current arhclinux, gives me this on a sshfs attempt.. not sure if bug or just a lacking feature?

tinysshd: cVG3YoxN: BUG: (protocol error){channel.c:214} Not sure about the activity of project but you are a great dev mate!!

I HOPE what seems as a slowdown of activity is simply because of a fairly complete package ,)

love from EUrope to .cz. Ok, so that line indicates the channel pid is negative in channel_put.

Ignore error above; I didn't have sftp enabled in the tinysshd server. However, once I did, and can sftp in, I still get an error from tinyssh when trying sshfs:

tinysshd: eSIpVRao: BUG: (connection reset){packet_auth.c:57}

l57: if (!packet_getall(b, SSH_MSG_USERAUTH_REQUEST)) bug(); SO some exchange issue, maybe I can browse some more tomorrow when I have more time. Although I don't recall if this is sshfs compatible (man sshfs saisi t used sftp which is why I realise the former mistake).

SSHv2 keepalive packets cause the connection to be reset intinysshd.c

(I was using ServerAliveInterval 60 in my ~/.ssh/config)

daemon.info: Jul 18 20:05:07 tinysshd: M2lhPXOB: info: kex: kex selected: [email protected] {sshcrypto_kex.c:106}
daemon.info: Jul 18 20:05:07 tinysshd: M2lhPXOB: info: kex: key selected: ssh-ed25519 {sshcrypto_key.c:122}
daemon.info: Jul 18 20:05:07 tinysshd: M2lhPXOB: info: kex: cipher selected: [email protected] {sshcrypto_cipher.c:110}
daemon.info: Jul 18 20:05:07 tinysshd: M2lhPXOB: info: kex: mac selected: [email protected] {sshcrypto_cipher.c:111}
daemon.info: Jul 18 20:05:10 tinysshd: M2lhPXOB: info: auth: stuart: none rejected {packet_auth.c:144}
daemon.info: Jul 18 20:05:10 tinysshd: M2lhPXOB: info: auth: stuart: ssh-rsa rejected {packet_auth.c:144}
daemon.info: Jul 18 20:05:17 tinysshd: M2lhPXOB: info: auth: stuart: ssh-ed25519 accepted {packet_auth.c:158}
daemon.info: Jul 18 20:06:25 tinysshd: M2lhPXOB: fatal: unknown message type (temporary failure){tinysshd.c:303}
daemon.info: Jul 18 20:08:25 tinysshd: 5wbjLsha: info: kex: kex selected: [email protected] {sshcrypto_kex.c:106}
daemon.info: Jul 18 20:08:25 tinysshd: 5wbjLsha: info: kex: key selected: ssh-ed25519 {sshcrypto_key.c:122}
daemon.info: Jul 18 20:08:25 tinysshd: 5wbjLsha: info: kex: cipher selected: [email protected] {sshcrypto_cipher.c:110}
daemon.info: Jul 18 20:08:25 tinysshd: 5wbjLsha: info: kex: mac selected: [email protected] {sshcrypto_cipher.c:111}
daemon.info: Jul 18 20:08:28 tinysshd: 5wbjLsha: info: auth: stuart: none rejected {packet_auth.c:144}
daemon.info: Jul 18 20:08:28 tinysshd: 5wbjLsha: info: auth: stuart: ssh-rsa rejected {packet_auth.c:144}
daemon.info: Jul 18 20:08:35 tinysshd: 5wbjLsha: info: auth: stuart: ssh-ed25519 accepted {packet_auth.c:158}
daemon.info: Jul 18 20:09:36 tinysshd: 5wbjLsha: fatal: unknown message type {tinysshd.c:303}

`sniffing the interface shows the SSHv2 packet that causes the reset:

No.     Time        Source                Destination           Protocol Length Info
    126 80.903015   LAN.IP            VPN.IP          TCP      54     22→61681 [FIN, ACK] Seq=1572 Ack=3961 Win=45664 Len=0

Frame 126: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
Ethernet II, Src: 76:3a:3e:a7:71:94 (76:3a:3e:a7:71:94), Dst: ReboxBV_f9:3e:39 (00:16:3c:f9:3e:39)
Internet Protocol Version 4, Src: LAN.IP(LAN.IP), Dst: VPN.IP (VPN.IP)
Transmission Control Protocol, Src Port: 22 (22), Dst Port: 61681 (61681), Seq: 1572, Ack: 3961, Len: 0

No.     Time        Source                Destination           Protocol Length Info
    127 80.928609   VPN.IP          LAN.IP            TCP      54     61681→22 [ACK] Seq=3961 Ack=1573 Win=59904 Len=0

Frame 127: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
Ethernet II, Src: ReboxBV_f9:3e:39 (00:16:3c:f9:3e:39), Dst: 76:3a:3e:a7:71:94 (76:3a:3e:a7:71:94)
Internet Protocol Version 4, Src: VPN.IP (VPN.IP), Dst: LAN.IP(LAN.IP)
Transmission Control Protocol, Src Port: 61681 (61681), Dst Port: 22 (22), Seq: 3961, Ack: 1573, Len: 0

No.     Time        Source                Destination           Protocol Length Info
    128 80.929648   VPN.IP          LAN.IP            SSHv2    114    Client: Encrypted packet (len=60)

Frame 128: 114 bytes on wire (912 bits), 114 bytes captured (912 bits)
Ethernet II, Src: ReboxBV_f9:3e:39 (00:16:3c:f9:3e:39), Dst: 76:3a:3e:a7:71:94 (76:3a:3e:a7:71:94)
Internet Protocol Version 4, Src: VPN.IP (VPN.IP), Dst: LAN.IP(LAN.IP)
Transmission Control Protocol, Src Port: 61681 (61681), Dst Port: 22 (22), Seq: 3961, Ack: 1573, Len: 60
SSH Protocol

No.     Time        Source                Destination           Protocol Length Info
    129 80.929665   LAN.IP            VPN.IP          TCP      54     22→61681 [RST] Seq=1573 Win=0 Len=0

Frame 129: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
Ethernet II, Src: 76:3a:3e:a7:71:94 (76:3a:3e:a7:71:94), Dst: ReboxBV_f9:3e:39 (00:16:3c:f9:3e:39)
Internet Protocol Version 4, Src: LAN.IP(LAN.IP), Dst: VPN.IP (VPN.IP)
Transmission Control Protocol, Src Port: 22 (22), Dst Port: 61681 (61681), Seq: 1573, Len: 0

No.     Time        Source                Destination           Protocol Length Info
    130 80.930936   VPN.IP          LAN.IP            TCP      54     61681→22 [FIN, ACK] Seq=4021 Ack=1573 Win=59904 Len=0

Frame 130: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
Ethernet II, Src: ReboxBV_f9:3e:39 (00:16:3c:f9:3e:39), Dst: 76:3a:3e:a7:71:94 (76:3a:3e:a7:71:94)
Internet Protocol Version 4, Src: VPN.IP (VPN.IP), Dst: LAN.IP(LAN.IP)
Transmission Control Protocol, Src Port: 61681 (61681), Dst Port: 22 (22), Seq: 4021, Ack: 1573, Len: 0

No.     Time        Source                Destination           Protocol Length Info
    131 80.930950   LAN.IP            VPN.IP          TCP      54     22→61681 [RST] Seq=1573 Win=0 Len=0

Frame 131: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
Ethernet II, Src: 76:3a:3e:a7:71:94 (76:3a:3e:a7:71:94), Dst: ReboxBV_f9:3e:39 (00:16:3c:f9:3e:39)
Internet Protocol Version 4, Src: LAN.IP(LAN.IP), Dst: VPN.IP (VPN.IP)
Transmission Control Protocol, Src Port: 22 (22), Dst Port: 61681 (61681), Seq: 1573, Len: 0

Will ssh_send_keepalive be part of /* XXX TODO - send SSH_MSG_UNIMPLEMENTED */ ?

The automatic log out after 1 hour is nice. I've not had any problem with my build against libsodium.

I've also been testing tinysshd with fwknop & have automatic logins through nat into LXC containers working.

Given that tinyssh already supports channels in which stdin/stdout are from an external binary (e.g. bash), is there any reason not to add SFTP support? It would require openssh's sftp-server binary, and a bit of code to accept the sftp channel type and run the sftp-server binary as the logged in user, but all of the support code for that is already in place.

Initially reported (by me) downstream: https://bugs.debian.org/995146 Forwarding here because I reproduced it with 20210601 much quicker than I expected. See the attached transcript for the exact openssh CLI options I used. transcript.txt

=== Thu May 26 19:42:23 GMT 2016 ===   numtostrtest ok
=== Thu May 26 19:42:23 GMT 2016 ===   opentest failed ... see the log /tmp/tinyssh-master/build/log

build.log:

=== Thu May 26 19:42:23 GMT 2016 ===   newenvtest ok
numtostrtest.c:299:8: warning: integer constant is so large that it is unsigned [enabled by default]
     { -9223372036854775808LL, "-9223372036854775808" },
        ^
numtostrtest.c:299:5: warning: this decimal constant is unsigned only in ISO C90 [enabled by default]
     { -9223372036854775808LL, "-9223372036854775808" },
     ^
=== Thu May 26 19:42:23 GMT 2016 ===   numtostrtest ok
opentest.c:62: process exited with status = 0

https://github.com/openwrt/packages/issues/7919

This is the build log: https://gist.github.com/neheb/0c11d413757bcb5957e39561e6803039

It seems the proper include directory is not there.

I have no real time to work on this, thus posting it here.

Are there any plans to add support for authentication agent forwarding?

I have a herd of SBCs (perfect for TinySSH) that I sometimes have to access via bastion. Currently the only way to access them would be to put the private key on the bastion, which is less than ideal.

DESTDIR=/tmp/tinyssh-release make -C /tmp/tinyssh-build install
make[1]: Entering directory '/tmp/tinyssh-build'
sh -e make-install.sh /tmp/tinyssh-release
=== Wed Jul 27 14:44:12 UTC 2016 === installing bin directory /tmp/tinyssh-release/usr/bin
=== Wed Jul 27 14:44:13 UTC 2016 ===   installing /tmp/tinyssh-build/build/bin/tinysshd-makekey -> /tmp/tinyssh-release/usr/bin/tinysshd-makekey
=== Wed Jul 27 14:44:13 UTC 2016 ===   installing /tmp/tinyssh-build/build/bin/tinysshd-printkey -> /tmp/tinyssh-release/usr/bin/tinysshd-printkey
=== Wed Jul 27 14:44:13 UTC 2016 ===   installing /tmp/tinyssh-build/build/bin/tinysshd -> /tmp/tinyssh-release/usr/bin/tinysshd
=== Wed Jul 27 14:44:13 UTC 2016 === finishing
=== Wed Jul 27 14:44:13 UTC 2016 === installing man directory /tmp/tinyssh-release/usr/share/man
_tinysshd-install: fatal: unable to stat directory /tmp/tinyssh-release/usr/share/man/man1 (file does not exist)
make[1]: *** [Makefile:6: install] Error 111
make[1]: Leaving directory '/tmp/tinyssh-build'
make: *** [Makefile:30: build] Error 2

It looks like this is because the code creates manfiles directly in ${man}, but the install code expects to find it in man/man$n/. Digging in now to see if I can get a clean patch to fix it

I have tinysshd running without any problems in Alpine Linux & will be introducing a tinysshd package to Alpine shortly.

Can a switch be added to disable root logins please ?

After upgrade to latest version 20220222-1 (Arch) SCP does not work anymore, SSH works all right.

Client: client_loop: send disconnect: Broken pipe, lost connection Server's log: tinysshd[929]: tinysshd: JLiyKgwc: BUG: (protocol error){sshcrypto_cipher_chachapoly.c:88}

Hi guys. I'm trying to build tinyssh from source (apt source tinysshd) in Ubuntu 20.04.2 (amd64) using crosscompiler CC=aarch64-linux-gnu-gcc make for ARMv8

before make I did sudo apt-get build-dep tinyssh, but It did not help much.

Build fails on libtinynacl.a failed ... see the log /home/user/tinyssh-20190101/build/log First it wanted libutil.h, so I installed sudo apt install libutil-freebsd-dev But it wants a lot of other includes...

Are there any build images? How could I find nessesary libs and headers for build?

In file included from haslibutilh.h-yes.c:2: /usr/include/libutil.h:43:10: fatal error: sys/_types.h: No such file or directory 43 | #include <sys/_types.h> | ^~~~~~~~~~~~~~ compilation terminated. hasutilh.h-yes.c:2:10: fatal error: util.h: No such file or directory 2 | #include <util.h> | ^~~~~~~~ compilation terminated. hasutmpxupdwtmpx.h-yes.c: In function 'foo': hasutmpxupdwtmpx.h-yes.c:6:5: warning: implicit declaration of function 'updwtmpx' [-Wimplicit-function-declaration] 6 | updwtmpx("/nonexistent", &ut); | ^~~~~~~~ hasutmpxsyslen.h-yes.c: In function 'main': hasutmpxsyslen.h-yes.c:7:14: error: 'struct utmpx' has no member named 'ut_syslen' 7 | return ut.ut_syslen; | ^ hasutmpxsyslen.h-yes.c:6:18: warning: variable 'ut' set but not used [-Wunused-but-set-variable] 6 | struct utmpx ut = {0}; | ^~ hasutmp.h-yes.c: In function 'main': hasutmp.h-yes.c:8:17: warning: unused variable 'ut' [-Wunused-variable] 8 | struct utmp ut = {0}; | ^~ hasutmptype.h-yes.c: In function 'main': hasutmptype.h-yes.c:8:17: warning: variable 'ut' set but not used [-Wunused-but-set-variable] 8 | struct utmp ut; | ^~ === Wed May 26 16:08:35 2021 === finishing === Wed May 26 16:08:35 2021 === starting crypto lib cleanup.c:2:10: fatal error: hasasmvolatilememory.h: No such file or directory 2 | #include "hasasmvolatilememory.h" | ^~~~~~~~~~~~~~~~~~~~~~~~ compilation terminated. === Wed May 26 16:08:36 2021 === libtinynacl.a failed ... see the log /home/user/tinyssh-20190101/build/log

Not sure if this are already been ruled out because it might need a dep on libfido2 but if not... fido2 resident keys are pretty neato

Generate a key that lives on the actual fido2 device with:

ssh-keygen -t ed25519-sk -O resident

And then when working on a new computer you can load the keys into the current session with just:

ssh-add -K

When attempting to build with libsodium (as a drop-in libnacl replacement) as suggested in FAQ it does not actually links to libsodium:

export LIBS="-lsodium"
export CFLAGS="-I/usr/include/sodium"
...
=== Mon Aug 22 13:34:51 UTC 2022 === starting crypto headers
=== Mon Aug 22 13:34:51 UTC 2022 ===   crypto_stream_chacha20.h (tinyssh\n) ok
=== Mon Aug 22 13:34:52 UTC 2022 ===   crypto_onetimeauth_poly1305.h (tinyssh\n) ok
=== Mon Aug 22 13:34:52 UTC 2022 ===   crypto_hash_sha512.h (tinyssh\n) ok
=== Mon Aug 22 13:34:52 UTC 2022 ===   crypto_hash_sha256.h (tinyssh\n) ok
=== Mon Aug 22 13:34:52 UTC 2022 ===   crypto_verify_16.h (tinyssh\n) ok
=== Mon Aug 22 13:34:52 UTC 2022 ===   crypto_verify_32.h (tinyssh\n) ok
=== Mon Aug 22 13:34:53 UTC 2022 ===   crypto_scalarmult_curve25519.h (tinyssh\n) ok
=== Mon Aug 22 13:34:54 UTC 2022 ===   crypto_sign_ed25519.h (tinyssh\n) ok
=== Mon Aug 22 13:34:54 UTC 2022 ===   crypto_sort_uint32.h (tinyssh\n) ok
=== Mon Aug 22 13:34:56 UTC 2022 ===   crypto_kem_sntrup761.h (tinyssh\n) ok
=== Mon Aug 22 13:34:58 UTC 2022 ===   crypto_kem_sntrup761x25519.h (tinyssh\n) ok
=== Mon Aug 22 13:34:58 UTC 2022 === finishing

(Also note \n in tinyssh\n).

It seems because of errors like this:

=== Mon Aug 22 13:34:51 UTC 2022 === trying: ext. crypto_stream_chacha20:
In file included from crypto_stream_chacha20test.c:8:
misc.h:9:10: fatal error: crypto_uint8.h: No such file or directory
    9 | #include "crypto_uint8.h"
      |          ^~~~~~~~~~~~~~~~
compilation terminated.

Except for the symbol crypto_verify_16 which is alone linked to libsodium.

Adding -I${PWD}/crypto to CFLAGS fixes the problem:

export LIBS="-lsodium"
export CFLAGS="-I/usr/include/sodium -I${PWD}/crypto"
...
=== Mon Aug 22 13:41:33 UTC 2022 === starting crypto headers
=== Mon Aug 22 13:41:33 UTC 2022 ===   crypto_stream_chacha20.h () ok
=== Mon Aug 22 13:41:34 UTC 2022 ===   crypto_onetimeauth_poly1305.h () ok
=== Mon Aug 22 13:41:34 UTC 2022 ===   crypto_hash_sha512.h () ok
=== Mon Aug 22 13:41:34 UTC 2022 ===   crypto_hash_sha256.h () ok
=== Mon Aug 22 13:41:34 UTC 2022 ===   crypto_verify_16.h () ok
=== Mon Aug 22 13:41:34 UTC 2022 ===   crypto_verify_32.h () ok
=== Mon Aug 22 13:41:34 UTC 2022 ===   crypto_scalarmult_curve25519.h () ok
=== Mon Aug 22 13:41:34 UTC 2022 ===   crypto_sign_ed25519.h () ok
=== Mon Aug 22 13:41:34 UTC 2022 ===   crypto_sort_uint32.h (tinyssh\n) ok
=== Mon Aug 22 13:41:36 UTC 2022 ===   crypto_kem_sntrup761.h (tinyssh\n) ok
=== Mon Aug 22 13:41:38 UTC 2022 ===   crypto_kem_sntrup761x25519.h (tinyssh\n) ok
=== Mon Aug 22 13:41:38 UTC 2022 === finishing

It would be nice if a key fingerprint was displayed at host key creation. Ass it stands now, there is no way to perform the initial fingerprint verification when you connect.

Also needs a -Werror=implicit-function-declaration in the CFLAGS as for some reason the linker seems to accept it at configure/detection time but not compile time.

Hi,

First of all, let me say I appreciate the work that's been put into this unique project; it's quite rare to see such a good, minimalist SSH server.

I'm trying to make use of TinySSH on Windows using Cygwin (using 3.0.7 which is the latest as of today) and despite managing to compile it successfully (no obvious error messages, process completes fully), I'm having some problems in what seems to be the "packet_hello.c" function:

I've modified the function a bit (the one with the tick doesn't produce an error while the one with a cross does) to produce some more debug output:

This is the output during runtime, which seems garbled:

Everything seems good from the client side, as shown by these OpenSSH and PuTTY logs:

I've not got any good leads to investigate but I believe this could either be a problem caused by Cygwin or perhaps a problem caused by the difference between Linux and Windows line terminators (not sure if the code takes this into account) ?

Many thanks for any assistance !

Hi,

I looked for an equivalent to mkinitcpio-tinyssh for debian and could not find it anywhere.
I made a quick one using initramfs-tools based on the already existing dropbear hooks and the Arch one.

Sharing it here for future users, feel free to include it in your repo if you wish.

https://git.sp4ke.com/sp4ke/tinyssh-initramfs