Security Assessment Q&A

[jkwmoore]

Hi Nathan & contributors,

I've been asked by the infosec team (University of Sheffield) to get in contact with you so we can approve the use of WinSSH pageant for our users as part of the implementation of security controls on our HPC clusters (WinSSH pageant should significantly simplify the user experience when used with Smallstep SSH certificates.)

Can we use discussions to do some Q&A or can you provide me a contact email I could use to forward over some questions we have? If possible, they'd like if you could fill in a form for them.

Thanks,
James.

[ndbeals]

Wow, I'm pleased to learn there are organizations looking to use this tool! Thanks for explaining your use-case too

Can we use discussions to do some Q&A

Absolutely! feel free to open then as needed.

or can you provide me a contact email I could use to forward over some questions we have?

Sure: nathan.beals1+winssh(at)gmail(dot)com, hopefully that obfuscation is good enough to avoid the bot spam

If possible, they'd like if you could fill in a form for them.

I can probably do that.

[jkwmoore]

I've tried to pare down the form to be less corporate / removed any inappropriate bits into the following questions:

• Is it possible to get a general architecture diagram of how WinSSH Pageant talks from/to clients and the OpenSSH agent?

(I think there's some concern about what types of risks may be present here in general as well as in terms of possible crypto analysis and eventual private key derivation after numerous authentications.)

• Is it possible to get a architectural diagram showing the flow/processes which go into approving/signing off code into WinSSH Pageant from a risk / security management point of view?

(e.g. patch management: Dependabot, supply chain protection: signed commits, PR approval policy, contributors must have MFA etc...) .

• Have any risk assessments, security audits / code audits been carried out on WinSSH Pageant?

• Are there any frameworks, specific standards, frameworks or methodologies you and the contributors use/follow or are certified in which align with best practice for security?

• Do you have any security related policies documents we could see?

---

Some of our infosec folks had a look at the repo and one dependency has concerned us a bit as it has been depreciated (go-difflib).

Can you comment on how it is being used and / or whether it could be replaced or mitigated? (This does currently appear to be version/checksum pinned fortunately but looking at the dependency chain this would be a big ask.)

winssh-pageant --> github.com/Microsoft/go-winio v0.5.2 --> github.com/sirupsen/logrus v1.9.0 --> github.com/stretchr/testify --> github.com/pmezard/go-difflib v1.0.0