#2790 closed enhancement (wontfix)
Usage of SSH
| Reported by: | srh | Owned by: | Antoine Martin |
|---|---|---|---|
| Priority: | minor | Milestone: | 4.1 |
| Component: | client | Version: | 4.0.x |
| Keywords: | Cc: |
Description
Hi
Thanks for Xpra, it is very useful. This is just a short comment/request, nothing urgent or new.
A while ago, I noticed Xpra started using paramiko by default. Ok, I thought, what is paramiko? I looked it up and find it is a python implementation of SSH. I checked its security history, and find it has had some severe CVE's in recent years. Without digging in further, it doesn't look like a good security history compared to OpenSSH, which I use regularly for internet-facing server and client on Linux.
So the request is for Xpra in the future to never drop the ability to use OpenSSH directly (such as using "--ssh=ssh"). It is ok for OpenSSH to not be the default, just an available option.
Thanks
Change History (4)
comment:1 Changed 14 months ago by
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
comment:2 Changed 14 months ago by
Thanks for the info.
Is paramiko used in Xpra on the server-side?
comment:4 Changed 6 months ago by
this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/2790
copyleft 2010 - 2021
There is no plan to drop openssh support.
As for the security of paramiko, it is nowhere near as bad as you make it sound.
Here's the full list of CVEs: https://www.cvedetails.com/vulnerability-list/vendor_id-17787/product_id-44430/Paramiko-Paramiko.html.
There are only 2 in total, none in the last 18 months, and none that affects paramiko when used as a client library.