tinysshd - Tiny SSH daemon


NAME

tinysshd - Tiny SSH daemon

SYNOPSIS

tinysshd [ options ] keydir

DESCRIPTION

tinysshd is a minimalistic SSH server which implements only a subset of SSHv2 features.

tinysshd supports only secure cryptography (minimum 128-bit security, protected against cache-timing attacks).

tinysshd doesn’t implement older crypto (such as RSA, DSA, HMAC-MD5, HMAC-SHA1, 3DES, RC4, ...).

tinysshd doesn’t implement unsafe features (such as password or hostbased authentication).

tinysshd doesn’t have features such as: SSH1 protocol, compression, port forwarding, agent forwarding, X11 forwarding ...

tinysshd doesn’t use dynamic memory allocation (no allocation failures, etc.)

OPTIONS

-q

no error messages

-Q

print error messages (default)

-v

print extra information

-s

enable state-of-the-art crypto (default)

signing - ssh-ed25519

key-exchange - curve25519-sha256

symmetric - chacha20-poly1305@openssh.com

-S

disable state-of-the-art crypto

-p

enable post-quantum crypto (default)

signing - TODO (not implemented yet)

key-exchange - sntrup761x25519-sha512@openssh.com

symmetric - chacha20-poly1305@openssh.com

-P

disable post-quantum crypto

-l

use syslog instead of standard error output (useful for running from inetd)

-L

don’t use syslog, use standard error output (default)

-x name=command

add subsystem command (e.g.: sftp=/usr/libexec/openssh/sftp-server)

-e command

execute the given command instead of spawning the shell (disables exec/subsystem channel requests)

keydir

directory containing TinySSH keys, typically /etc/tinyssh/sshkeydir

AUTHORIZATION

tinysshd supports only public-key authorization via AuthorizedKeysFile ~/.ssh/authorized_keys. Each line of the file contains one key in format "keytype base64-encoded-key comment". tinyssh supports only "ssh-ed25519" keytype.

~/.ssh/authorized_keys example:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILV5AGhGQ1QVXjBWhTKJP3vrqE3isL4ivisBailQ14gS comment
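
An added example (not part of the tinysshd manual or the TinySSH project's code): a Python audit of an authorized_keys file against the format described above, useful before moving accounts from a server that accepts other key types. The function names and every sample line except the manual's example key are constructed for illustration, and skipping blank lines and # comments is an assumption carried over from OpenSSH.

```python
import base64
import binascii
import struct

KEYTYPE = "ssh-ed25519"  # the only keytype this page says tinysshd accepts

def check_line(line):
    """Return (ok, reason) for one authorized_keys line."""
    line = line.strip()
    if not line or line.startswith("#"):  # assumption: skipped as in OpenSSH
        return True, "skipped"
    fields = line.split(None, 2)  # keytype, base64 key, optional comment
    if len(fields) < 2:
        return False, "missing key field"
    if fields[0] != KEYTYPE:
        return False, "keytype %r is not %s" % (fields[0], KEYTYPE)
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except (binascii.Error, ValueError):
        return False, "key is not valid base64"
    # SSH wire format: uint32 length + name, then uint32 length + key bytes.
    if len(blob) < 4:
        return False, "key blob truncated"
    (n,) = struct.unpack(">I", blob[:4])
    name, rest = blob[4:4 + n], blob[4 + n:]
    if name != KEYTYPE.encode():
        return False, "blob names a different keytype"
    if len(rest) != 36 or struct.unpack(">I", rest[:4])[0] != 32:
        return False, "Ed25519 public key must be 32 bytes"
    return True, "ok"

def audit(text):
    """Return [(line_number, reason)] for lines that fail check_line."""
    checked = [(i, check_line(l)) for i, l in enumerate(text.splitlines(), 1)]
    return [(i, reason) for i, (ok, reason) in checked if not ok]

# Constructed sample input: line 1 is the example key from this page,
# the other lines are made up to exercise the failure cases.
SAMPLE = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILV5AGhGQ1QVXjBWhTKJP3vrqE3isL4ivisBailQ14gS comment
ssh-rsa AAAAB3NzaC1yc2E= legacy-key
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILV5 truncated
ssh-ed25519 not*base64 broken
"""

if __name__ == "__main__":
    for lineno, reason in audit(SAMPLE):
        print("line %d: %s" % (lineno, reason))
```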

RUNNING

TCPSERVER

tcpserver -HRDl0 0.0.0.0 22 /usr/sbin/tinysshd -v /etc/tinyssh/sshkeydir &

BUSYBOX

busybox tcpsvd 0 22 tinysshd -v /etc/tinyssh/sshkeydir &

INETD

/etc/inetd.conf:

ssh stream tcp nowait root /usr/sbin/tinysshd tinysshd -l -v /etc/tinyssh/sshkeydir

SYSTEMD

tinysshd.socket:

[Unit]
Description=TinySSH server socket
ConditionPathExists=!/etc/tinyssh/disable_tinysshd

[Socket]
ListenStream=22
Accept=yes

[Install]
WantedBy=sockets.target

tinysshd@.service:

[Unit]
Description=Tiny SSH server
After=network.target auditd.service

[Service]
ExecStartPre=-/usr/sbin/tinysshd-makekey -q /etc/tinyssh/sshkeydir
EnvironmentFile=-/etc/default/tinysshd
ExecStart=/usr/sbin/tinysshd ${TINYSSHDOPTS} -- /etc/tinyssh/sshkeydir
KillMode=process
SuccessExitStatus=111
StandardInput=socket
StandardError=journal

[Install]
WantedBy=multi-user.target

SEE ALSO

tinysshd-makekey(8), tinysshd-printkey(8)

https://tinyssh.org/


Updated 2024-01-29 - jenkler.se | uex.se