Re: Limiting attack surface for Debian sshd
On 14/04/2025 at 13:57, Marc SCHAEFER wrote:
Hello,
Yes! On the (dynamic) dependency side it seems ideal.
So it means it's a reimplementation of the SSH server, not using libssh?
(or it's statically compiled, which could be worse?)
libssh does not appear in the build-dependencies of the source package
either:
https://packages.debian.org/source/bookworm/tinyssh
and from the FAQ of the project at
https://mojzis.com/software/tinyssh/faq.html, I quote:
"[...]
How do I compile TinySSH using full NaCl library?
TinySSH has internal crypto library, but can be compiled using fast
crypto primitives from NaCl library.
[...]"
that seems to indicate that tinysshd has no relation with libssh?
However: it could mean it's much less scrutinized than libssh, which in turn
"looks" less scrutinized than OpenSSH ...
It looks like it has very few lines of code, which is good:
https://github.com/janmojzis/tinyssh
However, it does not seem to support port forwarding, which can be
handy on a jump host ...
apparently, yes, it's a balancing move between various opposite
characteristics: size, speed, features, security...
if tinysshd does meet your features requirements, you can take a look at:
- dropbear-bin which seems not to depend upon libssh either directly or
indirectly
- lsh-server which seems not to depend upon libssh either directly or
indirectly, but seems to depend indirectly (through libkrb) upon libssl
please take all that precedes with a grain of salt: I do not install and
set up ssh servers :-)
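One way to automate the "directly or indirectly" dependency check discussed in this thread (an added example, not code from the thread or from any of the packages mentioned): it parses the output format of `apt-cache depends --recurse` and walks the dependency graph to report through which chain a package reaches libssh or libssl. The embedded sample is constructed to mirror the lsh-server case described above and is not real archive data; the function names are my own.

```python
import re
from collections import deque
# Constructed sample in the shape of `apt-cache depends --recurse --no-recommends
# --no-suggests lsh-server` output; the package graph is illustrative, not archive data.
SAMPLE = """\
lsh-server
  Depends: libc6
  Depends: libgssapi-krb5-2
libgssapi-krb5-2
  Depends: libc6
  Depends: libkrb5-3
libkrb5-3
  Depends: libc6
  Depends: libssl3
libssl3
  Depends: libc6
libc6
"""

def parse_depends(text):
    """Parse apt-cache depends output into {package: [direct dependencies]}."""
    graph, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            current = line.strip()  # a new package block starts at column 0
            graph.setdefault(current, [])
        else:
            # Dependency lines: "  Depends:", "  PreDepends:", "  |Depends:" (alternative), "<virtual>"
            m = re.match(r"\s*\|?(?:Pre)?Depends: <?([^>\s]+)>?", line)
            if m and current:
                graph[current].append(m.group(1))
    return graph

def dependency_paths(graph, root, pattern):
    """BFS from root; map each reachable package matching the regex to the chain leading to it."""
    wanted = re.compile(pattern)
    paths, seen, queue = {}, {root}, deque([[root]])
    while queue:
        path = queue.popleft()
        for dep in graph.get(path[-1], []):
            if dep in seen:
                continue
            seen.add(dep)
            if wanted.search(dep):
                paths[dep] = path + [dep]
            queue.append(path + [dep])
    return paths
```

On a Debian host, feed it real data with `parse_depends(subprocess.run(["apt-cache", "depends", "--recurse", "--no-recommends", "--no-suggests", pkg], capture_output=True, text=True).stdout)` and query with the pattern `r"^libss[hl]"`.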