scv-bilara 3.181.1 → 3.182.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "scv-bilara",
-  "version": "3.181.1",
+  "version": "3.182.1",
   "description": "SuttaCentral bilara-data library",
   "main": "index.js",
   "directories": {
@@ -15,7 +15,7 @@
     "log-instance": "^1.6.0",
     "memo-again": "^0.10.0",
     "merkle-json": "^2.2.0",
-    "scv-esm": "^1.115.837",
+    "scv-esm": "^1.115.836",
     "suttacentral-api": "^2.17.67",
     "tmp": "^0.2.3"
   },

package/scripts/ssh-quantum-safety.sh

@@ -0,0 +1,315 @@
+#!/bin/bash
+
+# SSH Quantum Safety Evaluation Script
+# Evaluates local computer's SSH quantum safety compliance with GitHub 2025 guidelines
+#
+# Usage:
+#   ./ssh-quantum-safety.sh                  (check system SSH capabilities only)
+#   ./ssh-quantum-safety.sh --check-certificates (also check local SSH key types)
+#   ./ssh-quantum-safety.sh --reference      (show GitHub documentation reference)
+#   ./ssh-quantum-safety.sh --intro          (show non-technical summary)
+
+check_certificates=false
+
+# Function to print intro
+print_intro() {
+    cat <<'EOF'
+## GitHub SSH Quantum Security Update - What You Need to Know
+
+**The Problem:**
+GitHub updated their security in September 2025 to protect your code
+from a future threat. Hackers could theoretically record your SSH
+connections and store them. If quantum computers become powerful enough
+(which experts expect in 10-20+ years), they could decrypt those old
+recordings and access your data. This is called a "store now, decrypt
+later" attack.
+
+**The Solution:**
+GitHub added a new, stronger type of encryption to SSH connections that
+even quantum computers won't be able to break. It's a hybrid approach
+that combines old, trusted methods with new quantum-resistant methods.
+
+**What You Need to Do:**
+This program will help you evaluate your system for safe Github access:
+
+1. It will check your OpenSSH version: ssh -V
+   - If it says 9.0 or newer: You're good. Nothing to do.
+   - If it says 8.x or older: Update OpenSSH to version 9.0 or newer
+
+2. It will verify you have the new algorithm available: ssh -Q kex
+   - Look for sntrup761x25519-sha512 in the output
+   - If it's there: ✓ You have quantum-safe protection
+   - If it's not there: Update OpenSSH
+
+3. It can (with your permission) also check your SSL certificates
+
+The script will give recommendations about any action you should take
+EOF
+}
+
+# Parse arguments
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --check-certificates)
+            check_certificates=true
+            shift
+            ;;
+        --reference)
+            cat <<'EOF'
+## GitHub SSH Quantum-Safe Change (September 2025)
+
+**Algorithm:** `sntrup761x25519-sha512`
+- Hybrid: Streamlined NTRU Prime (post-quantum) + X25519 (classical)
+- Protects against "store now, decrypt later" attacks from future quantum computers
+
+**Rollout:**
+- September 17, 2025 on GitHub.com and GitHub Enterprise Cloud
+- Excluded US region (requires FIPS-approved cryptography)
+- Included in GitHub Enterprise Server 3.19
+
+**Requirements:**
+- OpenSSH 9.0+ (automatic support)
+- Older clients fall back gracefully to existing algorithms
+
+**What You Need to Do:**
+Most users: nothing. Just verify with `ssh -Q kex` that you see the post-quantum algorithms.
+
+**See:** https://github.blog/engineering/platform-security/post-quantum-security-for-ssh-access-on-github/
+EOF
+            exit 0
+            ;;
+        --intro)
+            print_intro
+            exit 0
+            ;;
+        *)
+            echo "Unknown option: $1"
+            echo "Usage: $0 [--check-certificates] [--reference] [--summary]"
+            exit 1
+            ;;
+    esac
+done
+
+set -e
+
+RED='\033[0;31m'
+YELLOW='\033[1;33m'
+GREEN='\033[0;32m'
+BLUE='\033[0;34m'
+NC='\033[0m' # No Color
+
+# Track findings
+has_post_quantum=false
+openssh_version=""
+openssh_major=""
+openssh_minor=""
+post_quantum_algos=()
+key_types=()
+issues=()
+recommendations=()
+
+# Function to check OpenSSH version
+check_openssh_version() {
+    echo -e "${BLUE}1. OpenSSH Version${NC}"
+    local openssh_full=$(ssh -V 2>&1)
+    echo "   $openssh_full"
+
+    openssh_version=$(echo "$openssh_full" | grep -oE 'OpenSSH_[0-9.]+' | grep -oE '[0-9.]+' | head -1)
+    openssh_major=$(echo "$openssh_version" | cut -d. -f1)
+    openssh_minor=$(echo "$openssh_version" | cut -d. -f2)
+
+    if [[ $openssh_major -gt 9 ]] || [[ $openssh_major -eq 9 && $openssh_minor -ge 0 ]]; then
+        echo -e "   ${GREEN}✓ OpenSSH $openssh_version supports post-quantum algorithms${NC}"
+        has_post_quantum=true
+    else
+        echo -e "   ${RED}✗ OpenSSH $openssh_version is too old (9.0+ required)${NC}"
+        issues+=("OpenSSH version $openssh_version does not support post-quantum algorithms")
+        recommendations+=("Upgrade to OpenSSH 9.0 or newer")
+    fi
+
+    echo ""
+}
+
+# Function to check available key exchange algorithms
+check_kex_algorithms() {
+    echo -e "${BLUE}2. Available Key Exchange Algorithms${NC}"
+    local all_kex=$(ssh -Q kex)
+
+    # Check for post-quantum algorithms
+    if echo "$all_kex" | grep -q "sntrup761x25519-sha512"; then
+        post_quantum_algos+=("sntrup761x25519-sha512")
+        echo -e "   ${GREEN}✓ sntrup761x25519-sha512 (NTRU Prime hybrid)${NC}"
+    fi
+
+    if echo "$all_kex" | grep -q "mlkem768x25519-sha256"; then
+        post_quantum_algos+=("mlkem768x25519-sha256")
+        echo -e "   ${GREEN}✓ mlkem768x25519-sha256 (ML-KEM hybrid)${NC}"
+    fi
+
+    if [[ ${#post_quantum_algos[@]} -eq 0 ]]; then
+        echo -e "   ${RED}✗ No post-quantum key exchange algorithms found${NC}"
+        issues+=("No post-quantum key exchange algorithms available")
+        recommendations+=("Upgrade OpenSSH to 9.0 or newer")
+    else
+        echo -e "   ${GREEN}✓ Found ${#post_quantum_algos[@]} post-quantum algorithm(s)${NC}"
+    fi
+
+    echo ""
+}
+
+# Function to run interview mode
+run_interview() {
+    echo -e "${BLUE}=== SSH Quantum Safety Evaluation ===${NC}\n"
+
+    echo -e "${BLUE}"
+    PMT="Let's start with an introduction to this tool [ENTER]:"
+    read -p "$PMT"
+    echo -e "${NC}"
+    print_intro
+    echo ""
+
+    echo -e "${BLUE}"
+    PMT="Let's check your ssh version [ENTER]:"
+    read -p "$PMT"
+    echo -e "${NC}"
+    check_openssh_version
+    echo ""
+
+    echo -e "${BLUE}"
+    PMT="Let's check your ssh algorithms [ENTER]:"
+    read -p "$PMT"
+    echo -e "${NC}"
+    check_kex_algorithms
+    echo ""
+
+    echo -e "${BLUE}"
+    PMT="Review summary of your test results [ENTER]:"
+    read -p "$PMT"
+    echo -e "${NC}"
+    echo ""
+}
+
+# Function to check local SSH key types
+check_ssh_keys() {
+    echo -e "${BLUE}3. Local SSH Key Types${NC}"
+
+    if [[ ! -d ~/.ssh ]]; then
+        echo -e "   ${YELLOW}⚠ No ~/.ssh directory found${NC}"
+        recommendations+=("Generate SSH keys if needed")
+    else
+        key_count=0
+        has_weak_keys=false
+        has_modern_keys=false
+
+        for keyfile in ~/.ssh/*.pub; do
+            if [[ ! -f "$keyfile" ]]; then
+                continue
+            fi
+
+            key_count=$((key_count + 1))
+            key_type=$(ssh-keygen -l -f "$keyfile" 2>/dev/null | awk '{print $NF}' | tr -d '()')
+            key_name=$(basename "$keyfile")
+
+            case "$key_type" in
+                ED25519)
+                    echo -e "   ${GREEN}✓ $key_name: ED25519 (excellent)${NC}"
+                    has_modern_keys=true
+                    key_types+=("ED25519")
+                    ;;
+                ECDSA)
+                    echo -e "   ${GREEN}✓ $key_name: ECDSA (good)${NC}"
+                    has_modern_keys=true
+                    key_types+=("ECDSA")
+                    ;;
+                RSA)
+                    # Check RSA key size
+                    key_bits=$(ssh-keygen -l -f "$keyfile" 2>/dev/null | awk '{print $1}')
+                    if [[ $key_bits -ge 2048 ]]; then
+                        echo -e "   ${YELLOW}⚠ $key_name: RSA-$key_bits (acceptable but older)${NC}"
+                        key_types+=("RSA-$key_bits")
+                    else
+                        echo -e "   ${RED}✗ $key_name: RSA-$key_bits (too weak, minimum 2048)${NC}"
+                        has_weak_keys=true
+                        issues+=("RSA key $key_name is less than 2048 bits")
+                    fi
+                    ;;
+                DSA|ssh-dss)
+                    echo -e "   ${RED}✗ $key_name: DSA (DEPRECATED by GitHub)${NC}"
+                    has_weak_keys=true
+                    issues+=("DSA key $key_name is deprecated and cannot be used with GitHub")
+                    recommendations+=("Replace $key_name with ED25519 or ECDSA key")
+                    ;;
+                *)
+                    echo -e "   ${YELLOW}⚠ $key_name: Unknown type ($key_type)${NC}"
+                    ;;
+            esac
+        done
+
+        if [[ $key_count -eq 0 ]]; then
+            echo -e "   ${YELLOW}⚠ No SSH public keys found in ~/.ssh${NC}"
+            recommendations+=("Generate SSH keys: ssh-keygen -t ed25519 -C 'your_email@example.com'")
+        fi
+    fi
+
+    echo ""
+}
+
+# Run interview first
+run_interview
+
+# Call function only if --check-certificates flag was passed
+if [[ $check_certificates == true ]]; then
+    check_ssh_keys
+else
+    echo -e "${BLUE}3. Local SSH Key Types${NC}"
+    echo -e "   ${YELLOW}⚠ Not checked (use --check-certificates to enable)${NC}"
+    echo ""
+fi
+
+# 4. Summary and recommendations
+echo -e "${BLUE}Quantum Safety Assessment${NC}"
+
+if [[ ${#issues[@]} -eq 0 ]]; then
+    echo -e "   ${GREEN}✓ Full post-quantum safety compliance${NC}"
+    echo -e "   ${GREEN}✓ Your SSH setup meets GitHub 2025 guidelines${NC}"
+    safety_level="FULL"
+elif [[ $has_post_quantum == true ]]; then
+    echo -e "   ${YELLOW}⚠ Partial post-quantum safety${NC}"
+    echo -e "   ${YELLOW}Your system supports post-quantum algorithms, but has some issues${NC}"
+    safety_level="PARTIAL"
+else
+    echo -e "   ${RED}✗ No post-quantum safety${NC}"
+    safety_level="NONE"
+fi
+
+echo ""
+echo -e "${BLUE}5. Recommendations${NC}"
+
+if [[ ${#recommendations[@]} -eq 0 ]]; then
+    echo -e "   ${GREEN}✓ No action required${NC}"
+else
+    for ((i=0; i<${#recommendations[@]}; i++)); do
+        echo -e "   $((i+1)). ${recommendations[$i]}"
+    done
+fi
+
+echo ""
+echo -e "${BLUE}=== Summary ===${NC}"
+echo "OpenSSH Version:         $openssh_version"
+echo "Post-Quantum Algorithms: ${#post_quantum_algos[@]} available"
+echo "Safety Level:            $safety_level"
+echo ""
+
+if [[ ${#issues[@]} -gt 0 ]]; then
+    echo -e "${RED}Issues Found:${NC}"
+    for ((i=0; i<${#issues[@]}; i++)); do
+        echo -e "   $((i+1)). ${issues[$i]}"
+    done
+    echo ""
+fi
+
+if [[ ${#issues[@]} -eq 0 ]]; then
+    exit 0
+else
+    exit 1
+fi