<div dir="ltr"><a href="http://tinyssh.org/index.html">http://tinyssh.org/index.html</a><br><div><br></div><div>Someone is making a tiny ssh server without using malloc (pure static memory analysis). It's not supporting ssh1, sftp or scp and not supporting AES or DES. They're expecting an alpha in 2015 and a beta in 2016. Some of my thoughts:</div>
<div><br></div><div><ul><li>Two years seems a little long to reimplement ssh. However, I don't know enough about ssh internals to comment.</li><li>I don't see the source code on his site, just directions to download a deb.</li>
<li>Even if all the memory is statically allocated, isn't it still potentially vulnerable to pointer math errors? I'll defer to those who actively write C to tell me otherwise.</li><li>It's a server, so saying it only supports newer encryption protocols is ok. As something for embedded devices, this is an ok design decision.</li>
<li>No SFTP or SCP support is questionable. SCP as a payload delivery mechanism would be useful, but perhaps that can be added later.</li><li>If this code can compile on Windows without Cygwin, that would be an awesome win. However, its limited scope means there's little chance it's going to support Kerberos authentication.</li>
</ul><div>Anyone else have any thoughts?</div></div></div>