.TH tinysshd 8
.SH NAME
tinysshd \- Tiny SSH daemon
.SH SYNOPSIS
.B tinysshd
[ options ]
.I keydir
.SH DESCRIPTION
.B tinysshd
is a minimalistic SSH server which implements only a subset of SSHv2 features.
.sp
.B tinysshd
supports only secure cryptography (minimum 128\-bit security, protected against cache\-timing attacks)
.sp
.B tinysshd
doesn't implement older crypto (such as RSA, DSA, HMAC\-MD5, HMAC\-SHA1, 3DES, RC4, ...)
.sp
.B tinysshd
doesn't implement unsafe features (such as password or hostbased authentication)
.sp
.B tinysshd
doesn't have features such as: SSH1 protocol, compression, port forwarding, agent forwarding, X11 forwarding, ...
.sp
.B tinysshd
doesn't use dynamic memory allocation (no allocation failures, etc.)
.SH OPTIONS
.TP
.B \-q
no error messages
.TP
.B \-Q
print error messages (default)
.TP
.B \-v
print extra information
.TP
.B \-s
enable state\-of\-the\-art crypto (default)
.sp
signing \- ssh\-ed25519
.sp
key-exchange \- curve25519\-sha256
.sp
symmetric \- chacha20\-poly1305@openssh.com
.TP
.B \-S
disable state\-of\-the\-art crypto
.TP
.B \-p
enable post\-quantum crypto (default)
.sp
signing \- TODO (not implemented yet)
.sp
key-exchange \- sntrup761x25519\-sha512@openssh.com
.sp
symmetric \- chacha20\-poly1305@openssh.com
.TP
.B \-P
disable post\-quantum crypto
.TP
.B \-l
use syslog instead of standard error output (useful for running from inetd)
.TP
.B \-L
don't use syslog, use standard error output (default)
.TP
.B \-x \fIname=command
add subsystem command (e.g.: sftp=/usr/libexec/openssh/sftp\-server)
.TP
.B \-e \fIcommand
execute the given command instead of spawning the shell (disables \fIexec\fR/\fIsubsystem\fR channel requests)
.TP
.I keydir
directory containing TinySSH keys, typically /etc/tinyssh/sshkeydir
.SH AUTHORIZATION
.B tinysshd
supports only public-key authorization via
.B AuthorizedKeysFile
~/.ssh/authorized_keys. Each line of the file contains one key in the format "keytype base64-encoded-key comment".
.B tinyssh
supports only the "ssh-ed25519" keytype.
.sp
~/.ssh/authorized_keys example:
.nf
.RS 2
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILV5AGhGQ1QVXjBWhTKJP3vrqE3isL4ivisBailQ14gS comment
.fi
.RE
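.sp
Added example (not part of the TinySSH distribution): a Python check that
reports authorized_keys entries which do not fit the format described above.
Assumptions: blank lines and lines starting with "#" are skipped, entries
with leading options are reported, and all function names are hypothetical.
.nf
```python
import base64
import struct
KEYTYPE = "ssh-ed25519"  # the only keytype the page lists as supported

def read_string(blob, off):
    """Read one SSH wire-format string (uint32 length, then bytes)."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", blob, off)
    if off + 4 + n > len(blob):
        raise ValueError("truncated string")
    return blob[off + 4:off + 4 + n], off + 4 + n

def check_line(line):
    """Return None for a well-formed ssh-ed25519 entry, else a reason."""
    fields = line.split()
    if len(fields) < 2:
        return "expected: keytype base64-encoded-key comment"
    if fields[0] != KEYTYPE:
        return "unsupported keytype " + repr(fields[0])
    try:
        blob = base64.b64decode(fields[1], validate=True)
        inner_type, off = read_string(blob, 0)
        key, off = read_string(blob, off)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return "bad key blob: " + str(exc)
    if inner_type != KEYTYPE.encode():
        return "blob declares a different key type"
    if len(key) != 32 or off != len(blob):
        return "not a 32-byte Ed25519 public key"
    return None

def audit(text):
    """Return (line_number, reason) pairs; blank and "#" lines are skipped (assumption)."""
    findings = []
    for num, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            reason = check_line(stripped)
            if reason:
                findings.append((num, reason))
    return findings

# Constructed sample: the page's example key, then two entries that do not fit.
SAMPLE = """ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILV5AGhGQ1QVXjBWhTKJP3vrqE3isL4ivisBailQ14gS comment
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC7 old@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILV5 truncated@host
"""
for num, reason in audit(SAMPLE):
    print("line %d: %s" % (num, reason))
```
.fi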
.SH RUNNING
.TP
.B TCPSERVER
tcpserver \-HRDl0 0.0.0.0 22 /usr/sbin/tinysshd \-v /etc/tinyssh/sshkeydir &
.TP
.B BUSYBOX
busybox tcpsvd 0 22 tinysshd \-v /etc/tinyssh/sshkeydir &
.TP
.B INETD
.RS 4
/etc/inetd.conf:
.RS 4
ssh stream tcp nowait root /usr/sbin/tinysshd tinysshd \-l \-v /etc/tinyssh/sshkeydir
.RE
.RE
.TP
.B SYSTEMD
.RS 4
tinysshd.socket:
.RS 4
.nf
[Unit]
Description=TinySSH server socket
ConditionPathExists=!/etc/tinyssh/disable_tinysshd
[Socket]
ListenStream=22
Accept=yes
[Install]
WantedBy=sockets.target
.fi
.RE
.RE
.sp
.RS 4
tinysshd@.service:
.RS 4
.nf
[Unit]
Description=Tiny SSH server
After=network.target auditd.service
[Service]
ExecStartPre=\-/usr/sbin/tinysshd\-makekey \-q /etc/tinyssh/sshkeydir
EnvironmentFile=\-/etc/default/tinysshd
ExecStart=/usr/sbin/tinysshd ${TINYSSHDOPTS} \-\- /etc/tinyssh/sshkeydir
KillMode=process
SuccessExitStatus=111
StandardInput=socket
StandardError=journal
[Install]
WantedBy=multi\-user.target
.fi
.RE
.RE
.SH SEE ALSO
.BR tinysshd\-makekey (8),
.BR tinysshd\-printkey (8)
.sp
.nf
https://tinyssh.org/
.fi