writing an SSH server


David Durham, Jr.
Hi all,

I'm new to C++ and libssl, but nevertheless trying to write an SSH
server.  I have gone through tutorials and believe I have a working
server that initializes an SSL context, binds and listens on a TCP
socket, and accepts a connection.  Using a debugger I see that if I
try to "ssh myserver -p myport", the process hangs on the call to
SSL_accept.  I figure this is because the ssh client needs to do
something before calling SSL_connect.  I don't need authentication, I
just want to use ssh kind of like a secure telnet.  Here's my code,
any advice is appreciated:


bool SecureServer::Start ()
{
  SSL_CTX *ctx = SSL_CTX_new(SSLv23_server_method());
  if (SSL_CTX_use_certificate_file(ctx, "conf/ssl/server.crt", SSL_FILETYPE_PEM) <= 0)
  {
    Error("failed to load server cert");
    return false;
  }

  if (SSL_CTX_use_PrivateKey_file(ctx, "conf/ssl/server.key", SSL_FILETYPE_PEM) <= 0)
  {
    Error("failed to load server private key");
    return false;
  }

  SSL *ssl = SSL_new(ctx);

  SocketType listen_sock = socket(AF_INET, SOCK_STREAM, 0);
  if (listen_sock < 0) /* socket() returns -1 on failure; 0 is a valid descriptor */
  {
    Error("failed creating socket");
    return false;
  }

  sockaddr_in sa_serv, sa_cli;
  memset(&sa_serv, 0, sizeof(sa_serv)); /* clear sin_zero/padding before bind() */

  sa_serv.sin_family = AF_INET;
  sa_serv.sin_addr.s_addr = INADDR_ANY;
  sa_serv.sin_port = htons(2002); /* Server Port number */
  if (bind(listen_sock, (struct sockaddr*) &sa_serv, sizeof(sa_serv)) < 0)
  {
    Error("bind failed");
    return false;
  }
  /* Receive a TCP connection. */
  if (listen(listen_sock, 5) < 0)
  {
    Error("listen failed");
    return false;
  }
  socklen_t clientLen = sizeof(sa_cli);
  SocketType sock = accept(listen_sock, (struct sockaddr*) &sa_cli, &clientLen);
  if (sock < 0)
  {
    Error("accept failed");
    return false;
  }

  /* Address and port are printed as raw network-byte-order values. */
  printf("Connection from %x, port %x\n", sa_cli.sin_addr.s_addr, sa_cli.sin_port);
  SSL_set_fd(ssl, sock);

  if (SSL_accept(ssl) <= 0)
  {
    Error("SSL handshake failed");
    return false;
  }

  char *message = "Hello SSL";
  if (SSL_write(ssl, message, sizeof(message)) <= 0)
  {
    Error("error on ssl write");
  }

  return true;
}



Thanks,
Dave
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: writing an SSH server

Eric S. Eberhard-2
I believe the last function, the write, is missing a return false
with the error message?

Writing servers is VERY difficult to make 100% reliable, good
logging, etc.  I have many years experience and still avoid it when I
can.  You need to understand blocking and non-blocking calls, your
network, etc.

If you are on Unix -- use inetd if your volume is not too high.  By
too high I mean I have production systems with 10,000 connections
continually, averaging 1,000 new connections per second.  On
inetd under AIX.

In the old days of slow hardware people complained about the
performance because it does have to create a new process.

However your code becomes simple -- read/write to stdin/stdout.  No
need to open, accept, poll, close, or otherwise deal with sockets.

Which then brings up stunnel ... and another performance barrier I
supposed by throwing in another program.  However -- I have easily
used it for credit cards, UPS, USPS, Fedex, 10s of companies more
obscure, Web interfaces, secure telnet, HTTPS, etc.

On a modern machine you are unlikely, unless really resource
strained, to care about the overhead -- and you would have no
programming to do at all.  If stunnel is too limited, I'd still
consider inetd.

NOTE -- pretty much all code you write to work under inetd can later
be transferred to a standalone server program.  So you are wasting
little time trying it.  I actually have a generic server program I
start with whenever I need a server (it's in C) that runs either
under inetd or standalone.  In practice I always use inetd -- it is
dead reliable and if it is not working, Unix is not working.

I am sure someone will disagree based on resource/performance
reasons.  You will have to judge that ... and like I said, trying it
in inetd is not wasted time.

If you are on Windows .... ignore this :-)

Eric


Eric S. Eberhard
(928) 567-3727          Voice
(928) 567-6122          Fax
(928) 301-7537                           Cell

Vertical Integrated Computer Systems, LLC
Metropolis Support, LLC

For Metropolis support and VICS MBA Support!!!!    http://www.vicsmba.com

For pictures:  http://www.vicsmba.com/ourpics/index.html

(You can see why we love this state :-) )  


Re: writing an SSH server

David Durham, Jr.
On Thu, Oct 27, 2011 at 4:09 PM, Eric S. Eberhard <[hidden email]> wrote:
> I believe the last function, the write, is missing a return false with the
> error message?

Doesn't matter though, it's not an issue.  Thanks.

RE: writing an SSH server

Dave Thompson-5
In reply to this post by David Durham, Jr.
> From: [hidden email] On Behalf Of David Durham
> Sent: Thursday, 27 October, 2011 16:48

> I'm new to C++ and libssl, but nevertheless trying to write an SSH
> server.  I have gone through tutorials and believe I have a working
> server that initializes and SSL context, binds and listens on a TCP
> socket, and accepts a connection.  Using a debugger I see that if I
> try to "ssh myserver -p myport", the process hangs on the call to
> SSL_accept.  I figure this is because the ssh client needs to do
> something before calling SSL_connect.  I don't need authentication, I
> just want to use ssh kind of like a secure telnet.  <snip>

SSH and SSL are different protocols, even though there is
only one letter difference in the acronym. See RFCs 4250-6.
The underlying *crypto* primitives are mostly the same,
and the widely-used openssh implementation uses the libcrypto
part of OpenSSL, but the protocol part of openssh is entirely
different from the libssl part of OpenSSL (including SSL_accept).

AFAIK SSH always formally authenticates the server, although
in practice this is usually done by accepting the server's key
the first time manually, which people are supposed to think
about but don't, and thereafter checking it is the same.
Similarly I believe it always formally authenticates the
client, but that can be e.g. "anybody/dontcare".

If you just want confidentiality with truly no authentication,
SSL/TLS (and OpenSSL) can do that with the anonymous-DH and
anonymous-ECDH suites. I assume you understand and accept the
vulnerabilities you are creating by not authenticating.

Also:

You didn't show your Error() routine (method?). I hope it
displays the OpenSSL error stack in some suitable way;
that information is very often vital in debugging errors.

And:

>   char *message = "Hello SSL";
>   if (SSL_write(ssl, message, sizeof(message)) <= 0)

is a very basic (but all too common) C bug.



RE: writing an SSH server

Eric S. Eberhard-2
In reply to this post by David Durham, Jr.
I end up using SSL because, weirdly, credit card companies and
shipping companies (I do business software), and so forth, all use
SSL -- almost always HTTPS -- and I don't have a call for a protocol.

It would be REALLY cool if you could make a wrapper on stunnel to
handle the "H" protocol portion as I could certainly use it.

As you pointed out there are two things -- the protocol and the
encryption; there was a third I was trying to address and that is the
whole problem of running your own server under Unix ... that you can
skip.  Whether the open source code breaks out the connection from the
protocol is another matter ... they may be mixing them.

I actually was just trying to suggest there might be easier ways (and
maybe I am wrong) -- I try to help new people and I usually come up
with odd solutions that in theory many people say are "slow" when in
practice make no difference.

And, I am not sure, but below that routine may be an actual Unix
accept and then you have those issues of blocking and non-blocking
that become a pain and are not required.

Anyway you can easily ignore me or if you need anything, glad to
help.  If you make an SSH server that runs in inetd I'd love to have
it, and if you extend stunnel to do this (I think that would work)
then you could add to the stunnel project which is cool (I have added
very minor things to many open source programs, even libxml2 and so
forth).  Also, if you need anything on old-fashioned C, I do breathe that :-)

E


Re: writing an SSH server

Jakob Bohm-7
On 10/28/2011 2:08 AM, Eric S. Eberhard wrote:
> I end up using SSL because, weirdly, credit card companies and
> shipping companies (I do business software), and so forth, all use SSL
> -- almost always HTTPS -- and I don't have a call for a protocol.
>
> It would be REALLY cool if you could make a wrapper on stunnel to
> handle the "H" protocol portion as I could certainly use it.
>
The "H" parts are not in openssl because they are in the openssh "addon"
to openssl.

There is such a wrapper, it is the SSH command itself from openssh
(which uses openssl for crypto).

There is also another such wrapper for Windows, it is called "plink"
from the "putty" product (also open source).

Either can be invoked with options to act similar to "openssl stunnel"
(passing standard input to the other end and passing the other end's
output to standard out).

Both also support a different "SSH tunneling" mechanism for passing through
TCP connections in parallel to its "main" connection.  All the tunneled TCP
connections are transmitted inside the same encrypted TCP connection as
the "main" connection.



Re: writing an SSH server

David Durham, Jr.
In reply to this post by Dave Thompson-5
On Thu, Oct 27, 2011 at 4:55 PM, Dave Thompson <[hidden email]> wrote:
> If you just want confidentiality with truly no authentication,
> SSL/TLS (and OpenSSL) can do that with the anonymous-DH and
> anonymous-ECDH suites. I assume you understand and accept the
> vulnerabilities you are creating by not authenticating.

Thanks for this info.  I'll look into it.

> Also:
>
> You didn't show your Error() routine (method?). I hope it
> displays the OpenSSL error stack in some suitable way;
> that information is very often vital in debugging errors.

I'm just sending the message to cout.  If you can point me to
information on outputting the full OpenSSL error stack, I'd appreciate
it.

>
> And:
>
>>   char *message = "Hello SSL";

changed to:

  char message[] = "Hello SSL";


Thanks,
Dave
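
The three message-length forms that come up in this thread (the posted sizeof of a char *, the char[] fix, and strlen), as an added C example that is not code from any of the posts. SSL_write is replaced by a constructed stand-in that records the bytes and returns short writes, so it runs without OpenSSL:

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for SSL_write(): copies what the caller asks to send
 * into a capture buffer and, like a real transport, may accept fewer bytes
 * than requested (at most MAX_PER_CALL per call). */
enum { CAPTURE_MAX = 64, MAX_PER_CALL = 4 };
static unsigned char captured[CAPTURE_MAX];
static size_t captured_len;

static int fake_ssl_write(const void *buf, int num)
{
    int n = num > MAX_PER_CALL ? MAX_PER_CALL : num;
    if (n <= 0 || captured_len + (size_t)n > CAPTURE_MAX)
        return -1;
    memcpy(captured + captured_len, buf, (size_t)n);
    captured_len += (size_t)n;
    return n;
}

/* Loop until all len bytes are out or the transport fails; a write can
 * return short (SSL_write does once SSL_MODE_ENABLE_PARTIAL_WRITE is set).
 * Returns 0 on success, -1 on error. */
int send_all(const char *buf, size_t len)
{
    size_t done = 0;
    while (done < len) {
        int n = fake_ssl_write(buf + done, (int)(len - done));
        if (n <= 0)
            return -1;
        done += (size_t)n;
    }
    return 0;
}

/* As posted: message is a char *, so sizeof(message) is the size of the
 * pointer (4 or 8 bytes), not of the string, and the greeting is cut short. */
size_t bytes_sent_pointer_form(void)
{
    const char *message = "Hello SSL";
    captured_len = 0;
    send_all(message, sizeof(message)); /* bug kept on purpose */
    return captured_len;
}

/* The follow-up fix: char message[] makes sizeof measure the array, which
 * includes the terminating NUL, so 10 bytes go on the wire. */
size_t bytes_sent_array_form(void)
{
    char message[] = "Hello SSL";
    captured_len = 0;
    send_all(message, sizeof(message));
    return captured_len;
}

/* strlen() sends exactly the 9 visible characters and nothing else. */
size_t bytes_sent_strlen_form(void)
{
    const char *message = "Hello SSL";
    captured_len = 0;
    send_all(message, strlen(message));
    return captured_len;
}
```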

Re: writing an SSH server

David Durham, Jr.
On Fri, Oct 28, 2011 at 12:26 PM, David Durham
<[hidden email]> wrote:
>
> I'm just sending the message to cout.  If you can point me to
> information on outputting the full OpenSSL error stack, I'd appreciate
> it.

replied too soon, looks like this is what I want:

    ERR_print_errors(sbio);

-Dave

Re: writing an SSH server

Eric S. Eberhard-2
In reply to this post by Eric S. Eberhard-2
Thank you!  That is great info for me if I ever need SSH (meaning
SSL with the protocol).  It may also help the original person as he
may be able to solve his problem using inetd and openssh ... which is
easy and reliable and works great if you have remotely reasonable
traffic.  Also, way less coding :-)  Eric

