
This bug tracker and wiki are being discontinued; please use https://github.com/Xpra-org/xpra instead.

Opened 2 years ago

Closed 2 years ago

Last modified 16 months ago

#2790 closed enhancement (wontfix)

Usage of SSH

Reported by: srh
Owned by: Antoine Martin
Priority: minor
Milestone: 4.1
Component: client
Version: 4.0.x
Keywords:
Cc:


Thanks for Xpra, it is very useful. This is just a short comment/request, nothing urgent or new.
A while ago, I noticed Xpra started using paramiko by default. OK, I thought, what is paramiko? I looked it up and found it is a Python implementation of SSH. I checked its security history, and found it has had some severe CVEs in recent years. Without digging in further, it doesn't look like a good security history compared to OpenSSH, which I use regularly for internet-facing server and client on Linux.
So the request is for Xpra in the future to never drop the ability to use OpenSSH directly (such as using "--ssh=ssh"). It is ok for OpenSSH to not be the default, just an available option.

Change History (4)

comment:1 Changed 2 years ago by Antoine Martin

Resolution: wontfix
Status: new → closed

There is no plan to drop openssh support.

As for the security of paramiko, it is nowhere near as bad as you make it sound.
Here's the full list of CVEs: https://www.cvedetails.com/vulnerability-list/vendor_id-17787/product_id-44430/Paramiko-Paramiko.html.
There are only 2 in total, none in the last 18 months, and none that affects paramiko when used as a client library.

comment:2 Changed 2 years ago by srh

Thanks for the info.

Is paramiko used in Xpra on the server-side?

comment:3 Changed 2 years ago by Antoine Martin

> Is paramiko used in Xpra on the server-side?

wiki/SSH, #1920.

comment:4 Changed 16 months ago by migration script

this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/2790
