[Libwebsockets] Announce: libwebsockets ssh server protocol plugin available

Andy Green andy at warmcat.com
Wed Oct 11 15:59:28 CEST 2017

Hi -

Master branch of lws now includes a very small footprint generic ssh 
server "plugin", written from scratch in lws bytewise state machine style.

It lets you very simply add a vhost on a selected port which provides a 
server using full strength ssh v2 authentication and encryption.

Key Exchange:    curve25519-sha256 at libssh.org
Server host key: ssh-rsa (4096b)
Encryption:      chacha20-poly1305 at openssh.com
Client keys:     ssh-rsa (up to 4096b)

The lws-ssh-base plugin is an abstract implementation, it takes an "ops" 
struct to actually do anything outside of the ssh protocol itself


the ops struct wires it up to user functions for authentication, send 
and receive data etc.  It relies on ops to define everything, eg, there 
is no implementation by default for spawning shells.  If that's what you 
want you have to provide code for it (although the demo app shows how to 
do it).  It should be very handy for data that naturally wants a remote 
tty or optional / debugging features like tail -f style internal log 

A demo app and a demo plugin are provided, the app is a standalone test 
server app that opens a shell on your system when you login, it's not a 
full pty just a shell.  At the moment you need to run it as root simply 
because it wants to read / write its server key down /etc.


The demo plugin doesn't open any shell serverside, it just prints some 
stuff and waits for you to press a key.


The ssh server demo plugin is now enabled on libwebsockets.org:2222.

Grab the demo private key here

$ wget 

Then you can login to the libwebsockets.org test plugin like this:

  $ ssh -p2222 -i lws-ssh-test-keys anybody at libwebsockets.org

Docs here:


Some points:

  - LWS plugins work as dynamic loaded plugins via libuv, but they can 
also be included as static code into your own app without any dynamic 
load.  So don't be put off by the word 'plugin', the ssh server plugin 
works fine on, eg, ESP32.

  - The demo isn't a separate server.  It's just another vhost on lwsws, 
so it runs in the same event loop etc.

  - There's no special security dimension to the plugin more than 
running an http server.  The plugin doesn't have any code in it for 
spawning shells or accessing your system ssh keys, and your system sshd 
if you have one has no contact with the plugin keys.  It only uses 
whatever you wired up the ops functions to... for example the demo 
plugin has a hardcoded public key it will accept, and only prints canned 
strings with no shell or pty.

  - coverity + valgrind clean


More information about the Libwebsockets mailing list