Xpra: Ticket #2790: Usage of SSH

Hi Thanks for Xpra, it is very useful. This is just a short comment/request, nothing urgent or new. A while ago, I noticed Xpra started using paramiko by default. Ok, I thought, what is paramiko? I looked it up and find it is a python implementation of SSH. I checked its security history, and find it has had some severe CVE's in recent years. Without digging in further, it doesn't look like a good security history compared to OpenSSH, which I use regularly for internet-facing server and client on Linux. So the request is for Xpra in the future to never drop the ability to use OpenSSH directly (such as using "--ssh=ssh"). It is ok for OpenSSH to not be the default, just an available option. Thanks

Mon, 01 Jun 2020 04:09:31 GMT - Antoine Martin: status changed; resolution set

There is no plan to drop openssh support.

As for the security of paramiko, it is nowhere near as bad as you make it sound. Here's the full list of CVEs: https://www.cvedetails.com/vulnerability-list/vendor_id-17787/product_id-44430/Paramiko-Paramiko.html. There are only 2 in total, none in the last 18 months, and none that affects paramiko when used as a client library.

Mon, 01 Jun 2020 11:44:16 GMT - srh:

Thanks for the info.

Is paramiko used in Xpra on the server-side?

Mon, 01 Jun 2020 14:27:35 GMT - Antoine Martin:

Is paramiko used in Xpra on the server-side?

wiki/SSH, #1920.

Sat, 23 Jan 2021 06:00:56 GMT - migration script:

this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/2790