Playing with TinySSH on FreeBSD and OS X

TinySSH is a new, small SSH server that uses state-of-the-art cryptography from the TweetNaCl library. It piqued my interest because it claims to be an easily configured and auditable SSH server built on new cryptographic primitives, with no dependency on OpenSSL. Its development target is Debian, but since it has few dependencies it is not hard to get it running on other systems. This post has some notes on getting things up and running with a FreeBSD server and an OS X client.

Server installation on FreeBSD

The TinySSH installation instructions are pretty clear and explain what the two steps do. Looking at what actually happens shows that the author does not use the power of Makefiles: he basically uses them to call shell scripts directly.

The compilation step needs a small adjustment on a modern FreeBSD system, since these no longer ship gcc but use clang instead. This is easily fixed by editing the default-cc file and replacing the compiler name:

# Replace gcc with clang, the compiler FreeBSD ships. BSD sed requires an
# explicit (here empty) backup suffix after -i, otherwise "-e" becomes the suffix.
sed -i '' -e 's/gcc/clang/' default-cc

The installation step is a little messier: by default it installs the binaries in /usr/sbin and the configuration in /etc/tinyssh, neither of which conforms to FreeBSD conventions (/usr/local/sbin and /usr/local/etc). I performed the installation step manually:

# Copy binaries
sudo chmod 755 build/bin/tinysshd*
sudo chown root:wheel build/bin/tinysshd*
sudo cp build/bin/tinysshd* /usr/local/sbin

# Copy configuration files. This assumes the build tree mirrors the default
# install layout (build/etc/tinyssh/sshkeydir); the key directory has to end
# up at /usr/local/etc/tinyssh/sshkeydir, the path the inetd entry below uses.
sudo chown -R root:wheel build/etc
sudo cp -r build/etc/tinyssh /usr/local/etc/

# Create logging directory
sudo mkdir /var/log/tinyssh

Finally we have to make the server reachable from the outside. I chose the inetd method and added the following line to /etc/inetd.conf to make it listen on port 22:

ssh stream tcp nowait root /usr/local/sbin/tinysshd-inetd tinysshd-inetd /usr/local/sbin/tinysshd -v /usr/local/etc/tinyssh/sshkeydir
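Before restarting inetd it is worth checking the entry and the key directory it points at. The script below is an added example, not part of the post or of TinySSH: it assumes the inetd.conf field layout (service, socket type, protocol, wait/nowait, user, program, argv...) and the paths used above, and it runs on constructed input so it works on a machine where nothing is installed yet.

```sh
#!/bin/sh
# Added example (not from the post or from TinySSH): sanity-check the
# manual tinysshd installation before (re)starting inetd.

# Parse one inetd.conf entry (service socktype proto wait/nowait user
# program argv0 args...) and verify the fields that matter for tinysshd.
# Prints "ok" and returns 0, or prints the first problem and returns 1.
check_inetd_line() {
    set -- $1
    [ $# -ge 7 ] || { echo "too few fields"; return 1; }
    [ "$2" = "stream" ] || { echo "socket type must be stream, got $2"; return 1; }
    [ "$3" = "tcp" ] || [ "$3" = "tcp6" ] || { echo "protocol must be tcp or tcp6, got $3"; return 1; }
    [ "$4" = "nowait" ] || { echo "tinysshd handles one connection per process: use nowait"; return 1; }
    [ "$5" = "root" ] || { echo "the post runs tinysshd as root; got user $5"; return 1; }
    case $6 in
        /*) ;;
        *) echo "server program must be an absolute path, got $6"; return 1 ;;
    esac
    # The host-key directory is the last argument and must be absolute too.
    for arg; do keydir=$arg; done
    case $keydir in
        /*) ;;
        *) echo "key directory must be an absolute path, got $keydir"; return 1 ;;
    esac
    echo ok
}

# Verify that a host-key directory is accessible only by its owner.
# ls(1) output is parsed instead of stat(1) because stat's flags differ
# between FreeBSD and Linux.
check_keydir_perms() {
    [ -d "$1" ] || { echo "missing key directory $1"; return 1; }
    perms=$(ls -ld "$1" | cut -c1-10)
    case $perms in
        d???------) echo ok ;;
        *) echo "key directory $1 is group/world accessible ($perms)"; return 1 ;;
    esac
}

# Check the entry from the post (offline; nothing needs to be installed).
check_inetd_line 'ssh stream tcp nowait root /usr/local/sbin/tinysshd-inetd tinysshd-inetd /usr/local/sbin/tinysshd -v /usr/local/etc/tinyssh/sshkeydir'
```

Once the entry passes, inetd itself has to be enabled with inetd_enable="YES" in /etc/rc.conf and restarted with `service inetd restart` for the new line to take effect.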

Client installation on OS X

The default OpenSSH on OS X is ancient and does not offer the options needed for TinySSH’s modern cryptography, so you cannot connect to the TinySSH server with it. I use Homebrew for package management and followed the instructions here to update OpenSSH. Summarized:

brew tap homebrew/dupes
brew install openssh --with-keychain-support
launchctl stop org.openbsd.ssh-agent
launchctl unload -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
# OS X sed, like FreeBSD's, needs an explicit (empty) backup suffix after -i
sudo sed -i '' -e "s|/usr/bin/ssh-agent|/usr/local/bin/ssh-agent|" /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist

It is best to log out and back in to make sure that the SSH_AUTH_SOCK variable is updated properly. Then we need to generate a key that works with the modern crypto in TinySSH:

ssh-keygen -t ed25519

Make sure the public key is installed on your server in .ssh/authorized_keys; then you can ssh into your new SSH server, using -v to get debug output like this:

...
debug1: identity file /Users/jeroen/.ssh/id_ed25519 type 4
debug1: identity file /Users/jeroen/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6
debug1: Remote protocol version 2.0, remote software version tinyssh_20140501experimental diqDguON
...
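Rather than reading the -v output after a failed connection, you can check up front whether the client on your PATH offers what TinySSH speaks. The script below is an added example, not from the post, OpenSSH or TinySSH; it assumes the algorithm set TinySSH documents (curve25519-sha256@libssh.org key exchange, ssh-ed25519 host keys, chacha20-poly1305@openssh.com cipher) and uses `ssh -Q`, available from OpenSSH 6.3 on. The algorithm lists are passed in as text so the check can be exercised with constructed input.

```sh
#!/bin/sh
# Added example (not from the post, OpenSSH or TinySSH): does an OpenSSH
# client offer the algorithms TinySSH requires?  The assumed TinySSH set:
TINYSSH_KEX=curve25519-sha256@libssh.org
TINYSSH_HOSTKEY=ssh-ed25519
TINYSSH_CIPHER=chacha20-poly1305@openssh.com

# Does the newline-separated list $1 contain exactly the algorithm $2?
has_algo() {
    printf '%s\n' "$1" | grep -qxF -e "$2"
}

# $1 = kex list, $2 = host-key list, $3 = cipher list, in the format printed
# by `ssh -Q kex`, `ssh -Q key` and `ssh -Q cipher`.  Prints "ok" and returns
# 0, or prints the first missing algorithm and returns 1.
client_supports_tinyssh() {
    has_algo "$1" "$TINYSSH_KEX"     || { echo "missing kex $TINYSSH_KEX"; return 1; }
    has_algo "$2" "$TINYSSH_HOSTKEY" || { echo "missing host key type $TINYSSH_HOSTKEY"; return 1; }
    has_algo "$3" "$TINYSSH_CIPHER"  || { echo "missing cipher $TINYSSH_CIPHER"; return 1; }
    echo ok
}

# Query the ssh binary on PATH.  A client too old for `ssh -Q` fails the
# query, which is itself the answer: it is too old for TinySSH as well.
check_local_client() {
    ssh -Q kex >/dev/null 2>&1 || { echo "ssh -Q unsupported: client too old or not found"; return 1; }
    client_supports_tinyssh "$(ssh -Q kex)" "$(ssh -Q key)" "$(ssh -Q cipher)"
}

# Constructed lists imitating an old client (no curve25519, ed25519 or
# chacha20) and a modern one that adds the three algorithms.
OLD_KEX='diffie-hellman-group-exchange-sha256
diffie-hellman-group14-sha1'
OLD_KEY='ssh-rsa
ssh-dss'
OLD_CIPHER='aes128-ctr
aes256-ctr'
NEW_KEX="$OLD_KEX
curve25519-sha256@libssh.org"
NEW_KEY="$OLD_KEY
ssh-ed25519"
NEW_CIPHER="$OLD_CIPHER
chacha20-poly1305@openssh.com"

printf 'old client: %s\n' "$(client_supports_tinyssh "$OLD_KEX" "$OLD_KEY" "$OLD_CIPHER")"  # missing kex curve25519-sha256@libssh.org
printf 'new client: %s\n' "$(client_supports_tinyssh "$NEW_KEX" "$NEW_KEY" "$NEW_CIPHER")"  # ok
```

Run `check_local_client` on the Mac after the Homebrew upgrade; if it reports a missing algorithm, the connection attempt above would fail at key exchange regardless of the ed25519 key you generated.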

One comment on “Playing with TinySSH on FreeBSD and OS X”

  1. Pingback: Going down an elliptically curved rabbit hole | Jeroen van der Ham – 1s and 0s .nl
