d51cc248e7
ci / test (push) Has been cancelled
ci / fuzz-smoke (push) Has been cancelled
ci / package-release (linux-x86_64, ubuntu-latest) (push) Has been cancelled
ci / package-release (macos-aarch64, macos-14) (push) Has been cancelled
ci / package-release (macos-x86_64, macos-13) (push) Has been cancelled
ci / package-release (windows-x86_64, windows-latest) (push) Has been cancelled
ci / remote-bench (push) Has been cancelled
76 lines
2.6 KiB
Markdown
76 lines
2.6 KiB
Markdown
# Dosh Native v1 Audit Packet
|
|
|
|
This is the handoff checklist for an external security review.
|
|
|
|
## Scope
|
|
|
|
Review the security properties of Dosh native v1:
|
|
|
|
- Native UDP authentication and key exchange
|
|
- Host key trust and known-host mismatch behavior
|
|
- Authorized key parsing and policy enforcement
|
|
- Transport encryption, replay protection, rekeying, resume, and stale packet handling
|
|
- Attach ticket sealing/opening
|
|
- TCP forwarding and agent forwarding authorization boundaries
|
|
- Parser robustness for untrusted wire/config data
|
|
|
|
Primary files:
|
|
|
|
- `src/native.rs`
|
|
- `src/protocol.rs`
|
|
- `src/auth.rs`
|
|
- `src/ssh_agent.rs`
|
|
- `src/bin/dosh-client.rs`
|
|
- `src/bin/dosh-server.rs`
|
|
- `src/config.rs`
|
|
- `tests/parser_robustness.rs`
|
|
- `tests/protocol_auth.rs`
|
|
- `tests/hostile_network.rs`
|
|
- `tests/integration_smoke.rs`
|
|
- `fuzz/fuzz_targets/*`
|
|
|
|
Primary docs:
|
|
|
|
- `docs/NATIVE_V1_SPEC.md`
|
|
- `docs/THREAT_MODEL.md`
|
|
- `docs/PROTOCOL_VERSIONING.md`
|
|
- `docs/PUBLIC_READINESS.md`
|
|
- `docs/RELEASE_EVIDENCE_2026-06-20.md`
|
|
|
|
## Required Reviewer Questions
|
|
|
|
1. Is the native handshake transcript complete enough to bind client/server keys,
|
|
requested session, mode, env, and forwarding permissions?
|
|
2. Are host-key trust transitions fail-closed, especially unknown vs mismatch vs
|
|
explicit TOFU?
|
|
3. Are authorized-key options parsed conservatively enough, and are unsupported
|
|
options rejected safely?
|
|
4. Can replayed, reordered, delayed, stale, or cross-epoch packets affect terminal
|
|
input or forwarded streams more than once?
|
|
5. Does key rotation preserve confidentiality without creating split-brain epoch
|
|
states?
|
|
6. Do attach tickets create any bearer-token replay or privilege-extension issue?
|
|
7. Can UDP endpoint migration be abused for hijack or reflection?
|
|
8. Are local/remote/dynamic TCP forwarding and agent forwarding gated correctly by
|
|
client opt-in, server config, and authorized-key options?
|
|
9. Are parser and packet-size limits sufficient against malicious inputs?
|
|
10. Are there any unsafe assumptions in process/session persistence or holder
|
|
adoption?
|
|
|
|
## Current Local Evidence
|
|
|
|
As of 2026-06-20:
|
|
|
|
- `cargo test`: `153 passed, 1 ignored`
|
|
- `make soak-local`: passed 30-minute sleep/roaming soak
|
|
- `make fuzz-smoke`: passed all configured fuzz targets for 20s each
|
|
- `make bench-docker-mosh`: passed SSH, ControlMaster, native, cached, and Mosh
|
|
comparison gates
|
|
|
|
## Explicit Non-Claims Before Audit
|
|
|
|
- No claim of generic SSH protocol replacement.
|
|
- No claim of full Mosh compatibility.
|
|
- No claim that native v1 is externally audited.
|
|
- No claim that Windows server support is production-ready.
|