1ssh_file(3) Erlang Module Definition ssh_file(3)
2
6 ssh_file - Default callback module for the client's and server's data‐
7 base operations in the ssh application
8
10 This module is the default callback handler for the client's and the
11 server's user and host "database" operations. All data, for instance
12 key pairs, are stored in files in the normal file system. This page
13 documents the files, where they are stored and configuration options
14 for this callback module.
15 The intention is to be compatible with the OpenSSH storage in files.
17 Therefore it mimics directories and filenames of OpenSSH.
18 Ssh_file implements the ssh_server_key_api and the ssh_client_key_api.
20 This enables the user to make an own interface using for example a
21 database handler.
22 Such another callback module could be used by setting the option key_cb
24 when starting a client or a server (with for example ssh:connect,
25 ssh:daemon of ssh:shell ).
26 Note:
28 The functions are Callbacks for the SSH app. They are not intended to
29 be called from the user's code!
30
33 Daemons
34 Daemons uses all files stored in the SYSDIR directory.
35 Optionaly, in case of publickey authorization, one or more of the re‐
37 mote user's public keys in the USERDIR directory are used. See the
38 files USERDIR/authorized_keys and USERDIR/authorized_keys2.
39 Clients
41 Clients uses all files stored in the USERDIR directory.
42 Directory contents
44 LOCALUSER:
45 The user name of the OS process running the Erlang virtual machine
46 (emulator).
47 SYSDIR:
49 This is the directory holding the server's files:
50 * ssh_host_dsa_key - private dss host key (optional)
52 * ssh_host_rsa_key - private rsa host key (optional)
54 * ssh_host_ecdsa_key - private ecdsa host key (optional)
56 * ssh_host_ed25519_key - private eddsa host key for curve 25519
58 (optional)
59 * ssh_host_ed448_key - private eddsa host key for curve 448 (op‐
61 tional)
62 The key files could be generated with OpenSSH's ssh-keygen command.
64 At least one host key must be defined. The default value of SYSDIR
66 is /etc/ssh.
67 For security reasons, this directory is normally accessible only to
69 the root user.
70 To change the SYSDIR, see the system_dir option.
72 USERDIR:
74 This is the directory holding the files:
75 * authorized_keys and, as second alternative authorized_keys2 - the
77 user's public keys are stored concatenated in one of those files.
78 It is composed of lines as for OpenSSH:
80 (options)? keytype base64-encoded-key comment
82 where
84 options :: option(,option)*
86 option :: % All options are skipped
87 keytype :: 'ssh-dsa'
88 | 'ssh-rsa'
89 | 'ssh-ecdsa-nistp256'
90 | 'ssh-ecdsa-nistp384'
91 | 'ssh-ecdsa-nistp521'
92 | 'ssh-ed25519'
93 | 'ssh-ed448'
94 base64-encoded-key :: % The user's public key
95 comment :: % Comments are skipped
96 * known_hosts - host keys from hosts visited concatenated. The file
99 is created and used by the client.
100 It is composed of lines as for OpenSSH:
102 (option)? pattern(,pattern)* keytype key (comment)?
104 where
106 option :: '@revoked'
108 pattern :: host | '[' host ']:' port
109 host :: ip-address | hostname | '*'
110 port :: portnumber | '*'
111 keytype :: 'ssh-dsa'
112 | 'ssh-rsa'
113 | 'ssh-ecdsa-nistp256'
114 | 'ssh-ecdsa-nistp384'
115 | 'ssh-ecdsa-nistp521'
116 | 'ssh-ed25519'
117 | 'ssh-ed448'
118 key :: % encoded key from eg ssh_host_*.pub
119 * id_dsa - private dss user key (optional)
122 * id_rsa - private rsa user key (optional)
124 * id_ecdsa - private ecdsa user key (optional)
126 * id_ed25519 - private eddsa user key for curve 25519 (optional)
128 * id_ed448 - private eddsa user key for curve 448 (optional)
130 The key files could be generated with OpenSSH's ssh-keygen command.
132 The default value of USERDIR is /home/LOCALUSER/.ssh.
134 To change the USERDIR, see the user_dir option
136
138 Options for the default ssh_file callback module
139 user_dir_common_option() = {user_dir, string()}
140 Sets the user directory.
142 user_dir_fun_common_option() = {user_dir_fun, user2dir()}
144 user2dir() =
146 fun((RemoteUserName :: string()) -> UserDir :: string())
147 Sets the user directory dynamically by evaluating the user2dir
149 function.
150 system_dir_daemon_option() = {system_dir, string()}
152 Sets the system directory.
154 pubkey_passphrase_client_options() =
156 {dsa_pass_phrase, string()} |
157 {rsa_pass_phrase, string()} |
158 {ecdsa_pass_phrase, string()}
159 If the user's DSA, RSA or ECDSA key is protected by a
161 passphrase, it can be supplied with thoose options.
162 Note that EdDSA passhrases (Curves 25519 and 448) are not imple‐
164 mented.
165 optimize_key_lookup() = {optimize, time | space}
167 Make the handling of large files fast by setting time, but this
169 will use more memory. The space variant shrinks the memory re‐
170 quirements, but with a higher time consumption.
171 To set it, set the option {key_cb, {ssh_file, [{optimize,Time‐
173 OrSpace}]} in the call of "ssh:connect/3, ssh:daemon/2 or simi‐
174 lar function call that initiates an ssh connection.
175 key() = public_key:public_key() | public_key:private_key()
177 The key representation.
179 experimental_openssh_key_v1() =
181 [{key() |
182 {ed_pri, ed25519 | ed448, Pub :: binary(), Priv :: binary()} |
183 {ed_pub, ed25519 | ed448, Key :: binary()},
184 openssh_key_v1_attributes()}]
185 openssh_key_v1_attributes() = [{atom(), term()}]
187 Types for the experimental implementaition of the openssh_key_v1
189 format. The #ECPoint{} and ECPrivateKey{} are not used for Ed‐
190 wards curves (ed25519 and ed448), but will be in next major re‐
191 lease.
192
194 host_key(Algorithm, Options) -> Result
195 Types:
197 Algorithm = ssh:pubkey_alg()
199 Result = {ok, public_key:private_key()} | {error, term()}
200 Options = ssh_server_key_api:daemon_key_cb_options(none())
201 Types and description
203 See the api description in ssh_server_key_api, Mod‐
205 ule:host_key/2.
206 Options
208 * system_dir
210 Files
212 * SYSDIR/ssh_host_rsa_key
214 * SYSDIR/ssh_host_dsa_key
216 * SYSDIR/ssh_host_ecdsa_key
218 * SYSDIR/ssh_host_ed25519_key
220 * SYSDIR/ssh_host_ed448_keyc>
222 is_auth_key(Key, User, Options) -> boolean()
224 Types:
226 Key = public_key:public_key()
228 User = string()
229 Options =
230 ssh_server_key_api:daemon_key_cb_options(opti‐
231 mize_key_lookup())
232 Types and description
234 See the api description in ssh_server_key_api: Mod‐
236 ule:is_auth_key/3.
237 Options
239 * user_dir_fun
241 * user_dir
243 Files
245 * USERDIR/authorized_keys
247 * USERDIR/authorized_keys2
249 This functions discards all options in the begining of the lines
251 of thoose files when reading them.
252 add_host_key(Host, Port, Key, Options) -> Result
254 Types:
256 Host =
258 inet:ip_address() |
259 inet:hostname() |
260 [inet:ip_address() | inet:hostname()]
261 Port = inet:port_number()
262 Key = public_key:public_key()
263 Options = ssh_client_key_api:client_key_cb_options(none())
264 Result = ok | {error, term()}
265 Types and description
267 See the api description in ssh_client_key_api, Mod‐
269 ule:add_host_key/4.
270 Note that the alternative, the old Module:add_host_key/3 is no
272 longer supported by ssh_file.
273 Option
275 * user_dir
277 File
279 * USERDIR/known_hosts
281 is_host_key(Key, Host, Port, Algorithm, Options) -> Result
283 Types:
285 Key = public_key:public_key()
287 Host =
288 inet:ip_address() |
289 inet:hostname() |
290 [inet:ip_address() | inet:hostname()]
291 Port = inet:port_number()
292 Algorithm = ssh:pubkey_alg()
293 Options =
294 ssh_client_key_api:client_key_cb_options(opti‐
295 mize_key_lookup())
296 Result = boolean() | {error, term()}
297 Types and description
299 See the api description in ssh_client_key_api, Mod‐
301 ule:is_host_key/5.
302 Note that the alternative, the old Module:is_host_key/4 is no
304 longer supported by ssh_file.
305 Option
307 * user_dir
309 File
311 * USERDIR/known_hosts
313 user_key(Algorithm, Options) -> Result
315 Types:
317 Algorithm = ssh:pubkey_alg()
319 Result = {ok, public_key:private_key()} | {error, string()}
320 Options = ssh_client_key_api:client_key_cb_options(none())
321 Types and description
323 See the api description in ssh_client_key_api, Mod‐
325 ule:user_key/2.
326 Options
328 * user_dir
330 * dsa_pass_phrase
332 * rsa_pass_phrase
334 * ecdsa_pass_phrase
336 Note that EdDSA passhrases (Curves 25519 and 448) are not imple‐
338 mented.
339 Files
341 * USERDIR/id_dsa
343 * USERDIR/id_rsa
345 * USERDIR/id_ecdsa
347 * USERDIR/id_ed25519
349 * USERDIR/id_ed448
351 decode(SshBin, Type) -> Decoded | {error, term()}
353 Types:
355 SshBin = binary()
357 Type =
358 ssh2_pubkey | public_key | openssh_key | rfc4716_key |
359 openssh_key_v1 | known_hosts | auth_keys
360 Decoded =
361 Decoded_ssh2_pubkey | Decoded_public | Decoded_openssh |
362 Decoded_rfc4716 | Decoded_openssh_key_v1 |
363 Decoded_known_hosts | Decoded_auth_keys
364 Decoded_ssh2_pubkey = public_key:public_key()
365 Decoded_public =
366 Decoded_rfc4716 | Decoded_openssh_key_v1 | De‐
367 coded_openssh
368 Decoded_openssh =
369 [{public_key:public_key(), [{comment, string()}]}]
370 Decoded_rfc4716 = [{key(), [{headers, Attrs}]}]
371 Decoded_openssh_key_v1 = experimental_openssh_key_v1()
372 Decoded_known_hosts =
373 [{public_key:public_key(),
374 [{comment, string()} | {hostnames, [string()]}]}]
375 Decoded_auth_keys =
376 [{public_key:public_key(),
377 [{comment, string()} | {options, [string()]}]}]
378 Attrs = {Key :: string(), Value :: string()}
379 Decodes an SSH file-binary.
381 If Type is public_key the binary can be either an RFC4716 public
383 key or an OpenSSH public key.
384 Note:
386 The following key types have been renamed from the deprecated
387 public_key:ssh_decode/2:
388 * rfc4716_public_key -> rfc4716_key
390 * openssh_public_key -> openssh_key
392 Note:
394 The implementation of the openssh_key_v1 format is still experi‐
395 mental.
396 encode(InData, Type) -> binary() | {error, term()}
399 Types:
401 Type =
403 ssh2_pubkey | openssh_key | rfc4716_key | openssh_key_v1
404 |
405 known_hosts | auth_keys
406 InData =
407 InData_ssh2_pubkey | InData_openssh | InData_rfc4716 |
408 InData_openssh_key_v1 | InData_known_hosts | In‐
409 Data_auth_keys
410 InData_ssh2_pubkey = public_key:public_key()
411 InData_openssh =
412 [{public_key:public_key(), [{comment, string()}]}]
413 InData_rfc4716 = [{key(), [{headers, Attrs}]}]
414 InData_openssh_key_v1 = experimental_openssh_key_v1()
415 InData_known_hosts =
416 [{public_key:public_key(),
417 [{comment, string()} | {hostnames, [string()]}]}]
418 InData_auth_keys =
419 [{public_key:public_key(),
420 [{comment, string()} | {options, [string()]}]}]
421 Attrs = {Key :: string(), Value :: string()}
422 Encodes a list of SSH file entries (public keys and attributes)
424 to a binary.
425 Note:
427 The following key types have been renamed from the deprecated
428 public_key:ssh_encode/2:
429 * rfc4716_public_key -> rfc4716_key
431 * openssh_public_key -> openssh_key
433 Note:
435 The implementation of the openssh_key_v1 format is still experi‐
436 mental.
437Ericsson AB ssh 4.13.2.1 ssh_file(3)