tinyssh

TinySSH is promising less than 100000 word of code. How is it measured?

It’s automatically measured at the end of the build process. See these lines:

make
....
....
=== Mon May 12 07:05:09 CEST 2014 === counting words of code
=== Mon May 12 07:05:09 CEST 2014 ===   sysdep 2684
=== Mon May 12 07:05:09 CEST 2014 ===   tinyssh 36148
=== Mon May 12 07:05:09 CEST 2014 ===   crypto 10891
=== Mon May 12 07:05:09 CEST 2014 ===   49709 words of code
=== Mon May 12 07:05:09 CEST 2014 === finishing

The result is approximate and is using shell command:

cat *.c *.h \
| (cpp -fpreprocessed || gcpp -fpreprocessed) \
| sed 's/[_a-zA-Z0-9][_a-zA-Z0-9]*/x/g' \
| tr -d ' \012' | wc -c | tr -d ' '

TinySSH doesn’t have SCP?

No, ‘rsync -e ssh’ makes same job. If you really need scp, use scp for example from OpenSSH. TinySSH doesn’t have problem with scp protocol, only doesn’t have scp program.

TinySSH is server-only. Which clients can connect to TinySSH?

Since version 20140901 TinySSH supports standardized ecdsa-sha2-nistp256 + ecdh-sha2-nistp256 + aes256-ctr these alghoritms are available in OpenSSH (≥ 5.7). New algorithms ssh ed25519 + curve25519-sha256@libssh.org + chacha20-poly1305@openssh.com are avalaible in OpenSSH (≥ 6.5)

TinySSH is promising ‘no older cryptographic primitives’, but md5 is available in crypto library. What does it mean?

MD5 is used only in tinysshd-printkey program. It prints key in hexadecimal format and prints also md5-fingerprint. MD5 fingerprint is common format used by SSH software. Don’t worry, TinySSH never uses MD5 for authentication.
update: since version 20150201 tinysshd-printkey is not using MD5, MD5 removed.

TinySSH is using authorized_keys for authorization. Is it compatible with OpenSSH authorized_keys?

Yes, but only keys are supported. Options are not allowed.
OK example:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGNuFuEdklT/eyEkLKgFhVHOLw3A9eI7myBAA0q+Zly1 name@name

Not supported:

command="ls" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGNuFuEdklT/eyEkLKgFhVHOLw3A9eI7myBAA0q+Zly1 name@name

How do I compile TinySSH using full NaCl library?

TinySSH has internal crypto library, but can be compiled using fast crypto primitives from NaCl library. TinySSH compilation process accepts environment variables LIBS/CFLAGS/LDFLAGS. Just compile NaCl library and than compile TinySSH using environment variables LIBS/CFLAGS/LDFLAGS. Path in CFLAGS/LDFLAGS must be always absolute (must start with /).

LIBS='-lnacl'; export LIBS
CFLAGS='-I/{NACL_HEADERS_DIRECTORY}'; export CFLAGS
LDFLAGS='-L/{NACL_LIBRARY_DIRECTORY}'; export LDFLAGS
make

… and see compilation process (version in brackets). Primitives from internal crypto library is marked as ‘tinyssh’, primitives from NaCl library is marked using it’s version from NaCl ‘crypto../../..’.

... 
=== Thu Jan  1 19:10:46 CET 2015 === starting crypto headers
=== Thu Jan  1 19:10:46 CET 2015 ===   crypto_stream_chacha20.h (tinyssh) ok
=== Thu Jan  1 19:10:46 CET 2015 ===   crypto_onetimeauth_poly1305.h (crypto_onetimeauth/poly1305/amd64) ok
=== Thu Jan  1 19:10:46 CET 2015 ===   crypto_auth_hmacsha256.h (crypto_auth/hmacsha256/ref) ok
=== Thu Jan  1 19:10:47 CET 2015 ===   crypto_hash_sha512.h (crypto_hash/sha512/ref) ok
=== Thu Jan  1 19:10:47 CET 2015 ===   crypto_hash_sha256.h (crypto_hash/sha256/ref) ok
=== Thu Jan  1 19:10:47 CET 2015 ===   crypto_verify_16.h (crypto_verify/16/ref) ok
=== Thu Jan  1 19:10:47 CET 2015 ===   crypto_verify_32.h (crypto_verify/32/ref) ok
=== Thu Jan  1 19:10:48 CET 2015 ===   crypto_core_aes256encrypt.h (tinyssh) ok
=== Thu Jan  1 19:10:49 CET 2015 ===   crypto_scalarmult_curve25519.h (crypto_scalarmult/curve25519/donna_c64) ok
=== Thu Jan  1 19:10:50 CET 2015 ===   crypto_scalarmult_nistp256.h (tinyssh) ok
=== Thu Jan  1 19:10:51 CET 2015 ===   crypto_sign_ed25519.h (tinyssh) ok
=== Thu Jan  1 19:10:52 CET 2015 ===   crypto_sign_nistp256ecdsa.h (tinyssh) ok
=== Thu Jan  1 19:10:52 CET 2015 === finishing
...

How do I enable standardized crypto ecdsa-sha2-nistp256, ecdh-sha2-nistp256, aes256-ctr, hmac-sha2-256 ?

TinySSH has support for standardized crypto, namely ecdsa-sha2-nistp256, ecdh-sha2-nistp256, aes256-ctr, hmac-sha2-256. But it’s disabled by default. To enable, use switch ‘-s’.

... tinysshd -s /etc/tinyssh/sshkeydir

Can I use sftp using TinySSH?

Yes. TinySSH doesn’t have sftp program, but can run e.g. OpenSSH /usr/libexec/openssh/sftp-server.
Sftp support can be enabled using switch ‘-x’

... tinysshd -x sftp=/usr/libexec/openssh/sftp-server  /etc/tinyssh/sshkeydir

Is it possible to compile and run tinyssh on Windows (Cygwin)?

Yes. Just install cygwin. Install also packages diffutils, gcc-g++, make, busybox. Then download and compile tinyssh and run it for-example using tcpsvd from busybox.

tinysshd-makekey /etc/tinyssh/sshkeydir
busybox tcpsvd 0 22 tinysshd -vv /etc/tinyssh/sshkeydir 

In the next step You will need to create file /home/{USER}/.ssh/authorized_keys including Ed25519 public-key. And probably also fix permitions on /home and /home/{USER} directory.

chmod o-w /home /home/{USER}
chmod g-w /home /home/{USER}

Can I use TinySSH using OpenSSH keys?

No. TinySSH is using different format. But OpenSSH key can be converted to TinySSH format using e.g. tinyssh-convert.