- Restrict auth methods to PUBLICKEY only (the `none`, password, hostbased, and keyboard-interactive methods are not advertised during negotiation) - Log all denied channel types (session, x11, forwarded-tcpip) and dangerous request types (exec, shell, subsystem, pty, env, x11, agent) - Explicitly reject all dangerous channel request handlers (exec, shell, subsystem, pty, env, x11, agent forwarding) with channel_failure responses instead of russh's default silent Ok(()), which leaves clients hanging and is a footgun if session channels are ever allowed - Explicitly reject tcpip_forward and streamlocal_forward with logged warnings - Log signal requests at debug level (harmless, no response needed) - Override handlers in both the core ServerHandler and NapiServerHandler - Add tracing dependency to wraith-napi for security event logging - Set preferred algorithms explicitly (russh::Preferred::DEFAULT, which uses only modern KEX/cipher/MAC algorithms)
[package]
|
|
name = "wraith-napi"
|
|
version.workspace = true
|
|
edition.workspace = true
|
|
license.workspace = true
|
|
description = "Node.js native addon for Wraith via napi-rs: connect() and serve() SSH tunnel functions"
|
|
repository.workspace = true
|
|
|
|
[lib]
|
|
crate-type = ["cdylib"]
|
|
|
|
[dependencies]
|
|
wraith-core = { path = "../wraith-core", features = ["tls", "iroh"] }
|
|
napi = { version = "3", features = ["async", "error_anyhow"] }
|
|
napi-derive = "3"
|
|
tokio = { version = "1", features = ["io-util", "sync", "rt", "macros", "net", "time", "signal"] }
|
|
russh = "0.49"
|
|
async-trait = "0.1"
|
|
rustls-pemfile = "2"
|
|
rustls-pki-types = "1"
|
|
iroh = "0.34"
|
|
url = "2"
|
|
tracing = "0.1" |
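Review bot: The new `tracing = "0.1"` entry at the end of `[dependencies]` brings in only the event facade, and nothing in this manifest (no `tracing-subscriber` or equivalent) installs a subscriber, so the denied-channel and rejected-request events the description relies on are silently dropped unless the host process or `wraith-core` registers one — worth confirming, since a cdylib loaded into Node has no default subscriber. If the intent is that the embedding application wires logging, say so next to the dependency, e.g. `# security-event logging; emitted only if the host process installs a tracing subscriber`. Separately, `russh = "0.49"` is declared here independently of `wraith-core`; the handler overrides described in the commit only compile against a single russh version, so the two manifests (and Cargo.lock, not shown here) should resolve to the same release.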