[Libwebsockets] Announce: libwebsockets ssh server protocol plugin available
andy at warmcat.com
Wed Oct 11 15:59:28 CEST 2017
Master branch of lws now includes a very small footprint generic ssh
server "plugin", written from scratch in lws bytewise state machine style.
It lets you very simply add a vhost on a selected port which provides a
server using full strength ssh v2 authentication and encryption.

Key Exchange: curve25519-sha256@libssh.org
Server host key: ssh-rsa (4096b)
Encryption: chacha20-poly1305@openssh.com
Client keys: ssh-rsa (up to 4096b)

The lws-ssh-base plugin is an abstract implementation, it takes an "ops"
struct to actually do anything outside of the ssh protocol itself:
the ops struct wires it up to user functions for authentication, send
and receive data etc. It relies on ops to define everything, eg, there
is no implementation by default for spawning shells. If that's what you
want you have to provide code for it (although the demo app shows how to
do it). It should be very handy for data that naturally wants a remote
tty or optional / debugging features like tail -f style internal log

A demo app and a demo plugin are provided, the app is a standalone test
server app that opens a shell on your system when you login, it's not a
full pty just a shell. At the moment you need to run it as root simply
because it wants to read / write its server key down /etc.

The demo plugin doesn't open any shell serverside, it just prints some
stuff and waits for you to press a key.

The ssh server demo plugin is now enabled on libwebsockets.org:2222.
Grab the demo private key here
Then you can login to the libwebsockets.org test plugin like this:

$ ssh -p2222 -i lws-ssh-test-keys anybody@libwebsockets.org

- LWS plugins work as dynamic loaded plugins via libuv, but they can
also be included as static code into your own app without any dynamic
load. So don't be put off by the word 'plugin', the ssh server plugin
works fine on, eg, ESP32.
- The demo isn't a separate server. It's just another vhost on lwsws,
so it runs in the same event loop etc.
- There's no special security dimension to the plugin more than
running an http server. The plugin doesn't have any code in it for
spawning shells or accessing your system ssh keys, and your system sshd
if you have one has no contact with the plugin keys. It only uses
whatever you wired up the ops functions to... for example the demo
plugin has a hardcoded public key it will accept, and only prints canned
strings with no shell or pty.
- coverity + valgrind clean
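
The ops-struct wiring described above, sketched as an added example that is not code from lws or from this post: a protocol core that only acts through callbacks and fails closed when one is not wired up. The struct demo_ssh_ops, its members, the core_* helpers and the key blob are all hypothetical and constructed for illustration; they are not the lws-ssh-base API.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical ops table (illustrative names, NOT the lws-ssh-base struct) */
struct demo_ssh_ops {
	/* return 0 to accept the offered public key blob for this user */
	int (*is_pubkey_authorized)(const char *user, const unsigned char *blob, size_t len);
	int (*shell)(void *chan);	/* left NULL: this server has no shell */
	size_t (*tx)(void *chan, unsigned char *buf, size_t cap);
};

/* Constructed sample blob standing in for the single hardcoded accepted key */
static const unsigned char demo_key[] = "constructed-sample-public-key-blob";

/* Compare without an early exit, so timing does not reveal where blobs differ */
static int ct_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
	unsigned char d = 0;
	for (size_t i = 0; i < n; i++)
		d |= (unsigned char)(a[i] ^ b[i]);
	return d == 0;
}

static int demo_auth(const char *user, const unsigned char *blob, size_t len)
{
	(void)user;	/* any username, exactly one accepted key */
	return (len == sizeof(demo_key) - 1 && ct_equal(blob, demo_key, len)) ? 0 : 1;
}

static size_t demo_tx(void *chan, unsigned char *buf, size_t cap)
{
	static const char canned[] = "canned output, no shell here\r\n";
	size_t n = sizeof(canned) - 1;
	(void)chan;
	if (n > cap)
		n = cap;	/* never write past the caller's buffer */
	memcpy(buf, canned, n);
	return n;
}

/* Canned-strings-only wiring: auth and tx provided, shell deliberately absent */
static const struct demo_ssh_ops demo_ops = { .is_pubkey_authorized = demo_auth, .shell = NULL, .tx = demo_tx };

/* Protocol-core side: a missing callback means deny, never a built-in default */
int core_auth(const struct demo_ssh_ops *ops, const char *user, const unsigned char *blob, size_t len)
{
	return (ops && ops->is_pubkey_authorized) ? ops->is_pubkey_authorized(user, blob, len) : 1;
}
int core_shell_request(const struct demo_ssh_ops *ops, void *chan)
{
	return (ops && ops->shell) ? ops->shell(chan) : 1;
}
```
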