[darcs-devel] ssh release needed (Re: status of darcsden repo)

Ben Franksen ben.franksen at online.de
Thu Jul 2 10:29:51 UTC 2020


Am 02.07.20 um 00:40 schrieb Simon Michael:
> - Ben, ssh now depends on random 1.2+. Possibly that helps with the 
> cryptographic weakness you mentioned ?

I don't think so.

The random library was never meant to be used for cryptographical
purposes and the new version is merely (a lot) faster than previous
ones. I can't tell for sure whether the way it is used in the ssh
package is a critical weakness or not because I know very little about
cryptography in general and the ssh protocol in particular.

BTW, I am glad to hear that you are making progress with the ssh package.

> - maybe porting to hssh is the right move. I'm not sure; hssh was
> released two years later, but doesn't seem too active either, and
> would be less under our control (that can be good or bad).

It doesn't appear very active, true. Like so many other one-man projects
out there. The README says it currently supports:

Transport layer:

- `ssh-ed25519` host keys.
- Key exchange using the `curve25519-sha256 at libssh.org` algorithm.
- Encryption using the  `chacha20-poly1305 at openssh.com` algorithm.

Authentication layer:

- User authentication with `ssh-ed25519` public keys.

I think the only way to find out if it is suitable for darcsden is to
contact the auther and ask him if he is willing to accomodate us. For
instance by adding other algorithms (if we actually need them) or at
least accepting pull requests to that effect. Or by releasing more often
(there are a number of unreleased patches in the repo).

> If I
> understand things, ssh relies on the C libssh2 library (despite the
> "pure haskell" description), while hssh + cryptonite is 100% haskell,
> which arguably could makes it more cryptographically suspect.

I think you are mistaken. It is only the test code that depends on
libssh2 (which is an ssh /client/ implementation), not the server code.

Cheers
Ben

-- 
...it is impossible to speak of a depoliticized economy as the liberals
do, or of a separation between economic exploitation and political
oppression as the Marxists articulate. The basic distinction, rather, is
between power and creativity...
             -- Jonathan Nitzan and Shimshon Bichler: Capital as Power

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: OpenPGP digital signature
URL: <http://lists.osuosl.org/pipermail/darcs-devel/attachments/20200702/36321ed7/attachment.asc>


More information about the darcs-devel mailing list