Features

  • Support for Linux, BSD, Solaris and Windows
  • Client and Server implementation
  • Kerberos support (GSSAPI)
  • OpenSSL and GCrypt
  • Public Key infrastructure
  • Elliptic Curve DSA (ECDSA) support (with OpenSSL)
  • Elliptic Curve Diffie Hellman (ECDH) support
  • Asynchronous (non-blocking) support
  • SCP and SFTP support (client and server)

What is this?

libssh is a multiplatform C library implementing the SSHv2 and SSHv1 protocols for client and server implementations. With libssh, you can remotely execute programs, transfer files and use a secure and transparent tunnel for your remote applications.


Read our Tutorial and take a look at our testing infrastructure or the code in git.


News

libssh 0.6.4 (Security and bugfix release)

This is an important SECURITY and maintenance release in order to address CVE-2014-8132 – Double free on dangling pointers in initial key exchange packet.
libssh versions 0.5.1 and above could leave dangling pointers in the session crypto structures. Before this fix, it was possible to send a malicious KEXINIT packet that eventually causes a server to perform a double free.

This could be used for a Denial of Service attack.
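The pattern behind a "double free on a dangling pointer" is a cleanup that releases a structure but leaves the owning pointer in place, so a later cleanup (here: session teardown) releases it again. The following is an added example, not libssh code: the struct and field names (session, next_crypto, kex_abort_*) are hypothetical, and a small bookkeeping flag stands in for the heap so the second release is counted instead of triggering undefined behaviour.

```c
/* Added example, not libssh code: a session owning a "crypto" block that is
 * torn down both when a key exchange is aborted and when the session is freed.
 * A live flag makes a double release observable instead of crashing. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct crypto {
    unsigned char session_id[32];
    int live;                     /* 1 while allocated, 0 once released */
};

struct session {
    struct crypto *next_crypto;   /* hypothetical field name */
    int double_frees;             /* counter standing in for a crash */
};

static struct crypto *crypto_new(void) {
    struct crypto *c = calloc(1, sizeof *c);
    if (c) c->live = 1;
    return c;
}

/* Releasing twice is recorded rather than handed to free() a second time. */
static void crypto_release(struct session *s, struct crypto *c) {
    if (c == NULL) return;
    if (!c->live) { s->double_frees++; return; }
    c->live = 0;
    /* Real code would free(c) here; kept allocated so the flag stays readable. */
}

/* Buggy pattern: release on the error path, pointer left dangling. */
static void kex_abort_buggy(struct session *s) {
    crypto_release(s, s->next_crypto);
}

/* Fixed pattern: release and clear the owning pointer in one step. */
static void kex_abort_fixed(struct session *s) {
    crypto_release(s, s->next_crypto);
    s->next_crypto = NULL;
}

/* Session teardown releases whatever the session still references. */
static void session_free(struct session *s) {
    crypto_release(s, s->next_crypto);
    s->next_crypto = NULL;
}

/* Scenario: start a key exchange, abort it, then free the session.
 * Returns the number of double releases observed. */
int run_scenario(int fixed) {
    struct session s;
    memset(&s, 0, sizeof s);
    s.next_crypto = crypto_new();
    struct crypto *c = s.next_crypto;   /* kept only to reclaim memory below */
    if (fixed) kex_abort_fixed(&s); else kex_abort_buggy(&s);
    session_free(&s);
    free(c);
    return s.double_frees;
}

int main(void) {
    printf("buggy abort: double frees = %d\n", run_scenario(0));
    printf("fixed abort: double frees = %d\n", run_scenario(1));
    return 0;
}
```

The defensive rule the fixed variant follows is that every release of a pointer held in a long-lived structure also resets that pointer, so any later teardown path sees NULL and does nothing.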

As this was found by a libssh developer, there are no currently known exploits for this problem (as of December 19th 2014).

If you are new to libssh, read The Tutorial to learn how to get started. Please join our mailing list or visit our IRC channel if you have questions.

You can download libssh 0.6.4 here.

ChangeLog

  • Fixed CVE-2014-8132.
  • Added SHA-2 for session ID signing with ECDSA keys.
  • Added support for ECDSA host keys.
  • Added support for more ECDSA hostkey algorithms.
  • Added ssh_pki_key_ecdsa_name() API.
  • Fixed setting the bindfd only after successful listen.
  • Fixed issues with user created sockets.
  • Fixed several issues in libssh C++ wrapper.
  • Fixed several documentation issues.
  • Fixed channel exit-signal request.
  • Fixed X11 request screen number in messages.
  • Fixed several memory leaks.

libssh 0.6.3 (Security release)

This is an important SECURITY and maintenance release in order to address CVE-2014-0017 – PRNG state reuse on forking servers.
This bug happens when an SSH server forks on new connections. The OpenSSL PRNG does not always detect the change of process (PID collision), so PRNG state may be shared between two successive children. However, that bug is greatly mitigated by the OpenSSL ECDSA signing code itself, which reseeds the PRNG on every operation.
We advise that you upgrade or patch if you use libssh to build a forking SSH server.

This is the same as before, but we messed up the repository, so the new tarball reflects the git changes.

If you are new to libssh, read The Tutorial to learn how to get started. Please join our mailing list or visit our IRC channel if you have questions.

You can download libssh 0.6.3 here.

ChangeLog

  • CVE-2014-0017 – PRNG state reuse on forking servers
  • Fixed memory leak with ecdsa signatures.

libssh 0.6.2 (Security release)

This is an important SECURITY and maintenance release in order to address CVE-2014-0017 – PRNG state reuse on forking servers.
This bug happens when an SSH server forks on new connections. The OpenSSL PRNG does not always detect the change of process (PID collision), so PRNG state may be shared between two successive children. However, that bug is greatly mitigated by the OpenSSL ECDSA signing code itself, which reseeds the PRNG on every operation.
We advise that you upgrade or patch if you use libssh to build a forking SSH server.
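The failure mode described in the 0.6.2 and 0.6.3 notices above (a PRNG seeded once in the parent, inherited unchanged by two successive children) can be reproduced with a few lines of C. The following is an added example and is not libssh or OpenSSL code: it uses a toy, non-cryptographic generator (splitmix64) so the collision is deterministic, and the mitigation shown, a fork-generation counter that the parent bumps before every fork and the child mixes into its state, is an assumption chosen because, unlike PID-based detection, it cannot collide between two successive children. All names (prng, fork_generation, child_nonce, children_collide) are hypothetical.

```c
/* Added example, not libssh/OpenSSL code: a toy PRNG seeded once in the
 * parent and used by forked children, with and without a per-fork reseed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Toy generator (splitmix64). NOT cryptographic; chosen so behaviour is
 * deterministic and the state reuse is observable. */
struct prng {
    uint64_t state;
    uint64_t fork_generation;   /* assumed mitigation: bumped by parent per fork */
};

static uint64_t prng_next(struct prng *p) {
    uint64_t z = (p->state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* Mitigation: mix the parent-maintained generation counter (and the PID)
 * into the inherited state. Two successive children always see different
 * generation values, even if their PIDs collide. */
static void prng_child_reseed(struct prng *p) {
    p->state ^= (p->fork_generation * 0xD6E8FEB86659FD93ULL) ^ (uint64_t)getpid();
    (void)prng_next(p);
}

/* Fork one child that draws a "session nonce" and returns it over a pipe. */
static uint64_t child_nonce(struct prng *base, int reseed) {
    int fd[2];
    uint64_t nonce = 0;
    ssize_t n;
    if (pipe(fd) != 0) return 0;
    base->fork_generation++;          /* parent-side bookkeeping, before fork */
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return 0; }
    if (pid == 0) {
        struct prng mine = *base;     /* child inherits a copy of the state */
        if (reseed) prng_child_reseed(&mine);
        nonce = prng_next(&mine);
        close(fd[0]);
        n = write(fd[1], &nonce, sizeof nonce);
        (void)n;
        _exit(0);
    }
    close(fd[1]);
    n = read(fd[0], &nonce, sizeof nonce);
    (void)n;
    close(fd[0]);
    waitpid(pid, NULL, 0);
    return nonce;
}

/* Returns 1 if two successive children produced the same nonce. */
int children_collide(int reseed) {
    struct prng base = { 0x1234, 0 };
    uint64_t a = child_nonce(&base, reseed);
    uint64_t b = child_nonce(&base, reseed);
    return a == b;
}

int main(void) {
    printf("without reseed:           collision=%d\n", children_collide(0));
    printf("with generation counter:  collision=%d\n", children_collide(1));
    return 0;
}
```

Without the reseed, both children start from an identical copy of the parent's state and draw the identical nonce; with the generation counter mixed in, their states differ and so do the outputs. In a real server the equivalent check is to reseed the CSPRNG from the operating system immediately after fork(), rather than relying on the library to notice the process change.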

If you are new to libssh, read The Tutorial to learn how to get started. Please join our mailing list or visit our IRC channel if you have questions.

You can download libssh 0.6.2 here.

ChangeLog

  • CVE-2014-0017 – PRNG state reuse on forking servers

libssh 0.6.1

We are happy to announce the first bugfix version of libssh 0.6. This version also provides some new functions and uses the OpenSSH known_hosts heuristic to negotiate the cipher for key exchange.

Thanks to all contributors!

If you are new to libssh, you should read our tutorial to learn how to get started. Please join our mailing list or visit our IRC channel if you have questions.

You can download libssh 0.6.0 here. For Windows we also provide a zip file and an installer built on Windows 8.1 or you can use the MSVC and MinGW binaries from the KDE Windows project here.

ChangeLog:

  • Added support for libgcrypt 1.6.
  • Added ssh_channel_accept_forward().
  • Added known_hosts heuristic during connection (#138).
  • Added getters for session cipher names.
  • Fixed decrypt of zero length buffer.
  • Fixed padding in RSA signature blobs.
  • Fixed DSA signature extraction.
  • Fixed some memory leaks.
  • Fixed read of non-connected socket.
  • Fixed thread detection.

libssh 0.6.0

Finally the day has come that we can release libssh 0.6.0. This version has a lot of new features and we put a lot of effort into making it stable. The most important feature is a callback-based server API which is already in use by some projects. We added support for ECDSA and implemented the curve25519-sha256@libssh.org key exchange! For this we have a new clean API to manage public keys. Another big feature is support for GSSAPI, which has been tested by Red Hat engineers to work correctly with FreeIPA and gssproxy.

Thanks to all contributors!

If you are new to libssh, you should read our tutorial to learn how to get started. Please join our mailing list or visit our IRC channel if you have questions.

You can download libssh 0.6.0 here. For Windows we also provide a zip file and an installer built on Windows 8.1 or you can use the MSVC and MinGW binaries from the KDE Windows project here. Packages for Fedora and for openSUSE are available here.

In order to use ECDSA support you need to migrate to the new Public Key API and userauth functions!

ChangeLog:

  • Added new public key API.
  • Added new userauth API.
  • Added ssh_get_publickey_hash() function.
  • Added ssh_get_poll_flags() function.
  • Added gssapi-mic userauth.
  • Added GSSAPIServerIdentity option.
  • Added GSSAPIClientIdentity option.
  • Added GSSAPIDelegateCredentials option.
  • Added new callback based server API.
  • Added Elliptic Curve DSA (ECDSA) support (with OpenSSL).
  • Added Elliptic Curve Diffie Hellman (ECDH) support.
  • Added Curve25519 for ECDH key exchange.
  • Added improved logging system.
  • Added SSH-agent forwarding.
  • Added key-reexchange.
  • Added more unit tests.
  • Improved documentation.
  • Fixed timeout handling.

libssh 0.6.0rc2 and GSSAPI

We would like to announce libssh 0.6.0rc2 with full GSSAPI support. Last week Simo Sorce and I planned a day to test libssh against FreeIPA and gssproxy. The gss-proxy protocol allows proxying of GSSAPI initiation and authentication to provide isolation and privilege separation for user-mode applications. Well, we worked 3 days on libssh and gss-proxy, fixed several bugs in both components and added new options to libssh: GSSAPIServerIdentity, GSSAPIClientIdentity and GSSAPIDelegateCredentials. These options are also available in GSSAPI-enabled OpenSSH versions like those in Fedora or RHEL. So thanks to Simo for the help with our GSSAPI journey.

You can download libssh 0.6.0rc2 here.

OpenSSH introduces curve25519-sha256@libssh.org key exchange!

A while back, I introduced a new key exchange mechanism, “curve25519-sha256@libssh.org”, in our code base. The reasons were explained together with the specifications. In a nutshell, this key exchange method is based on DJB’s Curve25519 elliptic curve Diffie-Hellman key exchange. This algorithm does not rely on NIST curves and gives us more confidence against a possible backdoor in the nistp256 curve.
Today is a big day for us because the OpenSSH team approved my patch and made curve25519-sha256@libssh.org the default key exchange!

libssh 0.6.0rc1

We are proud to announce the first release candidate of libssh 0.6.0. We have rewritten a lot of code to provide a better API and added a lot of features. The most important changes are the new public key API, Kerberos support, ECDSA and ECDH support and the new callback-based server support.

If you are new to libssh, read The Tutorial to learn how to get started. Please join our mailing list or visit our IRC channel if you have questions.

You can download libssh 0.6.0rc1 here.

ChangeLog:

  • Added new public key API.
  • Added new userauth API.
  • Added gssapi-mic userauth.
  • Added new callback based server API.
  • Added Elliptic Curve DSA (ECDSA) support (with OpenSSL).
  • Added Elliptic Curve Diffie Hellman (ECDH) support.
  • Added improved logging system.
  • Added SSH-agent forwarding.
  • Added key-reexchange.
  • Improved documentation.
  • Fixed timeout handling.

libssh 0.5.5

This is another bugfix release of libssh version 0.5.

If you are new to libssh, read The Tutorial to learn how to get started. Please join our mailing list or visit our IRC channel if you have questions.

You can download libssh 0.5.5 here. For Windows binaries we suggest using the MSVC or MinGW binaries from the KDE Windows project here. Packages for Fedora and for openSUSE are available here.

ChangeLog:

  • BUG 103: Fix ProxyCommand parsing.
  • Fix setting -D_FORTIFY_SOURCE=2.
  • Fix pollset error return if empty.
  • Fix NULL pointer checks in channel functions.
  • Several bugfixes.

libssh 0.5.4 (SECURITY RELEASE)

This is an important SECURITY and maintenance release in order to address CVE-2013-0176 – NULL dereference leads to denial of service.

The crash could kill an SSH server using libssh. However, how bad the situation is depends on the server process model. If you use a forked model to implement your server, the user will just kill their own connection.

Thanks to Yong Chuan Koh, X-Force Research for the report.

If you are new to libssh, read The Tutorial to learn how to get started. Please join our mailing list or visit our IRC channel if you have questions.

You can download libssh 0.5.4 here. For Windows binaries we suggest using the MSVC and MinGW binaries from the KDE Windows project here. Packages for Fedora and for openSUSE are available here.

ChangeLog

  • CVE-2013-0176 – NULL dereference leads to denial of service
  • Fixed several NULL pointer dereferences in SSHv1.
  • Fixed a free crash bug in options parsing.