OpenSSH/Development

< OpenSSH

It is possible to advance OpenSSH through donations of hardware or money. See the OpenSSH project web site at www.openssh.org for details.

OpenSSH is a volunteer project with the goal of making quality software. In that way it relies upon hardware and cash donations to keep the project rolling. Funds are needed for daily operation to cover network line subscriptions and electrical costs. If 2 dollars were given for every download of the OpenSSH source code in 2015 from the master site, ignoring the mirrors, or if a penny was donated for every pf or OpenSSH installed with a mainstream operating system or phone in 2015^[1], then funding goals for the year would be met. Hardware is needed for development and porting to new architectures and platforms always requires new hardware.

OpenSSH is currently developed by two teams. The first team works providing code that is as clean, simple and secure as possible as part of the OpenBSD project. The second team works using this core version and ports it to a great many other operating systems. Thus there are two development tracks, the OpenBSD core and the portable version. The work is all done in countries that permit export of cryptography.

Use the Source, Luke

The main development branch of OpenSSH is part of the OpenBSD project. So the "-current" branch of OpenBSD, available as source code, is where to look for current activity.

The source code for the portable releases of OpenSSH are published using anonymous CVS, so no password is needed to download source from the read-only repository. It is provided and maintained by Damien Miller. Nightly, bleeding-edge snapshots of OpenSSH itself are publicly available from its own CVS tree. Use a mirror when possible.

 
export CVSROOT=anoncvs@anoncvs.mindrot.org:/cvs
export CVS_RSH=/usr/bin/ssh
cvs get openssh

The fingerprint for the key used by the OpenSSH source code repository, as of this writing, is:

2048 SHA256:UNyCGjDDKB8hPDhrgMRAID6F53TyECEgnMmBN/4ZbuY anoncvs.mindrot.org (RSA)

We ask anyone wishing to report security bugs in OpenSSH to please use the contact address given in the source and to practice responsible disclosure.

libssh

libssh is an independent project that provides a multiplatform C library implementing the SSHv2 and SSHv1 protocols for client and server implementations. With libssh, developers can remotely execute programs, transfer files and use a secure and transparent tunnel for your remote applications.

libssh is available under LGPL 2.1 license, on the web page https://www.libssh.org/

Features:

Key Exchange Methods: curve25519-sha256@libssh.org, ecdh-sha2-nistp256, diffie-hellman-group1-sha1, diffie-hellman-group14-sha1
Hostkey Types: ecdsa-sha2-nistp256, ssh-dss, ssh-rsa
Ciphers: aes256-ctr, aes192-ctr, aes128-ctr, aes256-cbc, aes192-cbc, aes128-cbc, 3des-cbc, des-cbc-ssh1, blowfish-cbc
Compression Schemes: zlib, zlib@openssh.com, none
MAC hashes: hmac-sha1, none
Authentication: none, password, public-key, hostbased, keyboard-interactive, gssapi-with-mic
Channels: shell, exec (incl. SCP wrapper), direct-tcpip, subsystem, auth-agent-req@openssh.com
Global Requests: tcpip-forward, forwarded-tcpip
Channel Requests: x11, pty, exit-status, signal, exit-signal, keepalive@openssh.com, auth-agent-req@openssh.com
Subsystems: sftp(version 3), publickey(version 2), OpenSSH Extensions
SFTP: statvfs@openssh.com, fstatvfs@openssh.com
Thread-safe: Just don’t share sessions
Non-blocking: it can be used both blocking and non-blocking
Your sockets: the app hands over the socket, or uses libssh sockets
OpenSSL or gcrypt: builds with either

Additional Features:

Client and server support
SSHv2 and SSHv1 protocol support
Supports Linux, UNIX, BSD, Solaris, OS/2 and Windows
Full API documentation and a tutorial
Automated test cases with nightly tests
Event model based on poll(2), or a poll(2)-emulation.

libssh2

libssh2 is another independent project providing a lean C library implementing the SSH2 protocol for embedding specific SSH capabilities into other tools. It has a stable, well-documented API for working on the client side with the different SSH subsystems: Session, Userauth, Channel, SFTP, and Public Key. The API can be set to either blocking or non-blocking. The code uses strict name spaces, is C89-compatible and builds using regular GNU Autotools.

libssh2 is available under a modified BSD license. The functions are each documented in their own manual pages. The project web site contains the documentation, source code and examples: http://www.libssh2.org/

There is a mailing list for libssh2 in addition to an IRC channel. The project is small, low-key and, as true to the spirit of the Internet, a meritocracy. Hundreds of specific functions allow specific activities and components to be cherry-picked and added to an application:

Shell and SFTP sessions
Port forwarding
Password, public-key, host-based keys, and keyboard-interactive authentication methods.
Key Exchange Methods diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1
Host Key Types: ssh-rsa and ssh-dss
Ciphers: aes256-cbc (rijndael-cbc@lysator.liu.se), aes192-cbc, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, arcfour, or without a cipher.
Compression Scheme zlib or without compression
Message Authentication Code (MAC) algorithms for hashes: hmac-sha1, hmac-sha1-96, hmac-md5, hmac-md5-96, hmac-ripemd160 (hmac-ripemd160@openssh.com), or none at all
Channels: Shell, Exec – including the SCP wrapper, direct TCP/IP, subsystem
- Channel Requests: x11, pty
Subsystems: sftp version 3, public-key version 2
Thread-safe, blocking or non-blocking API
Your sockets: the app hands over the socket, calls select() etc.
Builds with either OpenSSL or gcrypt

See also the library libcurl which supports SFTP and SCP URLs.

Thrussh

Thrussh is an SSH library written in Rust and available under the Apache License version 2.0. It is a full implementation of the SSH 2 protocol. The only non-Rust part is the crypto backend, which uses ring instead. It is designed to work on any platform and to use asynchronous I/O. The project web site contains the documentation, source code, and examples. The code is accessible using darcs:

darcs get https://pijul.org/thrussh

It is not an implementation of an actual server or client, but instead contains all the elements needed to write custom clients and servers using Rust.

Other language bindings for the SSH protocols

What follows is a list of additional independent resources by programming language:

Perl

Net::SSH2: a wrapper module for libssh2.
Net::SSH::Perl: a full SSH/SFTP implementation in pure Perl. Unfortunately this module is not being maintained any more and has several open bugs. Also, installing it can be a daunting task due to some of its dependencies.
Net::OpenSSH: a wrapper for OpenSSH binaries and other handy programs (scp, rsync, sshfs). It uses OpenSSH multiplexing feature in order to reuse connections.
Net::OpenSSH::Parallel a module build on top of Net::OpenSSH that allows to transfer files and run programs on several machines in parallel efficiently.
SSH::Batch another module build on top of Net::OpenSSH that allows to run programs on several hosts in parallel.
Net::SSH::Expect: this module uses Expect to drive interactive shell sessions run on top of SSH.
Net::SSH: a simple wrapper around any SSH client. It does not support password authentication and is very slow as it establishes a new SSH connection for every remote program invoked.
Net::SCP and Net::SCP::Expect: modules wrapping the scp program. Note that Net::SSH2, Net::SSH::Perl and Net::OpenSSH already support file transfers via scp natively.
Net::SFTP::Foreign: a full SFTP client written in Perl with lots of bells and whistles. By default is uses ssh to connect to the remote machines but it can also run on top of Net::SSH2 and Net::OpenSSH.
GRID::Machine, IPC::PerlSSH and SSH::RPC: these modules allow to distribute and run Perl code on remote machines through SSH.

JSch - a pure Java implementation of SSH2.

http://www.jcraft.com/jsch/

References

↑ "The OpenBSD Foundation 2016 Fundraising Campaign". The OpenBSD Foundation. 2016. http://www.openbsdfoundation.org/campaign2016.html. Retrieved 2016-03-07.

OpenSSH

Overview • Why Encryption • Protocols • Implementations • Clients • Client Configuration • Server • Patterns • Utilities • Third Party • Logging • Development
Cookbook: Remote Processes • Tunnels • Automated Backup • File Transfer with SFTP • Public Key Authentication • Host-based Authentication • Load Balancing • Multiplexing • Proxies and Jump Hosts

This article is issued from Wikibooks. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.