Hi

Since there might be someone willing to fund me adding SCP/SFTP support to
libcurl, I've taken a first tour around the world of SSH-libs and below
follows some of what I've learned.

I'm interested in hearing if anyone on this list have anything additional to
say or if you can contradict my findings or anything else related.

The goal is to find the most suitable SSH library to use as base for this. Of
course other libs can be made to work as well in the future, but I now need to
pick a single one to go with for now and the forseeable future.

I've tried to mark the items with '-' (bad) and '+' (good) based on what I
think is best for libcurl and what the funder prefers.

SSH lib evaluation for libcurl usage
====================================

libssh 0.11 (the stable version)

  + LGPL licensed
  - uses its own *blocking* TCP/network connect and offers "wrapper" functions
    for poll and select
  - suffers from speed penalty compared to OpenSSH (reported on mailing list)
  - no mention of working Windows port
  + 6400 lines of C code
  - relies on blocking reads
  - depends on OpenSSL
  - development seems to have stopped and is continued in 0.2, see below

libssh 0.2 (dev version, checked out from their svn repo)

  + LGPL licensed
  - not released yet and is said to contains bugs all over (my words)
  + can use libgcrypt instead of OpenSSL
  - docs seems to still detail the 0.11 API
  - uses its own *blocking* TCP/network connect and offers "wrapper" functions
    for poll and select
  + might support non-blocking reads (based on source code reading, and it
    still has its own connect and select etc)
  - 10000 lines of C code
  - "current status" was updated August 2005

libssh2 0.14

  + BSD licensed
  + allows the application to do the connect()
  - suffers from speed penalty compared to OpenSSH (reported on mailing list)
  - depends on OpenSSL
  + mentioned to work on Windows
  + 7800 lines of C code
  - does blocking reads "under the hood", even if the socket has been set
    non-blocking
  - mailing list seems to be questions without answers and CVS repo shows no
    real "activity" in the project

OpenSSH 4.2p1

  + BSD licensed
  - depends on OpenSSL
  - not designed to be a lib for external use
  - lots of code since it is a lot more than just "SSH lib stuff" there, 53000
    lines of C code
  - seems to be using blocking reads internally anyway

yassh 0.2
  - GPL licensed
  - 15800 lines of C++ code (includes taocrypt)
  - not further evaluated due to license restrictions

Conclusion
==========

No, there's no conclusion/winner drawn by me just yet. I'm interested in
opinions.

-- 
  Commercial curl and libcurl Technical Support: http://haxx.se/curl.html