NanoSSH client overview

NanoSSH Client is used to securely connect to remote servers, which may be running NanoSSH Server or any other SSH server.

Typical uses for NanoSSH client

SSH client shell: Provides a secured communication channel between two networked devices; typically used to log into a remote machine and execute commands. See Use NanoSSH Client for Shell (Remote) Access.
SSH client SFTP: Enables secure retrieval (GET) and writing (PUT) of files from/to a remote machine; for example, to retrieve an updated image file from a server and to write a log file to the server. See Use NanoSSH Client for Secure File Transfer.
SSH client port forwarding: Encrypts and decrypts TCP/IP traffic; often used so that proprietary applications operating on distributed machines can securely communicate. See Use NanoSSH Client for Port Forwarding.

Features

Small memory footprint
Speeds integration and testing of complex cryptographic functions for your product
SSHv2 compliant
TCP/IP-neutral
Certificate support, per IETF draft 3, http://tools.ietf.org/html/draft-ietf-secsh-x509-03
Re-keying at will, based on a specified number of packets or a certain amount of time
Support for TPM-generated keys
OS- and platform-agnostic for easy portability
Threadless architecture, synchronous and asynchronous
Guaranteed GPL-free code that protects your intellectual property

RFC Support

SSH File Transfer Protocol, v2, v3 and v4
RFC 4250: The Secure Shell (SSH) Protocol Assigned Numbers
RFC 4251: The Secure Shell (SSH) Protocol Architecture
RFC 4252: The Secure Shell (SSH) Authentication Protocol
RFC 4253: The Secure Shell (SSH) Transport Layer Protocol
RFC 4254: The Secure Shell (SSH) Connection Protocol (partially supported)
RFC 4344: The Secure Shell (SSH) Transport Layer Encryption Modes
RFC 4335: The Secure Shell (SSH) Session Channel Break Extension
RFC 4419: Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol
RFC 4432: RSA Key Exchange for the Secure Shell (SSH) Transport Layer Protocol. For detailed information refer to section 7 of the RFC draft-ietf-secsh-filexfer-03.txt, SSH File Transfer Protocol (http://tools.ietf.org/html/draft-ietf-secsh-filexfer-03).
RFC 6187: X.509v3 Certificates for Secure Shell Authentication
RFC 6239: Suite B cryptographic suites for SSH
Draft-green-secsh-ecc-07: Elliptic-Curve Algorithm Integration in the Secure Shell Transport Layer
Draft-igoe-secsh-aes-gcm-02: AES Galois Counter Mode for the Secure Shell Transport Layer Protocol
Draft-josefsson-ssh-chacha20-poly1305-openssh-00 - ChaCha20 Poly1305 for the Secure Shell Transport Layer Protocol
Draft-ietf-curdle-ssh-ed25519-02 - Ed25519 for Secure Shell Transport Layer Protocol

Code architecture

The following diagram displays how NanoSSH Client code uses a layered code hierarchy.

Figure 1.

NanoSSH client code hierarchy

APIs

TrustCore SDK NanoSSH Client is implemented by the following ANSI C APIs:

Common code base: Functions common to all TrustCore SDK components; defined in src/common/mocana.h.
SSH client: Functions to implement synchronous communication between a NanoSSH Client and an SSH server; defined in src/ssh/client/sshc.h.
SSH SFTP client: Functions to implement NanoSSH SFTP Clients; defined in src/ssh/client/sshc.h.

Build NanoSSH client example code

To assist with the integration of a NanoSSH client into devices, a suite of example code is included in the source distribution in the src/examples directory that corresponds to the following typical use caÏses:

SSH client shell: Using the sshc_shell_example.c file, and follow the procedures in Use NanoSSH client for Shell (Remote) Access.
SFTP client: Using the sshc_example.c file, and follow the procedures in Use NanoSSH client for Secure File Transfer.
SSH client port forwarding: Using the sshc_pf_example.c file, and follow the procedures in Use NanoSSH client for Port Forwarding.
SSH client reverse port forwarding: Using the sshc_rpf_example.c file, and follow the procedures in Use NanoSSH client for Port Forwarding.

Sample code has also been provided to quickly build a NanoSSH client to demonstrate its features using example cmake project and build scripts.

Important

The example code should be used “as-is” to validate SSH client-server communication. After verifying that the TrustCore SDK code works as expected on a system (see Use case examples), the example code may be customized or used as a model for other implementations; see Customize a NanoSSH client Implementation.

Generate NanoSSH client quick build

Example 1. Standard Edition

Run the following command:

./scripts/nanossh/ssh_client/build_ssh_client_ncrypto.sh <arguments>

Table 1. Standard Edition build flags

Flag	Description
`--debug`	Enables debug logs.
`--gdb`	Enable debug symbols.
`--suiteb`	Enable NIST Suite B algorithms.
`--cert`	Enable certificate support in the stack.
`--server_cert_auth`	Server authenticates with a certificate (requires `--cert`).
`--cert_ocsp`	Enable OCSP stapling when the server uses a certificate.
`--ocsp_config_timeout`	Enable OCSP timeout configuration.
`--client_cert_auth`	Clients authenticate with a certificate (requires `--cert`).
`--client_auth`	Clients authenticate with a public key.
`--fips`	Build with FIPS enabled (requires TrustCore SDK FIPS binary).
`--hw-accel`	Enable hardware-accelerator support.
`--port-forwarding`	Enable port-forwarding support.
`--remote-port-forwarding`	Enable remote port-forwarding support.
`--oqs`	Build with the Open Quantum Safe library.
`--oqs-path`	Path to the directory containing the Open Quantum Safe library.

Example 2. Community Edition

Run the following commands from the root of the repository:

cmake -DBUILD_SAMPLES=ON <options> -B build -S .
cd build
make

Table 2. Community Edition CMake flags

CMake flag	Purpose
`-DENABLE_SSH_SERVER_CERT_AUTH=ON`	Enable the server to present an X.509 certificate for authentication.
`-DENABLE_SSH_CLIENT_CERT_AUTH=ON`	Enable the client to present an X.509 certificate for authentication.
`-DENABLE_SSH_CLIENT_SHELL_EXAMPLE=ON`	Build the interactive shell example executable.
`-DENABLE_SSH_ASYNC_API_SUPPORT=ON`	Build the asynchronous-API sample.

Command examples

Without certificates

./scripts/nanossh/ssh_client/build_ssh_client_ncrypto.sh

With server certificate

./scripts/nanossh/ssh_client/build_ssh_client_ncrypto.sh --cert --server_cert_auth

With server certificate and OCSP stapling

./scripts/nanossh/ssh_client/build_ssh_client_ncrypto.sh --cert_ocsp

With server certificate and client certificate

./scripts/nanossh/ssh_client/build_ssh_client_ncrypto.sh --cert --server_cert_auth --client_cert_auth

With server certificate, client certificate, and OCSP stapling

./scripts/nanossh/ssh_client/build_ssh_client_ncrypto.sh --cert --server_cert_auth --client_cert_auth --cert_ocsp

With EC key support (Suite B)

./scripts/nanossh/ssh_client/build_ssh_client_ncrypto.sh --suiteb

Run NanoSSH client quick build

Run the following command:

./bin/ssh_client <options>

Options

?: Displays the help.
-ip <ipaddr>: Sets the remote IP address.
-username <username>: Sets the username for the remote host.
-password <password>: Sets the password for the remote host.
-port <port>: Sets the port number for the remote host.
-ssh_ca_cert <ca_cert>: Sets the CA certificate path (used for authenticating cert provided by the server).
-ssh_client_cert <cert>: Sets the certificate path (used by client to authenticate itself).
-ssh_client_blob <key>: Sets the corresponding private key BLOB file path.

Note

When using a certificate and key, ensure the corresponding cipher algorithms are enabled.