Some bugixes to run on for Mac OS X #28
Conversation
2 similar comments
| @@ -69,9 +69,11 @@ protected function createResponse( | |||
| $kexAlgo = new $kexAlgo(); | |||
| $message = \fpoirotte\Pssht\Messages\KEXDH\INIT::unserialize($decoder); | |||
|
|
|||
| if (!$message->getQ()->isValid()) { | |||
There was a problem hiding this comment.
Why did you have to change that line?
|
Thanks for your words and your patch. While the second change is obviously required (I missed a variable rename while refactoring the code), I don't understand your other change (in src/Handlers/KEXDH/INIT.php). Could you please explain why it was necessary? |
|
Hi, when i uncomment it, i can't connect with |
I forgot to rename that variable while refactoring some code, leading to errors about undefined variables being used. See also #28.
|
OK, I temporarily disabled the check but plan to change the code later to include a proper fix. This however leaves some users vulnerable (those who use Elliptic Curve Diffie-Hellman, aka. ECDH) as invalid public keys could be used. Given that this project is mainly a toy and not intended for production use, it's a risk I'm willing to take for now. |
|
I agree, this should only be a temporary fix, especially as it opens some vulnerabilities! We really hope, that this project will switch to a stable and secure version as soon as possible, because it would perfectly fit to provide a secure shell for our application server. So, on the one hand, if we can provide you some help, feel free to give us a hint :) On the other hand, it'll be helpful if there'll be something like a roadmap with tasks that have to be solved! And again, projects like this are great enrichment for the PHP ecosystem 👍 |
|
And before i forget: It'll be really helpful if you could tag this version :) |
v0.1.1 ~~~~~~ * [#28] Temporarily fix Diffie–Hellman key exchange by disabling public key validation for Elliptic Curve Diffie–Hellman. This code will be revisited later on as it currently represents a possible security threat when ECDH is used. * Improve README (installation instruction, changelog). * Change the default ``pssht.xml`` so that it accepts connections from the same user as the one starting the server (prior to this change, it used an hardcoded username).
|
I just released version 0.1.1 which includes this fix as well as various other improvements. Hope this makes it easier for you. The roadmap for the project is defined as a series of milestones (see https://github.com/fpoirotte/pssht/milestones), but as you can see, the current milestone is way overdue. |
|
Hi François, thanks, thats awesome! I'll checkout the new version and the roadmap tomorrow :) Cheers Tim Wagner Telefon +49-8031-221055-0 TechDivision GmbH MAGENTO GOLD PARTNER
|
Hi, i tried to run the server on Mac OS X Yosemite and found some problems. After some fixes, it finally work. Very interesting project, congratulations!!!! We think about using it in our application server after some testing :)