Add release evidence and audit packet
ci / test (push) Has been cancelled
ci / fuzz-smoke (push) Has been cancelled
ci / package-release (linux-x86_64, ubuntu-latest) (push) Has been cancelled
ci / package-release (macos-aarch64, macos-14) (push) Has been cancelled
ci / package-release (macos-x86_64, macos-13) (push) Has been cancelled
ci / package-release (windows-x86_64, windows-latest) (push) Has been cancelled
ci / remote-bench (push) Has been cancelled
ci / test (push) Has been cancelled
ci / fuzz-smoke (push) Has been cancelled
ci / package-release (linux-x86_64, ubuntu-latest) (push) Has been cancelled
ci / package-release (macos-aarch64, macos-14) (push) Has been cancelled
ci / package-release (macos-x86_64, macos-13) (push) Has been cancelled
ci / package-release (windows-x86_64, windows-latest) (push) Has been cancelled
ci / remote-bench (push) Has been cancelled
This commit is contained in:
@@ -250,6 +250,9 @@ fast path after the first authentication has issued an attach ticket. See
|
|||||||
strongest claim is fast attach/reconnect plus native encrypted forwarding on
|
strongest claim is fast attach/reconnect plus native encrypted forwarding on
|
||||||
Dosh-installed servers, not generic SSH compatibility.
|
Dosh-installed servers, not generic SSH compatibility.
|
||||||
|
|
||||||
|
The latest local release evidence is in
|
||||||
|
`docs/RELEASE_EVIDENCE_2026-06-20.md`.
|
||||||
|
|
||||||
Generate a publishable Markdown benchmark report:
|
Generate a publishable Markdown benchmark report:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
@@ -366,11 +369,12 @@ the native authenticated path is tried first and falls back to SSH bootstrap
|
|||||||
explicitly when native auth is disabled, unavailable, or rejected. It never silently
|
explicitly when native auth is disabled, unavailable, or rejected. It never silently
|
||||||
degrades to an unauthenticated mode.
|
degrades to an unauthenticated mode.
|
||||||
|
|
||||||
Native v1 is **not yet fully verified**. Long-running sleep/roaming soak evidence
|
Native v1 is **not externally audited yet**. Local 30-minute sleep/roaming soak,
|
||||||
and deeper fuzzing evidence are still open launch gates. See
|
fuzz-smoke, and Docker SSH/Mosh benchmark evidence is captured in
|
||||||
`docs/THREAT_MODEL.md` for the published threat model and accepted residual risks,
|
`docs/RELEASE_EVIDENCE_2026-06-20.md`. See `docs/THREAT_MODEL.md` for the
|
||||||
`docs/PROTOCOL_VERSIONING.md` for the v1 versioning policy, and the "Native v1
|
published threat model and accepted residual risks, `docs/PROTOCOL_VERSIONING.md`
|
||||||
verification checklist status" table in `docs/PUBLIC_READINESS.md` for the
|
for the v1 versioning policy, `docs/AUDIT_PACKET.md` for the external security
|
||||||
item-by-item state. Dosh does not claim generic SSH compatibility; its defensible
|
review handoff, and the "Native v1 verification checklist status" table in
|
||||||
claim is fast encrypted native attach/reconnect and forwarding on Dosh-installed
|
`docs/PUBLIC_READINESS.md` for the item-by-item state. Dosh does not claim generic
|
||||||
servers with SSH bootstrap fallback.
|
SSH compatibility; its defensible claim is fast encrypted native attach/reconnect
|
||||||
|
and forwarding on Dosh-installed servers with SSH bootstrap fallback.
|
||||||
|
|||||||
@@ -0,0 +1,75 @@
|
|||||||
|
# Dosh Native v1 Audit Packet
|
||||||
|
|
||||||
|
This is the handoff checklist for an external security review.
|
||||||
|
|
||||||
|
## Scope
|
||||||
|
|
||||||
|
Review the security properties of Dosh native v1:
|
||||||
|
|
||||||
|
- Native UDP authentication and key exchange
|
||||||
|
- Host key trust and known-host mismatch behavior
|
||||||
|
- Authorized key parsing and policy enforcement
|
||||||
|
- Transport encryption, replay protection, rekeying, resume, and stale packet handling
|
||||||
|
- Attach ticket sealing/opening
|
||||||
|
- TCP forwarding and agent forwarding authorization boundaries
|
||||||
|
- Parser robustness for untrusted wire/config data
|
||||||
|
|
||||||
|
Primary files:
|
||||||
|
|
||||||
|
- `src/native.rs`
|
||||||
|
- `src/protocol.rs`
|
||||||
|
- `src/auth.rs`
|
||||||
|
- `src/ssh_agent.rs`
|
||||||
|
- `src/bin/dosh-client.rs`
|
||||||
|
- `src/bin/dosh-server.rs`
|
||||||
|
- `src/config.rs`
|
||||||
|
- `tests/parser_robustness.rs`
|
||||||
|
- `tests/protocol_auth.rs`
|
||||||
|
- `tests/hostile_network.rs`
|
||||||
|
- `tests/integration_smoke.rs`
|
||||||
|
- `fuzz/fuzz_targets/*`
|
||||||
|
|
||||||
|
Primary docs:
|
||||||
|
|
||||||
|
- `docs/NATIVE_V1_SPEC.md`
|
||||||
|
- `docs/THREAT_MODEL.md`
|
||||||
|
- `docs/PROTOCOL_VERSIONING.md`
|
||||||
|
- `docs/PUBLIC_READINESS.md`
|
||||||
|
- `docs/RELEASE_EVIDENCE_2026-06-20.md`
|
||||||
|
|
||||||
|
## Required Reviewer Questions
|
||||||
|
|
||||||
|
1. Is the native handshake transcript complete enough to bind client/server keys,
|
||||||
|
requested session, mode, env, and forwarding permissions?
|
||||||
|
2. Are host-key trust transitions fail-closed, especially unknown vs mismatch vs
|
||||||
|
explicit TOFU?
|
||||||
|
3. Are authorized-key options parsed conservatively enough, and are unsupported
|
||||||
|
options rejected safely?
|
||||||
|
4. Can replayed, reordered, delayed, stale, or cross-epoch packets affect terminal
|
||||||
|
input or forwarded streams more than once?
|
||||||
|
5. Does key rotation preserve confidentiality without creating split-brain epoch
|
||||||
|
states?
|
||||||
|
6. Do attach tickets create any bearer-token replay or privilege-extension issue?
|
||||||
|
7. Can UDP endpoint migration be abused for hijack or reflection?
|
||||||
|
8. Are local/remote/dynamic TCP forwarding and agent forwarding gated correctly by
|
||||||
|
client opt-in, server config, and authorized-key options?
|
||||||
|
9. Are parser and packet-size limits sufficient against malicious inputs?
|
||||||
|
10. Are there any unsafe assumptions in process/session persistence or holder
|
||||||
|
adoption?
|
||||||
|
|
||||||
|
## Current Local Evidence
|
||||||
|
|
||||||
|
As of 2026-06-20:
|
||||||
|
|
||||||
|
- `cargo test`: `153 passed, 1 ignored`
|
||||||
|
- `make soak-local`: passed 30-minute sleep/roaming soak
|
||||||
|
- `make fuzz-smoke`: passed all configured fuzz targets for 20s each
|
||||||
|
- `make bench-docker-mosh`: passed SSH, ControlMaster, native, cached, and Mosh
|
||||||
|
comparison gates
|
||||||
|
|
||||||
|
## Explicit Non-Claims Before Audit
|
||||||
|
|
||||||
|
- No claim of generic SSH protocol replacement.
|
||||||
|
- No claim of full Mosh compatibility.
|
||||||
|
- No claim that native v1 is externally audited.
|
||||||
|
- No claim that Windows server support is production-ready.
|
||||||
@@ -0,0 +1,122 @@
|
|||||||
|
# Dosh Release Evidence - 2026-06-20
|
||||||
|
|
||||||
|
Code benchmarked: `b44ff8e Improve release and benchmark tooling`
|
||||||
|
|
||||||
|
Environment:
|
||||||
|
|
||||||
|
- Host: local homelab runner
|
||||||
|
- Benchmark harness: `make bench-docker-mosh`
|
||||||
|
- Container SSH server: OpenSSH 9.6p1 on Ubuntu
|
||||||
|
- Same container, key, DNS, loopback, and Dosh server path for all Docker samples
|
||||||
|
|
||||||
|
## Release Artifacts
|
||||||
|
|
||||||
|
Generated locally with:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sh scripts/package-release.sh
|
||||||
|
```
|
||||||
|
|
||||||
|
Artifacts:
|
||||||
|
|
||||||
|
| artifact | sha256 |
|
||||||
|
| --- | --- |
|
||||||
|
| `dosh-linux-x86_64.tar.gz` | `f421ee56aac61892c9e152d2ef018cf95eb35dec2ca1b2b5cc82eeb1fcc12911` |
|
||||||
|
| `dosh-0.1.0-linux-x86_64.tar.gz` | `f421ee56aac61892c9e152d2ef018cf95eb35dec2ca1b2b5cc82eeb1fcc12911` |
|
||||||
|
|
||||||
|
The installer verifies `<artifact>.sha256` when the sidecar is published.
|
||||||
|
|
||||||
|
## Docker SSH/Mosh Benchmark
|
||||||
|
|
||||||
|
Command:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
make bench-docker-mosh
|
||||||
|
```
|
||||||
|
|
||||||
|
### Cold SSH Bootstrap
|
||||||
|
|
||||||
|
| metric | n | min ms | median ms | p95 ms | mean ms | max ms |
|
||||||
|
| --- | ---: | ---: | ---: | ---: | ---: | ---: |
|
||||||
|
| `ssh_true_ms` | 3 | 216.58 | 220.27 | 224.64 | 220.66 | 225.12 |
|
||||||
|
| `dosh_attach_ms` | 3 | 232.37 | 235.56 | 239.13 | 235.82 | 239.53 |
|
||||||
|
|
||||||
|
Raw samples:
|
||||||
|
|
||||||
|
- `ssh_true_ms`: [216.58, 220.27, 225.12]
|
||||||
|
- `dosh_attach_ms`: [235.56, 232.37, 239.53]
|
||||||
|
|
||||||
|
Gate: `dosh_attach_ms avg 235.82ms <= ssh avg 220.66ms + 500.00ms`
|
||||||
|
|
||||||
|
### ControlMaster SSH Bootstrap
|
||||||
|
|
||||||
|
| metric | n | min ms | median ms | p95 ms | mean ms | max ms |
|
||||||
|
| --- | ---: | ---: | ---: | ---: | ---: | ---: |
|
||||||
|
| `ssh_true_ms` | 3 | 7.29 | 7.50 | 47.51 | 22.25 | 51.95 |
|
||||||
|
| `dosh_attach_ms` | 3 | 16.62 | 17.01 | 17.77 | 17.16 | 17.85 |
|
||||||
|
|
||||||
|
Raw samples:
|
||||||
|
|
||||||
|
- `ssh_true_ms`: [51.95, 7.29, 7.50]
|
||||||
|
- `dosh_attach_ms`: [17.01, 16.62, 17.85]
|
||||||
|
|
||||||
|
Gate: `dosh_attach_ms avg 17.16ms <= ssh avg 22.25ms + 500.00ms`
|
||||||
|
|
||||||
|
### Native Cold Auth
|
||||||
|
|
||||||
|
| metric | n | min ms | median ms | p95 ms | mean ms | max ms |
|
||||||
|
| --- | ---: | ---: | ---: | ---: | ---: | ---: |
|
||||||
|
| `ssh_true_ms` | 5 | 215.72 | 222.68 | 227.05 | 221.32 | 227.82 |
|
||||||
|
| `dosh_cold_native_ms` | 5 | 8.63 | 8.84 | 9.16 | 8.88 | 9.23 |
|
||||||
|
|
||||||
|
Raw samples:
|
||||||
|
|
||||||
|
- `ssh_true_ms`: [216.40, 223.99, 227.82, 222.68, 215.72]
|
||||||
|
- `dosh_cold_native_ms`: [8.84, 8.63, 9.23, 8.88, 8.84]
|
||||||
|
|
||||||
|
Gate: `dosh_cold_native_ms avg 8.88ms <= ssh avg 221.32ms + 0.00ms`
|
||||||
|
|
||||||
|
### Cached Attach
|
||||||
|
|
||||||
|
| metric | n | min ms | median ms | p95 ms | mean ms | max ms |
|
||||||
|
| --- | ---: | ---: | ---: | ---: | ---: | ---: |
|
||||||
|
| `dosh_cached_attach_ms` | 10 | 8.07 | 8.96 | 9.83 | 8.98 | 9.84 |
|
||||||
|
|
||||||
|
Raw samples:
|
||||||
|
|
||||||
|
- `dosh_cached_attach_ms`: [8.07, 9.09, 9.02, 8.66, 8.71, 8.90, 8.45, 9.84, 9.25, 9.82]
|
||||||
|
|
||||||
|
Gate: `dosh_cached_attach_ms avg 8.98ms <= 25.00ms`
|
||||||
|
|
||||||
|
### Mosh Comparison
|
||||||
|
|
||||||
|
| metric | n | min ms | median ms | p95 ms | mean ms | max ms |
|
||||||
|
| --- | ---: | ---: | ---: | ---: | ---: | ---: |
|
||||||
|
| `ssh_true_ms` | 3 | 216.48 | 218.93 | 219.49 | 218.32 | 219.55 |
|
||||||
|
| `dosh_attach_ms` | 3 | 229.59 | 233.00 | 233.31 | 231.98 | 233.35 |
|
||||||
|
| `mosh_start_true_ms` | 3 | 527.13 | 563.34 | 573.09 | 554.89 | 574.18 |
|
||||||
|
|
||||||
|
Raw samples:
|
||||||
|
|
||||||
|
- `ssh_true_ms`: [219.55, 216.48, 218.93]
|
||||||
|
- `dosh_attach_ms`: [233.00, 229.59, 233.35]
|
||||||
|
- `mosh_start_true_ms`: [563.34, 527.13, 574.18]
|
||||||
|
|
||||||
|
## Soak And Fuzz Evidence
|
||||||
|
|
||||||
|
- `cargo test`: `153 passed, 1 ignored`
|
||||||
|
- `make soak-local`: `sleep_roaming_soak_30m ... ok`, finished in `1803.54s`
|
||||||
|
- `make fuzz-smoke`: passed all configured targets for 20s each:
|
||||||
|
`packet_decode`, `from_body`, `authorized_keys`, `known_hosts`,
|
||||||
|
`handshake_structs`, `attach_ticket`
|
||||||
|
|
||||||
|
## Public Claim Boundary
|
||||||
|
|
||||||
|
This evidence supports:
|
||||||
|
|
||||||
|
- Dosh cached attach and native auth are much faster than cold SSH/Mosh startup in
|
||||||
|
this benchmark environment.
|
||||||
|
- Dosh remains mosh-shaped, not mosh-compatible.
|
||||||
|
- Dosh does not claim generic SSH replacement compatibility.
|
||||||
|
- Native v1 security still needs external review before making hard public security
|
||||||
|
claims.
|
||||||
Reference in New Issue
Block a user