tlssh/README
By Thomas Habets [email protected] 2010-2019
What is it?
It's like SSH but based on TLS. And you only log in using client
certificates, never usernames or passwords.
Why?
I often find that OpenSSH is too big, has too many features that can
subvert security. Yet it doesn't have the features that I want.
I wanted a minimal crypto layer on top of the SSL crypto model.
Compared to OpenSSH
Pros:
- TCP-MD5
- Write contents of local file as if I typed it (not done yet, but
OpenSSH don't want it)
- xmodem file xfer (not done yet)
- TLS is the only manner of authentication = only thing security
depends on (besides kernel, firmware and hardware that are all out of scope)
- CA model. Server can have VeriSign signed server cert.
- Expiring & revoking keys (OpenSSH certificates have this now)
- Can store private keys in TPM.
Cons:
- Less portable
- Less tested
- Less audited
- Fewer features (channels, etc). This is on purpose.
- Requires CA
- SSL data structs are pure madness, odds of OpenSSL being perfect
when parsing them is less than 100%
Where can I get it?
http://github.com/ThomasHabets/tlssh
git clone git://github.com/ThomasHabets/tlssh.git
Installing
See the INSTALL.md
file.
Notes
Send questions/suggestions/patches/rants/0days to [email protected]