[talk] Thoughts on TinySSH?
Justin Dearing
zippy1981 at gmail.com
Sun Mar 16 14:27:00 EDT 2014
http://tinyssh.org/index.html
Someone is making a tiny ssh server without using malloc (pure static
memory analysis). Its not supporting ssh1, sftp or scp and not supporting
AES or DES.They're expecting an alpha in 2015 and a beta in 2016. Some of
my thoughts:
- Two years seems a little long to reimplement ssh. However, I don't
know enough about ssh internals to comment
- I don't see the source code on his site, just directions to download a
deb.
- Even if all the memory is statically allocated, isn't it still
potentially vulnerable to pointer math errors? I'll defer to those who
actively write C to tell me otherwise.
- Its a server, so saying it only supports newer encryption protocols is
ok. As something for embedded devices, this is an ok design decision.
- No SFTP or SCP support is questionable. SCP as a payload delivery
mechanism would be useful, but perhaps that can be added later.
- If this code can compile on windows without cygwin, that would be an
awesome win. However, its limited scope means there's little chance its
going to support Kerberos authentication.
Anyone else have any thoughts?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.nycbug.org:8443/pipermail/talk/attachments/20140316/3fec15a1/attachment.htm>
More information about the talk
mailing list