TinySSH is an interesting piece of software. It is a ssh server that intentionally doesn’t implement:
There’s no configuration file. The end result is very small, as the author says: “less than 100000 words of code”. While Dropbear is designed for “embedded” systems, TinySSH has even smaller feature set.
I decided to give it a try on a Raspberry Pi2 running Raspbian Jessie Lite.
It is also an occasion to learn systemd while at it, as it’ll become the default on the next Ubuntu LTS. This post is a mix of experience of learning both TinySSH and systemd.
TinySSH preferred algorithms are Ed25519 for authentication instead of RSA, curve25519 for key exchange (albeit I observed ECDH being used) and chacha20-poly1305 for streaming cipher instead of AES-CTR-MD5 / AES-CTR-SHA1. They are respectively PubkeyAcceptedKeyTypes, KexAlgorithms and Ciphers in ssh_config. HostKeyAlgorithms is also limited by TinySSH’s support of only ssh-ed25519 and ecdsa-sha2-nistp256.
It is possible to lock down OpenSSH client with this
Ciphers email@example.com HostKeyAlgorithms ssh-ed25519 KexAlgorithms firstname.lastname@example.org # PubkeyAcceptedKeyTypes ssh-ed25519
PubkeyAcceptedKeyTypes is only supported in OpenSSH 7.0 and Ubuntu 14.04 includes 6.6.1 but this doesn’t matter since the user simply has to not create a .ssh/id_rsa.
With this configuration, the same parameter will be used when connecting to both TinySSH and OpenSSH servers. This won’t work on Dropbear, more on that in the follow up post.
This is very easy.
git clone https://github.com/janmojzis/tinyssh cd tinyssh ./make-tinyssh.sh
The binaries are in ./build/bin/
This will generate binaries in debian/nacl-20110221/build/bin. I haven’t tried it yet but the speed up is supposed to be significant.
Let’s generate an Ed25519 key via OpenSSH’s ssh-keygen.
ssh-keygen -t ed25519
$HOME/.ssh/id_ed25519.pubon your host to
$HOME/.ssh/authorized_keyson your server.
You can start TinySSH as a normal user using tcpserver as the socket broker on port 10022:
./tinysshd-makekey ./keys tcpserver -HRDl0 0.0.0.0 10022 ./tinysshd -v ./keys
In that case, the server will only accept authentication as the current user, which is a nice property. You can use this temporary server to scp file around then close the server.
This permits ensuring that the server is well configured.
To start the server as a root listener (at your own risk and peril), prefix with
The rest is all running as root:
TinySSH doesn’t have a standardized location for its keys. Using: /etc/tinyssh/sshkey.d
cd /path/to/tinyssh ./make-install.sh mkdir -p /etc/tinyssh /usr/sbin/tinysshd-makekey /etc/tinyssh/sshkey.d
Inspired by systemd ssh configuration on Raspbian, a systemd author blog post and the official documentation for socket, exec and service, here’s a quick howto to setup TinySSH as an alternate ssh server on port 10022.
It’s as simple as two text files and 2 commands.
cat > /etc/systemd/system/tinysshd@.service << EOF [Unit] Description=TinySSH per connection daemon After=auditd.service [Service] ExecStart=/usr/sbin/tinysshd -v /etc/tinyssh/sshkey.d StandardInput=socket StandardError=journal EOF
cat > /etc/systemd/system/tinysshd.socket << EOF [Unit] Description=TinySSH server socket Before=tinysshd.service Conflicts=tinysshd.service [Socket] ListenStream=10022 Accept=yes [Install] WantedBy=sockets.target EOF
systemctl daemon-reload systemctl enable tinysshd.socket
You should be able to ssh in right away.
Debugging the server is mostly debugging systemd.
Digital Ocean wrote a nice FAQ about systemd. Here’s a dump of a few commands you may find useful:
systemctl --version systemctl list-units systemctl status systemctl status tinysshd* journalctl -xn journalctl --unit tinysshd.socket journalctl --unit tinysshd@*
systemd-analyze verify tinysshd.socketbut it was added in 216 yet Raspbian Jessie includes systemd version 215!
ArchiLinux has a nice HowTo to automatically start ssh tunnels with systemd. IMHO this makes systemd quite appealing as creating boot up services is very simple.
While I’m concerned by the coding style (lacks of brackets around conditions: a recipe for another goto fail), I like the philosophy and the fact that less secure algorithms (like md5) are not implemented.
TinySSH is very well adapted to run with systemd because there’s no background server running, the server is started up on demand and throttling is handled by systemd. This reduce memory usage for low memory system, like containers.
It is also very interesting that the server can be started as a user process, it was especially useful for quick iteration.
In the next post, I compare TinySSH to OpenSSH and Dropbear.
2016-01-29: Changed /lib/systemd/system/ to /etc/systemd/system/ which is what is recommended by systemd FAQ.