The Grumpy Editor's guide to SSH servers
| This article is part of the LWN Grumpy Editor series. |
There are a number of things one can look at while evaluating an SSH server. Features, for example: which ciphers are supported, port forwarding features, control over what users can do, PAM integration, etc. One can also look at performance issues; data-heavy SSH sessions can put a significant load on the host system. But the issue which must dominate the others is security. An SSH server is designed to give access - perhaps full, root access - to a suitably authorized user coming in from an arbitrary location on the net. Any vulnerabilities in this server thus have a high probability of turning into a full compromise of the system.
Evaluating security is hard. Certainly one can look at security-oriented features found in a given implementation, and there will be useful information there. But features do not make security; that requires careful coding, extensive code review, and quick response to security issues as they come up. It requires an active development community which continually works to tighten the security of the server. An SSH server which is the subject of a large number of security advisories would make your editor nervous, but a server with a moribund mailing list and no advisories at all would be worse.
With these thoughts in mind, your editor set out to play with the three SSH server implementations he found which are free and under some sort of active development.
Dropbear
Dropbear is an SSH server and client implementation available under an MIT-style license. It runs on just about every Unix-like system, including Cygwin. Dropbear development places a strong emphasis on small size; it is intended for use in embedded systems and other space-constrained situations. The current version of Dropbear is 0.48.1, released on March 12, 2006.
As might be expected in a program which is meant to be small, Dropbear offers fewer features than some others. It can perform X11 connection forwarding (and port forwarding in general), and has options for controlling whether password authentication may be used to log in. There is no configuration file, however, and many of the options available with certain other servers are not implemented in Dropbear.
Dropbear can do passwordless login using RSA or DSA keys. It understands OpenSSH-style authorized_keys files, allowing the same keys to be used with both servers. The key format for host keys is different, however; a script is provided to convert OpenSSH keys into Dropbear's format if needed. Dropbear can be configured to perform password authentication through PAM, though one gets the sense that most installations don't bother.
There is little information available on the ciphers supported by Dropbear. A look at the code, however, shows options for AES-128, AES-256, triple DES, Blowfish, Twofish-128 and Twofish-256.
Dropbear appears to have an active developer and user community. There is a fairly long list of distributions listed as using Dropbear, including OpenWRT, OpenZaurus, Trinux, and Motorola A780 phones. The volume on the mailing list is steady but low - Dropbear users apparently have little to talk about. The last publicly-acknowledged security issue was in March, 2006, when a denial of service problem (which also affected a wide variety of other network servers) was fixed. Prior to that, fully remotely exploitable format string vulnerability was disclosed (and very quickly fixed) in 2003. Another remote vulnerability was disclosed in 2004 and yet another was fixed in early 2005. In December of 2005, a "buffer sizing error" which could enable root access for authenticated users was fixed.
The code base is small - a little over 23,000 lines for both the server and client - but not particularly well commented. The Dropbear code should be relatively easy to audit; the extent to which anybody has done so is unclear, however.
lsh
Lsh comes billed as "a GNU implementation of the secure shell protocols." So, unsurprisingly, it is released under the GPL. Lsh provides both client and server implementations. The current release of lsh is 2.0.3, from May 9, 2006.
The lshd server daemon, like Dropbear, lacks a configuration file; it does have a number of command-line options for controlling options like password authentication and port forwarding. There is support for public-key authentication in lshd, but OpenSSH-format keys must be converted into the lsh format first. The converted key must then be fed to lsh-authorize before the server will recognize it. There does not appear to be an lsh-unauthorize command, making it more challenging than it should be to revoke access for a specific key.
Documentation for lsh is more complete than for Dropbear. From that documentation, one sees that the supported ciphers are AES-256, triple-DES (though it is listed as "3dec"), Blowfish, and ARCFOUR.
Disclosed vulnerabilities in lsh include a file descriptor leak enabling a local denial of service attack (January, 2006), a denial of service problem (March, 2005), and a remotely exploitable buffer overflow (September, 2003). While lsh releases do continue to happen, it is not clear how large the user and developer community really is. The lsh mailing list is dominated by spam, with legitimate messages seemingly being carried at a rate of less than one per month.
Lsh is written in C, but a look at the code gives the impression that the author would rather be using something else. Some sort of preprocessor is used on the code, a memory garbage collector has been implemented, there appears to be some sort of exception mechanism in place, etc. As a whole, the code is harder to read than the Dropbear code, and it is not clear that this code has seen much attention from anybody other than its original author.
All told, your editor would hesitate before committing to lsh; it is far from clear that this tool has the user and developer communities needed to keep it alive and secure into the future.
OpenSSH
OpenSSH is clearly the dominant offering in this area. All available evidence indicates that almost every publicly reachable SSH server is running OpenSSH. This implementation is maintained by the OpenBSD developers; the current release is 4.3 (or 4.3p2 for systems other than OpenBSD) from February, 2006.
If you are looking for features, OpenSSH is the way to go. The sshd_config man page lists a vast number of options controlling authentication mechanisms, ciphers used, user restrictions, file locations, port forwarding, and more. The list of supported ciphers includes ARCFOUR, blowfish, CAST, and several variants of AES. OpenSSH is clearly the most feature-complete of the SSH server implementations; it is also, in many ways, the best documented.
Vulnerabilities disclosed in OpenSSH include a root compromise in 2001 (but only when an obscure configuration option was set to a non-default value), a set of integer and buffer overflow vulnerabilities in 2002 which affected relatively few sites, a remotely exploitable heap corruption bug in 2003, an access restriction bypass vulnerability in 2003, a remotely exploitable PAM-related vulnerability in 2003 (non-default configurations only). The nastiest of these will be the 2003 heap corruption bug, which is thought by some to have been actively exploited for some months prior to being fixed.
It would appear that no OpenSSH server vulnerabilities have emerged since 2003 (there has been one client-side vulnerability since then). As this article is being written, there is some discussion on the OpenSSH list of a number of bugs found by a Coverity scan. Fixes are in circulation, but there does not appear to be much concern that these bugs are exploitable.
The OpenSSH developers clearly take security seriously. The code base is probably the most heavily reviewed of the three implementations discussed here. The OpenSSH server also has a "privilege separation" feature, wherein the bulk of the protocol code (prior to the establishment of the user's session) runs in a separate, unprivileged process. This mechanism will, it is hoped, contain the damage should an exploitable vulnerability turn up in that code in the future.
The handling of the 2002 integer and buffer overflow vulnerability raised some eyebrows; the developers refused to disclose specifics on the vulnerability, insisting, instead, that all users perform a significant upgrade to the current release. They have made it clear that they would do so again:
The fact remains that the OpenSSH developers have earned a high level of trust, and that most users are entirely happy in their place. The OpenSSH mailing list is active, with a steady flow of questions (and patches) from the user community.
OpenSSH is implemented with a significant amount of C code. The code base is written for OpenBSD in particular; the version the rest of us use is the "portable" release which has seen added tweaks to make it run elsewhere. There is a set of regression tests packaged with the code as well.
Conclusion
Your editor began this project with the idea of determining whether there are truly no alternatives to OpenSSH on the server side. Of the two discussed here, only Dropbear looks even remotely viable. For resource-constrained applications dropbear may even be the preferred choice, but it can also be used in any other setting that does not require the larger feature set of OpenSSH. As noted above, your editor is made a little nervous by lsh, and would choose to avoid it.
There are two schools of thought on the OpenSSH monoculture - for that is essentially what it is. Some, including your editor, find the situation a little scary; a serious vulnerability in OpenSSH could be the opening needed for a devastating Internet worm. To these people, some diversity in the OpenSSH ecosystem could only help to make the net as a whole more secure. Others, however, feel that we are better off with a single code base which can benefit from the concentrated auditing and hardening efforts of the entire development community.
One can only hope that there is some merit in the latter view, given that,
for most systems, OpenSSH is the only viable choice available.
Posted Jun 21, 2006 19:30 UTC (Wed)
by sbishop (guest, #33061)
[Link]
Posted Jun 21, 2006 20:02 UTC (Wed)
by landley (guest, #6789)
[Link] (1 responses)
Posted Jun 21, 2006 22:05 UTC (Wed)
by ehovland (subscriber, #2284)
[Link]
Just to say, me too!
Dropbear is the default client and server for the familiar distribution for handhelds running linux.
There have been a few issues that the familiar group has had to patch over and over again. For example, 2048-bit keys can cause a core dump on the dropbear ssh client, and only because dropbear does not allocate enough space for a key that size. But that issue is minor when one wants ssh on a small device (and let me tell you, ssh on a small device is handy).
Posted Jun 21, 2006 20:26 UTC (Wed)
by kirkengaard (guest, #15022)
[Link] (8 responses)
I don't mean to sound like I'm complaining about the quality of the competition like it's OpenSSH's fault. This is a group choice in large part. It could be worse; at least this dominant player is nominally on the Open side of the fence, even if prickly at times. I've always thought of the logo as a caveat. ;)
Posted Jun 21, 2006 20:38 UTC (Wed)
by kirkengaard (guest, #15022)
[Link] (1 responses)
Posted Jun 22, 2006 4:19 UTC (Thu)
by xoddam (subscriber, #2322)
[Link]
Posted Jun 22, 2006 7:58 UTC (Thu)
by dd9jn (✭ supporter ✭, #4459)
[Link] (4 responses)
IIRC, the reason for the unusual architecture of lsh (i.e. very lispy) is due to several rewrites and that Nisse started reading the Wizard book while working on lsh.
Posted Jun 22, 2006 8:44 UTC (Thu)
by kirkengaard (guest, #15022)
[Link]
Posted Jun 22, 2006 23:22 UTC (Thu)
by smoogen (subscriber, #97)
[Link] (2 responses)
Posted Jun 23, 2006 7:15 UTC (Fri)
by dd9jn (✭ supporter ✭, #4459)
[Link] (1 responses)
Posted Jun 29, 2006 7:48 UTC (Thu)
by Wol (subscriber, #4433)
[Link]
So It's quite likely the SSH code was BSD, the library was GPL, and hence the combination was GPL.
In which case, there was no need to "rewrite all the GPL'd SSH code" because there wasn't any GPL'd SSH code to rewrite! :-)
Cheers,
Posted Jun 29, 2006 5:40 UTC (Thu)
by djm (subscriber, #11651)
[Link]
Posted Jun 22, 2006 1:26 UTC (Thu)
by miah (guest, #639)
[Link] (5 responses)
Posted Jun 22, 2006 1:43 UTC (Thu)
by smitty_one_each (subscriber, #28989)
[Link] (4 responses)
Posted Jun 22, 2006 6:08 UTC (Thu)
by eru (subscriber, #2753)
[Link]
Nevertheless, it might be interesting to know how OpenSSH would
Posted Jun 22, 2006 18:08 UTC (Thu)
by horen (guest, #2514)
[Link] (2 responses)
"NON-COMMERCIAL VERSION LICENSE
To qualify for a Non-Commercial Version License, You must: (1) use the
The term "Non-Commercial Entity" is limited to the following: university
I apologize for the length, but the SSH.COM server and client remain major players throughout the formal academic and no-less-formal personal-user communities. I have used it since it became available (while a Unix sysadmin at Tel-Aviv University), and continue doing so, on my personal home computers, to this very day.
Thank you for this provocative and eye-opening article. Perhaps someone will as Apple Computers, who chose to base their MacOSX on FreeBSD (and then castrate it by their non-Unix commands and horrible GUIs, but that's grist for a different mill).
Posted Jun 23, 2006 20:57 UTC (Fri)
by piman (guest, #8957)
[Link] (1 responses)
Posted Jun 29, 2006 9:29 UTC (Thu)
by fgrosshans (guest, #35486)
[Link]
>To qualify for a Non-Commercial Version License, You must: (1) use the
It doesn't allow lwn to use ssh on windows or solaris, but they can do so "under the Linux, FreeBSD, NetBSD, or OpenBSD operating system". I guess it would be possible for them to install linux ;-)
Posted Jun 22, 2006 5:23 UTC (Thu)
by b7j0c (guest, #27559)
[Link] (3 responses)
Posted Jun 22, 2006 5:43 UTC (Thu)
by kmself (guest, #11565)
[Link]
Posted Jun 23, 2006 16:11 UTC (Fri)
by alvherre (subscriber, #18730)
[Link]
Posted Jun 23, 2006 17:11 UTC (Fri)
by sbergman27 (guest, #10767)
[Link]
Posted Jun 22, 2006 6:00 UTC (Thu)
by fyodor (guest, #3481)
[Link] (1 responses)
Funny you should mention this, as Nmap developer Doug Hoyte just last week posted the results of an large scale Internet survey of SSH daemons. He did find that the vast majority of servers run OpenSSH, though he found that a bit more than 1% of the servers (98 of them out of about 8,000) ran Dropbear. LSH was truly obscure -- he found only 2 instances.
Speaking of security tools (and pardon me for plugging my own site), I released a new site this morning at SecTools.Org. This covers the top 100 network security tools, as voted on by more than 3,000 Nmap users. SSH made the list, with users specifying a certain implementation generally suggesting either OpenSSH or PuTTy. I think the latter is mostly used by Windows and embedded device users. I do these security tool surveys every 3 years, and find them quite valuable for learning about the new and interesting tools out there. Sometimes we get stuck in a rut of using just the tools we know well, without exploring other options.
-Fyodor
Posted Jun 28, 2006 1:37 UTC (Wed)
by roelofs (guest, #2599)
[Link]
I came across that article via LinuxSecurity.com's newsletter, and I fully agree with the author--the tools survey is extremely useful, even if it does include many that aren't relevant to me due to my choice of OS. I only wish there was a single-page version of the survey (or, if there is one, that it was more prominently linked). ;-)
Greg
Posted Jun 22, 2006 7:53 UTC (Thu)
by kleptog (subscriber, #1183)
[Link]
Ah yes, I remember that day, when a simple security update broke SSH throughout our network and I had to spend a good part of the day logging into every machine and fixing it.
Posted Jun 22, 2006 9:07 UTC (Thu)
by pointwood (guest, #2814)
[Link]
Posted Jun 22, 2006 9:24 UTC (Thu)
by Segora (subscriber, #8209)
[Link] (3 responses)
Posted Jun 22, 2006 12:59 UTC (Thu)
by job (guest, #670)
[Link] (2 responses)
Posted Jun 23, 2006 2:09 UTC (Fri)
by scruffie (guest, #5704)
[Link] (1 responses)
Posted Jun 24, 2006 14:13 UTC (Sat)
by kevinbsmith (guest, #4778)
[Link]
If someone built command-line wrappers around twisted conch and paramiko, we would immediately have 40% more SSH servers available for evaluation. An added benefit would be that they would be less featureful than openssh. Lots of configuration options can lead to confusion, and in the worst case, bad security.
Posted Jun 22, 2006 13:03 UTC (Thu)
by job (guest, #670)
[Link]
Posted Jun 24, 2006 2:37 UTC (Sat)
by rickmoen (subscriber, #6943)
[Link]
Rick Moen
This article doesn't appear to be "subscribers only"...The Grumpy Editor's guide to SSH servers
I've been using dropbear for years now, it's actually pretty nice. It's The Grumpy Editor's guide to SSH servers
been the default ssh server/client in the embedded space since about 2004,
and I'm unaware of anything interesting openssh does that dropbear
doesn't.
Setup's fairly easy too: extract the tarball and run the standard
"./configure; make; make install", then set up a host key.
Right after running ./configure I edit options.h to comment out
the #defines for DROPBEAR_SMALL_CODE, DO_HOST_LOOKUP and DO_MOTD, and I
set DROPBEAR_RANDOM_DEV to "/dev/urandom", but all of that's just tweaks I
could live without.
After install you need to create a host key, ala:
mkdir /etc/dropbear
./dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key -s 2048
Then just run dropbear and you should be able to ssh to your machine.
(Try the loopback port.)
> I've been using dropbear for years now, it's actually pretty nice.The Grumpy Editor's guide to SSH servers
This seems to be the case with many de facto standard codebases. Like monolithic shade trees, it is hard for anything to grow in their shadow; most things that try to fill the same niche wind up compared to the 'big tree', just as dropbear and lsh do here. This is, to some extent, a self-reinforcing issue, and it can have good results, as you pointed out. A monoculture built around fanatic security-consciousness is perhaps more stable than some others. Big trees of this sort eat up a large share of their noosphere 'ground', and take up a very large share of the developer attention 'light'. Consider that dropbear lives by filling an available niche in the SSH market. There is ground and light for their particular choices. Lsh seems to be suffering the "Me, too!" that the GNU reimplementation tendencies can drive people to. The developer's itch is not common enough; OpenSSH is not enough of a pain to drive quality and masses to a GNU reimplementation.The Grumpy Editor's guide to SSH servers
(Wow, I need to be consistent with analogies, or leave them alone. Sorry!)The Grumpy Editor's guide to SSH servers
Hmmm, a prickly kind of large shade tree. Try Acacia Nilotica. acacia nilotica
http://eriss.erin.gov.au/biodiversity/invasive/publicatio...
It's an African species, but in Australia it's a 'weed of national
significance'.
To be fair the lsh developers: The lsh project came to life at a time when there was no free SSH implementation available and the GNU task list had a free ssh protocol implementation as an item. Then OpenSSH appeared out of the nowhere. Thus speaking of a GNU re-implementation is in this case not correct. Actually the OpenSSH development was the other way around: They took the last GPL implementation of ssh.com and replaced all GPL code by new code under the BSD license.The Grumpy Editor's guide to SSH servers
Thanks; I wasn't aware of that. So it was a common itch, and poof! OpenSSH came along. That makes way more sense. Sorry for any false implications or statements on my part!The Grumpy Editor's guide to SSH servers
Uhm.. actually I dont think ssh.com was ever GPL'd. They took the last version that had a BSD like licesne and worked from there.The Grumpy Editor's guide to SSH servers
ssh 1.2.12 is the version OpenSSH was based on. It included for big integer arithmetics a copy of the GMP 1.3.2 - that version of the GMP (from 1993) is under the GPL. The FSF later relicensed the GMP under the LGPL but this is not the version included and used by that and all earlier ssh versions. Thus the rules of the GPL apply to these versions of ssh. The Grumpy Editor's guide to SSH servers
Just because a GPL library was included doesn't make SSH GPL too ... it just means the SSH licence must be GPL-compatible (which is true of BSD).The Grumpy Editor's guide to SSH servers
Wol
To be fair to Niels Moller (the lsh developer), he actually started working on lsh before we started on OpenSSH, so it isn't a "me too" product.The Grumpy Editor's guide to SSH servers
I'm kind of curious why ssh.com's ssh server wasn't reviewed. Considering its what OpenSSH was based on and is available for most UNIX's and even Windows. Though I use OpenSSH and Dropbear the most, I feel that you missed something with this review.The Grumpy Editor's guide to SSH servers
>play with the three SSH server implementations he found which are freeThe Grumpy Editor's guide to SSH servers
>>play with the three SSH server implementations he found which are freeThe Grumpy Editor's guide to SSH servers
fare in comparison to the commercial SSH. Of course I realize that
benchmarking expensive proprietary software would be
outside lwn.net:s scope, and maybe resources as well. Wonder
if such comparison exists elsewhere?
Excerpted from the LICENSE file of ssh-3.2.9.1 (from SSH.COM):The Grumpy Editor's guide to SSH servers
Software solely on a system under the Linux, FreeBSD, NetBSD, or OpenBSD
operating system (whether for commercial or non-commercial use), or (2)
use the Software for non-commercial purposes as defined herein and be a
Non-Commercial Entity as defined herein, or (3) be an University User as
defined herein, or (4) be an Excluded Contractor as defined herein.
or other educational institutions (such as pre-schools, elementary
schools, middle or junior high schools, high schools, and community or
junior colleges), non-profit organizations (such as public libraries,
charities, and other organizations created for the promotion of social
welfare), "University Users", and other individual users who use the
Software for personal use (such as connecting to an Internet Service
Provider for personal use, hobby, recreational, or educational
purposes). The term "University Users" is limited to students, faculty
members, researchers, administrators, support staff, and employees of a
university when acting in this capacity. The term "Excluded Contractor"
is limited to independent, solo contractors while performing work for a
Non-Commercial Entity, such as a university or other educational
institution in an individual capacity. If You qualify for a
Non-Commercial Version License, You may use the Software free of
charge. SSH reserves the right to further clarify the terms
Non-Commercial Entity, University Users and Excluded Contractor at its
sole determination."
That license doesn't allow LWN (which is commercial, not a personal user, and not a university) to download and review the product, even if they wanted to.The Grumpy Editor's guide to SSH servers
Yes, it allows them :The Grumpy Editor's guide to SSH servers
>Software solely on a system under the Linux, FreeBSD, NetBSD, or OpenBSD
>operating system (whether for commercial or non-commercial use), or (2)...
why does the author refer to himself as "your editor", just say "I".annoying third-person references
Your editor prefers "your editor". ;-)annoying third-person references
Style. Myself, I don't like it when authors of an article use the first person. It's a matter of taste, of course.annoying third-person references
Our editor's delightfully dry humor would not come off quite so well if said editor did not set such a formal tone in this site's journalistic offerings.annoying third-person references
All available evidence indicates that almost every publicly reachable SSH
server is running OpenSSH
Large scale SSH server survey, and top network security tool survey
Insecure.Org
Speaking of security tools (and pardon me for plugging my own site), I released a new site this morning at SecTools.Org. This covers the top 100 network security tools, as voted on by more than 3,000 Nmap users. ... I do these security tool surveys every 3 years, and find them quite valuable for learning about the new and interesting tools out there. Sometimes we get stuck in a rut of using just the tools we know well, without exploring other options.
Large scale SSH server survey, and top network security tool survey
The handling of the 2002 integer and buffer overflow vulnerability raised some eyebrows; the developers refused to disclose specifics on the vulnerability, insisting, instead, that all users perform a significant upgrade to the current release.
The Grumpy Editor's guide to SSH servers
At least we know that the OpenBSD/OpenSSH developers take security very seriously and have a very good track record.The Grumpy Editor's guide to SSH servers
There are also special purpose ssh servers like the one in Erlang/OTP.The Grumpy Editor's guide to SSH servers
There's also one in Python called Twisted Conch.The Grumpy Editor's guide to SSH servers
Another Python one is Paramiko.
The Grumpy Editor's guide to SSH servers
At least in theory, wouldn't it be easier to write a highly secure tool (like an SSH server) in a higher-level language such as python? I realize there might (or might not) be performance issues, but for most of us (who have at most a handful of users) that's not even a consideration.Getting away from C
I think you are being a bit unfair to the non-OpenSSH implementations. I've had some servers on lshd since before OpenSSH came about, and I've had much less trouble with them compared to the latter. It's a very nice piece of software.The Grumpy Editor's guide to SSH servers
If I may be so immodest, I maintain a bestiary of all known SSH implementations categorised by OS at http://linuxmafia.com/ssh/. The Unix category is http://linuxmafia.com/ssh/unix.html. It's not a review piece and cannot compare with Jon's excellent work in that area, but does at least aim to be complete.
The Grumpy Editor's guide to SSH servers
rick@linuxmafia.com