Sunday 15 May 2011

How to build OpenSSH with NSS or GnuTLS instead of OpenSSL?

Due to security issues in OpenSSL, I would like to use NSS or GnuTLS instead. For Apache servers this is easy, since there exists a module for each one. For SSH, it looks hard if not impossible.

Dropbear embeds its own algorithms and is not open to outside ones. OpenSSH has always been built with OpenSSL, but since a few months it is possible to build it without OpenSSL with a new option:

make OPENSSL=no

But then the software cryptographic algorithms used are D. J. Bernstein's works. Good, but not for me, because I shall use a TPM and have access to the PKCS#11 layer. As a consequence, the right solution is to build OpenSSH with either NSS or GnuTLS.

I cannot wait for LibreSSL on Linux, nor use OpenBSD, which has released it and made it the default SSL layer.

So the question is: has anyone tried and managed to build OpenSSH with NSS or GnuTLS instead of OpenSSL, or patched Dropbear, or any other solution to have an SSH server working with TPM and EC authentication?

Note: I have limited resources; I cannot use OpenSSL for OpenSSH and NSS for Apache. I absolutely need to minimize embedded libraries.

No. You may be able to cut down the increment in disk usage related to OpenSSL by linking libcrypto (which is the part of OpenSSL that OpenSSH uses) statically into sshd.

On my system this can be done by manually running the following command after make sshd:

gcc -o sshd sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o audit.o \
    audit-bsm.o audit-linux.o platform.o sshpty.o sshlogin.o servconf.o serverloop.o \
    auth.o auth1.o auth2.o auth-options.o session.o auth-chall.o auth2-chall.o \
    groupaccess.o auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
    auth2-none.o auth2-passwd.o auth2-pubkey.o monitor_mm.o monitor.o monitor_wrap.o \
    kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o auth-krb5.o auth2-gss.o gss-serv.o \
    gss-serv-krb5.o loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
    sftp-server.o sftp-common.o roaming_common.o roaming_serv.o sandbox-null.o \
    sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o sandbox-seccomp-filter.o \
    sandbox-capsicum.o -L. -Lopenbsd-compat/ -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack \
    -fstack-protector-strong -lssh -lopenbsd-compat \
    /usr/lib/x86_64-linux-gnu/libcrypto.a -ldl -lutil -lz -lnsl -lcrypt -lresolv

(That's the result of replacing -lcrypto with the full path to libcrypto.a and removing the -pie flag from the linker command generated by make.)

Then, running strip on sshd reduces its size to 2 MB.

Obviously this only makes sense if you are only going to ship sshd on the device. If you need ssh there, it becomes useless.
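The rewrite the answer performs by hand (swap -lcrypto for the static archive, drop -pie) can be scripted against the link command that make prints; this is an added example, not code from the answer, and the libcrypto.a path and the shortened link command are assumptions. It also checks the result, since a leftover -lcrypto or a missing archive silently defeats the purpose, and removing -pie gives up ASLR for the sshd image.

```shell
#!/bin/sh
# Added example (not from the original post): rewrite the sshd link command
# so that libcrypto is linked statically, as the answer describes by hand.
# The archive path is an assumption; override LIBCRYPTO_A for your system.

LIBCRYPTO_A=${LIBCRYPTO_A:-/usr/lib/x86_64-linux-gnu/libcrypto.a}

# rewrite_link_cmd "<link command>" <path/to/libcrypto.a>
# Prints the command with every -lcrypto replaced by the static archive and
# the -pie flag removed. Caveat: without -pie the sshd executable itself is
# no longer position independent, so its image is not randomised by ASLR.
rewrite_link_cmd() (
    archive=$2
    out=""
    set -f                       # no globbing while splitting the words
    for word in $1; do
        case $word in
            -lcrypto) word=$archive ;;
            -pie)     continue ;;
        esac
        out="${out:+$out }$word"
    done
    printf '%s\n' "$out"
)

# check_link_cmd "<link command>"
# Exit status 0 if no dynamic -lcrypto remains and every *libcrypto.a named
# in the command exists on disk; 1 otherwise (reason printed on stderr).
check_link_cmd() (
    set -f
    for word in $1; do
        if [ "$word" = -lcrypto ]; then
            echo "check: libcrypto is still linked dynamically" >&2
            exit 1
        fi
        case $word in
            *libcrypto.a)
                [ -f "$word" ] || { echo "check: missing $word" >&2; exit 1; } ;;
        esac
    done
    exit 0
)

# Demo with a constructed, shortened version of what `make -n sshd` prints.
if [ -z "$NO_DEMO" ]; then
    link_cmd='gcc -pie -o sshd sshd.o auth.o -L. -Lopenbsd-compat/ -Wl,-z,relro -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz'
    rewrite_link_cmd "$link_cmd" "$LIBCRYPTO_A"
fi
```

Capture the real command with `make -n sshd`, feed it to rewrite_link_cmd, and run check_link_cmd on the output before executing it.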

Tags: openssl, openssh, nss, gnutls, libressl
