I managed to get time for some hacking this weekend.
News for the 0.9.10 release
Fixed bug that caused buffered output to be lost at channel close.
Experimental SRP support.
New program srp-gen.
Improved the hex dumps in debug output.
Some details on the SRP stuff are in
http://www.lysator.liu.se/~nisse/lsh/doc/srp-spec.nroff and
http://srp.stanford.edu.
Basically, you can create a password verifier and store it at
~/.lsh/srp-verifier, for instance by running
srp-gen -o ~/.lsh/srp-verifier
If you remember the password, and both server and client are started
with --srp-keyexchange, you can log in in a reasonably secure way
using *only* the password, without knowing any host keys or
fingerprints.
The verifier should be kept secret; anyone who can read the verifier
can
(i) mount a dictionary attack on the SRP password
(ii) impersonate the server, i.e. mount a MITM attack on all future
connections that use SRP and the same user and password.
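As an added example (not lsh's own code and not its wire format), the following Python sketch of an SRP-6a style exchange shows the roles described above: the server stores only the salt and the password verifier g^x mod N, the client proves knowledge of the password, and both sides confirm they derived the same session key without any host key or fingerprint. It also shows why the verifier must stay secret: compute_verifier() regenerates v from the public salt and the password alone. The group parameters (a toy 61-bit prime), the SHA-256 hash, the class and function names, and the username and password are constructed assumptions for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Toy group parameters, constructed for this example and far too small for
# real use: N is the Mersenne prime 2^61 - 1, g a fixed base. A deployment
# uses a standardized large safe-prime group instead.
N = (1 << 61) - 1
g = 7
NBYTES = (N.bit_length() + 7) // 8


def h_int(*parts: bytes) -> int:
    """SHA-256 over the concatenated parts, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def to_bytes(x: int) -> bytes:
    return x.to_bytes(NBYTES, "big")


# SRP-6a multiplier k = H(N, g), fixed by the group parameters.
k = h_int(to_bytes(N), to_bytes(g))


def compute_x(salt: bytes, username: bytes, password: bytes) -> int:
    """Private key x = H(salt, H(username ":" password)); never leaves the client."""
    inner = hashlib.sha256(username + b":" + password).digest()
    return h_int(salt, inner)


def compute_verifier(salt: bytes, username: bytes, password: bytes) -> int:
    """Password verifier v = g^x mod N: the value a tool like srp-gen would store."""
    return pow(g, compute_x(salt, username, password), N)


def make_verifier(username: bytes, password: bytes) -> Tuple[bytes, int]:
    """Fresh random salt plus the verifier derived from it."""
    salt = secrets.token_bytes(16)
    return salt, compute_verifier(salt, username, password)


class SrpServer:
    """Holds only salt and verifier; never sees the password."""

    def __init__(self, salt: bytes, verifier: int):
        self.salt, self.v = salt, verifier
        self.b = secrets.randbelow(N - 1) + 1
        self.B = (k * self.v + pow(g, self.b, N)) % N

    def challenge(self) -> Tuple[bytes, int]:
        return self.salt, self.B

    def verify_client(self, A: int, M1: bytes) -> Optional[bytes]:
        """Check the client's proof; return the server's proof M2 on success."""
        if A % N == 0:
            raise ValueError("illegal client value A")
        u = h_int(to_bytes(A), to_bytes(self.B))
        S = pow(A * pow(self.v, u, N) % N, self.b, N)
        self.K = hashlib.sha256(to_bytes(S)).digest()
        expected = hashlib.sha256(to_bytes(A) + to_bytes(self.B) + self.K).digest()
        if not hmac.compare_digest(expected, M1):
            return None
        return hashlib.sha256(to_bytes(A) + M1 + self.K).digest()


class SrpClient:
    """Knows only the username and password; needs no host key."""

    def __init__(self, username: bytes, password: bytes):
        self.username, self.password = username, password
        self.a = secrets.randbelow(N - 1) + 1
        self.A = pow(g, self.a, N)

    def respond(self, salt: bytes, B: int) -> bytes:
        """Derive the session key from the server's challenge and produce proof M1."""
        if B % N == 0:
            raise ValueError("illegal server value B")
        u = h_int(to_bytes(self.A), to_bytes(B))
        x = compute_x(salt, self.username, self.password)
        base = (B - k * pow(g, x, N)) % N  # strips k*v, leaving g^b mod N
        S = pow(base, self.a + u * x, N)
        self.K = hashlib.sha256(to_bytes(S)).digest()
        self.M1 = hashlib.sha256(to_bytes(self.A) + to_bytes(B) + self.K).digest()
        return self.M1

    def verify_server(self, M2: bytes) -> bool:
        expected = hashlib.sha256(to_bytes(self.A) + self.M1 + self.K).digest()
        return hmac.compare_digest(expected, M2)


def login(username: bytes, password: bytes, salt: bytes, verifier: int) -> bool:
    """Run the full exchange; True only if both sides prove the same key."""
    server = SrpServer(salt, verifier)
    client = SrpClient(username, password)
    s, B = server.challenge()                # server -> client: salt, B
    M1 = client.respond(s, B)                # client -> server: A, M1
    M2 = server.verify_client(client.A, M1)  # server -> client: M2, or reject
    return M2 is not None and client.verify_server(M2)
```

A wrong password makes the client's g^x differ from the stored v, so the two sides compute different S and the proof M1 fails before any key is used; the A % N == 0 and B % N == 0 checks are the standard rejection of degenerate public values. Both sides end up with the same K, which is what a real implementation would feed into the transport's key derivation.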
http://www.lysator.liu.se/~nisse/archive/lsh-0.9.10.tar.gz
ftp://ftp.lysator.liu.se/pub/security/lsh/lsh-0.9.10.tar.gz
Happy hacking,
/Niels