1 Reply by forza

(8 replies, posted in wolfSSH)

Hi. I did a fresh compile against the master branch today, but unfortunately the pipe test still hangs like before.

Go to forum: wolfSSH

2 Reply by forza

(8 replies, posted in wolfSSH)

Good morning smile

I've looked through the sourcecode and found that these are the sshd_config options that are accepted.

##
## wolfsshd configuration file
##

Port 1234
PermitRootLogin yes
PasswordAuthentication yes
LoginGraceTime 30

HostKey /opt/wolfssh/etc/host_key_ed25519.pem
HostKey /opt/wolfssh/etc/host_key_ecdsa.pem
HostKey /opt/wolfssh/etc/host_key_rsa.pem

##
## All available config options
##
# AuthorizedKeysFile
# ChrootDirectory
# ForceCommand
# HostCertificate
# HostKey
# Include
# LoginGraceTime
# Match
# PasswordAuthentication
# PermitEmptyPasswords
# PermitRootLogin
# PidFile
# Port
# Protocol
# TrustedUserCAKeys
# UsePrivilegeSeparation

##
## These are also accepted but their functions are implemented.
##
# AcceptEnv
# ChallengeResponseAuthentication
# PrintMotd
# Subsystem
# UseDNS
# UsePAM
# X11Forwarding

Notably, the listenAddress option is not accepted and renders an error message. I believe it is because it is missing a OPT_LISTEN_ADDRESS equivalent in configuration.c https://github.com/wolfSSL/wolfssh/blob … ion.c#L937


I have not yet figured out how the Match option works. The option is accepted and parsed in HandleMatch, and it looks like the option User and Group can be used, however I am not sure how to use it and what options can be overridden.

Example:

Port 1234
PermitRootLogin yes
PasswordAuthentication no
LoginGraceTime 30

Match User forza
PasswordAuthentication yes
LoginGraceTime 5

In this case, the PasswordAuthentication and LoginGraceTime 5 is not applied for user forza.

The logfile shows 

[PID 46798]: [SSHD] parsing config file /opt/wolfssh/etc/sshd_config
[PID 46798]: [SSHD] password authentication disabled
[PID 46798]: [SSHD] Setting login grace time to 30
[PID 46798]: [SSHD] Setting login grace time to 5
[PID 46798]: [SSHD] Starting wolfSSH SSHD application
[PID 46798]: [SSHD] Setting default Unix user name check
[PID 46798]: [SSHD] Setting Unix password check
[PID 46798]: [SSHD] Setting Unix public key check
[PID 46798]: [SSHD] parsing config file /opt/wolfssh/etc/sshd_config
[PID 46798]: [SSHD] password authentication disabled
[PID 46798]: [SSHD] Setting login grace time to 30
[PID 46798]: [SSHD] Setting login grace time to 5
[PID 46798]: [SSHD] Starting wolfSSH SSHD application
[PID 46798]: [SSHD] Setting default Unix user name check
[PID 46798]: [SSHD] Setting Unix password check
[PID 46798]: [SSHD] Setting Unix public key check
[PID 46798]: [SSHD] parsing config file /opt/wolfssh/etc/sshd_config
[PID 46798]: [SSHD] password authentication disabled
[PID 46798]: [SSHD] Setting login grace time to 30
[PID 46798]: [SSHD] Setting login grace time to 5
[PID 46798]: [SSHD] Starting wolfSSH SSHD application
[PID 46798]: [SSHD] Setting default Unix user name check
[PID 46798]: [SSHD] Setting Unix password check
[PID 46798]: [SSHD] Setting Unix public key check
[PID 46800]: [SSHD] Starting to listen on port 1234
[PID 46800]: [SSHD] Listening on port 1234
[PID 46800]: [SSHD] Lowering permissions level
[PID 46800]: [SSHD] Incoming TCP data found
[PID 46826]: [SSHD] grace time = 30 timeout = 0
[PID 46826]: [SSHD] Failed to accept WOLFSSH connection from 192.168.0.122 error -1001
[PID 46826]: [SSHD] Return from closing connection = -1001

During my testing I came across this problem when using pipes with the wolfSSHd. It does not realise the pipe ended and sits and waits forever until I send ctrl-c.

echo "Hello World" | ssh -p 1234 192.168.0.1 'cat > /tmp/hello.txt'
wolfSSHD
forza@192.168.0.1's password:
... just sits and waits after password is entered

An strace shows:  read(0</dev/pts/14<char 136:14>>,  <unfinished ...>

76806<cat> 11:57:05.412434 fstat(1</tmp/hello.txt>, {st_dev=makedev(0, 0x23), st_ino=348474, st_mode=S_IFREG|0666, st_nlink=1, st_uid=1006, st_gid=1008, st_blksize=2097152, st_blocks=0, st_size=0, st_atime=1720345964 /* 2024-07-07T11:52:44.357263087+0200 */, st_atime_nsec=357263087, st_mtime=1720346225 /* 2024-07-07T11:57:05.401054702+0200 */, st_mtime_nsec=401054702, st_ctime=1720346225 /* 2024-07-07T11:57:05.401054702+0200 */, st_ctime_nsec=401054702}) = 0
76806<cat> 11:57:05.412456 fstat(0</dev/pts/14<char 136:14>>, {st_dev=makedev(0, 0x17), st_ino=17, st_mode=S_IFCHR|0620, st_nlink=1, st_uid=0, st_gid=5, st_blksize=1024, st_blocks=0, st_rdev=makedev(0x88, 0xe), st_atime=1720346225 /* 2024-07-07T11:57:05.361054122+0200 */,st_atime_nsec=361054122, st_mtime=1720346225 /* 2024-07-07T11:57:05.361054122+0200 */, st_mtime_nsec=361054122, st_ctime=1720346225 /* 2024-07-07T11:57:05.361054122+0200 */, st_ctime_nsec=361054122}) = 0
76806<cat> 11:57:05.412479 fadvise64(0</dev/pts/14<char 136:14>>, 0, 0, POSIX_FADV_SEQUENTIAL) = 0
76806<cat> 11:57:05.412498 mmap(NULL, 2105344, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fe3b8200000
76806<cat> 11:57:05.412517 read(0</dev/pts/14<char 136:14>>, "Hello World\n", 2097152) = 12
76806<cat> 11:57:05.412538 write(1</tmp/hello.txt>, "Hello World\n", 12) = 12
76806<cat> 11:57:05.412605 read(0</dev/pts/14<char 136:14>>,  <unfinished ...>
58066<wolfsshd> 11:57:06.041197 <... pselect6 resumed>) = 0 (Timeout)
58066<wolfsshd> 11:57:06.041299 pselect6(5, [4<TCP:[0.0.0.0:1234]>], [], [], {tv_sec=1, tv_nsec=0}, NULL) = 0 (Timeout)
58066<wolfsshd> 11:57:07.042328 pselect6(5, [4<TCP:[0.0.0.0:1234]>], [], [], {tv_sec=1, tv_nsec=0}, NULL) = 0 (Timeout)
58066<wolfsshd> 11:57:08.043451 pselect6(5, [4<TCP:[0.0.0.0:1234]>], [], [], {tv_sec=1, tv_nsec=0}, NULL) = 0 (Timeout)
58066<wolfsshd> 11:57:09.044199 pselect6(5, [4<TCP:[0.0.0.0:1234]>], [], [], {tv_sec=1, tv_nsec=0}, NULL) = 0 (Timeout)
... continues forever

Perhaps wolfSSHd is not receiving or handling EOF correctly?

Go to forum: wolfSSH

3 Reply by forza

(8 replies, posted in wolfSSH)

Thanks for the explanation. The YouTube link was quite interesting and I am glad to hear that wolfsshd is indeed meant as a production ready tool.

I don't think having a 100% feature set of openssh is really necessary for most use cases. Having a small footprint is definitely a positive. I have in my mind the idea to use it on small VMs that need secure remote access. I see that wolfSSL and wolfSSH are packaged for Alpine Linux, a distro I am often using at my workplace. The package is unfortunately also missing an example sshd_config.

I'll try a bit more to get used to both the client and server and perhaps document some basic use-cases with them. I am sure to have some more questions, if that's OK?

Go to forum: wolfSSH

4 Reply by forza

(8 replies, posted in wolfSSH)

Thank you for the quick reply.

For the time being I'm investigating this project for my own personal usage. OpenSSH has become a rather large project and every now and then there are some major vulnerabilities popping up, so having good alternatives feels important.

I'm using Gentoo Linux on amd64 hardware, and unfortunately, wolfSSL and wolfSSH aren't packaged for us yet.

I should have looked at the sources for the options.

https://github.com/wolfSSL/wolfssh/blob … ion.c#L357

Interestingly, listenAddress isn't available in the config, although it is defined earlier at https://github.com/wolfSSL/wolfssh/blob … tion.c#L67

❯ ./wolfsshd -d -D -f ../etc/sshd_config
[PID 82313]: [SSHD] parsing config file ../etc/sshd_config
[PID 82313]: [SSHD] Error parsing config line.
Unable to parse config line : listenAddres 127.0.0.1
[PID 82313]: Error reading in configure file ../etc/sshd_config

Go to forum: wolfSSH

5 Topic by forza

(8 replies, posted in wolfSSH)

Hi,

I am investigating using wolfSSH as an alternative to OpenSSH server on my systems. Unfortunately it isn't packaged yet so I am building wolfSSL and wolfSSH from git sources.

I am able to run wolfsshd with a minor sshd_config that i took from the test unit.

There doesn't seem to be any official documentation on the wolfsshd itself. The manual at https://www.wolfssl.com/documentation/m … ter03.html simply says "This tool is a place holder." which makes me think that the server part is more of an example of how the wolfSSH library could be implemented?

I am also not sure if a key gen tool should be available. I built ssl and ssh with --enable-all as well as with --enable-keygen specifically, but no keygen tool is created. It means that I had to create host keys using the openssh key-gen tool 'ssh-keygen -t rsa -b 2048 -f server-key.pem -m PEM'

This is the configure output:

---
Configuration summary for wolfssh version 1.4.17
   * Installation prefix:       /opt/wolfssh
   * System type:               pc-linux-gnu
   * Host CPU:                  x86_64
   * C Compiler:                gcc
   * C Flags:                   -O2 -march=native -Wno-pragmas -Wall -Wno-strict-aliasing -Wextra -Wunknown-pragmas --param=ssp-buffer-size=1 -Waddress -Warray-bounds -Wbad-function-cast -Wchar-subscripts -Wcomment -Wfloat-equal -Wformat-security -Wformat=2 -Wmaybe-uninitialized -Wmissing-field-initializers -Wmissing-noreturn -Wmissing-prototypes -Wnested-externs -Wnormalized=id -Woverride-init -Wpointer-arith -Wpointer-sign -Wredundant-decls -Wshadow -Wsign-compare -Wstrict-overflow=1 -Wstrict-prototypes -Wswitch-enum -Wundef -Wunused -Wunused-result -Wunused-variable -Wwrite-strings -fwrapv
   * CPP Flags:                 -I/opt/wolfssl/include
   * Linker Flags:              -L/opt/wolfssl/lib
   Features
   * Inline Code:               yes
   * Small stack:               no
   * keygen:                    yes
   * psuedo-terminal:           yes
   * echoserver shell support:  yes
   * scp:                       yes
   * sftp:                      yes
   * sshd:                      yes
   * ssh client:                yes
   * agent:                     yes
   * TCP/IP Forwarding:         yes
   * X.509 Certs:               yes
   * Examples:                  yes
   * liboqs Integration:        no

This is output from make:

make[1]: Entering directory '/usr/src/wolf/wolfssh/wolfssh-1.4.17-stable'
  CC       apps/wolfsshd/test/test_configuration-test_configuration.o
  CC       apps/wolfssh/wolfssh.o
  CC       apps/wolfssh/common.o
  CC       src/libwolfssh_la-ssh.lo
  CC       src/libwolfssh_la-internal.lo
  CC       src/libwolfssh_la-log.lo
  CC       src/libwolfssh_la-io.lo
  CC       src/libwolfssh_la-port.lo
  CC       src/libwolfssh_la-keygen.lo
  CC       src/libwolfssh_la-wolfscp.lo
  CC       src/libwolfssh_la-wolfsftp.lo
  CC       src/libwolfssh_la-agent.lo
  CC       src/libwolfssh_la-certman.lo
  CC       apps/wolfsshd/wolfsshd.o
  CC       apps/wolfsshd/configuration.o
  CC       apps/wolfsshd/auth.o
  CC       apps/wolfsshd/test_test_configuration-configuration.o
  CC       examples/client/client.o
  CC       apps/wolfsshd/test_test_configuration-auth.o
  CC       examples/client/common.o
  CC       examples/echoserver/echoserver-echoserver.o
  CC       examples/portfwd/portfwd.o
  CC       examples/sftpclient/sftpclient.o
  CC       examples/scpclient/scpclient.o
  CC       tests/unit_test-unit.o
  CC       tests/api_test-api.o
  CC       examples/echoserver/tests_api_test-echoserver.o
  CC       tests/testsuite_test-testsuite.o
  CC       tests/testsuite_test-sftp.o
  CC       examples/echoserver/tests_testsuite_test-echoserver.o
  CC       examples/client/tests_testsuite_test-client.o
  CC       examples/client/tests_testsuite_test-common.o
  CC       examples/sftpclient/tests_testsuite_test-sftpclient.o
  CCLD     src/libwolfssh.la
  CCLD     apps/wolfsshd/wolfsshd
  CCLD     apps/wolfssh/wolfssh
  CCLD     apps/wolfsshd/test/test_configuration
  CCLD     examples/client/client
  CCLD     examples/echoserver/echoserver
  CCLD     examples/portfwd/portfwd
  CCLD     examples/sftpclient/wolfsftp
  CCLD     examples/scpclient/wolfscp
  CCLD     tests/unit.test
  CCLD     tests/api.test
  CCLD     tests/testsuite.test
make[1]: Leaving directory '/usr/src/wolf/wolfssh/wolfssh-1.4.17-stable'

Go to forum: wolfSSH