2

Due to security issues with OpenSSL, I would like to use NSS or GnuTLS instead. For Apache server needs, it is easy since there exist a module for each one. But for SSH, it looks like difficult if not impossible.

Dropbear embeds its own algorithms and is not open to the outside. OpenSSH has used to being built with OpenSSL, but since a few months, it is possible to build it without it thanks to the new option:

make OPENSSL=no

But then software cryptographic algorithms are used from D. J. Bernstein works. This is good, but not for me because I shall use a TPM, and so have access to a pkcs11 layer. As a consequence, the right solution would be to build OpenSSH with either NSS or GnuTLS.

I cannot wait for LibReSSL on Linux, nor use OpenBSD which has just released it and made it its SSL default layer.

So my question is: Has someone tryed and managed to build OpenSSH with NSS or GnuTLS instead of OpenSSL, or patched Dropbear or any other solution to have a SSH server working with a TPM and EC authentication ?

Note: as I have limited resources, I cannot use OpenSSL with OpenSSH and NSS with Apache. I absolutely need to minimize the embedded libraries.

lalebarde
  • 1,279
  • 1
  • 14
  • 33

2 Answers2

1

No. But you may be able to reduce the increase on disk usage related to OpenSSL by linking libcrypto (which is the part of OpenSSL that OpenSSH actually uses) statically into sshd.

On my system I can do that by manually running the following command after make sshd:

gcc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o audit.o \
  audit-bsm.o audit-linux.o platform.o sshpty.o sshlogin.o servconf.o serverloop.o \
  auth.o auth1.o auth2.o auth-options.o session.o auth-chall.o auth2-chall.o \
  groupaccess.o auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
  auth2-none.o auth2-passwd.o auth2-pubkey.o monitor_mm.o monitor.o monitor_wrap.o \
  kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o auth-krb5.o auth2-gss.o gss-serv.o \
  gss-serv-krb5.o loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
  sftp-server.o sftp-common.o roaming_common.o roaming_serv.o sandbox-null.o \
  sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o sandbox-seccomp-filter.o \
  sandbox-capsicum.o -L. -Lopenbsd-compat/  -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack \
  -fstack-protector-strong  -lssh -lopenbsd-compat \
  /usr/lib/x86_64-linux-gnu/libcrypto.a -ldl -lutil -lz -lnsl  -lcrypt -lresolv

(that's the result of replacing -lcrypto for the full path to libcrypto.a and removing the -pie flag from the linker command generated by make).

Then, running strip on sshd reduces its size to roughly 2MB.

Obviously that makes sense if you are only going to ship sshd on the device. If you need ssh also there, it becomes useless.

salva
  • 9,300
  • 3
  • 24
  • 55
  • 1
    Thanks salva. The point is that I want to avoid OpenSSL stuff. I am investigating GnuTLS and NSS wrappers that deliver an OpenSSL API. But they provide a subset only. I have to check if it is enough for my needs or not. – lalebarde Oct 16 '14 at 13:00
1

I have identified three solutions:

  1. Use NSS with Nss compat ossl that offers a 80% compatible OpenSSL API.
  2. Use GnuTLS with its OpenSSL compatibility layer (I have not checked the coverage).
  3. Go on with OpenSSL and move to OpenBSD's LibReSSL or Google's BoringSSL when available. The first one is already available on OpenBSD and they manage a portability project towards other nx distributions, so I assume it will be available for Linux in some months. Tremendous cleaning and improvements have been performed.
lalebarde
  • 1,279
  • 1
  • 14
  • 33
  • I know this answer is old, but can you describe which solution you chose in the end? I am facing the same question and I would like to go with 2) but I just can't figure out how. – flowit Jul 11 '16 at 20:38
  • Unfortunatly, I moved. But please post when you have something working. – lalebarde Jul 25 '16 at 16:47