1ssh(3) Erlang Module Definition ssh(3)
2
3
4
6 ssh - Main API of the ssh application
7
9 This is the interface module for the SSH application. The Secure Shell
10 (SSH) Protocol is a protocol for secure remote login and other secure
11 network services over an insecure network. See ssh(6) for details of
12 supported RFCs, versions, algorithms and unicode handling.
13
14 With the SSH application it is possible to start clients and to start
15 daemons (servers).
16
17 Clients are started with connect/2, connect/3 or connect/4. They open
18 an encrypted connection on top of TCP/IP. In that encrypted connection
19 one or more channels could be opened with ssh_connection:session_chan‐
20 nel/2,4.
21
22 Each channel is an isolated "pipe" between a client-side process and a
23 server-side process. Those process pairs could handle for example file
24 transfers (sftp) or remote command execution (shell, exec and/or cli).
25 If a custom shell is implemented, the user of the client could execute
26 the special commands remotely. Note that the user is not necessarily a
27 human but probably a system interfacing the SSH app.
28
29 A server-side subssystem (channel) server is requested by the client
30 with ssh_connection:subsystem/4.
31
32 A server (daemon) is started with daemon/1, daemon/2 or daemon/3. Pos‐
33 sible channel handlers (subsystems) are declared with the subsystem op‐
34 tion when the daemon is started.
35
36 To just run a shell on a remote machine, there are functions that bun‐
37 dles the needed three steps needed into one: shell/1,2,3. Similarly, to
38 just open an sftp (file transfer) connection to a remote machine, the
39 simplest way is to use ssh_sftp:start_channel/1,2,3.
40
41 To write your own client channel handler, use the behaviour
42 ssh_client_channel. For server channel handlers use ssh_server_channel
43 behaviour (replaces ssh_daemon_channel).
44
45 Both clients and daemons accepts options that controls the exact behav‐
46 iour. Some options are common to both. The three sets are called Client
47 Options, Daemon Options and Common Options.
48
49 The descriptions of the options uses the Erlang Type Language with ex‐
50 plaining text.
51
52 Note:
53 The User's Guide has examples and a Getting Started section.
54
55
57 A number of objects must be present for the SSH application to work.
58 Those objects are per default stored in files. The default names, paths
59 and file formats are the same as for OpenSSH. Keys could be generated
60 with the ssh-keygen program from OpenSSH. See the User's Guide.
61
62 The paths could easily be changed by options: user_dir and system_dir.
63
64 A completely different storage could be interfaced by writing call-back
65 modules using the behaviours ssh_client_key_api and/or
66 ssh_server_key_api. A callback module is installed with the option
67 key_cb to the client and/or the daemon.
68
69 Daemons
70 The keys are by default stored in files:
71
72 * Mandatory: one or more Host key(s) , both private and public. De‐
73 fault is to store them in the directory /etc/ssh in the files
74
75 * ssh_host_dsa_key and ssh_host_dsa_key.pub
76
77 * ssh_host_rsa_key and ssh_host_rsa_key.pub
78
79 * ssh_host_ecdsa_key and ssh_host_ecdsa_key.pub
80
81 The host keys directory could be changed with the option sys‐
82 tem_dir.
83
84 * Optional: one or more User's public key in case of publickey au‐
85 thorization. Default is to store them concatenated in the file
86 .ssh/authorized_keys in the user's home directory.
87
88 The user keys directory could be changed with the option user_dir.
89
90 Clients
91 The keys and some other data are by default stored in files in the di‐
92 rectory .ssh in the user's home directory.
93
94 The directory could be changed with the option user_dir.
95
96 * Optional: a list of Host public key(s) for previously connected
97 hosts. This list is handled by the SSH application without any need
98 of user assistance. The default is to store them in the file
99 known_hosts.
100
101 The host_accepting_client_options() are associated with this list
102 of keys.
103
104 * Optional: one or more User's private key(s) in case of publickey
105 authorization. The default files are
106
107 * id_dsa and id_dsa.pub
108
109 * id_rsa and id_rsa.pub
110
111 * id_ecdsa and id_ecdsa.pub
112
114 Client Options
115 client_options() = [client_option()]
116
117 client_option() =
118 ssh_file:pubkey_passphrase_client_options() |
119 host_accepting_client_options() |
120 authentication_client_options() |
121 diffie_hellman_group_exchange_client_option() |
122 connect_timeout_client_option() |
123 recv_ext_info_client_option() |
124 opaque_client_options() |
125 gen_tcp:connect_option() |
126 common_option()
127
128 Options for clients. The individual options are further ex‐
129 plained below or by following the hyperlinks.
130
131 Note that not every gen_tcp:connect_option() is accepted. See
132 set_sock_opts/2 for a list of prohibited options.
133
134 Also note that setting a gen_tcp:connect_option() could change
135 the socket in a way that impacts the ssh client's behaviour neg‐
136 atively. You use it on your own risk.
137
138 host_accepting_client_options() =
139 {silently_accept_hosts, accept_hosts()} |
140 {user_interaction, boolean()} |
141 {save_accepted_host, boolean()} |
142 {quiet_mode, boolean()}
143
144 accept_hosts() =
145 boolean() |
146 accept_callback() |
147 {HashAlgoSpec :: fp_digest_alg(), accept_callback()}
148
149 fp_digest_alg() = md5 | crypto:sha1() | crypto:sha2()
150
151 accept_callback() =
152 fun((PeerName :: string(), fingerprint()) -> boolean()) |
153 fun((PeerName :: string(),
154 Port :: inet:port_number(),
155 fingerprint()) ->
156 boolean())
157
158 fingerprint() = string() | [string()]
159
160 silently_accept_hosts:
161 This option guides the connect function on how to act when
162 the connected server presents a Host Key that the client has
163 not seen before. The default is to ask the user with a ques‐
164 tion on stdio of whether to accept or reject the new Host
165 Key. See the option user_dir for specifying the path to the
166 file known_hosts where previously accepted Host Keys are
167 recorded. See also the option key_cb for the general way to
168 handle keys.
169
170 The option can be given in three different forms as seen
171 above:
172
173 * The value is a boolean(). The value true will make the
174 client accept any unknown Host Key without any user inter‐
175 action. The value false preserves the default behaviour of
176 asking the user on stdio.
177
178 * An accept_callback() will be called and the boolean return
179 value true will make the client accept the Host Key. A re‐
180 turn value of false will make the client to reject the
181 Host Key and as a result the connection will be closed.
182 The arguments to the fun are:
183
184 * PeerName - a string with the name or address of the re‐
185 mote host.
186
187 * FingerPrint - the fingerprint of the Host Key as
188 hostkey_fingerprint/1 calculates it.
189
190 * A tuple {HashAlgoSpec, accept_callback}. The HashAlgoSpec
191 specifies which hash algorithm shall be used to calculate
192 the fingerprint used in the call of the accept_callback().
193 The HashALgoSpec is either an atom or a list of atoms as
194 the first argument in hostkey_fingerprint/2. If it is a
195 list of hash algorithm names, the FingerPrint argument in
196 the accept_callback() will be a list of fingerprints in
197 the same order as the corresponding name in the HashAlgo‐
198 Spec list.
199
200 user_interaction:
201 If false, disables the client to connect to the server if
202 any user interaction is needed, such as accepting the server
203 to be added to the known_hosts file, or supplying a pass‐
204 word.
205
206 Even if user interaction is allowed it can be suppressed by
207 other options, such as silently_accept_hosts and password.
208 However, those options are not always desirable to use from
209 a security point of view.
210
211 Defaults to true.
212
213 save_accepted_host:
214 If true, the client saves an accepted host key to avoid the
215 accept question the next time the same host is connected. If
216 the option key_cb is not present, the key is saved in the
217 file "known_hosts". See option user_dir for the location of
218 that file.
219
220 If false, the key is not saved and the key will still be un‐
221 known at the next access of the same host.
222
223 Defaults to true
224
225 quiet_mode:
226 If true, the client does not print anything on authoriza‐
227 tion.
228
229 Defaults to false
230
231 authentication_client_options() =
232 {user, string()} | {password, string()}
233
234 user:
235 Provides the username. If this option is not given, ssh
236 reads from the environment (LOGNAME or USER on UNIX, USER‐
237 NAME on Windows).
238
239 password:
240 Provides a password for password authentication. If this op‐
241 tion is not given, the user is asked for a password, if the
242 password authentication method is attempted.
243
244 diffie_hellman_group_exchange_client_option() =
245 {dh_gex_limits,
246 {Min :: integer() >= 1,
247 I :: integer() >= 1,
248 Max :: integer() >= 1}}
249
250 Sets the three diffie-hellman-group-exchange parameters that
251 guides the connected server in choosing a group. See RFC 4419
252 for the details. The default value is {1024, 6144, 8192}.
253
254 connect_timeout_client_option() = {connect_timeout, timeout()}
255
256 Sets a timeout on the transport layer connect time. For gen_tcp
257 the time is in milli-seconds and the default value is infinity.
258
259 See the parameter Timeout in connect/4 for a timeout of the ne‐
260 gotiation phase.
261
262 recv_ext_info_client_option() = {recv_ext_info, boolean()}
263
264 Make the client tell the server that the client accepts exten‐
265 sion negotiation, that is, include ext-info-c in the kexinit
266 message sent. See RFC 8308 for details and ssh(6) for a list of
267 currently implemented extensions.
268
269 Default value is true which is compatible with other implementa‐
270 tions not supporting ext-info.
271
272 Daemon Options (Server Options)
273 daemon_options() = [daemon_option()]
274
275 daemon_option() =
276 subsystem_daemon_option() |
277 shell_daemon_option() |
278 exec_daemon_option() |
279 ssh_cli_daemon_option() |
280 tcpip_tunnel_out_daemon_option() |
281 tcpip_tunnel_in_daemon_option() |
282 authentication_daemon_options() |
283 diffie_hellman_group_exchange_daemon_option() |
284 max_initial_idle_time_daemon_option() |
285 negotiation_timeout_daemon_option() |
286 hello_timeout_daemon_option() |
287 hardening_daemon_options() |
288 callbacks_daemon_options() |
289 send_ext_info_daemon_option() |
290 opaque_daemon_options() |
291 gen_tcp:listen_option() |
292 common_option()
293
294 Options for daemons. The individual options are further ex‐
295 plained below or by following the hyperlinks.
296
297 Note that not every gen_tcp:listen_option() is accepted. See
298 set_sock_opts/2 for a list of prohibited options.
299
300 Also note that setting a gen_tcp:listen_option() could change
301 the socket in a way that impacts the ssh deamon's behaviour neg‐
302 atively. You use it on your own risk.
303
304 subsystem_daemon_option() = {subsystems, subsystem_specs()}
305
306 subsystem_specs() = [subsystem_spec()]
307
308 subsystem_spec() = {Name :: string(), mod_args()}
309
310 Defines a subsystem in the daemon.
311
312 The subsystem_name is the name that a client requests to start
313 with for example ssh_connection:subsystem/4.
314
315 The channel_callback is the module that implements the
316 ssh_server_channel (replaces ssh_daemon_channel) behaviour in
317 the daemon. See the section Creating a Subsystem in the User's
318 Guide for more information and an example.
319
320 If the subsystems option is not present, the value of
321 ssh_sftpd:subsystem_spec([]) is used. This enables the sftp sub‐
322 system by default. The option can be set to the empty list if
323 you do not want the daemon to run any subsystems.
324
325 shell_daemon_option() = {shell, shell_spec()}
326
327 shell_spec() = mod_fun_args() | shell_fun() | disabled
328
329 shell_fun() = 'shell_fun/1'() | 'shell_fun/2'()
330
331 'shell_fun/1'() = fun((User :: string()) -> pid())
332
333 'shell_fun/2'() =
334 fun((User :: string(), PeerAddr :: inet:ip_address()) -> pid())
335
336 Defines the read-eval-print loop used in a daemon when a shell
337 is requested by the client. The default is to use the Erlang
338 shell: {shell, start, []}
339
340 See the option exec-option for a description of how the daemon
341 executes shell-requests and exec-requests depending on the
342 shell- and exec-options.
343
344 exec_daemon_option() = {exec, exec_spec()}
345
346 exec_spec() =
347 {direct, exec_fun()} | disabled | deprecated_exec_opt()
348
349 exec_fun() = 'exec_fun/1'() | 'exec_fun/2'() | 'exec_fun/3'()
350
351 'exec_fun/1'() = fun((Cmd :: string()) -> exec_result())
352
353 'exec_fun/2'() =
354 fun((Cmd :: string(), User :: string()) -> exec_result())
355
356 'exec_fun/3'() =
357 fun((Cmd :: string(),
358 User :: string(),
359 ClientAddr :: ip_port()) ->
360 exec_result())
361
362 exec_result() =
363 {ok, Result :: term()} | {error, Reason :: term()}
364
365 This option changes how the daemon executes exec-requests from
366 clients. The term in the return value is formatted to a string
367 if it is a non-string type. No trailing newline is added in the
368 ok-case.
369
370 See the User's Guide section on One-Time Execution for examples.
371
372 Error texts are returned on channel-type 1 which usually is
373 piped to stderr on e.g Linux systems. Texts from a successful
374 execution are returned on channel-type 0 and will in similar
375 manner be piped to stdout. The exit-status code is set to 0 for
376 success and 255 for errors. The exact results presented on the
377 client side depends on the client and the client's operating
378 system.
379
380 In case of the {direct, exec_fun()} variant or no exec-option at
381 all, all reads from standard_input will be from the received
382 data-events of type 0. Those are sent by the client. Similarly
383 all writes to standard_output will be sent as data-events to the
384 client. An OS shell client like the command 'ssh' will usually
385 use stdin and stdout for the user interface.
386
387 The option cooperates with the daemon-option shell in the fol‐
388 lowing way:
389
390 1. If neither the exec-option nor the shell-option is
391 present::
392 The default Erlang evaluator is used both for exec and shell
393 requests. The result is returned to the client.
394
395 2. If the exec_spec's value is disabled (the shell-option may
396 or may not be present)::
397 No exec-requests are executed but shell-requests are not af‐
398 fected, they follow the shell_spec's value.
399
400 3. If the exec-option is present and the exec_spec value =/=
401 disabled (the shell-option may or may not be present)::
402 The exec_spec fun() is called with the same number of param‐
403 eters as the arity of the fun, and the result is returned to
404 the client. Shell-requests are not affected, they follow the
405 shell_spec's value.
406
407 4. If the exec-option is absent, and the shell-option is
408 present with the default Erlang shell as the shell_spec's
409 value::
410 The default Erlang evaluator is used both for exec and shell
411 requests. The result is returned to the client.
412
413 5. If the exec-option is absent, and the shell-option is
414 present with a value that is neither the default Erlang shell
415 nor the value disabled::
416 The exec-request is not evaluated and an error message is
417 returned to the client. Shell-requests are executed accord‐
418 ing to the value of the shell_spec.
419
420 6. If the exec-option is absent, and the shell_spec's value is
421 disabled::
422 Exec requests are executed by the default shell, but shell-
423 requests are not executed.
424
425 If a custom CLI is installed (see the option ssh_cli) the rules
426 above are replaced by thoose implied by the custom CLI.
427
428 Note:
429 The exec-option has existed for a long time but has not previ‐
430 ously been documented. The old definition and behaviour are re‐
431 tained but obey the rules 1-6 above if conflicting. The old and
432 undocumented style should not be used in new programs.
433
434
435 deprecated_exec_opt() = function() | mod_fun_args()
436
437 Old-style exec specification that are kept for compatibility,
438 but should not be used in new programs
439
440 ssh_cli_daemon_option() = {ssh_cli, mod_args() | no_cli}
441
442 Provides your own CLI implementation in a daemon.
443
444 It is a channel callback module that implements a shell and com‐
445 mand execution. The shell's read-eval-print loop can be custom‐
446 ized, using the option shell. This means less work than imple‐
447 menting an own CLI channel. If ssh_cli is set to no_cli, the CLI
448 channels like shell and exec are disabled and only subsystem
449 channels are allowed.
450
451 authentication_daemon_options() =
452 ssh_file:system_dir_daemon_option() |
453 {auth_method_kb_interactive_data, prompt_texts()} |
454 {user_passwords, [{UserName :: string(), Pwd :: string()}]} |
455 {pk_check_user, boolean()} |
456 {password, string()} |
457 {pwdfun, pwdfun_2() | pwdfun_4()} |
458 {no_auth_needed, boolean()}
459
460 prompt_texts() =
461 kb_int_tuple() | kb_int_fun_3() | kb_int_fun_4()
462
463 kb_int_tuple() =
464 {Name :: string(),
465 Instruction :: string(),
466 Prompt :: string(),
467 Echo :: boolean()}
468
469 kb_int_fun_3() =
470 fun((Peer :: ip_port(), User :: string(), Service :: string()) ->
471 kb_int_tuple())
472
473 kb_int_fun_4() =
474 fun((Peer :: ip_port(),
475 User :: string(),
476 Service :: string(),
477 State :: any()) ->
478 kb_int_tuple())
479
480 pwdfun_2() =
481 fun((User :: string(), Password :: string() | pubkey) ->
482 boolean())
483
484 pwdfun_4() =
485 fun((User :: string(),
486 Password :: string() | pubkey,
487 PeerAddress :: ip_port(),
488 State :: any()) ->
489 boolean() |
490 disconnect |
491 {boolean(), NewState :: any()})
492
493 auth_method_kb_interactive_data:
494 Sets the text strings that the daemon sends to the client
495 for presentation to the user when using keyboard-interactive
496 authentication.
497
498 If the fun/3 or fun/4 is used, it is called when the actual
499 authentication occurs and may therefore return dynamic data
500 like time, remote ip etc.
501
502 The parameter Echo guides the client about need to hide the
503 password.
504
505 The default value is: {auth_method_kb_interactive_data,
506 {"SSH server", "Enter password for \""++User++"\"", "pass‐
507 word: ", false}>
508
509 user_passwords:
510 Provides passwords for password authentication. The pass‐
511 words are used when someone tries to connect to the server
512 and public key user-authentication fails. The option pro‐
513 vides a list of valid usernames and the corresponding pass‐
514 words.
515
516 Warning:
517 Note that this is very insecure due to the plain-text pass‐
518 words; it is intended for test purposes. Use the pwdfun option
519 to handle the password checking instead.
520
521
522 pk_check_user:
523 Enables checking of the client's user name in the server
524 when doing public key authentication. It is disabled by de‐
525 fault.
526
527 The term "user" is used differently in OpenSSH and SSH in
528 Erlang/OTP: see more in the User's Guide.
529
530 If the option is enabled, and no pwdfun is present, the user
531 name must present in the user_passwords for the check to
532 succeed but the value of the password is not checked.
533
534 In case of a pwdfun checking the user, the atom pubkey is
535 put in the password argument.
536
537 password:
538 Provides a global password that authenticates any user.
539
540 Warning:
541 Intended to facilitate testing.
542
543 From a security perspective this option makes the server very
544 vulnerable.
545
546
547 pwdfun with pwdfun_4():
548 Provides a function for password validation. This could used
549 for calling an external system or handling passwords stored
550 as hash values.
551
552 This fun can also be used to make delays in authentication
553 tries for example by calling timer:sleep/1.
554
555 To facilitate for instance counting of failed tries, the
556 State variable could be used. This state is per connection
557 only. The first time the pwdfun is called for a connection,
558 the State variable has the value undefined.
559
560 The fun should return:
561
562 * true if the user and password is valid
563
564 * false if the user or password is invalid
565
566 * disconnect if a SSH_MSG_DISCONNECT message should be sent
567 immediately. It will be followed by a close of the under‐
568 lying tcp connection.
569
570 * {true, NewState:any()} if the user and password is valid
571
572 * {false, NewState:any()} if the user or password is invalid
573
574 A third usage is to block login attempts from a missbehaving
575 peer. The State described above can be used for this. The
576 return value disconnect is useful for this.
577
578 In case of the pk_check_user is set, the atom pubkey is put
579 in the password argument when validating a public key login.
580 The pwdfun is then responsible to check that the user name
581 is valid.
582
583 pwdfun with pwdfun_2():
584 Provides a function for password validation. This function
585 is called with user and password as strings, and returns:
586
587 * true if the user and password is valid
588
589 * false if the user or password is invalid
590
591 In case of the pk_check_user is set, the atom pubkey is put
592 in the password argument when validating a public key login.
593 The pwdfun is then responsible to check that the user name
594 is valid.
595
596 This variant is kept for compatibility.
597
598 no_auth_needed:
599 If true, a client is authenticated without any need of pro‐
600 viding any password or key.
601
602 This option is only intended for very special applications
603 due to the high risk of accepting any connecting client.
604
605 The default value is false.
606
607 diffie_hellman_group_exchange_daemon_option() =
608 {dh_gex_groups,
609 [explicit_group()] |
610 explicit_group_file() |
611 ssh_moduli_file()} |
612 {dh_gex_limits, {Min :: integer() >= 1, Max :: integer() >= 1}}
613
614 explicit_group() =
615 {Size :: integer() >= 1,
616 G :: integer() >= 1,
617 P :: integer() >= 1}
618
619 explicit_group_file() = {file, string()}
620
621 ssh_moduli_file() = {ssh_moduli_file, string()}
622
623 dh_gex_groups:
624 Defines the groups the server may choose among when diffie-
625 hellman-group-exchange is negotiated. See RFC 4419 for de‐
626 tails. The three variants of this option are:
627
628 {Size=integer(),G=integer(),P=integer()}:
629 The groups are given explicitly in this list. There may be
630 several elements with the same Size. In such a case, the
631 server will choose one randomly in the negotiated Size.
632
633 {file,filename()}:
634 The file must have one or more three-tuples {Size=inte‐
635 ger(),G=integer(),P=integer()} terminated by a dot. The
636 file is read when the daemon starts.
637
638 {ssh_moduli_file,filename()}:
639 The file must be in ssh-keygen moduli file format. The
640 file is read when the daemon starts.
641
642 The default list is fetched from the public_key application.
643
644 dh_gex_limits:
645 Limits what a client can ask for in diffie-hellman-group-ex‐
646 change. The limits will be {MaxUsed = min(MaxClient,Max),
647 MinUsed = max(MinClient,Min)} where MaxClient and MinClient
648 are the values proposed by a connecting client.
649
650 The default value is {0,infinity}.
651
652 If MaxUsed < MinUsed in a key exchange, it will fail with a
653 disconnect.
654
655 See RFC 4419 for the function of the Max and Min values.
656
657 hello_timeout_daemon_option() = {hello_timeout, timeout()}
658
659 Maximum time in milliseconds for the first part of the ssh ses‐
660 sion setup, the hello message exchange. Defaults to 30000 ms (30
661 seconds). If the client fails to send the first message within
662 this time, the connection is closed.
663
664 For more information about timeouts, see the Timeouts section
665 in the User's Guide Hardening chapter.
666
667 negotiation_timeout_daemon_option() =
668 {negotiation_timeout, timeout()}
669
670 Maximum time in milliseconds for the authentication negotiation.
671 Defaults to 120000 ms (2 minutes). If the client fails to log in
672 within this time, the connection is closed.
673
674 For more information about timeouts, see the Timeouts section
675 in the User's Guide Hardening chapter.
676
677 max_initial_idle_time_daemon_option() =
678 {max_initial_idle_time, timeout()}
679
680 Maximum time in milliseconds for the first channel start after
681 completion of the authentication negotiation. Defaults to infin‐
682 ity.
683
684 For more information about timeouts, see the Timeouts section
685 in the User's Guide Hardening chapter.
686
687 hardening_daemon_options() =
688 {max_sessions, integer() >= 1} |
689 {max_channels, integer() >= 1} |
690 {parallel_login, boolean()} |
691 {minimal_remote_max_packet_size, integer() >= 1}
692
693 For more information about hardening, see the Hardening section
694 in the User's Guide chapter.
695
696 max_sessions:
697 The maximum number of simultaneous sessions that are ac‐
698 cepted at any time for this daemon. This includes sessions
699 that are being authorized. Thus, if set to N, and N clients
700 have connected but not started the login process, connection
701 attempt N+1 is aborted. If N connections are authenticated
702 and still logged in, no more logins are accepted until one
703 of the existing ones log out.
704
705 The counter is per listening port. Thus, if two daemons are
706 started, one with {max_sessions,N} and the other with
707 {max_sessions,M}, in total N+M connections are accepted for
708 the whole ssh application.
709
710 Notice that if parallel_login is false, only one client at a
711 time can be in the authentication phase.
712
713 By default, this option is not set. This means that the num‐
714 ber is not limited.
715
716 max_channels:
717 The maximum number of channels with active remote subsystem
718 that are accepted for each connection to this daemon
719
720 By default, this option is not set. This means that the num‐
721 ber is not limited.
722
723 parallel_login:
724 If set to false (the default value), only one login is han‐
725 dled at a time. If set to true, an unlimited number of login
726 attempts are allowed simultaneously.
727
728 If the max_sessions option is set to N and parallel_login is
729 set to true, the maximum number of simultaneous login at‐
730 tempts at any time is limited to N-K, where K is the number
731 of authenticated connections present at this daemon.
732
733 Warning:
734 Do not enable parallel_logins without protecting the server by
735 other means, for example, by the max_sessions option or a
736 firewall configuration. If set to true, there is no protection
737 against DOS attacks.
738
739
740 minimal_remote_max_packet_size:
741 The least maximum packet size that the daemon will accept in
742 channel open requests from the client. The default value is
743 0.
744
745 callbacks_daemon_options() =
746 {failfun,
747 fun((User :: string(),
748 PeerAddress :: inet:ip_address(),
749 Reason :: term()) ->
750 term())} |
751 {connectfun,
752 fun((User :: string(),
753 PeerAddress :: inet:ip_address(),
754 Method :: string()) ->
755 term())}
756
757 connectfun:
758 Provides a fun to implement your own logging when a user au‐
759 thenticates to the server.
760
761 failfun:
762 Provides a fun to implement your own logging when a user
763 fails to authenticate.
764
765 send_ext_info_daemon_option() = {send_ext_info, boolean()}
766
767 Make the server (daemon) tell the client that the server accepts
768 extension negotiation, that is, include ext-info-s in the kex‐
769 init message sent. See RFC 8308 for details and ssh(6) for a
770 list of currently implemented extensions.
771
772 Default value is true which is compatible with other implementa‐
773 tions not supporting ext-info.
774
775 tcpip_tunnel_in_daemon_option() = {tcpip_tunnel_in, boolean()}
776
777 Enables (true) or disables (false) the possibility to tunnel a
778 TCP/IP connection in to a server. Disabled per default.
779
780 tcpip_tunnel_out_daemon_option() =
781 {tcpip_tunnel_out, boolean()}
782
783 Enables (true) or disables (false) the possibility to tunnel a
784 TCP/IP connection out of a server. Disabled per default.
785
786 Options common to clients and daemons
787 common_options() = [common_option()]
788
789 common_option() =
790 ssh_file:user_dir_common_option() |
791 profile_common_option() |
792 max_idle_time_common_option() |
793 max_log_item_len_common_option() |
794 key_cb_common_option() |
795 disconnectfun_common_option() |
796 unexpectedfun_common_option() |
797 ssh_msg_debug_fun_common_option() |
798 rekey_limit_common_option() |
799 id_string_common_option() |
800 pref_public_key_algs_common_option() |
801 preferred_algorithms_common_option() |
802 modify_algorithms_common_option() |
803 auth_methods_common_option() |
804 inet_common_option() |
805 fd_common_option()
806
807 The options above can be used both in clients and in daemons
808 (servers). They are further explained below.
809
810 profile_common_option() = {profile, atom()}
811
812 Used together with ip-address and port to uniquely identify a
813 ssh daemon. This can be useful in a virtualized environment,
814 where there can be more that one server that has the same ip-ad‐
815 dress and port. If this property is not explicitly set, it is
816 assumed that the the ip-address and port uniquely identifies the
817 SSH daemon.
818
819 max_idle_time_common_option() = {idle_time, timeout()}
820
821 Sets a time-out on a connection when no channels are open. De‐
822 faults to infinity. The unit is milliseconds.
823
824 The timeout is not active until channels are started, so it does
825 not limit the time from the connection creation to the first
826 channel opening.
827
828 For more information about timeouts, see the Timeouts section
829 in the User's Guide Hardening chapter.
830
831 max_log_item_len_common_option() =
832 {max_log_item_len, limit_bytes()}
833
834 Sets a limit for the size of a logged item excluding a header.
835 The unit is bytes and the value defaults to 500.
836
837 rekey_limit_common_option() =
838 {rekey_limit,
839 Bytes ::
840 limit_bytes() |
841 {Minutes :: limit_time(), Bytes :: limit_bytes()}}
842
843 limit_bytes() = integer() >= 0 | infinity
844
845 limit_time() = integer() >= 1 | infinity
846
847 Sets the limit when rekeying is to be initiated. Both the max
848 time and max amount of data could be configured:
849
850 * {Minutes, Bytes} initiate rekeying when any of the limits
851 are reached.
852
853 * Bytes initiate rekeying when Bytes number of bytes are
854 transferred, or at latest after one hour.
855
856 When a rekeying is done, both the timer and the byte counter are
857 restarted. Defaults to one hour and one GByte.
858
859 If Minutes is set to infinity, no rekeying will ever occur due
860 to that max time has passed. Setting Bytes to infinity will in‐
861 hibit rekeying after a certain amount of data has been trans‐
862 ferred. If the option value is set to {infinity, infinity}, no
863 rekeying will be initiated. Note that rekeying initiated by the
864 peer will still be performed.
865
866 key_cb_common_option() =
867 {key_cb,
868 Module :: atom() | {Module :: atom(), Opts :: [term()]}}
869
870 Module implementing the behaviour ssh_client_key_api and/or
871 ssh_server_key_api. Can be used to customize the handling of
872 public keys. If callback options are provided along with the
873 module name, they are made available to the callback module via
874 the options passed to it under the key 'key_cb_private'.
875
876 The Opts defaults to [] when only the Module is specified.
877
878 The default value of this option is {ssh_file, []}. See also the
879 manpage of ssh_file.
880
881 A call to the call-back function F will be
882
883 Module:F(..., [{key_cb_private,Opts}|UserOptions])
884
885
886 where ... are arguments to F as in ssh_client_key_api and/or
887 ssh_server_key_api. The UserOptions are the options given to
888 ssh:connect, ssh:shell or ssh:daemon.
889
890 pref_public_key_algs_common_option() =
891 {pref_public_key_algs, [pubkey_alg()]}
892
893 List of user (client) public key algorithms to try to use.
894
895 The default value is the public_key entry in the list returned
896 by ssh:default_algorithms/0.
897
898 If there is no public key of a specified type available, the
899 corresponding entry is ignored. Note that the available set is
900 dependent on the underlying cryptolib and current user's public
901 keys.
902
903 See also the option user_dir for specifying the path to the
904 user's keys.
905
906 disconnectfun_common_option() =
907 {disconnectfun, fun((Reason :: term()) -> void | any())}
908
909 Provides a fun to implement your own logging or other handling
910 at disconnects.
911
912 unexpectedfun_common_option() =
913 {unexpectedfun,
914 fun((Message :: term(), {Host :: term(), Port :: term()}) ->
915 report | skip)}
916
917 Provides a fun to implement your own logging or other action
918 when an unexpected message arrives. If the fun returns report
919 the usual info report is issued but if skip is returned no re‐
920 port is generated.
921
922 ssh_msg_debug_fun_common_option() =
923 {ssh_msg_debug_fun,
924 fun((ssh:connection_ref(),
925 AlwaysDisplay :: boolean(),
926 Msg :: binary(),
927 LanguageTag :: binary()) ->
928 any())}
929
930 Provide a fun to implement your own logging of the SSH message
931 SSH_MSG_DEBUG. The last three parameters are from the message,
932 see RFC 4253, section 11.3. The connection_ref() is the refer‐
933 ence to the connection on which the message arrived. The return
934 value from the fun is not checked.
935
936 The default behaviour is ignore the message. To get a printout
937 for each message with AlwaysDisplay = true, use for example
938 {ssh_msg_debug_fun, fun(_,true,M,_)-> io:format("DEBUG: ~p~n",
939 [M]) end}
940
941 id_string_common_option() =
942 {id_string,
943 string() |
944 random |
945 {random, Nmin :: integer() >= 1, Nmax :: integer() >= 1}}
946
947 The string the daemon will present to a connecting peer ini‐
948 tially. The default value is "Erlang/VSN" where VSN is the ssh
949 application version number.
950
951 The value random will cause a random string to be created at
952 each connection attempt. This is to make it a bit more difficult
953 for a malicious peer to find the ssh software brand and version.
954
955 The value {random, Nmin, Nmax} will make a random string with at
956 least Nmin characters and at most Nmax characters.
957
958 preferred_algorithms_common_option() =
959 {preferred_algorithms, algs_list()}
960
961 algs_list() = [alg_entry()]
962
963 alg_entry() =
964 {kex, [kex_alg()]} |
965 {public_key, [pubkey_alg()]} |
966 {cipher, double_algs(cipher_alg())} |
967 {mac, double_algs(mac_alg())} |
968 {compression, double_algs(compression_alg())}
969
970 kex_alg() =
971 'diffie-hellman-group-exchange-sha1' |
972 'diffie-hellman-group-exchange-sha256' |
973 'diffie-hellman-group1-sha1' | 'diffie-hellman-group14-sha1' |
974 'diffie-hellman-group14-sha256' |
975 'diffie-hellman-group16-sha512' |
976 'diffie-hellman-group18-sha512' | 'curve25519-sha256' |
977 'curve25519-sha256@libssh.org' | 'curve448-sha512' |
978 'ecdh-sha2-nistp256' | 'ecdh-sha2-nistp384' |
979 'ecdh-sha2-nistp521'
980
981 pubkey_alg() =
982 'ecdsa-sha2-nistp256' | 'ecdsa-sha2-nistp384' |
983 'ecdsa-sha2-nistp521' | 'ssh-ed25519' | 'ssh-ed448' |
984 'rsa-sha2-256' | 'rsa-sha2-512' | 'ssh-dss' | 'ssh-rsa'
985
986 cipher_alg() =
987 '3des-cbc' | 'AEAD_AES_128_GCM' | 'AEAD_AES_256_GCM' |
988 'aes128-cbc' | 'aes128-ctr' | 'aes128-gcm@openssh.com' |
989 'aes192-ctr' | 'aes192-cbc' | 'aes256-cbc' | 'aes256-ctr' |
990 'aes256-gcm@openssh.com' | 'chacha20-poly1305@openssh.com'
991
992 mac_alg() =
993 'AEAD_AES_128_GCM' | 'AEAD_AES_256_GCM' | 'hmac-sha1' |
994 'hmac-sha1-etm@openssh.com' | 'hmac-sha1-96' |
995 'hmac-sha2-256' | 'hmac-sha2-512' |
996 'hmac-sha2-256-etm@openssh.com' |
997 'hmac-sha2-512-etm@openssh.com'
998
999 compression_alg() = none | zlib | 'zlib@openssh.com'
1000
1001 double_algs(AlgType) =
1002 [{client2server, [AlgType]} | {server2client, [AlgType]}] |
1003 [AlgType]
1004
1005 List of algorithms to use in the algorithm negotiation. The de‐
1006 fault algs_list() can be obtained from default_algorithms/0.
1007
1008 If an alg_entry() is missing in the algs_list(), the default
1009 value is used for that entry.
1010
1011 Here is an example of this option:
1012
1013 {preferred_algorithms,
1014 [{public_key,['ssh-rsa','ssh-dss']},
1015 {cipher,[{client2server,['aes128-ctr']},
1016 {server2client,['aes128-cbc','3des-cbc']}]},
1017 {mac,['hmac-sha2-256','hmac-sha1']},
1018 {compression,[none,zlib]}
1019 ]
1020 }
1021
1022
1023 The example specifies different algorithms in the two directions
1024 (client2server and server2client), for cipher but specifies the
1025 same algorithms for mac and compression in both directions. The
1026 kex (key exchange) is implicit but public_key is set explicitly.
1027
1028 For background and more examples see the User's Guide.
1029
1030 If an algorithm name occurs more than once in a list, the behav‐
1031 iour is undefined. The tags in the property lists are also as‐
1032 sumed to occur at most one time.
1033
1034 Warning:
1035 Changing the values can make a connection less secure. Do not
1036 change unless you know exactly what you are doing. If you do not
1037 understand the values then you are not supposed to change them.
1038
1039
1040 modify_algorithms_common_option() =
1041 {modify_algorithms, modify_algs_list()}
1042
1043 modify_algs_list() =
1044 [{append, algs_list()} |
1045 {prepend, algs_list()} |
1046 {rm, algs_list()}]
1047
1048 Modifies the list of algorithms to use in the algorithm negotia‐
1049 tion. The modifications are applied after the option pre‐
1050 ferred_algorithms (if existing) is applied.
1051
1052 The algorithm for modifications works like this:
1053
1054 * Input is the modify_algs_list() and a set of algorithms A
1055 obtained from the preferred_algorithms option if existing,
1056 or else from the ssh:default_algorithms/0.
1057
1058 * The head of the modify_algs_list() modifies A giving the re‐
1059 sult A'.
1060
1061 The possible modifications are:
1062
1063 * Append or prepend supported but not enabled algorithm(s)
1064 to the list of algorithms. If the wanted algorithms al‐
1065 ready are in A they will first be removed and then ap‐
1066 pended or prepended,
1067
1068 * Remove (rm) one or more algorithms from A.
1069
1070 * Repeat the modification step with the tail of mod‐
1071 ify_algs_list() and the resulting A'.
1072
1073 If an unsupported algorithm is in the modify_algs_list(), it
1074 will be silently ignored
1075
1076 If there are more than one modify_algorithms options, the result
1077 is undefined.
1078
1079 Here is an example of this option:
1080
1081 {modify_algorithms,
1082 [{prepend, [{kex, ['diffie-hellman-group1-sha1']}],
1083 {rm, [{compression, [none]}]}
1084 ]
1085 }
1086
1087
1088 The example specifies that:
1089
1090 * the old key exchange algorithm 'diffie-hellman-group1-sha1'
1091 should be the main alternative. It will be the main alterna‐
1092 tive since it is prepened to the list
1093
1094 * The compression algorithm none (= no compression) is removed
1095 so compression is enforced
1096
1097 For background and more examples see the User's Guide.
1098
1099 inet_common_option() = {inet, inet | inet6}
1100
1101 IP version to use when the host address is specified as any.
1102
1103 auth_methods_common_option() = {auth_methods, string()}
1104
1105 Comma-separated string that determines which authentication
1106 methods that the client shall support and in which order they
1107 are tried. Defaults to "publickey,keyboard-interactive,password"
1108
1109 Note that the client is free to use any order and to exclude
1110 methods.
1111
1112 fd_common_option() = {fd, gen_tcp:socket()}
1113
1114 Allows an existing file-descriptor to be used (passed on to the
1115 transport protocol).
1116
1117 Other data types
1118 host() = string() | inet:ip_address() | loopback
1119
1120 ip_port() = {inet:ip_address(), inet:port_number()}
1121
1122 mod_args() = {Module :: atom(), Args :: list()}
1123
1124 mod_fun_args() =
1125 {Module :: atom(), Function :: atom(), Args :: list()}
1126
1127 open_socket() = gen_tcp:socket()
1128
1129 The socket is supposed to be result of a gen_tcp:connect or a
1130 gen_tcp:accept. The socket must be in passive mode (that is,
1131 opened with the option {active,false}).
1132
1133 daemon_ref()
1134
1135 Opaque data type representing a daemon.
1136
1137 Returned by the functions daemon/1,2,3.
1138
1139 connection_ref()
1140
1141 Opaque data type representing a connection between a client and
1142 a server (daemon).
1143
1144 Returned by the functions connect/2,3,4 and ssh_sftp:start_chan‐
1145 nel/2,3.
1146
1147 channel_id()
1148
1149 Opaque data type representing a channel inside a connection.
1150
1151 Returned by the functions ssh_connection:session_channel/2,4.
1152
1153 connection_info_tuple() =
1154 {client_version, version()} |
1155 {server_version, version()} |
1156 {user, string()} |
1157 {peer, {inet:hostname(), ip_port()}} |
1158 {sockname, ip_port()} |
1159 {options, client_options()} |
1160 {algorithms, conn_info_algs()} |
1161 {channels, conn_info_channels()}
1162
1163 version() = {protocol_version(), software_version()}
1164
1165 protocol_version() =
1166 {Major :: integer() >= 1, Minor :: integer() >= 0}
1167
1168 software_version() = string()
1169
1170 conn_info_algs() =
1171 [{kex, kex_alg()} |
1172 {hkey, pubkey_alg()} |
1173 {encrypt, cipher_alg()} |
1174 {decrypt, cipher_alg()} |
1175 {send_mac, mac_alg()} |
1176 {recv_mac, mac_alg()} |
1177 {compress, compression_alg()} |
1178 {decompress, compression_alg()} |
1179 {send_ext_info, boolean()} |
1180 {recv_ext_info, boolean()}]
1181
1182 conn_info_channels() = [proplists:proplist()]
1183
1184 Return values from the connection_info/1 and connection_info/2
1185 functions.
1186
1187 In the option info tuple are only the options included that dif‐
1188 fers from the default values.
1189
1190 daemon_info_tuple() =
1191 {port, inet:port_number()} |
1192 {ip, inet:ip_address()} |
1193 {profile, atom()} |
1194 {options, daemon_options()}
1195
1196 Return values from the daemon_info/1 and daemon_info/2 func‐
1197 tions.
1198
1199 In the option info tuple are only the options included that dif‐
1200 fers from the default values.
1201
1202 opaque_client_options()
1203
1204 opaque_daemon_options()
1205
1206 opaque_common_options()
1207
1208 Opaque types that define experimental options that are not to be
1209 used in products.
1210
1212 close(ConnectionRef) -> ok | {error, term()}
1213
1214 Types:
1215
1216 ConnectionRef = connection_ref()
1217
1218 Closes an SSH connection.
1219
1220 connect(Host, Port, Options) -> Result
1221 connect(Host, Port, Options, NegotiationTimeout) -> Result
1222 connect(TcpSocket, Options) -> Result
1223 connect(TcpSocket, Options, NegotiationTimeout) -> Result
1224
1225 Types:
1226
1227 Host = host()
1228 Port = inet:port_number()
1229 Options = client_options()
1230 TcpSocket = open_socket()
1231 NegotiationTimeout = timeout()
1232 Result = {ok, connection_ref()} | {error, term()}
1233
1234 Connects to an SSH server at the Host on Port.
1235
1236 As an alternative, an already open TCP socket could be passed to
1237 the function in TcpSocket. The SSH initiation and negotiation
1238 will be initiated on that one with the SSH that should be at the
1239 other end.
1240
1241 No channel is started. This is done by calling ssh_connec‐
1242 tion:session_channel/[2, 4].
1243
1244 The NegotiationTimeout is in milli-seconds. The default value is
1245 infinity or the value of the connect_timeout option, if present.
1246 For connection timeout, use the option connect_timeout.
1247
1248 connection_info(ConnectionRef) -> InfoTupleList
1249
1250 connection_info(ConnectionRef, Key :: ItemList | Item) ->
1251 InfoTupleList | InfoTuple
1252
1253 Types:
1254
1255 ConnectionRef = connection_ref()
1256 ItemList = [Item]
1257 Item =
1258 client_version | server_version | user | peer | sockname
1259 |
1260 options | algorithms | sockname
1261 InfoTupleList = [InfoTuple]
1262 InfoTuple = connection_info_tuple()
1263
1264 Returns information about a connection intended for e.g debug‐
1265 ging or logging.
1266
1267 When the Key is a single Item, the result is a single InfoTuple
1268
1269 set_sock_opts(ConnectionRef, SocketOptions) ->
1270 ok | {error, inet:posix()}
1271
1272 Types:
1273
1274 ConnectionRef = connection_ref()
1275 SocketOptions = [gen_tcp:option()]
1276
1277 Sets tcp socket options on the tcp-socket below an ssh connec‐
1278 tion.
1279
1280 This function calls the inet:setopts/2, read that documentation
1281 and for gen_tcp:option().
1282
1283 All gen_tcp socket options except
1284
1285 * active
1286
1287 * deliver
1288
1289 * mode and
1290
1291 * packet
1292
1293 are allowed. The excluded options are reserved by the SSH appli‐
1294 cation.
1295
1296 Warning:
1297 This is an extremely dangerous function. You use it on your own
1298 risk.
1299
1300 Some options are OS and OS version dependent. Do not use it un‐
1301 less you know what effect your option values will have on an TCP
1302 stream.
1303
1304 Some values may destroy the functionality of the SSH protocol.
1305
1306
1307 get_sock_opts(ConnectionRef, SocketGetOptions) ->
1308 ok | {error, inet:posix()}
1309
1310 Types:
1311
1312 ConnectionRef = connection_ref()
1313 SocketGetOptions = [gen_tcp:option_name()]
1314
1315 Get tcp socket option values of the tcp-socket below an ssh con‐
1316 nection.
1317
1318 This function calls the inet:getopts/2, read that documentation.
1319
1320 daemon(Port | TcpSocket) -> Result
1321 daemon(Port | TcpSocket, Options) -> Result
1322 daemon(HostAddress, Port, Options) -> Result
1323
1324 Types:
1325
1326 Port = integer()
1327 TcpSocket = open_socket()
1328 Options = daemon_options()
1329 HostAddress = host() | any
1330 Result = {ok, daemon_ref()} | {error, atom()}
1331
1332 Starts a server listening for SSH connections on the given port.
1333 If the Port is 0, a random free port is selected. See dae‐
1334 mon_info/1 about how to find the selected port number.
1335
1336 As an alternative, an already open TCP socket could be passed to
1337 the function in TcpSocket. The SSH initiation and negotiation
1338 will be initiated on that one when an SSH starts at the other
1339 end of the TCP socket.
1340
1341 For a description of the options, see Daemon Options.
1342
1343 Please note that by historical reasons both the HostAddress ar‐
1344 gument and the gen_tcp connect_option() {ip,Address} set the
1345 listening address. This is a source of possible inconsistent
1346 settings.
1347
1348 The rules for handling the two address passing options are:
1349
1350 * if HostAddress is an IP-address, that IP-address is the lis‐
1351 tening address. An 'ip'-option will be discarded if present.
1352
1353 * if HostAddress is the atom loopback, the listening address
1354 is loopback and an loopback address will be chosen by the
1355 underlying layers. An 'ip'-option will be discarded if
1356 present.
1357
1358 * if HostAddress is the atom any and no 'ip'-option is
1359 present, the listening address is any and the socket will
1360 listen to all addresses
1361
1362 * if HostAddress is any and an 'ip'-option is present, the
1363 listening address is set to the value of the 'ip'-option
1364
1365 daemon_replace_options(DaemonRef, NewUserOptions) ->
1366 {ok, daemon_ref()} | {error, term()}
1367
1368 Types:
1369
1370 DaemonRef = daemon_ref()
1371 NewUserOptions = daemon_options()
1372
1373 Replaces the options in a running daemon with the options in
1374 NewUserOptions. Only connections established after this call are
1375 affected, already established connections are not.
1376
1377 Note:
1378 In the final phase of this function, the listening process is
1379 restarted. Therfore a connection attempt to the daemon in this
1380 final phase could fail.
1381
1382
1383 The handling of Erlang configurations is described in the User's
1384 Guide; see chapters Configuration in SSH and Configuring algo‐
1385 rithms in SSH.
1386
1387 daemon_info(DaemonRef) ->
1388 {ok, InfoTupleList} | {error, bad_daemon_ref}
1389
1390 daemon_info(DaemonRef, Key :: ItemList | Item) ->
1391 InfoTupleList | InfoTuple | {error, bad_daemon_ref}
1392
1393 Types:
1394
1395 DaemonRef = daemon_ref()
1396 ItemList = [Item]
1397 Item = ip | port | profile | options
1398 InfoTupleList = [InfoTuple]
1399 InfoTuple = daemon_info_tuple()
1400
1401 Returns information about a daemon intended for e.g debugging or
1402 logging.
1403
1404 When the Key is a single Item, the result is a single InfoTuple
1405
1406 Note that daemon_info/1 and daemon_info/2 returns different
1407 types due to compatibility reasons.
1408
1409 default_algorithms() -> algs_list()
1410
1411 Returns a key-value list, where the keys are the different types
1412 of algorithms and the values are the algorithms themselves.
1413
1414 See the User's Guide for an example.
1415
1416 shell(Host | TcpSocket) -> Result
1417 shell(Host | TcpSocket, Options) -> Result
1418 shell(Host, Port, Options) -> Result
1419
1420 Types:
1421
1422 Host = host()
1423 TcpSocket = open_socket()
1424 Port = inet:port_number()
1425 Options = client_options()
1426 Result = ok | {error, Reason::term()}
1427
1428 Connects to an SSH server at Host and Port (defaults to 22) and
1429 starts an interactive shell on that remote host.
1430
1431 As an alternative, an already open TCP socket could be passed to
1432 the function in TcpSocket. The SSH initiation and negotiation
1433 will be initiated on that one and finally a shell will be
1434 started on the host at the other end of the TCP socket.
1435
1436 For a description of the options, see Client Options.
1437
1438 The function waits for user input, and does not return until the
1439 remote shell is ended (that is, exit from the shell).
1440
1441 start() -> ok | {error, term()}
1442
1443 start(Type) -> ok | {error, term()}
1444
1445 Types:
1446
1447 Type = permanent | transient | temporary
1448
1449 Utility function that starts the applications crypto, pub‐
1450 lic_key, and ssh. Default type is temporary. For more informa‐
1451 tion, see the application(3) manual page in Kernel.
1452
1453 stop() -> ok | {error, term()}
1454
1455 Stops the ssh application. For more information, see the appli‐
1456 cation(3) manual page in Kernel.
1457
1458 stop_daemon(DaemonRef :: daemon_ref()) -> ok
1459
1460 stop_daemon(Address :: inet:ip_address(),
1461 Port :: inet:port_number()) ->
1462 ok
1463
1464 stop_daemon(Address :: any | inet:ip_address(),
1465 Port :: inet:port_number(),
1466 Profile :: atom()) ->
1467 ok
1468
1469 Stops the listener and all connections started by the listener.
1470
1471 stop_listener(SysSup :: daemon_ref()) -> ok
1472
1473 stop_listener(Address :: inet:ip_address(),
1474 Port :: inet:port_number()) ->
1475 ok
1476
1477 stop_listener(Address :: any | inet:ip_address(),
1478 Port :: inet:port_number(),
1479 Profile :: term()) ->
1480 ok
1481
1482 Stops the listener, but leaves existing connections started by
1483 the listener operational.
1484
1485 tcpip_tunnel_from_server(ConnectionRef, ListenHost, ListenPort,
1486 ConnectToHost, ConnectToPort) ->
1487 {ok, TrueListenPort} | {error, term()}
1488
1489 tcpip_tunnel_from_server(ConnectionRef, ListenHost, ListenPort,
1490 ConnectToHost, ConnectToPort, Timeout) ->
1491 {ok, TrueListenPort} | {error, term()}
1492
1493 Types:
1494
1495 ConnectionRef = connection_ref()
1496 ListenHost = host()
1497 ListenPort = inet:port_number()
1498 ConnectToHost = host()
1499 ConnectToPort = inet:port_number()
1500 Timeout = timeout()
1501 TrueListenPort = inet:port_number()
1502
1503 Asks the remote server of ConnectionRef to listen to Listen‐
1504 Host:ListenPort. When someone connects that address, the connec‐
1505 tion is forwarded in an encrypted channel from the server to the
1506 client. The client (that is, at the node that calls this func‐
1507 tion) then connects to ConnectToHost:ConnectToPort.
1508
1509 The returned TrueListenPort is the port that is listened to. It
1510 is the same as ListenPort, except when ListenPort = 0. In that
1511 case a free port is selected by the underlying OS.
1512
1513 Note that in case of an Erlang/OTP SSH server (daemon) as peer,
1514 that server must have been started with the option tcpip_tun‐
1515 nel_out to allow the connection.
1516
1517 tcpip_tunnel_to_server(ConnectionRef, ListenHost, ListenPort,
1518 ConnectToHost, ConnectToPort) ->
1519 {ok, TrueListenPort} | {error, term()}
1520
1521 tcpip_tunnel_to_server(ConnectionRef, ListenHost, ListenPort,
1522 ConnectToHost, ConnectToPort, Timeout) ->
1523 {ok, TrueListenPort} | {error, term()}
1524
1525 Types:
1526
1527 ConnectionRef = connection_ref()
1528 ListenHost = host()
1529 ListenPort = inet:port_number()
1530 ConnectToHost = host()
1531 ConnectToPort = inet:port_number()
1532 Timeout = timeout()
1533 TrueListenPort = inet:port_number()
1534
1535 Tells the local client to listen to ListenHost:ListenPort. When
1536 someone connects to that address, the connection is forwarded in
1537 an encrypted channel to the peer server of ConnectionRef. That
1538 server then connects to ConnectToHost:ConnectToPort.
1539
1540 The returned TrueListenPort is the port that is listened to. It
1541 is the same as ListenPort, except when ListenPort = 0. In that
1542 case a free port is selected by the underlying OS.
1543
1544 Note that in case of an Erlang/OTP SSH server (daemon) as peer,
1545 that server must have been started with the option tcpip_tun‐
1546 nel_in to allow the connection.
1547
1548 hostkey_fingerprint(HostKey) -> string()
1549 hostkey_fingerprint(DigestType, HostKey) -> string()
1550 hostkey_fingerprint([DigestType], HostKey) -> [string()]
1551
1552 Types:
1553
1554 HostKey = public_key:public_key()
1555 DigestType = public_key:digest_type()
1556
1557 Calculates a ssh fingerprint from a public host key as openssh
1558 does.
1559
1560 The algorithm in hostkey_fingerprint/1 is md5 to be compatible
1561 with older ssh-keygen commands. The string from the second vari‐
1562 ant is prepended by the algorithm name in uppercase as in newer
1563 ssh-keygen commands.
1564
1565 Examples:
1566
1567 2> ssh:hostkey_fingerprint(Key).
1568 "f5:64:a6:c1:5a:cb:9f:0a:10:46:a2:5c:3e:2f:57:84"
1569
1570 3> ssh:hostkey_fingerprint(md5,Key).
1571 "MD5:f5:64:a6:c1:5a:cb:9f:0a:10:46:a2:5c:3e:2f:57:84"
1572
1573 4> ssh:hostkey_fingerprint(sha,Key).
1574 "SHA1:bSLY/C4QXLDL/Iwmhyg0PGW9UbY"
1575
1576 5> ssh:hostkey_fingerprint(sha256,Key).
1577 "SHA256:aZGXhabfbf4oxglxltItWeHU7ub3Dc31NcNw2cMJePQ"
1578
1579 6> ssh:hostkey_fingerprint([sha,sha256],Key).
1580 ["SHA1:bSLY/C4QXLDL/Iwmhyg0PGW9UbY",
1581 "SHA256:aZGXhabfbf4oxglxltItWeHU7ub3Dc31NcNw2cMJePQ"]
1582
1583
1584
1585
1586Ericsson AB ssh 4.15.1 ssh(3)