in reply to SSH daemon in Perl?

Hi robs87,

I know this probably isn't the response you're looking for, but my immediate thought upon reading this thread is: My suggestion is to spend your time figuring out how to do what you want with the standard tools instead of spending your time figuring out how to write your own SSH server. It may be less "interesting" but the solution should end up being more robust.

The reason is simple: security. For example, many firewalls I've seen allow incoming connections on this port (and only this port, I assume because many people consider SSH tried and tested and secure). Can you guarantee that the server you write will be secure? Will you be able to test its security? Will you follow news of possible SSH exploits, update your server accordingly, and be able to immediately update your servers? (OpenSSH and the distros that use it can.)

Port 22 is a privileged port. If you have enough permissions on this machine to set up a service that listens on this port, wouldn't it be possible for you to set up a new user with restricted access? Then you can rely on OpenSSH's security, *NIX's user account security, etc.

Of course maybe there's something I'm missing - I don't know the reasoning behind your post here, so if you could explain the why that might help.

Hope this helps,
-- Hauke D

Replies are listed 'Best First'.
Re^2: SSH daemon in Perl?
by robs87 (Novice) on Jun 22, 2016 at 22:41 UTC

    Thanks for the information. I'll definitely reconsider my stance on writing an SSH server in Perl (though I am still curious about Net::SSH::Perl::Subsystem::Server).

    I've installed openssh-server and created a Perl program named echo.pl as an example.

    #!/usr/bin/perl

use strict;
use warnings;

while ( my $line = <> )
{
    print $line;
}

    [download]

    How can I make the OpenSSH server execute this program upon connection without creating any user accounts?

[reply]
[d/l]
      How can I make the OpenSSH server execute this program upon connection without creating any user accounts?

      You'll need one user to actually own the process running the perl script but it can be the same user serving all your clients. Then use ForceCommand to ensure that they can only execute echo.pl. You can/should also set that user's shell to something suitably restrictive.

[reply]

        Yes, one user will execute the Perl program. However, is it possible to execute the program immediately upon connection without logging in with a Unix user account?

        Going back to the example of the SSH chat server written in Go (https://medium.com/swlh/ssh-how-does-it-even-9e43586e4ffc), a client can enter ssh hostname in their terminal and enter the "chat room" without logging in.

[reply]
[d/l]

      Hi robs87,

      How can I make the OpenSSH server execute this program upon connection without creating any user accounts?

      What's stopping you from setting up a new user? One more thing to consider, in your suggested scenario, whose user permissions is the script supposed to run with - I'm guessing not sshd's permissions (often root)?

      I don't know about Net::SSH::Perl::Subsystem::Server, but nothing is stopping you from trying it out :-) (The documentation does mention its API is in alpha.)

      Regards,
      -- Hauke D

[reply]
[d/l]
[select]

        It wouldn't be practical to create a user account on the server for each user. Plus, doing so would lead to quite a few security concerns. Authentication will be handled by the Perl program. Perhaps OpenSSH can be configured to pass the username and password to the Perl program as arguments?

        I'd rather not execute the Perl program as root. Perhaps OpenSSH has an option to execute it as a different user?

[reply]

      OpenSSH can be configured to use PAM for authentication, but Net::Dropbear::SSHd (as suggested by salva) looks like it would be easier to use for what you plan to do.

[reply]

        Thanks, that module looks promising. I'll give it a try.

[reply]

In Section Seekers of Perl Wisdom