By Thomas Habets email@example.com 2010-2019
What is it?
It's like SSH but based on TLS. And you only log in using client certificates, never usernames or passwords.
I often find that OpenSSH is too big, has too many features that can subvert security. Yet it doesn't have the features that I want.
I wanted a minimal crypto layer on top of the SSL crypto model.
Compared to OpenSSH
- Write contents of local file as if I typed it (not done yet, but OpenSSH don't want it)
- xmodem file xfer (not done yet)
- TLS is the only manner of authentication = only thing security depends on (besides kernel, firmware and hardware that are all out of scope)
- CA model. Server can have VeriSign signed server cert.
- Expiring & revoking keys (OpenSSH certificates have this now)
- Can store private keys in TPM.
- Less portable
- Less tested
- Less audited
- Fewer features (channels, etc). This is on purpose.
- Requires CA
- SSL data structs are pure madness, odds of OpenSSL being perfect when parsing them is less than 100%
Where can I get it?
git clone git://github.com/ThomasHabets/tlssh.git
- Support for TCP MD5 in Linux is always on since 2.6.27
- Cacert.org Class 1 CRL: http://crl.cacert.org/revoke.crl
- Telnet protocol RFC: http://www.faqs.org/rfcs/rfc854.html
Send questions/suggestions/patches/rants/0days to firstname.lastname@example.org