Commit Graph

10 Commits

Author SHA1 Message Date
DuProcess 9a52d65beb Add opt-in, security-gated SSH-agent forwarding
Item 3: SSH-agent forwarding, double-gated (client -A/forward_agent AND server
allow_agent_forwarding) and off by default on both ends.

Wire: new ForwardingKind::Agent (appended, existing bincode discriminants
unchanged). Bumped protocol VERSION 2 -> 3 so a pre-agent peer answers with a
clear version-mismatch reject instead of a deserialize error.

Client: -A / --forward-agent flag; requires local SSH_AUTH_SOCK. Requests an
Agent forwarding during native auth (agent forwarding requires native auth) and,
on a server-initiated StreamOpen carrying the reserved @dosh-agent sentinel,
splices the stream into the local agent unix socket (separate agent_writers map,
TCP forwarding paths untouched). Rejects agent StreamOpens unless it opted in, so
a server cannot reach the agent without consent.

Server: when the client opted in and allow_agent_forwarding is set, binds a
per-session proxy unix socket (dir 0700, socket 0600) before the shell spawns,
exports its path as the session's SSH_AUTH_SOCK, and tunnels each connection back
to the client over the agent sentinel stream. Applies only to freshly spawned
shells (documented). Socket cleaned up on auth/forward failure and when the
accept loop ends. SECURITY rationale documented in comments.

Tests: 2 end-to-end integration tests (full chain identities round-trip via a
PTY-hosted client + looping fake agent; and "no -A => no proxy socket"). Docs
updated (README forwarding + disconnect-status note, spec §12.1). fmt + full test
suite green (122 tests).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-14 11:10:44 -04:00
DuProcess 828206f757 Publish threat model and refresh native v1 docs
Add docs/THREAT_MODEL.md deriving a publishable threat model from
NATIVE_V1_SPEC.md sections 4-6: assets, in/out-of-scope attackers,
security properties vs SSH (including where Dosh aims to exceed it),
cryptographic building blocks as implemented, and an honest
accepted-residual-risks / known-gaps section.

Refresh docs/PUBLIC_READINESS.md: feature matrix now reflects native
auth, host-key trust, authorized_keys policy, doctor, and -L/-R/-D
forwarding; add a per-item "Native v1 verification checklist status"
table mapping spec section 16 to done/in-progress/pending from code.

Update README.md status with a native v1 section and honest claim
posture pointing to THREAT_MODEL.md. Annotate NATIVE_V1_SPEC.md with a
v1 status block summarizing milestone progress. Point SPEC.md security
model and header at native auth and the threat model.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-14 10:27:40 -04:00
DuProcess 80166eae15 Keep Dosh alive across stale UDP reconnects
ci / test (push) Has been cancelled
ci / remote-bench (push) Has been cancelled
2026-06-13 10:20:03 -04:00
DuProcess 93374162ff Measure cached Dosh attach fast path
ci / test (push) Has been cancelled
ci / remote-bench (push) Has been cancelled
2026-06-12 22:45:13 -04:00
DuProcess 3a38a9da80 Add public comparison benchmarks and SSH import
ci / test (push) Has been cancelled
ci / remote-bench (push) Has been cancelled
2026-06-12 14:27:58 -04:00
Codex 3ad8f95833 Add dosh update command
ci / test (push) Has been cancelled
ci / remote-bench (push) Has been cancelled
2026-06-11 09:49:53 -04:00
Codex 0eca4f1cf4 Add fresh default sessions and terminal status handling
ci / test (push) Has been cancelled
ci / remote-bench (push) Has been cancelled
2026-06-11 09:41:46 -04:00
Codex babfb204c3 Use installed dosh-auth path for SSH bootstrap
ci / test (push) Has been cancelled
ci / remote-bench (push) Has been cancelled
2026-06-11 09:03:20 -04:00
Codex 12beb04d4d Support SSH aliases in Dosh client installs
ci / test (push) Has been cancelled
ci / remote-bench (push) Has been cancelled
2026-06-11 08:46:24 -04:00
Codex 555d738a85 Initial Dosh implementation
ci / test (push) Has been cancelled
ci / remote-bench (push) Has been cancelled
2026-06-11 08:42:28 -04:00