1 (edited by forza 2024-07-03 13:11:14)

Topic: WolfSSH as a generic sshd service (alternative to OpenSSH server)

Hi,

I am investigating using wolfSSH as an alternative to OpenSSH server on my systems. Unfortunately it isn't packaged yet so I am building wolfSSL and wolfSSH from git sources.

I am able to run wolfsshd with a minor sshd_config that i took from the test unit.

There doesn't seem to be any official documentation on the wolfsshd itself. The manual at https://www.wolfssl.com/documentation/m … ter03.html simply says "This tool is a place holder." which makes me think that the server part is more of an example of how the wolfSSH library could be implemented?

I am also not sure if a key gen tool should be available. I built ssl and ssh with --enable-all as well as with --enable-keygen specifically, but no keygen tool is created. It means that I had to create host keys using the openssh key-gen tool 'ssh-keygen -t rsa -b 2048 -f server-key.pem -m PEM'

This is the configure output:

---
Configuration summary for wolfssh version 1.4.17
   * Installation prefix:       /opt/wolfssh
   * System type:               pc-linux-gnu
   * Host CPU:                  x86_64
   * C Compiler:                gcc
   * C Flags:                   -O2 -march=native -Wno-pragmas -Wall -Wno-strict-aliasing -Wextra -Wunknown-pragmas --param=ssp-buffer-size=1 -Waddress -Warray-bounds -Wbad-function-cast -Wchar-subscripts -Wcomment -Wfloat-equal -Wformat-security -Wformat=2 -Wmaybe-uninitialized -Wmissing-field-initializers -Wmissing-noreturn -Wmissing-prototypes -Wnested-externs -Wnormalized=id -Woverride-init -Wpointer-arith -Wpointer-sign -Wredundant-decls -Wshadow -Wsign-compare -Wstrict-overflow=1 -Wstrict-prototypes -Wswitch-enum -Wundef -Wunused -Wunused-result -Wunused-variable -Wwrite-strings -fwrapv
   * CPP Flags:                 -I/opt/wolfssl/include
   * Linker Flags:              -L/opt/wolfssl/lib
   Features
   * Inline Code:               yes
   * Small stack:               no
   * keygen:                    yes
   * psuedo-terminal:           yes
   * echoserver shell support:  yes
   * scp:                       yes
   * sftp:                      yes
   * sshd:                      yes
   * ssh client:                yes
   * agent:                     yes
   * TCP/IP Forwarding:         yes
   * X.509 Certs:               yes
   * Examples:                  yes
   * liboqs Integration:        no

This is output from make:

make[1]: Entering directory '/usr/src/wolf/wolfssh/wolfssh-1.4.17-stable'
  CC       apps/wolfsshd/test/test_configuration-test_configuration.o
  CC       apps/wolfssh/wolfssh.o
  CC       apps/wolfssh/common.o
  CC       src/libwolfssh_la-ssh.lo
  CC       src/libwolfssh_la-internal.lo
  CC       src/libwolfssh_la-log.lo
  CC       src/libwolfssh_la-io.lo
  CC       src/libwolfssh_la-port.lo
  CC       src/libwolfssh_la-keygen.lo
  CC       src/libwolfssh_la-wolfscp.lo
  CC       src/libwolfssh_la-wolfsftp.lo
  CC       src/libwolfssh_la-agent.lo
  CC       src/libwolfssh_la-certman.lo
  CC       apps/wolfsshd/wolfsshd.o
  CC       apps/wolfsshd/configuration.o
  CC       apps/wolfsshd/auth.o
  CC       apps/wolfsshd/test_test_configuration-configuration.o
  CC       examples/client/client.o
  CC       apps/wolfsshd/test_test_configuration-auth.o
  CC       examples/client/common.o
  CC       examples/echoserver/echoserver-echoserver.o
  CC       examples/portfwd/portfwd.o
  CC       examples/sftpclient/sftpclient.o
  CC       examples/scpclient/scpclient.o
  CC       tests/unit_test-unit.o
  CC       tests/api_test-api.o
  CC       examples/echoserver/tests_api_test-echoserver.o
  CC       tests/testsuite_test-testsuite.o
  CC       tests/testsuite_test-sftp.o
  CC       examples/echoserver/tests_testsuite_test-echoserver.o
  CC       examples/client/tests_testsuite_test-client.o
  CC       examples/client/tests_testsuite_test-common.o
  CC       examples/sftpclient/tests_testsuite_test-sftpclient.o
  CCLD     src/libwolfssh.la
  CCLD     apps/wolfsshd/wolfsshd
  CCLD     apps/wolfssh/wolfssh
  CCLD     apps/wolfsshd/test/test_configuration
  CCLD     examples/client/client
  CCLD     examples/echoserver/echoserver
  CCLD     examples/portfwd/portfwd
  CCLD     examples/sftpclient/wolfsftp
  CCLD     examples/scpclient/wolfscp
  CCLD     tests/unit.test
  CCLD     tests/api.test
  CCLD     tests/testsuite.test
make[1]: Leaving directory '/usr/src/wolf/wolfssh/wolfssh-1.4.17-stable'

Share

Re: WolfSSH as a generic sshd service (alternative to OpenSSH server)

Hello forza,

Thanks for joining the wolfSSL Forums. wolfSSH-sshd is intended to be full replacement for the OpenSSH server. Here is a getting started video:
https://www.youtube.com/watch?v=xJOyoalxA0U

There doesn't seem to be any official documentation on the wolfsshd itself

This is relatively new feature of the project, so documentation is still forthcoming.

I'll check with the team about the key-gen tool.

Could you tell us a bit about your project using wolfSSH? Feel free to email us at support@wolfssl.com for a more private discussion.

Kind regards,
Eric - wolfSSL Support

3 (edited by forza 2024-07-03 13:59:06)

Re: WolfSSH as a generic sshd service (alternative to OpenSSH server)

Thank you for the quick reply.

For the time being I'm investigating this project for my own personal usage. OpenSSH has become a rather large project and every now and then there are some major vulnerabilities popping up, so having good alternatives feels important.

I'm using Gentoo Linux on amd64 hardware, and unfortunately, wolfSSL and wolfSSH aren't packaged for us yet.

I should have looked at the sources for the options.

https://github.com/wolfSSL/wolfssh/blob … ion.c#L357

Interestingly, listenAddress isn't available in the config, although it is defined earlier at https://github.com/wolfSSL/wolfssh/blob … tion.c#L67

❯ ./wolfsshd -d -D -f ../etc/sshd_config
[PID 82313]: [SSHD] parsing config file ../etc/sshd_config
[PID 82313]: [SSHD] Error parsing config line.
Unable to parse config line : listenAddres 127.0.0.1
[PID 82313]: Error reading in configure file ../etc/sshd_config

Share

Re: WolfSSH as a generic sshd service (alternative to OpenSSH server)

The keygen component is present in source, but there is not a separate utility (yet)
https://github.com/wolfSSL/wolfssh/blob … c/keygen.c

It looks like the listenAddress option is not fully supported yet.

Re: WolfSSH as a generic sshd service (alternative to OpenSSH server)

We didn't make this a 100% drop in replacement for the other sshd. I'd love it to be, but they've had many more years to work on it than I have. That said, we didn't implement their entire configuration file yet either. While some variables were added to the configuration structure, wolfSSHd doesn't know how to parse them yet. There's also some parsing set up for some options, where they are just skipped. ListenAddress is one of those.

It is on my wish-list to add a wolfssh-keygen tool, but I haven't had the time to do it yet. The file keygen.c has some wrapper functions for the wolfCrypt RSA and ECDSA key generation functions. wolfSSH is able to load OpenSSH formatted unencrypted private keys. (We don't have Blowfish or bcrypt support in wolfCrypt yet. We've been focused on algorithms that can get FIPS validations.)

The wolfSSHd application is intended to be used as a server. The examples directory applications are the demonstrations for how one could use the library.

We typically add things on paid customer requests.

--John

Re: WolfSSH as a generic sshd service (alternative to OpenSSH server)

Thanks for the explanation. The YouTube link was quite interesting and I am glad to hear that wolfsshd is indeed meant as a production ready tool.

I don't think having a 100% feature set of openssh is really necessary for most use cases. Having a small footprint is definitely a positive. I have in my mind the idea to use it on small VMs that need secure remote access. I see that wolfSSL and wolfSSH are packaged for Alpine Linux, a distro I am often using at my workplace. The package is unfortunately also missing an example sshd_config.

I'll try a bit more to get used to both the client and server and perhaps document some basic use-cases with them. I am sure to have some more questions, if that's OK?

Share

7 (edited by forza 2024-07-07 03:10:43)

Re: WolfSSH as a generic sshd service (alternative to OpenSSH server)

Good morning smile

I've looked through the sourcecode and found that these are the sshd_config options that are accepted.

##
## wolfsshd configuration file
##

Port 1234
PermitRootLogin yes
PasswordAuthentication yes
LoginGraceTime 30

HostKey /opt/wolfssh/etc/host_key_ed25519.pem
HostKey /opt/wolfssh/etc/host_key_ecdsa.pem
HostKey /opt/wolfssh/etc/host_key_rsa.pem

##
## All available config options
##
# AuthorizedKeysFile
# ChrootDirectory
# ForceCommand
# HostCertificate
# HostKey
# Include
# LoginGraceTime
# Match
# PasswordAuthentication
# PermitEmptyPasswords
# PermitRootLogin
# PidFile
# Port
# Protocol
# TrustedUserCAKeys
# UsePrivilegeSeparation

##
## These are also accepted but their functions are implemented.
##
# AcceptEnv
# ChallengeResponseAuthentication
# PrintMotd
# Subsystem
# UseDNS
# UsePAM
# X11Forwarding

Notably, the listenAddress option is not accepted and renders an error message. I believe it is because it is missing a OPT_LISTEN_ADDRESS equivalent in configuration.c https://github.com/wolfSSL/wolfssh/blob … ion.c#L937


I have not yet figured out how the Match option works. The option is accepted and parsed in HandleMatch, and it looks like the option User and Group can be used, however I am not sure how to use it and what options can be overridden.

Example:

Port 1234
PermitRootLogin yes
PasswordAuthentication no
LoginGraceTime 30

Match User forza
PasswordAuthentication yes
LoginGraceTime 5

In this case, the PasswordAuthentication and LoginGraceTime 5 is not applied for user forza.

The logfile shows

[PID 46798]: [SSHD] parsing config file /opt/wolfssh/etc/sshd_config
[PID 46798]: [SSHD] password authentication disabled
[PID 46798]: [SSHD] Setting login grace time to 30
[PID 46798]: [SSHD] Setting login grace time to 5
[PID 46798]: [SSHD] Starting wolfSSH SSHD application
[PID 46798]: [SSHD] Setting default Unix user name check
[PID 46798]: [SSHD] Setting Unix password check
[PID 46798]: [SSHD] Setting Unix public key check
[PID 46798]: [SSHD] parsing config file /opt/wolfssh/etc/sshd_config
[PID 46798]: [SSHD] password authentication disabled
[PID 46798]: [SSHD] Setting login grace time to 30
[PID 46798]: [SSHD] Setting login grace time to 5
[PID 46798]: [SSHD] Starting wolfSSH SSHD application
[PID 46798]: [SSHD] Setting default Unix user name check
[PID 46798]: [SSHD] Setting Unix password check
[PID 46798]: [SSHD] Setting Unix public key check
[PID 46798]: [SSHD] parsing config file /opt/wolfssh/etc/sshd_config
[PID 46798]: [SSHD] password authentication disabled
[PID 46798]: [SSHD] Setting login grace time to 30
[PID 46798]: [SSHD] Setting login grace time to 5
[PID 46798]: [SSHD] Starting wolfSSH SSHD application
[PID 46798]: [SSHD] Setting default Unix user name check
[PID 46798]: [SSHD] Setting Unix password check
[PID 46798]: [SSHD] Setting Unix public key check
[PID 46800]: [SSHD] Starting to listen on port 1234
[PID 46800]: [SSHD] Listening on port 1234
[PID 46800]: [SSHD] Lowering permissions level
[PID 46800]: [SSHD] Incoming TCP data found
[PID 46826]: [SSHD] grace time = 30 timeout = 0
[PID 46826]: [SSHD] Failed to accept WOLFSSH connection from 192.168.0.122 error -1001
[PID 46826]: [SSHD] Return from closing connection = -1001

During my testing I came across this problem when using pipes with the wolfSSHd. It does not realise the pipe ended and sits and waits forever until I send ctrl-c.

echo "Hello World" | ssh -p 1234 192.168.0.1 'cat > /tmp/hello.txt'
wolfSSHD
forza@192.168.0.1's password:
... just sits and waits after password is entered

An strace shows:  read(0</dev/pts/14<char 136:14>>,  <unfinished ...>

76806<cat> 11:57:05.412434 fstat(1</tmp/hello.txt>, {st_dev=makedev(0, 0x23), st_ino=348474, st_mode=S_IFREG|0666, st_nlink=1, st_uid=1006, st_gid=1008, st_blksize=2097152, st_blocks=0, st_size=0, st_atime=1720345964 /* 2024-07-07T11:52:44.357263087+0200 */, st_atime_nsec=357263087, st_mtime=1720346225 /* 2024-07-07T11:57:05.401054702+0200 */, st_mtime_nsec=401054702, st_ctime=1720346225 /* 2024-07-07T11:57:05.401054702+0200 */, st_ctime_nsec=401054702}) = 0
76806<cat> 11:57:05.412456 fstat(0</dev/pts/14<char 136:14>>, {st_dev=makedev(0, 0x17), st_ino=17, st_mode=S_IFCHR|0620, st_nlink=1, st_uid=0, st_gid=5, st_blksize=1024, st_blocks=0, st_rdev=makedev(0x88, 0xe), st_atime=1720346225 /* 2024-07-07T11:57:05.361054122+0200 */,st_atime_nsec=361054122, st_mtime=1720346225 /* 2024-07-07T11:57:05.361054122+0200 */, st_mtime_nsec=361054122, st_ctime=1720346225 /* 2024-07-07T11:57:05.361054122+0200 */, st_ctime_nsec=361054122}) = 0
76806<cat> 11:57:05.412479 fadvise64(0</dev/pts/14<char 136:14>>, 0, 0, POSIX_FADV_SEQUENTIAL) = 0
76806<cat> 11:57:05.412498 mmap(NULL, 2105344, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe3b8200000
76806<cat> 11:57:05.412517 read(0</dev/pts/14<char 136:14>>, "Hello World\n", 2097152) = 12
76806<cat> 11:57:05.412538 write(1</tmp/hello.txt>, "Hello World\n", 12) = 12
76806<cat> 11:57:05.412605 read(0</dev/pts/14<char 136:14>>,  <unfinished ...>
58066<wolfsshd> 11:57:06.041197 <... pselect6 resumed>) = 0 (Timeout)
58066<wolfsshd> 11:57:06.041299 pselect6(5, [4<TCP:[0.0.0.0:1234]>], [], [], {tv_sec=1, tv_nsec=0}, NULL) = 0 (Timeout)
58066<wolfsshd> 11:57:07.042328 pselect6(5, [4<TCP:[0.0.0.0:1234]>], [], [], {tv_sec=1, tv_nsec=0}, NULL) = 0 (Timeout)
58066<wolfsshd> 11:57:08.043451 pselect6(5, [4<TCP:[0.0.0.0:1234]>], [], [], {tv_sec=1, tv_nsec=0}, NULL) = 0 (Timeout)
58066<wolfsshd> 11:57:09.044199 pselect6(5, [4<TCP:[0.0.0.0:1234]>], [], [], {tv_sec=1, tv_nsec=0}, NULL) = 0 (Timeout)
... continues forever

Perhaps wolfSSHd is not receiving or handling EOF correctly?

Share