https://gitlab.synchro.net/main/sbbs/-/commit/09b1b9276f83c99f943e5e48
Added Files:
src/ssh/api-design-4254.md audit-4250.md audit-4251.md audit-4252.md audit-4253.md audit-4254.md ssh-chan.c ssh-chan.h
Modified Files:
src/ssh/CMakeLists.txt README.md client.c deucessh.h src/ssh/kex/dh-gex-sha256.c src/ssh/key_algo/rsa-sha2-256.c rsa-sha2-256.h src/ssh/server.c ssh-arch.c ssh-auth.c ssh-auth.h ssh-conn.c ssh-conn.h ssh-trans.c ssh-trans.h
Log Message:
DeuceSSH: RFC conformance audits (4250-4254), auth overhaul, connection layer
RFC conformance audits for all five core SSH RFCs with fixes:
- Rekeying: auto-rekey at 2^28 packets / 1 GiB / 1 hour, peer-initiated rekey handling, application-layer send blocking during rekey window
- Transport: name-list validation (trailing comma, 64-char limit), version string US-ASCII check, SSH-1.99 recognition, DH e/f range validation, SSH_MSG_UNIMPLEMENTED responses, global request handling
- RSA-SHA2-256: full sign/pubkey/haskey for server-side host keys
- Channel: close/EOF tracking (idempotent), window overflow protection
Authentication overhaul (RFC 4252):
- Public key auth client-side
- Keyboard-interactive callback API (replaces hardcoded password answer)
- Password change support (PASSWD_CHANGEREQ, client and server)
- Banner callback, server-side auth loop with callbacks
Connection layer (RFC 4254):
- Demux thread: single thread dispatches to per-channel buffers
- Session channels: stream-based poll/read/write with signal sync
- Raw channels: message-based poll/read/write (no partial I/O)
- Client: session_open_shell/exec, channel_open_subsystem
- Server: session_accept, session_accept_channel (callback-driven setup with pty-req/env/shell/exec dispatch), channel_accept_raw
- Auto-reject forbidden channel types (x11, forwarding, etc.)
- Exit status, extended data, window-change callback, window replenish
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
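The "name-list validation (trailing comma, 64-char limit)" item in the transport audit above refers to the rules of RFC 4251 section 5 (name-list encoding) and section 6 (algorithm names: non-empty, printable US-ASCII, no whitespace, at most 64 characters). The following is an added example of such a validator, written for this page; it is not DeuceSSH's code, and the names `ssh_namelist_validate`, `ssh_namelist_validate_str`, `ssh_namelist_contains` and the `namelist_err` enum are hypothetical. It operates on the raw, length-delimited payload as it arrives inside a KEXINIT packet, so it never assumes NUL termination.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Maximum algorithm-name length from RFC 4251 section 6. */
#define SSH_NAME_MAX 64

/* Validation outcomes (hypothetical enum, not DeuceSSH's own). */
enum namelist_err {
    NAMELIST_OK = 0,
    NAMELIST_EMPTY_NAME,   /* leading, trailing or doubled comma */
    NAMELIST_TOO_LONG,     /* a single name exceeds SSH_NAME_MAX bytes */
    NAMELIST_BAD_CHAR      /* non-printable, non-US-ASCII or whitespace byte */
};

/*
 * Validate a raw name-list payload (length supplied, not NUL-terminated).
 * An empty list (len == 0) is valid. Otherwise every comma-separated name
 * must be non-empty, consist only of printable US-ASCII (0x21..0x7e, which
 * also excludes space), and be at most SSH_NAME_MAX bytes long.
 * Returns NAMELIST_OK or the first error encountered.
 */
enum namelist_err ssh_namelist_validate(const unsigned char *buf, size_t len)
{
    size_t name_len = 0;

    if (len == 0)
        return NAMELIST_OK;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = buf[i];
        if (c == ',') {
            if (name_len == 0)
                return NAMELIST_EMPTY_NAME;   /* leading or doubled comma */
            name_len = 0;
            continue;
        }
        if (c < 0x21 || c > 0x7e)             /* control, space or non-ASCII */
            return NAMELIST_BAD_CHAR;
        if (++name_len > SSH_NAME_MAX)
            return NAMELIST_TOO_LONG;
    }
    /* Loop ended with an open, empty name: the list had a trailing comma. */
    if (name_len == 0)
        return NAMELIST_EMPTY_NAME;
    return NAMELIST_OK;
}

/* Convenience wrapper for NUL-terminated strings (local/test use). */
enum namelist_err ssh_namelist_validate_str(const char *s)
{
    return ssh_namelist_validate((const unsigned char *)s, strlen(s));
}

/*
 * Whole-entry lookup in an already validated list: true only if `name`
 * matches a complete comma-delimited entry, never a prefix of one. This is
 * the comparison an algorithm-negotiation step needs.
 */
bool ssh_namelist_contains(const unsigned char *buf, size_t len, const char *name)
{
    size_t nlen = strlen(name);
    size_t start = 0;

    for (size_t i = 0; i <= len; i++) {
        if (i == len || buf[i] == ',') {
            if (i - start == nlen && memcmp(buf + start, name, nlen) == 0)
                return true;
            start = i + 1;
        }
    }
    return false;
}

int main(void)
{
    /* Constructed sample inputs exercising each rule. */
    static const char *samples[] = {
        "diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256",
        "aes128-ctr,",            /* trailing comma */
        ",aes128-ctr",            /* leading comma */
        "aes128-ctr,,aes256-ctr", /* doubled comma */
        "aes128 ctr",             /* whitespace inside a name */
        ""                        /* empty list is legal */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-60s -> %d\n", samples[i], ssh_namelist_validate_str(samples[i]));
    return 0;
}
```

Rejecting the list before any algorithm matching runs keeps a malformed KEXINIT from being partially interpreted; the lookup helper compares whole entries so that a name such as "aes256" cannot be mistaken for "aes256-ctr".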