Skip to main content

Customize a NanoSSH client implementation

After building and verifying the NanoSSH Client example code, the NanoSSH Client implementation may be customized. This section explains how to enable debugging messages, select particular authentication and encryption methods, optimize performance, and more.

This section provides information about the following topics:

Required features and mutually exclusive features

Every NanoSSH Client must include at least one enabled authentication method. See the following sections:

List of customizable features

This section describes the features that may be added to the NanoSSH Client. For each feature’s section, there is a description of the feature, background information to help with the decision of how to use the feature, and information about which flags, callback functions, and API methods are needed to implement the feature.

Implementation sequence

The quickest path to an up-and-running NanoSSH application is to first turn on basic NanoSSH example code, build it, and then verify communications. Then the example code may be customized or integrated application by adding features one at a time (by defining the appropriate flags). That is, do not define many unrelated flags at once, but use a staged approach:

  1. Turn on NanoSSH Client and the desired NanoSSH example code, and build the example use case, and validate that it runs (see Use Case Examples).

  2. Turn on debugging code (see Enabling Debug Messages).

  3. Customize the code to turn on additional features (see List of Customizable Features).

  4. Add FIPS (see Adding FIPS).

Process overview

The steps below describe the tasks required to implement a TrustCore SDK NanoSSH Client shell.

  1. Define any necessary flags for the implementation. This involves editing the moptions.h file to include the applicable flags. See ???.

  2. Add function calls within the application code to initialize and shut down TrustCore SDK. Additionally, set up threads for any TrustCore SDK components that require it. See Initializing TrustCore SDK Code.

  3. Add code within the application to configure the NanoSSH Client. This includes setting up communication, initializing the session manager, and configuring the internal structures. See Use case examples.

  4. Replace stub functions with custom routines modeled on the NanoSSH Client example code. Ensure all function pointers are defined in the sshClientSettings structure, and register the necessary callbacks. See the Callback functions section in the applicable feature documentation.

  5. Include any additional function calls required for specific features of the NanoSSH Client.

  6. Add code to reclaim device resources and NanoSSH Client resources when necessary. See Use case examples.

  7. Once all code is added and configured, rebuild the NanoSSH Client to integrate the new implementation. See Build a NanoSSH Client executable.

Enable debug messages

DigiCert TrustCore SDK code includes extensive debugging messages to help with integration efforts. DigiCert may also ask for debugging to be enabled if support is contacted with any technical questions.

The debug log messages may be sent to stdout, a telnet console, or a customized platform-specific interface.

Applicability

Debugging may be enabled for any NanoSSH Client example code or customized implementation.

Flags

To enable debug messages, define the appropriate flags in Table 8 below (depending on where to send the debug output) and rebuild the executable(s). Table 8: Debug Flags

Table 1. Debug Flags

Flag

Description

__ENABLE_ALL_DEBUGGING__

Displays extensive debug information from all TrustCore SDK modules to the debug console.

__ENABLE_CUSTOM_DEBUG_CONSOLE_DEFS__

Enables the use of custom debug console functions in place of the TrustCore SDK debug console. This is generally unnecessary as the standard debug console may be used to view all debug output.

__ENABLE_MOCANA_DEBUG_CONSOLE__

Enables the TrustCore SDK debug console, which logs debugging information to stdout or (if __MOCANA_DUMP_CONSOLE_TO_STDOUT__ is not defined) to a telnet port.

__ENABLE_MOCANA_DEBUG_MEMORY__

Enables the TrustCore SDK memory leak debugger, which detects memory leaks, double frees, and other memory issues. File and line for every call to malloc and free are recorded.

__MOCANA_DUMP_CONSOLE_TO_STDOUT__

Sends enabled debug messages to stdout.

__ENABLE_MOCANA_SSH_CHANNEL_ID_DEBUG__

Enables inclusion of channel Id in NanoSSH (client and server) debug and log messages.

MOCANA_DEBUG_CONSOLE_PORT

(Default = 4097) Port number to which enabled debug messages are sent (if __MOCANA_DUMP_CONSOLE_TO_STDOUT__ is not defined).


Callback Functions

No callback functions necessary to use the TrustCore SDK debug messages.

API Methods

No API calls required to receive TrustCore SDK debug messages on stdout or a telnet port; simply define the appropriate debug flags, rebuild the executable, and run it. If the TrustCore SDK memory leak debugger has been enabled by defining the __ENABLE_MOCANA_DEBUG_MEMORY__ flag, the application code should call dbg_dump() whenever a dump of the accumulated memory debug messages (calls to malloc and free) needs to be viewed.

Selecting a host authentication method

NanoSSH Client supports public key and password authentication, so which should be used? Although public keys and passwords are both transmitted over a secure channel, it is better to use public keys to eliminate the problems inherent in password-based systems (that is, systems that rely on user names and passwords for access authorization) for the following reasons:

  • Authorized usernames and passwords are frequently obtained from the users themselves because users often record their passwords so they are not forgotten or even deliberately shared with someone else. Because private keys are stored electronically and handled by client applications (not users), users are very unlikely to share those private keys.

  • User names and passwords, often sent in clear text over the wire, are all that is needed to access password-based systems. Public keys function with private keys, which are not sent over the wire.

  • Many passwords are chosen to be easy to remember or limited to only eight (or even fewer) characters, leaving them vulnerable to dictionary attacks. A certificate’s cryptographic keys are random in nature and are hundreds or even thousands of bits long, making them invulnerable to dictionary attacks.

  • Although NanoSSH Client supports the none authentication method in accordance with RFC 4252, using none is strongly discouraged because it lets anyone successfully log in without authentication.

  • As an alternative to transmitting either public keys or passwords, certificates may be used; see Using Certificates.

Applicability

Public key or password authentication may be enabled for any NanoSSH Client implementation.

Flags

No flags are required to choose between public key and password authentication.

Callback Functions

To select the desired authentication method (public key or password), customize the sshClientSettings->funcPtrRetrieveUserAuthRequestInfo callback function in the code. For the client application to query the server for supported algorithms (by sending Signature = FALSE), define sshClientSettings->funcPtrRetrieveUserAuthRequestInfoEx handler instead to allow the application to control the authentication request by explicitly setting SendSignature to TRUE or FALSE. The funcPtrRetrieveUserAuthRequestInfoEx overrides the funcPtrRetrieveUserAuthRequestInfo callback. These callback(s) function is invoked when an SSH server (NanoSSH or any other SSH server) requests that the NanoSSH Client authenticate itself. Callback registration happens at session creation and initialization by assigning a custom callback function, which may have any name, to this callback pointer.

The following example shows a typical implementation.

static int
SSHC_EXAMPLE_userAuthRequestInfoUpcall(int connectionInstance,
                                       unsigned char **ppUserName,
                                       unsigned int *pUserNameLength,
                                       unsigned int *pMethod)
{
    /* MY credentials for logging on to a remote server */
    int status = 0;
    MOC_UNUSED(connectionInstance);

    /* return username, can use different usernames for each logon attempt */
    *ppUserName = (unsigned char*)sshc_exampleUserName;
    *pUserNameLength = (sizeof(sshc_exampleUserName) - 1);

    /* return authentication method type, possible to use different authentication method for each logon attempt */
    *pMethod = MOCANA_SSH_AUTH_PASSWORD; /* or MOCANA_SSH_AUTH_PUBLIC_KEY */

    return status;
}

main
{
    /* other initialization */
     SSHC_sshClientSettings()->funcPtrRetrieveUserAuthRequestInfo =           SSHC_EXAMPLE_userAuthRequestInfoUpcall;

    /* main functionality */

    SSHC_shutdown();
    return;
}

API Methods

No API methods are required to choose between public key and password authentication.

Use password authentication

Using password authentication in a NanoSSH Client implementation is a simple process:

  1. Customize the sshClientSettings->funcPtrRetrieveUserAuthRequestInfo callback as described in Selecting a Host Authentication Method. Be sure to assign a value of MOCANA_SSH_AUTH_PASSWORD to the pMethod parameter.

  2. Set up and register the sshClientSettings->funcPtrRetrieveUserPassword callback function as described below.

  3. Rebuild the executable(s).

Applicability

Password authentication may be used for any NanoSSH Client implementation.

Flags

No flags are required to use password authentication.

Callback Functions

The sshClientSettings->funcPtrRetrieveUserPassword callback is invoked when an SSH server (NanoSSH or any other SSH server) requests authentication; it should return the user’s password and its length. Callback registration happens at session creation and initialization by assigning a custom callback function, which may have any name, to this callback pointer.

The following example shows a typical implementation.

static int
SSHC_EXAMPLE_userPasswordUpcall(int connectionInstance,
                                unsigned char *pUserName, unsigned int userNameLength,
                                unsigned char **ppUserPassword, unsigned int *pUserPasswordLength)
{
    /* MY credentials for logging on to a remote server */
    MOC_UNUSED(connectionInstance);
    MOC_UNUSED(pUserName);
    MOC_UNUSED(userNameLength);

    /* return password for simple username/password authentication */
    *ppUserPassword = (unsigned char*)sshc_examplePassword;
    *pUserPasswordLength = strlen(sshc_examplePassword);

    return 0;
}

main
{
    /* other initialization */
    SSHC_sshClientSettings()->funcPtrRetrieveUserPassword = SSHC_EXAMPLE_userPasswordUpcall;

    /* main functionality */

    SSHC_shutdown();
    return;
}

API Methods

No API methods are required to use password authentication.

Disable password authentication

To disable password authentication in a NanoSSH Client application, a different authentication method (public key or certificates) must be enabled:

  • Public key: Follow the instructions in Selecting a Host Authentication Method, and assign any valid value to the pMethod parameter, except MOCANA_SSH_AUTH_PASSWORD.

  • Certificates: See Using Certificates.

Applicability

Password authentication is not required for any NanoSSH Client implementation.

Flags

No flag definitions are required to disable password authentication.

Callback Functions

To disable password authentication, the pMethod parameter of the sshClientSettings->funcPtrRetrieveUserAuthRequestInfo callback function must be set to anything other than MOCANA_SSH_AUTH_PASSWORD. When password authentication is disabled, it does not matter whether the sshClientSettings->funcPtrRetrieveUserPassword callback function is registered because it is not used.

API Methods

No API methods are required to disable password authentication.

Add public key authentication

Before enabling public key authentication, decide which key encryption methods are to be allowed. TrustCore SDK NanoSSH supports DSA, RSA, ECDSA, and EDDSA public keys, so which one should be used?

If the application must be FIPS certified or requires Suite B support, use ECDSA; otherwise, choose between RSA and DSA. RSA is significantly faster than DSA, typically by a factor of three. So if using the NanoSSH Client or another client known to support RSA, use it; otherwise, use DSA or ECDSA. If there are no external requirements, all the key encryption methods may be enabled for maximum interoperability.

Note: Per the SSH protocol definition, RSA support is optional; therefore, some clients require DSA to be used To add public key authentication:

  1. Customize the sshClientSettings >funcPtrRetrieveUserAuthRequestInfo callback as described in Selecting a Host Authentication Method. Be sure to assign a value of MOCANA_SSH_AUTH_PUBLIC_KEY to the pMethod parameter.

  2. Define the compilation flags (described in Flags).

  3. Set up and register the necessary callbacks (described in Callback Functions).

  4. Rebuild executable(s).

Applicability

Public key authentication and any key encryption method may be used in any NanoSSH Client implementation.

Flags

To enable a key encryption method, define the appropriate compilation flags:

  • RSA: Define the following flag:

    • __ENABLE_MOCANA_SSH_RSA_SUPPORT__

  • DSA: Define the following flags:

    • __ENABLE_MOCANA_DSA__

    • __ENABLE_MOCANA_SSH_DSA_SUPPORT__

  • ECDSA: Define the following flag:

    • __ENABLE_MOCANA_ECC__

If more than one encryption method is enabled for NanoSSH Client and also offered by the SSH server (NanoSSH or any other SSH server), the first match in the internal NanoSSH Client structure, mHostKeySuites, is the one that is chosen.

  • ECDSA

  • RSA/ECDSA certificates

  • DSA

  • RSA certificates

  • ECDSA certificates

  • Note: If the SSH server offers certificate support but certificates are not used, be sure that the __ENABLE_MOCANA_SSH_X509V3_SIGN_SUPPORT__ flag is not enabled. If this flag is defined, certificates are chosen instead of straightpublic key authentication.

Callback Functions

To add public key authentication, customize and register the following callback functions:

  • sshClientSettings >funcPtrServerPubKeyAuth: Invoked during connection establishment; it should verify that the provided public key is on record, compare the provided and on-file keys, and return TRUE or FALSE to indicate whether the keys match. If they match, the key is valid.

  • sshClientSettings >funcPtrRetrieveNakedAuthKeys: Invoked when the NanoSSH Client needs to authenticate itself to an SSH server using public key authentication; it should return the key blob containing the public and private keys from the public and private authorization key files, respectively; tTherefore, NanoSSH Client must have access to the client’s unique key.

  • sshClientSettings >funcPtrReleaseNakedAuthKeys: Invoked after a call to sshClientSettings >funcPtrRetrieveNakedKeys, it should release (free) the memory allocated for the public and private keys that were retrieved by the sshClientSettings >funcPtrRetrieveNakedKeys call.

Callback registration happens at session creation and initialization by assigning a custom callback function, which may have any name, to this callback pointer.

The following examples show typical implementations for the required callbacks.

code listing (funcPtrServerPubKeyAuth)

static int
 SSHC_EXAMPLE_serverPubKeyAuthUpcall(int connectionInstance,
                                    const unsigned char *pPubKey, unsigned int pubKeyLength)
{
    ubyte*  pStoredHostPublicKey = NULL;
    ubyte4  storedHostPublicKeyLength;
    sbyte4  result = 0;
    MOC_UNUSED(connectionInstance);
    ubyte*  pSerializedKey = NULL;
    ubyte4  serializedKeyLength = 0;
    ubyte*  pEncodedKey = NULL;
    ubyte4  encodedKeyLength = 0;
    AsymmetricKey asymKey = { 0 };
    AsymmetricKey asymKey2 = { 0 };

    /* The SSH Client will only call this function, if the server's */
    /* public key matched the signature provided.  We need to now */
    /* verify that the public key is an acceptable public key (i.e. on record) */

    /* we would want to extract the server's IP address from connectionInstance */
    /* then use that to look up the appropriate host key stored file */

    /* make sure the server provided

 pubkey matches a public key on file */
    if (0 == MOCANA_readFile(AUTH_KEYFILE_NAME, &pStoredHostPublicKey, &storedHostPublicKeyLength))
    {
        if (OK > SSHC_parseServerAuthKeyFile(pStoredHostPublicKey,
            storedHostPublicKeyLength, &asymKey))
            goto exit;
    }
    else
    {

    /* if necessary, do additional checks here */

    /* finally, if we do not recognize this IP address we should store the ip address in a file */
    /* a simple scheme filename convention: /keys/host/sshc/ip_<ip.ad.dr.ess>.pubkey */

    result = 1; /* we made it to the end! */

exit:
    if (NULL != pStoredHostPublicKey)
        MOCANA_freeReadFile(&pStoredHostPublicKey);

    return result;
}

main
{
    /* other initialization */
     SSHC_sshClientSettings()->funcPtrServerPubKeyAuth =           SSHC_EXAMPLE_serverPubKeyAuthUpcall;

    /* main functionality */

    SSHC_shutdown();
    return;
}

code listing (funcPtrRetrieveNakedAuthKeys)

static int
 SSHC_EXAMPLE_retrieveAuthKeys(int connectionInstance,
                              unsigned char **ppRetKeyBlob, unsigned int *pRetKeyBlobLength)
{
    int     status;
    MOC_UNUSED(connectionInstance);

    *ppRetKeyBlob = NULL;
    *pRetKeyBlobLength = 0;

    if (0 > (status = MOCANA_readFile(KEYBLOB_AUTH_KEY_FILE_NAME, ppRetKeyBlob, pRetKeyBlobLength)))
        status = ERR_SSH_MISSING_KEY_FILE;

    return status;

} /* SSHC_EXAMPLE_retrieveAuthKeys */

main
{
    /* other initialization */
     SSHC_sshClientSettings()->funcPtrRetrieveNakedAuthKeys =           SSHC_EXAMPLE_retrieveAuthKeys;

    /* main functionality */

    SSHC_shutdown();
    return;
}

code listing (funcPtrReleaseNakedAuthKeys)

static sbyte4
 SSHC_EXAMPLE_releaseAuthKeys(sbyte4 connectionInstance, ubyte **ppFreeKeyBlob)
{
    MOC_UNUSED(connectionInstance);

    MOCANA_freeReadFile(ppFreeKeyBlob);

    return 0;
}

main
{
    /* other initialization */
     SSHC_sshClientSettings()->funcPtrReleaseNakedAuthKeys =           SSHC_EXAMPLE_releaseAuthKeys;

    /* main functionality */

    SSHC_shutdown();
    return;
}

API Methods

No API methods are required to use public key authentication.

Use certificates

Growing numbers of systems are forsaking transmission of public keys and passwords for authentication and are choosing to use certificates instead. Although the certificates themselves contain the same public keys that could be sent directly, using certificates is more secure because:

  • The system verifies that the user certificate was issued by a trusted CA (certificate authority).

  • No local database of user public keys is required on the server.

  • User access may be denied simply by revoking the user’s certificate (via Online Certificate Status Protocol or Certificate Revocation Lists).

To use certificates:

  1. Define compilation flags (see Flags).

  2. Set up and register the necessary callbacks (see Callback Functions).

  3. Rebuild the executable(s).

Applicability

Any implementation may use certificates in place of public keys or passwords for authentication.

Flags

To enable certificate support for NanoSSH Client, define the following flags:

  • __ENABLE_MOCANA_SSH_X509V3_SIGN_SUPPORT__

  • __ENABLE_MOCANA_SSH_X509V3_RFC_6187_SUPPORT__

  • __ENABLE_MOCANA_SSH_CLIENT_CERT_AUTH__: Enables client certificate authentication.

  • __ENABLE_MOCANA_SSH_SERVER_CERT_AUTH__: Enables server certificate authentication.

  • __ENABLE_MOCANA_SSH_OCSP_SUPPORT__: Enables OCSP stapling validation sent by the server.

  • __ENABLE_MOCANA_OCSP_CLIENT__: Enables OCSP stapling validation sent by the client.

In addition, RSA, DSA, or ECC may be enabled as required using the following flags:

  • RSA: Define the __ENABLE_MOCANA_SSH_RSA_SUPPORT__ flag

  • DSA: Define the following flags:

    • __ENABLE_MOCANA_DSA__

    • __ENABLE_MOCANA_SSH_DSA_SUPPORT__

  • ECC: Define the __ENABLE_MOCANA_ECC__ flag. To disable a particular curve, use the following flags:

    • __DISABLE_MOCANA_ECC_P256__: Disables P256.

    • __DISABLE_MOCANA_ECC_P384__: Disables P384.

    • __DISABLE_MOCANA_ECC_P521__: Disables P521.

Also ensure that the following flags are not defined:

  • __DISABLE_MOCANA_CERTIFICATE_PARSING__

  • __DISABLE_MOCANA_CERTIFICATE_GENERATION__

  • __DISABLE_MOCANA_KEY_GENERATION__

  • __DISABLE_MOCANA_RSA_SIGN__

Callback Functions

To use certificates, customize and register the following callback functions:

  • sshClientSettings > funcPtrCertificateStoreVerify: Verifies that the last certificate or self-signed certificate is trusted. The code may simply memcmp trusted certificates with the provided certificate, or implement a more efficient and rigorous algorithm, such as including a call to the TrustCore SDK certificate management function, CA_MGMT_extractCertDistinguishedName.

  • sshClientSettings > funcPtrCertificateStoreLookup: Retrieves a certificate from the trusted certificate store based on the provided distinguished name. It is also used by NanoSSL clients when a certificate chain is incomplete.

  • sshClientSettings > funcPtrCertificateStoreRelease: Releases memory used by a previous call to sshClientSettings > funcPtrCertificateStoreLookup.

Optionally, the following callback function may also be customized and registered:

  • sshClientSettings > funcPtrCertificateLeafTest: Verifies that the leaf (first certificate in a chain) is an acceptable, known certificate.

For detailed information about these callback functions and their parameters, refer to the TrustCore SDK NanoSSH API Reference.

API Methods

No API methods are required to use certificates.

Use the none authentication method

The none authentication method may be configured, although it is strongly discouraged because it lets anyone successfully log in without authentication, thereby circumventing normal security strategies; however, there might be times when using no authentication may be useful, such as in a testing environment during the build process.

To configure the none authentication method:

  1. Define compilation flags (see Flags).

  2. Set up and register the necessary callbacks (see Callback Functions).

  3. Rebuild the executable(s).

Testing the none Authentication

One method of testing the none authentication method is to configure an SSH server (NanoSSH or any other SSH server) for none, build the NanoSSH Client example code (first defining the necessary flags functions, and callbacks, as described above), and then connect the SSH server and client for communications.

  1. On the machine on which the SSH server is running, determine the process ID of the SSH server process(es).

    ps -ef | grep ssh
    
  2. Terminate all the SSH server processes.

    killall ssh
    
  3. Configure the SSH server for the none authentication method.

    1. Open the /etc/ssh/sshd_config file for editing.

    2. Change pubkey authentication or password authentication to get required authentications.

    3. Save and close the file.

  4. Restart the SSH server.

  5. Start the NanoSSH Client. OpenSSH supported methods should go in SSH_AUTH_FAILURE message when AUTH_NONE is received.

Applicability

Any implementation may use the none authentication method.

Flags

To enable the none authentication method for NanoSSH Client, define the following flags:

  • __ENABLE_MOCANA_SSH_CLIENT_EXAMPLE_AUTH_NONE__

  • SSHC_EXAMPLE_AUTH_METHOD

  • MOCANA_SSH_AUTH_NONE

Callback Functions

No callback functions are required to use the none authentication method.

API Methods

No API methods are required to use the none authentication method.

Configure NanoSSH client

To use the NanoSSH Client, no configuration is required except as explained in the applicable use case example description (see Use Case Examples). Likewise, see the applicable feature section in this section, Customizing a NanoSSH Client Implementation for detailed configuration instructions, including how to define flags and customizing and registering callback functions.

If desired, the NanoSSH Client may be further configured by defining optional flags (see Flags), customizing any of the NanoSSH Client callback functions (see Callback Functions), and assigning custom values to the NanoSSH sshClientSettings fields (see Table 9 below).

Table 9: Configurable sshClientSettings Fields

Table 2. SSH Configuration Parameters

Field

Description

sshListenPort

Port used for connections.

sshMaxAuthAttempts

Number of authentication tries allowed before the connection is said to have failed.

sshMaxConnections

Maximum number of connections to this client.

sshTimeOutAuthentication

Number of milliseconds the client waits for an authentication response before timing out.

sshTimeOutDefaultOpenState

Number of milliseconds before timing out for the client to make a request (such as open a shell) after authentication.

sshTimeOutKeyExchange

Number of milliseconds the client waits for a key exchange before timing out.

sshTimeOutNewKeys

Number of milliseconds the client waits for new keys before timing out.

sshTimeOutOpen

Number of milliseconds the client waits for an open session response before timing out.

sshTimeOutServiceRequest

Number of milliseconds the client waits for a service request response before timing out.


Flags

The following list of flags in alphabetical order, that may be defined to configure a NanoSSH Client. For detailed flag definition requirements, be sure to see the applicable feature section in this section.

  • __DISABLE_3DES_CIPHERS__

  • __DISABLE_AES_CIPHERS__

  • __DISABLE_AES128_CIPHER__

  • __DISABLE_AES192_CIPHER__

  • __DISABLE_AES256_CIPHER__

  • __DISABLE_ARC2_CIPHERS__

  • __DISABLE_MOCANA_ECC_P192__

  • __DISABLE_MOCANA_ECC_P224__

  • __DISABLE_MOCANA_ECC_P256__

  • __DISABLE_MOCANA_ECC_P384__

  • __DISABLE_MOCANA_ECC_P521__

  • __DISABLE_MOCANA_INIT__

  • __DISABLE_MOCANA_SSH_COMMON_NAME_CHECK__

  • __ENABLE_BLOWFISH_CIPHERS__

  • __ENABLE_MOCANA_AEAD_CIPHER__

  • __ENABLE_MOCANA_CHACHA20__

  • __ENABLE_MOCANA_DSA__

  • __ENABLE_MOCANA_DSA_ALL_KEYSIZE__

  • __ENABLE_MOCANA_ECC__

  • __ENABLE_MOCANA_ECC_ED25519__

  • __ENABLE_MOCANA_EXAMPLES__

  • __ENABLE_MOCANA_GCM__

  • __ENABLE_MOCANA_GCM_256B__

  • __ENABLE_MOCANA_GCM_4K__

  • __ENABLE_MOCANA_GCM_64K__

  • __ENABLE_MOCANA_POLY1305__

  • __ENABLE_MOCANA_SSH_CHANNEL_ID_DEBUG__

  • __ENABLE_MOCANA_SSH_CLIENT_EXAMPLE__

  • __ENABLE_MOCANA_SSH_DSA_SUPPORT__

  • __ENABLE_MOCANA_SSH_FTP_CLIENT__

  • __ENABLE_MOCANA_SSH_MAX_SESSION_TIME_LIMIT__

  • __ENABLE_MOCANA_SSH_OLD_DSA_CONVERSION__

  • __ENABLE_MOCANA_SSH_X509V3_SIGN_SUPPORT__

  • __ENABLE_MOCANA_SSH_X509V3_RFC_6187_SUPPORT__

  • __ENABLE_MOCANA_SSH_CLIENT_CERT_AUTH__

  • __ENABLE_MOCANA_SSH_SERVER_CERT_AUTH__

  • __ENABLE_MOCANA_SSH_OCSP_SUPPORT__

  • __ENABLE_MOCANA_OCSP_CLIENT__

  • __ENABLE_MOCANA_SSH_PING__

  • __ENABLE_MOCANA_SSH_PORT_FORWARDING__

  • __ENABLE_MOCANA_SSH_RSA_SUPPORT__

  • __ENABLE_MOCANA_SSH_SENDER_RECV__

  • __ENABLE_MOCANA_SSH_STREAM_API__

  • __ENABLE_MOCANA_SSH_X509V3_SIGN_SUPPORT__

  • __ENABLE_SSH_VERSION1_SUPPORT__

Applicability

When configuring NanoSSH Client by assigning custom values to the sshClientSettings fields, defining flags, and customizing callback functions, it is important to understand which configuration items correspond to the application’s intended use cases and features. For example, if the __ENABLE_MOCANA_GCM__ flag is defined but do not need Suite B support, the code’s footprint has been created for no gain in functionality.

Callback Functions

As described in this section, the key approach to configuring a NanoSSH Client is to customize and register the appropriate callback functions.

  • General purpose callbacks: Any of the following NanoSSH Client callback functions may be customized for an application. Registering callbacks entails assigning custom functions to the session callback function pointers (the functions that begin with funcPtr) of the sshClientSettings structure.

    • funcPtrReleaseNakedAuthKeys

    • funcPtrRetrieveNakedAuthKeys

    • funcPtrServerPubKeyAuth

    • funcPtrRetrieveUserAuthRequestInfo

    • funcPtrRetrieveUserAuthRequestInfoEx

    • funcPtrRetrieveUserPassword

    • funcPtrAuthOpen

    • funcPtrSessionOpen

    • funcPtrSessionOpenFail

    • funcPtrStartTimer

  • Protocol-specific callbacks: NanoSSH Client tracks synchronous session state by using sshClientSettings callback function pointers that are invoked whenever a new connection state is activated.

    • There is a single function, sshcProtocolUpcall, that is assigned to every callback function pointer. Do not change this function or any of the protocol-specific callback function pointers.

    • funcPtrBreakOp

    • funcPtrClosed

    • funcPtrEof

    • funcPtrOpenSftp

    • funcPtrOpenShell

    • funcPtrPtyRequest

    • funcPtrReceivedData

    • funcPtrStdErr

    • funcPtrWindowChange

  • Port forwarding callbacks (see Adding Port Forwarding):

    • funcPtrLocalPortForwardClosed

    • funcPtrLocalPortForwardEof

    • funcPtrLocalPortFwdReceivedData

    • funcPtrLocalPortFwdSessionOpen

    • funcPtrLocalPortFwdSessionOpenFail

  • Certificate support callbacks (see Using Certificates):

    • funcPtrCertificateChainTest

    • funcPtrCertificateLeafTest

    • funcPtrCertificateStoreLookup

    • funcPtrCertificateStoreRelease

    • funcPtrCertificateStoreVerify

API Methods

The NanoSSH Client API methods are used to implement desired functionality and features; there are no methods that are strictly for configuration.

Enable shell support

Shell support is automatically included in any NanoSSH Client application. For information about building the NanoSSH Client shell example code, see Using NanoSSH Client for Shell (Remote) Access.

Applicability

The NanoSSH Client may be used any time secure communications are needed between two network devices, such as when logging into a remote machine to execute commands.

Flags

No flag definitions are required to enable shell support; however, flag definitions are required to enable the chosen authentication method. For detailed information, see the applicable sections in this section.

Callback Functions

No callback functions are required to enable NanoSSH Client shell support; however, callback functions need to be customized and registered for the chosen authentication method. For detailed information, see the applicable sections in this section.

API Methods

The following API methods are specific to NanoSSH Client shell support:

  • SSHC_negotiatePtyTerminalChannelRequest: Sends an SSH PTY command on the specified connection. To start an interactive or scripted shell with a server, this function must be invoked during negotiation on the specified connection.

  • SSHC_negotiateShellChannelRequest: Sends an SSH shell command on the specified connection. To start an interactive or scripted shell with a server, this function must be invoked during negotiation on the specified connection.

  • SSHC_sendMessage: Sends data to an SSH server.

  • SSHC_recvMessage: Retrieves data from a connected server/client. It should not be called until an SSH connection is established between the client and server.

  • SSHC_setTerminalTextWindowSize: Resizes a client terminal window’s dimensions from their defaults (80 x 24). This function is necessary when using NanoSSH Client as an interactive shell. For automated SSH Client applications, this function is unnecessary.

Enable Remote File Transfer Protocol operations (SFTP)

To enable NanoSSH Client SFTP operations, simply add a flag definition as described below. For information about building the NanoSSH Client sftp example code, see Using NanoSSH Client for Secure File Transfer.

Applicability

NanoSSH Client SFTP applications are appropriate anytime secure writing (PUT) and retrieval (GET) of files to/from a remote machine are needed, such as to retrieve an updated image file from a server and to write a log file to the server.

Flags

To enable NanoSSH Client SFTP operations, define the following flag:

  • __ENABLE_MOCANA_SSH_FTP_CLIENT__

Additionally, flag definitions are required to enable the chosen authentication method. For detailed information, see the applicable sections in this section.

Callback Functions

There are no callback functions that are specific to NanoSSH Client SFTP; however, callback functions need to be customized and registered for the chosen authentication method. For detailed information, see the applicable sections in this section.

API Methods

The following functions are used to implement NanoSSH FTP clients; for detailed function information, refer to the TrustCore SDK NanoSSH API Reference:

  • General functions:

    • SSHC_sftpSetCookie

    • SSHC_sftpGetCookie

    • SSHC_sftpRequestStatusCode

    • SSHC_sftpClientSettings

  • Basic I/O functions:

    • SSHC_openFile

    • SSHC_readFile

    • SSHC_writeFile

    • SSHC_closeFile

  • Directory listing functions:

    • SSHC_openDirectory

    • SSHC_readDirectory

    • SSHC_closeDirectory

    • SSHC_sftpGetDirEntryFileSize

    • SSHC_sftpGetDirEntryFileType

    • SSHC_sftpGetDirEntryFilePermission

  • Memory management functions:

    • SSHC_freeHandle

    • SSHC_freeFilename

  • SFTP get functions:

    • SSHC_sftpReadLocation

    • SSHC_sftpReadBuffer

    • SSHC_sftpReadBufferSize

    • SSHC_sftpNumBytesRead

  • SFTP put functions:

    • SSHC_sftpSetWriteBuffer

    • SSHC_sftpSetWriteBufferSize

    • SSHC_sftpWriteLocation

    • SSHC_sftpWriteBuffer

    • SSHC_sftpWriteBufferSize

    • SSHC_sftpNumBytesWritten

  • File and directory management functions:

    • SSHC_getFileStat

    • SSHC_realpath

    • SSHC_removeFile

    • SSHC_mkdir

    • SSHC_rmdir

  • Client authentication key functions:

    • SSHC_freeGenerateServerAuthKeyFile

    • SSHC_generateServerAuthKeyFile

    • SSHC_parseServerAuthKeyFile

    • SSHC_parsePublicKeyBuffer

Add port forwarding

NanoSSH Client supports both single and multiple local port forwarding. This feature enables an application client to make a secure virtual connection, over any network or the Internet using TCP/IP, to application servers via the NanoSSH Client. For information about building the NanoSSH port forwarding example code, see Using NanoSSH Client for Port Forwarding.

Applicability

Port forwarding may be added to any NanoSSH Client implementation.

Flags

To enable NanoSSH Client port forwarding operations, define the following flag:

  • __ENABLE_MOCANA_SSH_PORT_FORWARDING__

Additionally, flag definitions are required to enable the chosen authentication method. For detailed information, see the applicable sections in this section.

Callback Functions: Port Forwarding

To add port forwarding, customize and register the following callback functions:

  • sshClientSettings >funcPtrLocalPortFwdSessionOpen: Invoked when NanoSSH Client successfully opens a service.

  • sshClientSettings >funcPtrLocalPortFwdSessionOpenFail: Invoked when NanoSSH Client attempts to open a service but fails because the service is not available on the server. This callback function should try a different service or return an error code.

  • sshClientSettings >funcPtrLocalPortForwardClosed: Invoked when NanoSSH Client receives a session close message from the SSH server.

  • sshClientSettings >funcPtrLocalPortFwdReceivedData: Invoked when NanoSSH Client receives a session data message from the SSH server.

  • sshClientSettings >funcPtrLocalPortForwardEof: Invoked when NanoSSH Client receives a session EOF request from the SSH server. Callback registration happens at session creation and initialization by assigning a custom callback function, which may have any name, to this callback pointer.

In addition to the port forwarding-specific callbacks, callback functions need to be customized and registered for the chosen authentication method. For detailed information, see the applicable sections in this section.

API Methods

The following API methods are specific to NanoSSH Client port forwarding operations:

  • SSHC_lpfRegisterConnection: Registers the port number on which to listen for port forwarding messages from the SSH server.

  • SSHC_lpfSendMessage: Sends local port forwarding connection data from SSH client to SSH server.

  • SSHC_lpfStartConnection: Starts a port forwarding session by sending the required SSH message from the NanoSSH Client to the SSH server.

  • SSHC_lpfStopConenction: Stops port forwarding (terminates the connection) by sending an SSH CLOSE message to the SSH server.

  • SSHC_doProtocolProcessPortForwardSession: Forwards port forwarding messages (that originate from an SSH server) to local ports.

For information about the order in which to call NanoSSH Client methods to implement port forwarding, see Client Port Forwarding Integration Flowchart.

Callback functions

To add reverse port forwarding, customize and register the following reverse port forwarding callback functions:

  • sshClientSettings >funcPtrPortForwardConnect: Invoked when the client receives a request to open a channel for reverse port forwarding. It should connect to the requested host IP address and port. If it connects successfully, it must return OK.

  • sshClientSettings >funcPtrRemotePortReqStatus: Invoked when the client requests a random port from the server. It should return the server-assigned port if its status is OK.

Additionally, the standard port forwarding functions must be customized and registered; see Callback Functions: Port Forwarding.

API Methods

The following API methods are specific to NanoSSH Client reverse port forwarding operations:

  • SSHC_startRemotePortForwarding: Registers the port number on which to listen for port forwarding messages from the SSH server.

  • SSHC_cancelRemotePortForwarding: Tells the server to close its connection with the isolated client.

Select ciphers (encryption method)

NanoSSH Client may use the strongest cipher suite available or the desired cipher settings may be specified. The following factors should be considered:

  • Maximum interoperability: Ideally, a device should be able to communicate with any and every network and device that implements any flavor of SSH. At a minimum, be sure to include AES (Advanced Encryption Standard, also known as Rijndael) and 3DES. Next, be sure to include ciphers typically used by the target industry. For example, the electronic payments industry uses 2TDES extensively.

  • Speed: Ciphers vary greatly in speed; however, if simply the fastest is chosen, it is unlikely that the system is as secure as required. For some key sizes, AES is faster than 3DES, but 3DES is generally considered stronger. Blowfish is also a popular choice for its speed and strength.

  • Cipher strength: If encryption strength is of the greatest concern, be sure that the SSH implementation supports Triple-DES (3DES); however, be aware that the usual tradeoff for strength is incurred: 3DES is slower than many other ciphers.

  • Key size: If integrating SSH into an application environment that has predetermined or predefined key sizes, choose a cipher that offers the appropriate key size support. Rijndael offers the greatest number of key sizes (128 to 256 bits, in 32-bit increments), closely followed by AES (128, 192, and 256 bits). 3DES uses 192-bit keys. Blowfish has a variable key length from 0 to 448 bits, with 128 an often-used choice.

For details about the supported ciphers and their pros and cons, see Table 10.

Applicability

Any cipher may be enabled for any NanoSSH Client implementation.

Flags

Table 10 lists the available ciphers and the TrustCore SDK compilation flag definition required to enable the cipher, along with the ciphers’ pros and cons.

Configure certificate-based authentication

This section describes how to configure support for X509 Certificates for server and client certificate-based authentication:

Before you being

The following tasks need to be performed before configuring certificate-based authentication:

  1. Before running the server, clean the directory by deleting all .pub, .key, *.dat, src.txt, dst.txt, generatedrequest.der files.

  2. On the SSH server, update the following command line arguments:

    • -port <port>: Sets the listening port.

    • -ssh_server_cert <cert>: Sets the server’s certificate path.

    • -ssh_server_blob <key>: Sets the server’s BLOB path.

    • -ssh_ca_cert <ca_cert>: Sets the CA certificate.

  3. On the SSH client, update the following command line arguments:

    • -ip <ipaddr>: Sets the remote IP address.

    • -username <username>: Sets the username for the remote host.

    • -password <password>: Sets the password for the remote host.

    • -port <port>: Sets the port number for the remote host.

    • -ssh_client_cert <cert>: Sets the client’s certificate path.

    • -ssh_client_blob <key>: Sets the client’s BLOB path.

    • -ssh_ca_cert <ca_cert>: Sets the CA certificate path (used for authenticating cert provided by the server.

For OCSP verification, perform only ONE of the following tasks:

  • Define SSH_sshSettings()->pOcspResponderUrl (OCSP URL).

  • Ensure that the certificates have the OCSP URI embedded in them.

Non-certificate-based authentication

To build and run ssh_server and ssh_client without certificate-based authentication:

  1. Generate the builds by running the following commands:

    ./scripts/nanossh/ssh_server/build_ssh_server_ncrypto.sh --debug –gdb
    ./scripts/nanossh/ssh_client/build_ssh_client_ncrypto.sh --debug --gdb
    
  2. Start the SSH server by running the following command:

    ./ssh_server –port 1440
    
  3. Start the SSH client by running the following command:

    ./ssh_client –port 1440 –ip 127.0.0.1
    

Use a server certificate

To build and run ssh_server and ssh_client with a server certificate:

  1. Generate the builds by running the following commands:

    ./scripts/nanossh/ssh_server/build_ssh_server_ncrypto.sh --cert --server_cert_auth --client_cert_auth ./scripts/nanossh/ssh_client/build_ssh_client_ncrypto.sh --cert --server_cert_auth --client_cert_auth
  2. Start the SSH server by running the following command:

    ./ssh_server --port 1440 –ssh_server_cert <certname in .der/.pem format> --ssh_server_blob <keyblob in .der/.pem/.dat format> --ssh_ca_cert <CAcert in .der/pem>

    When OCSP is enabled, the -ssh_ca_cert <CAcert in .der/.pem format> command line argument is required for the server.

  3. Start the SSH client by running the following command:

    ./ssh_client –port 1440 --ip 127.0.0.1 --ssh_ca_cert <CAcert in .der/.pem format>

Use a server certificate and OCSP stapling

To build and run ssh_server and ssh_client with a server certificate and OCSP stapling:

  1. Generate the builds by running the following commands:

    ./scripts/nanossh/ssh_server/build_ssh_server_ncrypto.sh --cert --server_cert_auth --cert_ocsp ./scripts/nanossh/ssh_client/build_ssh_client_ncrypto.sh --cert --server_cert_auth --cert_ocsp
  2. Start the SSH server by running the following command:

    ./ssh_server --port 1440 –ssh_server_cert <certname> --ssh_server_blob <keyblob> --ssh_ca_cert <CAcert>
  3. Start the SSH client by running the following command:

    ./ssh_client --port 1440 --ip 127.0.0.1 --ssh_ca_cert <CAcert>

Use server and client Certificates

To build and run ssh_server and ssh_client with server and client certificates:

  1. Generate the builds by running the following commands:

    ./scripts/nanossh/ssh_server/build_ssh_server_ncrypto.sh –cert –server_cert_auth –client_cert_auth ./scripts/nanossh/ssh_client/build_ssh_client_ncrypto.sh –cert –server_cert_auth –client_cert_auth
  2. Start the SSH server by running the following command:

    ./ssh_server –port 1440 --ssh_server_cert <certname> --ssh_server_blob <keyblob> --ssh_ca_cert <CAcert>
  3. Start the SSH client by running the following command:

    ./ssh_client --port 1440 --ip 127.0.0.1 --ssh_client_cert <certname> --ssh_client_blob <keyblob> --ssh_ca_cert <CAcert>

Enable support for EC Keys (Suite B)

To build and run ssh_server and ssh_client support for EC keys (Suite B):

  1. Configure the following flags to selectively disable specific EC curves. These flags can be added to mocana_suiteb_flags.txt:

    • __DISABLE_MOCANA_ECC_P521__

    • __DISABLE_MOCANA_ECC_P384__

    • __DISABLE_MOCANA_ECC_P256__

    • __DISABLE_MOCANA_ECC_P192__

  2. Generate the builds by running the following commands: ./scripts/nanossh/ssh_server/build_ssh_server_ncrypto.sh --suiteb ./scripts/nanossh/ssh_client/build_ssh_client_ncrypto.sh --suiteb

  3. Start the SSH server by running the following command: ./ssh_server --port 1440

  4. Start the SSH client by running the following command: ./ssh_client --port 1440 --ip 127.0.0.1

OCSP Client API for Certificate Revocation Status

The OCSP_CLIENT_getCertStatus API may be used to verify the certificate revocation status. The __ENABLE_MOCANA_OCSP_CERT_VERIFY__ flag is required for the application to use the API:

#ifdef __ENABLE_MOCANA_OCSP_CERT_VERIFY__
MOC_EXTERN MSTATUS
OCSP_CLIENT_getCertStatus(ubyte *pCertificate, ubyte4 certLen, certChainPtr pCertChain,
const ubyte *pAnchorCert, ubyte4 anchorCertLen) ;
#endif /* __ENABLE_MOCANA_OCSP_CERT_VERIFY__ */

NanoSSH certificate status callback

sbyte4(*funcPtrCertStatus) (sbyte4 connectionInstance, const ubyte *pUser, ubyte4 userLength,
sbyte4 cert_status, ubyte *pCertificate, ubyte4 certLen,
certChainPtr pCertChain, const ubyte *pAnchorCert, ubyte4 anchorCertLen);
  • connectionInstance: Connection instance returned from SSH_acceptConnection() or SSH_ASYNC_acceptConnection().

  • pUser: Pointer to user name.

  • userLength: Number of bytes in user name (pUser).

  • cert_status: Certificate verification status done by the stack

  • pCertificate: Certificate of the peer

  • certLen: Length of the certificate buffer

  • pCertChain: Certificate chain leading to the anchor

  • pAnchorCert: Anchor CA certificate if not present in pCertChain

  • anchorCertLen: Anchor cert length if present

  • return: OK (0) if successful; otherwise a negative number error code definition from merrors.h. To retrieve a string containing an English text error identifier corresponding to the function’s returned error status, use the DISPLAY_ERROR macro.

Certificate validation with NanoSSH server

With client certificate-based authentication, NanoSSH Server receives and validates the client certificates against the trust chain, and performs the time validity. Applications may define and register a post certificate validation callback with NanoSSH Server. The callback provides the application with verification status, along with the certificate(s) received for the application to perform extended validation on the certificate or override the status. The following example code provides a simple implementation that uses the callback to verify certificate status using OCSP.

static sbyte4 SSH_EXAMPLE_certstatus(sbyte4 connectionInstance, const ubyte *pUser,
 ubyte4 userLength, sbyte4 cert_status, ubyte *pCertificate,
 ubyte4 certLen, certChainPtr pCertChain,
 const ubyte *pAnchorCert, ubyte4 anchorCertLen)
{
    MSTATUS status = OK;
    DEBUG_PRINTNL(DEBUG_SSH_EXAMPLE, (sbyte *)"SSH_EXAMPLE_certstatus:");
    /* if no client cert validation is needed, return OK from here */
    if (cert_status != OK) {
        status = cert_status ;
        goto exit ;
    }
#if ((defined(__ENABLE_MOCANA_SSH_OCSP_SUPPORT__)) &&
       (defined(__ENABLE_MOCANA_OCSP_CLIENT__)) && \
       (defined(__ENABLE_MOCANA_OCSP_CERT_VERIFY__)))
    status = OCSP_CLIENT_getCertStatus(ocsp_ResponderUrl, pCertificate, certLen, pCertChain,
       pAnchorCert, anchorCertLen  ) ;
#endif
exit:
    return status ;
}
SSH_EXAMPLE_main()
{
SSH_sshSettings()->funcPtrCertStatus = SSH_EXAMPLE_certstatus ;
    …
}

Enable Suite B support

NanoSSH supports draft-igoe-secsh-suiteb-00, Suite B Cryptographic Suites for Secure Shell. Suite B cryptography is a set of cryptographic algorithms and protocols, specified by NIST, that are approved by the NSA for protecting classified and unclassified National Security Systems (NSS).

The TrustCore SDK API functions that are related to NSA Suite B cryptography are available only if the Suite B edition of the TrustCore SDK product Platform has been purchased.

Applicability

Suite B cryptographic ciphers may be added to any NanoSSH Client example code or customized implementation.

Flags

To enable Suite B cipher support in NanoSSH Client, use the –suiteb argument when running the build script.

If using GCM, the __ENABLE_MOCANA_GCM__ flag must be defined. If none of the corresponding GCM message sizes are defined, the cryptographic code uses the default flag, __ENABLE_MOCANA_GCM_265B__. Optionally, any flag may be defined, but only one of the __ENABLE_MOCANA_GCM_*__ message size flags are used.

Callback Functions

No callback functions are required to enable Suite B support.

API Methods

No API methods are required to enable Suite B support.

Rekeying strategy

For best security, it is important to periodically refresh the authentication keys. RFC 4253, The Secure Shell (SSH) Transport Layer Protocol, section 9, states that It is RECOMMENDED that the keys be changed after each gigabyte of transmitted data or after each hour of connection time, whichever comes sooner; however, because the re-exchange is a public key operation, it requires a fair amount of processing power and should not be performed too often.

Applicability

Rekeying is applicable to any NanoSSH Client implementation that uses public key authentication or certificates.

Flags

No flag definitions are required to enable rekeying.

Callback Functions

No callback functions are required to initiate rekeying.

API Methods

To initiate rekeying, call the following API method:

  • SSHC_initiateReKey: Initiates an SSH rekey operation. NanoSSH Client automatically processes rekey requests from an SSH server.

To rekey based on the amount of data transmitted, call SSHC_initiateReKey only when indicated by the results from the following API method:

  • SSHC_numBytesTransmitted: Returns the number of bytes sent and received through a given connection.

Reduce the memory footprint

The TrustCore SDK memory footprint may be reduced by defining compilation flags to disable products or features that are not in use, which removes the corresponding code from the resultant executable.

For example, if the only TrustCore SDK products being used are NanoSSH Client and NanoSSH Server, do not define the flags for NanoSSL (client and server) or NanoSec. Similarly, unneeded features may also be disabled, such as support for certificate parsing, key generation, or ciphers that the system does not recognize.

Applicability

Footprint reduction techniques may be applied for any NanoSSH Client example code or customized implementation.

Flags

Table 11 below lists a typical set of flags that when defined substantially reduce the NanoSSH Client memory footprint. These flags can be added to projects/nanossh/mocana_suiteb_flags.txt or projects/nanossh/ssh_client/mocana_flags.txt.

Table 11: Typical Footprint Reduction Flags

  • Flag Description

  • __ENABLE_MOCANA_SMALL_CODE_FOOTPRINT__ Reduces the size of the executable, at the expense of execution speed. Depending on which products are included and which options are enabled, defining this flag may reduce heap and stack requirements.

  • __DISABLE_ARC2_CIPHERS__

  • __DISABLE_MOCANA_SHA256__

  • __DISABLE_MOCANA_SHA512__

  • __DISABLE_3DES_CIPHERS__ Disables the indicated cipher suite support (both hardware and software).

  • __DISABLE_AES_CIPHERS__

  • __DISABLE_AES128_CIPHER__

  • __DISABLE_AES192_CIPHER__

  • __DISABLE_AES256_CIPHER__ Disables AES cipher suite support (both hardware and software). Note that the __DISABLE_AES_CIPHERS__ flag disables all AES ciphers. If using some but not all key length-specific AES ciphers, individually disable the ones that are not needed.

  • __DISABLE_MOCANA_ECC_P192__

  • __DISABLE_MOCANA_ECC_P224__

  • __DISABLE_MOCANA_ECC_P256__

  • __DISABLE_MOCANA_ECC_P384__

  • __DISABLE_MOCANA_ECC_P521__ Disables specific key-length ECDSA cipher suite support (both hardware and software).

  • __DISABLE_MOCANA_CERTIFICATE_GENERATION__

  • __DISABLE_MOCANA_CERTIFICATE_PARSING__

  • __DISABLE_MOCANA_SSH_COMMON_NAME_CHECK__ Disables TrustCore SDK certificate generation and parsing code.

Callback Functions

No callback functions are required to reduce the NanoSSH Client footprint.

API Methods

No API methods are required to reduce the NanoSSH Client footprint.

Add FIPS 140-2 compliance

LINK TO FIPS INFO

To integrate a NanoSSH application with a licensed TrustCore SDK NanoCrypto FIPS binary cryptographic module, a staged approach is recommended:

  1. Build the example code --fips to build with FIPS enabled.

  2. Customize the example code (as described in this section) or use it as a model for the application’s integration.

    • Note: If adding FIPS to an application, hardware acceleration cannot be added; they are mutually exclusive.

  3. Add FIPS functionality by modifying the makefiles to link with the TrustCore SDK NanoCrypto FIPS binary.

If the operating system is Linux, refer to the Using TrustCore SDK NanoCrypto FIPS Binaries for Linux guide for instructions.

Gather statistics

A variety of NanoSSH Client statistics may be gathered:

  • Information about a given file, in the format of an sftpcFileHandleDescr[] structure (refer to sshc.h).

  • The number of bytes sent and received through a given connection instance. This information is typically used to determine when it is appropriate to initiate a rekey exchange operation.

  • The number of bytes read from or written to a remote file. This information is typically used to keep track of download (read) or upload (write) progress.

Applicability

Statistics may be gathered in any NanoSSH Client application.

Flags

No flags are required to gather NanoSSH Client statistics.

Callback Functions

No callback functions are required to gather NanoSSH Client statistics.

API Methods

To gather the statistics described above, call the following API methods:

  • SSHC_getFileStat

  • SSHC_numBytesTransmitted

  • SSHC_sftpNumBytesRead

  • SSHC_sftpNumBytesWritten

Client terminal configuration

In NanoSSH Client shell implementations, the client terminal text windows’ dimensions may be resized from their defaults (80 x 24). This function is necessary when using NanoSSH Client as an interactive shell. For automated SSH Client applications, this function is unnecessary.

Applicability

Client terminal text window sizing is applicable to NanoSSH Client shell implementations.

Flags

No flags are required to resize the client terminal text window.

Callback Functions

No callback functions are required to resize the client terminal text window.

API Methods

To resize the client terminal text window, call the SSHC_setTerminalTextWindowSize API method.

Manag AES-GCM Ciphers with OpenSSH

By default, NanoSSH supports the aes128-gcm@openssh.com and aes256-gcm@openssh.com ciphers. AES-GCM implementation complies with RFC 5647.

Applicability

Disabling these ciphers is applicable if specific requirements or security policies dictate.

Flags

To disable these ciphers, define the following flag:

  • __DISABLE_OPEN_SSH_AES_GCM__

Callback Functions

No callback functions are required to disable AES-GCM ciphers for RFC 5647 compliance.

API Methods

There are no API methods associated with disabling AES-GCM ciphers for RFC 5647 compliance.