:: xs - the alternate PQC secure shell ::

Intro

I have worked in the past on IPsec and integration of crypto algs into
wire protocols. I wanted to experiment with openssh, adding post-quantum
key exchanges and extra session (symmetric) crypto algs to it.

I sort of hit a wall trying to figure out how the openssh login phase
passed through session keys to the rest of the system. Fork hell.

I was just getting into Go ('golang') at the time, so I thought to
myself, "self, why don't you try writing your *own* secure shell in
pure Go, it might be a great learning experience!". Well, it was, and
the result is _xs_, the eXperimental Secure shell. I think it's pretty
darn nifty, and now use it full-time on my servers *instead* of ssh.

Go has a really great crypto library, and its structural typing system
made it quite easy to implement and/or integrate new crypto algs into
the program. It's easier to build than ssh, and I would argue is also
much easier to understand (source code is under 5% total SLOCC compared
to that of openssh, which is written in C).

It should also benefit from the built-in security of Go's safe runtime
(much less likelihood of buffer overflows and such).

Project is here, fetchable via 'go get':

Gogs git repository

(Use git clone https://gogs.blitter.com/RLabs/xs)

Latest release v0.9.12-2 Sun, 27 Oct 2024

Changelog:

v0.9.12-2

- Fixes for MSYS2 and CYGWIN build; removed mintty_wrapper.sh

v0.9.11

- [BREAKING CHANGE] Addition of WHIRLPOOL hash algo

v0.9.10

- Refresh go mod info (build issues)

v0.9.9

- Minor Release moving authtoken file from $HOME to $HOME/.config/xs

v0.9.8

- Addition of max bounds for chaff, rekey intervals; rekey interval 25% random jitter

v0.9.7

- Addition of optional cipher/hmac remodulation on rekeys and bounds-check on min chaff/rekey interval

v0.9.6

- Rekeying Support