OpenSSH/Development

From Wikibooks, open books for an open world

It is possible to advance OpenSSH through donations of hardware or money. See the OpenSSH project web site at www.openssh.com for details.

OpenSSH is a volunteer project with the goal of making quality software. As such it relies on hardware and cash donations to keep the project rolling. Funds are needed for daily operation to cover network line subscriptions and electrical costs. If two dollars were given for every download of the OpenSSH source code from the master site in 2015, ignoring the mirrors, or if a penny was donated for every instance of PF or OpenSSH installed with a mainstream operating system or phone in 2015[1], then the funding goals for the year would be met. Hardware is needed for development, and porting to new architectures and platforms always requires new hardware.

OpenSSH is currently developed by two teams. The first team works to provide code that is as clean, simple and secure as possible. It is part of the OpenBSD project. The second team works using this core version and ports it to a great many other operating systems. Thus there are two development tracks, the OpenBSD core and the portable version. All the work is done in countries that permit export of cryptography.

Use the Source, Luke


The main development branch of OpenSSH is part of the OpenBSD project. So the source code for the "-current" branch of OpenBSD is where to look for latest activity. Nightly, bleeding-edge snapshots of OpenSSH itself are thus publicly available from OpenBSD's CVS tree. Use a mirror when possible.

The source code for the portable releases of OpenSSH is published using anonymous Git, so no password is needed to download source from the read-only repository. The repository is provided and maintained by Damien Miller.

git://anongit.mindrot.org/openssh.git

We ask anyone wishing to report security bugs in OpenSSH to please use the contact address given in the source and to practice responsible disclosure.

libssh


libssh is an independent project that provides a multiplatform C library implementing the SSHv2 and SSHv1 protocols for client and server implementations. With libssh, developers can remotely execute programs, transfer files and use a secure and transparent tunnel for their remote applications.

libssh is available under the LGPL 2.1 license from its web page, https://www.libssh.org/

Features:

  • Key Exchange Methods: curve25519-sha256@libssh.org, ecdh-sha2-nistp256, diffie-hellman-group1-sha1, diffie-hellman-group14-sha1
  • Hostkey Types: ecdsa-sha2-nistp256, ssh-dss, ssh-rsa
  • Ciphers: aes256-ctr, aes192-ctr, aes128-ctr, aes256-cbc, aes192-cbc, aes128-cbc, 3des-cbc, des-cbc-ssh1, blowfish-cbc
  • Compression Schemes: zlib, zlib@openssh.com, none
  • MAC hashes: hmac-sha1, none
  • Authentication: none, password, public-key, hostbased, keyboard-interactive, gssapi-with-mic
  • Channels: shell, exec (incl. SCP wrapper), direct-tcpip, subsystem, auth-agent-req@openssh.com
  • Global Requests: tcpip-forward, forwarded-tcpip
  • Channel Requests: x11, pty, exit-status, signal, exit-signal, keepalive@openssh.com, auth-agent-req@openssh.com
  • Subsystems: sftp(version 3), publickey(version 2), OpenSSH Extensions
  • SFTP: statvfs@openssh.com, fstatvfs@openssh.com
  • Thread-safe: Just don’t share sessions
  • Non-blocking: it can be used both blocking and non-blocking
  • Your sockets: the app hands over the socket, or uses libssh sockets
  • OpenSSL or gcrypt: builds with either

Additional Features:

  • Client and server support
  • SSHv2 and SSHv1 protocol support
  • Supports Linux, UNIX, BSD, Solaris, OS/2 and Windows
  • Full API documentation and a tutorial
  • Automated test cases with nightly tests
  • Event model based on poll(2), or a poll(2)-emulation.


libssh2


libssh2 is another independent project providing a lean C library implementing the SSH2 protocol for embedding specific SSH capabilities into other tools. It has a stable, well-documented API for working on the client side with the different SSH subsystems: Session, Userauth, Channel, SFTP, and Public Key. The API can be set to either blocking or non-blocking. The code uses strict namespaces, is C89-compatible and builds using regular GNU Autotools.

libssh2 is available under a modified BSD license. The functions are each documented in their own manual pages. The project web site contains the documentation, source code and examples: http://www.libssh2.org/

There is a mailing list for libssh2 in addition to an IRC channel. The project is small, low-key and, true to the spirit of the Internet, a meritocracy. Hundreds of specific functions allow specific activities and components to be cherry-picked and added to an application:

  • Shell and SFTP sessions
  • Port forwarding
  • Password, public-key, host-based keys, and keyboard-interactive authentication methods.
  • Key Exchange Methods diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1
  • Host Key Types: ssh-rsa and ssh-dss
  • Ciphers: aes256-ctr, aes192-ctr, aes128-ctr, aes256-cbc (rijndael-cbc@lysator.liu.se), aes192-cbc, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, arcfour, arcfour128, or without a cipher.
  • Compression Scheme zlib or without compression
  • Message Authentication Code (MAC) algorithms for hashes: hmac-sha1, hmac-sha1-96, hmac-md5, hmac-md5-96, hmac-ripemd160 (hmac-ripemd160@openssh.com), or none at all
  • Channels: Shell, Exec – including the SCP wrapper, direct TCP/IP, subsystem
    • Channel Requests: x11, pty
  • Subsystems: sftp version 3, public-key version 2
  • Thread-safe, blocking or non-blocking API
  • Your sockets: the app hands over the socket, calls select() etc.
  • Builds with either OpenSSL or gcrypt

See also the library libcurl which supports SFTP and SCP URLs.
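The algorithm lists quoted above for libssh and libssh2 decide what two peers built on them will actually agree on. The following added example, which is not code from either project, replays the negotiation rule of RFC 4253 section 7.1 (the chosen algorithm is the first entry in the client's list that the server also offers) over the lists as quoted on this page, and then flags negotiated choices that a security review would question. The per-category lists and their order are taken from the feature lists above and treated as preference order; that order, and the set of names in current releases of either library, are assumptions, not something this page confirms.

```python
"""Added example: RFC 4253 algorithm negotiation over the libssh and libssh2
algorithm lists quoted on this page. Not code from either project.

Assumption: the lists below reproduce the page's feature lists, and their
order is taken as the preference order; real releases may differ in both."""

# Constructed from the libssh feature list above; order is an assumption.
LIBSSH_SERVER = {
    "kex": ["curve25519-sha256@libssh.org", "ecdh-sha2-nistp256",
            "diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"],
    "hostkey": ["ecdsa-sha2-nistp256", "ssh-dss", "ssh-rsa"],
    "cipher": ["aes256-ctr", "aes192-ctr", "aes128-ctr", "aes256-cbc",
               "aes192-cbc", "aes128-cbc", "3des-cbc", "des-cbc-ssh1",
               "blowfish-cbc"],
    "mac": ["hmac-sha1", "none"],
    "compression": ["zlib", "zlib@openssh.com", "none"],
}

# Constructed from the libssh2 feature list above (client side only).
LIBSSH2_CLIENT = {
    "kex": ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"],
    "hostkey": ["ssh-rsa", "ssh-dss"],
    "cipher": ["aes256-ctr", "aes192-ctr", "aes128-ctr", "aes256-cbc",
               "aes192-cbc", "aes128-cbc", "3des-cbc", "blowfish-cbc",
               "cast128-cbc", "arcfour", "arcfour128", "none"],
    "mac": ["hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96",
            "hmac-ripemd160", "none"],
    "compression": ["zlib", "none"],
}

# Legacy choices a review would flag, kept per category because "none" is a
# legitimate compression value but not a legitimate cipher or MAC.
LEGACY = {
    "kex": {"diffie-hellman-group1-sha1"},        # 1024-bit group with SHA-1
    "hostkey": {"ssh-dss"},                        # 1024-bit DSA signatures
    "cipher": {"des-cbc-ssh1", "3des-cbc", "blowfish-cbc", "cast128-cbc",
               "arcfour", "arcfour128", "none"},   # 64-bit blocks, RC4, no encryption
    "mac": {"hmac-md5", "hmac-md5-96", "hmac-sha1-96", "none"},
    "compression": set(),
}


def negotiate(client_prefs, server_prefs):
    """RFC 4253 section 7.1: the first name in the client's list that also
    appears in the server's list wins; None means the lists are disjoint and
    the key exchange would fail."""
    offered = set(server_prefs)
    for alg in client_prefs:
        if alg in offered:
            return alg
    return None


def negotiate_session(client, server):
    """Negotiate every category both sides advertise."""
    return {cat: negotiate(client[cat], server[cat])
            for cat in client if cat in server}


def review(negotiated):
    """Return the categories whose negotiated algorithm is a legacy choice."""
    return {cat: alg for cat, alg in negotiated.items()
            if alg in LEGACY.get(cat, set())}


if __name__ == "__main__":
    chosen = negotiate_session(LIBSSH2_CLIENT, LIBSSH_SERVER)
    for cat, alg in chosen.items():
        print(f"{cat:12} {alg}")
    print("legacy choices:", review(chosen))
```

With the lists as quoted, a libssh2 client talking to a libssh server ends up on diffie-hellman-group1-sha1 even though both sides also support group14: the client's preference order, not the server's, decides. The defender's fix is on whichever side one controls, either removing the legacy name from the list or moving the stronger entry ahead of it, and the `review` step is the check to run after any change to an algorithm list.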

Thrussh


Thrussh is an SSH library written in Rust and available under the Apache License version 2.0. It is a full implementation of the SSH 2 protocol. The only non-Rust part is the crypto back end, for which it uses ring. It is designed to work on any platform and to use asynchronous I/O. The project web site contains the documentation, source code, and examples. The code is accessible using darcs:

darcs get https://pijul.org/thrussh

It is not an implementation of an actual server or client, but instead contains all the elements needed to write custom clients and servers using Rust.

Other language bindings for the SSH protocols


What follows is a list of additional independent resources by programming language:

  • Net::SSH2: a wrapper module for libssh2.
  • Net::SSH::Perl: a full SSH/SFTP implementation in pure Perl. Unfortunately this module is not being maintained any more and has several open bugs. Also, installing it can be a daunting task due to some of its dependencies.
  • Net::OpenSSH: a wrapper for the OpenSSH binaries and other handy programs (scp, rsync, sshfs). It uses the OpenSSH multiplexing feature in order to reuse connections.
  • Net::OpenSSH::Parallel: a module built on top of Net::OpenSSH that allows files to be transferred and programs to be run on several machines in parallel efficiently.
  • SSH::Batch: another module built on top of Net::OpenSSH that allows programs to be run on several hosts in parallel.
  • Net::SSH::Expect: this module uses Expect to drive interactive shell sessions run on top of SSH.
  • Net::SSH: a simple wrapper around any SSH client. It does not support password authentication and is very slow as it establishes a new SSH connection for every remote program invoked.
  • Net::SCP and Net::SCP::Expect: modules wrapping the scp program. Note that Net::SSH2, Net::SSH::Perl and Net::OpenSSH already support file transfers via scp natively.
  • Net::SFTP::Foreign: a full SFTP client written in Perl with lots of bells and whistles. By default it uses ssh to connect to the remote machines, but it can also run on top of Net::SSH2 and Net::OpenSSH.
  • GRID::Machine, IPC::PerlSSH and SSH::RPC: these modules allow Perl code to be distributed to and run on remote machines through SSH.

Python


Paramiko

Fabric

libssh2

TwistedConch

Net::SSH

Capistrano

Jaramiko

JSch - a pure Java implementation of SSH2.


References

  1. "The OpenBSD Foundation 2016 Fundraising Campaign". The OpenBSD Foundation. 2016. Retrieved 2016-03-07.