dracut-sshd
cryptoverif
| dracut-sshd | cryptoverif | |
|---|---|---|
| 7 | 1 | |
| 204 | 4 | |
| - | - | |
| 4.6 | - | |
| about 1 month ago | over 7 years ago | |
| Shell | OCaml | |
| - | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
dracut-sshd
- Tinyssh
-
home server encryption
There is also dracut-sshd, which works great for distros using - surprise - dracut.
-
Encryption with NAS Volume
Personally, I'm running OpenSuse Tumbleweed and used the graphical installer this time out of convenience. If you want to remotely unlock it over ssh, I can recommend https://github.com/gsauthof/dracut-sshd. Works pretty well.
-
I switched to MicroOS GNOME and I don't think I'm returning back to regular distributions
The only thing that prevented me from going with MicroOS during my last server install was uncertainty about how well it would handle remote unlocking of luks system encryption for which I'm using dracut-sshd.
-
Getting WiFi to Connect Early (for dracut-sshd).
I'm trying to use the dracut-sshd package on Fedora 35. The instructions only describe how to use dracut-network and networkd to get a wired internet connection during boot (for SSH to work). I'm completely unfamiliar with these so I'm not sure what to change in order to make it work with a wireless connection instead. I tried changing their example in various ways with no luck.
- Remotely unlocking headless server
-
Remote unlocking encrypted system via ssh doesn't work!
I prefer this https://github.com/gsauthof/dracut-sshd
cryptoverif
-
Tinyssh
A better question to ask would have been, why settle for just memory safety - does a formally verified sshd exist? That kind of thing seems to be implemented more in OCaml and F#, like Project Everest, which has formally verified implementations of primitives (HACL) TLS, QUIC, and Signal https://project-everest.github.io/ ... ssh is notably missing?
I had a dig and found that ssh had in fact been done 9 years ago, tho it doesn't seem to have made it to a distribution: it's an offshoot of the CryptoVerif project[1] (which is, maybe unsurprisingly, under the umbrella of the same Prosecco team at Inria who worked on Project Everest). In 2015 Bruno Blanchet and David Cadé wrote a paper "From Computationally-Proved Protocol Specifications to Implementations and Application to SSH"[2] which describes using CryptoVerif to generate an implementation of SSH from the spec; the code is in the CryptoVerif tarball, but someone's helpfully put that up on github if you want a look https://github.com/mgrabovsky/cryptoverif/tree/master/implem...
The eye opening bits in the paper (given the claims of tinyssh to be small at < 100k words):
What are some alternatives?
wireguard-initramfs - Use dropbear over wireguard.
dracut-crypt-ssh - dracut initramfs module to start dropbear sshd during boot to unlock the root filesystem with the (cryptsetup) LUKS passphrase remotely
dracut - dracut the event driven initramfs infrastructure
u-root - A fully Go userland with Linux bootloaders! u-root can create a one-binary root file system (initramfs) containing a busybox-like set of tools written in Go.
ubuntu-server-zfsbootmenu - Ubuntu zfsbootmenu install script
yubikey-full-disk-encryption - Use YubiKey to unlock a LUKS partition
zfsbootmenu - ZFS Bootloader for root-on-ZFS systems with support for snapshots and native full disk encryption
ubuntu-server-zfsbootmenu
nala