path: root/lib/ssh/doc/src
Diffstat (limited to 'lib/ssh/doc/src')
-rw-r--r--  lib/ssh/doc/src/Makefile                 |   4
-rw-r--r--  lib/ssh/doc/src/SSH_app.xml              |   2
-rw-r--r--  lib/ssh/doc/src/configurations.xml       |   8
-rw-r--r--  lib/ssh/doc/src/configure_algos.xml      |  16
-rw-r--r--  lib/ssh/doc/src/hardening.xml            | 103
-rw-r--r--  lib/ssh/doc/src/notes.xml                | 280
-rw-r--r--  lib/ssh/doc/src/ssh.xml                  | 213
-rw-r--r--  lib/ssh/doc/src/ssh_agent.xml            |   2
-rw-r--r--  lib/ssh/doc/src/ssh_client_key_api.xml   |  12
-rw-r--r--  lib/ssh/doc/src/ssh_connection.xml       |   4
-rw-r--r--  lib/ssh/doc/src/ssh_file.xml             |  26
-rw-r--r--  lib/ssh/doc/src/ssh_sftp.xml             |   4
-rw-r--r--  lib/ssh/doc/src/ssh_timeouts.jpg         | bin 0 -> 40281 bytes
-rw-r--r--  lib/ssh/doc/src/ssh_timeouts.odp         | bin 0 -> 13832 bytes
-rw-r--r--  lib/ssh/doc/src/terminology.xml          |   8
-rw-r--r--  lib/ssh/doc/src/using_ssh.xml            |   4
16 files changed, 520 insertions, 166 deletions
diff --git a/lib/ssh/doc/src/Makefile b/lib/ssh/doc/src/Makefile
index a4a25f8eed..3835866fcc 100644
--- a/lib/ssh/doc/src/Makefile
+++ b/lib/ssh/doc/src/Makefile
@@ -1,7 +1,7 @@
#
# %CopyrightBegin%
#
-# Copyright Ericsson AB 2004-2021. All Rights Reserved.
+# Copyright Ericsson AB 2004-2022. All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
@@ -63,7 +63,7 @@ BOOK_FILES = book.xml
XML_FILES = $(BOOK_FILES) $(XML_APPLICATION_FILES) $(XML_REF3_FILES) $(XML_REF6_FILES)\
$(XML_PART_FILES) $(XML_CHAPTER_FILES)
-IMAGE_FILES = SSH_protocols.png
+IMAGE_FILES = SSH_protocols.png ssh_timeouts.jpg
TOP_SPECS_FILE = specs.xml
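Review bot: the diffstat adds both ssh_timeouts.jpg and its source ssh_timeouts.odp, but only the .jpg is appended to IMAGE_FILES in this hunk. If the .odp is meant to stay an editable source that is never installed, that is fine, but a short comment next to IMAGE_FILES saying that ssh_timeouts.jpg is exported from ssh_timeouts.odp would keep the two from drifting apart when the figure is next updated.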
diff --git a/lib/ssh/doc/src/SSH_app.xml b/lib/ssh/doc/src/SSH_app.xml
index 8f3b5fc80b..4d12669c1e 100644
--- a/lib/ssh/doc/src/SSH_app.xml
+++ b/lib/ssh/doc/src/SSH_app.xml
@@ -282,7 +282,7 @@
</section>
<section>
<title>Unicode support</title>
- <p>Unicode filenames are supported if the emulator and the underlaying OS support it. See section DESCRIPTION in the
+ <p>Unicode filenames are supported if the emulator and the underlying OS support it. See section DESCRIPTION in the
<seeerl marker="kernel:file">file</seeerl> manual page in Kernel for information about this subject.
</p>
<p>The shell and the cli both support unicode.
diff --git a/lib/ssh/doc/src/configurations.xml b/lib/ssh/doc/src/configurations.xml
index cd55e87027..56dc84e7e0 100644
--- a/lib/ssh/doc/src/configurations.xml
+++ b/lib/ssh/doc/src/configurations.xml
@@ -4,7 +4,7 @@
<chapter>
<header>
<copyright>
- <year>2020</year>
+ <year>2020</year><year>2022</year>
<holder>Ericsson AB. All Rights Reserved.</holder>
</copyright>
<legalnotice>
@@ -105,7 +105,7 @@
<p>There is an ordering, which is:
</p>
<list>
- <item>Level 0: Hard-coded default values in the source code</item>
+ <item>Level 0: Hard-coded default values in the OTP SSH source code</item>
<item>Level 1: <seefile marker="kernel:config">OTP Configuration Parameters</seefile></item>
<item>Level 2: Options in the <seefile marker="kernel:config">OTP Configuration Parameters</seefile>
<c>server_options</c> or <c>client_options</c></item>
@@ -116,7 +116,7 @@
<p>The only exception is the
<seetype marker="ssh#modify_algorithms_common_option">modify_algorithms</seetype>
common option. They are all applied in ascending level order on the set of algorithms. So a
- <c>modify_algorithms</c> on level zero is applied before one of level one and so on.
+ <c>modify_algorithms</c> on level one is applied before one of level two and so on.
</p>
<p>If there is an
<seetype marker="ssh#preferred_algorithms_common_option">preferred_algorithms</seetype>
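Review bot: now that the example sentence starts at level one, the text should say why level zero is skipped: the hard-coded defaults carry no modify_algorithms option of their own and are the base set that the modifications of levels one and up are applied to. Something like "a modify_algorithms on level one is applied to the level-zero defaults first, then one of level two, and so on" would remove the ambiguity for a reader who otherwise wonders whether a level-zero modify_algorithms exists.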
@@ -250,7 +250,7 @@ ok
]).
{ok,&gt;0.118.0>}
</code>
- <p>We check which algoritms are negotiated by the client and the server, and note that
+ <p>We check which algorithms are negotiated by the client and the server, and note that
the (only) <c>kex</c> algorithm <c>'curve25519-sha256@libssh.org'</c> was selected:
</p>
<code>
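Review bot: the context line `{ok,&gt;0.118.0>}` renders as `{ok,>0.118.0>}`, which is not a valid pid; it should be `{ok,&lt;0.118.0&gt;}` so the reader sees `{ok,<0.118.0>}`. Since this hunk already edits the sentence directly below that example, fixing the entity here is cheap.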
diff --git a/lib/ssh/doc/src/configure_algos.xml b/lib/ssh/doc/src/configure_algos.xml
index acc6269da5..df4ed145a6 100644
--- a/lib/ssh/doc/src/configure_algos.xml
+++ b/lib/ssh/doc/src/configure_algos.xml
@@ -75,15 +75,15 @@
<tag><c>public_key</c></tag>
<item>
<p>Server host key</p>
- <p>The asymetric encryption algorithm used in the server's private-public host key pair.
+ <p>The asymmetric encryption algorithm used in the server's private-public host key pair.
Examples include the well-known RSA <c>'ssh-rsa'</c> and elliptic curve <c>'ecdsa-sha2-nistp521'</c>.
</p>
</item>
<tag><c>cipher</c></tag>
<item>
- <p>Symetric cipher algorithm used for the payload encryption. This algorithm will use the key calculated
- in the kex phase (together with other info) to genereate the actual key used. Examples are
+ <p>Symmetric cipher algorithm used for the payload encryption. This algorithm will use the key calculated
+ in the kex phase (together with other info) to generate the actual key used. Examples are
tripple-DES <c>'3des-cbc'</c> and one of many AES variants <c>'aes192-ctr'</c>.
</p>
<p>This list is actually two - one for each direction server-to-client and client-to-server. Therefore it
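Review bot: "asymmetric encryption algorithm" in the public_key description is inaccurate. The server host key signs the exchange hash so the client can authenticate the server; nothing is encrypted with it, and 'ssh-rsa' and 'ecdsa-sha2-nistp521' are signature algorithm names. Suggest "The public-key signature algorithm used with the server's host key pair". While the hunk is already correcting spelling in this block, "tripple-DES" in the unchanged cipher line should become "triple-DES".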
@@ -110,13 +110,13 @@
<section>
<title>The SSH app's mechanism</title>
- <p>The set of algorithms that the SSH app uses by default depends on the algoritms supported by the:</p>
+ <p>The set of algorithms that the SSH app uses by default depends on the algorithms supported by the:</p>
<list>
<item><p><seeerl marker="crypto:crypto">crypto</seeerl> app,</p>
</item>
- <item><p>The cryptolib OTP is linked with, usally the one the OS uses, probably OpenSSL,</p>
+ <item><p>The cryptolib OTP is linked with, usually the one the OS uses, probably OpenSSL,</p>
</item>
- <item><p>and finaly what the SSH app implements</p>
+ <item><p>and finally what the SSH app implements</p>
</item>
</list>
<p>Due to this, it impossible to list in documentation what algorithms that are available in a certain installation.</p>
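Review bot: the unchanged closing line "Due to this, it impossible to list in documentation what algorithms that are available in a certain installation" is missing a verb and has a stray "that"; suggest "Due to this, it is impossible to list in the documentation which algorithms are available in a certain installation."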
@@ -170,7 +170,7 @@
<p>To forsee the effect of an option there is an experimental function <c>ssh:chk_algos_opts(Opts)</c>.
It mangles the options <c>preferred_algorithms</c>
- and <c>modify_algorithms</c> in the same way as <c>ssh:dameon</c>, <c>ssh:connect</c> and their friends does.</p>
+ and <c>modify_algorithms</c> in the same way as <c>ssh:daemon</c>, <c>ssh:connect</c> and their friends does.</p>
<section>
<title>Example 1</title>
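Review bot: "forsee" in the first context line should be "foresee", and "their friends does" should be "their friends do"; both sit in lines this hunk already shows, so they can ride along with the ssh:daemon spelling fix.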
@@ -322,7 +322,7 @@
<section>
<title>Example 5</title>
<p>As an example let's add the Diffie-Hellman Group1 first in the kex list. It is supported according to
- <seeapp marker="SSH_app#supported_algos">Supported algoritms</seeapp>.</p>
+ <seeapp marker="SSH_app#supported_algos">Supported algorithms</seeapp>.</p>
<code type="erl">
5> ssh:chk_algos_opts(
[{modify_algorithms,
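Review bot: Example 5 demonstrates putting Diffie-Hellman Group1 first in the kex list. That is the 1024-bit MODP group with SHA-1 ('diffie-hellman-group1-sha1'), which is considered too weak for current use. In a chapter about configuring algorithms the example should state that it only illustrates the mechanics of modify_algorithms and is not a recommended configuration, or use a stronger kex algorithm for the illustration so that copy-and-paste does not weaken a deployment.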
diff --git a/lib/ssh/doc/src/hardening.xml b/lib/ssh/doc/src/hardening.xml
index c1d3f7669c..cc530ace0e 100644
--- a/lib/ssh/doc/src/hardening.xml
+++ b/lib/ssh/doc/src/hardening.xml
@@ -5,14 +5,14 @@
<header>
<copyright>
<year>2017</year>
- <year>2020</year>
+ <year>2022</year>
<holder>Ericsson AB. All Rights Reserved.</holder>
</copyright>
<legalnotice>
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
-
+
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
@@ -59,43 +59,64 @@
However, some measures could be taken in the configuration of the SSH server to increase the resilence.
The options to use
are:</p>
- <taglist>
- <tag><seetype marker="ssh#hello_timeout_daemon_option">hello_timeout</seetype></tag>
- <item>
- If the client fails to send the first ssh message after a tcp connection setup
- within this time (in milliseconds), the connection is closed.
- The default value is 30 seconds. This is actualy a generous time, so it can lowered
- to make the daemon less prone to DoS attacks.
- </item>
- <tag><seetype marker="ssh#negotiation_timeout_daemon_option">negotiation_timeout</seetype></tag>
- <item>
- Maximum time in milliseconds for the authentication negotiation.
- If the client fails to log in within this time, the connection is closed.
- The default value is 2 minutes. It is quite a long time, but can lowered if the client is
- supposed to be fast like if it is a program logging in.
- </item>
- <tag><seeerl marker="ssh#hardening_daemon_options--max_sessions">max_sessions</seeerl></tag>
- <item>
- The maximum number of simultaneous sessions that are accepted at any time for this daemon.
- This includes sessions that are being authorized. The default is that an unlimited number of
- simultaneous sessions are allowed. It is a good candidate to set if the capacity of the server
- is low or a capacity margin is needed.
- </item>
- <tag><seeerl marker="ssh#hardening_daemon_options--max_channels">max_channels</seeerl></tag>
- <item>
- The maximum number of channels that are accepted for each connection. The default is unlimited.
- </item>
- <tag><seeerl marker="ssh#hardening_daemon_options--parallel_login">parallel_login</seeerl></tag>
- <item>
- If set to false (the default value), only one login is handled at a time.
- If set to true, the number of simultaneous login attempts are limited by the value of
- <seeerl marker="ssh#hardening_daemon_options--max_sessions">max_sessions</seeerl> option.
- </item>
- <tag><seetype marker="ssh#max_idle_time_common_option">idle_time<!--sic!--></seetype></tag>
- <item>
- Sets a time-out on a connection when no channels are open. Defaults to infinity.
- </item>
- </taglist>
+ <section>
+ <title>Counters and parallelism</title>
+ <taglist>
+ <tag><seeerl marker="ssh#hardening_daemon_options--max_sessions">max_sessions</seeerl></tag>
+ <item>
+ The maximum number of simultaneous sessions that are accepted at any time for this daemon.
+ This includes sessions that are being authorized. The default is that an unlimited number of
+ simultaneous sessions are allowed. It is a good candidate to set if the capacity of the server
+ is low or a capacity margin is needed.
+ </item>
+ <tag><seeerl marker="ssh#hardening_daemon_options--max_channels">max_channels</seeerl></tag>
+ <item>
+ The maximum number of channels that are accepted for each connection. The default is unlimited.
+ </item>
+ <tag><seeerl marker="ssh#hardening_daemon_options--parallel_login">parallel_login</seeerl></tag>
+ <item>
+ If set to false (the default value), only one login is handled at a time.
+ If set to true, the number of simultaneous login attempts are limited by the value of the
+ <seeerl marker="ssh#hardening_daemon_options--max_sessions">max_sessions</seeerl> option.
+ </item>
+ </taglist>
+ </section>
+
+ <section>
+ <title>Timeouts</title>
+ <taglist>
+ <tag><seetype marker="ssh#hello_timeout_daemon_option">hello_timeout</seetype></tag>
+ <item>
+ If the client fails to send the first ssh message after a tcp connection setup
+ within this time (in milliseconds), the connection is closed.
+ The default value is 30 seconds. This is actually a generous time, so it can lowered
+ to make the daemon less prone to DoS attacks.
+ </item>
+ <tag><seetype marker="ssh#negotiation_timeout_daemon_option">negotiation_timeout</seetype></tag>
+ <item>
+ Maximum time in milliseconds for the authentication negotiation counted from the TCP connection establishment.
+ If the client fails to log in within this time the connection is closed.
+ The default value is 2 minutes. It is quite a long time, but can lowered if the client is
+ supposed to be fast like if it is a program logging in.
+ </item>
+ <tag><seetype marker="ssh#max_idle_time_common_option">idle_time<!--sic!--></seetype></tag>
+ <item>
+ Sets a time-out on a connection when no channels are left after closing the final one.
+ It defaults to infinity.
+ </item>
+ <tag><seetype marker="ssh#max_initial_idle_time_daemon_option">max_initial_idle_time</seetype></tag>
+ <item>
+ Sets a time-out on a connection that will expire if no channel is opened on the connection.
+ The timeout is started when the authentication phase is completed.
+ It defaults to infinity.
+ </item>
+ </taglist>
+ <p>A figure clarifies when a timeout is started and when it triggers:
+ </p>
+ <image file="ssh_timeouts.jpg">
+ <icaption>SSH server timeouts</icaption>
+ </image>
+ </section>
</section>
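Review bot: notes.xml in this same change links to `hardening#timeouts`, but the new `<section><title>Timeouts</title>` carries no explicit `<marker id="timeouts"/>`; please confirm that the title alone yields that anchor, otherwise add the marker so the link does not dangle. Two points the new text should make for operators: for parallel_login, say explicitly that with max_sessions left at its unlimited default, setting parallel_login to true places no bound at all on concurrent login attempts, so the two options should be set together; and for max_initial_idle_time, state that it covers the gap where an authenticated client holds the connection open without ever opening a channel, which neither idle_time (starts only after the last channel closes) nor negotiation_timeout (ends at login) addresses. Wording nits in lines this hunk shows: "resilence" -> "resilience", "it can lowered" -> "it can be lowered" (twice), and "the number of simultaneous login attempts are limited" -> "is limited".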
@@ -170,7 +191,7 @@ fun(User, Password, _PeerAddress, State) ->
end.
</code>
<p>If a public key is used for logging in, there is normally no checking of the user name. It
- could be enabled by setting the option
+ could be enabled by setting the option
<seeerl marker="ssh#option-pk_check_user"><c>pk_check_user</c></seeerl>
to <c>true</c>.
In that case the pwdfun will get the atom <c>pubkey</c> in the password argument.
@@ -251,7 +272,7 @@ end.
<code>
ssh:daemon(1234, [{id_string,"hi there"}, ... ]).
</code>
- <p>and the deamon will present itself as:</p>
+ <p>and the daemon will present itself as:</p>
<pre>SSH-2.0-hi there</pre>
<p>It is possible to replace the string with one randomly generated for each connection attempt.
See the reference manual for <seetype marker="ssh#id_string_common_option">id_string</seetype>.
diff --git a/lib/ssh/doc/src/notes.xml b/lib/ssh/doc/src/notes.xml
index 54904de950..b445e649f8 100644
--- a/lib/ssh/doc/src/notes.xml
+++ b/lib/ssh/doc/src/notes.xml
@@ -4,7 +4,7 @@
<chapter>
<header>
<copyright>
- <year>2004</year><year>2022</year>
+ <year>2004</year><year>2023</year>
<holder>Ericsson AB. All Rights Reserved.</holder>
</copyright>
<legalnotice>
@@ -30,6 +30,242 @@
<file>notes.xml</file>
</header>
+<section><title>Ssh 4.15.3</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ With this change, PKCS8 formatted private key file is
+ properly decoded and SSH daemon with such key can be
+ started.</p>
+ <p>
+ Own Id: OTP-18446 Aux Id: GH-6475 </p>
+ </item>
+ </list>
+ </section>
+
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ Replace size/1 with either tuple_size/1 or byte_size/1</p>
+ <p>
+ The <c>size/1</c> BIF is not optimized by the JIT, and
+ its use can result in worse types for Dialyzer.</p>
+ <p>
+ When one knows that the value being tested must be a
+ tuple, <c>tuple_size/1</c> should always be preferred.</p>
+ <p>
+ When one knows that the value being tested must be a
+ binary, <c>byte_size/1</c> should be preferred. However,
+ <c>byte_size/1</c> also accepts a bitstring (rounding up
+ size to a whole number of bytes), so one must make sure
+ that the call to <c>byte_size/</c> is preceded by a call
+ to <c>is_binary/1</c> to ensure that bitstrings are
+ rejected. Note that the compiler removes redundant calls
+ to <c>is_binary/1</c>, so if one is not sure whether
+ previous code had made sure that the argument is a
+ binary, it does not harm to add an <c>is_binary/1</c>
+ test immediately before the call to <c>byte_size/1</c>.</p>
+ <p>
+ Own Id: OTP-18432 Aux Id:
+ GH-6672,PR-6793,PR-6784,PR-6787,PR-6785,PR-6682,PR-6800,PR-6797,PR-6798,PR-6799,PR-6796,PR-6813,PR-6671,PR-6673,PR-6684,PR-6694,GH-6677,PR-6696,PR-6670,PR-6674 </p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>Ssh 4.15.2</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ With this change, ssh application does not crash when
+ formatting some of info reports for unsuccessful
+ connections.</p>
+ <p>
+ Own Id: OTP-18386 Aux Id: PR-6611 </p>
+ </item>
+ <item>
+ <p>
+ With this change, ssh does not log extensively long
+ messages.</p>
+ <p>
+ Own Id: OTP-18417 Aux Id: DAFH-1349,ERIERL-888,IA18357 </p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>Ssh 4.15.1</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ graceful shutdown of ssh_conection_handler when
+ connection is closed by peer</p>
+ <p>
+ Own Id: OTP-18326 Aux Id: ERIERL-865 </p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>Ssh 4.15</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Handling rare race condition at channel close.</p>
+ <p>
+ Own Id: OTP-18220 Aux Id: ERIERL-666, ERIERL-661 </p>
+ </item>
+ </list>
+ </section>
+
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ New ssh option <c>no_auth_needed</c> to skip the ssh
+ authentication. Use with caution!</p>
+ <p>
+ Own Id: OTP-18134 Aux Id: GH-6021 </p>
+ </item>
+ <item>
+ <p>
+ This change fixes dialyzer warnings generated for
+ inets/httpd examples (includes needed adjustment of spec
+ for ssh_sftp module).</p>
+ <p>
+ Own Id: OTP-18178 Aux Id: ERIERL-833, ERIERL-834,
+ ERIERL-835 </p>
+ </item>
+ <item>
+ <p>
+ The new function <c>ssh:daemon_replace_options/2</c>
+ makes it possible to change the <c>Options</c> in a
+ running SSH server.</p>
+ <p>
+ Established connections are not affected, only those
+ created after the call to this new function.</p>
+ <p>
+ Own Id: OTP-18196</p>
+ </item>
+ <item>
+ <p>
+ Add a timeout as option <c>max_initial_idle_time</c>. It
+ closes a connection that does not allocate a channel
+ within the timeout time.</p>
+ <p>
+ For more information about timeouts, see the <seeguide
+ marker="hardening#timeouts">Timeouts section </seeguide>
+ in the User's Guide <seeguide
+ marker="hardening">Hardening</seeguide> chapter.</p>
+ <p>
+ Own Id: OTP-18207 Aux Id: PR-6231 </p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>Ssh 4.14.1</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Binaries can be limited in logs with the parameter
+ <c>max_log_item_len</c>. The default value is 500 bytes.</p>
+ <p>
+ Own Id: OTP-18094</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>Ssh 4.14</title>
+
+ <section><title>Improvements and New Features</title>
+ <list>
+ <item>
+ <p>
+ The representation of Edward curves (ed25519 and ed448)
+ inside ssh had a temporary representation (ed_pri and
+ ed_pub).</p>
+ <p>
+ That is now changed to the public_key form. See the
+ manual for more information.</p>
+ <p>
+ *** POTENTIAL INCOMPATIBILITY ***</p>
+ <p>
+ Own Id: OTP-17920</p>
+ </item>
+ <item>
+ <p>
+ Former internal function
+ <c>ssh_file:extract_public_key/1</c> documented publicly.</p>
+ <p>
+ Internally it was previously in ssh_transport.</p>
+ <p>
+ Own Id: OTP-18079 Aux Id: GH-5767 </p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>Ssh 4.13.2.2</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ With this change, ssh application does not crash when
+ formatting some of info reports for unsuccessful
+ connections.</p>
+ <p>
+ Own Id: OTP-18386 Aux Id: PR-6611 </p>
+ </item>
+ <item>
+ <p>
+ With this change, ssh does not log extensively long
+ messages.</p>
+ <p>
+ Own Id: OTP-18417 Aux Id: DAFH-1349,ERIERL-888,IA18357 </p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
+<section><title>Ssh 4.13.2.1</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Binaries can be limited in logs with the parameter
+ <c>max_log_item_len</c>. The default value is 500 bytes.</p>
+ <p>
+ Own Id: OTP-18094</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
<section><title>Ssh 4.13.2</title>
<section><title>Fixed Bugs and Malfunctions</title>
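Review bot: the 4.15 entry for no_auth_needed says only "skip the ssh authentication. Use with caution!"; since skipping authentication means any client that completes the key exchange is accepted, the note should link to the option's reference entry and say in one sentence what is being disabled, so someone scanning release notes understands the exposure. Smaller fixes in the new text: "ssh_conection_handler" -> "ssh_connection_handler" (4.15.1), "extensively long messages" -> "excessively long messages" (4.15.2 and 4.13.2.2), "Edward curves" -> "Edwards curves" (4.14), and "PKCS8 formatted" -> "PKCS #8 formatted" (4.15.3).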
@@ -340,6 +576,22 @@
</section>
+<section><title>Ssh 4.11.1.6</title>
+
+ <section><title>Fixed Bugs and Malfunctions</title>
+ <list>
+ <item>
+ <p>
+ Binaries can be limited in logs with the parameter
+ <c>max_log_item_len</c>. The default value is 500 bytes.</p>
+ <p>
+ Own Id: OTP-18094</p>
+ </item>
+ </list>
+ </section>
+
+</section>
+
<section><title>Ssh 4.11.1.5</title>
<section><title>Fixed Bugs and Malfunctions</title>
@@ -1125,7 +1377,7 @@
input/output, the I/O was erroneously handled by the
*server's* group leader, so the I/O turned up in the the
server's Erlang shell (if any). The user at the client
- side did therefor not see that I/O.</p>
+ side did therefore not see that I/O.</p>
<p>
This is corrected now, so the client - for example the
ssh OS shell command - handles the I/O. The user could
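Review bot: "in the the server's Erlang shell" in the context line has a doubled "the"; since this hunk already fixes "therefor" two lines below, the duplicate could go as well.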
@@ -1670,7 +1922,7 @@
</item>
<item>
<p>
- The type specifications in SSH are completly reworked and
+ The type specifications in SSH are completely reworked and
the following types are renamed:</p>
<p>
<c>ssh:ssh_connection_ref()</c> is changed to
@@ -1935,7 +2187,7 @@
</item>
<item>
<p>
- Fix rare spurios shutdowns of ssh servers when receiveing
+ Fix rare spurious shutdowns of ssh servers when receiving
<c>{'EXIT',_,normal}</c> messages.</p>
<p>
Own Id: OTP-15018</p>
@@ -2386,7 +2638,7 @@
<list>
<item>
<p>
- Fix rare spurios shutdowns of ssh servers when receiveing
+ Fix rare spurious shutdowns of ssh servers when receiving
<c>{'EXIT',_,normal}</c> messages.</p>
<p>
Own Id: OTP-15018</p>
@@ -2618,7 +2870,7 @@
<item>
<p>
If a client illegaly sends an info-line and then
- immediatly closes the TCP-connection, a badmatch
+ immediately closes the TCP-connection, a badmatch
exception was raised.</p>
<p>
Own Id: OTP-13966</p>
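Review bot: "illegaly" in the first context line should be "illegally"; it sits directly above the "immediately" fix this hunk makes.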
@@ -2831,7 +3083,7 @@
<list>
<item>
<p>
- Fix rare spurios shutdowns of ssh servers when receiveing
+ Fix rare spurious shutdowns of ssh servers when receiving
<c>{'EXIT',_,normal}</c> messages.</p>
<p>
Own Id: OTP-15018</p>
@@ -3453,7 +3705,7 @@
<p>
The possible values are: <c>{id_string,string()}</c> and
<c>{id_string,random}</c>. The latter will make ssh
- generate a random nonsence id-string for each new
+ generate a random nonsense id-string for each new
connection.</p>
<p>
Own Id: OTP-12659</p>
@@ -3579,7 +3831,7 @@
<p>
The possible values are: <c>{id_string,string()}</c> and
<c>{id_string,random}</c>. The latter will make ssh
- generate a random nonsence id-string for each new
+ generate a random nonsense id-string for each new
connection.</p>
<p>
Own Id: OTP-12659</p>
@@ -4242,7 +4494,7 @@
<list>
<item>
<p>
- ssh:daemon will get feeded with an argument even if it is
+ ssh:daemon will get fed with an argument even if it is
not a valid expression.</p>
<p>
Own Id: OTP-10975</p>
@@ -4590,7 +4842,7 @@
<list>
<item>
<p>
- All keys in authorized_keys are considerd, wrongly only
+ All keys in authorized_keys are considered, wrongly only
the first one was before.</p>
<p>
Own Id: OTP-7235</p>
@@ -4964,7 +5216,7 @@
<list>
<item>
<p>
- Now clear all processes when a connnection is terminated.</p>
+ Now clear all processes when a connection is terminated.</p>
<p>
Own Id: OTP-8121 Aux Id:</p>
</item>
@@ -5062,13 +5314,13 @@
<list>
<item>
<p>
- ssh_sftp:start_channel/3 did not handle timout correctly.</p>
+ ssh_sftp:start_channel/3 did not handle timeout correctly.</p>
<p>
Own Id: OTP-8159 Aux Id: seq11386</p>
</item>
<item>
<p>
- If a progress message was not recieved after invoking ssh:connect/3
+ If a progress message was not received after invoking ssh:connect/3
the call could hang for ever. A timeout option has also been added.</p>
<p>
Own Id: OTP-8160 Aux Id: seq11386</p>
diff --git a/lib/ssh/doc/src/ssh.xml b/lib/ssh/doc/src/ssh.xml
index 44188ea34c..d58166711a 100644
--- a/lib/ssh/doc/src/ssh.xml
+++ b/lib/ssh/doc/src/ssh.xml
@@ -4,14 +4,14 @@
<erlref>
<header>
<copyright>
- <year>2004</year><year>2021</year>
+ <year>2004</year><year>2022</year>
<holder>Ericsson AB. All Rights Reserved.</holder>
</copyright>
<legalnotice>
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
-
+
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
@@ -21,7 +21,7 @@
limitations under the License.
</legalnotice>
-
+
<title>ssh</title>
<prepared></prepared>
<docno></docno>
@@ -40,8 +40,8 @@
<p>With the SSH application it is possible to start <i>clients</i> and to start <i>daemons</i> (servers).
</p>
<p>Clients are started with
- <seemfa marker="#connect/2">connect/2</seemfa>,
- <seemfa marker="#connect/3">connect/3</seemfa> or
+ <seemfa marker="#connect/2">connect/2</seemfa>,
+ <seemfa marker="#connect/3">connect/3</seemfa> or
<seemfa marker="#connect/4">connect/4</seemfa>. They open an encrypted connection on top of TCP/IP.
In that encrypted connection one or more channels could be opened with
<seemfa marker="ssh_connection#session_channel/2">ssh_connection:session_channel/2,4</seemfa>.
@@ -52,32 +52,32 @@
the user is not necessarily a human but probably a system interfacing the SSH app.
</p>
<p>A server-side subssystem (channel) server is requested by the client with
- <seemfa marker="ssh_connection#subsystem/4">ssh_connection:subsystem/4</seemfa>.
+ <seemfa marker="ssh_connection#subsystem/4">ssh_connection:subsystem/4</seemfa>.
</p>
- <p>A server (daemon) is started with
+ <p>A server (daemon) is started with
<seemfa marker="#daemon/2">daemon/1</seemfa>,
<seemfa marker="#daemon/2">daemon/2</seemfa> or
<seemfa marker="#daemon/2">daemon/3</seemfa>.
Possible channel handlers (subsystems) are declared with the
<seetype marker="#subsystem_daemon_option">subsystem</seetype> option when the daemon is started.
</p>
- <p>To just run a shell on a remote machine, there are functions that bundles the needed
+ <p>To just run a shell on a remote machine, there are functions that bundles the needed
three steps needed into one:
<seemfa marker="#shell/1">shell/1,2,3</seemfa>.
- Similarily, to just open an sftp (file transfer) connection to a remote machine, the simplest way is to use
+ Similarly, to just open an sftp (file transfer) connection to a remote machine, the simplest way is to use
<seemfa marker="ssh_sftp#start_channel/1">ssh_sftp:start_channel/1,2,3</seemfa>.
</p>
- <p>To write your own client channel handler, use the behaviour
- <seeerl marker="ssh_client_channel">ssh_client_channel</seeerl>. For server channel handlers use
+ <p>To write your own client channel handler, use the behaviour
+ <seeerl marker="ssh_client_channel">ssh_client_channel</seeerl>. For server channel handlers use
<seeerl marker="ssh_server_channel">ssh_server_channel</seeerl> behaviour (replaces ssh_daemon_channel).
</p>
<p>Both clients and daemons accepts options that controls the exact behaviour. Some options are common to both.
- The three sets are called
- <seetype marker="#client_options">Client Options</seetype>,
+ The three sets are called
+ <seetype marker="#client_options">Client Options</seetype>,
<seetype marker="#daemon_options">Daemon Options</seetype> and
<seetype marker="#common_options">Common Options</seetype>.
</p>
- <p>The descriptions of the options uses the
+ <p>The descriptions of the options uses the
<seeguide marker="system/reference_manual:typespec">Erlang Type Language</seeguide> with explaining text.
</p>
<note>
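Review bot: wording issues remain in lines this hunk touches: "subssystem" should be "subsystem"; "functions that bundles the needed three steps needed into one" has a doubled "needed" and a number disagreement, suggest "functions that bundle the three needed steps into one"; and "Both clients and daemons accepts options that controls" should be "accept options that control". Since the hunk is otherwise trailing-whitespace cleanup, fixing these here avoids a second pass over the same paragraphs.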
@@ -90,7 +90,7 @@
<section>
<title>Keys and files</title>
- <p>A number of objects must be present for the SSH application to work.
+ <p>A number of objects must be present for the SSH application to work.
Those objects are per default stored in files.
The default names, paths and file formats are the same as for
<url href="http://www.openssh.com">OpenSSH</url>. Keys could be generated with the <c>ssh-keygen</c>
@@ -102,7 +102,7 @@
<seetype marker="ssh_file#user_dir_common_option"><c>user_dir</c></seetype> and
<seetype marker="ssh_file#system_dir_daemon_option"><c>system_dir</c></seetype>.
</p>
- <p>A completly different storage could be interfaced by writing call-back modules
+ <p>A completely different storage could be interfaced by writing call-back modules
using the behaviours
<seeerl marker="ssh_client_key_api">ssh_client_key_api</seeerl> and/or
<seeerl marker="ssh_server_key_api">ssh_server_key_api</seeerl>.
@@ -122,12 +122,12 @@
<item><c>ssh_host_rsa_key</c> and <c>ssh_host_rsa_key.pub</c></item>
<item><c>ssh_host_ecdsa_key</c> and <c>ssh_host_ecdsa_key.pub</c></item>
</list>
- <p>The host keys directory could be changed with the option
+ <p>The host keys directory could be changed with the option
<seetype marker="ssh_file#system_dir_daemon_option"><c>system_dir</c></seetype>.</p>
</item>
<item>Optional: one or more <i>User's public key</i> in case of <c>publickey</c> authorization.
Default is to store them concatenated in the file <c>.ssh/authorized_keys</c> in the user's home directory.
- <p>The user keys directory could be changed with the option
+ <p>The user keys directory could be changed with the option
<seetype marker="ssh_file#user_dir_common_option"><c>user_dir</c></seetype>.</p>
</item>
</list>
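Review bot: "in case of publickey authorization" should read "publickey authentication"; authorized_keys holds the keys used to authenticate the user, and the protocol method itself is named 'publickey' authentication. The distinction matters in a section telling administrators which files gate access.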
@@ -137,14 +137,14 @@
<title>Clients</title>
<p>The keys and some other data are by default stored in files in the directory <c>.ssh</c>
in the user's home directory.</p>
- <p>The directory could be changed with the option
+ <p>The directory could be changed with the option
<seetype marker="ssh_file#user_dir_common_option"><c>user_dir</c></seetype>.
</p>
<list>
<item>Optional: a list of <i>Host public key(s)</i> for previously connected hosts. This list
is handled by the SSH application without any need of user assistance. The default
is to store them in the file <c>known_hosts</c>.
- <p>The
+ <p>The
<seetype marker="#host_accepting_client_options">host_accepting_client_options()</seetype>
are associated with this list of keys.
</p>
@@ -206,12 +206,12 @@
<c>silently_accept_hosts</c>
</tag>
<item>
- <p>This option guides the <c>connect</c> function on how to act when the connected server presents a Host
+ <p>This option guides the <c>connect</c> function on how to act when the connected server presents a Host
Key that the client has not seen before. The default is to ask the user with a question on stdio of whether to
accept or reject the new Host Key.
See the option <seetype marker="ssh_file#user_dir_common_option"><c>user_dir</c></seetype>
for specifying the path to the file <c>known_hosts</c> where previously accepted Host Keys are recorded.
- See also the option
+ See also the option
<seetype marker="#key_cb_common_option">key_cb</seetype>
for the general way to handle keys.
</p>
@@ -228,7 +228,7 @@
result the connection will be closed. The arguments to the fun are:
<list type="bulleted">
<item><c>PeerName</c> - a string with the name or address of the remote host.</item>
- <item><c>FingerPrint</c> - the fingerprint of the Host Key as
+ <item><c>FingerPrint</c> - the fingerprint of the Host Key as
<seemfa marker="#hostkey_fingerprint/1">hostkey_fingerprint/1</seemfa>
calculates it.
</item>
@@ -241,12 +241,12 @@
is either an atom or a list of atoms as the first argument in
<seemfa marker="#hostkey_fingerprint/2">hostkey_fingerprint/2</seemfa>.
If it is a list of hash algorithm names, the <c>FingerPrint</c> argument in the
- <c>accept_callback()</c> will be
+ <c>accept_callback()</c> will be
a list of fingerprints in the same order as the corresponding name in the <c>HashAlgoSpec</c> list.
</item>
</list>
</item>
-
+
<tag><c>user_interaction</c></tag>
<item>
<p>If <c>false</c>, disables the client to connect to the server
@@ -322,7 +322,7 @@
<name name="connect_timeout_client_option"/>
<desc>
<p>Sets a timeout on the transport layer connect time.
- For <seeerl marker="kernel:gen_tcp"><c>gen_tcp</c></seeerl> the time is in milli-seconds and the default
+ For <seeerl marker="kernel:gen_tcp"><c>gen_tcp</c></seeerl> the time is in milli-seconds and the default
value is <c>infinity</c>.
</p>
<p>See the parameter <c>Timeout</c> in <seemfa marker="#connect/4">connect/4</seemfa> for
@@ -335,7 +335,7 @@
<name name="recv_ext_info_client_option"/>
<desc>
<p>Make the client tell the server that the client accepts extension negotiation, that is,
- include <c>ext-info-c</c> in the kexinit message sent. See
+ include <c>ext-info-c</c> in the kexinit message sent. See
<url href="https://tools.ietf.org/html/rfc8308">RFC 8308</url>
for details and <seeapp marker="SSH_app#supported-ext-info">ssh(6)</seeapp>
for a list of currently implemented extensions.
@@ -370,7 +370,7 @@
</desc>
</datatype>
-
+
<datatype>
<name name="subsystem_daemon_option"/>
<name name="subsystem_specs"/>
@@ -382,7 +382,7 @@
</p>
<p>The <c>channel_callback</c> is the module that implements the
<seeerl marker="ssh_server_channel">ssh_server_channel</seeerl> (replaces ssh_daemon_channel)
- behaviour in the daemon. See the section
+ behaviour in the daemon. See the section
<seeguide marker="using_ssh#usersguide_creating_a_subsystem">Creating a Subsystem</seeguide>
in the User's Guide for more information and an example.
</p>
@@ -440,8 +440,8 @@
</p>
<p>In case of the <c>{direct, exec_fun()}</c> variant or no exec-option at all,
all reads from <c>standard_input</c> will be from the received data-events of type 0.
- Those are sent by the client. Similarily all writes to <c>standard_output</c>
- will be sent as data-events to the client. An OS shell client like the command 'ssh' will usally use
+ Those are sent by the client. Similarly all writes to <c>standard_output</c>
+ will be sent as data-events to the client. An OS shell client like the command 'ssh' will usually use
stdin and stdout for the user interface.
</p>
<p>The option cooperates with the daemon-option <seetype marker="#shell_daemon_option"><c>shell</c></seetype>
@@ -473,7 +473,7 @@
<seetype marker="#shell_daemon_option"><c>shell_spec</c></seetype>'s value.
</p>
</item>
-
+
<tag>4. If the <seetype marker="#exec_daemon_option"><c>exec-option</c></seetype> is absent, and the
<seetype marker="#shell_daemon_option"><c>shell-option</c></seetype>
is present with the default Erlang shell as the
@@ -483,7 +483,7 @@
<p>The default Erlang evaluator is used both for exec and shell requests.
The result is returned to the client.</p>
</item>
-
+
<tag>5. If the <seetype marker="#exec_daemon_option"><c>exec-option</c></seetype> is absent, and the
<seetype marker="#shell_daemon_option"><c>shell-option</c></seetype>
is present with a value that is neither the default Erlang shell nor the value <c>disabled</c>:</tag>
@@ -492,7 +492,7 @@
are executed according to the value of the
<seetype marker="#shell_daemon_option"><c>shell_spec</c></seetype>.</p>
</item>
-
+
<tag>6. If the <seetype marker="#exec_daemon_option"><c>exec-option</c></seetype> is absent, and the
<seetype marker="#shell_daemon_option"><c>shell_spec</c></seetype>'s value is <c>disabled</c>:</tag>
<item>
@@ -601,11 +601,11 @@
</warning>
</item>
- <tag><marker id="option-pwdfun"/><c>pwdfun</c> with
+ <tag><marker id="option-pwdfun"/><c>pwdfun</c> with
<seetype marker="#pwdfun_4"><c>pwdfun_4()</c></seetype>
</tag>
<item>
- <p>Provides a function for password validation. This could used for calling an external system or handeling
+ <p>Provides a function for password validation. This could used for calling an external system or handling
passwords stored as hash values.
</p>
<p>This fun can also be used to make delays in authentication tries for example by calling
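Review bot: the changed line still reads "This could used for calling an external system"; it is missing "be" and should read "This could be used for calling an external system or handling passwords stored as hash values." The hunk fixes "handeling" but not the verb.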
@@ -618,13 +618,13 @@
</p>
<list type="bulleted">
<item><c>true</c> if the user and password is valid</item>
- <item><c>false</c> if the user or password is invalid</item>
+ <item><c>false</c> if the user or password is invalid</item>
<item><c>disconnect</c> if a SSH_MSG_DISCONNECT message should be sent immediately. It will
be followed by a close of the underlying tcp connection.</item>
<item><c>{true, NewState:any()}</c> if the user and password is valid</item>
- <item><c>{false, NewState:any()}</c> if the user or password is invalid</item>
+ <item><c>{false, NewState:any()}</c> if the user or password is invalid</item>
</list>
- <p>A third usage is to block login attempts from a missbehaving peer. The <c>State</c> described above
+ <p>A third usage is to block login attempts from a missbehaving peer. The <c>State</c> described above
can be used for this. The return value <c>disconnect</c> is useful for this.</p>
<p>In case of the <seeerl marker="#option-pk_check_user"><c>pk_check_user</c></seeerl> is set,
the atom <c>pubkey</c> is put in the password argument when validating a public key login. The
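Review bot: "missbehaving" on the changed line "A third usage is to block login attempts from a missbehaving peer" should be "misbehaving"; the line is touched by this hunk but keeps the misspelling. In the same list, "if the user and password is valid" should be "are valid" (two subjects joined by "and"), in both the plain and the `{true, NewState:any()}` items.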
@@ -640,7 +640,7 @@
as strings, and returns:</p>
<list type="bulleted">
<item><c>true</c> if the user and password is valid</item>
- <item><c>false</c> if the user or password is invalid</item>
+ <item><c>false</c> if the user or password is invalid</item>
</list>
<p>In case of the <seeerl marker="#option-pk_check_user"><c>pk_check_user</c></seeerl> is set,
the atom <c>pubkey</c> is put in the password argument when validating a public key login. The
@@ -648,6 +648,19 @@
</p>
<p>This variant is kept for compatibility.</p>
</item>
+
+ <tag><marker id="option-no_auth_needed"/><c>no_auth_needed</c></tag>
+ <item>
+ <p>If <c>true</c>, a client is authenticated without any need of
+ providing any password or key.
+ </p>
+ <p>This option is only intended for very special applications due
+ to the high risk of accepting any connecting client.
+ </p>
+ <p>The default value is <c>false</c>.
+ </p>
+ </item>
+
</taglist>
</desc>
</datatype>
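Review bot: the sentence "This option is only intended for very special applications due to the high risk of accepting any connecting client" belongs in a `<warning>` element, which this page already uses for other dangerous options, rather than in a plain `<p>` that reads like an ordinary remark. The entry should also state precisely what is skipped when `no_auth_needed` is `true`: whether `pwdfun`, `pk_check_user` and the key callbacks are never invoked, and whether the user name sent by the client is still available to the application for logging and authorization, since an operator auditing such a daemon needs to know that. A pointer to the Hardening chapter, as the neighbouring timeout entries now have, would fit here too. Minor wording: "authenticated without any need of providing any password or key" reads better as "authenticated without providing any password or key".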
@@ -662,7 +675,7 @@
<tag><c>dh_gex_groups</c></tag>
<item>
<p>Defines the groups the server may choose among when diffie-hellman-group-exchange is negotiated.
- See
+ See
<url href="https://tools.ietf.org/html/rfc4419">RFC 4419</url>
for details. The three variants of this option are:
</p>
@@ -672,7 +685,7 @@
In such a case, the server will choose one randomly in the negotiated Size.
</item>
<tag><c>{file,filename()}</c></tag>
- <item>The file must have one or more three-tuples <c>{Size=integer(),G=integer(),P=integer()}</c>
+ <item>The file must have one or more three-tuples <c>{Size=integer(),G=integer(),P=integer()}</c>
terminated by a dot. The file is read when the daemon starts.
</item>
<tag><c>{ssh_moduli_file,filename()}</c></tag>
@@ -681,7 +694,7 @@
The file is read when the daemon starts.
</item>
</taglist>
- <p>The default list is fetched from the
+ <p>The default list is fetched from the
<seemfa marker="public_key:public_key#dh_gex_group/4">public_key</seemfa> application.
</p>
</item>
@@ -690,14 +703,14 @@
<item>
<p>Limits what a client can ask for in diffie-hellman-group-exchange.
The limits will be
- <c>{MaxUsed = min(MaxClient,Max), MinUsed = max(MinClient,Min)}</c> where <c>MaxClient</c> and
+ <c>{MaxUsed = min(MaxClient,Max), MinUsed = max(MinClient,Min)}</c> where <c>MaxClient</c> and
<c>MinClient</c> are the values proposed by a connecting client.
</p>
<p>The default value is <c>{0,infinity}</c>.
</p>
<p>If <c>MaxUsed &lt; MinUsed</c> in a key exchange, it will fail with a disconnect.
</p>
- <p>See
+ <p>See
<url href="https://tools.ietf.org/html/rfc4419">RFC 4419</url>
for the function of the Max and Min values.</p>
</item>
@@ -712,6 +725,10 @@
Defaults to 30000 ms (30 seconds). If the client fails to send the first message within this time,
the connection is closed.
</p>
+ <p>For more information about timeouts, see the
+ <seeguide marker="hardening#timeouts">Timeouts section </seeguide>
+ in the User's Guide <seeguide marker="hardening">Hardening</seeguide> chapter.
+ </p>
</desc>
</datatype>
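Review bot: the link text "Timeouts section </seeguide>" contains a trailing space inside the element, which renders as a double space before "in the User's Guide"; the same paragraph is copied verbatim into three later entries in this patch, so fix it in all of them. The phrase "in the User's Guide Hardening chapter" would also read more naturally as "in the Hardening chapter of the User's Guide".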
@@ -722,12 +739,33 @@
Defaults to 120000 ms (2 minutes). If the client fails to log in within this time,
the connection is closed.
</p>
+ <p>For more information about timeouts, see the
+ <seeguide marker="hardening#timeouts">Timeouts section </seeguide>
+ in the User's Guide <seeguide marker="hardening">Hardening</seeguide> chapter.
+ </p>
+ </desc>
+ </datatype>
+
+ <datatype>
+ <name name="max_initial_idle_time_daemon_option"/>
+ <desc>
+ <p>Maximum time in milliseconds for the first channel start after
+ completion of the authentication negotiation.
+ Defaults to <c>infinity</c>.
+ </p>
+ <p>For more information about timeouts, see the
+ <seeguide marker="hardening#timeouts">Timeouts section </seeguide>
+ in the User's Guide <seeguide marker="hardening">Hardening</seeguide> chapter.
+ </p>
</desc>
</datatype>
<datatype>
<name name="hardening_daemon_options"/>
<desc>
+ <p>For more information about hardening, see the
+ <seeguide marker="hardening">Hardening</seeguide> section in the User's Guide chapter.
+ </p>
<taglist>
<tag>
<marker id="hardening_daemon_options--max_sessions"/>
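Review bot: `max_initial_idle_time_daemon_option` does not say what happens when the time is exceeded. The two preceding timeout entries both end with "the connection is closed"; this one should state the consequence the same way (or whatever the actual behaviour is), otherwise the reader cannot tell whether expiry disconnects the authenticated client or merely fails a later channel open. Since the default is `infinity`, it is also worth a sentence saying that an authenticated client that never opens a channel holds its session and its `max_sessions` slot indefinitely unless this option is set, which is the reason to set it on an exposed daemon. Separately, the added sentence under `hardening_daemon_options`, "see the Hardening section in the User's Guide chapter", should read "see the Hardening chapter in the User's Guide" to match the timeout entries.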
@@ -751,7 +789,7 @@
<p>By default, this option is not set. This means that the number is not limited.
</p>
</item>
-
+
<tag>
<marker id="hardening_daemon_options--max_channels"/>
<c>max_channels</c>
@@ -792,11 +830,11 @@
The default value is 0.
</p>
</item>
-
+
</taglist>
</desc>
</datatype>
-
+
<datatype>
<name name="callbacks_daemon_options"/>
<desc>
@@ -880,6 +918,19 @@
<p>The timeout is not active until channels are started, so it does
not limit the time from the connection creation to the first channel opening.
</p>
+ <p>For more information about timeouts, see the
+ <seeguide marker="hardening#timeouts">Timeouts section </seeguide>
+ in the User's Guide <seeguide marker="hardening">Hardening</seeguide> chapter.
+ </p>
+ </desc>
+ </datatype>
+
+ <datatype>
+ <name name="max_log_item_len_common_option"/>
+ <desc>
+ <p>Sets a limit for the size of a logged item excluding a header.
+ The unit is bytes and the value defaults to 500.
+ </p>
</desc>
</datatype>
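Review bot: `max_log_item_len_common_option` should say what happens to a logged item that exceeds the limit (truncated, and whether a marker is appended) and which log output it applies to, and "excluding a header" should say which header is meant. A reader setting this for hardening reasons also needs to know whether the limit applies to the peer-supplied strings that end up in log items, so the same "For more information ... Hardening chapter" pointer used in the timeout entries would be appropriate here.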
@@ -925,10 +976,10 @@
<code>
Module:F(..., [{key_cb_private,Opts}|UserOptions])
</code>
- <p>where <c>...</c> are arguments to <c>F</c> as in
+ <p>where <c>...</c> are arguments to <c>F</c> as in
<seeerl marker="ssh_client_key_api">ssh_client_key_api</seeerl> and/or
<seeerl marker="ssh_server_key_api">ssh_server_key_api</seeerl>.
- The <c>UserOptions</c> are the options given to
+ The <c>UserOptions</c> are the options given to
<seemfa marker="ssh:ssh#connect/3">ssh:connect</seemfa>,
<seemfa marker="ssh:ssh#shell/1">ssh:shell</seemfa> or
<seemfa marker="ssh:ssh#daemon/2">ssh:daemon</seemfa>.
@@ -973,7 +1024,7 @@
<name name="ssh_msg_debug_fun_common_option"/>
<desc>
<p>Provide a fun to implement your own logging of the SSH message SSH_MSG_DEBUG.
- The last three parameters are from the message, see
+ The last three parameters are from the message, see
<url href="https://tools.ietf.org/html/rfc4253#section-11.3">RFC 4253, section 11.3</url>.
The <seetype marker="#connection_ref"><c>connection_ref()</c></seetype> is the reference
to the connection on which the message arrived.
@@ -1018,7 +1069,7 @@
<p>If an alg_entry() is missing in the algs_list(), the default value is used for that entry.</p>
<p>Here is an example of this option:</p>
<code>
- {preferred_algorithms,
+ {preferred_algorithms,
[{public_key,['ssh-rsa','ssh-dss']},
{cipher,[{client2server,['aes128-ctr']},
{server2client,['aes128-cbc','3des-cbc']}]},
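Review bot: the `preferred_algorithms` example shown here lists `'ssh-dss'` for `public_key` and `'aes128-cbc'`/`'3des-cbc'` for `server2client`, all legacy choices (DSA keys, CBC-mode and 3DES ciphers), and readers copy documentation examples into production configurations. Either use the `'aes128-ctr'` already in the `client2server` entry and a current key type for the example, or add a sentence saying that the example demonstrates the option syntax and deliberately shows how to enable legacy algorithms, not which ones to prefer.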
@@ -1051,7 +1102,7 @@
<desc>
<p>Modifies the list of algorithms to use in the algorithm negotiation. The modifications are
applied after the option <c>preferred_algorithms</c> (if existing) is applied.</p>
- <p>The algoritm for modifications works like this:</p>
+ <p>The algorithm for modifications works like this:</p>
<list>
<item>
<p>Input is the <c>modify_algs_list()</c> and a set of algorithms <c>A</c>
@@ -1085,7 +1136,7 @@
<p>If there are more than one modify_algorithms options, the result is undefined.</p>
<p>Here is an example of this option:</p>
<code>
- {modify_algorithms,
+ {modify_algorithms,
[{prepend, [{kex, ['diffie-hellman-group1-sha1']}],
{rm, [{compression, [none]}]}
]
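Review bot: the `modify_algorithms` example prepends `'diffie-hellman-group1-sha1'`, a 1024-bit group with SHA-1, as the first kex to be tried. Showing that as the worked example invites copying a weak setting; either use a current kex name for the `prepend` example or state that the example re-enables a legacy algorithm for interoperability with an old peer and should otherwise not be used.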
@@ -1131,7 +1182,7 @@
<!--................................................................-->
<datatype_title>Other data types</datatype_title>
-
+
<datatype>
<name name="host"/>
<desc>
@@ -1149,13 +1200,13 @@
<desc>
</desc>
</datatype>
-
+
<datatype>
<name name="mod_fun_args"/>
<desc>
</desc>
</datatype>
-
+
<datatype>
<name name="open_socket"/>
<desc>
@@ -1222,7 +1273,7 @@
<p>In the <c>option</c> info tuple are only the options included that differs from the default values.
</p>
</desc>
- </datatype>
+ </datatype>
<datatype>
<name>opaque_client_options()</name>
@@ -1248,7 +1299,7 @@
<fsummary>Closes an SSH connection.</fsummary>
<desc><p>Closes an SSH connection.</p></desc>
</func>
-
+
<!-- CONNECT/2 etc -->
<func>
<name since="">connect(Host, Port, Options) -> Result </name>
@@ -1318,7 +1369,7 @@
<p>are allowed. The excluded options are reserved by the SSH application.
</p>
<warning>
- <p>This is an extremly dangerous function. You use it on your own risk.</p>
+ <p>This is an extremely dangerous function. You use it on your own risk.</p>
<p>Some options are OS and OS version dependent.
Do not use it unless you know what effect your option values will have
on an TCP stream.</p>
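Review bot: the changed line "This is an extremely dangerous function. You use it on your own risk." should read "at your own risk", and the following context line "on an TCP stream" should be "on a TCP stream"; the hunk corrects "extremly" but leaves both.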
@@ -1340,7 +1391,7 @@
</desc>
</func>
-<!-- DEAMON/1,2,3 -->
+<!-- DAEMON/1,2,3 -->
<func>
<name since="">daemon(Port | TcpSocket) -> Result</name>
<name since="">daemon(Port | TcpSocket, Options) -> Result</name>
@@ -1374,7 +1425,7 @@
An 'ip'-option will be discarded if present.</item>
<item>if <c>HostAddress</c> is the atom <c>loopback</c>, the listening address
- is <c>loopback</c> and an loopback address will be choosen by the underlying layers.
+ is <c>loopback</c> and an loopback address will be chosen by the underlying layers.
An 'ip'-option will be discarded if present.</item>
<item>if <c>HostAddress</c> is the atom <c>any</c> and no 'ip'-option is present, the listening address is
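Review bot: "an loopback address will be chosen" on the changed line should be "a loopback address will be chosen"; the hunk fixes "choosen" but keeps the wrong article.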
@@ -1386,7 +1437,32 @@
</desc>
</func>
-<!-- DAEMON_INFO/1 -->
+<!-- DAEMON_REPLACE_OPTIONS/2 -->
+ <func>
+ <name name="daemon_replace_options" arity="2" since="OTP 25.1"/>
+ <fsummary>Change options in a running daemon</fsummary>
+ <desc>
+ <p>
+ Replaces the options in a running daemon with the options in
+ <c>NewUserOptions</c>. Only connections established after this call
+ are affected, already established connections are not.
+ </p>
+ <note>
+ <p>In the final phase of this function, the listening process is restarted.
+ Therfore a connection attempt to the daemon in this final phase could fail.
+ </p>
+ </note>
+ <p>
+ The handling of Erlang configurations is described in the User's Guide;
+ see chapters
+ <seeguide marker="configurations">Configuration in SSH</seeguide>
+ and
+ <seeguide marker="configure_algos">Configuring algorithms in SSH</seeguide>.
+ </p>
+ </desc>
+ </func>
+
+<!-- DAEMON_INFO/1 -->
<func>
<name name="daemon_info" arity="1" since="OTP 19.0"/>
<name name="daemon_info" arity="2" since="OTP 22.1"/>
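Review bot: "Therfore" in the added `<note>` should be "Therefore". More importantly, "Replaces the options in a running daemon with the options in NewUserOptions" leaves open whether options absent from `NewUserOptions` revert to their defaults or keep their current values; that is the difference between replace and merge, and it matters for hardening options such as `max_sessions` or `auth_methods` that an operator may believe are still in force after the call. The entry should say which it is, give the return value, and say what state the daemon is left in if the listener restart in the final phase fails.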
@@ -1402,7 +1478,6 @@
</desc>
</func>
-
<!-- DEFAULT_ALGORITHMS/0 -->
<func>
<name name="default_algorithms" arity="0" since="OTP 18.0"/>
@@ -1433,7 +1508,7 @@
interactive shell on that remote host.
</p>
<p>As an alternative, an already open TCP socket could be passed to the function in <c>TcpSocket</c>.
- The SSH initiation and negotiation will be initiated on that one and finaly a shell will be started
+ The SSH initiation and negotiation will be initiated on that one and finally a shell will be started
on the host at the other end of the TCP socket.
</p>
<p>For a description of the options, see <seetype marker="#client_options">Client Options</seetype>.</p>
@@ -1464,7 +1539,7 @@
manual page in Kernel.</p>
</desc>
</func>
-
+
<func>
<name name="stop_daemon" arity="1" since=""/>
<name name="stop_daemon" arity="2" since=""/>
@@ -1506,7 +1581,7 @@
</p>
</desc>
</func>
-
+
<func>
<name name="tcpip_tunnel_to_server" arity="5" since="OTP 23.0"/>
<name name="tcpip_tunnel_to_server" arity="6" since="OTP 23.0"/>
@@ -1544,7 +1619,7 @@
in uppercase as in newer ssh-keygen commands.</p>
<p>Examples:</p>
<code>
- 2> ssh:hostkey_fingerprint(Key).
+ 2> ssh:hostkey_fingerprint(Key).
"f5:64:a6:c1:5a:cb:9f:0a:10:46:a2:5c:3e:2f:57:84"
3> ssh:hostkey_fingerprint(md5,Key).
@@ -1566,5 +1641,5 @@
</funcs>
-
+
</erlref>
diff --git a/lib/ssh/doc/src/ssh_agent.xml b/lib/ssh/doc/src/ssh_agent.xml
index a6ff511f2f..ceada72371 100644
--- a/lib/ssh/doc/src/ssh_agent.xml
+++ b/lib/ssh/doc/src/ssh_agent.xml
@@ -52,7 +52,7 @@
</code>
<p>
The agent communication is established through a UNIX domain socket. By default, the socket path
- will be fetched from the <c>SSH_AUTH_SOCK</c> enviroment variable, which is the default socket path in the agent
+ will be fetched from the <c>SSH_AUTH_SOCK</c> environment variable, which is the default socket path in the agent
implementation of
<url href="http://www.openssh.com">OpenSSH</url>.
</p>
diff --git a/lib/ssh/doc/src/ssh_client_key_api.xml b/lib/ssh/doc/src/ssh_client_key_api.xml
index a81d0d3274..cb20724496 100644
--- a/lib/ssh/doc/src/ssh_client_key_api.xml
+++ b/lib/ssh/doc/src/ssh_client_key_api.xml
@@ -69,7 +69,7 @@
<v>ConnectOptions = <seetype marker="#client_key_cb_options">client_key_cb_options()</seetype></v>
</type>
<desc>
- <p>This function is retired in favour for <c>Module:add_host_key/4</c> which is the prefered API function.
+ <p>This function is retired in favour for <c>Module:add_host_key/4</c> which is the preferred API function.
The calling SSH application will still try the <c>add_host_key/3</c> if the call to <c>add_host_key/4</c> failed.
</p>
<p>Adds a host key to the set of trusted host keys.</p>
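Review bot: "retired in favour for `Module:add_host_key/4`" on the changed line should be "in favour of"; only "prefered" was corrected.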
@@ -96,10 +96,10 @@
</type>
<desc>
<p>Adds a host key to the set of trusted host keys.</p>
- <p>This function is prefered to the old <c>Module:add_host_key/3</c> since it also uses
+ <p>This function is preferred to the old <c>Module:add_host_key/3</c> since it also uses
the peer host port number and may return an error message.</p>
<p>The OTP/SSH application first calls this function in the callback module, and then
- the old <c>Module:add_host_key/3</c> for compatibilty.</p>
+ the old <c>Module:add_host_key/3</c> for compatibility.</p>
</desc>
</func>
@@ -121,7 +121,7 @@
<v>Result = boolean()</v>
</type>
<desc>
- <p>This function is retired in favour for <c>Module:is_host_key/5</c> which is the prefered API function.
+ <p>This function is retired in favour for <c>Module:is_host_key/5</c> which is the preferred API function.
The calling SSH application will still try the <c>is_host_key/4</c> if the call to <c>is_host_key/5</c> failed.
</p>
<p>Checks if a host key is trusted.</p>
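Review bot: same wording issue as in the `add_host_key/3` entry: "retired in favour for `Module:is_host_key/5`" should be "in favour of".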
@@ -155,10 +155,10 @@
</type>
<desc>
<p>Checks if a host key is trusted.</p>
- <p>This function is prefered to the old <c>Module:is_host_key/4</c> since it also uses
+ <p>This function is preferred to the old <c>Module:is_host_key/4</c> since it also uses
the peer host port number and may return an error message.</p>
<p>The OTP/SSH application first calls this function in the callback module, and then
- the old <c>Module:is_host_key/4</c> for compatibilty.</p>
+ the old <c>Module:is_host_key/4</c> for compatibility.</p>
</desc>
</func>
diff --git a/lib/ssh/doc/src/ssh_connection.xml b/lib/ssh/doc/src/ssh_connection.xml
index cd4b9c0f85..899bd0c2b7 100644
--- a/lib/ssh/doc/src/ssh_connection.xml
+++ b/lib/ssh/doc/src/ssh_connection.xml
@@ -5,7 +5,7 @@
<header>
<copyright>
<year>2008</year>
- <year>2020</year>
+ <year>2022</year>
<holder>Ericsson AB, All Rights Reserved</holder>
</copyright>
<legalnotice>
@@ -85,7 +85,7 @@
<name name="req_status"/>
<desc>
<p>The status of a request.
- Coresponds to the <c>SSH_MSG_CHANNEL_SUCCESS</c> and <c>SSH_MSG_CHANNEL_FAILURE</c> values in
+ Corresponds to the <c>SSH_MSG_CHANNEL_SUCCESS</c> and <c>SSH_MSG_CHANNEL_FAILURE</c> values in
<url href="https://tools.ietf.org/html/rfc4254#section-5.4">RFC 4254, Section 5.4</url>.
</p>
</desc>
diff --git a/lib/ssh/doc/src/ssh_file.xml b/lib/ssh/doc/src/ssh_file.xml
index e97bb5b37f..29db36481a 100644
--- a/lib/ssh/doc/src/ssh_file.xml
+++ b/lib/ssh/doc/src/ssh_file.xml
@@ -4,7 +4,7 @@
<erlref>
<header>
<copyright>
- <year>2018</year><year>2022</year>
+ <year>2018</year><year>2023</year>
<holder>Ericsson AB. All Rights Reserved.</holder>
</copyright>
<legalnotice>
@@ -66,7 +66,7 @@
<title>Daemons</title>
<p>Daemons uses all files stored in the <seeerl marker="#SYSDIR">SYSDIR</seeerl> directory.
</p>
- <p>Optionaly, in case of <c>publickey</c> authorization, one or more of the remote user's public keys
+ <p>Optionally, in case of <c>publickey</c> authorization, one or more of the remote user's public keys
in the <seeerl marker="#USERDIR">USERDIR</seeerl> directory are used.
See the files
<seeerl marker="#FILE-authorized_keys"><c>USERDIR/authorized_keys</c></seeerl> and
@@ -223,7 +223,7 @@ key :: % encoded key from eg ssh_host_*.pub
<datatype>
<name name="key"/>
<desc>
- <p>The key representation.</p>
+ <p>The key representation</p>
</desc>
</datatype>
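Review bot: dropping the full stop from "The key representation" makes this the only `<desc>` sentence in the file without one (compare "Fetches the public key from a private key." added later in the same patch); keep the period for consistency.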
@@ -232,8 +232,6 @@ key :: % encoded key from eg ssh_host_*.pub
<name name="openssh_key_v1_attributes"/>
<desc>
<p>Types for the experimental implementaition of the <c>openssh_key_v1</c> format.
- The <c>#ECPoint{}</c> and <c>ECPrivateKey{}</c> are not used for Edwards curves
- (ed25519 and ed448), but will be in next major release.
</p>
</desc>
</datatype>
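Review bot: "implementaition" in the context line "Types for the experimental implementaition of the openssh_key_v1 format" should be "implementation"; since this hunk already edits the paragraph, fix it here. Removing the sentence about `#ECPoint{}` and `ECPrivateKey{}` not being used for ed25519 and ed448 without replacing it leaves the reader unsure what the current behaviour is; one sentence stating which record types the Edwards-curve keys now use would close that gap.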
@@ -262,7 +260,7 @@ key :: % encoded key from eg ssh_host_*.pub
<item><seeerl marker="#FILE-ssh_host_dsa_key"><c>SYSDIR/ssh_host_dsa_key</c></seeerl></item>
<item><seeerl marker="#FILE-ssh_host_ecdsa_key"><c>SYSDIR/ssh_host_ecdsa_key</c></seeerl></item>
<item><seeerl marker="#FILE-ssh_host_ed25519_key"><c>SYSDIR/ssh_host_ed25519_key</c></seeerl></item>
- <item><seeerl marker="#FILE-ssh_host_ed448_key"><c>SYSDIR/ssh_host_ed448_key</c>c></seeerl></item>
+ <item><seeerl marker="#FILE-ssh_host_ed448_key"><c>SYSDIR/ssh_host_ed448_key</c></seeerl></item>
</list>
</desc>
</func>
@@ -285,7 +283,7 @@ key :: % encoded key from eg ssh_host_*.pub
<item><seeerl marker="#FILE-authorized_keys"><c>USERDIR/authorized_keys</c></seeerl></item>
<item><seeerl marker="#FILE-authorized_keys2"><c>USERDIR/authorized_keys2</c></seeerl></item>
</list>
- <p>This functions discards all options in the begining of the lines of thoose files when reading them.
+ <p>This functions discards all options in the beginning of the lines of thoose files when reading them.
</p>
</desc>
</func>
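Review bot: the changed line fixes "begining" but still reads "This functions discards all options in the beginning of the lines of thoose files"; it should be "This function discards all options at the beginning of the lines of those files".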
@@ -375,7 +373,7 @@ key :: % encoded key from eg ssh_host_*.pub
an RFC4716 public key or an OpenSSH public key.</p>
<note>
<p>The following key types have been renamed from the deprecated
- <seemfa marker="public_key:public_key#ssh_decode/2">public_key:ssh_decode/2</seemfa>:</p>
+ <c>public_key:ssh_decode/2</c>:</p>
<list>
<item>rfc4716_public_key -> rfc4716_key</item>
<item>openssh_public_key -> openssh_key</item>
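Review bot: this hunk keeps calling `public_key:ssh_decode/2` "deprecated", while the following hunk for `encode/2` changes the parallel sentence to say `public_key:ssh_encode/2` is "removed". Both links are dropped for the same reason, so the two notes should use the same word, whichever matches the current state of the public_key application.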
@@ -391,8 +389,7 @@ key :: % encoded key from eg ssh_host_*.pub
<desc>
<p>Encodes a list of SSH file entries (public keys and attributes) to a binary.</p>
<note>
- <p>The following key types have been renamed from the deprecated
- <seemfa marker="public_key:public_key#ssh_encode/2">public_key:ssh_encode/2</seemfa>:</p>
+ <p>The following key types have been renamed from the removed <c>public_key:ssh_encode/2</c>:</p>
<list>
<item>rfc4716_public_key -> rfc4716_key</item>
<item>openssh_public_key -> openssh_key</item>
@@ -402,6 +399,15 @@ key :: % encoded key from eg ssh_host_*.pub
</desc>
</func>
+
+ <func>
+ <name since="OTP 25.0" name="extract_public_key" arity="1"/>
+ <fsummary></fsummary>
+ <desc>
+ <p>Fetches the public key from a private key.</p>
+ </desc>
+ </func>
+
</funcs>
</erlref>
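Review bot: `<fsummary>` for the new `extract_public_key/1` is empty; it should carry a one-line summary such as "Fetches the public key from a private key", because fsummary is what the function index shows. The `<desc>` should also name the accepted private key types and the return type, as the other function entries do in their `<type>` blocks, and say what is returned for a private key it cannot handle.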
diff --git a/lib/ssh/doc/src/ssh_sftp.xml b/lib/ssh/doc/src/ssh_sftp.xml
index 6e30c1e20d..c035f74b3a 100644
--- a/lib/ssh/doc/src/ssh_sftp.xml
+++ b/lib/ssh/doc/src/ssh_sftp.xml
@@ -4,7 +4,7 @@
<erlref>
<header>
<copyright>
- <year>2005</year><year>2020</year>
+ <year>2005</year><year>2022</year>
<holder>Ericsson AB. All Rights Reserved.</holder>
</copyright>
<legalnotice>
@@ -96,7 +96,7 @@
<seemfa marker="crypto:crypto#crypto_init/4">crypto:crypto_init/4</seemfa>
or similar. The <c>crypto_state()</c> is the state such a function may return.
</p>
- <p>If the selected cipher needs to have the input data partioned into
+ <p>If the selected cipher needs to have the input data partitioned into
blocks of a certain size, the <c>init_fun()</c> should return the second
form of return value with the <c>chunk_size()</c> set to the block size.
If the <c>chunk_size()</c> is <c>undefined</c>, the size of the <c>PlainBin</c>s varies,
diff --git a/lib/ssh/doc/src/ssh_timeouts.jpg b/lib/ssh/doc/src/ssh_timeouts.jpg
new file mode 100644
index 0000000000..da2f0914fc
--- /dev/null
+++ b/lib/ssh/doc/src/ssh_timeouts.jpg
Binary files differ
diff --git a/lib/ssh/doc/src/ssh_timeouts.odp b/lib/ssh/doc/src/ssh_timeouts.odp
new file mode 100644
index 0000000000..ba2d072e9f
--- /dev/null
+++ b/lib/ssh/doc/src/ssh_timeouts.odp
Binary files differ
diff --git a/lib/ssh/doc/src/terminology.xml b/lib/ssh/doc/src/terminology.xml
index 9766276192..78a24f1618 100644
--- a/lib/ssh/doc/src/terminology.xml
+++ b/lib/ssh/doc/src/terminology.xml
@@ -44,7 +44,7 @@
cause confusion.
</p>
<p>The term is used differently in <url href="http://www.openssh.com">OpenSSH</url> and SSH in Erlang/OTP.
- The reason is the different environments and use cases that are not immediatly obvious.
+ The reason is the different environments and use cases that are not immediately obvious.
</p>
<p>This chapter aims at explaining the differences and giving a rationale for why Erlang/OTP handles "user" as
it does.
@@ -95,8 +95,8 @@
</p>
</section>
<section>
- <title>The SSH server on UNIX/Linux/etc after a succesful authentication</title>
- <p>After a succesful incoming authentication, a new process runs as the just authenticated user.</p>
+ <title>The SSH server on UNIX/Linux/etc after a successful authentication</title>
+ <p>After a successful incoming authentication, a new process runs as the just authenticated user.</p>
<p>Next step is to start a service according to the ssh request. In case of a request of a shell,
a new one is started which handles the OS-commands that arrives from the client (that's "you").
</p>
@@ -166,7 +166,7 @@
</list>
</section>
<section>
- <title>The Erlang/OTP SSH server after a succesful authentication</title>
+ <title>The Erlang/OTP SSH server after a successful authentication</title>
<p>After a successful authentication an <i>Erlang process</i> is handling the service request from the remote
ssh client. The rights of that process are those of the user of the OS process running the Erlang emulator.
</p>
diff --git a/lib/ssh/doc/src/using_ssh.xml b/lib/ssh/doc/src/using_ssh.xml
index a127b66607..648b59ab23 100644
--- a/lib/ssh/doc/src/using_ssh.xml
+++ b/lib/ssh/doc/src/using_ssh.xml
@@ -5,7 +5,7 @@
<header>
<copyright>
<year>2012</year>
- <year>2020</year>
+ <year>2022</year>
<holder>Ericsson AB. All Rights Reserved.</holder>
</copyright>
<legalnotice>
@@ -201,7 +201,7 @@ ok
<p>To close the connection, call the function <seemfa marker="ssh#close/1"><c>ssh:close(ConnectionRef)</c></seemfa>.
As an alternative, set the option
<seetype marker="ssh#max_idle_time_common_option"><c>{idle_time, 1}</c></seetype>
- when opening the connection. This will cause the connection to be closed automaticaly when there are
+ when opening the connection. This will cause the connection to be closed automatically when there are
no channels open for the specified time period, in this case 1 ms.
</p>
</section>