Re: Bug#1059618: ITP: ssh3 -- faster and rich secure shell using HTTP/3

[Bastian Blank <waldi@debian.org>]

On Fri, Dec 29, 2023 at 11:30:14AM +0100, Simon Josefsson wrote:
> * Package name    : ssh3

This package name is clearly not acceptable.  SSH is a well known name
and this project is completely unrelated to it.

So this is an accademic project.  I would question that it actually
solves the same problem as SSH does.

The paper might also be missleading.  They compare session setup time,
but don't even describe the used parameters.  They don't describe a way
to use real authentication, instead they just refer to HTTP, which does
not specify anything equivalent to what SSH uses by default.

> - Significantly faster session establishment

Questionable.

> - New HTTP authentication methods such as OAuth 2.0 and OpenID Connect
>   in addition to classical SSH authentication

In addition?  I don't see any way to use authentication similar to SSH
in this.  But maybe just show where I can use sk-ssh-ed25519@openssh.com
authentication, which is a modern one, with this.

> - Robustness to port scanning attacks: your SSH3 server can be made
>   invisible to other Internet users

You still have a HTTP listener that can be seen.

Bastian

-- 
It would be illogical to assume that all conditions remain stable.
		-- Spock, "The Enterprise Incident", stardate 5027.3