1ssh(3)                     Erlang Module Definition                     ssh(3)
2
3
4

NAME

6       ssh - Main API of the ssh application
7

DESCRIPTION

9       This  is the interface module for the SSH application. The Secure Shell
10       (SSH) Protocol is a protocol for secure remote login and  other  secure
11       network  services  over  an insecure network. See ssh(6) for details of
12       supported RFCs, versions, algorithms and unicode handling.
13
14       With the SSH application it is possible to start clients  and to  start
15       daemons  (servers).
16
17       Clients  are  started with connect/2, connect/3 or connect/4. They open
18       an encrypted connection on top of TCP/IP. In that encrypted  connection
19       one  or more channels could be opened with ssh_connection:session_chan‐
20       nel/2,4.
21
22       Each channel is an isolated "pipe" between a client-side process and  a
23       server-side  process. Those process pairs could handle for example file
24       transfers (sftp) or remote command execution (shell, exec and/or  cli).
25       If  a custom shell is implemented, the user of the client could execute
26       the special commands remotely. Note that the user is not necessarily  a
27       human but probably a system interfacing the SSH app.
28
29       A  server-side  subssystem  (channel) server is requested by the client
30       with ssh_connection:subsystem/4.
31
32       A server (daemon) is started with daemon/1, daemon/2 or daemon/3.  Pos‐
33       sible  channel  handlers  (subsystems)  are declared with the subsystem
34       option when the daemon is started.
35
36       To just run a shell on a remote machine, there are functions that  bun‐
37       dles  the  needed three steps needed into one: shell/1,2,3. Similarily,
38       to just open an sftp (file transfer) connection to  a  remote  machine,
39       the simplest way is to use ssh_sftp:start_channel/1,2,3.
40
41       To   write   your   own  client  channel  handler,  use  the  behaviour
42       ssh_client_channel. For server channel handlers use  ssh_server_channel
43       behaviour (replaces ssh_daemon_channel).
44
45       Both clients and daemons accepts options that controls the exact behav‐
46       iour. Some options are common to both. The three sets are called Client
47       Options, Daemon Options and Common Options.
48
49       The  descriptions  of  the  options  uses the Erlang Type Language with
50       explaining text.
51
52   Note:
53       The User's Guide has examples and a Getting Started section.
54
55

KEYS AND FILES

57       A number of objects must be present for the SSH  application  to  work.
58       Those objects are per default stored in files. The default names, paths
59       and file formats are the same as for OpenSSH. Keys could  be  generated
60       with the ssh-keygen program from OpenSSH. See the User's Guide.
61
62       The paths could easily be changed by options: user_dir and system_dir.
63
64       A  completly different storage could be interfaced by writing call-back
65       modules    using    the    behaviours     ssh_client_key_api     and/or
66       ssh_server_key_api.  A  callback  module  is  installed with the option
67       key_cb to the client and/or the daemon.
68
69   Daemons
70       The keys are by default stored in files:
71
72         * Mandatory: one or more Host  key(s)  ,  both  private  and  public.
73           Default is to store them in the directory /etc/ssh in the files
74
75           * ssh_host_dsa_key and ssh_host_dsa_key.pub
76
77           * ssh_host_rsa_key and ssh_host_rsa_key.pub
78
79           * ssh_host_ecdsa_key and ssh_host_ecdsa_key.pub
80
81           The  host  keys  directory  could  be  changed with the option sys‐
82           tem_dir.
83
84         * Optional: one or more User's  public  key   in  case  of  publickey
85           authorization.  Default  is  to store them concatenated in the file
86           .ssh/authorized_keys in the user's home directory.
87
88           The user keys directory could be changed with the option user_dir.
89
90   Clients
91       The keys and some other data are by default  stored  in  files  in  the
92       directory .ssh in the user's home directory.
93
94       The directory could be changed with the option user_dir.
95
96         * Optional:  a  list  of Host public key(s)  for previously connected
97           hosts. This list is handled by the SSH application without any need
98           of  user  assistance.  The  default  is  to  store them in the file
99           known_hosts.
100
101           The host_accepting_client_options() are associated with  this  list
102           of keys.
103
104         * Optional:  one  or more User's private key(s)  in case of publickey
105           authorization. The default files are
106
107           * id_dsa and id_dsa.pub
108
109           * id_rsa and id_rsa.pub
110
111           * id_ecdsa and id_ecdsa.pub
112

DATA TYPES

114   Client Options
115       client_options() = [client_option()]
116
117       client_option() =
118           ssh_file:pubkey_passphrase_client_options() |
119           host_accepting_client_options() |
120           authentication_client_options() |
121           diffie_hellman_group_exchange_client_option() |
122           connect_timeout_client_option() |
123           recv_ext_info_client_option() |
124           opaque_client_options() |
125           gen_tcp:connect_option() |
126           common_option()
127
128              Options  for  clients.  The  individual  options   are   further
129              explained below or by following the hyperlinks.
130
131              Note  that  not  every gen_tcp:connect_option() is accepted. See
132              set_sock_opts/2 for a list of prohibited options.
133
134              Also note that setting a gen_tcp:connect_option()  could  change
135              the socket in a way that impacts the ssh client's behaviour neg‐
136              atively. You use it on your own risk.
137
138       host_accepting_client_options() =
139           {silently_accept_hosts, accept_hosts()} |
140           {user_interaction, boolean()} |
141           {save_accepted_host, boolean()} |
142           {quiet_mode, boolean()}
143
144       accept_hosts() =
145           boolean() |
146           accept_callback() |
147           {HashAlgoSpec :: fp_digest_alg(), accept_callback()}
148
149       fp_digest_alg() = md5 | crypto:sha1() | crypto:sha2()
150
151       accept_callback() =
152           fun((PeerName :: string(), fingerprint()) -> boolean()) |
153           fun((PeerName :: string(),
154                Port :: inet:port_number(),
155                fingerprint()) ->
156                   boolean())
157
158       fingerprint() = string() | [string()]
159
160                silently_accept_hosts:
161                  This option guides the connect function on how to  act  when
162                  the connected server presents a Host Key that the client has
163                  not seen before. The default is to ask the user with a ques‐
164                  tion  on  stdio  of whether to accept or reject the new Host
165                  Key. See the option user_dir for specifying the path to  the
166                  file  known_hosts  where  previously  accepted Host Keys are
167                  recorded. See also the option key_cb for the general way  to
168                  handle keys.
169
170                  The  option  can  be  given in three different forms as seen
171                  above:
172
173                  * The value is a boolean(). The value  true  will  make  the
174                    client accept any unknown Host Key without any user inter‐
175                    action. The value false preserves the default behaviour of
176                    asking the user on stdio.
177
178                  * An accept_callback() will be called and the boolean return
179                    value true will make the client accept  the  Host  Key.  A
180                    return  value  of false will make the client to reject the
181                    Host Key and as a result the connection  will  be  closed.
182                    The arguments to the fun are:
183
184                    * PeerName  -  a  string  with  the name or address of the
185                      remote host.
186
187                    * FingerPrint - the fingerprint of the Host  Key  as  pub‐
188                      lic_key:ssh_hostkey_fingerprint/1 calculates it.
189
190                  * A  tuple {HashAlgoSpec, accept_callback}. The HashAlgoSpec
191                    specifies which hash algorithm shall be used to  calculate
192                    the fingerprint used in the call of the accept_callback().
193                    The HashALgoSpec is either an atom or a list of  atoms  as
194                    the   first   argument  in  public_key:ssh_hostkey_finger‐
195                    print/2. If it is a list of hash algorithm names, the Fin‐
196                    gerPrint  argument in the accept_callback() will be a list
197                    of fingerprints in the same  order  as  the  corresponding
198                    name in the HashAlgoSpec list.
199
200                user_interaction:
201                  If  false,  disables  the client to connect to the server if
202                  any user interaction is needed, such as accepting the server
203                  to  be  added  to the known_hosts file, or supplying a pass‐
204                  word.
205
206                  Even if user interaction is allowed it can be suppressed  by
207                  other  options,  such as silently_accept_hosts and password.
208                  However, those options are not always desirable to use  from
209                  a security point of view.
210
211                  Defaults to true.
212
213                save_accepted_host:
214                  If  true, the client saves an accepted host key to avoid the
215                  accept question the next time the same host is connected. If
216                  the  option  key_cb  is not present, the key is saved in the
217                  file "known_hosts". See option user_dir for the location  of
218                  that file.
219
220                  If  false,  the  key  is not saved and the key will still be
221                  unknown at the next access of the same host.
222
223                  Defaults to true
224
225                quiet_mode:
226                  If true, the client does not print  anything  on  authoriza‐
227                  tion.
228
229                  Defaults to false
230
231       authentication_client_options() =
232           {user, string()} | {password, string()}
233
234                user:
235                  Provides  the  username.  If  this  option is not given, ssh
236                  reads from the environment (LOGNAME or USER on  UNIX,  USER‐
237                  NAME on Windows).
238
239                password:
240                  Provides  a  password  for  password authentication. If this
241                  option is not given, the user is asked for  a  password,  if
242                  the password authentication method is attempted.
243
244       diffie_hellman_group_exchange_client_option() =
245           {dh_gex_limits,
246            {Min :: integer() >= 1,
247             I :: integer() >= 1,
248             Max :: integer() >= 1}}
249
250              Sets  the  three  diffie-hellman-group-exchange  parameters that
251              guides the connected server in choosing a group.  See  RFC  4419
252              for the details. The default value is {1024, 6144, 8192}.
253
254       connect_timeout_client_option() = {connect_timeout, timeout()}
255
256              Sets  a timeout on the transport layer connect time. For gen_tcp
257              the time is in milli-seconds and the default value is infinity.
258
259              See the parameter Timeout in connect/4  for  a  timeout  of  the
260              negotiation phase.
261
262       recv_ext_info_client_option() = {recv_ext_info, boolean()}
263
264              Make  the  client tell the server that the client accepts exten‐
265              sion negotiation, that is, include  ext-info-c  in  the  kexinit
266              message  sent. See RFC 8308 for details and ssh(6) for a list of
267              currently implemented extensions.
268
269              Default value is true which is compatible with other implementa‐
270              tions not supporting ext-info.
271
272   Daemon Options (Server Options)
273       daemon_options() = [daemon_option()]
274
275       daemon_option() =
276           subsystem_daemon_option() |
277           shell_daemon_option() |
278           exec_daemon_option() |
279           ssh_cli_daemon_option() |
280           tcpip_tunnel_out_daemon_option() |
281           tcpip_tunnel_in_daemon_option() |
282           authentication_daemon_options() |
283           diffie_hellman_group_exchange_daemon_option() |
284           negotiation_timeout_daemon_option() |
285           hello_timeout_daemon_option() |
286           hardening_daemon_options() |
287           callbacks_daemon_options() |
288           send_ext_info_daemon_option() |
289           opaque_daemon_options() |
290           gen_tcp:listen_option() |
291           common_option()
292
293              Options   for   daemons.  The  individual  options  are  further
294              explained below or by following the hyperlinks.
295
296              Note that not every  gen_tcp:listen_option()  is  accepted.  See
297              set_sock_opts/2 for a list of prohibited options.
298
299              Also  note  that  setting a gen_tcp:listen_option() could change
300              the socket in a way that impacts the ssh deamon's behaviour neg‐
301              atively. You use it on your own risk.
302
303       subsystem_daemon_option() = {subsystems, subsystem_specs()}
304
305       subsystem_specs() = [subsystem_spec()]
306
307       subsystem_spec() = {Name :: string(), mod_args()}
308
309              Defines a subsystem in the daemon.
310
311              The  subsystem_name  is the name that a client requests to start
312              with for example ssh_connection:subsystem/4.
313
314              The  channel_callback  is  the  module   that   implements   the
315              ssh_server_channel  (replaces  ssh_daemon_channel)  behaviour in
316              the daemon. See the section Creating a Subsystem in  the  User's
317              Guide for more information and an example.
318
319              If   the   subsystems  option  is  not  present,  the  value  of
320              ssh_sftpd:subsystem_spec([]) is used. This enables the sftp sub‐
321              system  by  default.  The option can be set to the empty list if
322              you do not want the daemon to run any subsystems.
323
324       shell_daemon_option() = {shell, shell_spec()}
325
326       shell_spec() = mod_fun_args() | shell_fun() | disabled
327
328       shell_fun() = 'shell_fun/1'() | 'shell_fun/2'()
329
330       'shell_fun/1'() = fun((User :: string()) -> pid())
331
332       'shell_fun/2'() =
333           fun((User :: string(), PeerAddr :: inet:ip_address()) -> pid())
334
335              Defines the read-eval-print loop used in a daemon when  a  shell
336              is  requested  by  the  client. The default is to use the Erlang
337              shell: {shell, start, []}
338
339              See the option exec-option for a description of how  the  daemon
340              executes  shell-requests  and  exec-requests  depending  on  the
341              shell- and exec-options.
342
343       exec_daemon_option() = {exec, exec_spec()}
344
345       exec_spec() =
346           {direct, exec_fun()} | disabled | deprecated_exec_opt()
347
348       exec_fun() = 'exec_fun/1'() | 'exec_fun/2'() | 'exec_fun/3'()
349
350       'exec_fun/1'() = fun((Cmd :: string()) -> exec_result())
351
352       'exec_fun/2'() =
353           fun((Cmd :: string(), User :: string()) -> exec_result())
354
355       'exec_fun/3'() =
356           fun((Cmd :: string(),
357                User :: string(),
358                ClientAddr :: ip_port()) ->
359                   exec_result())
360
361       exec_result() =
362           {ok, Result :: term()} | {error, Reason :: term()}
363
364              This option changes how the daemon executes  exec-requests  from
365              clients.  The  term in the return value is formatted to a string
366              if it is a non-string type. No trailing newline is added in  the
367              ok-case.
368
369              See the User's Guide section on One-Time Execution for examples.
370
371              Error  texts  are  returned  on  channel-type 1 which usually is
372              piped to stderr on e.g Linux systems. Texts  from  a  successful
373              execution  are  returned  on  channel-type 0 and will in similar
374              manner be piped to stdout. The exit-status code is set to 0  for
375              success  and  255 for errors. The exact results presented on the
376              client side depends on the client  and  the  client's  operating
377              system.
378
379              In case of the {direct, exec_fun()} variant or no exec-option at
380              all, all reads from standard_input will  be  from  the  received
381              data-events  of type 0. Those are sent by the client. Similarily
382              all writes to standard_output will be sent as data-events to the
383              client.  An  OS  shell client like the command 'ssh' will usally
384              use stdin and stdout for the user interface.
385
386              The option cooperates with the daemon-option shell in  the  fol‐
387              lowing way:
388
389                1.   If  neither  the  exec-option  nor  the  shell-option  is
390                present::
391                  The default Erlang evaluator is used both for exec and shell
392                  requests. The result is returned to the client.
393
394                2.  If the exec_spec's value is disabled (the shell-option may
395                or may not be present)::
396                  No exec-requests are executed  but  shell-requests  are  not
397                  affected, they follow the shell_spec's value.
398
399                3.  If  the exec-option is present and the exec_spec value =/=
400                disabled (the shell-option may or may not be present)::
401                  The exec_spec fun() is called with the same number of param‐
402                  eters as the arity of the fun, and the result is returned to
403                  the client. Shell-requests are not affected, they follow the
404                  shell_spec's value.
405
406                4.  If  the  exec-option  is  absent,  and the shell-option is
407                present with the default  Erlang  shell  as  the  shell_spec's
408                value::
409                  The default Erlang evaluator is used both for exec and shell
410                  requests. The result is returned to the client.
411
412                5. If the exec-option  is  absent,  and  the  shell-option  is
413                present  with a value that is neither the default Erlang shell
414                nor the value disabled::
415                  The exec-request is not evaluated and an  error  message  is
416                  returned  to the client. Shell-requests are executed accord‐
417                  ing to the value of the shell_spec.
418
419                6. If the exec-option is absent, and the shell_spec's value is
420                disabled::
421                  Exec  requests are executed by the default shell, but shell-
422                  requests are not executed.
423
424              If a custom CLI is installed (see the option ssh_cli) the  rules
425              above are replaced by thoose implied by the custom CLI.
426
427          Note:
428              The  exec-option  has existed for a long time but has not previ‐
429              ously been documented. The  old  definition  and  behaviour  are
430              retained  but  obey  the rules 1-6 above if conflicting. The old
431              and undocumented style should not be used in new programs.
432
433
434       deprecated_exec_opt() = function() | mod_fun_args()
435
436              Old-style exec specification that are  kept  for  compatibility,
437              but should not be used in new programs
438
439       ssh_cli_daemon_option() = {ssh_cli, mod_args() | no_cli}
440
441              Provides your own CLI implementation in a daemon.
442
443              It is a channel callback module that implements a shell and com‐
444              mand execution. The shell's read-eval-print loop can be  custom‐
445              ized,  using  the option shell. This means less work than imple‐
446              menting an own CLI channel. If ssh_cli is set to no_cli, the CLI
447              channels  like  shell  and  exec are disabled and only subsystem
448              channels are allowed.
449
450       authentication_daemon_options() =
451           ssh_file:system_dir_daemon_option() |
452           {auth_method_kb_interactive_data, prompt_texts()} |
453           {user_passwords, [{UserName :: string(), Pwd :: string()}]} |
454           {pk_check_user, boolean()} |
455           {password, string()} |
456           {pwdfun, pwdfun_2() | pwdfun_4()}
457
458       prompt_texts() =
459           kb_int_tuple() | kb_int_fun_3() | kb_int_fun_4()
460
461       kb_int_tuple() =
462           {Name :: string(),
463            Instruction :: string(),
464            Prompt :: string(),
465            Echo :: boolean()}
466
467       kb_int_fun_3() =
468           fun((Peer :: ip_port(), User :: string(), Service :: string()) ->
469                   kb_int_tuple())
470
471       kb_int_fun_4() =
472           fun((Peer :: ip_port(),
473                User :: string(),
474                Service :: string(),
475                State :: any()) ->
476                   kb_int_tuple())
477
478       pwdfun_2() =
479           fun((User :: string(), Password :: string() | pubkey) ->
480                   boolean())
481
482       pwdfun_4() =
483           fun((User :: string(),
484                Password :: string() | pubkey,
485                PeerAddress :: ip_port(),
486                State :: any()) ->
487                   boolean() |
488                   disconnect |
489                   {boolean(), NewState :: any()})
490
491                auth_method_kb_interactive_data:
492                  Sets the text strings that the daemon sends  to  the  client
493                  for presentation to the user when using keyboard-interactive
494                  authentication.
495
496                  If the fun/3 or fun/4 is used, it is called when the  actual
497                  authentication  occurs and may therefore return dynamic data
498                  like time, remote ip etc.
499
500                  The parameter Echo guides the client about need to hide  the
501                  password.
502
503                  The   default  value  is:  {auth_method_kb_interactive_data,
504                  {"SSH server", "Enter password for  \""++User++"\"",  "pass‐
505                  word: ", false}>
506
507                user_passwords:
508                  Provides  passwords  for  password authentication. The pass‐
509                  words are used when someone tries to connect to  the  server
510                  and  public  key  user-authentication fails. The option pro‐
511                  vides a list of valid usernames and the corresponding  pass‐
512                  words.
513
514                pk_check_user:
515                  Enables  checking  of  the  client's user name in the server
516                  when doing public key  authentication.  It  is  disabled  by
517                  default.
518
519                  The  term  "user"  is used differently in OpenSSH and SSH in
520                  Erlang/OTP: see more in the User's Guide.
521
522                  If the option is enabled, and no pwdfun is present, the user
523                  name  must  present  in  the user_passwords for the check to
524                  succeed but the value of the password is not checked.
525
526                  In case of a pwdfun checking the user, the  atom  pubkey  is
527                  put in the password argument.
528
529                password:
530                  Provides a global password that authenticates any user.
531
532            Warning:
533                Intended to facilitate testing.
534
535                From  a security perspective this option makes the server very
536                vulnerable.
537
538
539                pwdfun with pwdfun_4():
540                  Provides a function for password validation. This could used
541                  for calling an external system or handeling passwords stored
542                  as hash values.
543
544                  This fun can also be used to make delays  in  authentication
545                  tries for example by calling timer:sleep/1.
546
547                  To  facilitate  for  instance  counting of failed tries, the
548                  State variable could be used. This state is  per  connection
549                  only.  The first time the pwdfun is called for a connection,
550                  the State variable has the value undefined.
551
552                  The fun should return:
553
554                  * true if the user and password is valid
555
556                  * false if the user or password is invalid
557
558                  * disconnect if a SSH_MSG_DISCONNECT message should be  sent
559                    immediately.  It will be followed by a close of the under‐
560                    lying tcp connection.
561
562                  * {true, NewState:any()} if the user and password is valid
563
564                  * {false, NewState:any()} if the user or password is invalid
565
566                  A third usage is to block login attempts from a missbehaving
567                  peer.  The  State  described above can be used for this. The
568                  return value disconnect is useful for this.
569
570                  In case of the pk_check_user is set, the atom pubkey is  put
571                  in the password argument when validating a public key login.
572                  The pwdfun is then responsible to check that the  user  name
573                  is valid.
574
575                pwdfun with pwdfun_2():
576                  Provides  a  function for password validation. This function
577                  is called with user and password as strings, and returns:
578
579                  * true if the user and password is valid
580
581                  * false if the user or password is invalid
582
583                  In case of the pk_check_user is set, the atom pubkey is  put
584                  in the password argument when validating a public key login.
585                  The pwdfun is then responsible to check that the  user  name
586                  is valid.
587
588                  This variant is kept for compatibility.
589
590       diffie_hellman_group_exchange_daemon_option() =
591           {dh_gex_groups,
592            [explicit_group()] |
593            explicit_group_file() |
594            ssh_moduli_file()} |
595           {dh_gex_limits, {Min :: integer() >= 1, Max :: integer() >= 1}}
596
597       explicit_group() =
598           {Size :: integer() >= 1,
599            G :: integer() >= 1,
600            P :: integer() >= 1}
601
602       explicit_group_file() = {file, string()}
603
604       ssh_moduli_file() = {ssh_moduli_file, string()}
605
606                dh_gex_groups:
607                  Defines  the groups the server may choose among when diffie-
608                  hellman-group-exchange  is  negotiated.  See  RFC  4419  for
609                  details. The three variants of this option are:
610
611                  {Size=integer(),G=integer(),P=integer()}:
612                    The groups are given explicitly in this list. There may be
613                    several elements with the same Size. In such a  case,  the
614                    server will choose one randomly in the negotiated Size.
615
616                  {file,filename()}:
617                    The  file  must  have one or more three-tuples {Size=inte‐
618                    ger(),G=integer(),P=integer()} terminated by  a  dot.  The
619                    file is read when the daemon starts.
620
621                  {ssh_moduli_file,filename()}:
622                    The  file  must  be  in ssh-keygen moduli file format. The
623                    file is read when the daemon starts.
624
625                  The default list is fetched from the public_key application.
626
627                dh_gex_limits:
628                  Limits what a client can ask  for  in  diffie-hellman-group-
629                  exchange.  The limits will be {MaxUsed = min(MaxClient,Max),
630                  MinUsed = max(MinClient,Min)} where MaxClient and  MinClient
631                  are the values proposed by a connecting client.
632
633                  The default value is {0,infinity}.
634
635                  If  MaxUsed < MinUsed in a key exchange, it will fail with a
636                  disconnect.
637
638                  See RFC 4419 for the function of the Max and Min values.
639
640       hello_timeout_daemon_option() = {hello_timeout, timeout()}
641
642              Maximum time in milliseconds for the first part of the ssh  ses‐
643              sion setup, the hello message exchange. Defaults to 30000 ms (30
644              seconds). If the client fails to send the first  message  within
645              this time, the connection is closed.
646
647       negotiation_timeout_daemon_option() =
648           {negotiation_timeout, timeout()}
649
650              Maximum time in milliseconds for the authentication negotiation.
651              Defaults to 120000 ms (2 minutes). If the client fails to log in
652              within this time, the connection is closed.
653
654       hardening_daemon_options() =
655           {max_sessions, integer() >= 1} |
656           {max_channels, integer() >= 1} |
657           {parallel_login, boolean()} |
658           {minimal_remote_max_packet_size, integer() >= 1}
659
660                max_sessions:
661                  The   maximum  number  of  simultaneous  sessions  that  are
662                  accepted at any time for this daemon. This includes sessions
663                  that  are being authorized. Thus, if set to N, and N clients
664                  have connected but not started the login process, connection
665                  attempt  N+1  is aborted. If N connections are authenticated
666                  and still logged in, no more logins are accepted  until  one
667                  of the existing ones log out.
668
669                  The  counter is per listening port. Thus, if two daemons are
670                  started,  one  with  {max_sessions,N}  and  the  other  with
671                  {max_sessions,M},  in total N+M connections are accepted for
672                  the whole ssh application.
673
674                  Notice that if parallel_login is false, only one client at a
675                  time can be in the authentication phase.
676
677                  By default, this option is not set. This means that the num‐
678                  ber is not limited.
679
680                max_channels:
681                  The maximum number of channels with active remote  subsystem
682                  that are accepted for each connection to this daemon
683
684                  By default, this option is not set. This means that the num‐
685                  ber is not limited.
686
687                parallel_login:
688                  If set to false (the default value), only one login is  han‐
689                  dled at a time. If set to true, an unlimited number of login
690                  attempts are allowed simultaneously.
691
692                  If the max_sessions option is set to N and parallel_login is
693                  set  to  true,  the  maximum  number  of  simultaneous login
694                  attempts at any time is limited to N-K, where K is the  num‐
695                  ber of authenticated connections present at this daemon.
696
697            Warning:
698                Do not enable parallel_logins without protecting the server by
699                other means, for example, by  the  max_sessions  option  or  a
700                firewall configuration. If set to true, there is no protection
701                against DOS attacks.
702
703
704                minimal_remote_max_packet_size:
705                  The least maximum packet size that the daemon will accept in
706                  channel  open requests from the client. The default value is
707                  0.
708
709       callbacks_daemon_options() =
710           {failfun,
711            fun((User :: string(),
712                 PeerAddress :: inet:ip_address(),
713                 Reason :: term()) ->
714                    term())} |
715           {connectfun,
716            fun((User :: string(),
717                 PeerAddress :: inet:ip_address(),
718                 Method :: string()) ->
719                    term())}
720
721                connectfun:
722                  Provides a fun to implement your own  logging  when  a  user
723                  authenticates to the server.
724
725                failfun:
726                  Provides  a  fun  to  implement your own logging when a user
727                  fails to authenticate.
728
729       send_ext_info_daemon_option() = {send_ext_info, boolean()}
730
731              Make the server (daemon) tell the client that the server accepts
732              extension  negotiation,  that is, include ext-info-s in the kex‐
733              init message sent. See RFC 8308 for details  and  ssh(6)  for  a
734              list of currently implemented extensions.
735
736              Default value is true which is compatible with other implementa‐
737              tions not supporting ext-info.
738
739       tcpip_tunnel_in_daemon_option() = {tcpip_tunnel_in, boolean()}
740
741              Enables (true) or disables (false) the possibility to  tunnel  a
742              TCP/IP connection in to a server. Disabled per default.
743
744       tcpip_tunnel_out_daemon_option() =
745           {tcpip_tunnel_out, boolean()}
746
747              Enables  (true)  or disables (false) the possibility to tunnel a
748              TCP/IP connection out of a server. Disabled per default.
749
750   Options common to clients and daemons
751       common_options() = [common_option()]
752
753       common_option() =
754           ssh_file:user_dir_common_option() |
755           profile_common_option() |
756           max_idle_time_common_option() |
757           key_cb_common_option() |
758           disconnectfun_common_option() |
759           unexpectedfun_common_option() |
760           ssh_msg_debug_fun_common_option() |
761           rekey_limit_common_option() |
762           id_string_common_option() |
763           pref_public_key_algs_common_option() |
764           preferred_algorithms_common_option() |
765           modify_algorithms_common_option() |
766           auth_methods_common_option() |
767           inet_common_option() |
768           fd_common_option()
769
770              The options above can be used both in  clients  and  in  daemons
771              (servers). They are further explained below.
772
773       profile_common_option() = {profile, atom()}
774
775              Used  together  with  ip-address and port to uniquely identify a
776              ssh daemon. This can be useful  in  a  virtualized  environment,
777              where  there  can  be more that one server that has the same ip-
778              address and port. If this property is not explicitly set, it  is
779              assumed that the the ip-address and port uniquely identifies the
780              SSH daemon.
781
782       max_idle_time_common_option() = {idle_time, timeout()}
783
784              Sets a time-out on a  connection  when  no  channels  are  open.
785              Defaults to infinity. The unit is milliseconds.
786
787              The timeout is not active until channels are started, so it does
788              not limit the time from the connection  creation  to  the  first
789              channel opening.
790
791       rekey_limit_common_option() =
792           {rekey_limit,
793            Bytes ::
794                limit_bytes() |
795                {Minutes :: limit_time(), Bytes :: limit_bytes()}}
796
797       limit_bytes() = integer() >= 0 | infinity
798
799       limit_time() = integer() >= 1 | infinity
800
801              Sets  the  limit  when rekeying is to be initiated. Both the max
802              time and max amount of data could be configured:
803
804                * {Minutes, Bytes} initiate rekeying when any  of  the  limits
805                  are reached.
806
807                * Bytes  initiate  rekeying  when  Bytes  number  of bytes are
808                  transferred, or at latest after one hour.
809
810              When a rekeying is done, both the timer and the byte counter are
811              restarted. Defaults to one hour and one GByte.
812
813              If  Minutes  is set to infinity, no rekeying will ever occur due
814              to that max time has passed.  Setting  Bytes  to  infinity  will
815              inhibit  rekeying after a certain amount of data has been trans‐
816              ferred. If the option value is set to {infinity,  infinity},  no
817              rekeying  will be initiated. Note that rekeying initiated by the
818              peer will still be performed.
819
820       key_cb_common_option() =
821           {key_cb,
822            Module :: atom() | {Module :: atom(), Opts :: [term()]}}
823
824              Module  implementing  the  behaviour  ssh_client_key_api  and/or
825              ssh_server_key_api.  Can  be  used  to customize the handling of
826              public keys. If callback options are  provided  along  with  the
827              module  name, they are made available to the callback module via
828              the options passed to it under the key 'key_cb_private'.
829
830              The Opts defaults to [] when only the Module is specified.
831
832              The default value of this option is {ssh_file, []}. See also the
833              manpage of ssh_file.
834
835              A call to the call-back function F will be
836
837                     Module:F(..., [{key_cb_private,Opts}|UserOptions])
838
839
840              where  ...  are  arguments  to F as in ssh_client_key_api and/or
841              ssh_server_key_api. The UserOptions are  the  options  given  to
842              ssh:connect, ssh:shell or ssh:daemon.
843
844       pref_public_key_algs_common_option() =
845           {pref_public_key_algs, [pubkey_alg()]}
846
847              List of user (client) public key algorithms to try to use.
848
849              The  default  value is the public_key entry in the list returned
850              by ssh:default_algorithms/0.
851
852              If there is no public key of a  specified  type  available,  the
853              corresponding  entry  is ignored. Note that the available set is
854              dependent on the underlying cryptolib and current user's  public
855              keys.
856
857              See  also  the  option  user_dir  for specifying the path to the
858              user's keys.
859
860       disconnectfun_common_option() =
861           {disconnectfun, fun((Reason :: term()) -> void | any())}
862
863              Provides a fun to implement your own logging or  other  handling
864              at disconnects.
865
866       unexpectedfun_common_option() =
867           {unexpectedfun,
868            fun((Message :: term(), {Host :: term(), Port :: term()}) ->
869                    report | skip)}
870
871              Provides  a  fun  to  implement your own logging or other action
872              when an unexpected message arrives. If the  fun  returns  report
873              the  usual  info  report  is  issued  but if skip is returned no
874              report is generated.
875
876       ssh_msg_debug_fun_common_option() =
877           {ssh_msg_debug_fun,
878            fun((ssh:connection_ref(),
879                 AlwaysDisplay :: boolean(),
880                 Msg :: binary(),
881                 LanguageTag :: binary()) ->
882                    any())}
883
884              Provide a fun to implement your own logging of the  SSH  message
885              SSH_MSG_DEBUG.  The  last three parameters are from the message,
886              see RFC 4253, section 11.3. The connection_ref() is  the  refer‐
887              ence  to the connection on which the message arrived. The return
888              value from the fun is not checked.
889
890              The default behaviour is ignore the message. To get  a  printout
891              for  each  message  with  AlwaysDisplay  = true, use for example
892              {ssh_msg_debug_fun, fun(_,true,M,_)->  io:format("DEBUG:  ~p~n",
893              [M]) end}
894
895       id_string_common_option() =
896           {id_string,
897            string() |
898            random |
899            {random, Nmin :: integer() >= 1, Nmax :: integer() >= 1}}
900
901              The  string  the  daemon  will present to a connecting peer ini‐
902              tially. The default value is "Erlang/VSN" where VSN is  the  ssh
903              application version number.
904
905              The  value  random  will  cause a random string to be created at
906              each connection attempt. This is to make it a bit more difficult
907              for a malicious peer to find the ssh software brand and version.
908
909              The value {random, Nmin, Nmax} will make a random string with at
910              least Nmin characters and at most Nmax characters.
911
912       preferred_algorithms_common_option() =
913           {preferred_algorithms, algs_list()}
914
915       algs_list() = [alg_entry()]
916
917       alg_entry() =
918           {kex, [kex_alg()]} |
919           {public_key, [pubkey_alg()]} |
920           {cipher, double_algs(cipher_alg())} |
921           {mac, double_algs(mac_alg())} |
922           {compression, double_algs(compression_alg())}
923
924       kex_alg() =
925           'diffie-hellman-group-exchange-sha1' |
926           'diffie-hellman-group-exchange-sha256' |
927           'diffie-hellman-group1-sha1' | 'diffie-hellman-group14-sha1' |
928           'diffie-hellman-group14-sha256' |
929           'diffie-hellman-group16-sha512' |
930           'diffie-hellman-group18-sha512' | 'curve25519-sha256' |
931           'curve25519-sha256@libssh.org' | 'curve448-sha512' |
932           'ecdh-sha2-nistp256' | 'ecdh-sha2-nistp384' |
933           'ecdh-sha2-nistp521'
934
935       pubkey_alg() =
936           'ecdsa-sha2-nistp256' | 'ecdsa-sha2-nistp384' |
937           'ecdsa-sha2-nistp521' | 'ssh-ed25519' | 'ssh-ed448' |
938           'rsa-sha2-256' | 'rsa-sha2-512' | 'ssh-dss' | 'ssh-rsa'
939
940       cipher_alg() =
941           '3des-cbc' | 'AEAD_AES_128_GCM' | 'AEAD_AES_256_GCM' |
942           'aes128-cbc' | 'aes128-ctr' | 'aes128-gcm@openssh.com' |
943           'aes192-ctr' | 'aes192-cbc' | 'aes256-cbc' | 'aes256-ctr' |
944           'aes256-gcm@openssh.com' | 'chacha20-poly1305@openssh.com'
945
946       mac_alg() =
947           'AEAD_AES_128_GCM' | 'AEAD_AES_256_GCM' | 'hmac-sha1' |
948           'hmac-sha1-etm@openssh.com' | 'hmac-sha1-96' |
949           'hmac-sha2-256' | 'hmac-sha2-512' |
950           'hmac-sha2-256-etm@openssh.com' |
951           'hmac-sha2-512-etm@openssh.com'
952
953       compression_alg() = none | zlib | 'zlib@openssh.com'
954
955       double_algs(AlgType) =
956           [{client2server, [AlgType]} | {server2client, [AlgType]}] |
957           [AlgType]
958
959              List of algorithms to use  in  the  algorithm  negotiation.  The
960              default algs_list() can be obtained from default_algorithms/0.
961
962              If  an  alg_entry()  is  missing in the algs_list(), the default
963              value is used for that entry.
964
965              Here is an example of this option:
966
967                     {preferred_algorithms,
968                     [{public_key,['ssh-rsa','ssh-dss']},
969                     {cipher,[{client2server,['aes128-ctr']},
970                        {server2client,['aes128-cbc','3des-cbc']}]},
971                     {mac,['hmac-sha2-256','hmac-sha1']},
972                     {compression,[none,zlib]}
973                     ]
974                     }
975
976
977              The example specifies different algorithms in the two directions
978              (client2server  and server2client), for cipher but specifies the
979              same algorithms for mac and compression in both directions.  The
980              kex (key exchange) is implicit but public_key is set explicitly.
981
982              For background and more examples see the User's Guide.
983
984              If an algorithm name occurs more than once in a list, the behav‐
985              iour is undefined. The tags  in  the  property  lists  are  also
986              assumed to occur at most one time.
987
988          Warning:
989              Changing  the  values  can make a connection less secure. Do not
990              change unless you know exactly what you are doing. If you do not
991              understand the values then you are not supposed to change them.
992
993
994       modify_algorithms_common_option() =
995           {modify_algorithms, modify_algs_list()}
996
997       modify_algs_list() =
998           [{append, algs_list()} |
999            {prepend, algs_list()} |
1000            {rm, algs_list()}]
1001
1002              Modifies the list of algorithms to use in the algorithm negotia‐
1003              tion. The  modifications  are  applied  after  the  option  pre‐
1004              ferred_algorithms (if existing) is applied.
1005
1006              The algoritm for modifications works like this:
1007
1008                * Input  is  the  modify_algs_list() and a set of algorithms A
1009                  obtained from the preferred_algorithms option  if  existing,
1010                  or else from the ssh:default_algorithms/0.
1011
1012                * The  head  of  the  modify_algs_list() modifies A giving the
1013                  result A'.
1014
1015                  The possible modifications are:
1016
1017                  * Append or prepend supported but not  enabled  algorithm(s)
1018                    to  the  list  of  algorithms.  If  the  wanted algorithms
1019                    already are in A they  will  first  be  removed  and  then
1020                    appended or prepended,
1021
1022                  * Remove (rm) one or more algorithms from A.
1023
1024                * Repeat   the   modification  step  with  the  tail  of  mod‐
1025                  ify_algs_list() and the resulting A'.
1026
1027              If an unsupported algorithm is  in  the  modify_algs_list(),  it
1028              will be silently ignored
1029
1030              If there are more than one modify_algorithms options, the result
1031              is undefined.
1032
1033              Here is an example of this option:
1034
1035                     {modify_algorithms,
1036                     [{prepend, [{kex, ['diffie-hellman-group1-sha1']}],
1037                     {rm,      [{compression, [none]}]}
1038                     ]
1039                     }
1040
1041
1042              The example specifies that:
1043
1044                * the old key exchange algorithm  'diffie-hellman-group1-sha1'
1045                  should be the main alternative. It will be the main alterna‐
1046                  tive since it is prepened to the list
1047
1048                * The compression algorithm none (= no compression) is removed
1049                  so compression is enforced
1050
1051              For background and more examples see the User's Guide.
1052
1053       inet_common_option() = {inet, inet | inet6}
1054
1055              IP version to use when the host address is specified as any.
1056
1057       auth_methods_common_option() = {auth_methods, string()}
1058
1059              Comma-separated  string  that  determines  which  authentication
1060              methods that the client shall support and in  which  order  they
1061              are tried. Defaults to "publickey,keyboard-interactive,password"
1062
1063              Note  that  the  client  is free to use any order and to exclude
1064              methods.
1065
1066       fd_common_option() = {fd, gen_tcp:socket()}
1067
1068              Allows an existing file-descriptor to be used (passed on to  the
1069              transport protocol).
1070
1071   Other data types
1072       host() = string() | inet:ip_address() | loopback
1073
1074       ip_port() = {inet:ip_address(), inet:port_number()}
1075
1076       mod_args() = {Module :: atom(), Args :: list()}
1077
1078       mod_fun_args() =
1079           {Module :: atom(), Function :: atom(), Args :: list()}
1080
1081       open_socket() = gen_tcp:socket()
1082
1083              The  socket  is  supposed to be result of a gen_tcp:connect or a
1084              gen_tcp:accept. The socket must be in  passive  mode  (that  is,
1085              opened with the option {active,false}).
1086
1087       daemon_ref()
1088
1089              Opaque data type representing a daemon.
1090
1091              Returned by the functions daemon/1,2,3.
1092
1093       connection_ref()
1094
1095              Opaque  data type representing a connection between a client and
1096              a server (daemon).
1097
1098              Returned by the functions connect/2,3,4 and ssh_sftp:start_chan‐
1099              nel/2,3.
1100
1101       channel_id()
1102
1103              Opaque data type representing a channel inside a connection.
1104
1105              Returned by the functions ssh_connection:session_channel/2,4.
1106
1107       connection_info_tuple() =
1108           {client_version, version()} |
1109           {server_version, version()} |
1110           {user, string()} |
1111           {peer, {inet:hostname(), ip_port()}} |
1112           {sockname, ip_port()} |
1113           {options, client_options()} |
1114           {algorithms, conn_info_algs()} |
1115           {channels, conn_info_channels()}
1116
1117       version() = {protocol_version(), software_version()}
1118
1119       protocol_version() =
1120           {Major :: integer() >= 1, Minor :: integer() >= 0}
1121
1122       software_version() = string()
1123
1124       conn_info_algs() =
1125           [{kex, kex_alg()} |
1126            {hkey, pubkey_alg()} |
1127            {encrypt, cipher_alg()} |
1128            {decrypt, cipher_alg()} |
1129            {send_mac, mac_alg()} |
1130            {recv_mac, mac_alg()} |
1131            {compress, compression_alg()} |
1132            {decompress, compression_alg()} |
1133            {send_ext_info, boolean()} |
1134            {recv_ext_info, boolean()}]
1135
1136       conn_info_channels() = [proplists:proplist()]
1137
1138              Return  values  from the connection_info/1 and connection_info/2
1139              functions.
1140
1141              In the option info tuple are only the options included that dif‐
1142              fers from the default values.
1143
1144       daemon_info_tuple() =
1145           {port, inet:port_number()} |
1146           {ip, inet:ip_address()} |
1147           {profile, atom()} |
1148           {options, daemon_options()}
1149
1150              Return  values  from  the  daemon_info/1 and daemon_info/2 func‐
1151              tions.
1152
1153              In the option info tuple are only the options included that dif‐
1154              fers from the default values.
1155
1156       opaque_client_options()
1157
1158       opaque_daemon_options()
1159
1160       opaque_common_options()
1161
1162              Opaque types that define experimental options that are not to be
1163              used in products.
1164

EXPORTS

1166       close(ConnectionRef) -> ok | {error, term()}
1167
1168              Types:
1169
1170                 ConnectionRef = connection_ref()
1171
1172              Closes an SSH connection.
1173
1174       connect(Host, Port, Options) -> Result
1175       connect(Host, Port, Options, NegotiationTimeout) -> Result
1176       connect(TcpSocket, Options) -> Result
1177       connect(TcpSocket, Options, NegotiationTimeout) -> Result
1178
1179              Types:
1180
1181                 Host = host()
1182                 Port = inet:port_number()
1183                 Options = client_options()
1184                 TcpSocket = open_socket()
1185                 NegotiationTimeout = timeout()
1186                 Result = {ok, connection_ref()} | {error, term()}
1187
1188              Connects to an SSH server at the Host on Port.
1189
1190              As an alternative, an already open TCP socket could be passed to
1191              the  function  in  TcpSocket. The SSH initiation and negotiation
1192              will be initiated on that one with the SSH that should be at the
1193              other end.
1194
1195              No  channel  is  started.  This  is done by calling  ssh_connec‐
1196              tion:session_channel/[2, 4].
1197
1198              The NegotiationTimeout is in milli-seconds. The default value is
1199              infinity.  For  connection timeout, use the option connect_time‐
1200              out.
1201
1202       connection_info(ConnectionRef) -> InfoTupleList
1203
1204       connection_info(ConnectionRef, Key :: ItemList | Item) ->
1205                          InfoTupleList | InfoTuple
1206
1207              Types:
1208
1209                 ConnectionRef = connection_ref()
1210                 ItemList = [Item]
1211                 Item =
1212                     client_version | server_version | user | peer |  sockname
1213                 |
1214                     options | algorithms | sockname
1215                 InfoTupleList = [InfoTuple]
1216                 InfoTuple = connection_info_tuple()
1217
1218              Returns  information  about a connection intended for e.g debug‐
1219              ging or logging.
1220
1221              When the Key is a single Item, the result is a single InfoTuple
1222
1223       set_sock_opts(ConnectionRef, SocketOptions) ->
1224                        ok | {error, inet:posix()}
1225
1226              Types:
1227
1228                 ConnectionRef = connection_ref()
1229                 SocketOptions = [gen_tcp:option()]
1230
1231              Sets tcp socket options on the tcp-socket below an  ssh  connec‐
1232              tion.
1233
1234              This  function calls the inet:setopts/2, read that documentation
1235              and for gen_tcp:option().
1236
1237              All gen_tcp socket options except
1238
1239                * active
1240
1241                * deliver
1242
1243                * mode and
1244
1245                * packet
1246
1247              are allowed. The excluded options are reserved by the SSH appli‐
1248              cation.
1249
1250          Warning:
1251              This  is  an extremly dangerous function. You use it on your own
1252              risk.
1253
1254              Some options are OS and OS version  dependent.  Do  not  use  it
1255              unless  you  know what effect your option values will have on an
1256              TCP stream.
1257
1258              Some values may destroy the functionality of the SSH protocol.
1259
1260
1261       get_sock_opts(ConnectionRef, SocketGetOptions) ->
1262                        ok | {error, inet:posix()}
1263
1264              Types:
1265
1266                 ConnectionRef = connection_ref()
1267                 SocketGetOptions = [gen_tcp:option_name()]
1268
1269              Get tcp socket option values of the tcp-socket below an ssh con‐
1270              nection.
1271
1272              This function calls the inet:getopts/2, read that documentation.
1273
1274       daemon(Port | TcpSocket) -> Result
1275       daemon(Port | TcpSocket, Options) -> Result
1276       daemon(HostAddress, Port, Options) -> Result
1277
1278              Types:
1279
1280                 Port = integer()
1281                 TcpSocket = open_socket()
1282                 Options = daemon_options()
1283                 HostAddress = host() | any
1284                 Result = {ok, daemon_ref()} | {error, atom()}
1285
1286              Starts a server listening for SSH connections on the given port.
1287              If the Port is 0, a random  free  port  is  selected.  See  dae‐
1288              mon_info/1 about how to find the selected port number.
1289
1290              As an alternative, an already open TCP socket could be passed to
1291              the function in TcpSocket. The SSH  initiation  and  negotiation
1292              will  be  initiated  on that one when an SSH starts at the other
1293              end of the TCP socket.
1294
1295              For a description of the options, see Daemon Options.
1296
1297              Please note that by  historical  reasons  both  the  HostAddress
1298              argument  and  the gen_tcp connect_option() {ip,Address} set the
1299              listening address. This is a  source  of  possible  inconsistent
1300              settings.
1301
1302              The rules for handling the two address passing options are:
1303
1304                * if HostAddress is an IP-address, that IP-address is the lis‐
1305                  tening address. An 'ip'-option will be discarded if present.
1306
1307                * if HostAddress is the atom loopback, the  listening  address
1308                  is  loopback  and an loopback address will be choosen by the
1309                  underlying layers.  An  'ip'-option  will  be  discarded  if
1310                  present.
1311
1312                * if  HostAddress  is  the  atom  any  and  no  'ip'-option is
1313                  present, the listening address is any and  the  socket  will
1314                  listen to all addresses
1315
1316                * if  HostAddress  is  any  and an 'ip'-option is present, the
1317                  listening address is set to the value of the 'ip'-option
1318
1319       daemon_info(DaemonRef) ->
1320                      {ok, InfoTupleList} | {error, bad_daemon_ref}
1321
1322       daemon_info(DaemonRef, Key :: ItemList | Item) ->
1323                      InfoTupleList | InfoTuple | {error, bad_daemon_ref}
1324
1325              Types:
1326
1327                 DaemonRef = daemon_ref()
1328                 ItemList = [Item]
1329                 Item = ip | port | profile | options
1330                 InfoTupleList = [InfoTuple]
1331                 InfoTuple = daemon_info_tuple()
1332
1333              Returns information about a daemon intended for e.g debugging or
1334              logging.
1335
1336              When the Key is a single Item, the result is a single InfoTuple
1337
1338              Note  that  daemon_info/1  and  daemon_info/2  returns different
1339              types due to compatibility reasons.
1340
1341       default_algorithms() -> algs_list()
1342
1343              Returns a key-value list, where the keys are the different types
1344              of algorithms and the values are the algorithms themselves.
1345
1346              See the User's Guide for an example.
1347
1348       shell(Host | TcpSocket) -> Result
1349       shell(Host | TcpSocket, Options) -> Result
1350       shell(Host, Port, Options) -> Result
1351
1352              Types:
1353
1354                 Host = host()
1355                 TcpSocket = open_socket()
1356                 Port = inet:port_number()
1357                 Options = client_options()
1358                 Result = ok | {error, Reason::term()}
1359
1360              Connects  to an SSH server at Host and Port (defaults to 22) and
1361              starts an interactive shell on that remote host.
1362
1363              As an alternative, an already open TCP socket could be passed to
1364              the  function  in  TcpSocket. The SSH initiation and negotiation
1365              will be initiated on that one and finaly a shell will be started
1366              on the host at the other end of the TCP socket.
1367
1368              For a description of the options, see Client Options.
1369
1370              The function waits for user input, and does not return until the
1371              remote shell is ended (that is, exit from the shell).
1372
1373       start() -> ok | {error, term()}
1374
1375       start(Type) -> ok | {error, term()}
1376
1377              Types:
1378
1379                 Type = permanent | transient | temporary
1380
1381              Utility function  that  starts  the  applications  crypto,  pub‐
1382              lic_key,  and  ssh. Default type is temporary. For more informa‐
1383              tion, see the application(3) manual page in Kernel.
1384
1385       stop() -> ok | {error, term()}
1386
1387              Stops the ssh application. For more information, see the  appli‐
1388              cation(3) manual page in Kernel.
1389
1390       stop_daemon(DaemonRef :: daemon_ref()) -> ok
1391
1392       stop_daemon(Address :: inet:ip_address(),
1393                   Port :: inet:port_number()) ->
1394                      ok
1395
1396       stop_daemon(Address :: any | inet:ip_address(),
1397                   Port :: inet:port_number(),
1398                   Profile :: atom()) ->
1399                      ok
1400
1401              Stops the listener and all connections started by the listener.
1402
1403       stop_listener(SysSup :: daemon_ref()) -> ok
1404
1405       stop_listener(Address :: inet:ip_address(),
1406                     Port :: inet:port_number()) ->
1407                        ok
1408
1409       stop_listener(Address :: any | inet:ip_address(),
1410                     Port :: inet:port_number(),
1411                     Profile :: term()) ->
1412                        ok
1413
1414              Stops  the  listener, but leaves existing connections started by
1415              the listener operational.
1416
1417       tcpip_tunnel_from_server(ConnectionRef, ListenHost, ListenPort,
1418                                ConnectToHost, ConnectToPort) ->
1419                                   {ok, TrueListenPort} | {error, term()}
1420
1421       tcpip_tunnel_from_server(ConnectionRef, ListenHost, ListenPort,
1422                                ConnectToHost, ConnectToPort, Timeout) ->
1423                                   {ok, TrueListenPort} | {error, term()}
1424
1425              Types:
1426
1427                 ConnectionRef = connection_ref()
1428                 ListenHost = host()
1429                 ListenPort = inet:port_number()
1430                 ConnectToHost = host()
1431                 ConnectToPort = inet:port_number()
1432                 Timeout = timeout()
1433                 TrueListenPort = inet:port_number()
1434
1435              Asks the remote server of ConnectionRef  to  listen  to  Listen‐
1436              Host:ListenPort. When someone connects that address, the connec‐
1437              tion is forwarded in an encrypted channel from the server to the
1438              client.  The  client (that is, at the node that calls this func‐
1439              tion) then connects to ConnectToHost:ConnectToPort.
1440
1441              The returned TrueListenPort is the port that is listened to.  It
1442              is  the  same as ListenPort, except when ListenPort = 0. In that
1443              case a free port is selected by the underlying OS.
1444
1445              Note that in case of an Erlang/OTP SSH server (daemon) as  peer,
1446              that  server  must  have been started with the option tcpip_tun‐
1447              nel_out to allow the connection.
1448
1449       tcpip_tunnel_to_server(ConnectionRef, ListenHost, ListenPort,
1450                              ConnectToHost, ConnectToPort) ->
1451                                 {ok, TrueListenPort} | {error, term()}
1452
1453       tcpip_tunnel_to_server(ConnectionRef, ListenHost, ListenPort,
1454                              ConnectToHost, ConnectToPort, Timeout) ->
1455                                 {ok, TrueListenPort} | {error, term()}
1456
1457              Types:
1458
1459                 ConnectionRef = connection_ref()
1460                 ListenHost = host()
1461                 ListenPort = inet:port_number()
1462                 ConnectToHost = host()
1463                 ConnectToPort = inet:port_number()
1464                 Timeout = timeout()
1465                 TrueListenPort = inet:port_number()
1466
1467              Tells the local client to listen to ListenHost:ListenPort.  When
1468              someone connects to that address, the connection is forwarded in
1469              an encrypted channel to the peer server of  ConnectionRef.  That
1470              server then connects to ConnectToHost:ConnectToPort.
1471
1472              The  returned TrueListenPort is the port that is listened to. It
1473              is the same as ListenPort, except when ListenPort = 0.  In  that
1474              case a free port is selected by the underlying OS.
1475
1476              Note  that in case of an Erlang/OTP SSH server (daemon) as peer,
1477              that server must have been started with  the  option  tcpip_tun‐
1478              nel_in to allow the connection.
1479
1480
1481
1482Ericsson AB                       ssh 4.11.1                            ssh(3)
Impressum