Hey all, So I do some development based on openssh and I'm trying to think of some new projects that might extend the functionality, feature set, user workflow, performance, etc of ssh. So open ended question: Do any of you have a wish list of things you'd like to see in ssh? Mostly I'm just curious to see what the larger community is thinking of rather than being driven entirely by what I think is cool. Chris
I asked for x448 key exchange support in 2017, and even offered to write the code for it. The devs didn't want it, citing that they'd rather add support for quantum-resistant exchanges instead. Eventually we got sntrup761x25519-sha512 at openssh.com, which provides 128 bits of symmetric security. I'd like sntrup761x448-sha512 at openssh.com, which would provide ~256 bits of symmetric security.

--
Joseph S. Testa II
Founder & Principal Security Consultant
Positron Security
Some time ago I made a proposal to add a mechanism that would allow a hook to be executed whenever an unsuccessful login attempt was made: https://bugzilla.mindrot.org/show_bug.cgi?id=3384. The idea was to manage a blacklist to lock out hosts that repeatedly attempted to log in by trying common passwords. Unfortunately, I could not get much attention and gave up on it.

Thomas
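The lockout policy such a hook would drive, as an added example that is not part of the thread or of the bugzilla proposal: a sliding-window blacklist that locks a source address out after a configurable number of password failures, fed here from constructed sshd log lines (the TEST-NET addresses, host name and pids are made up) because the hook itself does not exist upstream. The threshold, window and lockout duration are assumptions; the `on_failure` method is the point a per-failure hook would call.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Lines sshd logs for a failed password attempt at LogLevel INFO; the
# "invalid user" variant appears when the user name does not exist locally.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+ ssh2"
)

class LockoutList:
    """Sliding-window lockout: a host is blacklisted once it produces
    `threshold` failures within `window`, and stays so for `lockout`."""

    def __init__(self, threshold=5, window=timedelta(minutes=10),
                 lockout=timedelta(hours=1)):
        self.threshold, self.window, self.lockout = threshold, window, lockout
        self._failures = defaultdict(deque)   # ip -> recent failure timestamps
        self._locked = {}                     # ip -> lockout expiry

    def on_failure(self, ip, user, when):
        """What a per-failure sshd hook (hypothetical) would call.
        Returns True when this failure newly locks the host out."""
        if self.is_locked(ip, when):
            return False
        q = self._failures[ip]
        q.append(when)
        while q and when - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self._locked[ip] = when + self.lockout
            q.clear()
            return True
        return False

    def is_locked(self, ip, now):
        expiry = self._locked.get(ip)
        if expiry is None:
            return False
        if now >= expiry:                         # lockout expired: forget it
            del self._locked[ip]
            return False
        return True

    def locked_hosts(self, now):
        return sorted(ip for ip in list(self._locked) if self.is_locked(ip, now))

def parse_auth_line(line, year):
    """Return (timestamp, user, source ip) for a failed-password line, else None.
    The syslog prefix 'Mon DD HH:MM:SS' carries no year, so the caller supplies it."""
    m = FAILED_RE.search(line)
    if not m:
        return None
    when = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    return when, m.group("user"), m.group("ip")

def replay(lines, year=2023, **policy):
    """Feed log lines to the lockout policy in place of the proposed hook.
    Returns the LockoutList and a list of (ip, iso timestamp) lockout events."""
    ll = LockoutList(**policy)
    events = []
    for line in lines:
        parsed = parse_auth_line(line, year)
        if parsed is None:
            continue
        when, user, ip = parsed
        if ll.on_failure(ip, user, when):
            events.append((ip, when.isoformat()))
    return ll, events

def locked_hosts_at(ll, iso_now):
    return ll.locked_hosts(datetime.fromisoformat(iso_now))

# Constructed sample log; 203.0.113.7 hammers two accounts within a minute,
# 198.51.100.9 fails only every 15 minutes and never reaches the threshold.
SAMPLE_LOG = """\
Oct 18 19:13:01 bastion sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Oct 18 19:13:09 bastion sshd[4103]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Oct 18 19:13:15 bastion sshd[4105]: Failed password for root from 203.0.113.7 port 51041 ssh2
Oct 18 19:13:20 bastion sshd[4107]: Accepted publickey for rapier from 192.0.2.15 port 40022 ssh2
Oct 18 19:13:31 bastion sshd[4109]: Failed password for root from 203.0.113.7 port 51055 ssh2
Oct 18 19:14:20 bastion sshd[4111]: Failed password for invalid user pi from 203.0.113.7 port 51060 ssh2
Oct 18 19:20:00 bastion sshd[4120]: Failed password for root from 198.51.100.9 port 60000 ssh2
Oct 18 19:35:00 bastion sshd[4131]: Failed password for root from 198.51.100.9 port 60001 ssh2
Oct 18 19:50:00 bastion sshd[4142]: Failed password for root from 198.51.100.9 port 60002 ssh2
"""

if __name__ == "__main__":
    ll, events = replay(SAMPLE_LOG.splitlines())
    for ip, when in events:
        print(f"lock out {ip} at {when}")
```

Two things a real deployment has to get right that the log-scraping stand-in hides: the lockout must expire (otherwise a spoofed or shared NAT address stays blocked forever), and successful logins from an address should not count toward the threshold, which is why the regex deliberately ignores `Accepted` lines.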
Chris Rapier wrote in <9b9c0475-7c4f-468a-b6bf-7921fb5e276c at psc.edu>:

|So I do some development based on openssh and I'm trying to think of some new projects that might extend the functionality, feature set, user workflow, performance, etc of ssh.

Despite my own two-year-old SIGUSR1 for ssh-agent that I rebase all the time: SSH over UDP (or "any other non-stream", or "auto-connection-re-establish" protocol).

I do not know how it can work for you all if you have internet access via WLAN; maybe IPsec is also an option, I do not use it as I am afraid of the setup (on all end points; there is that interesting thing for OpenBSD, but I never heard anything real again -- and OpenBSD only, of course), and WireGuard does this really nicely! Yes, I am thankful for the UDP-based WireGuard, it improved my SSH experience tremendously, as eventual "reconnections" are not seen by OpenSSH at all; it is only the timeouts that keep on ticking.

As WG also then bypasses the normal FILTER firewall once a connection is established, I can use super strict firewalling rules on the freely chosen ports WG listens on. This did not work out with plain SSH even with ControlMaster, as after a connection break you, well, have to re-establish a TCP connection, thus counting against the limit. (I mean, I do have a port-knocking thing that whitelists me for 30 seconds, NOW; before, it only could remove all occurrences of the remote IP from all firewall lists. Now I simply can thereafter use WG (wg show XX dump) to whitelist in an early "table" any client that successfully connected (in the last X seconds). What a relief!)

Now the only thing that remains is that ~60 second connection limit for OpenBSD downloads on their main server, since with 64KBit you cannot even download the openssh ball within it.

Thank you.

--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
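The "whitelist any client that recently completed a WireGuard handshake" step, as an added example that is neither Steffen's script nor anything from the WireGuard or OpenSSH projects: it parses the tab-separated output of `wg show <iface> dump` (interface line first, then one line per peer with public-key, preshared-key, endpoint, allowed-ips, latest-handshake, transfer-rx, transfer-tx, persistent-keepalive) and renders nftables `add element` commands for the endpoint address of every peer whose last handshake is fresher than a cutoff. The sample dump, the key placeholders, the `inet filter` table and the `wg_recent4`/`wg_recent6` set names are constructed for the example; Steffen did not say which firewall or ruleset he uses.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Peer:
    public_key: str
    endpoint_ip: Optional[str]   # address the peer last talked from; None if never seen
    allowed_ips: List[str]
    latest_handshake: int        # unix seconds, 0 = no handshake yet

def endpoint_host(endpoint: str) -> Optional[str]:
    """'203.0.113.7:40312' -> '203.0.113.7', '[2001:db8::9]:51820' -> '2001:db8::9'."""
    if endpoint == "(none)":
        return None
    host, _, _port = endpoint.rpartition(":")
    return host.strip("[]")

def parse_wg_dump(text: str) -> List[Peer]:
    """Parse `wg show <iface> dump` output. The first line describes the
    interface (private-key, public-key, listen-port, fwmark) and is skipped."""
    peers = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        pub, _psk, endpoint, allowed, handshake, _rx, _tx, _keepalive = line.split("\t")
        peers.append(Peer(pub, endpoint_host(endpoint), allowed.split(","), int(handshake)))
    return peers

def recently_connected(peers: List[Peer], now: int, max_age: int) -> List[Peer]:
    """Peers whose last handshake is at most max_age seconds old.
    A handshake of 0 means 'never'; a negative age (clock skew) is not trusted."""
    return [p for p in peers
            if p.latest_handshake and 0 <= now - p.latest_handshake <= max_age]

def whitelist_rules(peers: List[Peer], now: int, max_age: int = 120,
                    table: str = "inet filter", set_prefix: str = "wg_recent") -> List[str]:
    """nft commands adding each recent peer's public endpoint address to an
    IPv4 or IPv6 set. Table and set names are assumptions for this example."""
    rules = []
    for p in recently_connected(peers, now, max_age):
        if p.endpoint_ip is None:
            continue
        fam = ipaddress.ip_address(p.endpoint_ip).version   # 4 or 6
        rules.append(f"add element {table} {set_prefix}{fam} {{ {p.endpoint_ip} }}")
    return rules

# Constructed dump: keys are placeholders, addresses are documentation ranges.
# Peer 1 shook hands 60 s before `now`, peer 2 about 88 minutes before, peer 3 never.
SAMPLE_DUMP = (
    "PRIVKEY-PLACEHOLDER\tSERVER-PUBKEY-PLACEHOLDER\t51820\toff\n"
    "PEER1-PUBKEY-PLACEHOLDER\t(none)\t203.0.113.7:40312\t10.7.0.2/32\t1697655200\t8192\t4096\t25\n"
    "PEER2-PUBKEY-PLACEHOLDER\t(none)\t[2001:db8::9]:51820\t10.7.0.3/32\t1697650000\t0\t0\toff\n"
    "PEER3-PUBKEY-PLACEHOLDER\t(none)\t(none)\t10.7.0.4/32\t0\t0\t0\toff\n"
)

if __name__ == "__main__":
    import sys, time
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    now = int(time.time()) if dump is not SAMPLE_DUMP else 1697655260
    print("\n".join(whitelist_rules(parse_wg_dump(dump), now)))
```

In use this is `wg show wg0 dump | python3 wg_recent.py | nft -f -` from a short cron or timer, with the sets declared with a `timeout` so entries age out on their own. The caveat a practitioner should keep in mind: the address being whitelisted is the endpoint WireGuard last saw the peer at, which moves when the client roams between networks, so the cutoff should be no longer than the interval at which the rules are regenerated.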
Chris Rapier wrote:
> Do any of you have a wish list of things you'd like to see in ssh?

Integration of linemode support. I got it working once, https://github.com/hyc/OpenSSH-LINEMODE, but there seems to be no interest in merging the work. It's still valuable when connecting over mobile data and other high-latency networks. I get it that the majority of developers in the US aren't exposed to such networks these days, but they're still very much a reality in the rest of the world.

--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
> Do any of you have a wish list of things you'd like to see in ssh?
>
> Mostly I'm just curious to see what the larger community is thinking of rather than being driven entirely by what I think is cool.

My €0,02:

- https://marc.info/?t=169442622800001&r=1&w=2
- IIRC the ControlMaster stuff doesn't remember for _which_ client a port forwarding was done, so it can't remove it when this client quits. That might arguably be more of a bugfix, though.
- Also, when having a session open via ControlMaster, ~# won't list connections from _other_ clients, nor port forwardings. Having more menu options in ~? to see the forwardings, stop them, and wasn't there an option to _add_ forwardings to established connections?
There are various requests related to extending GSS support (and patches present in RHEL/Fedora, Debian/Ubuntu etc), but they were rejected by upstream several months ago.

--
Dmitry Belyavskiy
Hi Chris,

On 18/10/2023 19:13, Chris Rapier wrote:
> Do any of you have a wish list of things you'd like to see in ssh?

Get Roumen Petrov's pkissh implementation merged and maintained upstream. I know this is a huge page with little chance of getting accepted, but I'd like to mention this, because it has been on my personal wish list for a long time. Sure, I can install pkissh, but if it were upstream, another 5-10 years later it would probably arrive in the distributions and get used widely.

Martin
Hey Chris,

On Wed, 2023-10-18 at 13:13 -0400, Chris Rapier wrote:
> Do any of you have a wish list of things you'd like to see in ssh?

Meanwhile, a lot of parts have to work together for SSH to work as desired: ssh client, ssh-agent, gpg-agent, scdaemon, sshd, pam, .... As an admin who works with SSH all day in a company whose employees do everything via SSH, I would like to see better debug options in the entire stack, with the long-term goal of being able to evaluate them automatically with some data format (json, yaml). sshd and ssh-agent cannot be switched to 'debug' mode afterwards without shooting yourself in the foot. It would be nice if there were better ways to find out why something didn't work. For example, we've had corporate firewalls that discarded certain handshake packets and it was really hard to get the idea of what was going wrong in the first place.

ESC~#
Björn Lässig
On Wed, 18 Oct 2023, at 19:13, Chris Rapier wrote:
> Do any of you have a wish list of things you'd like to see in ssh?

Line-rate ssh. Like, if I have a 10G pipe I should be able to push 10G through without spending significant effort tweaking it for this specific transfer. I know this is partially wishful thinking, but I'd like it to be easier. This might be QUIC or some other UDP layer, or it might be something else entirely. ssh is my go-to tool for shifting almost anything from one place to another, except where I'm limited by single TCP streams.

A+
Dave