openssh-portable VS Mosh

Unless I'm misunderstanding what this is about RFC5647 merely points out that the sequence number is included as AAD due to RFC4253 requirements. The [email protected] specification is not exactly the most rigorous thing I've ever seen (https://github.com/openssh/openssh-portable/blob/master/PROT...) but reading it, the sequence number is only included in the IV, and not as AAD, which directly runs afoul of the RFC4253 section 6.4 requirement for it to be included in the MAC.

The key layout is described in https://github.com/openssh/openssh-portable/blob/master/PROT... and you can view it pretty easily via

cat private_key_here | head -n -1 | tail -n +2 | base64 -d | xxd

One I created in 2016 is using aes256-cbc with bcrypt for the kdf, which isn't awful at all.

Interestingly, it looks like ssh-agent disables core dumps[1], but I don't see similar usage for sshd

1: https://github.com/openssh/openssh-portable/blob/694150ad927...

There's a current pull request for adding AF_UNIX support, which should make all kinds of exciting forwarding possible, since it will make it easy to proxy ssh connections through an arbitrary local process which can do anything to forward the data to the remote end.

https://github.com/openssh/openssh-portable/pull/431

OpenSSH server (allows connecting to containers)

It doesn't, at least not for generic/unmodified cryptographic applications.

WebAuthN signatures are of a very specific challenge/response format that applications need to explicitly support. For example, SSH had to add new key and signature formats [1] to support it.

Theoretically, a blockchain/cryptocurrency application could adopt the WebAuthN signature format as its canonical or an alternative signature format, but I'm not aware of any popular one having done so.

[1] https://github.com/openssh/openssh-portable/blob/master/PROT...

I just tested it and looked at the code briefly; the client fortunately does seem to remove all keys not provided by the server: https://github.com/openssh/openssh-portable/blob/36c6c3eff5e...

It seems like at least a `known_hosts` compromise would be "self-healing" after connecting to the legitimate github.com server once.

And OpenVAS and OpenSSH and OpenBSD and OpenNN and OpenAFS and on and on and on

If you haven’t already, and I know this doesn’t hold up for GUI emacs or vim, but consider running them through https://mosh.org/

FWIW, I wouldn't try to parse escape sequences "directly" from the input bytestream -- it's easy to end up with annoying bugs. Longer-term it's probably better to separate the logic e.g.:

- First step (for a UTF-8-input terminal emulator) means "lexing" the input bytestream as UTF-8 into a stream of USVs, which involves some subtleties (https://github.com/mobile-shell/mosh/blob/master/src/termina...).

- Second step is to run the DEC parser/FSM logic on the sequence of USVs, which is independent of the escape sequences (https://vt100.net/emu/dec_ansi_parser ; https://github.com/mobile-shell/mosh/blob/master/src/termina...).

- And then the third step is for the terminal to execute the "dispatch"/"execute"/etc. actions coming from the FSM, which is where the escape sequences and control chars get implemented (https://github.com/mobile-shell/mosh/blob/master/src/termina...).

Without this separation, it's easier to end up with bugs where, e.g., a UTF-8 sequence or an ANSI escape sequence is treated differently when it's split between multiple read() calls vs. all in one call.

Btw, you can use mosh to hide the latency of SSH. https://mosh.org/

I've been using Kitty's SSH features for as long as I can remember but I recently setup Mosh and I really like how it doesn't drop connections and supports roaming.

I am surprised many people write about ssh into a server. Mosh[1] feels more responsive and it also supports longer sessions.

[1] - https://mosh.org/

Also they support Mosh which I install on my servers. It's way better than plain ssh when you're on mobile networks and wifi, especially with connections that are unreliable or bandwidth-constrained.

I’ve recently been experimenting with MoSH (Mobile Shell). Basically think SSH but with UDP - so more resilient to shoddy network conditions, roaming access points, etc.

If it is not for production (e.g. running as a daemon or a server) and you only care about the development, another ad-hoc way is using screen/tmus-like software incl. byobu, and combine it with mosh.