ssh-base Plugin

Introduction

lws-ssh-base is a protcol plugin for libwebsockets that implements a generic, abstract, ssh server.

• very small footprint in code and memory, takes up small part of ESP32
• written with security in mind: valgrind and Coverity -clean
• binds to one or more vhosts, that controls listen port(s)
• all IO and settings abstracted through a single "ops" struct from user code
• each instance on a vhost has its own "ops" struct, defining server keys, auth method and functions to implement IO and other operations
• The plugin has no built-in behaviours like check ~/.ssh/authorized_keys, treat auth usernames as system usernames, or spawn the user's shell. Everything potentially dangerous is left to the user ops code to decide how to handle. It's NOT like sshd where running it implies it will accept existing keys for any system user, will spawn a shell, etc, unless you implement those parts in the ops callbacks.
• The plugin requires extra code around it in the form of the ops struct handlers. So it's role is something like an abstract base class for an ssh server. All the crypto, protocol sequencing and state machine are inside, but all the IO except the network connection is outside.
• Built as part of libwebsockets, like all plugins may be dynamically loaded at runtime or built statically. Test app libwebsockets-test-sshd provided
• Uses hash and RSA functions from either mbedTLS or OpenSSL automatically, according to which library libwebsockets was built for

To maintain its small size, it implements a single "best of breed" crypto for the following functions:

Function	Crypto
KEX	curve.nosp@m.2551.nosp@m.9-sha.nosp@m.256@.nosp@m.libss.nosp@m.h.or.nosp@m.g
Server host key	ssh-rsa (4096b)
Encryption	chach.nosp@m.a20-.nosp@m.poly1.nosp@m.305@.nosp@m.opens.nosp@m.sh.c.nosp@m.om
Compression	None

License

lws-ssh-base is Free Software, available under libwebsockets' MIT license.

The crypto parts are available elsewhere under a BSD license. But for simplicity the whole plugin is under MIT.

Generating your own keys

$ ssh-keygen -t rsa -b 4096 -f mykeys

will ask for a passphrase and generate the private key in mykeys and the public key in mykeys.pub. If you already have a suitable RSA key you use with ssh, you can just use that directly.

lws installs a test keypair in /usr[/local]/share/libwebsockets-test-server that the test apps will accept.

Example code

1) There's a working example app libwebsockets-test-sshd included that spawns a bash shell when an ssh client authenticates. The username used on the remote ssh has no meaning, it spawns the shell under the credentials of "lws-test-sshd" was run under. It accepts the lws ssh test key which is installed into /usr[/local]/share/libwebsockets-test-server.

Start the server like this (it wants root only because the server key is stored in /etc)

$ sudo libwebsockets-test-sshd

Connect to it using the test private key like this

$ ssh -p 2200 -i /usr/local/share/libwebsockets-test-server/lws-ssh-test-keys anyuser@127.0.0.1

2) There's also a working example plugin lws-sshd-demo that "subclasses" the abstract lws-ssh-base plugin to make a protocol which can be used from, eg, lwsws. For an lwsws vhost that listens on port 2222 and responds with the lws-sshd-demo ssh server, the related config is:

{
        "name": "sshd",
        "port": "2222",
        "onlyraw": "1",
        "ws-protocols": [{
                "lws-ssh-base": {
                        "status": "ok",
                        "ops-from": "lws-sshd-demo"
                },
                "lws-sshd-demo": {
                        "status": "ok",
                        "raw": "1"
                }
        }]
}

Integration to other apps

Step 0: Build and install libwebsockets

For the libwebsockets-test-sshd example, you will need CMake options LWS_WITH_CGI, since it uses lws helpers to spawn a shell.

lws-ssh-base itself doesn't require CGI support in libwebsockets.

Step 1: make the code available in your app

Include lws-plugin-ssh-base in your app, either as a runtime plugin or by using the lws static include scheme.

To bring in the whole of the ssh-base plugin into your app in one step, statically, just include plugins/ssh-base/include/lws-plugin-sshd-static-build-includes.h, you can see an example of this in ./test-apps/test-sshd.c.

Step 2: define your <tt>struct lws_ssh_ops</tt>

plugins/ssh-base/include/lws-plugin-ssh.h defines struct lws_ssh_ops which is used for all customization and integration of the plugin per vhost. Eg,

static const struct lws_ssh_ops ssh_ops = {
        .channel_create                 = ssh_ops_channel_create,
        .channel_destroy                = ssh_ops_channel_destroy,
        .tx_waiting                     = ssh_ops_tx_waiting,
        .tx                             = ssh_ops_tx,
        .rx                             = ssh_ops_rx,
        .get_server_key                 = ssh_ops_get_server_key,
        .set_server_key                 = ssh_ops_set_server_key,
        .set_env                        = ssh_ops_set_env,
        .pty_req                        = ssh_ops_pty_req,
        .child_process_io               = ssh_ops_child_process_io,
        .child_process_terminated       = ssh_ops_child_process_terminated,
        .exec                           = ssh_ops_exec,
        .shell                          = ssh_ops_shell,
        .is_pubkey_authorized           = ssh_ops_is_pubkey_authorized,
        .banner                         = ssh_ops_banner,
        .disconnect_reason              = ssh_ops_disconnect_reason,
        .server_string                  = "SSH-2.0-Libwebsockets",
        .api_version                    = 1,
};

The ssh_ops_...() functions are your implementations for the operations needed by the plugin for your purposes.

Step 3: enable <tt>lws-ssh-base</tt> protocol to a vhost and configure using pvo

A pointer to your struct lws_ssh_ops is passed into the vhost instance of the protocol using per-vhost options

static const struct lws_protocol_vhost_options pvo_ssh_ops = {
        NULL,
        NULL,
        "ops",
        (void *)&ssh_ops
};
 
static const struct lws_protocol_vhost_options pvo_ssh = {
        NULL,
        &pvo_ssh_ops,
        "lws-sshd-base",
        "" /* ignored, just matches the protocol name above */
};
 
...
        info.port = 22;
        info.options = LWS_SERVER_OPTION_ONLY_RAW;
        info.vhost_name = "sshd";
        info.protocols = protocols_sshd;
        info.pvo = &pvo_ssh;
 
        vh_sshd = lws_create_vhost(context, &info);

There are two possible pvos supported, "ops", shown above, directly passes the ops structure in using the value on the "ops" pvo.

To support other protocols that want to provide ops to lws-ssh-base themselves for a particular vhost, you can also provide a pvo "ops-from" whose value is the name of the protocol also enabled on this vhost, whose protocol ".user" pointer points to the ops struct lws-ssh-base should use.

Integration to other plugins

A worked example of using the abstract lws-ssh-base plugin from another plugin that provides the ops struct is in ./plugins/protocol_lws_sshd_demo.

The key points to note

• the plugin sets the ops struct for the vhost instantiation of lws-ssh-base by passing a pointer to the ops struct in its lws_protocols struct user member.
• the config for the vhost tells lws-ssh-base to pick up the ops struct pointer using an "ops-from" pvo that indicates the protocol name.

"lws-ssh-base": {
        "status": "ok",
        "ops-from": "lws-sshd-demo"
},

• the config for the vhost tells lws this vhost only serves RAW (ie, no http)

{
       "name": "sshd",
       "port": "2222",
       "onlyraw": "1",
       ...

• the config for the vhost marks the protocol that uses lws-ssh-base, not lws-ssh-base itself, as the protocol to be served for raw connections

"lws-sshd-demo": {
        "status": "ok",
        "raw": "1"
 ...

Notes

You can have the vhost it binds to listen on a nonstandard port. The ssh commandline app cane be told to connect to a non-22 port with ssh -p portnum user@hostname