EXCEPTIONS

When using exceptions in commands like do_request_service, when should
we use the passed in exception handler, and when should we use the
handler in the connection struct? Perhaps we should not have any
connection->e handler at all?

  
S-EXPRESSIONS


USERS

Use real ACL:s instead of the authorized keys hack. Implement a
general user-database abstraction. Also have a look at 'Pluggable Non
Interactive Authentication Modules' at
http://www.msu.ru/pniam/pniam.html.


CHARSETS

The conversion from UTF8->unicode->latin1 doesn't handle accented
characters properly. Probably needs a complete rewrite.


CONFIGURATION

Figure out what configuration files we need. 


LOGGING

Use syslog to log server startup, shutdown, and user authentication.
Update utmp (users currently logged in), wtmp (record of logins) and lastlog
(last login time).
Use tcpwrapper's libwrap to log connections and perform access control.


ALLOCATION

Not all packet consumers free processed packets properly.

Have the allocator initialize all objects automatically.

Better typechecking of non-heap objects. To do this one would also
need valid isa-pointers in classes (as classes are statically
allocated). If this is done properly, the meta feature could also be
cleaned up a little.

Consider adding reference counts to strings.


CHANNELS

Consider which errors can occur in the channel callback functions;
they are probably somewhat different from errors in higher levels. For
instance, writing to a file associated with a channel may fail. In
that case, the channel should be closed, but the connection should not
die. 

Implement window-change requests.


FREENESS

It might be safer to remove patent-encumbered code like IDEA code from the
regular lsh distribution, and make it available separately (this approach is
taken with GnuPG).

scsh is not free software. Olin Shivers (one of the scsh copyright owners)
has indicated he is willing to free it, but currently he has no time to
handle the paperwork. 


CONTROL LANGUAGE

Improve the tail recursiveness of builtin functions.


FORWARDING

Implement other types of forwarding; X, ssh-agent, UDP, etc.

Review the naming of functions in tcpforward.c; it appears a little
inconsistent. 


RANDOMNESS

Get a decent source of random (the current version will fall back to a
really poorly seeded generator if /dev/urandom is not available). Two
main alternatives are Werner Koch's code in GnuPG, and Peter Gutmann's
libcrypt. Even on systems with /dev/random, it might be suboptimal to
use it directly.


DENIAL OF SERVICE

Implement some limit on the amount of data that may be buffered for
write on a connection. When the limit is exceeded, the connection
should be dropped. The problem: if a client connects and sends a lot
of packets, without ever reading anything from its socket, the server
will eventually run out of memory.


BUILD ISSUES

make distclean doesn't work, it fails in src/symmetric because it
tries to rebuild desdata.o.

Have autoconf automatically add -I $prefix/include and -L $prefix/lib ?

Change configure.in and acinclude.m4 to use LDFLAGS for all -L and -R
options, not LIBS.

Remaking Makefile.am from subdirectories probably cd:s to the wrong
place, when building outside of the source tree.


MISC

Try to find out why read() sometimes returns -1 and sets errno==EPIPE,
on sparc-linux, 2.0.33, redhat-5.1, glibc.
Note: Debian's sparc port uses glibc2.1, rather than 2.0; maybe Red Hat does
too? Quite a lot of things have changed between 2.0 and 2.1; this might well
be a documented feature of 2.1.

"lsh" is already used as the name of a shell (included in Debian;
Description: Baby Shell for Novices with DOS compatible commands). Perhaps
we need to change our name?

Make it cleaner wrt. more gcc warnings.

Fix desTest.c to use proper declarations of its function pointers, and
have autoconf check for rusage().

It seems that it is a little difficult to detect that an asyncronous
connect() failed; poll() indicates that both reading and writing is
possible, but write failes (with EPIPE/SIGPIPE) later. Perhaps a
linux-problem?

Perhaps some of the dh-code in publickey_crypto should be moved to
keyexchange.c?

Fix the src/symmetric/desTest program. It doesn't complain if the
desCode is compiled with empty keymap.h, parity.h and rotors.h files.

About POLLHUP:

  I've found something that can either be an io.c or a linux kernel bug.
  This time it is the poll() system call, which causes troubles. If an
  AF_UNIX connection is closed by the client, the kernel doesn't set
  POLLIN in revents, instead it sets only POLLHUP. (and therefore the io
  backend doesn't read the last zero length packet) The following patch
  solves the problem for me:
  
  -        if (fds[i].revents & POLLIN)
  -          READ_FD(fd);
  +        if (fds[i].revents & (POLLIN | POLLHUP))
  +          READ_FD(fd);
  
  jpoll.h doesn't define POLLHUP, so I added a
  
  #define POLLHUP         0
  
  line there. I seldom use poll() so I don't know what the correct
  behaviour should be, but I am afraid this is a kernel bug again.
  
  --
  Bazsi

Find out why opening /dev/ptmx failes occasionally (errno = 19, no
such device).

Add some workaround for the poll()-bug in linux/glibc-2.07 reported by
Bazsi. Hmm, this is probably not a bug. I have to find out what the
right way is to handle the poll conditions POLLERR, POLLHUP and
POLLERR. For a start, the fd-list passed to poll should include only
fd:s that we are actually interested in.

Consider removing the write-attribute from ssh_channel.

Let init_channel take enough arguments to initialize the window- and
packet-size fields properly. It's too easy to forget them.

Add const to arguments of type struct exception_handler *?

Do something reasonable in do_buffered_read() if want_read is cleared.

The supplied argp is compiled even if it isn't used.

Move miscellaneous lsh_string-functions from format.c to a separate
file.

Consider moving SPKI tuple-related functions to a separate file.

With SPKI, consider whether or not we should require any specific
order of subexpressions. The most central function for this is
sexp_get_un. 

Extend the GABA: (expr ...) constructions with a single parameter
could be used directly as a command_simple. Extend gaba.scm to do that
automatically. Extend the (exp ...) construction to take a return
type, and automatically cast the result to that type.

Add -f, to fork and exit when userauthentication is done and any
tunneling is set up.

Consider using dynamically allocated strings for exception messages.
Without this, it is impossible to use non-constant messages, for
instance messages supplied by the peer.

See if we can do without the "reason" argument to close callbacks. 

Try to unify the handling of queued channel requests and global
requests. 

Get rid of the double close loop in io_iter. Perhaps start using a
doubly linked list for fds? Add a backend-pointer to fd:s? Use an
extra stack of fds that should be closed?

If we add the backend field to lsh_fd objects, the code for listen
could also be simplified, and perhaps we can get rid of the backend
pointer in some other places as well.

Exceptions from listen are handled badly in several places. 

Write a conversion program to read and write openssh/ssh2 style public
keys.

Should lsh fail if some port forwardings fails? In particular,

  $ lsh -R... -N

is pretty useless if the server doesn't let us bind the remote port.
