parasite

Security

TLS Certificate Pinning (TOFU)

All client-agent connections use TLS. On first connection to a new agent, the client stores the server certificate’s SHA-256 fingerprint:

~/.parasite/pinned_certs/<host>:<port>.sha256

On subsequent connections, the fingerprint is verified. A mismatch (potential MITM) rejects the connection with a clear error. This is the Trust On First Use model — the same approach used by SSH.

The agent auto-generates a self-signed certificate on first run, stored in ~/.parasite/agent-cert.pem and ~/.parasite/agent-key.pem.

SSH Credential Protection

SSH passwords are passed to sshpass via environment variable (SSHPASS), not command-line arguments:

cmd.env("SSHPASS", password);
cmd.args(["-e", "ssh", ...]);

This prevents password exposure in ps aux or /proc/*/cmdline.

SSH Host Key Verification

SSH connections use StrictHostKeyChecking=accept-new with a dedicated known hosts file:

~/.parasite/known_hosts

This accepts new hosts automatically (like TOFU) but rejects changed host keys, preventing MITM attacks on known hosts.

Path Traversal Protection

The agent validates all file operation paths:

1. Resolves ~ and ~/ to $HOME
2. Canonicalizes to resolve .. and symlinks
3. Rejects paths outside $HOME
4. Prevents deletion of $HOME itself

fn validate_path(raw: &str) -> Result<PathBuf, String> {
    let canonical = fs::canonicalize(&resolved)?;
    if !canonical.starts_with(&home_canonical) {
        return Err("Access denied: path outside home directory");
    }
    Ok(canonical)
}

For paths that don’t exist yet (e.g., DirCreate), the parent directory is validated instead.

Error Sanitization

The agent sanitizes error messages before sending them to the client, preventing internal path or system information leakage:

fn sanitize_error(e: &io::Error) -> String {
    match e.kind() {
        NotFound => "Path not found",
        PermissionDenied => "Permission denied",
        AlreadyExists => "Already exists",
        _ => "Operation failed",
    }
}

Full error details are logged server-side with tracing::warn!.

SSH Socket Security

SSH control sockets are stored in a user-owned directory with restricted permissions:

~/.parasite/sockets/ctrl-<hash>

The sockets/ directory is created with 0o700 permissions, preventing access by other users on the system.

Authentication

Agent authentication uses a random token generated on first run. The token is:

• Stored at ~/.parasite/agent-token
• Transmitted during the TLS handshake (already encrypted)
• Validated with constant-time comparison to prevent timing attacks