OpenBSD TODO list

This is a TODO list of OpenBSD/OpenSSH related things. It is made public in the hope that I will not lose them, and that someone else may pick one up and complete it. If you want to work on one of these, then please email me.

Last updated: 2008/07/19

OpenSSH

• Modify the old ftp-proxy to do ssh DynamicForwards, making it an automagic FTP SSH proxifier
• Figure out how to do sftp-server chrooting without opening a heap of subtle security holes or breaking our othogonality. This can be done now that dtucker@ has implemented the sshd_config ForceCommand option (update: ForceCommand is necessary but not sufficient) (2008-03-13: Implemented for OpenSSH-4.8)
• Make packet.c code queue less: let it crypt/compress/mac as it goes and ideally write too. Would reduce latency, memory & CPU consumption and make the HPN patch more palatable
• Memory consumption audit
• Faster/better MAC (UMAC/OMAC/???). The MAC is a bigger bottleneck than the cipher in some circumstances (2008-03-13: implemented last year for OpenSSH-4.7
• Make the ssh(1) exit codes meaningful
• Fix/improve connection-multiplexing:
  • Make the ~[char] escape handler work for slave connections (2008-07-19: Implemented for OpenSSH-5.1)
  • Protocol extensions for multiple X/agent forwarding (maybe)
  • Add/remove port-forwarding via the master
  • Something like David Woodhouse's ControlPersist stuff
• Some sort of hop-by-hop challenge signing/authentication for the ssh-agent protocol. Each hop could sign the challenge using its host key, so the agent could potentially verify the entire path.
• Improve the sftp client:
  • Implement Attrib caching on remote_glob() - requires "forking" the glob implementation for OpenBSD's libc and extending it with "struct stat" to save a roundtrip per filename on "ls"
  • Inter-file pipelining on upload/download
• Check OpenSSH Bugzilla for more
• Finish reviewing dtucker@'s Match patches so we can set pre-auth options there (2008-03-13: done for some time now)
• Implement CIDR address matching using code from flowd (2008-07-19: Implemented for OpenSSH-5.1)

Networking

• Sync OpenBSD libpcap BPF parser, compiler and optimiser with those from the latest tcpdump.org libpcap
• implement a tunm and bpfm device, similar to the ptm device (done: pedro@ has implemented clonable devices at c2k6)
• 802.3ad/LACP support for trunk(4) (partially done: reyk@ added the loadbalance trunk mode at c2k6)
• 802.1w Rapid Spanning Tree support for bridge(4) (2006-12-04: done by reyk@ and Andrew Thompson)
• BVI (Bridge Virtual Interface) interface type, like Cisco IOS
• Make a pf(4) NAT lookup to SOCKS/HTTP CONNECT bridge and build it into nc(1). markus@ has code to do the NAT lookup part

Crypto

• Add integrity protection to encrypted vnd(4) using a separate file of MACs, 1 per block of the original file. MAC key per block is is h(blocknum, secret). Need to think about how the MAC file is created/populated
• Import OpenSSL-0.9.8b once ECC license issues are resolved, watch out for collisions with libc for new SHA2 functions
• Keep an eye on ESTREAM to see if a ARC4-killer emerges for PRNG use. Replacement must be faster and have a stronger security guarantee
• Provable Sophie-Germain prime generator for /etc/moduli

Ports

• Port Core Security's cool Python libraries
• Make Python-2.4 the default (lots of testing needed) (done: alek@ finished this a little while ago)
• Figure out how to make ports of the new "setuptools"/.egg format that Python packages are starting to use [IMO this is a curse of a format]. (done: there is now devel/py-setuptools a MODPY_SETUPTOOLS flag to support it in Makefiles)
• Complete/commit ports of all Perl modules needed for Bugzilla (I have most of these sitting in my tree already)
• s/urandom/arandom/ in glib, firefox, thunderbird and other ports
• Commit py-setuptools port (done: see above)
• Commit py-pylons port and dependancies
• Commit Python-2.5b port
• Update graphviz port (partially done, not committed)
• Get vlc (VideoLAN client port to build the Mozilla plugin)

General/Other

• Run fuzz/stress tests, such as this one
• Set up daily benchmark tests: every day pull the latest CVS source, build and install kernel and userland, run a heap of benchmarks, plot results over time
• Implement Longhaul support for my VIA Samuel 2 processor (Linux already has it)
• Lots more that slips my mind at present...