Skip to content

Commit 482980b

Browse files
committed
docs: refresh SSH transport description for supervisor-initiated relay
Updates user-facing docs to match the connect/exec transport change: - `docs/security/best-practices.mdx` — SSH tunnel section now describes traffic riding the sandbox's mTLS session (transport auth) plus a short-lived session token scoped to the sandbox (authorization), with the sandbox's sshd bound to a local Unix socket rather than a TCP port. Removes the stale mention of the NSSH1 HMAC handshake. - `docs/observability/logging.mdx` — example OCSF shorthand lines for SSH:LISTEN / SSH:OPEN updated to reflect the current emit shape (no peer endpoint on the Unix-socket listener, no NSSH1 auth tag).
1 parent bcea46b commit 482980b

2 files changed

Lines changed: 4 additions & 4 deletions

File tree

docs/observability/logging.mdx

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -134,13 +134,13 @@ Proxy and SSH servers ready:
134134

135135
```text
136136
OCSF NET:LISTEN [INFO] 10.200.0.1:3128
137-
OCSF SSH:LISTEN [INFO] 0.0.0.0:2222
137+
OCSF SSH:LISTEN [INFO]
138138
```
139139

140-
An SSH handshake accepted, one event per connection:
140+
An SSH connection accepted (one event per invocation, arriving over the supervisor's Unix socket, so there is no network peer address to log):
141141

142142
```text
143-
OCSF SSH:OPEN [INFO] ALLOWED 10.42.0.52:42706 [auth:NSSH1]
143+
OCSF SSH:OPEN [INFO] ALLOWED
144144
```
145145

146146
A process launched inside the sandbox:

docs/security/best-practices.mdx

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -251,7 +251,7 @@ OpenShell generates a cluster CA at bootstrap and distributes it through Kuberne
251251

252252
### SSH Tunnel Authentication
253253

254-
SSH connections to sandboxes pass through the gateway's HTTP CONNECT tunnel with token-based authentication and HMAC-SHA256 handshake verification (NSSH1 protocol).
254+
SSH connections to sandboxes travel through the gateway over the sandbox's existing mTLS session. On top of the gateway's transport authentication (mTLS by default), each SSH connect call also carries a short-lived session token scoped to a specific sandbox. The sandbox never exposes an SSH port on the network — its SSH daemon listens on a local Unix socket that only the sandbox's own supervisor process can reach.
255255

256256
| Aspect | Detail |
257257
|---|---|

0 commit comments

Comments
 (0)