So basically I'm writing a ground up OpenSSH replacement (with my own protocol) because hanging your entire security model on "People will probably do a good job verifying TOFU host keys" is absurd when it is so possible to do very good password authenticated key exchange without storing any more password-equivalent data than hosts already do,
Also because port is -p in ssh and -P in scp and scp doesn't take flags after positional arguments, so basically burn it all to the fucking ground.
Also you should be able to do inline file transfers from an ssh session without reauthenticating.
I'm on my third ground-up rewrite because I keep learning fucktons of shit every time I rewrite it and it keeps getting better and better.
(To be clear, you extremely still do host keys. You just don't roll over & give away cleartext if someone's sloppy with 'em one time.)
@jennamagius wait i'm like 90% sure ssh does pfs
@CobaltVelvet It does! Perfect Forward Secrecy makes it so that if someone gets the private key for a host key they can't use it to decrypt earlier captured traffic,
But what I'm talking about is if the attacker completely impersonates the server at connection time and the user says "Accept this host key? yes"
Specifically: https://github.com/jtesta/ssh-mitm gets you plaintext passwords when it pops.
@jennamagius oh right
And like... memory safety, I guess >.>