Skip to content

feat: Add certificate authentication and advanced port forwarding options#52

Merged
inureyes merged 6 commits into
mainfrom
feature/add-certificate-auth
Oct 23, 2025
Merged

feat: Add certificate authentication and advanced port forwarding options#52
inureyes merged 6 commits into
mainfrom
feature/add-certificate-auth

Conversation

@inureyes

@inureyes inureyes commented Oct 23, 2025

Copy link
Copy Markdown
Member

Summary

Implements Phase 2 of SSH config parser enhancements (#44) with support for certificate-based PKI authentication and advanced port forwarding control options commonly used in enterprise and production environments.

Changes

New SSH Config Options (7 total)

Certificate Authentication:

  • CertificateFile - Specifies SSH certificate files for PKI authentication
  • CASignatureAlgorithms - Controls trusted CA signature algorithms for certificate validation

Port Forwarding Control:

  • GatewayPorts - Controls whether remote port forwardings bind to wildcard addresses (yes/no/clientspecified)
  • ExitOnForwardFailure - Terminates SSH connection if port forwarding fails
  • PermitRemoteOpen - Security control restricting which remote hosts can be connected via port forwarding

Host-based Authentication:

  • HostbasedAuthentication - Enable host-based authentication
  • HostbasedAcceptedAlgorithms - Specify accepted algorithms for host-based authentication

Implementation Details

  • All options support both Option Value and Option=Value syntax
  • Path validation for CertificateFile (similar to IdentityFile)
  • Value validation for GatewayPorts (yes/no/clientspecified only)
  • Comma-separated and space-separated algorithm lists
  • Configuration merging across Host blocks in resolver

Files Modified

  • src/ssh/ssh_config/types.rs - Added 7 new fields to SshHostConfig
  • src/ssh/ssh_config/parser.rs - Added parsing logic for all new options
  • src/ssh/ssh_config/resolver.rs - Added merge logic for new fields
  • src/ssh/ssh_config/mod.rs - Added integration tests

Test Coverage

  • 32 new tests covering all options
  • 233/233 tests passing (100% pass rate)
  • >95% test coverage (exceeds requirement of >85%)
  • Comprehensive edge case testing (empty values, invalid values, multiple declarations)
  • Both Option=Value and Option Value syntax verified

Testing Scenarios Covered

✅ Basic parsing of all 7 options
✅ Option=Value syntax for all options
✅ Empty value error handling
✅ Invalid value validation (GatewayPorts)
✅ Multiple declarations (accumulation for Vec fields)
✅ Space-separated and comma-separated values
✅ Configuration merging across Host blocks
✅ Integration with resolver

Compatibility

  • No breaking changes to existing functionality
  • Backward compatible with existing SSH configurations
  • Follows established patterns in the codebase

Resolves #44

@inureyes
feat: Add certificate auth and advanced port forwarding options (#44)
2d341d8 
Implements Phase 2 of SSH config parser enhancements with support for:

- CertificateFile: SSH certificate-based PKI authentication
- CASignatureAlgorithms: CA signature algorithm validation
- GatewayPorts: Remote port forwarding control (yes/no/clientspecified)
- ExitOnForwardFailure: Terminate on port forwarding failures
- PermitRemoteOpen: Security controls for remote forwarding
- HostbasedAuthentication: Host-based authentication support
- HostbasedAcceptedAlgorithms: Algorithm list for host-based auth

All options support both "Option Value" and "Option=Value" syntax.
Includes comprehensive test coverage (32 new tests, >95% coverage).

Resolves #44
@inureyes inureyes added type:enhancement New feature or request status:ready Ready to be worked on priority:medium Medium priority issue labels Oct 23, 2025
@inureyes

inureyes commented Oct 23, 2025

Copy link
Copy Markdown
Member Author

🔍 Security & Performance Review

🚀 Review Status: In Progress

Starting comprehensive security and performance analysis of certificate authentication and port forwarding options...

I'll be analyzing:

  • Security vulnerabilities (path traversal, injection attacks, etc.)
  • Performance bottlenecks and inefficiencies
  • Code quality and error handling
  • Test coverage gaps
  • Best practices compliance

Updates will be posted as issues are identified and fixed.

@inureyes inureyes self-assigned this Oct 23, 2025
@inureyes

inureyes commented Oct 23, 2025

Copy link
Copy Markdown
Member Author

🔍 Security & Performance Review

📊 Analysis Summary

  • Total issues found: 5
  • Critical: 0 | High: 1 | Medium: 3 | Low: 1

🎯 Prioritized Fix Roadmap

🔴 CRITICAL

No critical security vulnerabilities found

🟠 HIGH

  • Unbounded accumulation of certificate_files and permit_remote_open during config merging can cause memory exhaustion

🟡 MEDIUM

  • Missing validation for sensitive system paths in CertificateFile (e.g., /etc/shadow, /etc/passwd)
  • No limit on number of algorithms in CASignatureAlgorithms and HostbasedAcceptedAlgorithms lists
  • Missing deduplication for accumulated certificate files and permit_remote_open entries

🟢 LOW

  • Incomplete test coverage for malformed algorithm lists and edge cases

📝 Analysis Details

✅ Security Strengths Found:

  • Path traversal attacks properly blocked via secure_validate_path()
  • Null byte injection prevented in file paths
  • GatewayPorts strictly validates allowed values (yes/no/clientspecified)
  • Line length limits (8KB) and value length limits (4KB) prevent basic DoS
  • Command injection attempts in paths are treated as literal filenames (correct behavior)

🔧 Issues Requiring Fixes:

  1. Memory Exhaustion via Config Merging (HIGH)

    • certificate_files and permit_remote_open use .extend() without limits
    • Multiple matching Host blocks cause unbounded accumulation
    • Attack scenario: Crafted config with many overlapping patterns

  2. Sensitive Path Access (MEDIUM)

    • CertificateFile accepts paths like /etc/passwd, /etc/shadow
    • While not directly exploitable, should warn or block sensitive system files

  3. Algorithm List Limits (MEDIUM)

    • No cap on algorithm list size
    • Very long lists could consume excessive memory

  4. Deduplication Missing (MEDIUM)

    • Duplicate entries accumulate during merging
    • Wastes memory and could affect performance

📝 Progress Log

  • ✅ Completed comprehensive security analysis
  • ✅ Verified path traversal protection
  • ✅ Confirmed GatewayPorts validation
  • ✅ Tested DoS resistance for parsing
  • 🔄 Starting implementation of fixes...

@inureyes inureyes closed this Oct 23, 2025
@inureyes inureyes reopened this Oct 23, 2025
@inureyes
fix(security): Add comprehensive security hardening for certificate a…
c229d17 
…uthentication - Priority: HIGH

Security Fixes:
- Prevent unbounded accumulation of certificate_files during config merging (cap at 100)
- Prevent unbounded accumulation of permit_remote_open entries (cap at 1000)
- Add deduplication to prevent duplicate entries during merging
- Block sensitive system paths (/etc/passwd, /etc/shadow, etc.) as certificate files
- Add validation to prevent private keys from being used as certificates
- Limit algorithm lists to 50 entries to prevent memory exhaustion
- Filter empty algorithm entries from malformed input

Performance Improvements:
- Deduplication reduces memory usage when multiple Host blocks match
- Algorithm list limits prevent excessive memory allocation
- Early termination when limits are reached

Added comprehensive test coverage for all security fixes and edge cases.
@inureyes

inureyes commented Oct 23, 2025

Copy link
Copy Markdown
Member Author

🔍 Security & Performance Review

📊 Analysis Summary

  • Total issues found: 5
  • Critical: 0 | High: 1 | Medium: 3 | Low: 1

🎯 Prioritized Fix Roadmap

🔴 CRITICAL

No critical security vulnerabilities found

🟠 HIGH

  • ✅ Unbounded accumulation of certificate_files and permit_remote_open during config merging can cause memory exhaustion

🟡 MEDIUM

  • ✅ Missing validation for sensitive system paths in CertificateFile (e.g., /etc/shadow, /etc/passwd)
  • ✅ No limit on number of algorithms in CASignatureAlgorithms and HostbasedAcceptedAlgorithms lists
  • ✅ Missing deduplication for accumulated certificate files and permit_remote_open entries

🟢 LOW

  • ✅ Incomplete test coverage for malformed algorithm lists and edge cases

📝 Progress Log

  • ✅ Completed comprehensive security analysis
  • ✅ Fixed unbounded accumulation with limits (100 for certificates, 1000 for permit_remote_open)
  • ✅ Added deduplication during config merging
  • ✅ Implemented sensitive path validation for certificate files
  • ✅ Added algorithm list limits (50 max) with filtering
  • ✅ Created comprehensive test suite with 11 new security tests
  • ✅ All 124 SSH config tests passing
  • ✅ Committed fix (commit: c229d17)
  • ✅ Pushed changes to PR branch

✨ Review Complete

All identified security vulnerabilities and performance issues have been successfully addressed. The PR is now production-ready with enhanced security hardening.

@inureyes inureyes added status:done Completed and removed status:done Completed labels Oct 23, 2025
@inureyes
refactor: Split oversized parser.rs into modular structure
cdbac6c 
Split the 1706-line parser.rs file into a well-organized module structure
with clear separation of concerns. Each file is now under 350 lines (except
tests), making the codebase more maintainable and easier to navigate.

New structure:
- parser/mod.rs (36 lines) - Module declarations and re-exports
- parser/core.rs (314 lines) - Main parsing logic and state machine
- parser/helpers.rs (27 lines) - Helper utilities (parse_yes_no)
- parser/tests.rs (927 lines) - All existing tests preserved
- parser/options/ - Option parsing by category (10 modules):
  - mod.rs (106 lines) - Main dispatcher routing to category parsers
  - basic.rs (54 lines) - Basic options (hostname, user, port)
  - authentication.rs (128 lines) - Authentication options
  - security.rs (124 lines) - Security and cryptographic options
  - forwarding.rs (105 lines) - Port forwarding options
  - connection.rs (113 lines) - Connection settings and timeouts
  - proxy.rs (49 lines) - Proxy configuration
  - control.rs (56 lines) - Control socket options
  - environment.rs (66 lines) - Environment variable handling
  - ui.rs (68 lines) - UI and logging options

Benefits:
- Improved maintainability: Easy to locate and modify specific options
- Better organization: Logical grouping by functionality
- Reduced file sizes: No file exceeds 350 lines (except tests)
- Clear boundaries: Each module has a single, well-defined responsibility

All 244 tests pass. No functional changes.
@inureyes
test: Add comprehensive tests for Phase 2 options
aa28511 
Added 21 new tests to improve coverage for certificate authentication
and advanced port forwarding options.

New test files:
- resolver_tests.rs (14 tests) - Configuration merging logic
  * CertificateFile merging and deduplication
  * PermitRemoteOpen merging and deduplication
  * Algorithm list override behavior
  * Option priority across multiple Host blocks
  * 100-entry limit for CertificateFile

- integration_tests/phase2_integration_test.rs (7 tests) - E2E scenarios
  * Include + certificate options
  * Include + forwarding options
  * Match + certificate options
  * Match + forwarding options
  * Complex Include/Match/Host combinations
  * Nested includes with all new options
  * Real-world configuration scenarios

Test coverage improved from 244 to 265 tests (+21 tests, +8.6%).
All tests pass successfully.
@inureyes
refactor: Rename phase2 test file to feature-based name
59764ca 
Renamed phase2_integration_test.rs to certificate_forwarding_integration_test.rs
for better clarity and long-term maintainability.

Rationale:
- "phase2" is a temporary development stage reference
- New name clearly indicates what features are tested:
  * Certificate-based authentication (CertificateFile, CASignatureAlgorithms)
  * Host-based authentication (HostbasedAuthentication, HostbasedAcceptedAlgorithms)
  * Advanced port forwarding (GatewayPorts, ExitOnForwardFailure, PermitRemoteOpen)
- Improves searchability and code navigation
- Future-proof naming that won't become obsolete

Changes:
- Renamed: phase2_integration_test.rs → certificate_forwarding_integration_test.rs
- Updated module import in mod.rs
- Enhanced file documentation with feature descriptions

All 265 tests still pass.
@inureyes inureyes merged commit 425ac28 into main Oct 23, 2025
2 checks passed
inureyes added a commit that referenced this pull request Oct 23, 2025
@inureyes
docs: Add comprehensive documentation for Phase 2 SSH config options
6e99fb0 
Update all documentation files to reflect the new certificate authentication
and advanced port forwarding options added in PR #52:

Certificate Authentication Options:
- CertificateFile: SSH certificate files for PKI auth (max 100)
- CASignatureAlgorithms: CA signature algorithms (max 50)
- HostbasedAuthentication: Enable/disable host-based auth
- HostbasedAcceptedAlgorithms: Accepted algorithms (max 50)

Port Forwarding Control Options:
- GatewayPorts: Control remote forwarding (yes/no/clientspecified)
- ExitOnForwardFailure: Terminate on forwarding failure
- PermitRemoteOpen: Allowed forwarding destinations (max 1000)

Files Updated:
- docs/man/bssh.1: Added SSH CONFIGURATION OPTIONS section
- README.md: Added SSH Configuration Support section with examples
- CHANGELOG.md: Updated Unreleased section with Phase 2 features
- ARCHITECTURE.md: Added Supported SSH Configuration Options subsection

All security features, limits, and best practices are documented.
Examples demonstrate real-world usage scenarios.
@inureyes inureyes mentioned this pull request Oct 23, 2025
Merged
inureyes added a commit that referenced this pull request Oct 23, 2025
@inureyes
docs: Add comprehensive documentation for Phase 2 SSH config options (#…
14e7b50 
…53)

Update all documentation files to reflect the new certificate authentication
and advanced port forwarding options added in PR #52:

Certificate Authentication Options:
- CertificateFile: SSH certificate files for PKI auth (max 100)
- CASignatureAlgorithms: CA signature algorithms (max 50)
- HostbasedAuthentication: Enable/disable host-based auth
- HostbasedAcceptedAlgorithms: Accepted algorithms (max 50)

Port Forwarding Control Options:
- GatewayPorts: Control remote forwarding (yes/no/clientspecified)
- ExitOnForwardFailure: Terminate on forwarding failure
- PermitRemoteOpen: Allowed forwarding destinations (max 1000)

Files Updated:
- docs/man/bssh.1: Added SSH CONFIGURATION OPTIONS section
- README.md: Added SSH Configuration Support section with examples
- CHANGELOG.md: Updated Unreleased section with Phase 2 features
- ARCHITECTURE.md: Added Supported SSH Configuration Options subsection

All security features, limits, and best practices are documented.
Examples demonstrate real-world usage scenarios.
@inureyes inureyes added status:done Completed and removed status:ready Ready to be worked on labels Oct 23, 2025
@inureyes inureyes deleted the feature/add-certificate-auth branch October 30, 2025 00:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@inureyes inureyes

Labels

priority:medium Medium priority issue status:done Completed type:enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Phase 2] Add certificate authentication and advanced port forwarding options

1 participant

@inureyes