@h-yamamo
Last active November 26, 2022 01:42

rsh-redone: Support encryption with X25519 and ChaCha20-Poly1305

Although SSH has sufficient security, handling keys is confusing. I wanted an easy encrypted communication tool for my home LAN. I found that the source code of rsh-redone is simpler than that of netkit-rsh, so I decided to add an encryption function to rsh-redone.

How to build and install

Preparation

You need to build and install a patched OpenSSL, or LibreSSL or BoringSSL, whose libcrypto.so provides the X25519 API and the EVP_AEAD API (stock OpenSSL has no EVP_AEAD API, which is why it needs a patch). ( P.S. There is another way that uses the Nettle cryptographic library; see Using Nettle. )

  • Common preparation
sudo apt-get install openbsd-inetd lzip
sudo apt-get build-dep openssl rsh-redone

Case of using h-yamamo's patch

Build the patched openssl packages, then install libssl3 (bookworm, jammy), libssl1.1 or libssl1.0.0 (xenial) together with the matching libssl-dev package.

  • Debian 9 stretch (1)
git clone -b evp-aead-camellia --depth 1 https://gist.github.com/h-yamamo/157804dc9011a33afb99a3324114ee23
apt-get -d source openssl
tar xf openssl_1.1.0l.orig.tar.gz
cd openssl-1.1.0l
tar xf ../openssl_1.1.0l-1~deb9u6.debian.tar.xz
tar xf ../157804dc9011a33afb99a3324114ee23/debian.tlz
debuild -uc -us
(# messages of build)
cd ..
sudo dpkg -i libssl1.1_1.1.0l-1~deb9u6+aec1_XXX.deb libssl-dev_1.1.0l-1~deb9u6+aec1_XXX.deb openssl_1.1.0l-1~deb9u6+aec1_XXX.deb
(# XXX: architecture - amd64, arm64, armhf, i386 ...)
  • Debian 9 stretch (2)
git clone --depth 1 https://gist.github.com/h-yamamo/eb84154b24ba798b474a219027908cfc
apt-get -d source openssl
tar xf openssl_1.1.0l.orig.tar.gz
cd openssl-1.1.0l
tar xf ../openssl_1.1.0l-1~deb9u6.debian.tar.xz
tar xf ../eb84154b24ba798b474a219027908cfc/debian.tlz
debuild -uc -us
(# messages of build)
cd ..
sudo dpkg -i libssl1.1_1.1.0l-1~deb9u6+ae1_XXX.deb libssl-dev_1.1.0l-1~deb9u6+ae1_XXX.deb openssl_1.1.0l-1~deb9u6+ae1_XXX.deb
(# XXX: architecture - amd64, arm64, armhf, i386 ...)
  • Ubuntu 18.04 LTS bionic
git clone -b bionic_e1 --depth 1 https://gist.github.com/h-yamamo/157804dc9011a33afb99a3324114ee23
apt-get -d source openssl
tar xf openssl_1.1.1.orig.tar.gz
cd openssl-1.1.1
tar xf ../openssl_1.1.1-1ubuntu2.1~18.04.20.debian.tar.xz
tar xf ../157804dc9011a33afb99a3324114ee23/debian.tlz
debuild -uc -us
(# messages of build)
cd ..
sudo dpkg -i libssl1.1_1.1.1-1ubuntu2.1~18.04.20+e1_XXX.deb libssl-dev_1.1.1-1ubuntu2.1~18.04.20+e1_XXX.deb openssl_1.1.1-1ubuntu2.1~18.04.20+e1_XXX.deb
(# XXX: architecture - amd64, arm64, armhf, i386 ...)
  • Ubuntu 16.04 LTS xenial
git clone -b xenial --depth 1 https://gist.github.com/h-yamamo/aea11d6cdcb0bb93a499d4846d2dd202
apt-get -d source openssl
tar xf openssl_1.0.2g.orig.tar.gz
cd openssl-1.0.2g
tar xf ../openssl_1.0.2g-1ubuntu4.20.debian.tar.xz
tar xf ../aea11d6cdcb0bb93a499d4846d2dd202/debian.tlz
debuild -uc -us
(# messages of build)
cd ..
sudo dpkg -i libssl1.0.0_1.0.2g-1ubuntu4.20+x1_XXX.deb libssl-dev_1.0.2g-1ubuntu4.20+x1_XXX.deb openssl_1.0.2g-1ubuntu4.20+x1_XXX.deb
(# XXX: architecture - amd64, arm64, armhf, i386 ...)

Build and Install

  • This step is the same for Debian stretch, buster and bullseye and for Ubuntu xenial, bionic and focal
git clone -b debian --depth 1 https://gist.github.com/h-yamamo/e4abe8d81f996960b77fcf5a966742b0
apt-get -d source rsh-redone
tar xf rsh-redone_85.orig.tar.gz
cd rsh-redone-85
tar xf ../e4abe8d81f996960b77fcf5a966742b0/debian.txz
debuild -uc -us
(# messages of build)
cd ..
sudo dpkg -i rsh-redone-client_85-2+e10_XXX.deb rsh-redone-server_85-2+e10_XXX.deb
(# XXX: architecture - amd64, arm64, armhf, i386 ...)
(# edit tcp-wrapper's files /etc/hosts.allow and /etc/hosts.deny, and rsh's ~/.rhosts)

Debian 12 (bookworm)

The following also works for Ubuntu 22.04 LTS jammy.

git clone -b bookworm_ossl --depth 1 https://gist.github.com/h-yamamo/e4abe8d81f996960b77fcf5a966742b0
apt-get -d source rsh-redone
tar xf rsh-redone_85.orig.tar.gz
cd rsh-redone-85
tar xf ../rsh-redone_85-4.debian.tar.xz
tar xvf ../e4abe8d81f996960b77fcf5a966742b0/debian.tlz
(# you may edit debian/changelog and/or other files)
debuild -uc -us
(# messages of build)
cd ..
sudo apt-get install ./rsh-redone-client_85-4+e1_XXX.deb ./rsh-redone-server_85-4+e1_XXX.deb
(# XXX: architecture - amd64, arm64, armhf, i386 ...)
(# edit tcp-wrapper's files /etc/hosts.allow and /etc/hosts.deny, and rsh's ~/.rhosts)

Case of using LibreSSL

  • Preparation

    Get the LibreSSL source, build it, then install it.

wget https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.6.1.tar.gz
tar xf libressl-3.6.1.tar.gz
cd libressl-3.6.1
./configure
make -j4 check
(# messages of build)
sudo make install
(# installed under /usr/local by default)
sudo ldconfig
  • Build and Install

    Get the encryption patches and the rsh-redone source, build, then install.

git clone -b debian --depth 1 https://gist.github.com/h-yamamo/e4abe8d81f996960b77fcf5a966742b0
apt-get -d source rsh-redone
tar xf rsh-redone_85.orig.tar.gz
cd rsh-redone-85
tar xf ../e4abe8d81f996960b77fcf5a966742b0/debian.txz
patch -p1 -i debian/patches/rsh-redone_85-2.patch
patch -p1 -i debian/patches/encrypt.patch
cp ../e4abe8d81f996960b77fcf5a966742b0/Makefile.custom .
make OPENSSL_INCLUDE_PATH=/usr/local/include LIBCRYPTO_PATH=/usr/local/lib -f Makefile.custom 
(# messages of build)
sudo make -f Makefile.custom install
(# installed under /usr/local by default)
(# edit /etc/inetd.conf and tcp-wrapper's files /etc/hosts.allow and /etc/hosts.deny, and rsh's ~/.rhosts)

Case of using BoringSSL

  • Preparation

    Get the BoringSSL source, build it, then install it.

(# preparation for BoringSSL build)
sudo apt-get install cmake golang
(# this example works in the /tmp directory)
cd /tmp
wget https://boringssl.googlesource.com/boringssl/+archive/refs/heads/fips-20220613.tar.gz
mkdir -p boringssl/build
cd boringssl
tar xf ../fips-20220613.tar.gz
cd build
cmake -DBUILD_SHARED_LIBS=1 ..
make -j4
(# messages of build)
cd crypto
(# change the soname so it can coexist with the distribution's openssl libcrypto)
sed 's/soname,libcrypto.so -o libcrypto.so/soname,libcrypto.so.103 -o libcrypto.so.103.0.5060/' CMakeFiles/crypto.dir/link.txt > link
sh link
strip --strip-unneeded --remove-section=.comment --remove-section=.note libcrypto.so.103.0.5060
sudo install -m 644 libcrypto.so.103.0.5060 /usr/local/lib/
cd /usr/local/lib
sudo ln -s libcrypto.so.103.0.5060 libcrypto.so.103
sudo ln -s libcrypto.so.103.0.5060 libcrypto.so
sudo ldconfig
  • Build and Install

    Get the encryption patches and the rsh-redone source, build, then install.

cd /tmp
git clone -b debian --depth 1 https://gist.github.com/h-yamamo/e4abe8d81f996960b77fcf5a966742b0
apt-get -d source rsh-redone
tar xf rsh-redone_85.orig.tar.gz
cd rsh-redone-85
tar xf ../e4abe8d81f996960b77fcf5a966742b0/debian.txz
patch -p1 -i debian/patches/rsh-redone_85-2.patch
patch -p1 -i debian/patches/encrypt.patch
cp ../e4abe8d81f996960b77fcf5a966742b0/Makefile.custom .
(# edit it if necessary)
make OPENSSL_INCLUDE_PATH=/tmp/boringssl/include LIBCRYPTO_PATH=/usr/local/lib -f Makefile.custom 
(# messages of build)
sudo make -f Makefile.custom install
(# installed under /usr/local by default)
(# edit /etc/inetd.conf and tcp-wrapper's files /etc/hosts.allow and /etc/hosts.deny, and rsh's ~/.rhosts)

Using Nettle

This variant uses the Nettle cryptographic library instead of OpenSSL or its compatibles. The X25519 API and the EVP_AEAD API are implemented as wrappers around the Nettle libraries.

Debian 12 (bookworm)

The following also works for Ubuntu 22.04 LTS jammy.

  • Preparation
sudo apt-get install nettle-dev lzip
sudo apt-get build-dep rsh-redone
  • Build and Install
git clone -b bookworm_nettle --depth 1 https://gist.github.com/h-yamamo/e4abe8d81f996960b77fcf5a966742b0
apt-get -d source rsh-redone
tar xf rsh-redone_85.orig.tar.gz
cd rsh-redone-85
tar xf ../rsh-redone_85-4.debian.tar.xz
tar xvf ../e4abe8d81f996960b77fcf5a966742b0/debian.tlz
(# you may edit debian/changelog and/or other files)
debuild -uc -us
(# messages of build)
cd ..
sudo apt-get install ./rsh-redone-client_85-4+en1_XXX.deb ./rsh-redone-server_85-4+en1_XXX.deb
(# XXX: architecture - amd64, arm64, armhf, i386 ...)
(# edit tcp-wrapper's files /etc/hosts.allow and /etc/hosts.deny, and rsh's ~/.rhosts)

Earlier Debian and Ubuntu

Requires Debian 9 stretch or later, or Ubuntu 16.04 LTS xenial or later.

  • Preparation
sudo apt-get install nettle-dev openbsd-inetd
sudo apt-get build-dep rsh-redone
  • Build and Install
git clone -b debian-nettle --depth 1 https://gist.github.com/h-yamamo/e4abe8d81f996960b77fcf5a966742b0
apt-get -d source rsh-redone
tar xf rsh-redone_85.orig.tar.gz
cd rsh-redone-85
tar xf ../e4abe8d81f996960b77fcf5a966742b0/debian.txz
debuild -uc -us
(# messages of build)
cd ..
sudo dpkg -i rsh-redone-client_85-2+en6_XXX.deb rsh-redone-server_85-2+en6_XXX.deb
(# XXX: architecture - amd64, arm64, armhf, i386 ...)
(# edit tcp-wrapper's files /etc/hosts.allow and /etc/hosts.deny, and rsh's ~/.rhosts)

Notes

  • No communication across NAT

    The IP address and port pair of the client and of the server are used when generating the keys, so if a NAT rewrites either endpoint on the way, the two sides derive different keys and cannot talk.
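
As an added example (not code from this gist or from rsh-redone), the following Python sketch shows the consequence described in this note: when the (address, port) pairs of both ends are fed into key derivation, a NAT that rewrites the client's address leaves the server with a different key from the client's. X25519 follows RFC 7748 and is checked against its test vectors; the HKDF-SHA256 step, the `rsh-demo` label, the `session_key` layout and the sample addresses are assumptions made for the example, and the ChaCha20-Poly1305 record protection is not reproduced.

```python
"""Added illustration, not rsh-redone's code: an X25519 exchange whose key
derivation mixes in the client and server (address, port) pairs, showing why
such a session cannot cross a NAT.  X25519 follows RFC 7748 so this runs
offline.  The KDF (HKDF-SHA256 salted with the endpoint labels) is an
ASSUMPTION for this example; the patch's real construction and its
ChaCha20-Poly1305 record layer are not reproduced here."""
import hashlib
import hmac
import os
from typing import Tuple

P = 2**255 - 19
A24 = 121665  # (486662 - 2) / 4, Montgomery ladder constant for Curve25519
BASEPOINT = (9).to_bytes(32, "little")
Endpoint = Tuple[str, int]


def _decode_scalar(k: bytes) -> int:
    """Clamp the private scalar as RFC 7748 section 5 requires."""
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """X25519 scalar multiplication (RFC 7748 Montgomery ladder)."""
    k = _decode_scalar(scalar)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract, then expand) with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def endpoint_label(client: Endpoint, server: Endpoint) -> bytes:
    """Both endpoints as *this* party observes them on its own socket."""
    return f"{client[0]}:{client[1]}|{server[0]}:{server[1]}".encode()


def session_key(my_priv: bytes, peer_pub: bytes, client: Endpoint, server: Endpoint) -> bytes:
    """Hypothetical endpoint-bound key: X25519 shared secret -> HKDF(salt=endpoints)."""
    return hkdf_sha256(x25519(my_priv, peer_pub), endpoint_label(client, server), b"rsh-demo")


def rfc7748_selfcheck() -> bool:
    """Check the ladder against the RFC 7748 section 6.1 test vectors."""
    a = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
    b = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
    a_pub, b_pub = x25519(a, BASEPOINT), x25519(b, BASEPOINT)
    k = "4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742"
    return (a_pub.hex() == "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a"
            and x25519(a, b_pub).hex() == k and x25519(b, a_pub).hex() == k)


def nat_demo() -> Tuple[bool, bool]:
    """Return (keys agree on one LAN, keys agree when a NAT rewrites the client)."""
    client = ("192.168.1.10", 1022)           # constructed: what the client sees on its socket
    server = ("192.168.1.20", 514)            # constructed: rsh-redone's shell port on the server
    client_via_nat = ("198.51.100.7", 40000)  # constructed: the client as the server sees it past a NAT
    c_priv, s_priv = os.urandom(32), os.urandom(32)
    c_pub, s_pub = x25519(c_priv, BASEPOINT), x25519(s_priv, BASEPOINT)
    k_client = session_key(c_priv, s_pub, client, server)
    same_lan = k_client == session_key(s_priv, c_pub, client, server)
    across_nat = k_client == session_key(s_priv, c_pub, client_via_nat, server)
    return same_lan, across_nat


if __name__ == "__main__":
    print("RFC 7748 vectors ok:", rfc7748_selfcheck())
    print("same LAN agree, across NAT agree:", nat_demo())
```

`nat_demo()` returns `(True, False)`: the two sides agree only while both observe the same endpoints, which holds on a flat home LAN (the use case this page targets) and fails as soon as a NAT sits between them.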
