Interface module for the
See
The exact behaviour of some functions can be adjusted with the use of options which are documented together with the functions. Generally, each option can be used at most once in each function call. If given two or more times, the effect is not predictable unless explicitly documented.
The options are of different kinds:
which alters limits in the system, for example number of simultaneous login attempts.
which give some defined behaviour if too long time elapses before a given event or action, for example time to wait for an answer.
which give the caller of the function the possibility to execute their own code on some events, for example calling a custom logging function or performing a custom login function
which change the system's behaviour.
Type definitions that are used more than once in this module, or abstractions to indicate the intended use of the data type, or both:
opaque() -
as returned by
opaque() - as returned by
Closes an SSH connection.
Connects to an SSH server. No channel is started. This is done
by calling
Options:
IP version to use.
Sets the user directory, that is, the directory containing
If the user DSA key is protected by a passphrase, it can be supplied with this option.
If the user RSA key is protected by a passphrase, it can be supplied with this option.
This option guides the
The option can be given in three different forms as seen above:
If
Provides a fun to implement your own logging when a server disconnects the client.
Provides a fun to implement your own logging or other action when an unexpected message arrives.
If the fun returns
List of user (client) public key algorithms to try to use.
The default value is the
If there is no public key of a specified type available, the corresponding entry is ignored. Note that the available set is dependent on the underlying cryptolib and current user's public keys.
List of algorithms to use in the algorithm negotiation. The default
If an alg_entry() is missing in the algs_list(), the default value is used for that entry.
Here is an example of this option:
{preferred_algorithms,
[{public_key,['ssh-rsa','ssh-dss']},
{cipher,[{client2server,['aes128-ctr']},
{server2client,['aes128-cbc','3des-cbc']}]},
{mac,['hmac-sha2-256','hmac-sha1']},
{compression,[none,zlib]}
]
}
The example specifies different algorithms in the two directions (client2server and server2client) for cipher, but specifies the same algorithms for mac and compression in both directions. The kex (key exchange) is implicit but public_key is set explicitly.
For background and more examples see the
Changing the values can make a connection less secure. Do not change unless you know exactly what you are doing. If you do not understand the values then you are not supposed to change them.
Modifies the list of algorithms to use in the algorithm negotiation. The modifications are
applied after the option
The algorithm for modifications works like this:
Input is the
The head of the
The possible modifications are:
Append or prepend supported but not enabled algorithm(s) to the list of
algorithms. If the wanted algorithms already are in
Remove (rm) one or more algorithms from
Repeat the modification step with the tail of
If an unsupported algorithm is in the
If there are more than one modify_algorithms options, the result is undefined.
Here is an example of this option:
{modify_algorithms,
[{prepend, [{kex, ['diffie-hellman-group1-sha1']}]},
{rm, [{compression, [none]}]}
]
}
The example specifies that:
the old key exchange algorithm 'diffie-hellman-group1-sha1' should be the main alternative. It will be the main alternative since it is prepended to the list
The compression algorithm none (= no compression) is removed so compression is enforced
For background and more examples see the
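As an added illustration (not code from OTP's ssh application), the module below re-implements the modification rules just described and runs the page's example through them. The default and supported lists are constructed stand-ins for ssh:default_algorithms/0 and the crypto library, and only the plain {Tag, Algs} form is handled, not the direction-specific cipher/mac entries.

```erlang
%% Added illustration, not OTP's own code: a stand-alone re-implementation of
%% the modify_algorithms rules above, so the outcome of a modification list can
%% be inspected offline. Only plain {Tag, Algs} entries are handled here.
-module(alg_mod_demo).
-export([apply_mods/3, demo/0]).

%% Constructed samples; really ssh:default_algorithms/0 and the crypto library.
default_algs() ->
    [{kex,         ['ecdh-sha2-nistp256','diffie-hellman-group14-sha1']},
     {public_key,  ['ssh-rsa','ssh-dss']},
     {compression, [none,zlib]}].

supported_algs() ->
    [{kex,         ['ecdh-sha2-nistp256','diffie-hellman-group14-sha1',
                    'diffie-hellman-group1-sha1']},
     {public_key,  ['ssh-rsa','ssh-dss']},
     {compression, [none,zlib]}].

%% Walk the modification list head first; each step rewrites Algs and the
%% rewritten list is the input to the next step.
apply_mods(Algs, [], _Supported) ->
    Algs;
apply_mods(Algs, [{Op, Entries} | Rest], Supported) ->
    Algs1 = lists:foldl(fun({Tag, Wanted}, Acc) ->
                                modify(Op, Tag, Wanted, Acc, Supported)
                        end, Algs, Entries),
    apply_mods(Algs1, Rest, Supported).

modify(Op, Tag, Wanted0, Algs, Supported) ->
    Current = proplists:get_value(Tag, Algs, []),
    Known   = proplists:get_value(Tag, Supported, []),
    %% Names the crypto library does not support are silently ignored.
    Wanted  = [A || A <- Wanted0, lists:member(A, Known)],
    %% For prepend/append an algorithm already present is removed first, so it
    %% ends up at the requested end of the list exactly once.
    Base    = [A || A <- Current, not lists:member(A, Wanted)],
    New = case Op of
              prepend -> Wanted ++ Base;
              append  -> Base ++ Wanted;
              rm      -> Base
          end,
    lists:keystore(Tag, 1, Algs, {Tag, New}).

%% The page's example plus one unsupported name, which is dropped.
demo() ->
    Mods = [{prepend, [{kex, ['diffie-hellman-group1-sha1']}]},
            {rm,      [{compression, [none]}]},
            {append,  [{kex, ['no-such-kex']}]}],
    apply_mods(default_algs(), Mods, supported_algs()).
```

demo/0 yields kex as ['diffie-hellman-group1-sha1','ecdh-sha2-nistp256','diffie-hellman-group14-sha1'] and compression as [zlib], while public_key is untouched and the unsupported 'no-such-kex' leaves kex as it was.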
Sets the three diffie-hellman-group-exchange parameters that guides the connected server in choosing a group.
See RFC 4419 for the function of those. The default value is
Sets a time-out on the transport layer
connection. For
Comma-separated string that determines which
authentication methods the client shall support and
in which order they are tried. Defaults to
Provides a username. If this option is not given,
Provides a password for password authentication. If this option is not given, the user is asked for a password, if the password authentication method is attempted.
Tell the server that the client accepts extension negotiation. See
Currently implemented extension is
Default value is
Module implementing the behaviour
If
The string that the client presents to a connected server initially. The default value is "Erlang/VSN" where VSN is the ssh application version number.
The value
Allows an existing file descriptor to be used (by passing it on to the transport protocol).
Provides, in bytes, the limit after which rekeying is to be initiated. Defaults to once per GB and once per hour.
Sets a time-out on a connection when no channels are active.
Defaults to
Provide a fun to implement your own logging of the SSH message SSH_MSG_DEBUG. The last three parameters are from the message, see RFC4253, section 11.3. The
The default behaviour is to ignore the message.
To get a printout for each message with
Retrieves information about a connection.
Starts a server listening for SSH connections on the given
port. If the
Please note that for historical reasons both the
The rules for handling the two address passing options are:
Options:
IP version to use when the host address is specified as
Provides specifications for handling of subsystems. The
"sftp" subsystem specification is retrieved by calling
Defines the read-eval-print loop used when a shell is
requested by the client. The default is to use the Erlang shell:
Provides your own CLI implementation, that is, a channel callback
module that implements a shell and command execution. The shell
read-eval-print loop can be customized, using the
option
Sets the user directory. That is, the directory containing
Sets the system directory, containing the host key files
that identify the host keys for
Comma-separated string that determines which
authentication methods the server is to support and
in what order they are tried. Defaults to
Note that the client is free to use any order and to exclude methods.
Sets the text strings that the daemon sends to the client for presentation to the user when using
The parameter
The default value is:
Provides passwords for password authentication. The passwords are used when someone tries to connect to the server and public key user-authentication fails. The option provides a list of valid usernames and the corresponding passwords.
Provides a global password that authenticates any user. From a security perspective this option makes the server very vulnerable.
List of algorithms to use in the algorithm negotiation. The default
If an alg_entry() is missing in the algs_list(), the default value is used for that entry.
Here is an example of this option:
{preferred_algorithms,
[{public_key,['ssh-rsa','ssh-dss']},
{cipher,[{client2server,['aes128-ctr']},
{server2client,['aes128-cbc','3des-cbc']}]},
{mac,['hmac-sha2-256','hmac-sha1']},
{compression,[none,zlib]}
]
}
The example specifies different algorithms in the two directions (client2server and server2client) for cipher, but specifies the same algorithms for mac and compression in both directions. The kex (key exchange) is implicit but public_key is set explicitly.
For background and more examples see the
Changing the values can make a connection less secure. Do not change unless you know exactly what you are doing. If you do not understand the values then you are not supposed to change them.
Modifies the list of algorithms to use in the algorithm negotiation. The modifications are
applied after the option
The possible modifications are to:
Append or prepend supported but not enabled algorithm(s) to the list of algorithms.
If the wanted algorithms already are in the list of algorithms, they will first be removed and then appended or prepended.
Remove (rm) one or more algorithms from the list of algorithms.
If an unsupported algorithm is in the list, it will be silently ignored.
Here is an example of this option:
{modify_algorithms,
[{prepend, [{kex, ['diffie-hellman-group1-sha1']}]},
{rm, [{compression, [none]}]}
]
}
The example specifies that:
the old key exchange algorithm 'diffie-hellman-group1-sha1' should be the main alternative. It will be the main alternative since it is prepended to the list
The compression algorithm none (= no compression) is removed so compression is enforced
For background and more examples see the
Defines the groups the server may choose among when diffie-hellman-group-exchange is negotiated. See RFC 4419 for details. The three variants of this option are:
The default list is fetched from the
Limits what a client can ask for in diffie-hellman-group-exchange.
The limits will be
The default value is
If
See RFC 4419 for the function of the Max and Min values.
Provides a function for password validation. This could be used for calling an external system or if passwords should be stored as a hash. The fun returns:
This fun can also be used to make delays in authentication tries for example by calling
A third usage is to block login attempts from a misbehaving peer. The
Provides a function for password validation. This function is called
with user and password as strings, and returns
This option (
Maximum time in milliseconds for the authentication negotiation. Defaults to 120000 (2 minutes). If the client fails to log in within this time, the connection is closed.
The maximum number of simultaneous sessions that are accepted at any time
for this daemon. This includes sessions that are being authorized.
Thus, if set to
The counter is per listening port. Thus, if two daemons are started, one with
Notice that if
By default, this option is not set. This means that the number is not limited.
The maximum number of channels with active remote subsystem that are accepted for each connection to this daemon
By default, this option is not set. This means that the number is not limited.
If set to false (the default value), only one login is handled at a time. If set to true, an unlimited number of login attempts are allowed simultaneously.
If the
Do not enable
The least maximum packet size that the daemon will accept in channel open requests from the client. The default value is 0.
The string the daemon will present to a connecting peer initially. The default value is "Erlang/VSN" where VSN is the ssh application version number.
The value
Send a list of extensions to the client if the client has asked for it. See
Currently implemented extension is sending
Default value is
Module implementing the behaviour
Used together with
Allows an existing file descriptor to be used (passed on to the transport protocol).
Provides a fun to implement your own logging when a user fails to authenticate.
Provides a fun to implement your own logging when a user authenticates to the server.
Provides a fun to implement your own logging when a user disconnects from the server.
Provides a fun to implement your own logging or other action when an unexpected message arrives.
If the fun returns
Sets a time-out on a connection when no channels are active.
Defaults to
Provide a fun to implement your own logging of the SSH message SSH_MSG_DEBUG. The last three parameters are from the message, see RFC4253, section 11.3. The
The default behaviour is to ignore the message.
To get a printout for each message with
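Added example, not OTP's own code, serving both the pwdfun description above and the failfun, connectfun, parallel_login and max_sessions options: a daemon whose four-argument pwdfun (the User, Password, PeerAddress, State form) validates salted hashes without an early-exit compare, delays each failure and disconnects a peer after repeated failures, while failfun and connectfun record the outcome. The user table, salt, MAX_FAILS and the directory paths are constructed assumptions.

```erlang
%% Added illustration, not code from OTP: a daemon whose pwdfun keeps only
%% salted hashes, compares them without an early exit, delays each failed
%% attempt and disconnects a peer after too many failures; failfun and
%% connectfun record the outcome. Paths and the user table are constructed.
-module(pwd_daemon_demo).
-export([start/1, check_password/4]).
-define(MAX_FAILS, 3).

%% Constructed user table: {User, Salt, sha256(Salt ++ Password)}.
users() ->
    [{"alice", <<"s4lt">>, crypto:hash(sha256, [<<"s4lt">>, "correct horse"])}].

%% Four-argument pwdfun: User, Password, {Ip,Port} and the State returned by
%% the previous call (undefined on the first). Returns true, false,
%% {false, NewState} or disconnect.
check_password(User, Password, {Ip, _Port}, State0) ->
    State = if is_map(State0) -> State0; true -> #{} end,
    Fails = maps:get(Ip, State, 0),
    case valid(User, Password) of
        true -> true;
        false when Fails + 1 >= ?MAX_FAILS ->
            disconnect;                 % misbehaving peer: drop the connection
        false ->
            timer:sleep(1000),          % slow down online guessing
            {false, State#{Ip => Fails + 1}}
    end.

valid(User, Password) ->
    case lists:keyfind(User, 1, users()) of
        {_, Salt, Hash} ->
            const_eq(crypto:hash(sha256, [Salt, Password]), Hash);
        false ->
            _ = crypto:hash(sha256, [<<"x">>, Password]), % same cost as a bad password
            false
    end.

%% Length-then-XOR comparison that does not stop at the first differing byte.
const_eq(A, B) when byte_size(A) =:= byte_size(B) ->
    lists:foldl(fun({X, Y}, Acc) -> Acc bor (X bxor Y) end, 0,
                lists:zip(binary_to_list(A), binary_to_list(B))) =:= 0;
const_eq(_, _) -> false.

start(Port) ->
    ssh:daemon(Port,
      [{system_dir, "/etc/ssh"},                % host keys (assumed path)
       {user_dir,   "/var/ssh/demo_user_dir"},  % authorized_keys (assumed path)
       {auth_methods, "publickey,password"},
       {pwdfun, fun check_password/4},
       {parallel_login, false},                 % one login attempt at a time
       {max_sessions, 10},
       {failfun, fun(U, Peer, R) -> io:format("auth failed ~s ~p ~p~n", [U, Peer, R]) end},
       {connectfun, fun(U, Peer, M) -> io:format("login ~s ~p ~s~n", [U, Peer, M]) end}]).
```

The failure counter lives in the pwdfun State, which the daemon keeps per connection, so the disconnect triggers after three bad passwords on the same connection rather than across connections.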
Returns a key-value list with information about the daemon. For now, only the listening port is returned. This is intended for the case the daemon is started with the port set to 0.
Returns a key-value list, where the keys are the different types of algorithms and the values are the algorithms themselves. An example:
20> ssh:default_algorithms().
[{kex,['diffie-hellman-group1-sha1']},
{public_key,['ssh-rsa','ssh-dss']},
{cipher,[{client2server,['aes128-ctr','aes128-cbc','3des-cbc']},
{server2client,['aes128-ctr','aes128-cbc','3des-cbc']}]},
{mac,[{client2server,['hmac-sha2-256','hmac-sha1']},
{server2client,['hmac-sha2-256','hmac-sha1']}]},
{compression,[{client2server,[none,zlib]},
{server2client,[none,zlib]}]}]
21>
Starts an interactive shell over an SSH server on the
given
Utility function that starts the applications
Stops the
Stops the listener and all connections started by the listener.
Stops the listener, but leaves existing connections started by the listener operational.