tinysshd(8)

Tiny SSH daemon

Section 8 tinysshd bookworm source


NAME

tinysshd - Tiny SSH daemon

SYNOPSIS

tinysshd [ options ] keydir

DESCRIPTION

tinysshd is a minimalistic SSH server which implements only a subset of SSHv2 features.

tinysshd supports only secure cryptography (minimum 128-bit security, protected against cache-timing attacks)

tinysshd doesn’t implement older crypto (such as RSA, DSA, HMAC-MD5, HMAC-SHA1, 3DES, RC4, ...)

tinysshd doesn’t implement unsafe features (such as password or hostbased authentication)

tinysshd doesn’t have features such as: SSH1 protocol, compression, port forwarding, agent forwarding, X11 forwarding ...

tinysshd doesn’t use dynamic memory allocation (no allocation failures, etc.)

OPTIONS

-q

no error messages

-Q

print error messages (default)

-v

print extra information

-s

enable state-of-the-art crypto (default)

signing - ssh-ed25519

key-exchange - curve25519-sha256

symmetric - chacha20-poly1305@openssh.com

-S

disable state-of-the-art crypto

-p

enable post-quantum crypto (default)

signing - TODO (not implemented yet)

key-exchange - sntrup761x25519-sha512@openssh.com

symmetric - chacha20-poly1305@openssh.com

-P

disable post-quantum crypto

-l

use syslog instead of standard error output (useful for running from inetd)

-L

don’t use syslog, use standard error output (default)

-x name=command

add subsystem command (e.g.: sftp=/usr/libexec/openssh/sftp-server)

-e command

execute the given command instead of spawning the shell (disables exec/subsystem channel requests)

keydir

directory containing TinySSH keys, typically /etc/tinyssh/sshkeydir

AUTHORIZATION

tinysshd supports only public-key authorization via AuthorizedKeysFile ~/.ssh/authorized_keys. Each line of the file contains one key in the format "keytype base64-encoded-key comment". tinyssh supports only the "ssh-ed25519" keytype.

~/.ssh/authorized_keys example:

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILV5AGhGQ1QVXjBWhTKJP3vrqE3isL4ivisBailQ14gS comment
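An added example, not part of the original manual page and not tinysshd's own parser: a small audit script that flags authorized_keys lines that do not match the "keytype base64-encoded-key comment" format with an ssh-ed25519 key. The function names (read_string, check_line, audit) are hypothetical, the sample file is constructed, and the script assumes that a line starting with anything other than the key type (for example an options field) is not usable.

```python
import base64
import struct

KEYTYPE = "ssh-ed25519"  # the only key type the page lists as supported
KEYLEN = 32              # Ed25519 public keys are 32 bytes

def read_string(buf, off):
    """Read one SSH wire string (uint32 big-endian length, then bytes)."""
    if len(buf) - off < 4:
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    if len(buf) - off - 4 < n:
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def check_line(line):
    """Return (ok, reason) for one 'keytype base64-key comment' line."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None, "blank or comment"
    if fields[0] != KEYTYPE:
        return False, "key type is not ssh-ed25519"
    if len(fields) < 2:
        return False, "missing key data"
    try:
        blob = base64.b64decode(fields[1], validate=True)
        inner, off = read_string(blob, 0)
        key, off = read_string(blob, off)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return False, f"malformed key blob: {exc}"
    if inner != KEYTYPE.encode():
        return False, "key type inside blob does not match the label"
    if len(key) != KEYLEN or off != len(blob):
        return False, "wrong key length or trailing bytes"
    return True, "ok"

def audit(text):
    """Return [(line_number, ok, reason)] for every key line in text."""
    checked = ((no, *check_line(line)) for no, line in enumerate(text.splitlines(), 1))
    return [row for row in checked if row[1] is not None]

SAMPLE = """# constructed sample file; line 2 is the example key from this page
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILV5AGhGQ1QVXjBWhTKJP3vrqE3isL4ivisBailQ14gS comment
ssh-rsa AAAAB3NzaC1yc2E= constructed-rsa-entry
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 constructed-truncated-entry
"""
if __name__ == "__main__":
    for no, ok, reason in audit(SAMPLE):
        print(f"line {no}: {'accept' if ok else 'REJECT'} ({reason})")
```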

RUNNING

TCPSERVER

tcpserver -HRDl0 0.0.0.0 22 /usr/sbin/tinysshd -v /etc/tinyssh/sshkeydir &

BUSYBOX

busybox tcpsvd 0 22 tinysshd -v /etc/tinyssh/sshkeydir &

INETD

/etc/inetd.conf:

ssh stream tcp nowait root /usr/sbin/tinysshd tinysshd -l -v /etc/tinyssh/sshkeydir

SYSTEMD

tinysshd.socket:

[Unit]
Description=TinySSH server socket
ConditionPathExists=!/etc/tinyssh/disable_tinysshd

[Socket]
ListenStream=22
Accept=yes

[Install]
WantedBy=sockets.target

tinysshd@.service:

[Unit]
Description=Tiny SSH server
After=network.target auditd.service

[Service]
ExecStartPre=-/usr/sbin/tinysshd-makekey -q /etc/tinyssh/sshkeydir
EnvironmentFile=-/etc/default/tinysshd
ExecStart=/usr/sbin/tinysshd ${TINYSSHDOPTS} -- /etc/tinyssh/sshkeydir
KillMode=process
SuccessExitStatus=111
StandardInput=socket
StandardError=journal

[Install]
WantedBy=multi-user.target

SEE ALSO

tinysshd-makekey(8), tinysshd-printkey(8)

https://tinyssh.org/