Security
Model
- Host identity:
~/.config/zuko/key. - Host ticket:
endpointa…, sensitive dial information containing the host public key and current addresses. - Client allow-list:
~/.config/zuko/authorized_clients. - Client identity: a private local key used to derive a host-scoped token.
- Saved connection state:
~/.config/zuko/hosts, iOS Keychain, or browser IndexedDB.
Connections are Iroh QUIC and end-to-end encrypted. Public relays see encrypted payloads but can observe connection metadata and traffic volume.
Current shell access requires both:
- enough ticket information to dial the host; and
- a client token present in the host’s allow-list.
The ticket alone does not authorize a shell. Keep it private anyway: it exposes reachability metadata, and storing all connection material defensively limits the effect of future protocol changes.
Trust boundaries
zuko shareis the enrollment boundary. Anyone who obtains its short code while it is active can receive connection information and register a token.- The pairing code is memorable rather than high-entropy. Argon2id slows
guessing, and the short timeout/count bound exposure; do not use
--timeout 0unattended. - The host’s config directory controls identity and authorization. Local access to those files is outside zuko’s remote threat boundary.
- Losing a paired client exposes that client’s access until it is removed from the host allow-list.
- Browser state is available to scripts on the same origin. The Labs web client should not be treated as a hardened client until it has a dedicated origin.
Rules
- Protect saved connection state and client identity together.
- Host tickets are handed out through
zuko share/claimonly. zuko hostnever prints the raw ticket.zuko sharerejects stalecurrent_ticket.zuko hostadmits only tokens inauthorized_clients.- Remove a lost client with
zuko rm <name>; usezuko resetif trust cannot be narrowed safely.
Manage trust:
zuko ls
zuko rm <name>
zuko reset # remove key/current_ticket, clear authorised clients
zuko reset --yes
After reset, restart host and re-pair clients.
Report vulnerabilities
Use GitHub Security Advisories: adonm/zuko/security/advisories/new.
Use private advisories for vulnerabilities.
Scope: src/, web/, wire protocol, handoff, service installer, and iOS app.