depth —— SSH-2.0 server

Depth

Full SSH-2.0 Protocol in Pure x86_64 Assembly.
Complete SSH implementation — KEX, auth, encrypted transport, PTY, SFTP, port forwarding, pipe exec — ~94 KB static ELF, no libc.

~94 KB

Static ELF

Source Files

268

Passing Tests

Dependencies

View Source Read Docs

// capabilities

Pure assembly. Full protocol.

Every byte handcrafted in NASM. No libc, no dynamic linking, no runtime. Complete SSH-2.0 with ChaCha20-Poly1305, Ed25519, SFTP, PTY, and port forwarding — all from scratch.

ChaCha20-Poly1305 AEAD

Full chacha20-poly1305@openssh.com transport. Two-key scheme, sequence-number nonce. Every packet authenticated.

Ed25519 + X25519

Complete elliptic curve crypto from scratch. X25519 ECDH key exchange, Ed25519 host signatures, SHA-512 internals.

Full SSH Protocol

RFC 4253/4254: KEXINIT, ECDH, NEWKEYS, password auth, 8 multiplexed channels, window management.

SFTP + PTY + Forwarding

SFTPv3 file transfers, interactive PTY shells, pipe-based exec, local and remote TCP port forwarding.

~94 KB Static Binary

No libc, no dynamic linking. Pure Linux syscalls. 22 source files compile to one self-contained ELF.

268 Passing Tests

Every crypto primitive and protocol feature tested. Python harnesses drive NASM test binaries via binary protocol.

// architecture

SSH handshake & encrypted transport.

Full SSH-2.0 key exchange with curve25519-sha256, Ed25519 host authentication, and ChaCha20-Poly1305 encrypted transport — every packet authenticated and encrypted after NEWKEYS.

depth —— SSH-2.0 handshake

[Operator]                              [Target]
 OpenSSH  ──────── TCP ────────>   depth (bind)
          <── SSH-2.0 banner ────
          ── KEXINIT ───────────>
          <── KEXINIT ──────────
          ── ECDH_INIT ─────────>
          <── ECDH_REPLY ───────    (Ed25519 signed)
          ═══ encrypted ═══════>
          <═══ encrypted ═══════

Transport	Raw TCP via syscall
Encryption	chacha20-poly1305@openssh.com
Key Exchange	curve25519-sha256
Host Auth	ssh-ed25519
User Auth	Password (ssh-userauth)
Channels	8 multiplexed with window mgmt
Shell	PTY + pipe-based exec
SFTP	SFTPv3, 16 handles
Forwarding	Local + remote TCP

// internals

Every component from scratch.

What makes Depth tick — every component implemented from scratch in assembly.

depth —— component map

ChaCha20 Quarter-Round

ChaCha20 Block Cipher

Poly1305 MAC

AEAD Encrypt / Decrypt

X25519 ECDH

Ed25519 Sign / Verify

SHA-512 Internals

curve25519-sha256 KEX

SSH Binary Packet Protocol

KEXINIT Negotiation

NEWKEYS Transition

Password Auth (userauth)

Channel Multiplexing (8ch)

Window Management

PTY Allocation

Pipe-Based Exec

SFTPv3 Subsystem

16 File Handles

Local TCP Forwarding

Remote TCP Forwarding

Raw Linux Syscalls

Static ELF (no libc)

/dev/urandom Entropy

epoll Event Loop

Crypto Key Exchange Protocol Channels Services System

// quick start

Build and connect.

Clone, build, run. Connect with any standard SSH client — OpenSSH, PuTTY, or libssh.

bash —— build

# Clone and build

$ git clone https://github.com/Real-Fruit-Snacks/Depth.git

$ cd Depth

$ make

$ make test

bash —— connect

# Start server and connect

$ ./build/depth

$ ssh -p 7777 svc@target

$ ssh -p 7777 svc@target 'whoami'

$ sftp -P 7777 svc@target