Our great sponsors
-
cryptsetup-ssh-unlocker
Utility for unattended remote unlock of LUKS encrypted LVM using SSH and cryptsetup
-
InfluxDB
Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
-
dracut-sshd
Provide SSH access to initramfs early user space on Fedora and other systems that use Dracut
-
Wren
The Wren Programming Language. Wren is a small, fast, class-based concurrent scripting language.
-
WorkOS
The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.
A tool based on Dropbear that does exactly this, automatically.
https://github.com/ViktorStiskala/cryptsetup-ssh-unlocker
Question: when remotely unlock the boot disk via ssh, how do you make sure the boot has not been compromised and that you are not just sending the password to the bad guys?
At some point I wanted to do something with utrablue [1], to work over network rather than Bluetooth, but then it was in go and I got lazy suddenly :)
[1] https://github.com/ANSSI-FR/ultrablue
A better question to ask would have been, why settle for just memory safety - does a formally verified sshd exist? That kind of thing seems to be implemented more in OCaml and F#, like Project Everest, which has formally verified implementations of primitives (HACL) TLS, QUIC, and Signal https://project-everest.github.io/ ... ssh is notably missing?
I had a dig and found that ssh had in fact been done 9 years ago, tho it doesn't seem to have made it to a distribution: it's an offshoot of the CryptoVerif project[1] (which is, maybe unsurprisingly, under the umbrella of the same Prosecco team at Inria who worked on Project Everest). In 2015 Bruno Blanchet and David Cadé wrote a paper "From Computationally-Proved Protocol Specifications to Implementations and Application to SSH"[2] which describes using CryptoVerif to generate an implementation of SSH from the spec; the code is in the CryptoVerif tarball, but someone's helpfully put that up on github if you want a look https://github.com/mgrabovsky/cryptoverif/tree/master/implem...
The eye opening bits in the paper (given the claims of tinyssh to be small at < 100k words):
I think for these use case a SSH server in Go would be way simpler such as https://github.com/gliderlabs/ssh
Related posts
- Show HN: Wren – simple yet super extensible task management system
- Attempting each AOC in a language starting with each letter of the alphabet
- How do i do sftp in rpgle?
-
inlets-pro VS chisel-operator - a user suggested alternative
2 projects | 4 Jul 2023
- Chisel Operator - A Kubernetes operator and external load balancer/reverse proxy implementation for the Chisel tunnel server 🚀