1ssh(3) Erlang Module Definition ssh(3)
2
6 ssh - Main API of the ssh application
7
9 This is the interface module for the SSH application. The Secure Shell
10 (SSH) Protocol is a protocol for secure remote login and other secure
11 network services over an insecure network. See ssh(6) for details of
12 supported RFCs, versions, algorithms and unicode handling.
13 With the SSH application it is possible to start clients and to start
15 daemons (servers).
16 Clients are started with connect/2, connect/3 or connect/4. They open
18 an encrypted connection on top of TCP/IP. In that encrypted connection
19 one or more channels could be opened with ssh_connection:session_chan‐
20 nel/2,4.
21 Each channel is an isolated "pipe" between a client-side process and a
23 server-side process. Those process pairs could handle for example file
24 transfers (sftp) or remote command execution (shell, exec and/or cli).
25 If a custom shell is implemented, the user of the client could execute
26 the special commands remotely. Note that the user is not necessarily a
27 human but probably a system interfacing the SSH app.
28 A server-side subssystem (channel) server is requested by the client
30 with ssh_connection:subsystem/4.
31 A server (daemon) is started with daemon/1, daemon/2 or daemon/3. Pos‐
33 sible channel handlers (subsystems) are declared with the subsystem op‐
34 tion when the daemon is started.
35 To just run a shell on a remote machine, there are functions that bun‐
37 dles the needed three steps needed into one: shell/1,2,3. Similarily,
38 to just open an sftp (file transfer) connection to a remote machine,
39 the simplest way is to use ssh_sftp:start_channel/1,2,3.
40 To write your own client channel handler, use the behaviour
42 ssh_client_channel. For server channel handlers use ssh_server_channel
43 behaviour (replaces ssh_daemon_channel).
44 Both clients and daemons accepts options that controls the exact behav‐
46 iour. Some options are common to both. The three sets are called Client
47 Options, Daemon Options and Common Options.
48 The descriptions of the options uses the Erlang Type Language with ex‐
50 plaining text.
51 Note:
53 The User's Guide has examples and a Getting Started section.
54
57 A number of objects must be present for the SSH application to work.
58 Those objects are per default stored in files. The default names, paths
59 and file formats are the same as for OpenSSH. Keys could be generated
60 with the ssh-keygen program from OpenSSH. See the User's Guide.
61 The paths could easily be changed by options: user_dir and system_dir.
63 A completly different storage could be interfaced by writing call-back
65 modules using the behaviours ssh_client_key_api and/or
66 ssh_server_key_api. A callback module is installed with the option
67 key_cb to the client and/or the daemon.
68 Daemons
70 The keys are by default stored in files:
71 * Mandatory: one or more Host key(s) , both private and public. De‐
73 fault is to store them in the directory /etc/ssh in the files
74 * ssh_host_dsa_key and ssh_host_dsa_key.pub
76 * ssh_host_rsa_key and ssh_host_rsa_key.pub
78 * ssh_host_ecdsa_key and ssh_host_ecdsa_key.pub
80 The host keys directory could be changed with the option sys‐
82 tem_dir.
83 * Optional: one or more User's public key in case of publickey au‐
85 thorization. Default is to store them concatenated in the file
86 .ssh/authorized_keys in the user's home directory.
87 The user keys directory could be changed with the option user_dir.
89 Clients
91 The keys and some other data are by default stored in files in the di‐
92 rectory .ssh in the user's home directory.
93 The directory could be changed with the option user_dir.
95 * Optional: a list of Host public key(s) for previously connected
97 hosts. This list is handled by the SSH application without any need
98 of user assistance. The default is to store them in the file
99 known_hosts.
100 The host_accepting_client_options() are associated with this list
102 of keys.
103 * Optional: one or more User's private key(s) in case of publickey
105 authorization. The default files are
106 * id_dsa and id_dsa.pub
108 * id_rsa and id_rsa.pub
110 * id_ecdsa and id_ecdsa.pub
112
114 Client Options
115 client_options() = [client_option()]
116 client_option() =
118 ssh_file:pubkey_passphrase_client_options() |
119 host_accepting_client_options() |
120 authentication_client_options() |
121 diffie_hellman_group_exchange_client_option() |
122 connect_timeout_client_option() |
123 recv_ext_info_client_option() |
124 opaque_client_options() |
125 gen_tcp:connect_option() |
126 common_option()
127 Options for clients. The individual options are further ex‐
129 plained below or by following the hyperlinks.
130 Note that not every gen_tcp:connect_option() is accepted. See
132 set_sock_opts/2 for a list of prohibited options.
133 Also note that setting a gen_tcp:connect_option() could change
135 the socket in a way that impacts the ssh client's behaviour neg‐
136 atively. You use it on your own risk.
137 host_accepting_client_options() =
139 {silently_accept_hosts, accept_hosts()} |
140 {user_interaction, boolean()} |
141 {save_accepted_host, boolean()} |
142 {quiet_mode, boolean()}
143 accept_hosts() =
145 boolean() |
146 accept_callback() |
147 {HashAlgoSpec :: fp_digest_alg(), accept_callback()}
148 fp_digest_alg() = md5 | crypto:sha1() | crypto:sha2()
150 accept_callback() =
152 fun((PeerName :: string(), fingerprint()) -> boolean()) |
153 fun((PeerName :: string(),
154 Port :: inet:port_number(),
155 fingerprint()) ->
156 boolean())
157 fingerprint() = string() | [string()]
159 silently_accept_hosts:
161 This option guides the connect function on how to act when
162 the connected server presents a Host Key that the client has
163 not seen before. The default is to ask the user with a ques‐
164 tion on stdio of whether to accept or reject the new Host
165 Key. See the option user_dir for specifying the path to the
166 file known_hosts where previously accepted Host Keys are
167 recorded. See also the option key_cb for the general way to
168 handle keys.
169 The option can be given in three different forms as seen
171 above:
172 * The value is a boolean(). The value true will make the
174 client accept any unknown Host Key without any user inter‐
175 action. The value false preserves the default behaviour of
176 asking the user on stdio.
177 * An accept_callback() will be called and the boolean return
179 value true will make the client accept the Host Key. A re‐
180 turn value of false will make the client to reject the
181 Host Key and as a result the connection will be closed.
182 The arguments to the fun are:
183 * PeerName - a string with the name or address of the re‐
185 mote host.
186 * FingerPrint - the fingerprint of the Host Key as
188 hostkey_fingerprint/1 calculates it.
189 * A tuple {HashAlgoSpec, accept_callback}. The HashAlgoSpec
191 specifies which hash algorithm shall be used to calculate
192 the fingerprint used in the call of the accept_callback().
193 The HashALgoSpec is either an atom or a list of atoms as
194 the first argument in hostkey_fingerprint/2. If it is a
195 list of hash algorithm names, the FingerPrint argument in
196 the accept_callback() will be a list of fingerprints in
197 the same order as the corresponding name in the HashAlgo‐
198 Spec list.
199 user_interaction:
201 If false, disables the client to connect to the server if
202 any user interaction is needed, such as accepting the server
203 to be added to the known_hosts file, or supplying a pass‐
204 word.
205 Even if user interaction is allowed it can be suppressed by
207 other options, such as silently_accept_hosts and password.
208 However, those options are not always desirable to use from
209 a security point of view.
210 Defaults to true.
212 save_accepted_host:
214 If true, the client saves an accepted host key to avoid the
215 accept question the next time the same host is connected. If
216 the option key_cb is not present, the key is saved in the
217 file "known_hosts". See option user_dir for the location of
218 that file.
219 If false, the key is not saved and the key will still be un‐
221 known at the next access of the same host.
222 Defaults to true
224 quiet_mode:
226 If true, the client does not print anything on authoriza‐
227 tion.
228 Defaults to false
230 authentication_client_options() =
232 {user, string()} | {password, string()}
233 user:
235 Provides the username. If this option is not given, ssh
236 reads from the environment (LOGNAME or USER on UNIX, USER‐
237 NAME on Windows).
238 password:
240 Provides a password for password authentication. If this op‐
241 tion is not given, the user is asked for a password, if the
242 password authentication method is attempted.
243 diffie_hellman_group_exchange_client_option() =
245 {dh_gex_limits,
246 {Min :: integer() >= 1,
247 I :: integer() >= 1,
248 Max :: integer() >= 1}}
249 Sets the three diffie-hellman-group-exchange parameters that
251 guides the connected server in choosing a group. See RFC 4419
252 for the details. The default value is {1024, 6144, 8192}.
253 connect_timeout_client_option() = {connect_timeout, timeout()}
255 Sets a timeout on the transport layer connect time. For gen_tcp
257 the time is in milli-seconds and the default value is infinity.
258 See the parameter Timeout in connect/4 for a timeout of the ne‐
260 gotiation phase.
261 recv_ext_info_client_option() = {recv_ext_info, boolean()}
263 Make the client tell the server that the client accepts exten‐
265 sion negotiation, that is, include ext-info-c in the kexinit
266 message sent. See RFC 8308 for details and ssh(6) for a list of
267 currently implemented extensions.
268 Default value is true which is compatible with other implementa‐
270 tions not supporting ext-info.
271 Daemon Options (Server Options)
273 daemon_options() = [daemon_option()]
274 daemon_option() =
276 subsystem_daemon_option() |
277 shell_daemon_option() |
278 exec_daemon_option() |
279 ssh_cli_daemon_option() |
280 tcpip_tunnel_out_daemon_option() |
281 tcpip_tunnel_in_daemon_option() |
282 authentication_daemon_options() |
283 diffie_hellman_group_exchange_daemon_option() |
284 negotiation_timeout_daemon_option() |
285 hello_timeout_daemon_option() |
286 hardening_daemon_options() |
287 callbacks_daemon_options() |
288 send_ext_info_daemon_option() |
289 opaque_daemon_options() |
290 gen_tcp:listen_option() |
291 common_option()
292 Options for daemons. The individual options are further ex‐
294 plained below or by following the hyperlinks.
295 Note that not every gen_tcp:listen_option() is accepted. See
297 set_sock_opts/2 for a list of prohibited options.
298 Also note that setting a gen_tcp:listen_option() could change
300 the socket in a way that impacts the ssh deamon's behaviour neg‐
301 atively. You use it on your own risk.
302 subsystem_daemon_option() = {subsystems, subsystem_specs()}
304 subsystem_specs() = [subsystem_spec()]
306 subsystem_spec() = {Name :: string(), mod_args()}
308 Defines a subsystem in the daemon.
310 The subsystem_name is the name that a client requests to start
312 with for example ssh_connection:subsystem/4.
313 The channel_callback is the module that implements the
315 ssh_server_channel (replaces ssh_daemon_channel) behaviour in
316 the daemon. See the section Creating a Subsystem in the User's
317 Guide for more information and an example.
318 If the subsystems option is not present, the value of
320 ssh_sftpd:subsystem_spec([]) is used. This enables the sftp sub‐
321 system by default. The option can be set to the empty list if
322 you do not want the daemon to run any subsystems.
323 shell_daemon_option() = {shell, shell_spec()}
325 shell_spec() = mod_fun_args() | shell_fun() | disabled
327 shell_fun() = 'shell_fun/1'() | 'shell_fun/2'()
329 'shell_fun/1'() = fun((User :: string()) -> pid())
331 'shell_fun/2'() =
333 fun((User :: string(), PeerAddr :: inet:ip_address()) -> pid())
334 Defines the read-eval-print loop used in a daemon when a shell
336 is requested by the client. The default is to use the Erlang
337 shell: {shell, start, []}
338 See the option exec-option for a description of how the daemon
340 executes shell-requests and exec-requests depending on the
341 shell- and exec-options.
342 exec_daemon_option() = {exec, exec_spec()}
344 exec_spec() =
346 {direct, exec_fun()} | disabled | deprecated_exec_opt()
347 exec_fun() = 'exec_fun/1'() | 'exec_fun/2'() | 'exec_fun/3'()
349 'exec_fun/1'() = fun((Cmd :: string()) -> exec_result())
351 'exec_fun/2'() =
353 fun((Cmd :: string(), User :: string()) -> exec_result())
354 'exec_fun/3'() =
356 fun((Cmd :: string(),
357 User :: string(),
358 ClientAddr :: ip_port()) ->
359 exec_result())
360 exec_result() =
362 {ok, Result :: term()} | {error, Reason :: term()}
363 This option changes how the daemon executes exec-requests from
365 clients. The term in the return value is formatted to a string
366 if it is a non-string type. No trailing newline is added in the
367 ok-case.
368 See the User's Guide section on One-Time Execution for examples.
370 Error texts are returned on channel-type 1 which usually is
372 piped to stderr on e.g Linux systems. Texts from a successful
373 execution are returned on channel-type 0 and will in similar
374 manner be piped to stdout. The exit-status code is set to 0 for
375 success and 255 for errors. The exact results presented on the
376 client side depends on the client and the client's operating
377 system.
378 In case of the {direct, exec_fun()} variant or no exec-option at
380 all, all reads from standard_input will be from the received
381 data-events of type 0. Those are sent by the client. Similarily
382 all writes to standard_output will be sent as data-events to the
383 client. An OS shell client like the command 'ssh' will usally
384 use stdin and stdout for the user interface.
385 The option cooperates with the daemon-option shell in the fol‐
387 lowing way:
388 1. If neither the exec-option nor the shell-option is
390 present::
391 The default Erlang evaluator is used both for exec and shell
392 requests. The result is returned to the client.
393 2. If the exec_spec's value is disabled (the shell-option may
395 or may not be present)::
396 No exec-requests are executed but shell-requests are not af‐
397 fected, they follow the shell_spec's value.
398 3. If the exec-option is present and the exec_spec value =/=
400 disabled (the shell-option may or may not be present)::
401 The exec_spec fun() is called with the same number of param‐
402 eters as the arity of the fun, and the result is returned to
403 the client. Shell-requests are not affected, they follow the
404 shell_spec's value.
405 4. If the exec-option is absent, and the shell-option is
407 present with the default Erlang shell as the shell_spec's
408 value::
409 The default Erlang evaluator is used both for exec and shell
410 requests. The result is returned to the client.
411 5. If the exec-option is absent, and the shell-option is
413 present with a value that is neither the default Erlang shell
414 nor the value disabled::
415 The exec-request is not evaluated and an error message is
416 returned to the client. Shell-requests are executed accord‐
417 ing to the value of the shell_spec.
418 6. If the exec-option is absent, and the shell_spec's value is
420 disabled::
421 Exec requests are executed by the default shell, but shell-
422 requests are not executed.
423 If a custom CLI is installed (see the option ssh_cli) the rules
425 above are replaced by thoose implied by the custom CLI.
426 Note:
428 The exec-option has existed for a long time but has not previ‐
429 ously been documented. The old definition and behaviour are re‐
430 tained but obey the rules 1-6 above if conflicting. The old and
431 undocumented style should not be used in new programs.
432 deprecated_exec_opt() = function() | mod_fun_args()
435 Old-style exec specification that are kept for compatibility,
437 but should not be used in new programs
438 ssh_cli_daemon_option() = {ssh_cli, mod_args() | no_cli}
440 Provides your own CLI implementation in a daemon.
442 It is a channel callback module that implements a shell and com‐
444 mand execution. The shell's read-eval-print loop can be custom‐
445 ized, using the option shell. This means less work than imple‐
446 menting an own CLI channel. If ssh_cli is set to no_cli, the CLI
447 channels like shell and exec are disabled and only subsystem
448 channels are allowed.
449 authentication_daemon_options() =
451 ssh_file:system_dir_daemon_option() |
452 {auth_method_kb_interactive_data, prompt_texts()} |
453 {user_passwords, [{UserName :: string(), Pwd :: string()}]} |
454 {pk_check_user, boolean()} |
455 {password, string()} |
456 {pwdfun, pwdfun_2() | pwdfun_4()}
457 prompt_texts() =
459 kb_int_tuple() | kb_int_fun_3() | kb_int_fun_4()
460 kb_int_tuple() =
462 {Name :: string(),
463 Instruction :: string(),
464 Prompt :: string(),
465 Echo :: boolean()}
466 kb_int_fun_3() =
468 fun((Peer :: ip_port(), User :: string(), Service :: string()) ->
469 kb_int_tuple())
470 kb_int_fun_4() =
472 fun((Peer :: ip_port(),
473 User :: string(),
474 Service :: string(),
475 State :: any()) ->
476 kb_int_tuple())
477 pwdfun_2() =
479 fun((User :: string(), Password :: string() | pubkey) ->
480 boolean())
481 pwdfun_4() =
483 fun((User :: string(),
484 Password :: string() | pubkey,
485 PeerAddress :: ip_port(),
486 State :: any()) ->
487 boolean() |
488 disconnect |
489 {boolean(), NewState :: any()})
490 auth_method_kb_interactive_data:
492 Sets the text strings that the daemon sends to the client
493 for presentation to the user when using keyboard-interactive
494 authentication.
495 If the fun/3 or fun/4 is used, it is called when the actual
497 authentication occurs and may therefore return dynamic data
498 like time, remote ip etc.
499 The parameter Echo guides the client about need to hide the
501 password.
502 The default value is: {auth_method_kb_interactive_data,
504 {"SSH server", "Enter password for \""++User++"\"", "pass‐
505 word: ", false}>
506 user_passwords:
508 Provides passwords for password authentication. The pass‐
509 words are used when someone tries to connect to the server
510 and public key user-authentication fails. The option pro‐
511 vides a list of valid usernames and the corresponding pass‐
512 words.
513 Warning:
515 Note that this is very insecure due to the plain-text pass‐
516 words; it is intended for test purposes. Use the pwdfun option
517 to handle the password checking instead.
518 pk_check_user:
521 Enables checking of the client's user name in the server
522 when doing public key authentication. It is disabled by de‐
523 fault.
524 The term "user" is used differently in OpenSSH and SSH in
526 Erlang/OTP: see more in the User's Guide.
527 If the option is enabled, and no pwdfun is present, the user
529 name must present in the user_passwords for the check to
530 succeed but the value of the password is not checked.
531 In case of a pwdfun checking the user, the atom pubkey is
533 put in the password argument.
534 password:
536 Provides a global password that authenticates any user.
537 Warning:
539 Intended to facilitate testing.
540 From a security perspective this option makes the server very
542 vulnerable.
543 pwdfun with pwdfun_4():
546 Provides a function for password validation. This could used
547 for calling an external system or handeling passwords stored
548 as hash values.
549 This fun can also be used to make delays in authentication
551 tries for example by calling timer:sleep/1.
552 To facilitate for instance counting of failed tries, the
554 State variable could be used. This state is per connection
555 only. The first time the pwdfun is called for a connection,
556 the State variable has the value undefined.
557 The fun should return:
559 * true if the user and password is valid
561 * false if the user or password is invalid
563 * disconnect if a SSH_MSG_DISCONNECT message should be sent
565 immediately. It will be followed by a close of the under‐
566 lying tcp connection.
567 * {true, NewState:any()} if the user and password is valid
569 * {false, NewState:any()} if the user or password is invalid
571 A third usage is to block login attempts from a missbehaving
573 peer. The State described above can be used for this. The
574 return value disconnect is useful for this.
575 In case of the pk_check_user is set, the atom pubkey is put
577 in the password argument when validating a public key login.
578 The pwdfun is then responsible to check that the user name
579 is valid.
580 pwdfun with pwdfun_2():
582 Provides a function for password validation. This function
583 is called with user and password as strings, and returns:
584 * true if the user and password is valid
586 * false if the user or password is invalid
588 In case of the pk_check_user is set, the atom pubkey is put
590 in the password argument when validating a public key login.
591 The pwdfun is then responsible to check that the user name
592 is valid.
593 This variant is kept for compatibility.
595 diffie_hellman_group_exchange_daemon_option() =
597 {dh_gex_groups,
598 [explicit_group()] |
599 explicit_group_file() |
600 ssh_moduli_file()} |
601 {dh_gex_limits, {Min :: integer() >= 1, Max :: integer() >= 1}}
602 explicit_group() =
604 {Size :: integer() >= 1,
605 G :: integer() >= 1,
606 P :: integer() >= 1}
607 explicit_group_file() = {file, string()}
609 ssh_moduli_file() = {ssh_moduli_file, string()}
611 dh_gex_groups:
613 Defines the groups the server may choose among when diffie-
614 hellman-group-exchange is negotiated. See RFC 4419 for de‐
615 tails. The three variants of this option are:
616 {Size=integer(),G=integer(),P=integer()}:
618 The groups are given explicitly in this list. There may be
619 several elements with the same Size. In such a case, the
620 server will choose one randomly in the negotiated Size.
621 {file,filename()}:
623 The file must have one or more three-tuples {Size=inte‐
624 ger(),G=integer(),P=integer()} terminated by a dot. The
625 file is read when the daemon starts.
626 {ssh_moduli_file,filename()}:
628 The file must be in ssh-keygen moduli file format. The
629 file is read when the daemon starts.
630 The default list is fetched from the public_key application.
632 dh_gex_limits:
634 Limits what a client can ask for in diffie-hellman-group-ex‐
635 change. The limits will be {MaxUsed = min(MaxClient,Max),
636 MinUsed = max(MinClient,Min)} where MaxClient and MinClient
637 are the values proposed by a connecting client.
638 The default value is {0,infinity}.
640 If MaxUsed < MinUsed in a key exchange, it will fail with a
642 disconnect.
643 See RFC 4419 for the function of the Max and Min values.
645 hello_timeout_daemon_option() = {hello_timeout, timeout()}
647 Maximum time in milliseconds for the first part of the ssh ses‐
649 sion setup, the hello message exchange. Defaults to 30000 ms (30
650 seconds). If the client fails to send the first message within
651 this time, the connection is closed.
652 negotiation_timeout_daemon_option() =
654 {negotiation_timeout, timeout()}
655 Maximum time in milliseconds for the authentication negotiation.
657 Defaults to 120000 ms (2 minutes). If the client fails to log in
658 within this time, the connection is closed.
659 hardening_daemon_options() =
661 {max_sessions, integer() >= 1} |
662 {max_channels, integer() >= 1} |
663 {parallel_login, boolean()} |
664 {minimal_remote_max_packet_size, integer() >= 1}
665 max_sessions:
667 The maximum number of simultaneous sessions that are ac‐
668 cepted at any time for this daemon. This includes sessions
669 that are being authorized. Thus, if set to N, and N clients
670 have connected but not started the login process, connection
671 attempt N+1 is aborted. If N connections are authenticated
672 and still logged in, no more logins are accepted until one
673 of the existing ones log out.
674 The counter is per listening port. Thus, if two daemons are
676 started, one with {max_sessions,N} and the other with
677 {max_sessions,M}, in total N+M connections are accepted for
678 the whole ssh application.
679 Notice that if parallel_login is false, only one client at a
681 time can be in the authentication phase.
682 By default, this option is not set. This means that the num‐
684 ber is not limited.
685 max_channels:
687 The maximum number of channels with active remote subsystem
688 that are accepted for each connection to this daemon
689 By default, this option is not set. This means that the num‐
691 ber is not limited.
692 parallel_login:
694 If set to false (the default value), only one login is han‐
695 dled at a time. If set to true, an unlimited number of login
696 attempts are allowed simultaneously.
697 If the max_sessions option is set to N and parallel_login is
699 set to true, the maximum number of simultaneous login at‐
700 tempts at any time is limited to N-K, where K is the number
701 of authenticated connections present at this daemon.
702 Warning:
704 Do not enable parallel_logins without protecting the server by
705 other means, for example, by the max_sessions option or a
706 firewall configuration. If set to true, there is no protection
707 against DOS attacks.
708 minimal_remote_max_packet_size:
711 The least maximum packet size that the daemon will accept in
712 channel open requests from the client. The default value is
713 0.
714 callbacks_daemon_options() =
716 {failfun,
717 fun((User :: string(),
718 PeerAddress :: inet:ip_address(),
719 Reason :: term()) ->
720 term())} |
721 {connectfun,
722 fun((User :: string(),
723 PeerAddress :: inet:ip_address(),
724 Method :: string()) ->
725 term())}
726 connectfun:
728 Provides a fun to implement your own logging when a user au‐
729 thenticates to the server.
730 failfun:
732 Provides a fun to implement your own logging when a user
733 fails to authenticate.
734 send_ext_info_daemon_option() = {send_ext_info, boolean()}
736 Make the server (daemon) tell the client that the server accepts
738 extension negotiation, that is, include ext-info-s in the kex‐
739 init message sent. See RFC 8308 for details and ssh(6) for a
740 list of currently implemented extensions.
741 Default value is true which is compatible with other implementa‐
743 tions not supporting ext-info.
744 tcpip_tunnel_in_daemon_option() = {tcpip_tunnel_in, boolean()}
746 Enables (true) or disables (false) the possibility to tunnel a
748 TCP/IP connection in to a server. Disabled per default.
749 tcpip_tunnel_out_daemon_option() =
751 {tcpip_tunnel_out, boolean()}
752 Enables (true) or disables (false) the possibility to tunnel a
754 TCP/IP connection out of a server. Disabled per default.
755 Options common to clients and daemons
757 common_options() = [common_option()]
758 common_option() =
760 ssh_file:user_dir_common_option() |
761 profile_common_option() |
762 max_idle_time_common_option() |
763 max_log_item_len_common_option() |
764 key_cb_common_option() |
765 disconnectfun_common_option() |
766 unexpectedfun_common_option() |
767 ssh_msg_debug_fun_common_option() |
768 rekey_limit_common_option() |
769 id_string_common_option() |
770 pref_public_key_algs_common_option() |
771 preferred_algorithms_common_option() |
772 modify_algorithms_common_option() |
773 auth_methods_common_option() |
774 inet_common_option() |
775 fd_common_option()
776 The options above can be used both in clients and in daemons
778 (servers). They are further explained below.
779 profile_common_option() = {profile, atom()}
781 Used together with ip-address and port to uniquely identify a
783 ssh daemon. This can be useful in a virtualized environment,
784 where there can be more that one server that has the same ip-ad‐
785 dress and port. If this property is not explicitly set, it is
786 assumed that the the ip-address and port uniquely identifies the
787 SSH daemon.
788 max_idle_time_common_option() = {idle_time, timeout()}
790 Sets a time-out on a connection when no channels are open. De‐
792 faults to infinity. The unit is milliseconds.
793 The timeout is not active until channels are started, so it does
795 not limit the time from the connection creation to the first
796 channel opening.
797 max_log_item_len_common_option() =
799 {max_log_item_len, limit_bytes()}
800 Sets a limit for the size of a logged item excluding a header.
802 The unit is bytes and the value defaults to 500.
803 rekey_limit_common_option() =
805 {rekey_limit,
806 Bytes ::
807 limit_bytes() |
808 {Minutes :: limit_time(), Bytes :: limit_bytes()}}
809 limit_bytes() = integer() >= 0 | infinity
811 limit_time() = integer() >= 1 | infinity
813 Sets the limit when rekeying is to be initiated. Both the max
815 time and max amount of data could be configured:
816 * {Minutes, Bytes} initiate rekeying when any of the limits
818 are reached.
819 * Bytes initiate rekeying when Bytes number of bytes are
821 transferred, or at latest after one hour.
822 When a rekeying is done, both the timer and the byte counter are
824 restarted. Defaults to one hour and one GByte.
825 If Minutes is set to infinity, no rekeying will ever occur due
827 to that max time has passed. Setting Bytes to infinity will in‐
828 hibit rekeying after a certain amount of data has been trans‐
829 ferred. If the option value is set to {infinity, infinity}, no
830 rekeying will be initiated. Note that rekeying initiated by the
831 peer will still be performed.
832 key_cb_common_option() =
834 {key_cb,
835 Module :: atom() | {Module :: atom(), Opts :: [term()]}}
836 Module implementing the behaviour ssh_client_key_api and/or
838 ssh_server_key_api. Can be used to customize the handling of
839 public keys. If callback options are provided along with the
840 module name, they are made available to the callback module via
841 the options passed to it under the key 'key_cb_private'.
842 The Opts defaults to [] when only the Module is specified.
844 The default value of this option is {ssh_file, []}. See also the
846 manpage of ssh_file.
847 A call to the call-back function F will be
849 Module:F(..., [{key_cb_private,Opts}|UserOptions])
851 where ... are arguments to F as in ssh_client_key_api and/or
854 ssh_server_key_api. The UserOptions are the options given to
855 ssh:connect, ssh:shell or ssh:daemon.
856 pref_public_key_algs_common_option() =
858 {pref_public_key_algs, [pubkey_alg()]}
859 List of user (client) public key algorithms to try to use.
861 The default value is the public_key entry in the list returned
863 by ssh:default_algorithms/0.
864 If there is no public key of a specified type available, the
866 corresponding entry is ignored. Note that the available set is
867 dependent on the underlying cryptolib and current user's public
868 keys.
869 See also the option user_dir for specifying the path to the
871 user's keys.
872 disconnectfun_common_option() =
874 {disconnectfun, fun((Reason :: term()) -> void | any())}
875 Provides a fun to implement your own logging or other handling
877 at disconnects.
878 unexpectedfun_common_option() =
880 {unexpectedfun,
881 fun((Message :: term(), {Host :: term(), Port :: term()}) ->
882 report | skip)}
883 Provides a fun to implement your own logging or other action
885 when an unexpected message arrives. If the fun returns report
886 the usual info report is issued but if skip is returned no re‐
887 port is generated.
888 ssh_msg_debug_fun_common_option() =
890 {ssh_msg_debug_fun,
891 fun((ssh:connection_ref(),
892 AlwaysDisplay :: boolean(),
893 Msg :: binary(),
894 LanguageTag :: binary()) ->
895 any())}
896 Provide a fun to implement your own logging of the SSH message
898 SSH_MSG_DEBUG. The last three parameters are from the message,
899 see RFC 4253, section 11.3. The connection_ref() is the refer‐
900 ence to the connection on which the message arrived. The return
901 value from the fun is not checked.
902 The default behaviour is ignore the message. To get a printout
904 for each message with AlwaysDisplay = true, use for example
905 {ssh_msg_debug_fun, fun(_,true,M,_)-> io:format("DEBUG: ~p~n",
906 [M]) end}
907 id_string_common_option() =
909 {id_string,
910 string() |
911 random |
912 {random, Nmin :: integer() >= 1, Nmax :: integer() >= 1}}
913 The string the daemon will present to a connecting peer ini‐
915 tially. The default value is "Erlang/VSN" where VSN is the ssh
916 application version number.
917 The value random will cause a random string to be created at
919 each connection attempt. This is to make it a bit more difficult
920 for a malicious peer to find the ssh software brand and version.
921 The value {random, Nmin, Nmax} will make a random string with at
923 least Nmin characters and at most Nmax characters.
924 preferred_algorithms_common_option() =
926 {preferred_algorithms, algs_list()}
927 algs_list() = [alg_entry()]
929 alg_entry() =
931 {kex, [kex_alg()]} |
932 {public_key, [pubkey_alg()]} |
933 {cipher, double_algs(cipher_alg())} |
934 {mac, double_algs(mac_alg())} |
935 {compression, double_algs(compression_alg())}
936 kex_alg() =
938 'diffie-hellman-group-exchange-sha1' |
939 'diffie-hellman-group-exchange-sha256' |
940 'diffie-hellman-group1-sha1' | 'diffie-hellman-group14-sha1' |
941 'diffie-hellman-group14-sha256' |
942 'diffie-hellman-group16-sha512' |
943 'diffie-hellman-group18-sha512' | 'curve25519-sha256' |
944 'curve25519-sha256@libssh.org' | 'curve448-sha512' |
945 'ecdh-sha2-nistp256' | 'ecdh-sha2-nistp384' |
946 'ecdh-sha2-nistp521'
947 pubkey_alg() =
949 'ecdsa-sha2-nistp256' | 'ecdsa-sha2-nistp384' |
950 'ecdsa-sha2-nistp521' | 'ssh-ed25519' | 'ssh-ed448' |
951 'rsa-sha2-256' | 'rsa-sha2-512' | 'ssh-dss' | 'ssh-rsa'
952 cipher_alg() =
954 '3des-cbc' | 'AEAD_AES_128_GCM' | 'AEAD_AES_256_GCM' |
955 'aes128-cbc' | 'aes128-ctr' | 'aes128-gcm@openssh.com' |
956 'aes192-ctr' | 'aes192-cbc' | 'aes256-cbc' | 'aes256-ctr' |
957 'aes256-gcm@openssh.com' | 'chacha20-poly1305@openssh.com'
958 mac_alg() =
960 'AEAD_AES_128_GCM' | 'AEAD_AES_256_GCM' | 'hmac-sha1' |
961 'hmac-sha1-etm@openssh.com' | 'hmac-sha1-96' |
962 'hmac-sha2-256' | 'hmac-sha2-512' |
963 'hmac-sha2-256-etm@openssh.com' |
964 'hmac-sha2-512-etm@openssh.com'
965 compression_alg() = none | zlib | 'zlib@openssh.com'
967 double_algs(AlgType) =
969 [{client2server, [AlgType]} | {server2client, [AlgType]}] |
970 [AlgType]
971 List of algorithms to use in the algorithm negotiation. The de‐
973 fault algs_list() can be obtained from default_algorithms/0.
974 If an alg_entry() is missing in the algs_list(), the default
976 value is used for that entry.
977 Here is an example of this option:
979 {preferred_algorithms,
981 [{public_key,['ssh-rsa','ssh-dss']},
982 {cipher,[{client2server,['aes128-ctr']},
983 {server2client,['aes128-cbc','3des-cbc']}]},
984 {mac,['hmac-sha2-256','hmac-sha1']},
985 {compression,[none,zlib]}
986 ]
987 }
988 The example specifies different algorithms in the two directions
991 (client2server and server2client), for cipher but specifies the
992 same algorithms for mac and compression in both directions. The
993 kex (key exchange) is implicit but public_key is set explicitly.
994 For background and more examples see the User's Guide.
996 If an algorithm name occurs more than once in a list, the behav‐
998 iour is undefined. The tags in the property lists are also as‐
999 sumed to occur at most one time.
1000 Warning:
1002 Changing the values can make a connection less secure. Do not
1003 change unless you know exactly what you are doing. If you do not
1004 understand the values then you are not supposed to change them.
1005 modify_algorithms_common_option() =
1008 {modify_algorithms, modify_algs_list()}
1009 modify_algs_list() =
1011 [{append, algs_list()} |
1012 {prepend, algs_list()} |
1013 {rm, algs_list()}]
1014 Modifies the list of algorithms to use in the algorithm negotia‐
1016 tion. The modifications are applied after the option pre‐
1017 ferred_algorithms (if existing) is applied.
1018 The algoritm for modifications works like this:
1020 * Input is the modify_algs_list() and a set of algorithms A
1022 obtained from the preferred_algorithms option if existing,
1023 or else from the ssh:default_algorithms/0.
1024 * The head of the modify_algs_list() modifies A giving the re‐
1026 sult A'.
1027 The possible modifications are:
1029 * Append or prepend supported but not enabled algorithm(s)
1031 to the list of algorithms. If the wanted algorithms al‐
1032 ready are in A they will first be removed and then ap‐
1033 pended or prepended,
1034 * Remove (rm) one or more algorithms from A.
1036 * Repeat the modification step with the tail of mod‐
1038 ify_algs_list() and the resulting A'.
1039 If an unsupported algorithm is in the modify_algs_list(), it
1041 will be silently ignored
1042 If there are more than one modify_algorithms options, the result
1044 is undefined.
1045 Here is an example of this option:
1047 {modify_algorithms,
1049 [{prepend, [{kex, ['diffie-hellman-group1-sha1']}],
1050 {rm, [{compression, [none]}]}
1051 ]
1052 }
1053 The example specifies that:
1056 * the old key exchange algorithm 'diffie-hellman-group1-sha1'
1058 should be the main alternative. It will be the main alterna‐
1059 tive since it is prepened to the list
1060 * The compression algorithm none (= no compression) is removed
1062 so compression is enforced
1063 For background and more examples see the User's Guide.
1065 inet_common_option() = {inet, inet | inet6}
1067 IP version to use when the host address is specified as any.
1069 auth_methods_common_option() = {auth_methods, string()}
1071 Comma-separated string that determines which authentication
1073 methods that the client shall support and in which order they
1074 are tried. Defaults to "publickey,keyboard-interactive,password"
1075 Note that the client is free to use any order and to exclude
1077 methods.
1078 fd_common_option() = {fd, gen_tcp:socket()}
1080 Allows an existing file-descriptor to be used (passed on to the
1082 transport protocol).
1083 Other data types
1085 host() = string() | inet:ip_address() | loopback
1086 ip_port() = {inet:ip_address(), inet:port_number()}
1088 mod_args() = {Module :: atom(), Args :: list()}
1090 mod_fun_args() =
1092 {Module :: atom(), Function :: atom(), Args :: list()}
1093 open_socket() = gen_tcp:socket()
1095 The socket is supposed to be result of a gen_tcp:connect or a
1097 gen_tcp:accept. The socket must be in passive mode (that is,
1098 opened with the option {active,false}).
1099 daemon_ref()
1101 Opaque data type representing a daemon.
1103 Returned by the functions daemon/1,2,3.
1105 connection_ref()
1107 Opaque data type representing a connection between a client and
1109 a server (daemon).
1110 Returned by the functions connect/2,3,4 and ssh_sftp:start_chan‐
1112 nel/2,3.
1113 channel_id()
1115 Opaque data type representing a channel inside a connection.
1117 Returned by the functions ssh_connection:session_channel/2,4.
1119 connection_info_tuple() =
1121 {client_version, version()} |
1122 {server_version, version()} |
1123 {user, string()} |
1124 {peer, {inet:hostname(), ip_port()}} |
1125 {sockname, ip_port()} |
1126 {options, client_options()} |
1127 {algorithms, conn_info_algs()} |
1128 {channels, conn_info_channels()}
1129 version() = {protocol_version(), software_version()}
1131 protocol_version() =
1133 {Major :: integer() >= 1, Minor :: integer() >= 0}
1134 software_version() = string()
1136 conn_info_algs() =
1138 [{kex, kex_alg()} |
1139 {hkey, pubkey_alg()} |
1140 {encrypt, cipher_alg()} |
1141 {decrypt, cipher_alg()} |
1142 {send_mac, mac_alg()} |
1143 {recv_mac, mac_alg()} |
1144 {compress, compression_alg()} |
1145 {decompress, compression_alg()} |
1146 {send_ext_info, boolean()} |
1147 {recv_ext_info, boolean()}]
1148 conn_info_channels() = [proplists:proplist()]
1150 Return values from the connection_info/1 and connection_info/2
1152 functions.
1153 In the option info tuple are only the options included that dif‐
1155 fers from the default values.
1156 daemon_info_tuple() =
1158 {port, inet:port_number()} |
1159 {ip, inet:ip_address()} |
1160 {profile, atom()} |
1161 {options, daemon_options()}
1162 Return values from the daemon_info/1 and daemon_info/2 func‐
1164 tions.
1165 In the option info tuple are only the options included that dif‐
1167 fers from the default values.
1168 opaque_client_options()
1170 opaque_daemon_options()
1172 opaque_common_options()
1174 Opaque types that define experimental options that are not to be
1176 used in products.
1177
1179 close(ConnectionRef) -> ok | {error, term()}
1180 Types:
1182 ConnectionRef = connection_ref()
1184 Closes an SSH connection.
1186 connect(Host, Port, Options) -> Result
1188 connect(Host, Port, Options, NegotiationTimeout) -> Result
1189 connect(TcpSocket, Options) -> Result
1190 connect(TcpSocket, Options, NegotiationTimeout) -> Result
1191 Types:
1193 Host = host()
1195 Port = inet:port_number()
1196 Options = client_options()
1197 TcpSocket = open_socket()
1198 NegotiationTimeout = timeout()
1199 Result = {ok, connection_ref()} | {error, term()}
1200 Connects to an SSH server at the Host on Port.
1202 As an alternative, an already open TCP socket could be passed to
1204 the function in TcpSocket. The SSH initiation and negotiation
1205 will be initiated on that one with the SSH that should be at the
1206 other end.
1207 No channel is started. This is done by calling ssh_connec‐
1209 tion:session_channel/[2, 4].
1210 The NegotiationTimeout is in milli-seconds. The default value is
1212 infinity or the value of the connect_timeout option, if present.
1213 For connection timeout, use the option connect_timeout.
1214 connection_info(ConnectionRef) -> InfoTupleList
1216 connection_info(ConnectionRef, Key :: ItemList | Item) ->
1218 InfoTupleList | InfoTuple
1219 Types:
1221 ConnectionRef = connection_ref()
1223 ItemList = [Item]
1224 Item =
1225 client_version | server_version | user | peer | sockname
1226 |
1227 options | algorithms | sockname
1228 InfoTupleList = [InfoTuple]
1229 InfoTuple = connection_info_tuple()
1230 Returns information about a connection intended for e.g debug‐
1232 ging or logging.
1233 When the Key is a single Item, the result is a single InfoTuple
1235 set_sock_opts(ConnectionRef, SocketOptions) ->
1237 ok | {error, inet:posix()}
1238 Types:
1240 ConnectionRef = connection_ref()
1242 SocketOptions = [gen_tcp:option()]
1243 Sets tcp socket options on the tcp-socket below an ssh connec‐
1245 tion.
1246 This function calls the inet:setopts/2, read that documentation
1248 and for gen_tcp:option().
1249 All gen_tcp socket options except
1251 * active
1253 * deliver
1255 * mode and
1257 * packet
1259 are allowed. The excluded options are reserved by the SSH appli‐
1261 cation.
1262 Warning:
1264 This is an extremly dangerous function. You use it on your own
1265 risk.
1266 Some options are OS and OS version dependent. Do not use it un‐
1268 less you know what effect your option values will have on an TCP
1269 stream.
1270 Some values may destroy the functionality of the SSH protocol.
1272 get_sock_opts(ConnectionRef, SocketGetOptions) ->
1275 ok | {error, inet:posix()}
1276 Types:
1278 ConnectionRef = connection_ref()
1280 SocketGetOptions = [gen_tcp:option_name()]
1281 Get tcp socket option values of the tcp-socket below an ssh con‐
1283 nection.
1284 This function calls the inet:getopts/2, read that documentation.
1286 daemon(Port | TcpSocket) -> Result
1288 daemon(Port | TcpSocket, Options) -> Result
1289 daemon(HostAddress, Port, Options) -> Result
1290 Types:
1292 Port = integer()
1294 TcpSocket = open_socket()
1295 Options = daemon_options()
1296 HostAddress = host() | any
1297 Result = {ok, daemon_ref()} | {error, atom()}
1298 Starts a server listening for SSH connections on the given port.
1300 If the Port is 0, a random free port is selected. See dae‐
1301 mon_info/1 about how to find the selected port number.
1302 As an alternative, an already open TCP socket could be passed to
1304 the function in TcpSocket. The SSH initiation and negotiation
1305 will be initiated on that one when an SSH starts at the other
1306 end of the TCP socket.
1307 For a description of the options, see Daemon Options.
1309 Please note that by historical reasons both the HostAddress ar‐
1311 gument and the gen_tcp connect_option() {ip,Address} set the
1312 listening address. This is a source of possible inconsistent
1313 settings.
1314 The rules for handling the two address passing options are:
1316 * if HostAddress is an IP-address, that IP-address is the lis‐
1318 tening address. An 'ip'-option will be discarded if present.
1319 * if HostAddress is the atom loopback, the listening address
1321 is loopback and an loopback address will be choosen by the
1322 underlying layers. An 'ip'-option will be discarded if
1323 present.
1324 * if HostAddress is the atom any and no 'ip'-option is
1326 present, the listening address is any and the socket will
1327 listen to all addresses
1328 * if HostAddress is any and an 'ip'-option is present, the
1330 listening address is set to the value of the 'ip'-option
1331 daemon_info(DaemonRef) ->
1333 {ok, InfoTupleList} | {error, bad_daemon_ref}
1334 daemon_info(DaemonRef, Key :: ItemList | Item) ->
1336 InfoTupleList | InfoTuple | {error, bad_daemon_ref}
1337 Types:
1339 DaemonRef = daemon_ref()
1341 ItemList = [Item]
1342 Item = ip | port | profile | options
1343 InfoTupleList = [InfoTuple]
1344 InfoTuple = daemon_info_tuple()
1345 Returns information about a daemon intended for e.g debugging or
1347 logging.
1348 When the Key is a single Item, the result is a single InfoTuple
1350 Note that daemon_info/1 and daemon_info/2 returns different
1352 types due to compatibility reasons.
1353 default_algorithms() -> algs_list()
1355 Returns a key-value list, where the keys are the different types
1357 of algorithms and the values are the algorithms themselves.
1358 See the User's Guide for an example.
1360 shell(Host | TcpSocket) -> Result
1362 shell(Host | TcpSocket, Options) -> Result
1363 shell(Host, Port, Options) -> Result
1364 Types:
1366 Host = host()
1368 TcpSocket = open_socket()
1369 Port = inet:port_number()
1370 Options = client_options()
1371 Result = ok | {error, Reason::term()}
1372 Connects to an SSH server at Host and Port (defaults to 22) and
1374 starts an interactive shell on that remote host.
1375 As an alternative, an already open TCP socket could be passed to
1377 the function in TcpSocket. The SSH initiation and negotiation
1378 will be initiated on that one and finaly a shell will be started
1379 on the host at the other end of the TCP socket.
1380 For a description of the options, see Client Options.
1382 The function waits for user input, and does not return until the
1384 remote shell is ended (that is, exit from the shell).
1385 start() -> ok | {error, term()}
1387 start(Type) -> ok | {error, term()}
1389 Types:
1391 Type = permanent | transient | temporary
1393 Utility function that starts the applications crypto, pub‐
1395 lic_key, and ssh. Default type is temporary. For more informa‐
1396 tion, see the application(3) manual page in Kernel.
1397 stop() -> ok | {error, term()}
1399 Stops the ssh application. For more information, see the appli‐
1401 cation(3) manual page in Kernel.
1402 stop_daemon(DaemonRef :: daemon_ref()) -> ok
1404 stop_daemon(Address :: inet:ip_address(),
1406 Port :: inet:port_number()) ->
1407 ok
1408 stop_daemon(Address :: any | inet:ip_address(),
1410 Port :: inet:port_number(),
1411 Profile :: atom()) ->
1412 ok
1413 Stops the listener and all connections started by the listener.
1415 stop_listener(SysSup :: daemon_ref()) -> ok
1417 stop_listener(Address :: inet:ip_address(),
1419 Port :: inet:port_number()) ->
1420 ok
1421 stop_listener(Address :: any | inet:ip_address(),
1423 Port :: inet:port_number(),
1424 Profile :: term()) ->
1425 ok
1426 Stops the listener, but leaves existing connections started by
1428 the listener operational.
1429 tcpip_tunnel_from_server(ConnectionRef, ListenHost, ListenPort,
1431 ConnectToHost, ConnectToPort) ->
1432 {ok, TrueListenPort} | {error, term()}
1433 tcpip_tunnel_from_server(ConnectionRef, ListenHost, ListenPort,
1435 ConnectToHost, ConnectToPort, Timeout) ->
1436 {ok, TrueListenPort} | {error, term()}
1437 Types:
1439 ConnectionRef = connection_ref()
1441 ListenHost = host()
1442 ListenPort = inet:port_number()
1443 ConnectToHost = host()
1444 ConnectToPort = inet:port_number()
1445 Timeout = timeout()
1446 TrueListenPort = inet:port_number()
1447 Asks the remote server of ConnectionRef to listen to Listen‐
1449 Host:ListenPort. When someone connects that address, the connec‐
1450 tion is forwarded in an encrypted channel from the server to the
1451 client. The client (that is, at the node that calls this func‐
1452 tion) then connects to ConnectToHost:ConnectToPort.
1453 The returned TrueListenPort is the port that is listened to. It
1455 is the same as ListenPort, except when ListenPort = 0. In that
1456 case a free port is selected by the underlying OS.
1457 Note that in case of an Erlang/OTP SSH server (daemon) as peer,
1459 that server must have been started with the option tcpip_tun‐
1460 nel_out to allow the connection.
1461 tcpip_tunnel_to_server(ConnectionRef, ListenHost, ListenPort,
1463 ConnectToHost, ConnectToPort) ->
1464 {ok, TrueListenPort} | {error, term()}
1465 tcpip_tunnel_to_server(ConnectionRef, ListenHost, ListenPort,
1467 ConnectToHost, ConnectToPort, Timeout) ->
1468 {ok, TrueListenPort} | {error, term()}
1469 Types:
1471 ConnectionRef = connection_ref()
1473 ListenHost = host()
1474 ListenPort = inet:port_number()
1475 ConnectToHost = host()
1476 ConnectToPort = inet:port_number()
1477 Timeout = timeout()
1478 TrueListenPort = inet:port_number()
1479 Tells the local client to listen to ListenHost:ListenPort. When
1481 someone connects to that address, the connection is forwarded in
1482 an encrypted channel to the peer server of ConnectionRef. That
1483 server then connects to ConnectToHost:ConnectToPort.
1484 The returned TrueListenPort is the port that is listened to. It
1486 is the same as ListenPort, except when ListenPort = 0. In that
1487 case a free port is selected by the underlying OS.
1488 Note that in case of an Erlang/OTP SSH server (daemon) as peer,
1490 that server must have been started with the option tcpip_tun‐
1491 nel_in to allow the connection.
1492 hostkey_fingerprint(HostKey) -> string()
1494 hostkey_fingerprint(DigestType, HostKey) -> string()
1495 hostkey_fingerprint([DigestType], HostKey) -> [string()]
1496 Types:
1498 HostKey = public_key:public_key()
1500 DigestType = public_key:digest_type()
1501 Calculates a ssh fingerprint from a public host key as openssh
1503 does.
1504 The algorithm in hostkey_fingerprint/1 is md5 to be compatible
1506 with older ssh-keygen commands. The string from the second vari‐
1507 ant is prepended by the algorithm name in uppercase as in newer
1508 ssh-keygen commands.
1509 Examples:
1511 2> ssh:hostkey_fingerprint(Key).
1513 "f5:64:a6:c1:5a:cb:9f:0a:10:46:a2:5c:3e:2f:57:84"
1514 3> ssh:hostkey_fingerprint(md5,Key).
1516 "MD5:f5:64:a6:c1:5a:cb:9f:0a:10:46:a2:5c:3e:2f:57:84"
1517 4> ssh:hostkey_fingerprint(sha,Key).
1519 "SHA1:bSLY/C4QXLDL/Iwmhyg0PGW9UbY"
1520 5> ssh:hostkey_fingerprint(sha256,Key).
1522 "SHA256:aZGXhabfbf4oxglxltItWeHU7ub3Dc31NcNw2cMJePQ"
1523 6> ssh:hostkey_fingerprint([sha,sha256],Key).
1525 ["SHA1:bSLY/C4QXLDL/Iwmhyg0PGW9UbY",
1526 "SHA256:aZGXhabfbf4oxglxltItWeHU7ub3Dc31NcNw2cMJePQ"]
1527Ericsson AB ssh 4.13.2.1 ssh(3)