SSH Server with User Authorization

SSH Server with User Authorization

A NetBurner embedded application that implements a secure SSH server with customizable user authentication management.

Overview

This application creates an SSH server that listens on TCP port 22 for incoming SSH client connections. The server uses an automatically generated onboard key for encryption and implements a flexible user authentication system that supports both password and key-based authentication.

Key Features

• SSH Server: Full SSH server implementation listening on port 22
• User Authentication Management: Custom user authentication system with support for:
  • Password-based authentication
  • Key-based authentication
  • User authorization levels
• Automatic Certificate Generation: Self-signed certificates generated on first boot
• Persistent User Storage: User credentials stored in device UserParam space
• Interactive Management: Serial console interface for user management
• Connection Timeout: Configurable connection timeout (default: 120 seconds)

Architecture

Core Components

1. main.cpp: Main application with SSH server task and user interface
2. UserAuth.cpp: User authentication manager implementation
3. UserAuth.h: Authentication interface definitions

Key Classes and Functions

• UserAuthManager: Manages user authentication records and validation
• SshServerTask(): Main SSH server listening and connection handling
• AuthenticateUser(): SSH authentication callback function
• SaveAuthRecordsUserParam() / LoadAuthRecordsUserParam(): Persistent storage functions

Configuration

Default Settings

#define SSH_LISTEN_PORT 22       // SSH server port
#define CONNECTION_TIMEOUT 120   // Connection timeout in seconds
#define BUFSIZE (4096)          // Buffer size for data transfer

Authentication Types

• eAuthTypePassword (1): Password-based authentication
• eAuthTypeKey (2): SSH key-based authentication

Usage

Building and Deployment

1. Compile the application using NetBurner development tools
2. Load the firmware onto your NetBurner device
3. Connect via MTTTY to the USB/Serial port for configuration

Initial Setup

1. Certificate Generation: On first boot, the device automatically generates SSL certificates
2. Network Connection: Wait for active network connection
3. SSH Server Start: Server begins listening on port 22

User Management Commands

Access these commands via the serial console when no SSH client is connected:

• A: Add new user (prompts for username, auth value, and auth type)
• D: Delete existing user (prompts for username)
• L: List all configured users
• ?: Show command list

SSH Client Connection

1. Use any SSH client (PuTTY, OpenSSH, etc.)
2. Connect to the NetBurner device's IP address on port 22
3. Authenticate using configured username and password/key
4. Interactive session allows bidirectional communication

Security Features

Certificate Management

• Automatic onboard certificate and key generation
• One-year certificate validity period
• Optional automatic certificate regeneration (enable ENABLE_AUTOCERT_REGEN)

User Authentication

• Secure password hashing using SHA-256
• Support for SSH public key authentication
• Configurable user authorization levels
• Persistent storage of authentication records

Connection Security

• Full SSH protocol implementation
• Encrypted communication channels
• Connection timeout protection
• Proper session management

Data Storage

User authentication records are stored in JSON format in the device's UserParam space:

{
  "0": {
    "un": "username",
    "at": 1,
    "al": 0,
    "ah": [hash_array]
  }
}

Where:

• un: Username
• at: Authentication type (1=password, 2=key)
• al: Authorization level
• ah: SHA-256 hash array

Error Handling

The application includes comprehensive error handling for:

• TCP connection errors (timeout, reset, abort)
• SSH negotiation failures
• Authentication failures
• Certificate generation errors
• User management errors

Common Error Codes

• TCP_ERR_TIMEOUT: Connection timeout
• TCP_ERR_CON_RESET: Connection reset by peer
• SSH_ERROR_FAILED_NEGOTIATION: SSH handshake failure
• SSH_ERROR_FAILED_SESSION_FAILED: SSH session establishment failure

Development Notes

Memory Usage

• SSH Server task stack: USER_TASK_STK_SIZE * 4
• Buffer allocation: 4KB for both TX and RX
• JSON buffer: 1.5KB for user record storage

Task Priority

SSH Server task runs at MAIN_PRIO - 1 (higher priority than UserMain) to ensure responsive connection handling.

Dependencies

• NetBurner SSH library (ssh/NetBurner/NbWolfSsh.h)
• Certificate generation (crypto/certgen.h)
• JSON parsing (json_lexer.h)
• Standard NetBurner networking and serial libraries

Troubleshooting

Connection Issues

1. Verify network connectivity
2. Check if SSH server task started successfully
3. Confirm firewall settings allow port 22
4. Validate certificate generation completed

Authentication Problems

1. List users to verify account exists
2. Check authentication type matches client configuration
3. Verify user authorization level
4. Review SSH client logs for specific errors

Performance Considerations

• Maximum 5 concurrent connection queue
• 120-second connection timeout
• 4KB buffer size may limit large data transfers
• JSON parsing occurs on user record changes

Example Session

Starting SSH Server Task, Listening for SSH connection on port 22
 
Waiting for connection on port 22...
Connected to: 192.168.1.100:54321
Welcome to the NetBurner SSH Server
You are connected to IP Address 192.168.1.50, port 22
 
[Interactive SSH session follows...]