Re: Bug#1059618: ITP: ssh3 -- faster and rich secure shell using HTTP/3

2024-01-14 Thread Simon Josefsson
Bastian Blank  writes:

> On Fri, Dec 29, 2023 at 11:30:14AM +0100, Simon Josefsson wrote:
>> * Package name: ssh3
>
> This package name is clearly not acceptable.  SSH is a well known name
> and this project is completely unrelated to it.

Agreed.  Packagers have settled on using 'soh' for the name, see:

https://github.com/francoismichel/ssh3/issues/79
https://github.com/francoismichel/ssh3/pull/96

Once 0.1.5 is released, I will try to update the package to use the new
name.  It doesn't seem to collide with anything in Debian, as far as I
can tell.  It would be nice to have confirmation other distributions are
going to use the same name, but I think we have that in the discussion
above.  Thoughts?

Hyperbole in package descriptions is common, the current text is from
the upstream authors and I think it makes sense to copy that in the
package description.  If you can think of some improvement, consider
submitting a patch: https://salsa.debian.org/go-team/packages/ssh3

/Simon


signature.asc
Description: PGP signature


Re: Bug#1059618: ITP: ssh3 -- faster and rich secure shell using HTTP/3

2024-01-14 Thread Bastian Blank
On Fri, Dec 29, 2023 at 11:30:14AM +0100, Simon Josefsson wrote:
> * Package name: ssh3

This package name is clearly not acceptable.  SSH is a well known name
and this project is completely unrelated to it.

So this is an academic project.  I would question that it actually
solves the same problem as SSH does.

The paper might also be misleading.  They compare session setup time,
but don't even describe the used parameters.  They don't describe a way
to use real authentication, instead they just refer to HTTP, which does
not specify anything equivalent to what SSH uses by default.

> - Significantly faster session establishment

Questionable.

> - New HTTP authentication methods such as OAuth 2.0 and OpenID Connect
>   in addition to classical SSH authentication

In addition?  I don't see any way to use authentication similar to SSH
in this.  But maybe just show where I can use sk-ssh-ed25...@openssh.com
authentication, which is a modern one, with this.

> - Robustness to port scanning attacks: your SSH3 server can be made
>   invisible to other Internet users

You still have a HTTP listener that can be seen.

Bastian

-- 
It would be illogical to assume that all conditions remain stable.
-- Spock, "The Enterprise Incident", stardate 5027.3



Re: Bug#1059618: ITP: ssh3 -- faster and rich secure shell using HTTP/3

2023-12-30 Thread Marvin Renich
* Jonathan Kamens  [231230 14:39]:
> I think even "ssh-h3" is a confusing and frankly impudent name. The
> creator of this new package appears to be intentionally trying to use
> the ubiquity of the ssh "brand" to their benefit. This brand confusion
> can only harm end users and I do not think Debian should facilitate
> it.
> 
> Even something as simple as naming it h3sh would have avoided the
> brand confusion while communicating the purpose of the package. This
> does not appear to be a case of "unknowing infringement." It appears
> to be intentional.
> 
> Regardless of whether or not that's so, it is harmful and should be fixed.

No argument from me there.  The point was that if upstream does not
rename the project or executable, the package name does not need to
match the executable or even the upstream project name.

...Marvin



Re: Bug#1059618: ITP: ssh3 -- faster and rich secure shell using HTTP/3

2023-12-30 Thread rhys
Based on this:  https://news.ycombinator.com/item?id=38664729

I would say that others have come to the same conclusion.  Even the post title 
literally says it's not really "SSHv3" but rather SSHv2 using a different 
transport mechanism.

A package name that reflects THAT might be appropriate - like 
'golang-ssh2-tunnel' or some such thing (long but descriptive package names 
don't bother me) - but I absolutely agree that calling it "ssh3" is misleading 
and inappropriate.

--J

> On Dec 30, 2023, at 13:31, Jonathan Kamens  wrote:
> 
> I think even "ssh-h3" is a confusing and frankly impudent name. The creator 
> of this new package appears to be intentionally trying to use the ubiquity of 
> the ssh "brand" to their benefit. This brand confusion can only harm end 
> users and I do not think Debian should facilitate it.
> 
> Even something as simple as naming it h3sh would have avoided the brand 
> confusion while communicating the purpose of the package. This does not 
> appear to be a case of "unknowing infringement." It appears to be intentional.
> 
> Regardless of whether or not that's so, it is harmful and should be fixed.
> 
> Jik
> 
> 
> On December 30, 2023 2:02:56 PM EST, Marvin Renich  wrote:
>> * Simon Josefsson  [231230 11:54]:
>>> One alternative that was suggested was to call the package something
>>> else in Debian.  'golang-ssh3'?  'go-ssh3'?  Still somewhat problematic
>>> as long as the 'ssh3' name is in there.
>> 
>> There is no reason the package (source and binary) can't be named ssh-h3
>> even if the binary is not renamed.  I would not keep the "ssh3" part in
>> the package name.
>> 
>> ...Marvin
>> 
> 
> -- 
> Sent from my phone. Please excuse brevity and autocorrect errors.



Re: Bug#1059618: ITP: ssh3 -- faster and rich secure shell using HTTP/3

2023-12-30 Thread Jonathan Kamens
I think even "ssh-h3" is a confusing and frankly impudent name. The creator of 
this new package appears to be intentionally trying to use the ubiquity of the 
ssh "brand" to their benefit. This brand confusion can only harm end users and 
I do not think Debian should facilitate it.

Even something as simple as naming it h3sh would have avoided the brand 
confusion while communicating the purpose of the package. This does not appear 
to be a case of "unknowing infringement." It appears to be intentional.

Regardless of whether or not that's so, it is harmful and should be fixed.

Jik

On December 30, 2023 2:02:56 PM EST, Marvin Renich  wrote:
>* Simon Josefsson  [231230 11:54]:
>> One alternative that was suggested was to call the package something
>> else in Debian.  'golang-ssh3'?  'go-ssh3'?  Still somewhat problematic
>> as long as the 'ssh3' name is in there.
>
>There is no reason the package (source and binary) can't be named ssh-h3
>even if the binary is not renamed.  I would not keep the "ssh3" part in
>the package name.
>
>...Marvin
>

-- 
Sent from my phone. Please excuse brevity and autocorrect errors.

Re: Bug#1059618: ITP: ssh3 -- faster and rich secure shell using HTTP/3

2023-12-30 Thread Marvin Renich
* Simon Josefsson  [231230 11:54]:
> One alternative that was suggested was to call the package something
> else in Debian.  'golang-ssh3'?  'go-ssh3'?  Still somewhat problematic
> as long as the 'ssh3' name is in there.

There is no reason the package (source and binary) can't be named ssh-h3
even if the binary is not renamed.  I would not keep the "ssh3" part in
the package name.

...Marvin



Re: Bug#1059618: ITP: ssh3 -- faster and rich secure shell using HTTP/3

2023-12-30 Thread Emmanuel Arias
[snip]

> I agree - as the Debian OpenSSH maintainer, I'm concerned that this will
> cause a new source of user confusion because people will think "ah,
> ssh3, that must be better than ssh" (which indeed seems to have been a

This was my first thought.

[snip]

--
cheers,
Emmanuel Arias

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁  eam...@debian.org
 ⢿⡄⠘⠷⠚⠋⠀  OpenPGP: 13796755BBC72BB8ABE2AEB5 FA9DEC5DE11C63F1
 ⠈⠳⣄



Re: Bug#1059618: ITP: ssh3 -- faster and rich secure shell using HTTP/3

2023-12-30 Thread Simon Josefsson
Colin Watson  writes:

> On Sat, Dec 30, 2023 at 12:13:28AM +0100, Philipp Kern wrote:
>> On 29.12.23 11:30, Simon Josefsson wrote:
>> > SSH3 is a complete revisit of the SSH protocol, mapping its semantics on
>> > top of the HTTP mechanisms. In a nutshell, SSH3 uses QUIC+TLS1.3 for
>> > secure channel establishment and the HTTP Authorization mechanisms for
>> > user authentication. Among others, SSH3 allows the following
>> > improvements:
>> 
>> I feel like SSH3 is an unfortunate name. The program claims "SSH3 stands for
>> the concatenation of SSH and H3." - well sure, but you're also reusing the
>> name of an existing protocol and bump its version. ssh-h3?
>
> I agree - as the Debian OpenSSH maintainer, I'm concerned that this will
> cause a new source of user confusion because people will think "ah,
> ssh3, that must be better than ssh" (which indeed seems to have been a
> deliberate marketing choice by this project) and not realize that it's a
> largely incompatible thing.  Not to mention the way that it parses
> OpenSSH configuration files, which may work today but I doubt OpenSSH
> offers any guarantees that it won't make changes that will break this
> independent parser in future.

I share these concerns, so I'll delay the upload for now.  I'm hoping
upstream will rename the project to something less confusing.

> I also feel that something security-critical like this that's labelled
> by upstream as "still experimental" probably shouldn't be in a Debian
> release.  Maybe it should be kept in Debian experimental for the time
> being?

Sounds good if nothing happens on the naming front in the next
weeks/months.  Let's wait and see a bit.

One alternative that was suggested was to call the package something
else in Debian.  'golang-ssh3'?  'go-ssh3'?  Still somewhat problematic
as long as the 'ssh3' name is in there.

/Simon


signature.asc
Description: PGP signature


Re: Bug#1059618: ITP: ssh3 -- faster and rich secure shell using HTTP/3

2023-12-30 Thread Colin Watson
On Sat, Dec 30, 2023 at 12:13:28AM +0100, Philipp Kern wrote:
> On 29.12.23 11:30, Simon Josefsson wrote:
> > SSH3 is a complete revisit of the SSH protocol, mapping its semantics on
> > top of the HTTP mechanisms. In a nutshell, SSH3 uses QUIC+TLS1.3 for
> > secure channel establishment and the HTTP Authorization mechanisms for
> > user authentication. Among others, SSH3 allows the following
> > improvements:
> 
> I feel like SSH3 is an unfortunate name. The program claims "SSH3 stands for
> the concatenation of SSH and H3." - well sure, but you're also reusing the
> name of an existing protocol and bump its version. ssh-h3?

I agree - as the Debian OpenSSH maintainer, I'm concerned that this will
cause a new source of user confusion because people will think "ah,
ssh3, that must be better than ssh" (which indeed seems to have been a
deliberate marketing choice by this project) and not realize that it's a
largely incompatible thing.  Not to mention the way that it parses
OpenSSH configuration files, which may work today but I doubt OpenSSH
offers any guarantees that it won't make changes that will break this
independent parser in future.

I also feel that something security-critical like this that's labelled
by upstream as "still experimental" probably shouldn't be in a Debian
release.  Maybe it should be kept in Debian experimental for the time
being?

-- 
Colin Watson (he/him)  [cjwat...@debian.org]



Re: Bug#1059618: ITP: ssh3 -- faster and rich secure shell using HTTP/3

2023-12-30 Thread Simon Josefsson
Packaging of SSH3 is available here:

https://salsa.debian.org/go-team/packages/ssh3
https://salsa.debian.org/jas/ssh3/

Thanks to the Salsa CI/CD pipeline there is an aptly repository
available for easy testing, if anyone would like to experiment or help.

Below you can find a snippet how you can test the SSH3 client and server
via Debian packages, for password and public key authentication, in a
safe container using podman.  I have only tested this on my laptop that
runs Trisquel, but should hopefully be portable.

I am delaying upload to Debian for a while to see if upstream reaches a
conclusion around naming.  I think the name 'ssh3' is unfortunate and
distracts from the effort. See:
.

/Simon

sudo apt install podman
podman run -it --hostname myhost.example --rm debian:unstable
# everything below runs inside the container
cd
apt update
apt dist-upgrade -y
apt install -y ca-certificates
echo "deb [trusted=yes] https://salsa.debian.org/jas/ssh3/-/jobs/5094673/artifacts/raw/aptly unstable main" | tee /etc/apt/sources.list.d/ssh3.list
apt update
apt install -y ssh3

apt install -y ssl-cert # creates snakeoil key/cert

passwd # set a test password for 'root' e.g. 'foo'

ssh3-server -cert /etc/ssl/certs/ssl-cert-snakeoil.pem \
    -key /etc/ssl/private/ssl-cert-snakeoil.key \
    -enable-password-login -url-path /myurl -v &

ssh3 -v -insecure -use-password myhost.example/myurl
# type 'foo' at the prompt, and on successful connection type 'exit' to log out

apt install -y openssh-client # for ssh-keygen
ssh-keygen -t ed25519 -P "" -f /root/.ssh/id_ed25519
cat /root/.ssh/id_ed25519.pub > /root/.ssh3/authorized_identities
ssh3 -v -insecure -privkey /root/.ssh/id_ed25519 myhost.example/myurl
# on successful connection type 'exit' to log out


signature.asc
Description: PGP signature
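Two practical notes on the recipe above, as an added example that is not part of the thread or of the ssh3 project. First, the client's `-insecure` flag skips verification of the server certificate, which is what makes the self-signed snakeoil certificate work; it only belongs inside the throwaway container. Second, the public-key step redirects with `>`, which silently replaces anything already in `authorized_identities`. The helper below appends a key only when it is not already listed and gives the directory and file the restrictive modes OpenSSH expects for `authorized_keys`. It assumes ssh3 reads one OpenSSH-format public key per line from `~/.ssh3/authorized_identities`, which is the shape the recipe writes; the script name and the sample key in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread or of the ssh3 project: a helper for
# the authorized_identities step of the test recipe.  The recipe's
# 'cat id_ed25519.pub > ~/.ssh3/authorized_identities' replaces whatever was
# already authorized; this appends the key only if it is not already listed
# and sets the same modes OpenSSH wants on ~/.ssh and authorized_keys.
# Assumption: ssh3 reads one OpenSSH-format public key per line from
# ~/.ssh3/authorized_identities (the shape the recipe writes).

# add_identity PUBKEY_FILE IDENTITIES_FILE
# exit status: 0 key added, 1 key already present, 2 unreadable or empty input
add_identity() {
    pub=$1
    ids=$2
    [ -r "$pub" ] || return 2
    # first line that looks like "<type> <base64> [comment]"
    key=$(awk 'NF >= 2 { print; exit }' "$pub")
    [ -n "$key" ] || return 2
    dir=$(dirname "$ids")
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -e "$ids" ] || : > "$ids"
    chmod 600 "$ids"
    # compare type and key material only, so a changed comment is not a new key
    if awk -v k="$key" 'BEGIN { split(k, a, " ") }
                        NF >= 2 && $1 == a[1] && $2 == a[2] { found = 1 }
                        END { exit !found }' "$ids"; then
        return 1
    fi
    printf '%s\n' "$key" >> "$ids"
}

# count_identities IDENTITIES_FILE: number of key lines currently authorized
count_identities() {
    if [ -r "$1" ]; then
        awk 'NF >= 2 { n++ } END { print n + 0 }' "$1"
    else
        echo 0
    fi
}

# usage (assumed script name):
#   sh add_identity.sh ~/.ssh/id_ed25519.pub ~/.ssh3/authorized_identities
if [ "$#" -eq 2 ]; then
    add_identity "$1" "$2"
    case $? in
        0) echo "added; $(count_identities "$2") identities authorized" ;;
        1) echo "already authorized" ;;
        *) echo "cannot read a public key from $1" >&2; exit 2 ;;
    esac
fi
```

Running it a second time with the same key is a no-op that reports "already authorized", so it is safe to repeat in a provisioning script, unlike the `>` redirect in the recipe.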


Re: Bug#1059618: ITP: ssh3 -- faster and rich secure shell using HTTP/3

2023-12-29 Thread Simon Josefsson
Philipp Kern  writes:

> On 29.12.23 11:30, Simon Josefsson wrote:
>> Package: wnpp
>> Severity: wishlist
>> X-Debbugs-Cc: debian-devel@lists.debian.org, debian...@lists.debian.org
>> * Package name: ssh3
>>Version : 0.1.4
>>Upstream Contact: François Michel
>> * URL : https://github.com/francoismichel/ssh3
>> * License : Apache-2.0
>>Programming Lang: Go
>>Description : faster and rich secure shell using HTTP/3
>> SSH3 is a complete revisit of the SSH protocol, mapping its semantics on
>> top of the HTTP mechanisms. In a nutshell, SSH3 uses QUIC+TLS1.3 for
>> secure channel establishment and the HTTP Authorization mechanisms for
>> user authentication. Among others, SSH3 allows the following
>> improvements:
>
> I feel like SSH3 is an unfortunate name. The program claims "SSH3
> stands for the concatenation of SSH and H3." - well sure, but you're
> also reusing the name of an existing protocol and bump its
> version. ssh-h3?
>
> Both the paper and the project are very new - so there should not be
> that many things referring to it yet.

I agree the name is unfortunate.  There are discussions with upstream in
https://github.com/francoismichel/ssh3/issues/79 and via emails.

I have packaging in https://salsa.debian.org/go-team/packages/ssh3 but I
will hold off uploading to NEW until some time has passed to see if
there will be a rename, and to give it more time for testing.  I have
managed to install the packages and start a server and make a client
connection to it.

/Simon


signature.asc
Description: PGP signature


Re: Bug#1059618: ITP: ssh3 -- faster and rich secure shell using HTTP/3

2023-12-29 Thread Philipp Kern

On 29.12.23 11:30, Simon Josefsson wrote:

Package: wnpp
Severity: wishlist
X-Debbugs-Cc: debian-devel@lists.debian.org, debian...@lists.debian.org

* Package name: ssh3
   Version : 0.1.4
   Upstream Contact: François Michel
* URL : https://github.com/francoismichel/ssh3
* License : Apache-2.0
   Programming Lang: Go
   Description : faster and rich secure shell using HTTP/3

SSH3 is a complete revisit of the SSH protocol, mapping its semantics on
top of the HTTP mechanisms. In a nutshell, SSH3 uses QUIC+TLS1.3 for
secure channel establishment and the HTTP Authorization mechanisms for
user authentication. Among others, SSH3 allows the following
improvements:


I feel like SSH3 is an unfortunate name. The program claims "SSH3 stands 
for the concatenation of SSH and H3." - well sure, but you're also 
reusing the name of an existing protocol and bump its version. ssh-h3?


Both the paper and the project are very new - so there should not be 
that many things referring to it yet.


Kind regards
Philipp Kern



Bug#1059618: ITP: ssh3 -- faster and rich secure shell using HTTP/3

2023-12-29 Thread Simon Josefsson
Package: wnpp
Severity: wishlist
X-Debbugs-Cc: debian-devel@lists.debian.org, debian...@lists.debian.org

* Package name: ssh3
  Version : 0.1.4
  Upstream Contact: François Michel
* URL : https://github.com/francoismichel/ssh3
* License : Apache-2.0
  Programming Lang: Go
  Description : faster and rich secure shell using HTTP/3

SSH3 is a complete revisit of the SSH protocol, mapping its semantics on
top of the HTTP mechanisms. In a nutshell, SSH3 uses QUIC+TLS1.3 for
secure channel establishment and the HTTP Authorization mechanisms for
user authentication. Among others, SSH3 allows the following
improvements:

- Significantly faster session establishment

- New HTTP authentication methods such as OAuth 2.0 and OpenID Connect
  in addition to classical SSH authentication

- Robustness to port scanning attacks: your SSH3 server can be made
  invisible to other Internet users

- UDP port forwarding in addition to classical TCP port forwarding

- All the features allowed by the modern QUIC protocol: including
  connection migration (soon) and multipath connections

I hope this package can be maintained in the Debian Go Packaging Team.


signature.asc
Description: PGP signature