3
Although it is a newcomer on the Secure Shell stage, Twisted.Conch has quickly
4
caught up with the two most popular free *nix implementations and the most
5
popular free Windows implementation in terms of functionality. This rapid
6
development time, as well as the stability and other advantages, owes much to
7
Python and the Twisted networking framework.
9
Other implementations (servers)
10
------------------------------
11
Other than Conch, there are three popular server implementations. OpenSSH
12
works with versions 1 and 2 of the protocol, and is the most popular on *nix
13
systems. FSecure is more popular on Windows servers, and also works with both
14
versions. LSH is newer, and implements version 2. All three are written in C,
15
with LSH having some supporting Scheme code to generate C files.
17
Other implementations (clients)
18
-------------------------------
19
On *nix, the SSH clients are provided by the server implementations (OpenSSH
20
and LSH). On Windows, there are a couple of separate clients. PuTTY is the
21
most popular and supports Telnet along with SSH1 and 2. TeraTerm recently
22
incorporated SSH into the core: before it had been an extension module.
23
MindTerm is the only implementation in this list to be written in a language
24
other than C. It runs as a Java applet, allowing SSH to run on any computer
29
Why is Twisted ideal for this type of project? Firstly, it is an asynchronous
30
library, meaning there are no worries about threading or concurrency issues.
31
This means more developer time can be devoted to making the code work well,
32
rather than just work. Second, Python lends itself to this kind of
33
development: the code is easy to read and easy to write. Third, the Twisted
34
library is high-level, so developers do not need to worry about select loops or
35
callbacks. Twisted handles all of that and allows developers to concentrate on
40
Unlike OpenSSH, the Conch server does not fork a process for each incoming
41
connection. Instead, it uses the Twisted reactor to multiplex the connections.
42
The only fork done is to execute a process such as a shell, but running a shell
43
is not necessary, in which case the entire protocol would be run in-process.
44
One of the initial features of the server was an in-process Python interpreter
45
which allowed a user to interact with the server as it was running. (It is
46
currently disabled for security reasons.) Threads are only used to interface
47
with synchronous libraries, such as PyPAM (Pluggable Authentication Modules
48
support) or PyME (GPGME support). By not using forks or threads, the time it
49
takes for the Conch server to start an SSH session is roughly half of the time
50
it takes for OpenSSH. However, this does require that code in Conch be
51
non-blocking, which is an obstacle for programmers not used to that style.
53
Security - No Pointers
54
----------------------
55
OpenSSH, LSH, and PuTTY are all written in C. Many security holes are a result
56
of problems with unsafe pointer usage, which is a large problem in C code.
57
Many other security holes result from related issues, such as buffer overflows,
58
off-by-one errors on arrays, and memory allocation/deallocation bugs. Python
59
is pointer-safe, and so is not vulnerable to this class of hole. This also
60
means that no arbitrary data from over-the-wire is ever run, meaning control
61
always stays with the Conch server.
65
Being written in Python provides more security than just pointer safety. The
66
strong builtin library that comes with Python (including powerful data types
67
like the list and dictionary) means that fewer wheels need to be reinvented.
68
This limits the potential to make mistakes in implementation. Exceptions are
69
another powerful tool. They centralize error handling, rather than the mix of
70
methods that the C libraries use. All errors are caught and dealt with: this
71
might mean that the server stops accepting connections, but it never
76
Also, Conch does not need to run as root. In the default server, root
77
privileges are used for two things: to bind to ports < 1024, and to fork a
78
process as a different user. If neither of these are needed, the server need
79
not run as root at all. Even if they are, the server is only running as root
80
for those small sections. The rest of the time, it runs under the effective
81
user and group ID of the user who started the server. This limits the amount
82
of damage that could be inflicted in the event of a compromise.
84
Interfacing with other software
85
--------------------------------------------
86
OpenSSH can interact with subsystems such as SFTP only by executing a process
87
to handle it. Not only is forking a process expensive, it limits the
88
interaction to a generic bitstream, which leaves developers to determine how
89
to interact with their users. Conch can run in the same process as other
90
Python software, and is easily integrated with other Twisted servers. This
91
allows for things like secure remote administration of a Twisted web server,
92
encrypted communication to a Reality MUD, or secure remote object access using
93
Perspective Broker. This saves the hassle and expense of forking, and allows
94
Python developers to interact with Conch the way they know best: with Python.
98
No one can deny that compiled C is faster than Python. Some part of Conch use
99
C (PyCrypto, TGMP) to speed frequent operations, but the majority of the code
100
is in Python. The client suffers the most from this because of the time it
101
takes to start the interpreter. Work is being done to speed up the client by
102
caching connections. This does not eliminate the interpreter start-up cost,
103
but it removes the cost of negotiating a new connection. This effort is
104
similar to FSH (also in Python) but interacts more nicely with the SSH
105
protocol. Psyco helps as well, offering a speedup of roughly 2x - 5x.
109
As I said in the introduction, Conch is still a newcomer on the Secure Shell
110
stage (The first commit for Conch was July 15, 2002.) Although Python solves
111
a large class of holes, it is probable that other security holes are in the
112
code. Until a full audit is conducted of Twisted and of Conch, it should not
113
be used for security-critical systems.
115
Applications with Conch
116
-----------------------
117
One of the applications for Conch is with Reality, a MUD framework using
118
Twisted. Conch makes it easy to allow secure connections to the MUD in
119
addition or even in place of a standard Telnet connection. As problems
120
such as character theft become more prevalent on the Internet, a secure
121
interface becomes more important.
122
More generally, work is being done on Insults, a replacement for libraries
123
like Curses and S-Lang. It allows developers to write GUI code that
124
interacts well with Conch and other Twisted software. Although it is in the
125
initial stages of development, it shows much promise for the future.
129
There are several different directions for Conch to move in. One of the most
130
interesting is system for generalized authentication forwarding. This would
131
allow all authentication to be performed on a host that the user controls,
132
which would help to stop vulnerabilities such as timing attacks. Second is
133
more work with applications. Insults is becoming more powerful, and it will
134
be interesting to see what it can be used for. Also important are auditing of
135
the code and increasing the speed. These will make the code more useful in
136
general, as well as improving security. Other ideas include direct support for
137
SFTP/SCP, support for a key agent, and interfacing with Twisted.Names to
142
Although it is new, Conch is a working implementation of the Secure Shell
143
protocol. It is robust enough to serve as both the client and server on
144
systems I and others use daily.