Hello,

My name is Aris Adamantiadis. I am a student at the Free University of
Brussels (Université libre de Bruxelles). I am completing my second year in
computer science (out of 4). I can be reached at aris@0xbadc0de.be

My project is related to an other project I began two years ago. Its name is
libssh. The current releases are hosted on http://0xbadc0de.be/
This library is a client side library for SSH2 services, programmed in C.
There is a basic sftp support for client.

My project would be split in two parts:
1- Extend the library to server SSH services.
2- Programming a sftp server.

1- Extending the library.
The library was not done with server support in mind. I'll have to change the
API so it becomes easy to create servers. Then I'll have to move the old
working code to the current API.
Next, I'll have to implement the server part. The analys part being already
made, it won't be too hard since most operations are exactly symmetrical to
the client ones (Like, for cryptography).
The testing of the library will be basic at this time. The second part will
permit to spot problems.

2- sftp server.
sftp stands for secure ftp. It's a built-in protocol for SSH2 which doesn't
look like FTP over SSL. It has advantages against FTP over SSL (ftps):
-Unified authentication: A ssh server is used for authentication. It's a
protocol that was designed for peer authentication. It allows everything that
current SSH implementations can do.
-One port only communication. This protocol is very firewall friendly, since
the firewall only needs to redirect the traffic from a certain port to an
other.
-Real filesystem-like actions. The protocol is packet based. It's very easy
for a client to ask only a few bytes of this file, then another bytes from
this one, etc.

Openssh already includes a sftp server, so why build another one ?

OpenSSH sftp server was not designed for the same goal as this project.
Openssh server is meant to distribute files to regular users of a system to
which they have an access (most often a shell access) using common unix
properties. Unmodified versions don't support several options that are common 
through popular ftp servers, like root changing (disallow a certain user to 
browse elsewhere than his home directory), anonymous access (a typical 
installation requires a special account with no shell, and then again same 
problems of path roots. Then, it's impossible to disallow an anonymous user 
from overwriting a file another anonymous has uploaded, etc.

The sftp server project would be an elegant solution to implement all of these
functionalities, through config files.

All of this takes time. Here is how my summer is organized:
20th of June: end of exams
14th of July: Boy scout camp
31th of July: back from camp
15th of July: begin to study for september exams (I don't know yet).
(I can still continue to work during this period if needed).
So, this is more than 40 days.

-Redesigning the API 
 It won't be too long. 1 or 2 days. I can launch calls to the
 actual user base of libssh to ask what they think about the changes. I can
 still begin to work because if I make changes to what was decided before
 (because of an user comment), they won't be too big (It's generaly on
 details).

-Converting existing codebase to new API
 I know very well the code. It won't take more than 3 days.

-Building the server side code
 there are different parts:
  * Writing the socket binding code, blank functions and small test programs.
    1 day at most
  * Cryptographic handshake. The packet protocol already exists. 
    1 day
  * Authentication. The act of agreeing a login or not is outside the scope of
    the library, at least for a password. I will write code to handle out of
    the box public key authentication.
    2 days
  * Channels implementation must be adapted, in order to provide the server
    capabilities. this doesn't take much time.
    1 day
  * The multiplexing algorithm has to be changed. It has to support buffering.
    2 days
  * At this point, the basic server features should work. It's worth good
    testing.
    2 days.
Total for library : 14 days

-Writing the sftp server
  * Requirements and analys : What will the server do ? Which functionalities ?
    What configuration files will look like. How I am going to implement
    it. This is the most important part.
    2 days
  * Write the configuration parser. Maybe I should use some existing parser.
    2 days
  * the sftp protocol parser must be written. It's symmetrical from the
    existing client functions, the tricky part is to get it run efficiently.
    2 days
  * Client authentication part. Through PAM or by hand (getting in into
    /etc/passwd & such). It's quick.
    1 day
  * the rest is file service : memorise a user context, handle multiple
    connections, optimize transfers ... this is the hard part of the work.
    5 days
  * testing, testing, testing
    2 days, maybe more.
Total for server: 14 days

These estimations let me time in case some work is late. I think it's
reasonable.

About licenses:
Libssh is under the LGPL License. The sftp server license is not determined
now. Probably GPL or BSD.