2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
3
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
5
<html xmlns="http://www.w3.org/1999/xhtml">
8
<title>Twisted.Conch: SSH in Python with Twisted</title>
12
<h1>Twisted.Conch: SSH in Python with Twisted</h1>
16
<a href="mailto:z3p@twistedmatrix.com">z3p@twistedmatrix.com</a></li>
21
<p>Although it is a newcomer on the Secure Shell stage, Twisted.Conch has quickly
22
caught up with the two most popular free *nix implementations and the most
23
popular free Windows implementation in terms of functionality. This rapid
24
development time, as well as the stability and other advantages, owes much to
25
Python and the Twisted networking framework.</p>
27
<h2>Other implementations (servers)</h2>
29
<p>Other than Conch, there are three popular server implementations. OpenSSH
30
works with versions 1 and 2 of the protocol, and is the most popular on *nix
31
systems. FSecure is more popular on Windows servers, and also works with both
32
versions. LSH is newer, and implements version 2. All three are written in C,
33
with LSH having some supporting Scheme code to generate C files.</p>
35
<h2>Other implementations (clients)</h2>
37
<p>On *nix, the SSH clients are provided by the server implementations (OpenSSH
38
and LSH). On Windows, there are a couple of separate clients. PuTTY is the
39
most popular and supports Telnet along with SSH1 and 2. TeraTerm recently
40
incorporated SSH into the core: before it had been an extension module.
41
MindTerm is the only implementation in this list to be written in a language
42
other than C. It runs as a Java applet, allowing SSH to run on any computer
47
<p>Why is Twisted ideal for this type of project? Firstly, it is an asynchronous
48
library, meaning there are no worries about threading or concurrency issues.
49
This means more developer time can be devoted to making the code work well,
50
rather than just work. Second, Python lends itself to this kind of
51
development: the code is easy to read and easy to write. Third, the Twisted
52
library is high-level, so developers do not need to worry about select loops or
53
callbacks. Twisted handles all of that and allows developers to concentrate on
56
<h2>No forking/threads</h2>
58
<p>Unlike OpenSSH, the Conch server does not fork a process for each incoming
59
connection. Instead, it uses the Twisted reactor to multiplex the connections.
60
The only fork done is to execute a process such as a shell, but running a shell
61
is not necessary, in which case the entire protocol would be run in-process.
62
One of the initial features of the server was an in-process Python interpreter
63
which allowed a user to interact with the server as it was running. (It is
64
currently disabled for security reasons.) Threads are only used to interface
65
with synchronous libraries, such as PyPAM (Pluggable Authentication Modules
66
support) or PyME (GPGME support). By not using forks or threads, the time it
67
takes for the Conch server to start an SSH session is roughly half of the time
68
it takes for OpenSSH. However, this does require that code in Conch be
69
non-blocking, which is an obstacle for programmers not used to that style.</p>
71
<h2>Security - No Pointers</h2>
73
<p>OpenSSH, LSH, and PuTTY are all written in C. Many security holes are a result
74
of problems with unsafe pointer usage, which is a large problem in C code.
75
Many other security holes result from related issues, such as buffer overflows,
76
off-by-one errors on arrays, and memory allocation/deallocation bugs. Python
77
is pointer-safe, and so is not vulnerable to this class of hole. This also
78
means that no arbitrary data from over-the-wire is ever run, meaning control
79
always stays with the Conch server.</p>
81
<h2>Security - High Level</h2>
83
<p>Being written in Python provides more security than just pointer safety. The
84
strong builtin library that comes with Python (including powerful data types
85
like the list and dictionary) means that fewer wheels need to be reinvented.
86
This limits the potential to make mistakes in implementation. Exceptions are
87
another powerful tool. They centralize error handling, rather than the mix of
88
methods that the C libraries use. All errors are caught and dealt with: this
89
might mean that the server stops accepting connections, but it never
90
compromises security.</p>
92
<h2>Security - Not Root</h2>
94
<p>Also, Conch does not need to run as root. In the default server, root
95
privileges are used for two things: to bind to ports < 1024, and to fork a
96
process as a different user. If neither of these are needed, the server need
97
not run as root at all. Even if they are, the server is only running as root
98
for those small sections. The rest of the time, it runs under the effective
99
user and group ID of the user who started the server. This limits the amount
100
of damage that could be inflicted in the event of a compromise.</p>
102
<h2>Interfacing with other software</h2>
104
<p>OpenSSH can interact with subsystems such as SFTP only by executing a process
105
to handle it. Not only is forking a process expensive, it limits the
106
interaction to a generic bitstream, which leaves developers to determine how
107
to interact with their users. Conch can run in the same process as other
108
Python software, and is easily integrated with other Twisted servers. This
109
allows for things like secure remote administration of a Twisted web server,
110
encrypted communication to a Reality MUD, or secure remote object access using
111
Perspective Broker. This saves the hassle and expense of forking, and allows
112
Python developers to interact with Conch the way they know best: with Python.</p>
116
<p>No one can deny that compiled C is faster than Python. Some part of Conch use
117
C (PyCrypto, TGMP) to speed frequent operations, but the majority of the code
118
is in Python. The client suffers the most from this because of the time it
119
takes to start the interpreter. Work is being done to speed up the client by
120
caching connections. This does not eliminate the interpreter start-up cost,
121
but it removes the cost of negotiating a new connection. This effort is
122
similar to FSH (also in Python) but interacts more nicely with the SSH
123
protocol. Psyco helps as well, offering a speedup of roughly 2x - 5x.</p>
127
<p>As I said in the introduction, Conch is still a newcomer on the Secure Shell
128
stage (The first commit for Conch was July 15, 2002.) Although Python solves
129
a large class of holes, it is probable that other security holes are in the
130
code. Until a full audit is conducted of Twisted and of Conch, it should not
131
be used for security-critical systems.</p>
133
<h2>Applications with Conch</h2>
135
<p>One of the applications for Conch is with Reality, a MUD framework using
136
Twisted. Conch makes it easy to allow secure connections to the MUD in
137
addition or even in place of a standard Telnet connection. As problems
138
such as character theft become more prevalent on the Internet, a secure
139
interface becomes more important.</p>
141
<p>More generally, work is being done on Insults, a replacement for libraries
142
like Curses and S-Lang. It allows developers to write GUI code that
143
interacts well with Conch and other Twisted software. Although it is in the
144
initial stages of development, it shows much promise for the future.</p>
146
<h2>Future Directions</h2>
148
<p>There are several different directions for Conch to move in. One of the most
149
interesting is system for generalized authentication forwarding. This would
150
allow all authentication to be performed on a host that the user controls,
151
which would help to stop vulnerabilities such as timing attacks. Second is
152
more work with applications. Insults is becoming more powerful, and it will
153
be interesting to see what it can be used for. Also important are auditing of
154
the code and increasing the speed. These will make the code more useful in
155
general, as well as improving security. Other ideas include direct support for
156
SFTP/SCP, support for a key agent, and interfacing with Twisted.Names to
161
<p>Although it is new, Conch is a working implementation of the Secure Shell
162
protocol. It is robust enough to serve as both the client and server on
163
systems I and others use daily.</p>