Playing with TinySSH on FreeBSD and OS X

Posted in Research Security -

TinySSH is a new small SSH server using state-of-the-art encryption using the TweetNaCL cryptographic library. It piqued my interest as it claims to be an easily configured and auditable SSH server with new cryptographic primitives and has no dependency on OpenSSL. Its development target is Debian, but since it has limited dependencies it is not hard to get it to run on other systems. This post has some notes on how to get things up and running on a FreeBSD server and an OS X client.

Server installation on FreeBSD

The TinySSH installation instructions are pretty clear, and explain what the two steps do. Examining what is actually going on shows that the author does not use the power of Makefiles. He basically uses them to call shell scripts directly.

The compilation step needs a small adjustment if you’re using a modern FreeBSD system, since these do not come with gcc anymore but instead use clang. This is easily fixed by editing the default-cc file and just doing a replace.

The installation step is a little more messy, by default it installs the binaries in /usr/sbin and the configuration in /etc/tinyssh, neither of which conforms to FreeBSD standards. I performed the installation step manually.

Finally we have to make the server available from the outside. I chose to use the inetd method, and I added the following line to /etc/inetd to make it listen on port 22:

Client installation on OS X

The default OpenSSH on OS X is ancient, and does not have the right options available for TinySSH’s modern cryptography. This means that you cannot connect to the TinySSH server. I use Homebrew for package management and have used the instructions here to update OpenSSH. Summarized:

It is best to logout and log back in to make sure that the SSH_AUTH_SOCK variable is updated properly. Then we need to generate a key that will work with the modern crypto in TinySSH:

Make sure that you have the public key part installed on your server in .ssh/authorized_keys, and then you can ssh into your new SSH-server, use -v flags to get debug output like so:

Written by