Interface module for the
The actual set of algorithms can vary depending on which OpenSSL crypto library is installed on the machine.
For the list on a particular installation, use the command
The exact behaviour of some functions can be adjusted with options, which are documented together with the functions. Generally, each option can be given at most once in a function call. If it is given two or more times, the effect is not predictable unless explicitly documented.
The options are of different kinds:
which alter limits in the system, for example the number of simultaneous login attempts.
which give a defined behaviour if too much time elapses before a given event or action, for example the time to wait for an answer.
which give the caller of the function the possibility to execute their own code on some events, for example to call their own logging function or to perform their own login procedure.
which change the system's behaviour.
Type definitions that are used more than once in this module, or abstractions to indicate the intended use of the data type, or both:
opaque() -
as returned by
opaque() - as returned by
Closes an SSH connection.
Connects to an SSH server. No channel is started. This is done
by calling
Options:
IP version to use.
Sets the user directory, that is, the directory containing
If the user DSA key is protected by a passphrase, it can be supplied with this option.
If the user RSA key is protected by a passphrase, it can be supplied with this option.
When
If
Provides a fun to implement your own logging when a server disconnects the client.
Provides a fun to implement your own logging or other action when an unexpected message arrives.
If the fun returns
This option is kept for compatibility. It is ignored if the
Sets the preferred public key algorithm to use for user
authentication. If the preferred algorithm fails,
the other algorithm is tried. The default is
to try
This option is kept for compatibility. It is ignored if the
List of public key algorithms to try to use.
List of algorithms to use in the algorithm negotiation. The default
Here is an example of this option:
{preferred_algorithms,
[{public_key,['ssh-rsa','ssh-dss']},
{cipher,[{client2server,['aes128-ctr']},
{server2client,['aes128-cbc','3des-cbc']}]},
{mac,['hmac-sha2-256','hmac-sha1']},
{compression,[none,zlib]}
]
}
The example specifies different algorithms in the two directions (client2server and server2client) for cipher, but the same algorithms for mac and compression in both directions. The kex (key exchange) and public key algorithms are set to their default values; kex is implicit but public_key is set explicitly.
Changing the values can make a connection less secure. Do not change them unless you know exactly what you are doing. If you do not understand the values, you are not supposed to change them.
Sets the three diffie-hellman-group-exchange parameters that guide the connected server in choosing a group.
See RFC 4419 for the function of those. The default value is
Sets a time-out on the transport layer
connection. For
Provides a username. If this option is not given,
Provides a password for password authentication. If this option is not given and the password authentication method is attempted, the user is asked for a password.
Module implementing the behaviour
If
The string that the client presents to a connected server initially. The default value is "Erlang/VSN" where VSN is the ssh application version number.
The value
Allows an existing file descriptor to be used (by passing it on to the transport protocol).
Specifies, in bytes, how much data may be transferred before rekeying is initiated. Defaults to once per GB and once per hour.
Sets a time-out on a connection when no channels are active.
Defaults to
Provides a fun to implement your own logging of the SSH message SSH_MSG_DEBUG. The last three parameters are from the message, see RFC 4253, section 11.3. The
The default behaviour is to ignore the message.
To get a printout for each message with
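The preferred_algorithms, silently_accept_hosts, user_interaction, connect_timeout and disconnectfun options above, combined in an added example (this is example code written for this page, not code from the OTP ssh application or its documentation; it serves the identical preferred_algorithms text in the daemon options as well). Instead of hard-coding an algorithm list, it starts from ssh:default_algorithms/0 and removes a deny-list of weak names, so it tracks whatever the installed OpenSSL offers. The module name, the WEAK list and the 10 second time-outs are this example's own choices:

```erlang
%% Added example (not from the OTP ssh documentation): derive a hardened
%% preferred_algorithms value from ssh:default_algorithms/0 and use it
%% for ssh:connect/3. Module name and the WEAK list are policy choices
%% made for this example, not something the ssh application defines.
-module(ssh_hardened_client).
-export([hardened_algorithms/0, client_options/1, connect/3]).

%% Algorithm names this example refuses to negotiate, whatever the
%% installed crypto library happens to offer.
-define(WEAK, ['ssh-dss',
               'diffie-hellman-group1-sha1',
               '3des-cbc', 'aes128-cbc',
               'hmac-sha1']).

%% Take the installation's defaults and strip WEAK from every algorithm
%% type, in both directions. The default order is kept, so nothing is
%% promoted, only removed.
hardened_algorithms() ->
    [{Type, prune(Type, Algs)} || {Type, Algs} <- ssh:default_algorithms()].

%% cipher, mac and compression come back as
%% [{client2server, L}, {server2client, L}]; kex and public_key as a
%% plain list of names. Handle both shapes.
prune(Type, [{Dir, _} | _] = ByDirection) when is_atom(Dir) ->
    [{D, prune(Type, L)} || {D, L} <- ByDirection];
prune(Type, Algs) ->
    case Algs -- ?WEAK of
        [] ->
            %% Refuse rather than silently keep a weak algorithm: an
            %% installation whose only kex is diffie-hellman-group1-sha1
            %% fails here instead of negotiating it.
            error({no_acceptable_algorithm, Type, Algs});
        Kept ->
            Kept
    end.

%% Options for ssh:connect/3. silently_accept_hosts=false together with
%% user_interaction=false means a host key that is not already in the
%% known_hosts file under user_dir makes the connect fail, instead of
%% being added or prompted for. That is the behaviour wanted for an
%% unattended client.
client_options(User) ->
    [{user, User},
     {preferred_algorithms, hardened_algorithms()},
     {silently_accept_hosts, false},
     {user_interaction, false},
     {connect_timeout, 10000},
     {disconnectfun,
      fun(Reason) ->
              error_logger:info_msg("ssh: server disconnected: ~p~n", [Reason])
      end}].

%% Connect and open one session channel.
%% Returns {ok, Conn, Chan} or {error, Reason}.
connect(Host, Port, User) ->
    case ssh:connect(Host, Port, client_options(User)) of
        {ok, Conn} ->
            case ssh_connection:session_channel(Conn, 10000) of
                {ok, Chan} -> {ok, Conn, Chan};
                {error, R} -> ssh:close(Conn), {error, R}
            end;
        {error, R} ->
            {error, R}
    end.
```

Usage: ssh_hardened_client:connect("host.example", 22, "alice"). If pruning leaves an algorithm type empty, prune/2 raises rather than falling back to the defaults; a fallback would quietly reintroduce exactly the algorithm the deny-list was meant to exclude, which is the failure mode the warning in the option text is about.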
Retrieves information about a connection.
Starts a server listening for SSH connections on the given port.
Options:
IP version to use when the host address is specified as
Provides specifications for handling of subsystems. The
"sftp" subsystem specification is retrieved by calling
Defines the read-eval-print loop used when a shell is
requested by the client. The default is to use the Erlang shell:
Provides your own CLI implementation, that is, a channel callback
module that implements a shell and command execution. The shell
read-eval-print loop can be customized, using the
option
Sets the user directory. That is, the directory containing
Sets the system directory, containing the host key files
that identify the host keys for
Comma-separated string that determines which
authentication methods the server is to support and
in what order they are tried. Defaults to
Sets the text strings that the daemon sends to the client for presentation to the user when using
The parameter
The default value is:
Provides passwords for password authentication. The passwords are used when someone tries to connect to the server and public key user-authentication fails. The option provides a list of valid usernames and the corresponding passwords.
Provides a global password that authenticates any user. From a security perspective this option makes the server very vulnerable.
List of algorithms to use in the algorithm negotiation. The default
Here is an example of this option:
{preferred_algorithms,
[{public_key,['ssh-rsa','ssh-dss']},
{cipher,[{client2server,['aes128-ctr']},
{server2client,['aes128-cbc','3des-cbc']}]},
{mac,['hmac-sha2-256','hmac-sha1']},
{compression,[none,zlib]}
]
}
The example specifies different algorithms in the two directions (client2server and server2client) for cipher, but the same algorithms for mac and compression in both directions. The kex (key exchange) and public key algorithms are set to their default values; kex is implicit but public_key is set explicitly.
Changing the values can make a connection less secure. Do not change them unless you know exactly what you are doing. If you do not understand the values, you are not supposed to change them.
Defines the groups the server may choose among when diffie-hellman-group-exchange is negotiated. See RFC 4419 for details. The three variants of this option are:
The default list is fetched from the
Limits what a client can ask for in diffie-hellman-group-exchange.
The limits will be
The default value is
If
See RFC 4419 for the function of the Max and Min values.
Provides a function for password validation. This can be used for calling an external system or if
passwords should be stored as a hash. The fun returns:
This fun can also be used to add delays to authentication attempts, for example by calling
A third usage is to block login attempts from a misbehaving peer. The
Provides a function for password validation. This function is called
with user and password as strings, and returns
This option (
Maximum time in milliseconds for the authentication negotiation. Defaults to 120000 (2 minutes). If the client fails to log in within this time, the connection is closed.
The maximum number of simultaneous sessions that are accepted at any time
for this daemon. This includes sessions that are being authorized.
Thus, if set to
The counter is per listening port. Thus, if two daemons are started, one with
Notice that if
By default, this option is not set. This means that the number is not limited.
The maximum number of channels with an active remote subsystem that are accepted for each connection to this daemon
By default, this option is not set. This means that the number is not limited.
If set to false (the default value), only one login is handled at a time. If set to true, an unlimited number of login attempts are allowed simultaneously.
If the
Do not enable
The smallest maximum packet size that the daemon will accept in channel open requests from the client. The default value is 0.
The string the daemon will present to a connecting peer initially. The default value is "Erlang/VSN" where VSN is the ssh application version number.
The value
Module implementing the behaviour
Used together with
Allows an existing file-descriptor to be used (passed on to the transport protocol).
Provides a fun to implement your own logging when a user fails to authenticate.
Provides a fun to implement your own logging when a user authenticates to the server.
Provides a fun to implement your own logging when a user disconnects from the server.
Provides a fun to implement your own logging or other action when an unexpected message arrives.
If the fun returns
Provides a fun to implement your own logging of the SSH message SSH_MSG_DEBUG. The last three parameters are from the message, see RFC 4253, section 11.3. The
The default behaviour is to ignore the message.
To get a printout for each message with
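The pwdfun, auth_methods, negotiation_timeout, max_sessions and failfun daemon options above, combined in an added example (example code written for this page, not from the OTP ssh application or its documentation). The password check stores a salted SHA-256 hash rather than the password, compares in constant time, and sleeps for one second on every failure, which is the delay usage the pwdfun text describes. The module name, the shape of the Users table, the limits chosen and the hash construction are this example's assumptions:

```erlang
%% Added example (not from the OTP ssh documentation): a daemon whose
%% password authentication goes through a pwdfun/2 that verifies a
%% salted SHA-256 hash, compares in constant time and delays failures.
%% Module name, the Users table shape and the limits are the example's own.
-module(ssh_hardened_daemon).
-export([start/2, hash_password/1, check_password/3]).

%% Users :: [{UserName::string(), Salt::binary(), Sha256::binary()}]
%% parallel_login is left at its default (false), so the sleep in
%% check_password/3 also holds back every other login attempt on this
%% listener while it runs; for a brute-force throttle that is intended.
start(Port, Users) ->
    ssh:daemon(Port,
               [{system_dir, "/etc/ssh"},                 % host key files
                {auth_methods, "publickey,password"},     % keys first, then password
                {pwdfun, fun(User, Pwd) -> check_password(Users, User, Pwd) end},
                {negotiation_timeout, 30000},             % 30 s, not the 2 min default
                {max_sessions, 20},                       % incl. sessions still authenticating
                {failfun,
                 fun(User, PeerAddr, Reason) ->
                         error_logger:warning_msg(
                           "ssh auth failed: user=~p peer=~p reason=~p~n",
                           [User, PeerAddr, Reason])
                 end}]).

%% Produce the record to store for a user: a fresh 16-byte salt and
%% SHA-256(salt || password). One plain SHA-256 keeps the example short;
%% a deliberately slow password hash is the production choice.
hash_password(Password) ->
    Salt = crypto:strong_rand_bytes(16),
    {Salt, crypto:hash(sha256, [Salt, unicode:characters_to_binary(Password)])}.

%% Called by the daemon with user and password as strings.
%% Returns true or false as pwdfun/2 requires.
check_password(Users, User, Password) ->
    PwdBin = unicode:characters_to_binary(Password),
    Ok = case lists:keyfind(User, 1, Users) of
             {User, Salt, Stored} ->
                 constant_time_equal(crypto:hash(sha256, [Salt, PwdBin]), Stored);
             false ->
                 %% Unknown user: hash and compare anyway so the response
                 %% time does not reveal which usernames exist.
                 constant_time_equal(crypto:hash(sha256, [<<0:128>>, PwdBin]),
                                     <<0:256>>),
                 false
         end,
    case Ok of
        true  -> ok;
        false -> timer:sleep(1000)   % delay only failures
    end,
    Ok.

%% Compare two binaries without leaking the position of the first
%% differing byte through timing.
constant_time_equal(A, B) when byte_size(A) =:= byte_size(B) ->
    lists:foldl(fun({X, Y}, Acc) -> Acc bor (X bxor Y) end, 0,
                lists:zip(binary_to_list(A), binary_to_list(B))) =:= 0;
constant_time_equal(_, _) ->
    false.
```

Usage: build the table once with {Salt, Hash} = ssh_hardened_daemon:hash_password("secret"), then ssh_hardened_daemon:start(2222, [{"alice", Salt, Hash}]). Because the fun is consulted only after public-key authentication has failed, the delay applies exactly to the password guessing path.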
Returns a key-value list, where the keys are the different types of algorithms and the values are the algorithms themselves. An example:
20> ssh:default_algorithms().
[{kex,['diffie-hellman-group1-sha1']},
{public_key,['ssh-rsa','ssh-dss']},
{cipher,[{client2server,['aes128-ctr','aes128-cbc','3des-cbc']},
{server2client,['aes128-ctr','aes128-cbc','3des-cbc']}]},
{mac,[{client2server,['hmac-sha2-256','hmac-sha1']},
{server2client,['hmac-sha2-256','hmac-sha1']}]},
{compression,[{client2server,[none,zlib]},
{server2client,[none,zlib]}]}]
21>
Starts an interactive shell over an SSH server on the
given
Utility function that starts the applications
Stops the
Stops the listener and all connections started by the listener.
Stops the listener, but leaves existing connections started by the listener operational.