Bug tracker and wiki

Opened 6 weeks ago

Closed 6 weeks ago

Last modified 6 weeks ago

#2790 closed enhancement (wontfix)

Usage of SSH

Reported by: srh
Owned by: Antoine Martin
Priority: minor
Milestone: 4.1
Component: client
Version: 4.0.x
Keywords:
Cc:

Description

Hi
Thanks for Xpra, it is very useful. This is just a short comment/request, nothing urgent or new.
A while ago, I noticed Xpra started using paramiko by default. Ok, I thought, what is paramiko? I looked it up and found it is a Python implementation of SSH. I checked its security history, and found it has had some severe CVEs in recent years. Without digging in further, it doesn't look like a good security history compared to OpenSSH, which I use regularly for internet-facing server and client on Linux.
So the request is for Xpra in the future to never drop the ability to use OpenSSH directly (such as using "--ssh=ssh"). It is ok for OpenSSH to not be the default, just an available option.
Thanks

Change History (3)

comment:1 Changed 6 weeks ago by Antoine Martin

Resolution: wontfix
Status: new → closed

There is no plan to drop openssh support.

As for the security of paramiko, it is nowhere near as bad as you make it sound.
Here's the full list of CVEs: https://www.cvedetails.com/vulnerability-list/vendor_id-17787/product_id-44430/Paramiko-Paramiko.html.
There are only 2 in total, none in the last 18 months, and none that affects paramiko when used as a client library.

comment:2 Changed 6 weeks ago by srh

Thanks for the info.

Is paramiko used in Xpra on the server-side?

comment:3 Changed 6 weeks ago by Antoine Martin

> Is paramiko used in Xpra on the server-side?

wiki/SSH, #1920.
