[talk] Thoughts on TinySSH?

Justin Dearing zippy1981 at gmail.com
Sun Mar 16 14:27:00 EDT 2014


http://tinyssh.org/index.html

Someone is making a tiny ssh server without using malloc (pure static
memory analysis). Its not supporting ssh1, sftp or scp and not supporting
AES or DES.They're expecting an alpha in 2015 and a beta in 2016.  Some of
my thoughts:


   - Two years seems a little long to reimplement ssh. However, I don't
   know enough about ssh internals to comment
   - I don't see the source code on his site, just directions to download a
   deb.
   - Even if all the memory is statically allocated, isn't it still
   potentially vulnerable to pointer math errors? I'll defer to those who
   actively write C to tell me otherwise.
   - Its a server, so saying it only supports newer encryption protocols is
   ok. As something for embedded devices, this is an ok design decision.
   - No SFTP or SCP support is questionable. SCP as a payload delivery
   mechanism would be useful, but perhaps that can be added later.
   - If this code can compile on windows without cygwin, that would be an
   awesome win. However, its limited scope means there's little chance its
   going to support Kerberos authentication.

Anyone else have any thoughts?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.nycbug.org:8443/pipermail/talk/attachments/20140316/3fec15a1/attachment.htm>


More information about the talk mailing list