aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssh/doc/src/introduction.xml
blob: 70c6fb2ee1e9d0d678c91665af07c727aaa579e9 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE chapter SYSTEM "chapter.dtd">

<chapter>
  <header>
    <copyright>
      <year>2012</year>
      <year>2013</year>
      <holder>Ericsson AB, All Rights Reserved</holder>
    </copyright>
    <legalnotice>
  The contents of this file are subject to the Erlang Public License,
  Version 1.1, (the "License"); you may not use this file except in
  compliance with the License. You should have received a copy of the
  Erlang Public License along with this software. If not, it can be
  retrieved online at http://www.erlang.org/.

  Software distributed under the License is distributed on an "AS IS"
  basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
  the License for the specific language governing rights and limitations
  under the License.

  The Initial Developer of the Original Code is Ericsson AB.
    </legalnotice>

    <title>Introduction</title>
    <prepared>OTP team</prepared>
    <responsible></responsible>
    <docno></docno>
    <approved></approved>
    <checked></checked>
    <date></date>
    <rev></rev>
    <file>introduction.xml</file>
  </header>
  <p>SSH is a protocol for secure remote logon and
    other secure network services over an insecure network.</p>
  <section>
    <title>Scope and Purpose</title>

    <p>SSH provides a single, full-duplex, and byte-oriented connection between
    client and server. The protocol also provides privacy, integrity,
    server authentication, and man-in-the-middle protection.</p>

    <p>The <c>ssh</c> application is an implementation of the SSH Transport
    Layer Protocol in Erlang. It provides the following:</p>
    <list type="bulleted">
      <item>API functions to write customized SSH clients and servers</item>
      <item>The Erlang shell available through SSH</item>
      <item>An SFTP client (<seealso marker="ssh_sftp">ssh_sftp</seealso>)
      and server (<seealso marker="ssh_sftp">ssh_sftpd</seealso>)</item>
    </list>
  </section>

  <section>
    <title>Prerequisites</title>
    <p>It is assumed that the reader is familiar with the Erlang programming language,
    concepts of <em>OTP</em>, and has a basic understanding of <em>public keys</em>.</p>
  </section>

<section>
    <title>SSH Protocol Overview</title>

    <p>Conceptually, the SSH protocol can be partitioned into four
    layers:</p>

    <image file="SSH_protocols.png">
      <icaption>SSH Protocol Architecture</icaption>
    </image>

    <section>
      <title>Transport Protocol</title>

      <p>The SSH Transport Protocol is a secure, low-level transport.
      It provides strong encryption, cryptographic host
      authentication, and integrity protection. A minimum of
      Message Authentication Code (MAC) and encryption
      algorithms are supported. For details, see the
      <seealso marker="ssh">ssh(3)</seealso> manual page in <c>ssh</c>.</p>
    </section>

    <section>
      <title>Authentication Protocol</title>

      <p>The SSH Authentication Protocol is a general-purpose user
      authentication protocol run over the SSH Transport Layer
      Protocol. The <c>ssh</c> application supports user authentication as follows:
      </p>
      <list type="bulleted">
	<item>
	  Using public key technology. RSA and DSA, X509-certificates
	  are not supported.
	</item>
	<item>
	  Using keyboard-interactive authentication.
	  This is suitable for interactive authentication methods
	  that do not need any special software support on the client side.
	  Instead, all authentication data is entered from the keyboard.
	</item>
	<item>
	  Using a pure password-based authentication scheme.
	  Here, the plain text password is encrypted before sent
	  over the network.
	</item>
      </list>
      <p>Several configuration options for
      authentication handling are available in
      <seealso marker="ssh#connect-3">ssh:connect/[3,4]</seealso>
      and <seealso marker="ssh#daemon-2">ssh:daemon/[2,3]</seealso>.</p>
      <p>
      The public key handling can be customized by implementing
      the following behaviours from <c>ssh</c>:</p>
      <list type="bulleted">
	<item>Module
      <seealso marker="ssh_client_key_api">ssh_client_key_api</seealso>.
	</item>
	<item>Module
      <seealso marker="ssh_server_key_api">ssh_server_key_api</seealso>.
	</item>
      </list>
    </section>

    <section>
      <title>Connection Protocol</title>

      <p>The SSH Connection Protocol provides application-support
      services over the transport pipe, for example, channel multiplexing,
      flow control, remote program execution, signal propagation, and
      connection forwarding. Functions for handling the SSH
      Connection Protocol can be found in the module <seealso
      marker="ssh_connection">ssh_connection</seealso> in <c>ssh</c>.
      </p>
    </section>

    <section>
      <title>Channels</title>

      <p>All terminal sessions, forwarded connections, and so on, are
      channels. Multiple channels are multiplexed into a single
      connection. All channels are flow-controlled. This means that no
      data is sent to a channel peer until a message is received to
      indicate that window space is available.
      The <em>initial window size</em> specifies how many bytes of channel
      data that can be sent to the channel peer without adjusting the
      window. Typically, an SSH client opens a channel, sends data (commands),
      receives data (control information), and then closes the channel.
      The <seealso marker="ssh_channel">ssh_channel</seealso> behaviour
      handles generic parts of SSH channel management. This makes it easy
      to write your own SSH client/server processes that use flow-control
      and thus opens for more focus on the application logic.
      </p>

      <p>Channels come in the following three flavors:</p>

      <list type="bulleted">
	<item><em>Subsystem</em> - Named services that can be run as
	part of an SSH server, such as SFTP <seealso
	marker="ssh_sftpd">(ssh_sftpd)</seealso>, that is built into the
	SSH daemon (server) by default, but it can be disabled. The Erlang <c>ssh</c>
	daemon can be configured to run any Erlang-
	implemented SSH subsystem.
	</item>
	<item><em>Shell</em> - Interactive shell. By default the
	Erlang daemon runs the Erlang shell. The shell can be customized by
	providing your own read-eval-print loop. You can also provide your
	own Command-Line Interface (CLI) implementation,
	but that is much more work.
	</item>
	<item><em>Exec</em> - One-time remote execution of commands. See function
	<seealso marker="ssh_connection#exec-4">ssh_connection:exec/4</seealso>
	for more information.</item>
      </list>
    </section>



  </section>

  <section>
    <title>Where to Find More Information</title>
    <p>
      For detailed information about the SSH protocol, refer to the
      following Request for Comments(RFCs):
    </p>

    <list type="bulleted">
      <item><url href="http://www.ietf.org/rfc/rfc4250.txt">RFC 4250</url> -
      Protocol Assigned Numbers</item>
      <item><url href="http://www.ietf.org/rfc/rfc4251.txt">RFC 4251</url> -
      Protocol Architecture</item>
      <item><url href="http://www.ietf.org/rfc/rfc4252.txt">RFC 4252</url> -
      Authentication Protocol</item>
      <item><url href="http://www.ietf.org/rfc/rfc4253.txt">RFC 4253</url> -
      Transport Layer Protocol</item>
      <item><url href="http://www.ietf.org/rfc/rfc4254.txt">RFC 4254</url> -
      Connection Protocol</item>
      <item><url href="http://www.ietf.org/rfc/rfc4255.txt">RFC 4255</url> -
      Key Fingerprints</item>
      <item><url href="http://www.ietf.org/rfc/rfc4344.txt">RFC 4344</url> -
      Transport Layer Encryption Modes</item>
      <item><url href="http://www.ietf.org/rfc/rfc4716.txt">RFC 4716</url> -
      Public Key File Format</item>
    </list>
  </section>
</chapter>