TinySSH is a new, small SSH server that uses state-of-the-art cryptography from the TweetNaCl library. It piqued my interest because it claims to be an easily configured and auditable SSH server built on new cryptographic primitives, with no dependency on OpenSSL. Its development target is Debian, but since it has few dependencies it is not hard to get it running on other systems. This post has some notes on how to get things up and running on a FreeBSD server and an OS X client.
Server installation on FreeBSD
The TinySSH installation instructions are pretty clear, and explain what the two steps do. Examining what is actually going on shows that the author does not use the power of Makefiles. He basically uses them to call shell scripts directly.
The compilation step needs a small adjustment if you’re using a modern FreeBSD system, since these do not come with gcc anymore but instead use clang. This is easily fixed by editing the default-cc file and just doing a replace.
# default-cc names gcc; point it at clang instead. BSD sed requires an
# explicit (here empty) backup suffix after -i, unlike GNU sed.
sed -i '' -e 's/gcc/clang/' default-cc
The installation step is a little messier: by default it installs the binaries in /usr/sbin and the configuration in /etc/tinyssh, neither of which conforms to FreeBSD conventions. I performed the installation step manually. Note that the inetd entry below expects the host key directory at /usr/local/etc/tinyssh/sshkeydir, so check that this is where it ends up after copying.
# Copy binaries
sudo chmod 755 build/bin/tinysshd*
sudo chown root:wheel build/bin/tinysshd*
sudo cp build/bin/tinysshd* /usr/local/sbin

# Copy configuration files
sudo chown -R root:wheel build/etc
sudo mkdir /usr/local/etc/tinyssh
sudo cp -r build/etc /usr/local/etc/tinyssh

# Create logging directory
sudo mkdir /var/log/tinyssh
Finally we have to make the server reachable from the outside. I chose to use the inetd method, and I added the following line to /etc/inetd.conf to make it listen on port 22:
ssh stream tcp nowait root /usr/local/sbin/tinysshd-inetd tinysshd-inetd /usr/local/sbin/tinysshd -v /usr/local/etc/tinyssh/sshkeydir
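The two things that most often go wrong with this kind of manual install are a malformed inetd.conf entry and host keys that ended up readable by other users. The script below is an added example (mine, not the post's and not part of TinySSH) that checks both for the paths used above. It assumes the post's layout (wrapper at /usr/local/sbin/tinysshd-inetd, keys under /usr/local/etc/tinyssh/sshkeydir) but takes the paths as arguments so it can be pointed elsewhere.

```sh
#!/bin/sh
# Added example, not from the post or the TinySSH project: post-install
# checks for a TinySSH-via-inetd setup. Default paths are the ones the post
# uses; the checks themselves are this example's.

# check_inetd_line "LINE" EXPECTED_WRAPPER
# Validates one inetd.conf entry: at least seven whitespace-separated fields,
# the stream/tcp/nowait service form, running as root, with the server
# program being the expected tinysshd-inetd wrapper path.
check_inetd_line() {
    line=$1
    expected=$2
    set -- $line                      # split the entry into its fields
    [ "$#" -ge 7 ]         || return 1
    [ "$1" = "ssh" ]       || return 1  # service name from /etc/services
    [ "$2" = "stream" ]    || return 1
    [ "$3" = "tcp" ]       || return 1
    [ "$4" = "nowait" ]    || return 1
    [ "$5" = "root" ]      || return 1
    [ "$6" = "$expected" ] || return 1  # server program
    return 0                            # $7 onward: argv for the wrapper
}

# check_keydir DIR
# Fails if DIR is missing or any file inside it (the host keys) is readable
# by group or others; secret host keys should be mode 0600.
check_keydir() {
    dir=$1
    [ -d "$dir" ] || return 1
    [ -z "$(find "$dir" -type f \( -perm -040 -o -perm -004 \) -print)" ]
}

# audit_tinyssh [INETD_CONF] [KEYDIR] [WRAPPER]
# Finds the TinySSH entry in inetd.conf and runs both checks. Prints "ok"
# and returns 0 on success; returns 1 with a reason on stderr otherwise.
audit_tinyssh() {
    conf=${1:-/etc/inetd.conf}
    keydir=${2:-/usr/local/etc/tinyssh/sshkeydir}
    wrapper=${3:-/usr/local/sbin/tinysshd-inetd}
    entry=$(grep -v '^#' "$conf" 2>/dev/null | grep "$wrapper" | head -n 1)
    [ -n "$entry" ] || { echo "no tinyssh entry in $conf" >&2; return 1; }
    check_inetd_line "$entry" "$wrapper" \
        || { echo "malformed entry: $entry" >&2; return 1; }
    check_keydir "$keydir" \
        || { echo "key directory $keydir missing or too permissive" >&2; return 1; }
    echo "ok"
}
```

Run `audit_tinyssh` with no arguments on the server after editing inetd.conf. Remember that inetd itself has to be enabled on FreeBSD (`inetd_enable="YES"` in /etc/rc.conf) and restarted after the configuration change before the entry takes effect.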
Client installation on OS X
The default OpenSSH on OS X is ancient, and does not have the right options available for TinySSH’s modern cryptography. This means that you cannot connect to the TinySSH server. I use Homebrew for package management and have used the instructions here to update OpenSSH. Summarized:
brew tap homebrew/dupes
brew install openssh --with-keychain-support

# Stop the system ssh-agent and point the launch agent at the Homebrew one.
# OS X sed is BSD sed: -i needs an explicit (here empty) backup suffix.
launchctl stop org.openbsd.ssh-agent
launchctl unload -w /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
sudo sed -i '' -e "s|/usr/bin/ssh-agent|/usr/local/bin/ssh-agent|" /System/Library/LaunchAgents/org.openbsd.ssh-agent.plist
It is best to log out and log back in to make sure that the SSH_AUTH_SOCK variable is updated properly. Then we need to generate a key that will work with the modern crypto in TinySSH:
ssh-keygen -t ed25519
Make sure that you have the public key part installed on your server in .ssh/authorized_keys; then you can ssh into your new SSH server. Use the -v flag to get debug output like so:
...
debug1: identity file /Users/jeroen/.ssh/id_ed25519 type 4
debug1: identity file /Users/jeroen/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6
debug1: Remote protocol version 2.0, remote software version tinyssh_20140501experimental diqDguON
...
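Installing the public key on the server is the step that is easiest to get subtly wrong: a duplicate line on every reinstall, or a ~/.ssh directory or authorized_keys file left group- or world-readable. The following is an added example (mine, not the post's) of an idempotent installer that only accepts ssh-ed25519 keys, since that is the key type the post generates for TinySSH, and enforces the usual 0700/0600 permissions. The key string used in the comments is a constructed placeholder, not a real key.

```sh
#!/bin/sh
# Added example, not from the post: install an ssh-ed25519 public key into a
# user's authorized_keys idempotently and with conventional permissions
# (~/.ssh 0700, authorized_keys 0600).

# install_authorized_key HOME_DIR "PUBKEY_LINE"
# Returns 0 on success, 1 if the line is not an ssh-ed25519 key.
install_authorized_key() {
    home=$1
    key=$2
    case $key in
        "ssh-ed25519 "*) ;;   # the key type generated with ssh-keygen -t ed25519
        *) echo "refusing non-ed25519 key" >&2; return 1 ;;
    esac
    sshdir="$home/.ssh"
    auth="$sshdir/authorized_keys"
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$auth"
    chmod 600 "$auth"
    # Append only if this exact line is not already present, so re-running
    # the installer never produces duplicate entries.
    if ! grep -qxF -- "$key" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
    return 0
}

# count_authorized_keys HOME_DIR: number of key lines currently installed.
count_authorized_keys() {
    grep -c '^ssh-' "$1/.ssh/authorized_keys"
}

# check_perms HOME_DIR: 0 if ~/.ssh is exactly 0700 and authorized_keys 0600.
check_perms() {
    [ -n "$(find "$1/.ssh" -prune -perm 700 -print)" ] &&
    [ -n "$(find "$1/.ssh/authorized_keys" -perm 600 -print)" ]
}

# Usage on the server, with the contents of the client's id_ed25519.pub
# (constructed placeholder shown, not a real key):
#   install_authorized_key "$HOME" "ssh-ed25519 AAAA_placeholder_not_a_real_key jeroen@laptop"
```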