The Grumpy Editor's guide to SSH servers [LWN.net]

This article is part of the LWN Grumpy Editor series.

Back in March, your editor received some not-entirely-friendly communications from a prominent OpenSSH developer. This person was unhappy about a number of things found in the article about OpenBSD's financial issues, as well as one thing that was absent: a discussion of OpenSSH alternatives. The point which was supposed to emerge from such a discussion is that there are no viable alternatives. Your editor has set out to try to determine if that is truly the situation or not. To that end, this article will look at SSH server implementations; the client side of the picture will be addressed in a future article.

There are a number of things one can look at while evaluating an SSH server. Features, for example: which ciphers are supported, port forwarding features, control over what users can do, PAM integration, etc. One can also look at performance issues; data-heavy SSH sessions can put a significant load on the host system. But the issue which must dominate the others is security. An SSH server is designed to give access - perhaps full, root access - to a suitably authorized user coming in from an arbitrary location on the net. Any vulnerabilities in this server thus have a high probability of turning into a full compromise of the system.

Evaluating security is hard. Certainly one can look at security-oriented features found in a given implementation, and there will be useful information there. But features do not make security; that requires careful coding, extensive code review, and quick response to security issues as they come up. It requires an active development community which continually works to tighten the security of the server. An SSH server which is the subject of a large number of security advisories would make your editor nervous, but a server with a moribund mailing list and no advisories at all would be worse.

With these thoughts in mind, your editor set out to play with the three SSH server implementations he found which are free and under some sort of active development.

Dropbear

Dropbear is an SSH server and client implementation available under an MIT-style license. It runs on just about every Unix-like system, including Cygwin. Dropbear development places a strong emphasis on small size; it is intended for use in embedded systems and other space-constrained situations. The current version of Dropbear is 0.48.1, released on March 12, 2006.

As might be expected in a program which is meant to be small, Dropbear offers fewer features than some others. It can perform X11 connection forwarding (and port forwarding in general), and has options for controlling whether password authentication may be used to log in. There is no configuration file, however, and many of the options available with certain other servers are not implemented in Dropbear.

Dropbear can do passwordless login using RSA or DSA keys. It understands OpenSSH-style authorized_keys files, allowing the same keys to be used with both servers. The key format for host keys is different, however; a script is provided to convert OpenSSH keys into Dropbear's format if needed. Dropbear can be configured to perform password authentication through PAM, though one gets the sense that most installations don't bother.

There is little information available on the ciphers supported by Dropbear. A look at the code, however, shows options for AES-128, AES-256, triple DES, Blowfish, Twofish-128 and Twofish-256.

Dropbear appears to have an active developer and user community. There is a fairly long list of distributions listed as using Dropbear, including OpenWRT, OpenZaurus, Trinux, and Motorola A780 phones. The volume on the mailing list is steady but low - Dropbear users apparently have little to talk about. The last publicly-acknowledged security issue was in March, 2006, when a denial of service problem (which also affected a wide variety of other network servers) was fixed. Prior to that, fully remotely exploitable format string vulnerability was disclosed (and very quickly fixed) in 2003. Another remote vulnerability was disclosed in 2004 and yet another was fixed in early 2005. In December of 2005, a "buffer sizing error" which could enable root access for authenticated users was fixed.

The code base is small - a little over 23,000 lines for both the server and client - but not particularly well commented. The Dropbear code should be relatively easy to audit; the extent to which anybody has done so is unclear, however.

lsh

Lsh comes billed as "a GNU implementation of the secure shell protocols." So, unsurprisingly, it is released under the GPL. Lsh provides both client and server implementations. The current release of lsh is 2.0.3, from May 9, 2006.

The lshd server daemon, like Dropbear, lacks a configuration file; it does have a number of command-line options for controlling options like password authentication and port forwarding. There is support for public-key authentication in lshd, but OpenSSH-format keys must be converted into the lsh format first. The converted key must then be fed to lsh-authorize before the server will recognize it. There does not appear to be an lsh-unauthorize command, making it more challenging than it should be to revoke access for a specific key.

Documentation for lsh is more complete than for Dropbear. From that documentation, one sees that the supported ciphers are AES-256, triple-DES (though it is listed as "3dec"), Blowfish, and ARCFOUR.

Disclosed vulnerabilities in lsh include a file descriptor leak enabling a local denial of service attack (January, 2006), a denial of service problem (March, 2005), and a remotely exploitable buffer overflow (September, 2003). While lsh releases do continue to happen, it is not clear how large the user and developer community really is. The lsh mailing list is dominated by spam, with legitimate messages seemingly being carried at a rate of less than one per month.

Lsh is written in C, but a look at the code gives the impression that the author would rather be using something else. Some sort of preprocessor is used on the code, a memory garbage collector has been implemented, there appears to be some sort of exception mechanism in place, etc. As a whole, the code is harder to read than the Dropbear code, and it is not clear that this code has seen much attention from anybody other than its original author.

All told, your editor would hesitate before committing to lsh; it is far from clear that this tool has the user and developer communities needed to keep it alive and secure into the future.

OpenSSH

OpenSSH is clearly the dominant offering in this area. All available evidence indicates that almost every publicly reachable SSH server is running OpenSSH. This implementation is maintained by the OpenBSD developers; the current release is 4.3 (or 4.3p2 for systems other than OpenBSD) from February, 2006.

If you are looking for features, OpenSSH is the way to go. The sshd_config man page lists a vast number of options controlling authentication mechanisms, ciphers used, user restrictions, file locations, port forwarding, and more. The list of supported ciphers includes ARCFOUR, blowfish, CAST, and several variants of AES. OpenSSH is clearly the most feature-complete of the SSH server implementations; it is also, in many ways, the best documented.

Vulnerabilities disclosed in OpenSSH include a root compromise in 2001 (but only when an obscure configuration option was set to a non-default value), a set of integer and buffer overflow vulnerabilities in 2002 which affected relatively few sites, a remotely exploitable heap corruption bug in 2003, an access restriction bypass vulnerability in 2003, a remotely exploitable PAM-related vulnerability in 2003 (non-default configurations only). The nastiest of these will be the 2003 heap corruption bug, which is thought by some to have been actively exploited for some months prior to being fixed.

It would appear that no OpenSSH server vulnerabilities have emerged since 2003 (there has been one client-side vulnerability since then). As this article is being written, there is some discussion on the OpenSSH list of a number of bugs found by a Coverity scan. Fixes are in circulation, but there does not appear to be much concern that these bugs are exploitable.

The OpenSSH developers clearly take security seriously. The code base is probably the most heavily reviewed of the three implementations discussed here. The OpenSSH server also has a "privilege separation" feature, wherein the bulk of the protocol code (prior to the establishment of the user's session) runs in a separate, unprivileged process. This mechanism will, it is hoped, contain the damage should an exploitable vulnerability turn up in that code in the future.

The handling of the 2002 integer and buffer overflow vulnerability raised some eyebrows; the developers refused to disclose specifics on the vulnerability, insisting, instead, that all users perform a significant upgrade to the current release. They have made it clear that they would do so again:

If there is ever a security problem (again :) in OpenSSH we will disclose it exactly like we want, and in no other way, and quite frankly since noone has ever paid a cent for it's development they have nothing they can say about it. Dear non-paying user -- please remember your place.

The fact remains that the OpenSSH developers have earned a high level of trust, and that most users are entirely happy in their place. The OpenSSH mailing list is active, with a steady flow of questions (and patches) from the user community.

OpenSSH is implemented with a significant amount of C code. The code base is written for OpenBSD in particular; the version the rest of us use is the "portable" release which has seen added tweaks to make it run elsewhere. There is a set of regression tests packaged with the code as well.

Conclusion

Your editor began this project with the idea of determining whether there are truly no alternatives to OpenSSH on the server side. Of the two discussed here, only Dropbear looks even remotely viable. For resource-constrained applications dropbear may even be the preferred choice, but it can also be used in any other setting that does not require the larger feature set of OpenSSH. As noted above, your editor is made a little nervous by lsh, and would choose to avoid it.

There are two schools of thought on the OpenSSH monoculture - for that is essentially what it is. Some, including your editor, find the situation a little scary; a serious vulnerability in OpenSSH could be the opening needed for a devastating Internet worm. To these people, some diversity in the OpenSSH ecosystem could only help to make the net as a whole more secure. Others, however, feel that we are better off with a single code base which can benefit from the concentrated auditing and hardening efforts of the entire development community.

One can only hope that there is some merit in the latter view, given that, for most systems, OpenSSH is the only viable choice available.

(Log in to post comments)

The Grumpy Editor's guide to SSH servers

Posted Jun 21, 2006 20:38 UTC (Wed) by kirkengaard (subscriber, #15022) [Link]

(Wow, I need to be consistent with analogies, or leave them alone. Sorry!)

acacia nilotica

Posted Jun 22, 2006 4:19 UTC (Thu) by xoddam (subscriber, #2322) [Link]

Hmmm, a prickly kind of large shade tree. Try Acacia Nilotica.

http://eriss.erin.gov.au/biodiversity/invasive/publicatio...

It's an African species, but in Australia it's a 'weed of national
significance'.

The Grumpy Editor's guide to SSH servers

Posted Jun 22, 2006 7:58 UTC (Thu) by dd9jn (subscriber, #4459) [Link]

To be fair the lsh developers: The lsh project came to life at a time when there was no free SSH implementation available and the GNU task list had a free ssh protocol implementation as an item. Then OpenSSH appeared out of the nowhere. Thus speaking of a GNU re-implementation is in this case not correct. Actually the OpenSSH development was the other way around: They took the last GPL implementation of ssh.com and replaced all GPL code by new code under the BSD license.

IIRC, the reason for the unusual architecture of lsh (i.e. very lispy) is due to several rewrites and that Nisse started reading the Wizard book while working on lsh.

The Grumpy Editor's guide to SSH servers

Posted Jun 22, 2006 8:44 UTC (Thu) by kirkengaard (subscriber, #15022) [Link]

Thanks; I wasn't aware of that. So it was a common itch, and poof! OpenSSH came along. That makes way more sense. Sorry for any false implications or statements on my part!

The Grumpy Editor's guide to SSH servers

Posted Jun 22, 2006 23:22 UTC (Thu) by smoogen (subscriber, #97) [Link]

Uhm.. actually I dont think ssh.com was ever GPL'd. They took the last version that had a BSD like licesne and worked from there.

The Grumpy Editor's guide to SSH servers

Posted Jun 23, 2006 7:15 UTC (Fri) by dd9jn (subscriber, #4459) [Link]

ssh 1.2.12 is the version OpenSSH was based on. It included for big integer arithmetics a copy of the GMP 1.3.2 - that version of the GMP (from 1993) is under the GPL. The FSF later relicensed the GMP under the LGPL but this is not the version included and used by that and all earlier ssh versions. Thus the rules of the GPL apply to these versions of ssh.

The Grumpy Editor's guide to SSH servers

Posted Jun 29, 2006 7:48 UTC (Thu) by Wol (guest, #4433) [Link]

Just because a GPL library was included doesn't make SSH GPL too ... it just means the SSH licence must be GPL-compatible (which is true of BSD).

So It's quite likely the SSH code was BSD, the library was GPL, and hence the combination was GPL.

In which case, there was no need to "rewrite all the GPL'd SSH code" because there wasn't any GPL'd SSH code to rewrite! :-)

Cheers,
Wol

The Grumpy Editor's guide to SSH servers

Posted Jun 29, 2006 5:40 UTC (Thu) by djm (subscriber, #11651) [Link]

To be fair to Niels Moller (the lsh developer), he actually started working on lsh before we started on OpenSSH, so it isn't a "me too" product.

The Grumpy Editor's guide to SSH servers

Posted Jun 22, 2006 1:43 UTC (Thu) by smitty_one_each (subscriber, #28989) [Link]

>play with the three SSH server implementations he found which are free

The Grumpy Editor's guide to SSH servers

Posted Jun 22, 2006 6:08 UTC (Thu) by eru (subscriber, #2753) [Link]

>>play with the three SSH server implementations he found which are free

Nevertheless, it might be interesting to know how OpenSSH would
fare in comparison to the commercial SSH. Of course I realize that
benchmarking expensive proprietary software would be
outside lwn.net:s scope, and maybe resources as well. Wonder
if such comparison exists elsewhere?

The Grumpy Editor's guide to SSH servers

Posted Jun 22, 2006 18:08 UTC (Thu) by horen (subscriber, #2514) [Link]

Excerpted from the LICENSE file of ssh-3.2.9.1 (from SSH.COM):

"NON-COMMERCIAL VERSION LICENSE

To qualify for a Non-Commercial Version License, You must: (1) use the
Software solely on a system under the Linux, FreeBSD, NetBSD, or OpenBSD
operating system (whether for commercial or non-commercial use), or (2)
use the Software for non-commercial purposes as defined herein and be a
Non-Commercial Entity as defined herein, or (3) be an University User as
defined herein, or (4) be an Excluded Contractor as defined herein.

The term "Non-Commercial Entity" is limited to the following: university
or other educational institutions (such as pre-schools, elementary
schools, middle or junior high schools, high schools, and community or
junior colleges), non-profit organizations (such as public libraries,
charities, and other organizations created for the promotion of social
welfare), "University Users", and other individual users who use the
Software for personal use (such as connecting to an Internet Service
Provider for personal use, hobby, recreational, or educational
purposes). The term "University Users" is limited to students, faculty
members, researchers, administrators, support staff, and employees of a
university when acting in this capacity. The term "Excluded Contractor"
is limited to independent, solo contractors while performing work for a
Non-Commercial Entity, such as a university or other educational
institution in an individual capacity. If You qualify for a
Non-Commercial Version License, You may use the Software free of
charge. SSH reserves the right to further clarify the terms
Non-Commercial Entity, University Users and Excluded Contractor at its
sole determination."

I apologize for the length, but the SSH.COM server and client remain major players throughout the formal academic and no-less-formal personal-user communities. I have used it since it became available (while a Unix sysadmin at Tel-Aviv University), and continue doing so, on my personal home computers, to this very day.

Thank you for this provocative and eye-opening article. Perhaps someone will as Apple Computers, who chose to base their MacOSX on FreeBSD (and then castrate it by their non-Unix commands and horrible GUIs, but that's grist for a different mill).

The Grumpy Editor's guide to SSH servers

Posted Jun 23, 2006 20:57 UTC (Fri) by piman (subscriber, #8957) [Link]

That license doesn't allow LWN (which is commercial, not a personal user, and not a university) to download and review the product, even if they wanted to.

The Grumpy Editor's guide to SSH servers

Posted Jun 29, 2006 9:29 UTC (Thu) by fgrosshans (guest, #35486) [Link]

Yes, it allows them :

>To qualify for a Non-Commercial Version License, You must: (1) use the
>Software solely on a system under the Linux, FreeBSD, NetBSD, or OpenBSD
>operating system (whether for commercial or non-commercial use), or (2)...

It doesn't allow lwn to use ssh on windows or solaris, but they can do so "under the Linux, FreeBSD, NetBSD, or OpenBSD operating system". I guess it would be possible for them to install linux ;-)