Diffstat (limited to 'lib/ssh/doc/src')
| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | lib/ssh/doc/src/Makefile | 3 |
| -rw-r--r-- | lib/ssh/doc/src/configure_algos.xml | 428 |
| -rw-r--r-- | lib/ssh/doc/src/notes.xml | 230 |
| -rw-r--r-- | lib/ssh/doc/src/ssh.xml | 218 |
| -rw-r--r-- | lib/ssh/doc/src/ssh_app.xml | 57 |
| -rw-r--r-- | lib/ssh/doc/src/ssh_sftp.xml | 12 |
| -rw-r--r-- | lib/ssh/doc/src/usersguide.xml | 1 |
7 files changed, 912 insertions, 37 deletions
| diff --git a/lib/ssh/doc/src/Makefile b/lib/ssh/doc/src/Makefile index a759854da4..adbda5a030 100644 --- a/lib/ssh/doc/src/Makefile +++ b/lib/ssh/doc/src/Makefile @@ -53,7 +53,8 @@ XML_PART_FILES = part_notes.xml \  XML_CHAPTER_FILES = notes.xml \  	introduction.xml \  	ssh_protocol.xml \ -	using_ssh.xml +	using_ssh.xml \ +	configure_algos.xml  BOOK_FILES = book.xml diff --git a/lib/ssh/doc/src/configure_algos.xml b/lib/ssh/doc/src/configure_algos.xml new file mode 100644 index 0000000000..dd60324851 --- /dev/null +++ b/lib/ssh/doc/src/configure_algos.xml 
@@ -0,0 +1,428 @@ +<?xml version="1.0" encoding="utf-8" ?> +<!DOCTYPE chapter SYSTEM "chapter.dtd"> + +<chapter> +  <header> +    <copyright> +      <year>2017</year> +      <year>2017</year> +      <holder>Ericsson AB. All Rights Reserved.</holder> +    </copyright> +    <legalnotice> +      Licensed under the Apache License, Version 2.0 (the "License"); +      you may not use this file except in compliance with the License. +      You may obtain a copy of the License at +  +          http://www.apache.org/licenses/LICENSE-2.0 + +      Unless required by applicable law or agreed to in writing, software +      distributed under the License is distributed on an "AS IS" BASIS, +      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +      See the License for the specific language governing permissions and +      limitations under the License. + +    </legalnotice> + +    <title>Configuring algorithms in SSH</title> +    <prepared></prepared> +    <docno></docno> +    <approved></approved> +    <date></date> +    <rev></rev> +    <file>configure_algos.xml</file> +  </header> + +  <section> +    <marker id="introduction"/> +    <title>Introduction</title> +    <p>To fully understand how to configure the algorithms, it is essential to have a basic understanding of the SSH protocol +    and how OTP SSH app handles the corresponding items</p> + +    <p>The first subsection will give a short background of the SSH protocol while later sections describes +    the implementation and provides some examples</p> + +    <section> +      <title>Basics of the ssh protocol's algorithms handling</title> + +      <p>SSH uses different sets of algorithms in different phases of a session. Which +      algorithms to use is negotiated by the client and the server at the beginning of a session. +      See <url href="https://tools.ietf.org/html/rfc4253">RFC 4253</url>, +      "The Secure Shell (SSH) Transport Layer Protocol" for details. 
+      </p> + +      <p>The negotiation is simple: both peers sends their list of supported alghorithms to the other part. +      The first algorithm on the client's list that also in on the server's list is selected. So it is the +      client's orderering of the list that gives the priority for the algorithms.</p> + +      <p>There are five lists exchanged in the connection setup. Three of them are also divided in two +      directions, to and from the server.</p> + +      <p>The lists are (named as in the SSH application's options):</p> +      <taglist> +	<tag><c>kex</c></tag> +	<item> +	  <p>Key exchange.</p> +	  <p>An algorithm is selected for computing a secret encryption key. Among examples are: +	  the old nowadays week <c>'diffie-hellman-group-exchange-sha1'</c> and the very strong and modern +	  <c>'ecdh-sha2-nistp512'</c>.</p> +	</item> + +	<tag><c>public_key</c></tag> +	<item> +	  <p>Server host key</p> +	  <p>The asymetric encryption algorithm used in the server's private-public host key pair. +	  Examples include the well-known RSA <c>'ssh-rsa'</c> and elliptic curve <c>'ecdsa-sha2-nistp521'</c>. +	  </p> +	</item> + +	<tag><c>cipher</c></tag> +	<item> +	  <p>Symetric cipher algorithm used for the payload encryption. This algorithm will use the key calculated +	  in the kex phase (together with other info) to genereate the actual key used. Examples are  +	  tripple-DES <c>'3des-cbc'</c> and one of many AES variants <c>'aes192-ctr'</c>. +	  </p> +	  <p>This list is actually two - one for each direction server-to-client and client-to-server. Therefore it +	  is possible but rare to have different algorithms in the two directions in one connection.</p> +	</item> + +	<tag><c>mac</c></tag> +	<item> +	  <p>Message authentication code</p> +	  <p>"Check sum" of each message sent between the peers. 
Examples are SHA <c>'hmac-sha1'</c> and +	  SHA2 <c>'hmac-sha2-512'</c>.</p> +	  <p>This list is also divided into two for the both directions</p> +	</item> + +	<tag><c>compression</c></tag> +	<item> +	  <p>If and how to compress the message. Examples are <c>none</c>, that is, no compression and +	  <c>zlib</c>.</p> +	  <p>This list is also divided into two for the both directions</p> +	</item> +	 +      </taglist> +    </section> + +    <section> +      <title>The SSH app's mechanism</title> +      <p>The set of algorithms that the SSH app uses by default depends on the algoritms supported by the:</p> +      <list> +	<item><p><seealso marker="crypto:crypto">crypto</seealso> app,</p> +	</item> +	<item><p>The cryptolib OTP is linked with, usally the one the OS uses, probably OpenSSL,</p> +	</item> +	<item><p>and finaly what the SSH app implements</p> +	</item> +      </list> +      <p>Due to this, it impossible to list in documentation what algorithms that are available in a certain installation.</p> +      <p>There is an important command to list the actual algorithms and their ordering: +      <seealso marker="ssh#default_algorithms-0">ssh:default_algorithms/0</seealso>.</p> +      <code type="erl"> +0> ssh:default_algorithms(). 
+[{kex,['ecdh-sha2-nistp384','ecdh-sha2-nistp521', +       'ecdh-sha2-nistp256','diffie-hellman-group-exchange-sha256', +       'diffie-hellman-group16-sha512', +       'diffie-hellman-group18-sha512', +       'diffie-hellman-group14-sha256', +       'diffie-hellman-group14-sha1', +       'diffie-hellman-group-exchange-sha1']}, + {public_key,['ecdsa-sha2-nistp384','ecdsa-sha2-nistp521', +              'ecdsa-sha2-nistp256','ssh-rsa','rsa-sha2-256', +              'rsa-sha2-512','ssh-dss']}, + {cipher,[{client2server,['[email protected]', +                          'aes256-ctr','aes192-ctr','[email protected]', +                          'aes128-ctr','aes128-cbc','3des-cbc']}, +          {server2client,['[email protected]','aes256-ctr', +                          'aes192-ctr','[email protected]','aes128-ctr', +                          'aes128-cbc','3des-cbc']}]}, + {mac,[{client2server,['hmac-sha2-256','hmac-sha2-512', +                       'hmac-sha1']}, +       {server2client,['hmac-sha2-256','hmac-sha2-512', +                       'hmac-sha1']}]}, + {compression,[{client2server,[none,'[email protected]',zlib]}, +               {server2client,[none,'[email protected]',zlib]}]}] + +      </code> +      <p>To change the algorithm list, there are two options which can be used in  +      <seealso marker="ssh#connect-3">ssh:connect/2,3,4</seealso> +      and +      <seealso marker="ssh#daemon-2">ssh:daemon/2,3</seealso>. The options could of course +      be used in all other functions that initiates connections.</p> +       +      <p>The options are <c>preferred_algorithms</c> and <c>modify_algorithms</c>. 
The first one +      replaces the default set, while the latter modifies the default set.</p> +    </section> +  </section> +       +  <section> +    <title>Replacing the default set: preferred_algorithms</title> +    <p>See the <seealso marker="ssh#option_preferred_algorithms">Reference Manual</seealso> for details</p> +     +    <p>Here follows a series of examples ranging from simple to more complex.</p> + +    <p>To forsee the effect of an option there is an experimental function <c>ssh:chk_algos_opts(Opts)</c>. +    It mangles the options <c>preferred_algorithms</c> +    and <c>modify_algorithms</c> in the same way as <c>ssh:dameon</c>, <c>ssh:connect</c> and their friends does.</p> + +    <section> +      <title>Example 1</title> +      <p>Replace the kex algorithms list with the single algorithm <c>'diffie-hellman-group14-sha256'</c>:</p> +      <code> +1> ssh:chk_algos_opts( +               [{preferred_algorithms, +                     [{kex, ['diffie-hellman-group14-sha256']} +                     ] +                } +              ]). 
+[{kex,['diffie-hellman-group14-sha256']}, + {public_key,['ecdsa-sha2-nistp384','ecdsa-sha2-nistp521', +              'ecdsa-sha2-nistp256','ssh-rsa','rsa-sha2-256', +              'rsa-sha2-512','ssh-dss']}, + {cipher,[{client2server,['[email protected]', +                          'aes256-ctr','aes192-ctr','[email protected]', +                          'aes128-ctr','aes128-cbc','3des-cbc']}, +          {server2client,['[email protected]','aes256-ctr', +                          'aes192-ctr','[email protected]','aes128-ctr', +                          'aes128-cbc','3des-cbc']}]}, + {mac,[{client2server,['hmac-sha2-256','hmac-sha2-512', +                       'hmac-sha1']}, +       {server2client,['hmac-sha2-256','hmac-sha2-512', +                       'hmac-sha1']}]}, + {compression,[{client2server,[none,'[email protected]',zlib]}, +               {server2client,[none,'[email protected]',zlib]}]}] +      </code> +      <p>Note that the unmentioned lists (<c>public_key</c>, <c>cipher</c>, <c>mac</c> and <c>compression</c>) +      are un-changed.</p> +    </section> +       +    <section> +      <title>Example 2</title> +      <p>In the lists that are divided in two for the two directions (c.f <c>cipher</c>) it is possible +      to change both directions at once:</p> +      <code> +2> ssh:chk_algos_opts( +               [{preferred_algorithms, +                     [{cipher,['aes128-ctr']} +                     ] +                } +              ]). 
+[{kex,['ecdh-sha2-nistp384','ecdh-sha2-nistp521', +       'ecdh-sha2-nistp256','diffie-hellman-group-exchange-sha256', +       'diffie-hellman-group16-sha512', +       'diffie-hellman-group18-sha512', +       'diffie-hellman-group14-sha256', +       'diffie-hellman-group14-sha1', +       'diffie-hellman-group-exchange-sha1']}, + {public_key,['ecdsa-sha2-nistp384','ecdsa-sha2-nistp521', +              'ecdsa-sha2-nistp256','ssh-rsa','rsa-sha2-256', +              'rsa-sha2-512','ssh-dss']}, + {cipher,[{client2server,['aes128-ctr']}, +          {server2client,['aes128-ctr']}]}, + {mac,[{client2server,['hmac-sha2-256','hmac-sha2-512', +                       'hmac-sha1']}, +       {server2client,['hmac-sha2-256','hmac-sha2-512', +                       'hmac-sha1']}]}, + {compression,[{client2server,[none,'[email protected]',zlib]}, +               {server2client,[none,'[email protected]',zlib]}]}] +      </code> +      <p>Note that both lists in <c>cipher</c> has been changed to the provided value (<c>'aes128-ctr'</c>).</p> +    </section> +       +    <section> +      <title>Example 3</title> +      <p>In the lists that are divided in two for the two directions (c.f <c>cipher</c>) it is possible +      to change only one of the directions:</p> +      <code> +3> ssh:chk_algos_opts( +               [{preferred_algorithms, +                     [{cipher,[{client2server,['aes128-ctr']}]} +                     ] +                } +              ]). 
+[{kex,['ecdh-sha2-nistp384','ecdh-sha2-nistp521', +       'ecdh-sha2-nistp256','diffie-hellman-group-exchange-sha256', +       'diffie-hellman-group16-sha512', +       'diffie-hellman-group18-sha512', +       'diffie-hellman-group14-sha256', +       'diffie-hellman-group14-sha1', +       'diffie-hellman-group-exchange-sha1']}, + {public_key,['ecdsa-sha2-nistp384','ecdsa-sha2-nistp521', +              'ecdsa-sha2-nistp256','ssh-rsa','rsa-sha2-256', +              'rsa-sha2-512','ssh-dss']}, + {cipher,[{client2server,['aes128-ctr']}, +          {server2client,['[email protected]','aes256-ctr', +                          'aes192-ctr','[email protected]','aes128-ctr', +                          'aes128-cbc','3des-cbc']}]}, + {mac,[{client2server,['hmac-sha2-256','hmac-sha2-512', +                       'hmac-sha1']}, +       {server2client,['hmac-sha2-256','hmac-sha2-512', +                       'hmac-sha1']}]}, + {compression,[{client2server,[none,'[email protected]',zlib]}, +               {server2client,[none,'[email protected]',zlib]}]}] +      </code> +    </section> + +    <section> +      <title>Example 4</title> +      <p>It is of course possible to change more than one list:</p> +      <code> +4> ssh:chk_algos_opts( +               [{preferred_algorithms, +                     [{cipher,['aes128-ctr']}, +		      {mac,['hmac-sha2-256']}, +                      {kex,['ecdh-sha2-nistp384']}, +		      {public_key,['ssh-rsa']}, +		      {compression,[{server2client,[none]}, +		                    {client2server,[zlib]}]} +                     ] +                } +              ]). 
+[{kex,['ecdh-sha2-nistp384']}, + {public_key,['ssh-rsa']}, + {cipher,[{client2server,['aes128-ctr']}, +          {server2client,['aes128-ctr']}]}, + {mac,[{client2server,['hmac-sha2-256']}, +       {server2client,['hmac-sha2-256']}]}, + {compression,[{client2server,[zlib]}, +               {server2client,[none]}]}] + +      </code> +      <p>Note that the ordering of the tuples in the lists didn't matter.</p> +    </section> +  </section>     +   +  <section> +    <title>Modifying the default set: modify_algorithms</title> +    <p>A situation where it might be useful to add an algorithm is when one need to use a supported but disabled one. +    An example is the <c>'diffie-hellman-group1-sha1'</c> which nowadays is very unsecure and therefore disabled. It is  +    however still supported and might be used.</p> +     +    <p>The option <c>preferred_algorithms</c> may be complicated to use for adding or removing single algorithms. +    First one has to list them with <c>ssh:default_algorithms()</c> and then do changes in the lists.</p> + +    <p>To facilitate addition or removal of algorithms the option <c>modify_algorithms</c> is available. +    See the <seealso marker="ssh#option_modify_algorithms">Reference Manual</seealso> for details.</p> +  +    <p>The option takes a list with instructions to append, prepend or remove algorithms:</p> +    <code type="erl"> +{modify_algorithms, [{append,  ...}, +                     {prepend, ...}, +		     {rm,      ...} +		    ]} +    </code> +    <p>Each of the <c>...</c> can be a <c>algs_list()</c> as the argument to the  <c>preferred_algorithms</c> option.</p> +    <section> +      <title>Example 5</title> +      <p>As an example let's add the Diffie-Hellman Group1 first in the kex list. 
It is supported according to  +      <seealso marker="SSH_app#supported_algos">Supported algoritms</seealso>.</p> +      <code type="erl"> +5> ssh:chk_algos_opts( +         [{modify_algorithms, +	       [{prepend, +	           [{kex,['diffie-hellman-group1-sha1']}] +		   } +	       ] +          } +        ]). +[{kex,['diffie-hellman-group1-sha1','ecdh-sha2-nistp384', +       'ecdh-sha2-nistp521','ecdh-sha2-nistp256', +       'diffie-hellman-group-exchange-sha256', +       'diffie-hellman-group16-sha512', +       'diffie-hellman-group18-sha512', +       'diffie-hellman-group14-sha256', +       'diffie-hellman-group14-sha1', +       'diffie-hellman-group-exchange-sha1']}, + {public_key,['ecdsa-sha2-nistp384','ecdsa-sha2-nistp521', +              'ecdsa-sha2-nistp256','ssh-rsa','rsa-sha2-256', +              'rsa-sha2-512','ssh-dss']}, + {cipher,[{client2server,['[email protected]', +                          'aes256-ctr','aes192-ctr','[email protected]', +                          'aes128-ctr','aes128-cbc','3des-cbc']}, +          {server2client,['[email protected]','aes256-ctr', +                          'aes192-ctr','[email protected]','aes128-ctr', +                          'aes128-cbc','3des-cbc']}]}, + {mac,[{client2server,['hmac-sha2-256','hmac-sha2-512', +                       'hmac-sha1']}, +       {server2client,['hmac-sha2-256','hmac-sha2-512', +                       'hmac-sha1']}]}, + {compression,[{client2server,[none,'[email protected]',zlib]}, +               {server2client,[none,'[email protected]',zlib]}]}] + +      </code> +      <p>And the result shows that the Diffie-Hellman Group1 is added at the head of the kex list</p> +    </section> +     +    <section> +      <title>Example 6</title> +      <p>In this example, we in put the 'diffie-hellman-group1-sha1' first and also move the +      <c>'ecdh-sha2-nistp521'</c> to the end in the kex list, that is, <c>append</c> it.</p> +      <code type="erl"> +6> ssh:chk_algos_opts( +         
[{modify_algorithms, +	       [{prepend, +	           [{kex, ['diffie-hellman-group1-sha1']} +		   ]}, +		{append, +                   [{kex, ['ecdh-sha2-nistp521']} +                   ]} +	       ] +          } +        ]). +[{kex,['diffie-hellman-group1-sha1','ecdh-sha2-nistp384', +       'ecdh-sha2-nistp256','diffie-hellman-group-exchange-sha256', +       'diffie-hellman-group16-sha512', +       'diffie-hellman-group18-sha512', +       'diffie-hellman-group14-sha256', +       'diffie-hellman-group14-sha1', +       'diffie-hellman-group-exchange-sha1','ecdh-sha2-nistp521']}, + {public_key,['ecdsa-sha2-nistp384','ecdsa-sha2-nistp521', +   ..... +]  +      </code> +      <p>Note that the appended algorithm is removed from its original place and then appended to the same list.</p> +    </section> +     +    <section> +      <title>Example 7</title> +      <p>In this example, we use both options (<c>preferred_algorithms</c> and <c>modify_algorithms</c>) and +      also try to prepend an unsupported algorithm.   Any unsupported algorithm is quietly removed.</p> +      <code type="erl"> +7> ssh:chk_algos_opts( +         [{preferred_algorithms, +               [{cipher,['aes128-ctr']}, +	        {mac,['hmac-sha2-256']}, +                {kex,['ecdh-sha2-nistp384']}, +		{public_key,['ssh-rsa']}, +		{compression,[{server2client,[none]}, +		              {client2server,[zlib]}]} +               ] +           }, +          {modify_algorithms, +	       [{prepend, +	           [{kex, ['some unsupported algorithm']} +		   ]}, +		{append, +                   [{kex, ['diffie-hellman-group1-sha1']} +                   ]} +	       ] +          } +        ]). 
+[{kex,['ecdh-sha2-nistp384','diffie-hellman-group1-sha1']}, + {public_key,['ssh-rsa']}, + {cipher,[{client2server,['aes128-ctr']}, +          {server2client,['aes128-ctr']}]}, + {mac,[{client2server,['hmac-sha2-256']}, +       {server2client,['hmac-sha2-256']}]}, + {compression,[{client2server,[zlib]}, +               {server2client,[none]}]}] + +      </code> +      <p>It is of course questionable why anyone would like to use the both these options together, +      but it is possible if an unforeseen need should arise.</p> +    </section> +     +     +     +  </section> + +</chapter> diff --git a/lib/ssh/doc/src/notes.xml b/lib/ssh/doc/src/notes.xml index c8c6e61cc8..4ba75b761f 100644 --- a/lib/ssh/doc/src/notes.xml +++ b/lib/ssh/doc/src/notes.xml @@ -4,7 +4,7 @@  <chapter>    <header>      <copyright> -      <year>2004</year><year>2016</year> +      <year>2004</year><year>2017</year>        <holder>Ericsson AB. All Rights Reserved.</holder>      </copyright>      <legalnotice> 
@@ -30,6 +30,234 @@      <file>notes.xml</file>    </header> +<section><title>Ssh 4.6</title> + +    <section><title>Fixed Bugs and Malfunctions</title> +      <list> +        <item> +          <p> +	    Enables the <c>ssh_io module</c> to also accept binary +	    values when reading standard_io instead of getting stuck +	    in the receive clause.</p> +          <p> +	    Own Id: OTP-14506 Aux Id: PR1503 </p> +        </item> +        <item> +          <p> +	    Previously, the file owner access permission in response +	    to ssh_sftp:read_file_info/2 function was always +	    <c>read_write</c>. With this fix, the actual value of +	    file owner access permission is added to the returning +	    record. That value is calculated from file mode value.</p> +          <p> +	    Own Id: OTP-14550 Aux Id: PR1533 </p> +        </item> +      </list> +    </section> + + +    <section><title>Improvements and New Features</title> +      <list> +        <item> +          <p> +	    A new option <c>modify_algorithms</c> is implemented. It +	    enables specifying changes on the default algorithms +	    list. See the reference manual and the SSH User's Guide +	    chapter "Configuring algorithms in SSH".</p> +          <p> +	    Own Id: OTP-14568</p> +        </item> +      </list> +    </section> + +</section> + +<section><title>Ssh 4.5.1</title> + +    <section><title>Fixed Bugs and Malfunctions</title> +      <list> +        <item> +          <p> +	    All unknown options are sent to the transport handler +	    regardless of type.</p> +          <p> +	    Own Id: OTP-14541 Aux Id: EIRERL-63 </p> +        </item> +      </list> +    </section> + +</section> + +<section><title>Ssh 4.5</title> + +    <section><title>Improvements and New Features</title> +      <list> +        <item> +          <p> +	    The internal handling of SSH options is re-written.</p> +          <p> +	    Previously there were no checks if a client option was +	    given to a daemon or vice versa. 
This is corrected now. +	    If your code has e.g. a client-only option in a call to +	    start a daemon, the call will fail.</p> +          <p> +	    *** POTENTIAL INCOMPATIBILITY ***</p> +          <p> +	    Own Id: OTP-12872</p> +        </item> +        <item> +          <p> +	    Modernization of key exchange algorithms. See +	    draft-ietf-curdle-ssh-kex-sha2 for a discussion.</p> +          <p> +	    Removed an outdated weak algorithm and added stronger +	    replacements to keep interoperability with other modern +	    ssh clients and servers. The default ordering of the +	    algorithms is also adjusted.</p> +          <p> +	    Retired: The nowadays unsecure key-exchange +	    <c>diffie-hellman-group1-sha1</c> is not enabled by +	    default, but can be enabled with the option +	    <c>preferred-algorithms</c>.</p> +          <p> +	    Added: The new stronger key-exchange +	    <c>diffie-hellman-group16-sha512</c>, +	    <c>diffie-hellman-group18-sha512</c> and +	    <c>diffie-hellman-group14-sha256</c> are added and +	    enabled by default.</p> +          <p> +	    The questionable [RFC 6194] sha1-based algorithms +	    <c>diffie-hellman-group-exchange-sha1</c> and +	    <c>diffie-hellman-group14-sha1</c> are however still kept +	    enabled by default for compatibility with ancient clients +	    and servers that lack modern key-exchange alternatives. +	    When the draft-ietf-curdle-ssh-kex-sha2 becomes an rfc, +	    those sha1-based algorithms and +	    <c>diffie-hellman-group1-sha1</c> will be deprecated by +	    IETF. 
They might then be removed from the default list in +	    Erlang/OTP.</p> +          <p> +	    *** POTENTIAL INCOMPATIBILITY ***</p> +          <p> +	    Own Id: OTP-14110</p> +        </item> +        <item> +          <p> +	    Modernized internal representation of sftp by use of +	    maps.</p> +          <p> +	    Own Id: OTP-14117</p> +        </item> +        <item> +          <p> +	    The Extension Negotiation Mechanism and the extension +	    <c>server-sig-algs</c> in +	    draft-ietf-curdle-ssh-ext-info-05 are implemented.</p> +          <p> +	    The related draft-ietf-curdle-rsa-sha2-05 is implemented +	    and introduces the signature algorithms +	    <c>rsa-sha2-256</c> and <c>rsa-sha2-512</c>.</p> +          <p> +	    Own Id: OTP-14193</p> +        </item> +        <item> +          <p> +	    The 'timeout' and 'connect_timeout' handling in +	    ssh_sftp:start_channel documentation is clarified.</p> +          <p> +	    Own Id: OTP-14216</p> +        </item> +        <item> +          <p> +	    The functions <c>ssh:connect</c>, <c>ssh:shell</c> and +	    <c>ssh:start_channel</c> now accept an IP-tuple as Host +	    destination argument.</p> +          <p> +	    Own Id: OTP-14243</p> +        </item> +        <item> +          <p> +	    The function <c>ssh:daemon_info/1</c> now returns Host +	    and Profile as well as the Port info in the property +	    list.</p> +          <p> +	    Own Id: OTP-14259</p> +        </item> +        <item> +          <p> +	    Removed the option <c>public_key_alg</c> which was +	    deprecated in 18.2. Use <c>pref_public_key_algs</c> +	    instead.</p> +          <p> +	    *** POTENTIAL INCOMPATIBILITY ***</p> +          <p> +	    Own Id: OTP-14263</p> +        </item> +        <item> +          <p> +	    The SSH application is refactored regarding daemon +	    starting. The resolution of contradicting <c>Host</c> +	    argument and <c>ip</c> option were not described. 
There +	    were also strange corner cases when the <c>'any'</c> +	    value was used in <c>Host</c> argument or <c>ip</c> +	    option. This is (hopefully) resolved now, but it may +	    cause incompatibilities for code using both <c>Host</c> +	    and the <c>ip</c> option. The value 'loopback' has been +	    added for a correct way of naming those addresses.</p> +          <p> +	    *** POTENTIAL INCOMPATIBILITY ***</p> +          <p> +	    Own Id: OTP-14264</p> +        </item> +        <item> +          <p> +	    The supervisor code is refactored. The naming of +	    listening IP-Port-Profile triples are slightly changed to +	    improve consistency in strange corner cases as resolved +	    by OTP-14264</p> +          <p> +	    Own Id: OTP-14267 Aux Id: OTP-14266 </p> +        </item> +        <item> +          <p> +	    The <c>idle_time</c> option can now be used in daemons.</p> +          <p> +	    Own Id: OTP-14312</p> +        </item> +        <item> +          <p> +	    Added test cases for IETF-CURDLE Extension Negotiation +	    (ext-info)</p> +          <p> +	    Own Id: OTP-14361</p> +        </item> +        <item> +          <p> +	    Testcases for IETF-CURDLE extension +	    <c>server-sig-algs</c> including <c>rsa-sha2-*</c></p> +          <p> +	    Own Id: OTP-14362 Aux Id: OTP-14361 </p> +        </item> +        <item> +          <p> +	    The option <c>auth_methods</c> can now also be used in +	    clients to select which authentication options that are +	    used and in which order.</p> +          <p> +	    Own Id: OTP-14399</p> +        </item> +        <item> +          <p> +	    Checks that a ECDSA public key (<c>ecdsa-sha2-nistp*</c>) +	    stored in a file has the correct size.</p> +          <p> +	    Own Id: OTP-14410</p> +        </item> +      </list> +    </section> + +</section> +  <section><title>Ssh 4.4.2</title>      <section><title>Fixed Bugs and Malfunctions</title> 
diff --git a/lib/ssh/doc/src/ssh.xml b/lib/ssh/doc/src/ssh.xml index 604b9f5bbb..337f4094cc 100644 --- a/lib/ssh/doc/src/ssh.xml +++ b/lib/ssh/doc/src/ssh.xml @@ -108,6 +108,9 @@        <tag><c>double_algs() =</c></tag>        <item><p><c>[{client2serverlist,simple_algs()},{server2client,simple_algs()}] | simple_algs()</c></p></item> + +      <tag><c>modify_algs_list() =</c></tag> +      <item><p><c>list( {append,algs_list()} | {prepend,algs_list()} | {rm,algs_list()} )</c></p></item>       </taglist>  </section> @@ -175,6 +178,12 @@  	    supplied with this option.  	    </p>  	  </item> +	  <tag><c><![CDATA[{ecdsa_pass_phrase, string()}]]></c></tag> +	  <item> +	    <p>If the user ECDSA key is protected by a passphrase, it can be +	    supplied with this option. +	    </p> +	  </item>            <tag>              <c><![CDATA[{silently_accept_hosts, boolean()}]]></c> <br/>              <c><![CDATA[{silently_accept_hosts, CallbackFun}]]></c> <br/> 
@@ -243,31 +252,19 @@  	    <p><c>Peer</c> is in the format of <c>{Host,Port}</c>.</p>  	  </item> -	  <tag><c><![CDATA[{public_key_alg, 'ssh-rsa' | 'ssh-dss'}]]></c></tag> -	  <item> -	    <note> -	      <p>This option will be removed in OTP 20, but is kept for compatibility. It is ignored if -	      the preferred <c>pref_public_key_algs</c> option is used.</p> -	    </note> -            <p>Sets the preferred public key algorithm to use for user -	    authentication. If the preferred algorithm fails, -	    the other algorithm is tried. If <c>{public_key_alg, 'ssh-rsa'}</c> is set, it is translated -	    to <c>{pref_public_key_algs, ['ssh-rsa','ssh-dss']}</c>.  If it is  -	    <c>{public_key_alg, 'ssh-dss'}</c>, it is translated -	    to <c>{pref_public_key_algs, ['ssh-dss','ssh-rsa']}</c>. -	    </p> -	  </item> -  	  <tag><c><![CDATA[{pref_public_key_algs, list()}]]></c></tag>  	  <item>              <p>List of user (client) public key algorithms to try to use.</p> -	    <p>The default value is  -	    <c><![CDATA[['ssh-rsa','ssh-dss','ecdsa-sha2-nistp256','ecdsa-sha2-nistp384','ecdsa-sha2-nistp521'] ]]></c> +	    <p>The default value is the <c>public_key</c> entry in  +	    <seealso marker="#default_algorithms/0">ssh:default_algorithms/0</seealso>. +	    </p> +	    <p>If there is no public key of a specified type available, the corresponding entry is ignored. +	    Note that the available set is dependent on the underlying cryptolib and current user's public keys.  	    </p> -	    <p>If there is no public key of a specified type available, the corresponding entry is ignored.</p>  	  </item> -	  <tag><c><![CDATA[{preferred_algorithms, algs_list()}]]></c></tag> +	  <tag><marker id="option_preferred_algorithms"></marker> +	  <c><![CDATA[{preferred_algorithms, algs_list()}]]></c></tag>  	  <item>              <p>List of algorithms to use in the algorithm negotiation. 
The default <c>algs_list()</c> can  	    be obtained from <seealso marker="#default_algorithms/0">default_algorithms/0</seealso>. @@ -288,6 +285,8 @@  	for cipher but specifies the same algorithms for mac and compression in both directions.  	The kex (key exchange) is implicit but public_key is set explicitly.</p> +	<p>For background and more examples see the <seealso marker="configure_algos#introduction">User's Guide</seealso>.</p> +          <warning>  	  <p>Changing the values can make a connection less secure. Do not change unless you  	  know exactly what you are doing. If you do not understand the values then you 
@@ -295,6 +294,62 @@  	</warning>  	  </item> +	  <tag><marker id="option_modify_algorithms"></marker> +	  <c><![CDATA[{modify_algorithms, modify_algs_list()}]]></c></tag> +	  <item> +	    <p>Modifies the list of algorithms to use in the algorithm negotiation. The modifications are +	    applied after the option <c>preferred_algorithms</c> (if existing) is applied.</p> +	    <p>The algoritm for modifications works like this:</p> +	    <list> +	      <item> +		<p>Input is the <c>modify_algs_list()</c> and a set of algorithms <c>A</c> +		obtained from the <c>preferred_algorithms</c> option if existing, or else from the +		<seealso marker="ssh#default_algorithms-0">ssh:default_algorithms/0</seealso>. +		</p> +	      </item> +	      <item> +		<p>The head of the <c>modify_algs_list()</c> modifies <c>A</c> giving the result <c>A'</c>.</p> +		<p>The possible modifications are:</p> +		<list> +		  <item> +		    <p>Append or prepend supported but not enabled algorithm(s) to the list of +		    algorithms. If the wanted algorithms already are in <c>A</c> they will first +		    be removed and then appended or prepended, +		    </p> +		  </item> +		  <item> +		    <p>Remove (rm) one or more algorithms from <c>A</c>. +		    </p> +		  </item> +		</list> +	      </item> +	      <item> +		<p>Repeat the modification step with the tail of <c>modify_algs_list()</c> and the resulting +		<c>A'</c>. +		</p> +	      </item> +	    </list> +	    <p>If an unsupported algorithm is in the <c>modify_algs_list()</c>, it will be silently ignored</p> +	    <p>If there are more than one modify_algorithms options, the result is undefined.</p> +	    <p>Here is an example of this option:</p> +	<code> +{modify_algorithms,  + [{prepend, [{kex, ['diffie-hellman-group1-sha1']}], +  {rm,      [{compression, [none]}]} + ] +} +</code> +          <p>The example specifies that:</p> +	  <list> +	    <item><p>the old key exchange algorithm 'diffie-hellman-group1-sha1' should be +	    the main alternative. 
It will be the main alternative since it is prepened to the list</p> +	    </item> +	    <item><p>The compression algorithm none (= no compression) is removed so compression is enforced</p> +	    </item> +	  </list> +	  <p>For background and more examples see the <seealso marker="configure_algos#introduction">User's Guide</seealso>.</p> +	  </item> +  	  <tag><c><![CDATA[{dh_gex_limits,{Min=integer(),I=integer(),Max=integer()}}]]></c></tag>  	  <item>  	    <p>Sets the three diffie-hellman-group-exchange parameters that guides the connected server in choosing a group. @@ -308,6 +363,15 @@  	    connection. For <c>gen_tcp</c> the time is in milli-seconds and the default value is  	    <c>infinity</c>.</p>  	  </item> + +	  <tag><c><![CDATA[{auth_methods, string()}]]></c></tag> +	  <item> +	    <p>Comma-separated string that determines which +	    authentication methods that the client shall support and +	    in which order they are tried. Defaults to +	    <c><![CDATA["publickey,keyboard-interactive,password"]]></c></p> +          </item> +  	  <tag><c><![CDATA[{user, string()}]]></c></tag>            <item>  	    <p>Provides a username. If this option is not given, <c>ssh</c> @@ -315,6 +379,7 @@  	    <c><![CDATA[USER]]></c> on UNIX,  	    <c><![CDATA[USERNAME]]></c> on Windows).</p>            </item> +  	  <tag><c><![CDATA[{password, string()}]]></c></tag>            <item>  	    <p>Provides a password for password authentication. 
@@ -322,6 +387,30 @@  	    password, if the password authentication method is  	    attempted.</p>            </item> + +	  <!--tag><c><![CDATA[{send_ext_info, boolean()}]]></c></tag> +          <item> +	    <p>Send a list of extensions to the server if the server has asked for it.  See  +	    <url href="https://tools.ietf.org/html/draft-ietf-curdle-ssh-ext-info">Draft-ietf-curdle-ssh-ext-info (work in progress)</url> for details. +	    </p> +	    <p>Currently the client do not react on any extensions. +	    </p> +	    <p>Default value is <c>true</c>. +	    </p> +          </item--> + +	  <tag><c><![CDATA[{recv_ext_info, boolean()}]]></c></tag> +          <item> +	    <p>Tell the server that the client accepts extension negotiation.  See  +	    <url href="https://tools.ietf.org/html/draft-ietf-curdle-ssh-ext-info">Draft-ietf-curdle-ssh-ext-info (work in progress)</url> for details. +	    </p> +	    <p>Currently implemented extension is <c>server-sig-algs</c> which is the list of the server's preferred +	    user's public key algorithms. +	    </p> +	    <p>Default value is <c>true</c>. +	    </p> +          </item> +  	  <tag><c><![CDATA[{key_cb, key_cb()}]]></c></tag>  	  <item>  	    <p>Module implementing the behaviour <seealso @@ -331,6 +420,7 @@  	    module via the options passed to it under the key 'key_cb_private'.  	    </p>  	  </item> +  	  <tag><c><![CDATA[{quiet_mode, atom() = boolean()}]]></c></tag>  	  <item>  	    <p>If <c>true</c>, the client does not print anything on authorization.</p> @@ -394,7 +484,7 @@        on the given port.</fsummary>        <type>          <v>Port = integer()</v> -	<v>HostAddress = ip_address() | any</v> +	<v>HostAddress = ip_address() | any | loopback</v>  	<v>Options = [{Option, Value}]</v>          <v>Option = atom()</v>  	<v>Value = term()</v> 
@@ -405,6 +495,26 @@          <p>Starts a server listening for SSH connections on the given          port. If the <c>Port</c> is 0, a random free port is selected. See  	<seealso marker="#daemon_info/1">daemon_info/1</seealso> about how to find the selected port number.</p> + +	<p>Please note that by historical reasons both the <c>HostAddress</c> argument and the inet socket option +	<c>ip</c> set the listening address. This is a source of possible inconsistent settings.</p> + +	<p>The rules for handling the two address passing options are:</p> +	<list> +	  <item>if <c>HostAddress</c> is an IP-address, that IP-address is the listening address. +	  An 'ip'-option will be discarded if present.</item> + +	  <item>if <c>HostAddress</c> is <c>loopback</c>, the listening address +	  is <c>loopback</c> and an loopback address will be choosen by the underlying layers. +	  An 'ip'-option will be discarded if present.</item> + +	  <item>if <c>HostAddress</c> is <c>any</c> and no 'ip'-option is present, the listening address is +	  <c>any</c> and the socket will listen to all addresses</item> + +	  <item>if <c>HostAddress</c> is <c>any</c> and an 'ip'-option is present, the listening address is +	  set to the value of the 'ip'-option</item> +	</list> +  	<p>Options:</p>          <taglist>  	  <tag><c><![CDATA[{inet, inet | inet6}]]></c></tag> @@ -461,6 +571,7 @@  	    authentication methods that the server is to support and  	    in what order they are tried. Defaults to  	    <c><![CDATA["publickey,keyboard-interactive,password"]]></c></p> +	    <p>Note that the client is free to use any order and to exclude methods.</p>            </item>  	  <tag><c><![CDATA[{auth_method_kb_interactive_data, PromptTexts}]]></c> 
@@ -512,6 +623,8 @@  	for cipher but specifies the same algorithms for mac and compression in both directions.  	The kex (key exchange) is implicit but public_key is set explicitly.</p> +	<p>For background and more examples see the <seealso marker="configure_algos#introduction">User's Guide</seealso>.</p> +          <warning>  	  <p>Changing the values can make a connection less secure. Do not change unless you  	  know exactly what you are doing. If you do not understand the values then you 
@@ -519,6 +632,41 @@  	</warning>  	  </item> +	  <tag><marker id="option_modify_algorithms"></marker> +	  <c><![CDATA[{modify_algorithms, modify_algs_list()}]]></c></tag> +	  <item> +	    <p>Modifies the list of algorithms to use in the algorithm negotiation. The modifications are +	    applied after the option <c>preferred_algorithms</c> is applied (if existing)</p> +	    <p>The possible modifications are to:</p> +	    <list> +	      <item><p>Append or prepend supported but not enabled algorithm(s) to the list of +	      algorithms.</p><p>If the wanted algorithms already are in the list of algorithms, they will first +	      be removed and then appended or prepended. +	    </p> +	      </item> +	      <item><p>Remove (rm) one or more algorithms from the list of algorithms.</p></item> +	    </list> +	    <p>If an unsupported algorithm is in the list, it will be silently ignored</p> + +	    <p>Here is an example of this option:</p> +	<code> +{modify_algorithms,  + [{prepend, [{kex, ['diffie-hellman-group1-sha1']}], +  {rm,      [{compression, [none]}]} + ] +} +</code> +          <p>The example specifies that:</p> +	  <list> +	    <item><p>the old key exchange algorithm 'diffie-hellman-group1-sha1' should be +	    the main alternative. It will be the main alternative since it is prepened to the list</p> +	    </item> +	    <item><p>The compression algorithm none (= no compression) is removed so compression is enforced</p> +	    </item> +	  </list> +	  <p>For background and more examples see the <seealso marker="configure_algos#introduction">User's Guide</seealso>.</p> +	  </item> +  	  <tag><c><![CDATA[{dh_gex_groups, [{Size=integer(),G=integer(),P=integer()}] | {file,filename()} {ssh_moduli_file,filename()} }]]></c></tag>  	  <item>  	    <p>Defines the groups the server may choose among when diffie-hellman-group-exchange is negotiated. 
@@ -665,6 +813,27 @@  	    </p>  	  </item> +	  <tag><c><![CDATA[{send_ext_info, boolean()}]]></c></tag> +          <item> +	    <p>Send a list of extensions to the client if the client has asked for it. See  +	    <url href="https://tools.ietf.org/html/draft-ietf-curdle-ssh-ext-info">Draft-ietf-curdle-ssh-ext-info (work in progress)</url> for details. +	    </p> +	    <p>Currently implemented extension is sending <c>server-sig-algs</c> which is the list of the server's preferred +	    user's public key algorithms. +	    </p> +	    <p>Default value is <c>true</c>. +	    </p> +          </item> + +	  <!--tag><c><![CDATA[{recv_ext_info, boolean()}]]></c></tag> +          <item> +	    <p>Tell the client that the server accepts extension negotiation.  See  +	    <url href="https://tools.ietf.org/html/draft-ietf-curdle-ssh-ext-info">Draft-ietf-curdle-ssh-ext-info (work in progress)</url> for details. +	    </p> +	    <p>Default value is <c>true</c>. +	    </p> +          </item--> +  	  <tag><c><![CDATA[{key_cb, key_cb()}]]></c></tag>  	  <item>  	    <p>Module implementing the behaviour <seealso @@ -714,6 +883,12 @@  	    <p><c>Peer</c> is in the format of <c>{Host,Port}</c>.</p>  	  </item> +	  <tag><c><![CDATA[{idle_time, integer()}]]></c></tag> +	  <item> +	  <p>Sets a time-out on a connection when no channels are active. +	  Defaults to <c>infinity</c>.</p> +	  </item> +  	  <tag><c><![CDATA[{ssh_msg_debug_fun, fun(ConnectionRef::ssh_connection_ref(), AlwaysDisplay::boolean(), Msg::binary(), LanguageTag::binary()) -> _}]]></c></tag>  	  <item>  	    <p>Provide a fun to implement your own logging of the SSH message SSH_MSG_DEBUG. The last three parameters are from the message, see RFC4253, section 11.3. The <c>ConnectionRef</c> is the reference to the connection on which the message arrived. The return value from the fun is not checked.</p> 
@@ -726,9 +901,10 @@      </func>      <func> -      <name>daemon_info(Daemon) -> {ok, [{port,Port}]} | {error,Error}</name> +      <name>daemon_info(Daemon) -> {ok, [DaemonInfo]} | {error,Error}</name>        <fsummary>Get info about a daemon</fsummary>        <type> +	<v>DaemonInfo = {port,Port::pos_integer()} | {listen_address, any|ip_address()} | {profile,atom()}</v>          <v>Port = integer()</v>  	<v>Error = bad_daemon_ref</v>        </type> diff --git a/lib/ssh/doc/src/ssh_app.xml b/lib/ssh/doc/src/ssh_app.xml index 5cc4c24889..1cbbdfcf38 100644 --- a/lib/ssh/doc/src/ssh_app.xml +++ b/lib/ssh/doc/src/ssh_app.xml @@ -4,7 +4,7 @@  <appref>    <header>      <copyright> -      <year>2012</year><year>2016</year> +      <year>2012</year><year>2017</year>        <holder>Ericsson AB. All Rights Reserved.</holder>      </copyright>      <legalnotice> @@ -97,7 +97,7 @@      <p>The <c>known_hosts</c> file contains a list of approved servers and        their public keys. Once a server is listed, it can be verified        without user interaction. -      </p> +     </p>    </section>   <section>      <title>Authorized Keys</title> @@ -109,7 +109,7 @@    </section>   <section>      <title>Host Keys</title> -    <p>RSA and DSA host keys are supported and are +    <p>RSA, DSA and ECDSA host keys are supported and are         expected to be found in files named <c>ssh_host_rsa_key</c>,         <c>ssh_host_dsa_key</c> and <c>ssh_host_ecdsa_key</c>.         </p> @@ -135,7 +135,7 @@      </p>      <p>Supported algorithms are:</p> - +    <marker id="supported_algos"></marker>      <taglist>        <tag>Key exchange algorithms</tag>        <item> 
@@ -146,7 +146,10 @@  	  <item>diffie-hellman-group-exchange-sha1</item>  	  <item>diffie-hellman-group-exchange-sha256</item>  	  <item>diffie-hellman-group14-sha1</item> -	  <item>diffie-hellman-group1-sha1</item> +	  <item>diffie-hellman-group14-sha256</item> +	  <item>diffie-hellman-group16-sha512</item> +	  <item>diffie-hellman-group18-sha512</item> +	  <item>(diffie-hellman-group1-sha1, retired: can be enabled with the <c>preferred_algorithms</c> option)</item>  	</list>        </item> @@ -158,6 +161,8 @@  	  <item>ecdsa-sha2-nistp521</item>  	  <item>ssh-rsa</item>  	  <item>ssh-dss</item> +	  <item>rsa-sha2-256</item> +	  <item>rsa-sha2-512</item>  	</list>        </item> @@ -173,21 +178,23 @@        <tag>Encryption algorithms (ciphers)</tag>        <item>  	<list type="bulleted"> -	  <item>[email protected] (AEAD_AES_128_GCM)</item> -          <item>[email protected] (AEAD_AES_256_GCM)</item> +          <item>[email protected]</item> +          <item>[email protected]</item>  	  <item>aes128-ctr</item>  	  <item>aes192-ctr</item>  	  <item>aes256-ctr</item>  	  <item>aes128-cbc</item>  	  <item>3des-cbc</item> +	  <item>(AEAD_AES_128_GCM, not enabled per default)</item> +          <item>(AEAD_AES_256_GCM, not enabled per default)</item>  	</list> +	<p>See the text at the description of <seealso marker="#rfc5647_note">the rfc 5647 further down</seealso> +	for more information regarding AEAD_AES_*_GCM. +	</p>  	<p>Following the internet de-facto standard, the cipher and mac algorithm AEAD_AES_128_GCM is selected when the   	cipher [email protected] is negotiated. The cipher and mac algorithm AEAD_AES_256_GCM is selected when the  	cipher [email protected] is negotiated.  	</p> -	<p>See the text at the description of <seealso marker="#rfc5647_note">the rfc 5647 further down</seealso> -	for more information. -	</p>        </item>        <tag>Compression algorithms</tag> 
@@ -232,7 +239,11 @@        </item>        <item><url href="https://tools.ietf.org/html/rfc4253">RFC 4253</url>, The Secure Shell (SSH) Transport Layer Protocol. -       <p></p> +      <p>Except</p> +      <list type="bulleted"> +	<item>8.1.  diffie-hellman-group1-sha1. Disabled by default, can be enabled with the <c>preferred_algorithms</c> option.</item> +      </list> +      <p/>        </item>        <item><url href="https://tools.ietf.org/html/rfc4254">RFC 4254</url>, The Secure Shell (SSH) Connection Protocol. 
@@ -306,6 +317,30 @@        <p>Comment: Defines hmac-sha2-256 and hmac-sha2-512        </p>        </item> + +      <item><url href="https://tools.ietf.org/html/draft-ietf-curdle-ssh-kex-sha2">Draft-ietf-curdle-ssh-kex-sha2 (work in progress)</url>, Key Exchange (KEX) Method Updates and Recommendations for Secure Shell (SSH). +      <p>Deviations:</p> +      <list type="bulleted"> +	<item>The <c>diffie-hellman-group1-sha1</c> is not enabled by default, but is still supported and can be enabled +	with the option <c>preferred-algorithms</c></item> +	<item>The questionable sha1-based algorithms <c>diffie-hellman-group-exchange-sha1</c> and +	<c>diffie-hellman-group14-sha1</c> are still enabled by default for compatibility with ancient clients and servers. +	They can be disabled with the option <c>preferred-algorithms</c></item> +      </list> +      <p/> +      </item> + +      <item><url href="https://tools.ietf.org/html/draft-ietf-curdle-rsa-sha2">Draft-ietf-curdle-rsa-sha2 (work in progress)</url>, Use of RSA Keys with SHA-2 256 and 512 in Secure Shell (SSH). +      </item> +       +      <item><url href="https://tools.ietf.org/html/draft-ietf-curdle-ssh-ext-info">Draft-ietf-curdle-ssh-ext-info (work in progress)</url>, Extension Negotiation in Secure Shell (SSH). +      <p>Implemented are:</p> +      <list type="bulleted"> +	<item>The Extension Negotiation Mechanism</item> +	<item>The extension <c>server-sig-algs</c></item> +      </list> +      <p/> +      </item>      </list> diff --git a/lib/ssh/doc/src/ssh_sftp.xml b/lib/ssh/doc/src/ssh_sftp.xml index eb6f43d417..ed7fbf9cf3 100644 --- a/lib/ssh/doc/src/ssh_sftp.xml +++ b/lib/ssh/doc/src/ssh_sftp.xml @@ -4,7 +4,7 @@  <erlref>    <header>      <copyright> -      <year>2005</year><year>2016</year> +      <year>2005</year><year>2017</year>        <holder>Ericsson AB. All Rights Reserved.</holder>      </copyright>      <legalnotice> 
@@ -558,8 +558,14 @@  	<taglist>            <tag><c><![CDATA[{timeout, timeout()}]]></c></tag>  	  <item> -	    <p>The time-out is passed to the <c>ssh_channel</c> start function, -	    and defaults to <c>infinity</c>.</p> +	    <p>There are two ways to set a timeout for the underlying ssh connection:</p> +	    <list> +	      <item>If the connection timeout option <c>connect_timeout</c> is set, that value +	      is used also for the negotiation timeout and this option (<c>timeout</c>) is ignored.</item> +	      <item>Otherwise, this option (<c>timeout</c>) is used as the negotiation timeout +	      only and there is no connection timeout set</item> +	    </list> +	    <p>The value defaults to <c>infinity</c>.</p>  	  </item>  	  <tag>  	    <c><![CDATA[{sftp_vsn, integer()}]]></c> diff --git a/lib/ssh/doc/src/usersguide.xml b/lib/ssh/doc/src/usersguide.xml index 70051ba771..d902df6848 100644 --- a/lib/ssh/doc/src/usersguide.xml +++ b/lib/ssh/doc/src/usersguide.xml @@ -36,4 +36,5 @@    </description>    <xi:include href="introduction.xml"/>    <xi:include href="using_ssh.xml"/> +  <xi:include href="configure_algos.xml"/>  </part> | 
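Review bot: in the `@@ -295,6 +294,62 @@` hunk (client-side `modify_algorithms`) the worked example prepends `diffie-hellman-group1-sha1`, the very algorithm the same patch marks "retired" in ssh_app.xml and "Disabled by default" in the RFC 4253 deviations, and it does so directly under a warning that changes "can make a connection less secure". Either use a neutral example (the `{rm, [{compression, [none]}]}` part alone already demonstrates the mechanism) or add one sentence saying the example deliberately re-enables a weak SHA-1 key exchange for legacy peers, so it is not copied blindly. The sentence "If there are more than one modify_algorithms options, the result is undefined" should be resolved (first wins, last wins, or `{error, ...}`) rather than documented as undefined, since an undefined merge of security settings cannot be audited. Typos: "algoritm", "prepened".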
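Review bot: the new client `auth_methods` text in `@@ -308,6 +363,15 @@` says the string "determines which authentication methods that the client shall support" but does not say what happens when that list has no method in common with what the server offers (the server-side hunk `@@ -461,6 +571,7 @@` now notes "the client is free to use any order and to exclude methods"); state whether authentication simply fails. Grammar: drop the stray "that" in "which authentication methods that the client shall support".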
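Review bot: a commented-out `<!--tag ... send_ext_info ... -->` block is left in the client option list in `@@ -322,6 +387,30 @@` (and a mirror `<!--tag ... recv_ext_info ... -->` in the daemon list in `@@ -665,6 +813,27 @@`); either document the option or delete the dead markup, otherwise the next editor cannot tell whether the option exists. The commented text "Currently the client do not react on any extensions" also contradicts the live `recv_ext_info` text just below it, "Currently implemented extension is server-sig-algs". Grammar in the live text: "the client do not react" should be "does not react". Since both entries point at an Internet-Draft marked "work in progress", note which draft revision the `server-sig-algs` handling follows; the wire format can change between revisions.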
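Review bot: the address-precedence rules in `@@ -405,6 +495,26 @@` say an inet `ip` option "will be discarded if present" when `HostAddress` is an IP address or `loopback`. Silently dropping an operator-supplied bind address is a security-relevant failure mode (a daemon meant for one interface ends up on another), so log a warning or return `{error, ...}` on a conflicting pair, and at minimum put the discard rule in a `<note>` rather than plain text. Wording: "by historical reasons" should be "for historical reasons", and "an loopback address will be choosen" should be "a loopback address will be chosen".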
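Review bot: the daemon-side `modify_algorithms` entry in `@@ -519,6 +632,41 @@` reuses `<marker id="option_modify_algorithms">` already declared for the client-side entry in `@@ -295,6 +294,62 @@` of the same file, so any `#option_modify_algorithms` link is ambiguous; give the two markers distinct ids or document the option once and link to it. The daemon text also omits the head/tail evaluation order and the "more than one modify_algorithms options" sentence that the client text has; keep the two descriptions identical or they will drift. Same "prepened" typo here.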
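Review bot: `{idle_time, integer()}` in `@@ -714,6 +883,12 @@` states neither the unit nor what happens at expiry. The `gen_tcp` timeout text in `@@ -308,6 +363,15 @@` spells out "the time is in milli-seconds"; do the same here and say that the connection is closed when the timer fires, since this option is also the server's defence against clients holding authenticated but idle connections open indefinitely.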
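Review bot: in the `daemon_info` hunk `@@ -726,9 +901,10 @@`, `Port` is typed twice and inconsistently (`Port::pos_integer()` inside `DaemonInfo`, then `<v>Port = integer()</v>`); drop the second line or make both `pos_integer()`. `{listen_address, any|ip_address()}` does not include `loopback`, which this same patch adds as a `HostAddress` value in `@@ -394,7 +484,7 @@`; say whether the atom or the resolved loopback IP is returned.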
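Review bot: the retired-algorithm entry in the key exchange list of `@@ -146,7 +146,10 @@` says `diffie-hellman-group1-sha1` "can be enabled with the `preferred_algorithms` option", but this patch adds `modify_algorithms` with `prepend`/`append` precisely for re-enabling a single supported-but-disabled algorithm without restating the whole list; reference both options here and in the RFC 4253 "Except" item in `@@ -232,7 +239,11 @@`, and replace the bare "Except" with the "Deviations:" wording used for the drafts further down so the two lists read the same way.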
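Review bot: in the cipher list of `@@ -173,21 +178,23 @@` the OpenSSH GCM cipher names appear as "[email protected]", which is the web front-end's e-mail obfuscation mangling the `@openssh.com` suffix, not the source text; confirm the committed XML reads `aes128-gcm@openssh.com` and `aes256-gcm@openssh.com` and that the rendered HTML does not hide them, since those strings are what an operator has to put in `preferred_algorithms`. The two "(AEAD_AES_*_GCM, not enabled per default)" items should say how to enable them (which option and which list), given the paragraph below states they are selected implicitly when the `@openssh.com` ciphers are negotiated.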
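Review bot: the Draft-ietf-curdle-ssh-kex-sha2 deviations in `@@ -306,6 +317,30 @@` spell the option `preferred-algorithms` (hyphen) twice, while every API hunk in ssh.xml uses `preferred_algorithms`; a reader copying the hyphenated name gets a non-existent option. For disabling `diffie-hellman-group-exchange-sha1` and `diffie-hellman-group14-sha1` the new `modify_algorithms` `{rm, [{kex, [...]}]}` form is the direct tool and should be mentioned alongside. Wording: "ancient clients and servers" reads better as "older clients and servers".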
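Review bot: the rewritten `timeout` text in `@@ -558,8 +558,14 @@` says that when `connect_timeout` is set "this option (timeout) is ignored"; silently overriding an explicit caller value is surprising, so consider applying the smaller of the two to the negotiation phase, or at least emit a warning. The unit is no longer stated now that the reference to the `ssh_channel` start function is gone; say that the value is in milliseconds or `infinity`.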
