Category: wolfSSH

wolfSSH has several useful features that were introduced in this most recent release.

We have made wolfSSH builds for various systems better and easier. This includes changes to configuration scripts and modifying code to work with various compiler quirks. We’ve made building wolfSSH for Nucleus, QNX, Windows, and ESP32 builds better. And we’ve fixed an issue working with the Zephyr file system involving redundant file mode bits.

We’ve improved testing of wolfSSH. There are new scripts to test details of the wolfSSHd server. Also, the Zephyr SFTP test uses a different file for the transfer test. The new file used is available in all situations.

The terminal support with shells is improved. The terminal size bounds were not getting set correctly in all builds, and that is now fixed. The shell environment now sets up things like the `$SHELL` variable and the `$0` value as expected. We fixed a potential memory leak when receiving the terminal modes from the peer. For Windows builds, the shell environment has its own quirks and we are working with those better.

wolfSSH has been able to run commands and scripts over a connection for a while. We’ve recently improved this behavior with wolfSSHd and use the I/O pipes better. The return code from the script or command is captured and returned to the peer as expected.

Missed with the SHA-1 disable and reenable was a bug with verifying RSA signatures. Disabling SHA-1, the testing used ECDSA authentication instead. This bug is now fixed.

Finally, we try to keep wolfSSH tunable for size. If you don’t want a feature, you can easily leave it out of a build. This is good for embedded targets with constraints on code and memory usage. A few of the guard checks were incorrect and have been fixed.

In all, we think this makes wolfSSH a better product. If you have any questions or are wondering about wolfSSH on other platforms, please email support@wolfSSL.com. Thank you!

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

wolfSSH now has Curve25519 support as of version 1.4.17! Go ahead and download it today. You’ll need both wolfSSL and wolfSSH. Here are instructions to get this up and running to try out yourself.

Compile wolfSSL with support for wolfSSH and Curve25519.

$ cd wolfssl
$ ./configure --enable-wolfssh --enable-curve25519
$ make all
$ sudo make install
$ sudo ldconfig

After building and installing wolfSSL, you can simply configure wolfSSH with no options and build:

$ cd wolfssh
$ ./configure
$ make all

The wolfSSH client and server will automatically negotiate the use of Curve25519 for key exchange.

Run the server:

$ ./examples/echoserver/echoserver -f

In a separate terminal, run the client: 


$ ./examples/client/client -u jill -P upthehill

Congratulations! You’ve just made an SSH connection where the key exchange was done with Curve25519.

Our next natural step is to add support for hybrid Curve25519 and Kyber/ML-KEM at NIST security level 1. Want to see this work at a higher priority and accelerated? Let our management know. Simply send a message saying you support our efforts in developing this implementation to facts@wolfSSL.com.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

The wolfSSH 1.4.15 release includes brand new support for the Zephyr RTOS. wolfSSH is a lightweight SSH library designed for embedded systems. It is a performant and low footprint solution, making it an ideal choice for IoT devices. The Zephyr RTOS is an open-source, scalable, and flexible real-time operating system tailored for resource-constrained devices. Its modular architecture and broad hardware support make it a popular choice for various embedded applications.

wolfSSH is introduced as a new module in the Zephyr ecosystem. Necessary steps to get started include setting up wolfSSH as a Zephyr module, modifying the west manifest, and finally building your project. In-depth instructions to set up wolfSSH with Zephyr can be found at the wolfSSH Github.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now

Not long ago, we announced preview support for new Espressif Managed Components. This is in addition to the core wolfssl managed component. Today you can add SSH capabilities to your toolbox by visiting this link:

https://components.espressif.com/components/wolfssl/wolfssh

If the ESP Registry page does not fully load with all the text, try holding down the “ctrl” key when pressing the refresh button in your browser. The CDN seems to occasionally cache incomplete web content.

Getting started with wolfSSL and wolfSSH has never been easier! You can add wolfSSH to your project with this command:

idf.py add-dependency “wolfssl/wolfssh”

We’ve also included a complete example project to connect to the AWS IoT MQTT. Just click the little “copy” icon and paste into a command prompt after the ESP-IDF has been installed:

Try it

Here’s an example of how the example can be created, built, and flashed onto your ESP32:

# Setup the ESP-IDF Environment (your actual path may vary)
. ~/esp/esp-idf/export.sh

# Download and create the example
idf.py create-project-from-example “wolfssl/wolfssh:wolfssh_echoserver”
cd wolfssl_echoserver

# Set your SSID and wifi Password in Example Connection Configuration
idf.py menuconfig

# Flash the code to your ESP32

idf.py -p /dev/ttyS9 -b 115200 flash monitor

The full wolfSSL repository for wolfSSH contains even more examples for not only this Echo Server Example, but many other target platforms as well.

Get Started with wolfSSL

Additional information on getting Started with wolfSSL on the Espressif environment is available on the wolfSSL GitHub repository as well as this YouTube recording:

Find out more

If you have any feedback, questions, or require support, please don’t hesitate to reach out to us via facts@wolfSSL.com, call us at +1 425 245 8247, or open an issue on GitHub.

Download wolfSSL Now

About the Compromise

Recently, a team led by Keegan Ryan from UCSD discovered that several implementations of the SSH protocol have been potentially leaking information about their keys and they came up with a way of exploiting it.

Every now and then, an RSA signature is made with a combination of padding and data that doesn’t verify correctly. If one saves billions of SSH signatures they can analyze the broken signatures and work out some keys.

The team released a paper [1] describing the issue and how it can be analyzed to obtain keys.

The wolfSSH Vulnerability

While wolfSSL verifies an RSA signature after producing it, and erroring out if it doesn’t verify, wolfSSH does not do this process. The compromise has not been proven against wolfSSH, the assumption is that it is possible. wolfSSH did not verify the RSA signatures after generation.

The Fix

As of wolfSSH v1.4.15, just released, we have added the verify step for RSA signatures. Luckily the time to verify an RSA signature is short compared to signing so there shouldn’t be a noticeable slowdown during the key exchange process.

References

1. Keegan Ryan, Kaiwen He, George Arnold Sullivan, and Nadia Heninger. 2023. Passive SSH Key Compromise via Lattices. Cryptology ePrint Archive, Report 2023/1711. https://eprint.iacr.org/2023/1711.

If you have questions about any of the above, please contact us at facts@wolfSSL.com or call us at +1 425 245 8247.

Download wolfSSL Now