asf-tooling opened a new issue, #1024:
URL: https://github.com/apache/tooling-trusted-releases/issues/1024

**ASVS Level(s):** [L1]

**Description:**

### Summary
The SSH server (`atr/ssh.py`) is a significant authentication entry point that accepts public key authentication from GitHub workflow processes. The authentication security documentation does not address this authentication surface at all. Unlimited authentication attempts are possible against the SSH server at the application layer. Auditors and operators cannot assess the protections on the SSH authentication surface. GitHub Issue #723 acknowledges this gap, but open issues do not substitute for documentation.

### Details
Affected locations:
- `security/ASVS/audit_guidance/authentication-security.md`: No SSH authentication section
- `atr/ssh.py` SSHServer.connection_made, SSHServer.begin_auth, SSHServer.validate_public_key: Undocumented authentication surface

The SSH server is a complete authentication pathway that is not documented in the authentication security documentation.

### Recommended Remediation
Add a dedicated 'SSH Authentication' section to authentication-security.md documenting:

1. **Authentication mechanism:** Public key only, 20-minute TTL
2. **Anti-automation controls:** Key-based authentication, logging
3. **Current limitations:** No connection-level rate limiting (tracked in Issue #723); expected to be enforced at the network/firewall layer
4. **Monitoring:** Failed SSH authentication attempts

```markdown
## SSH Authentication

The ATR application provides an SSH server for automated release artifact uploads from GitHub Actions workflows.

### Authentication Mechanism
- Public key authentication only (no password authentication)
- Workflow-specific SSH keys with 20-minute TTL
- Keys are generated per-workflow and stored in database
- Authentication validates key against database records

### Anti-Automation Controls
- Key-based authentication prevents brute force password attacks
- All authentication attempts are logged
- Rate limiting is expected at network/firewall layer (Issue #723)

### Current Limitations
- No application-level connection rate limiting (tracked in Issue #723)
- Relies on network/firewall layer for connection throttling

### Monitoring
- Failed SSH authentication attempts are logged
- Connection attempts are tracked for operational visibility
```

### Acceptance Criteria
- [ ] SSH authentication is documented in authentication-security.md
- [ ] Documentation covers authentication mechanism and controls
- [ ] Current limitations are explicitly stated
- [ ] GitHub Issue #723 is referenced
- [ ] Unit test verifying the fix

### References
- Source reports: L1:6.1.1.md
- Related findings: FINDING-004, FINDING-126
- ASVS sections: 6.1.1

### Priority
Medium

---

**Triage notes:** documentation - audit_guidance: add info about the purpose of docs in audit_guidance, also add public docs about SSH auth
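The remediation above describes the mechanism to document (public key only, per-workflow keys with a 20-minute TTL validated against database records) and the monitoring to keep (failed attempts logged, with no application-level rate limit). The following is an added, self-contained model of that behaviour written for this issue; it is not the ATR project's `atr/ssh.py` code and does not use the real server or database. The in-memory `KeyStore`, the `AuthMonitor` failure threshold, the sample ed25519 key bytes and the peer address are all constructed for the example.

```python
import base64
import hashlib
import logging
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

log = logging.getLogger("ssh-auth-example")

# The 20-minute key lifetime named in the issue's recommended documentation.
KEY_TTL = timedelta(minutes=20)
# Assumed alert threshold for repeated failures from one peer (not from the issue).
FAILURE_ALERT_THRESHOLD = 5


def ed25519_blob(raw_key: bytes) -> bytes:
    """OpenSSH wire format for an ssh-ed25519 public key:
    uint32-length-prefixed key type, then the length-prefixed 32-byte key."""
    key_type = b"ssh-ed25519"
    return (len(key_type).to_bytes(4, "big") + key_type
            + len(raw_key).to_bytes(4, "big") + raw_key)


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: base64 of the digest, padding stripped."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


@dataclass
class WorkflowKey:
    fingerprint: str
    workflow_id: str
    created_at: datetime


class KeyStore:
    """In-memory stand-in (constructed) for the database of per-workflow keys."""

    def __init__(self) -> None:
        self._by_fingerprint: Dict[str, WorkflowKey] = {}

    def register(self, key_blob: bytes, workflow_id: str, now: datetime) -> str:
        fp = fingerprint(key_blob)
        self._by_fingerprint[fp] = WorkflowKey(fp, workflow_id, now)
        return fp

    def lookup(self, fp: str) -> Optional[WorkflowKey]:
        return self._by_fingerprint.get(fp)


class AuthMonitor:
    """Logs every outcome and counts failures per peer: the signal the
    Monitoring section asks to keep visible, since the application itself
    applies no connection rate limit (Issue #723)."""

    def __init__(self) -> None:
        self.failures_by_peer: Dict[str, int] = {}

    def record_failure(self, peer: str, reason: str) -> int:
        count = self.failures_by_peer.get(peer, 0) + 1
        self.failures_by_peer[peer] = count
        log.warning("ssh auth failed peer=%s reason=%s failures=%d", peer, reason, count)
        if count >= FAILURE_ALERT_THRESHOLD:
            log.error("ssh auth failure threshold reached peer=%s count=%d", peer, count)
        return count

    def record_success(self, peer: str, workflow_id: str) -> None:
        log.info("ssh auth ok peer=%s workflow=%s", peer, workflow_id)


def password_auth_supported() -> bool:
    """Public key only: password authentication is never offered."""
    return False


def validate_public_key(store: KeyStore, monitor: AuthMonitor,
                        peer: str, key_blob: bytes, now: datetime) -> bool:
    """Accept a key only if it is registered and still inside its TTL."""
    fp = fingerprint(key_blob)
    record = store.lookup(fp)
    if record is None:
        monitor.record_failure(peer, f"unknown key {fp}")
        return False
    if now - record.created_at > KEY_TTL:
        monitor.record_failure(peer, f"expired key {fp} workflow={record.workflow_id}")
        return False
    monitor.record_success(peer, record.workflow_id)
    return True


def demo() -> dict:
    """Constructed scenario: one registered key checked inside and after its TTL,
    then an unregistered key presented by the same peer."""
    logging.basicConfig(level=logging.INFO)
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    store, monitor = KeyStore(), AuthMonitor()
    good_key = ed25519_blob(bytes(range(32)))       # constructed sample key
    other_key = ed25519_blob(bytes(range(32, 64)))  # constructed, never registered
    store.register(good_key, "workflow-42", t0)
    peer = "192.0.2.10"                             # documentation-range address
    return {
        "fresh": validate_public_key(store, monitor, peer, good_key, t0 + timedelta(minutes=5)),
        "expired": validate_public_key(store, monitor, peer, good_key, t0 + timedelta(minutes=25)),
        "unknown": validate_public_key(store, monitor, peer, other_key, t0),
        "failures": monitor.failures_by_peer.get(peer, 0),
    }
```

Running `demo()` accepts the key five minutes after registration, rejects it at twenty-five minutes, rejects the unregistered key, and leaves two logged failures for the peer. A unit test along these lines (fresh key accepted, expired and unknown keys rejected, each rejection logged) is one way to satisfy the "Unit test verifying the fix" acceptance criterion once the documented behaviour is pinned down.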

