SSH Implementation - IDEA and seeking Suggestions.

SSH Implementation - IDEA and seeking Suggestions.

Vinod Kumar Badhavat
Hi

I applied to the ASF as part of the Google Summer of Code program for the project
"Implementation of SSH in Java", and this implementation may be added to
commons-net.

I have an idea on how to start off with this. Although I have consulted my mentor
about this idea, I'm posting it here to get some insight on developing the
code.

  /*
   * We will have a class called SSHConnect to establish an SSH connection.
   *
   * SSHConnect sshCon = new SSHConnect(hostname to which a connection must be established);
   * sshCon.serverAuth();  // used to authenticate the server. This involves:
   *                       // 1. exchange of identification strings between server and client hosts
   *                       // 2. exchange of SSH_MSG_KEYINIT
   *                       // 3. algorithm negotiation
   *                       // 4. the key exchange algorithm is run - server authentication is done in this step
   *                       // 5. if step 4 is successful, then exchange SSH_MSG_NEWKEYS
   *                       // 6. this ends the server authentication
   * // If server authentication is successful then everything must go smoothly and we can proceed to
   * // user authentication.
   * sshCon.userAuthentication(method of authentication, user details);
   *                       // 1. Now the user name is sent to the server. The algorithm negotiation has already
   *                       //    been done in the serverAuth() method, so we use these negotiated algorithms to
   *                       //    compress, encrypt and sign (the signature is used only for user authentication;
   *                       //    the MAC will be used for further message transmission) and then transport it.
   *                       // 2. The server that receives the above message authenticates the user (by the
   *                       //    signature) and confirms whether it is communicating with the correct user host.
   *                       // 3. Now, depending on the type of authentication method, the user will be
   *                       //    authenticated.
   * // If user authentication is successful then a session is started, and in the session the client will
   * // have access to SSH features like remote command execution, X11 forwarding, port forwarding, DSA and
   * // RSA key generation, SCP etc.
   * sshCon.startSession();  // sending data - the data is compressed (if negotiated), the MAC is calculated,
   *                         // the data is encrypted, the MAC is appended to the encrypted data and the
   *                         // result is transported.
   *
   * // The above is the basic structure of how a programmer can use SSH in his/her program.
   * // Now the real task is developing the code for this to happen according to the SSH2 standards.
   *
   * // For server authentication we require:
   *
   *    1. Packet description (binary packet, as described in the RFC) -
   *       we may have an interface called Packet which is implemented by all the packet type classes,
   *       like SSH_MSG_KEYINIT (there are many such messages). Although the basic structure of all the
   *       packets is the same, we classify them according to the message they convey, because we can
   *       have methods declared and coded in the respective classes (different packets carry different
   *       information and hence must be handled differently). For example, SSH_MSG_KEYINIT will carry
   *       some material for algorithm negotiation and hence will be handled in that class appropriately.
   *
   *    2. Algorithm negotiation -
   *       we can have a class called AlgoNegotiation and a static method in this class for negotiation.
   *       This method will be used when handling SSH_MSG_KEYINIT.
   *
   *    3. Key exchange algorithm -
   *       a class named KexAlgo can handle this algorithm appropriately. We use the cryptographic
   *       algorithms defined in Java crypto. We may require this class to create harmony between the
   *       crypto classes and our implementation (to take care of correct argument passing and returned
   *       results).
   *
   *    // TO BE CONTINUED. I'll continue to develop this idea in gradual steps.
   */

Am I approaching this in the correct way? You can see that I'm taking a top-down
approach: I first considered how a user will use this implementation and then
went down to the protocol implementation.

Please suggest some development tips that will be useful for this
project.

Thank you,

Vinod Kumar.
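An added example, not code from the sketch above, from commons-net or from SSHD: the two items in the plan that are the most mechanical, the binary packet layout of RFC 4253 section 6 (the Packet item) and the name-list negotiation rule of section 7.1 (the AlgoNegotiation item), written in plain Java against the JDK only. Encryption, MAC and compression are deliberately left out, the class and method names are my own, and the payload built in main() is a constructed stand-in rather than a real SSH message.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.List;

/** Illustration only (not commons-net or SSHD code): RFC 4253 packet framing and
 *  name-list negotiation, i.e. what a Packet / AlgoNegotiation pair would have to do. */
public final class SshPacketSketch {

    private static final SecureRandom RNG = new SecureRandom();
    // RFC 4253 6.1: every implementation must accept packets of at least 35000 bytes;
    // used here as the upper bound on a packet_length taken from the wire.
    private static final int MAX_PACKET = 35000;

    /** Frame a payload: uint32 packet_length, byte padding_length, payload,
     *  random padding (at least 4 bytes, total a multiple of the cipher block size). */
    public static byte[] wrap(byte[] payload, int blockSize) {
        int padding = blockSize - ((5 + payload.length) % blockSize);
        if (padding < 4) padding += blockSize;          // section 6: minimum 4 bytes of padding
        byte[] pad = new byte[padding];
        RNG.nextBytes(pad);                             // padding must be random, not zero
        ByteBuffer buf = ByteBuffer.allocate(5 + payload.length + padding);
        buf.putInt(1 + payload.length + padding);       // packet_length excludes itself
        buf.put((byte) padding);
        buf.put(payload);
        buf.put(pad);
        return buf.array();
    }

    /** Unframe a packet, validating every length field before the payload is copied. */
    public static byte[] unwrap(byte[] packet, int blockSize) {
        if (packet.length < 5) throw new IllegalArgumentException("truncated header");
        ByteBuffer buf = ByteBuffer.wrap(packet);
        long packetLength = buf.getInt() & 0xFFFFFFFFL; // uint32, read unsigned
        int paddingLength = buf.get() & 0xFF;
        if (packetLength > MAX_PACKET || packetLength + 4 != packet.length)
            throw new IllegalArgumentException("bad packet_length " + packetLength);
        if (paddingLength < 4 || packetLength < paddingLength + 2)
            throw new IllegalArgumentException("bad padding_length " + paddingLength);
        if ((packetLength + 4) % blockSize != 0)
            throw new IllegalArgumentException("packet not a multiple of the block size");
        byte[] payload = new byte[(int) (packetLength - 1 - paddingLength)];
        buf.get(payload);                               // random padding is discarded
        return payload;
    }

    /** RFC 4253 7.1: the first name on the client's list that the server also lists
     *  is chosen; no common name means the connection must be disconnected. */
    public static String negotiate(String clientList, String serverList) {
        List<String> server = Arrays.asList(serverList.split(","));
        for (String candidate : clientList.split(",")) {
            if (server.contains(candidate)) return candidate;
        }
        throw new IllegalStateException("no common algorithm: client=" + clientList
                + " server=" + serverList);
    }

    /** The SSH "string" encoding used inside KEXINIT name-lists: uint32 length + bytes. */
    public static byte[] sshString(String s) {
        byte[] raw = s.getBytes(StandardCharsets.US_ASCII);
        return ByteBuffer.allocate(4 + raw.length).putInt(raw.length).put(raw).array();
    }

    public static void main(String[] args) {
        byte[] payload = sshString("hello");            // constructed stand-in for a message body
        byte[] packet = wrap(payload, 16);              // 16-byte blocks, as for an AES cipher
        System.out.println("packet bytes = " + packet.length + ", payload round-trips = "
                + Arrays.equals(payload, unwrap(packet, 16)));
        System.out.println("cipher = " + negotiate("aes256-ctr,aes128-ctr", "aes128-ctr,aes256-ctr"));
        // A corrupted length field is refused up front instead of driving a huge allocation.
        packet[0] = (byte) 0x7F;
        try {
            unwrap(packet, 16);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point of the checks in unwrap is that packet_length arrives from the peer before anything has been authenticated, so it is bounded and cross-checked against the buffer and the block size before a payload array is sized from it; in a real implementation the same checks run on the first decrypted block before the rest of the packet is read from the socket.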
Re: SSH Implementation - IDEA and seeking Suggestions.

Sergey Vladimirov
Vinod (hope it's first name),

1) As an end-user of an SSH library I would prefer to have classes like
"SSHConnectionFactory" and "SSHConnection". The factory would be used to set up
different connection parameters, including (but not limited to) key exchange
rate, connection timeout, authentication scheme (user+password,
user+interactive, certificate, etc.). Something like this:

SSHConnectionFactory factory = new SSHConnectionFactory();
factory.setConnectionTimeout(...);
SSHConnection connection = factory.connect(host, port);
connection.auth(username, password); OR connection.auth(certificate);

ConsoleSession session = connection.openConsoleSession(80, 24, 800, 600, 0);
...

2) You may still want to consider implementing SSH as a separate library,
not as part of commons-net. Because of internal regulations I would not be
able to use any crypto-related libraries in some projects. We are using
commons-net already, and it will be a pain to get rid of it if it starts
to contain SSH-related stuff.

Best regards,
Sergey

--
Sergey Vladimirov
Re: SSH Implementation - IDEA and seeking Suggestions.

Vinod Kumar Badhavat
Hi Sergey Vladimi

Thank you for your valuable suggestions. "SSHConnectionFactory", to set up
connection parameters, is a nice idea and I'll include that in my SSH
implementation.

I thought I would use SocketClient and related classes from commons-net for the
socket I/O. I need to talk to my mentor regarding this, i.e. implementing SSH
independently of commons-net.

Thank you,

Vinod Kumar.  (Yes Mr.Sergey Vladimi, my first name is Vinod)


Re: SSH Implementation - IDEA and seeking Suggestions.

Sergey Vladimirov
Vinod,
The suggestion was not to implement independent classes, but just to split
commons-net and the (commons-ssh?) SSH implementation. Put it in another
JAR. It's okay to have a dependency from this SSH implementation on
commons-net and to use things like SocketClient.

The other way (commons-net with SSH) may create legal problems for me and, I
think, for other commercial-related projects.

Sergey

Re: SSH Implementation - IDEA and seeking Suggestions.

Vinod Kumar Badhavat
Sergey

OK, I got the point. Thank you very much.

Vinod.

Re: SSH Implementation - IDEA and seeking Suggestions.

Guillaume Nodet
In case you haven't followed the earlier discussion, you may want to
have a look at the Apache SSHD project, which implements an SSH server
and some parts of the client.  The client is far from complete, so it
may be a good idea to join our forces:
   http://svn.apache.org/repos/asf/mina/sshd/trunk/

Currently, the client API is asynchronous, but it would make sense to
add a synchronous API for ease of use.
In all cases, feel free to reuse any code from this project, as most
of the crypto stuff / kex negotiation and other algorithms have
already been implemented, and there's really no need to duplicate the
work.

--
Cheers,
Guillaume Nodet
------------------------
Blog: http://gnodet.blogspot.com/
------------------------
Open Source SOA
http://fusesource.com

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: SSH Implementation - IDEA and seeking Suggestions.

Vinod Kumar Badhavat
Hi Guillaume Nodet

Thank you for your information. I applied to Apache as part of Google
Summer of Code (GSoC), so I think I should stick to the proposal I made in
the application and implement SSH as part of commons-net. I would like to
use SSHD's key and algorithm negotiation. I'm planning to use Java
cryptography directly. If this is not so useful, then I may turn to SSHD's
crypto.

Can I use MINA's mailing list to discuss the SSH implementation?

--- Vinod.

Re: SSH Implementation - IDEA and seeking Suggestions.

Guillaume Nodet
On Sat, Apr 11, 2009 at 22:42, Vinod Kumar Badhavat
<[hidden email]> wrote:
> Hi Guillaume Nodet
>
> Thank you for your information. I applied to Apache as a part of Google
> Summer of Code(GSoC), so I think, I should stick to the proposal I made in
> the application and implement SSH as a part of commons-net. I would like to
> use SSHD's key and algorithm negotiation. I'm planning to use java
> cryptography directly. If this is not so useful, then i may turn to SSHD's
> crypto.

I know, but when the proposal was created, the authors were not
aware of the existence of the Apache SSHD subproject.
Have a look at the code for SSHD; it uses the Java cryptography API
already.  The main difference is that the socket layer uses MINA (NIO)
instead of plain sockets, but this does not mean you have to rewrite
the whole crypto / key exchange / negotiation from scratch.
Actually, the dependency on MINA is quite thin, and I'd be happy if
you need to refactor any part of it to make it more reusable ....

>
> can i use mina's mailing list to discuss about SSH Implementation?

Sure, just prefix your message subject with [SSHD] when you post to
[hidden email]

Re: SSH Implementation - IDEA and seeking Suggestions.

Vinod Kumar Badhavat
Hi Guillaume Nodet

I'm ready and happy to work on the SSHD subproject. My intention is to take part
in open source development, so whether or not I'm selected (for GSoC), I
would love to work on open source. As part of writing the proposal I learnt
many things about the SSH protocol, and hence working on SSHD will be quite
comfortable. I need to talk to my mentor to find out whether I can work on SSHD
as part of the GSoC program. If I'm allowed to do that, then I'd be very happy
to work with you on SSHD.

In any case, I'll definitely look into SSHD for more information and to
reuse the code.

Thank you,
Vinod.

