Zigistry
  • Packages
  • Programs
  • Statistics
  • Apps
  • API
  • About
  • Help
  • Star
© 2024Rohan Vashisht
  • About
  • Help
  • GitHub
misshodmisshod

ringtailsoftware/misshod

MIT

MiSSHod is a minimal, experimental SSH client implemented as a library

161610
5
ssh,ssh-client,zig,zig-package,ziglang
 
build.zig.zonbuild.zig
View package on GitHub

MiSSHod

misshod. (ˌmɪsˈʃɒd). adj. badly shod

About

MiSSHod is a minimal, experimental SSH client implemented as a library.

It has been tested with both OpenSSH and Dropbear.

MiSSHod is not secure, it should not be used in real world systems

It aims to be:

  • Transport and I/O agnostic - TCP would be normal, but MiSShod can be run over any reliable stream protocol
  • Asynchronous - MiSShod never blocks execution for I/O, it enters a wait state and can be resumed when data arrives
  • Callback free - asynchronous message passing prevents the caller needing callbacks and context structs
  • Very lightweight, opening up the possibility of running on small embedded devices

Features

  • Public key auth
  • Password auth
  • Supports exactly one of each of the required protocols
    • hmac-sha2-256 (hmac)
    • curve25519-sha256 (key exchange)
    • ssh-ed25519 (key)
    • aes256-ctr (cipher)

Building

MiSSHod requires Zig 0.14.0.

To build mssh, a command line SSH client for Mac/Linux

zig build test

cd mssh
zig build
./zig-out/bin/mssh
./zig-out/bin/mssh <username@host> <port> [idfile]

To run a test SSH server (dropbear) in docker

cd testserver
./sshserver

Login with password auth, ("password")

./zig-out/bin/mssh [email protected] 2022
# Same as: ssh -p 2022 [email protected]

Login with pubkey auth using a passwordless private key

./zig-out/bin/mssh [email protected] 2022 ../testserver/id_ed25519_passwordless
# Same as: ssh -p 2022 [email protected] -i ../testserver/id_ed25519_passwordless

Login with pubkey auth using a password protected private key ("secretpassword")

./zig-out/bin/mssh [email protected] 2022 ../testserver/id_ed25519_passworded
# Same as: ssh -p 2022 [email protected] -i ../testserver/id_ed25519_passworded

Tiny example

As a proof of concept, the tiny example logs into the test server but contains no socket code. Instead, it uses stdout and stdin. To run it via socat:

zig build && socat TCP4:127.0.0.1:2022 EXEC:./zig-out/bin/tiny

Tiny uses a weaker PRNG, a fixed buffer allocator and does no file I/O.

Security

MiSSHod is not secure, it should not be used in real world systems

  • Very little testing has been done and not all code paths have been exercised
  • No efforts have been made to prevent timing attacks
  • Sensitive data is held in RAM for longer than is strictly necessary
  • MiSSHod relies on Zig's standard library for all crypto algorithms, which is still relatively young
  • Most importantly, I am not a cryptographer and I have no idea what I'm doing

Status

MiSSHod was developed rapidly. The main aim was to get it working and learn something along the way. I don't know what's next, but hopefully you can learn something too by looking at a small SSH implementation.

It's entirely undocumented and there aren't enough tests.