tarssh vs. endlessh #5

Open
Luflosi opened this issue Dec 30, 2021 · 2 comments

Luflosi commented Dec 30, 2021

What are the differences between tarssh and endlessh? The README.md explains that tarssh is "similar to endlessh" but doesn't tell me much else.
I'm trying to decide which one to use on Linux. Can you please explain the main differences between the two? What was your motivation for writing tarssh when endlessh already existed?
After a little bit of research, the main differences I noticed are:

  • tarssh is written in Rust. This gives me slightly more confidence that there are no exploitable bugs that could lead to remote code execution.
  • endlessh is more popular (at least when measured by GitHub stars). This means that more people probably looked at the code and found potential bugs.
  • tarssh has more frequent releases. For such a simple program this is probably not a good indicator of good maintenance though.
  • tarssh has an option to run as a specific user and group. I think this is useful when starting as root to bind to port 22, so it doesn't continue to run as root. endlessh doesn't seem to have this option, although skeeto/endlessh#40 ("Add support for socket activation") might provide a much better alternative in the future.
  • endlessh seems to generate pseudorandom data, while tarssh seems to use a few hardcoded strings. The latter makes it very easy to fingerprint a tarssh server, which may or may not actually matter, while generating pseudorandomness takes a tiny bit more computational resources but might also be almost as easily fingerprintable if not initialised properly with a true random number (i.e. always with the same value).

Freaky (Owner) commented Feb 9, 2022

> tarssh is written in Rust. This gives me slightly more confidence that there are no exploitable bugs that could lead to remote code execution.

For such a simple service, I'm not sure I'd be too worried, but yes - one would hope.

> endlessh is more popular (at least when measured by GitHub stars). This means that more people probably looked at the code and found potential bugs.

Don't overestimate the "many eyes" hypothesis - how often do you audit the source code for all the things you use even if it is available? I wrote my own SSH tarpit and even I only vaguely skimmed endlessh.

> tarssh has more frequent releases. For such a simple program this is probably not a good indicator of good maintenance though.

endlessh is and was backed by a mature language with mature APIs. tarssh started life before Rust even had dedicated async syntax and before Tokio had a stable API - a lot of its updates were mostly just following those, accompanied by relatively minor tweaks like a few more options for logging or fancier control over Tokio configuration.

The only real major change was when I went from spawning a Tokio task per connection to making it radically single-threaded with just a list of polled clients - more closely following the endlessh approach.

> tarssh has an option to run as a specific user and group. I think this is useful when starting as root to bind to port 22, so it doesn't continue to run as root

This is certainly a nice-to-have, but even without socket activation you should have alternatives. I'm not familiar with the precise mechanisms on Linux, but on FreeBSD you can expose privileged ports to specific unprivileged users via the mac_portacl kernel module - I'm sure Linux has similar functionality.

tarssh also has Capsicum and pledge support, but this (sadly) isn't really of interest outside the BSDs.

> endlessh seems to generate pseudorandom data, while tarssh seems to use a few hardcoded strings. The latter makes it very easy to fingerprint a tarssh server, which may or may not actually matter

Yeah, I'm not sure about this. Is a script kiddie really going to fingerprint a specific tarpit over just implementing proper timeouts or even just outright rejecting banners? Maybe it's worth adding a random mode just to see if it changes any of the numbers...

FWIW the main purpose of tarssh is for me to learn a bit of Tokio, and it has been a great success in that at least. Anything else is just cream.

Finally, I should apologise for leaving this issue for so long. I looked at it and made an ineffective mental note to deal with it later, and then it just got lost amongst all the other read notifications I have.

Luflosi (Author) commented Feb 16, 2022

Thank you for answering my questions in detail.
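
The seeding concern raised in this thread, as an added example (not code from tarssh or endlessh): a sketch of random pre-banner line generation showing that a constant seed makes every instance emit the same byte sequence, while a per-process seed does not. `XorShift`, `os_seed`, `banner_line` and `banner_stream` are hypothetical names, and the line format assumes only RFC 4253's rule that lines sent before the version string end in CRLF and must not begin with `SSH-`.

```rust
use std::collections::hash_map::RandomState;
use std::hash::{BuildHasher, Hasher};

/// Minimal xorshift64* generator (illustrative, not cryptographic).
struct XorShift(u64);

impl XorShift {
    fn next_u64(&mut self) -> u64 {
        self.0 ^= self.0 >> 12;
        self.0 ^= self.0 << 25;
        self.0 ^= self.0 >> 27;
        self.0.wrapping_mul(0x2545F4914F6CDD1D)
    }
}

/// Per-process seed: std has no direct RNG API, but RandomState's
/// hashing keys are randomly generated, so an empty hash is unpredictable.
fn os_seed() -> u64 {
    RandomState::new().build_hasher().finish()
}

/// One tarpit line: random printable ASCII, at most `max_len` bytes
/// including the trailing CRLF, never starting with "SSH-".
fn banner_line(rng: &mut XorShift, max_len: usize) -> String {
    assert!(max_len >= 5, "need room for 3 bytes plus CRLF");
    let body = 3 + (rng.next_u64() >> 33) as usize % (max_len - 4);
    let mut line: String = (0..body)
        .map(|_| (32 + (rng.next_u64() >> 33) % 95) as u8 as char)
        .collect();
    if line.starts_with("SSH-") {
        line.replace_range(0..1, "X"); // would otherwise end the banner phase
    }
    line.push_str("\r\n");
    line
}

/// The first `n` lines an instance seeded with `seed` would send.
fn banner_stream(seed: u64, n: usize, max_len: usize) -> Vec<String> {
    let mut rng = XorShift(seed | 1); // xorshift state must be non-zero
    (0..n).map(|_| banner_line(&mut rng, max_len)).collect()
}

fn main() {
    // Constant seed: two independent "servers" are byte-for-byte identical.
    let (a, b) = (banner_stream(42, 3, 32), banner_stream(42, 3, 32));
    println!("fixed seed, streams identical: {}", a == b);
    // Per-process seed: the streams diverge, so there is no static signature.
    let (c, d) = (banner_stream(os_seed(), 3, 32), banner_stream(os_seed(), 3, 32));
    println!("OS-derived seed, streams identical: {}", c == d);
}
```
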
