | ---: | ---: | ---: | ---: |
|
||||
| `dosh_cached_attach_ms` | 10 | 8.07 | 8.96 | 9.83 | 8.98 | 9.84 |
|
||||
|
||||
Raw samples:
|
||||
|
||||
- `dosh_cached_attach_ms`: [8.07, 9.09, 9.02, 8.66, 8.71, 8.90, 8.45, 9.84, 9.25, 9.82]
|
||||
|
||||
Gate: `dosh_cached_attach_ms avg 8.98ms <= 25.00ms`
|
||||
|
||||
### Mosh Comparison
|
||||
|
||||
| metric | n | min ms | median ms | p95 ms | mean ms | max ms |
|
||||
| --- | ---: | ---: | ---: | ---: | ---: | ---: |
|
||||
| `ssh_true_ms` | 3 | 216.48 | 218.93 | 219.49 | 218.32 | 219.55 |
|
||||
| `dosh_attach_ms` | 3 | 229.59 | 233.00 | 233.31 | 231.98 | 233.35 |
|
||||
| `mosh_start_true_ms` | 3 | 527.13 | 563.34 | 573.09 | 554.89 | 574.18 |
|
||||
|
||||
Raw samples:
|
||||
|
||||
- `ssh_true_ms`: [219.55, 216.48, 218.93]
|
||||
- `dosh_attach_ms`: [233.00, 229.59, 233.35]
|
||||
- `mosh_start_true_ms`: [563.34, 527.13, 574.18]
|
||||
|
||||
## Soak And Fuzz Evidence
|
||||
|
||||
- `cargo test`: `153 passed, 1 ignored`
|
||||
- `make soak-local`: `sleep_roaming_soak_30m ... ok`, finished in `1803.54s`
|
||||
- `make fuzz-smoke`: passed all configured targets for 20s each:
|
||||
`packet_decode`, `from_body`, `authorized_keys`, `known_hosts`,
|
||||
`handshake_structs`, `attach_ticket`
|
||||
|
||||
## Public Claim Boundary
|
||||
|
||||
This evidence supports:
|
||||
|
||||
- Dosh cached attach and native auth are much faster than cold SSH/Mosh startup in
|
||||
this benchmark environment.
|
||||
- Dosh remains mosh-shaped, not mosh-compatible.
|
||||
- Dosh does not claim generic SSH replacement compatibility.
|
||||
- Native v1 security still needs external review before making hard public security
|
||||
claims.
|
||||
Reference in New Issue
Block a user