-- Hoogle documentation, generated by Haddock
-- See Hoogle, http://www.haskell.org/hoogle/
-- | SSH protocol implementation
--
-- Please see the README on Github at
-- https://github.com/lpeterse/haskell-ssh#readme
@package hssh
@version 0.1.0.0
module Network.SSH.Client
module Network.SSH
-- | An AuthAgent is something that is capable of cryptographic
-- signing using a public key algorithm like Ed25519 or RSA.
--
-- Currently, KeyPair is the only instance, but the method
-- signatures have been designed with other mechanisms like HSMs or
-- agent forwarding in mind.
class AuthAgent agent
-- | Get a list of public keys for which the agent holds the corresponding
-- private keys.
--
-- The returned list may differ between subsequent calls.
getPublicKeys :: AuthAgent agent => agent -> IO [PublicKey]
-- | Sign the given hash with the requested public key.
--
-- The signature may be denied in case the key is no longer available.
-- This method shall not throw exceptions, but rather return
-- Nothing if possible.
getSignature :: (AuthAgent agent, ByteArrayAccess hash) => agent -> PublicKey -> hash -> IO (Maybe Signature)
data KeyPair
KeyPairEd25519 :: PublicKey -> SecretKey -> KeyPair
newKeyPair :: IO KeyPair
decodePrivateKeyFile :: (MonadFail m, ByteArray input, ByteArrayAccess passphrase, ByteArray comment) => passphrase -> input -> m [(KeyPair, comment)]
-- | A DuplexStream is an abstraction over all things that behave
-- like file handles or sockets.
class (InputStream stream, OutputStream stream) => DuplexStream stream
-- | An InputStream is something that bytes can be read from.
class InputStream stream
-- | Like receive, but does not actually remove anything from the
-- input buffer.
--
--
-- - Use with care! There are very few legitimate use cases for
-- this.
--
peek :: InputStream stream => stream -> Int -> IO ByteString
-- | Receive a chunk of bytes from the stream.
--
--
-- - This method shall block until at least one byte becomes available
-- or the connection got closed.
-- - As with sockets, the chunk boundaries are not guaranteed to be
-- preserved during transmission although this will be most often the
-- case. Never rely on this behaviour!
-- - The second parameter determines how many bytes to receive at most,
-- but the ByteString returned might be shorter.
-- - Returns a chunk which is guaranteed to be no longer than
-- the given limit. It is empty when the connection has been closed, and all
-- subsequent attempts to read shall return the empty string. This must
-- be checked when collecting chunks in a loop or the program will get
-- stuck in endless recursion!
--
receive :: InputStream stream => stream -> Int -> IO ByteString
-- | Like receive, but allows for more efficiency with less memory
-- allocations when working with builders and re-usable buffers.
receiveUnsafe :: InputStream stream => stream -> MemView -> IO Int
-- | Try to receive a ByteString of the designated length in bytes.
--
--
-- - Blocks until the complete ByteString has been
-- received; throws an exception if the connection is terminated
-- before enough bytes have arrived.
--
receiveAll :: InputStream stream => stream -> Int -> IO ByteString
-- | An OutputStream is something that chunks of bytes can be
-- written to.
class OutputStream stream
-- | Send a chunk of bytes into the stream.
--
--
-- - This method shall block until at least one byte could be sent or
-- the connection got closed.
-- - Returns the number of bytes sent or 0 if the other side closed the
-- connection. The return value must be checked when using a loop for
-- sending or the program will get stuck in endless recursion!
--
send :: OutputStream stream => stream -> ByteString -> IO Int
-- | Like send, but allows for more efficiency with less memory
-- allocations when working with builders and re-usable buffers.
sendUnsafe :: OutputStream stream => stream -> MemView -> IO Int
-- | Try to send the complete ByteString.
--
--
-- - Blocks until the ByteString has been sent; throws
-- an exception if the connection is terminated while sending it.
--
sendAll :: OutputStream stream => stream -> ByteString -> IO ()
data TransportConfig
TransportConfig :: NonEmpty HostKeyAlgorithm -> NonEmpty KeyExchangeAlgorithm -> NonEmpty EncryptionAlgorithm -> Word64 -> Word64 -> (ByteString -> IO ()) -> (ByteString -> IO ()) -> TransportConfig
[serverHostKeyAlgorithms] :: TransportConfig -> NonEmpty HostKeyAlgorithm
[kexAlgorithms] :: TransportConfig -> NonEmpty KeyExchangeAlgorithm
[encryptionAlgorithms] :: TransportConfig -> NonEmpty EncryptionAlgorithm
[maxTimeBeforeRekey] :: TransportConfig -> Word64
[maxDataBeforeRekey] :: TransportConfig -> Word64
[onSend] :: TransportConfig -> ByteString -> IO ()
[onReceive] :: TransportConfig -> ByteString -> IO ()
data Disconnect
Disconnect :: DisconnectParty -> DisconnectReason -> DisconnectMessage -> Disconnect
data DisconnectParty
Local :: DisconnectParty
Remote :: DisconnectParty
data DisconnectReason
DisconnectHostNotAllowedToConnect :: DisconnectReason
DisconnectProtocolError :: DisconnectReason
DisconnectKeyExchangeFailed :: DisconnectReason
DisconnectReserved :: DisconnectReason
DisconnectMacError :: DisconnectReason
DisconnectCompressionError :: DisconnectReason
DisconnectServiceNotAvailable :: DisconnectReason
DisconnectProtocolVersionNotSupported :: DisconnectReason
DisconnectHostKeyNotVerifiable :: DisconnectReason
DisconnectConnectionLost :: DisconnectReason
DisconnectByApplication :: DisconnectReason
DisconnectTooManyConnection :: DisconnectReason
DisconnectAuthCancelledByUser :: DisconnectReason
DisconnectNoMoreAuthMethodsAvailable :: DisconnectReason
DisconnectIllegalUsername :: DisconnectReason
DisconnectOtherReason :: Word32 -> DisconnectReason
newtype DisconnectMessage
DisconnectMessage :: ByteString -> DisconnectMessage
data Name
type UserName = Name
type ServiceName = Name
class HasName a
name :: HasName a => a -> Name
data HostKeyAlgorithm
SshEd25519 :: HostKeyAlgorithm
data KeyExchangeAlgorithm
Curve25519Sha256AtLibsshDotOrg :: KeyExchangeAlgorithm
data EncryptionAlgorithm
Chacha20Poly1305AtOpensshDotCom :: EncryptionAlgorithm
data CompressionAlgorithm
None :: CompressionAlgorithm
data PublicKey
PublicKeyEd25519 :: PublicKey -> PublicKey
PublicKeyRSA :: PublicKey -> PublicKey
PublicKeyOther :: Name -> PublicKey
data Signature
SignatureEd25519 :: Signature -> Signature
SignatureRSA :: ByteString -> Signature
SignatureOther :: Name -> Signature
module Network.SSH.Server
-- | Serve a single connection represented by a DuplexStream.
--
--
-- - The actual server behaviour is only determined by its
-- configuration. The default configuration rejects all authentication
-- and service requests, so you will need to adapt it to your
-- use-case.
-- - The AuthAgent will be used to authenticate to the client.
-- It is usually sufficient to use a KeyPair as agent.
-- - This operation does not return unless the other side either
-- gracefully closes the connection or an error occurs (like connection
-- loss). All expected exceptional conditions get caught and are
-- reflected in the return value.
-- - If the connection needs to be terminated by the server, this can
-- be achieved by throwing an asynchronous exception to the executing
-- thread. All dependent threads and resources will be properly freed
-- and a disconnect message will be delivered to the client (if
-- possible). It is a good idea to run serve within an
-- Async which can be canceled on demand.
--
--
-- Example:
--
--
-- runServer :: Socket -> IO ()
-- runServer sock = do
-- keyPair <- newKeyPair
-- serve conf keyPair sock
-- where
-- conf = def { userAuthConfig = def { onAuthRequest = handleAuthRequest }
-- , connectionConfig = def { onSessionRequest = handleSessionRequest
-- , onDirectTcpIpRequest = handleDirectTcpIpRequest
-- }
-- }
--
-- handleAuthRequest :: UserName -> ServiceName -> PublicKey -> IO (Maybe UserName)
-- handleAuthRequest user service pubkey = case user of
-- "simon" -> pure (Just user)
-- _ -> pure Nothing
--
-- handleSessionRequest :: identity -> SessionRequest -> IO (Maybe SessionHandler)
-- handleSessionRequest _ _ = pure $ Just $ SessionHandler $ \env mterm mcmd stdin stdout stderr -> do
-- sendAll stdout "Hello, world!\n"
-- pure ExitSuccess
--
-- handleDirectTcpIpRequest :: identity -> DirectTcpIpRequest -> IO (Maybe DirectTcpIpHandler)
-- handleDirectTcpIpRequest _ req =
-- | port (dstPort req) == 80 = pure $ Just $ DirectTcpIpHandler $ \stream -> do
-- bs <- receive stream 4096
-- sendAll stream "HTTP/1.1 200 OK\n"
-- sendAll stream "Content-Type: text/plain\n\n"
-- sendAll stream "Hello, world!\n"
-- sendAll stream "\n"
-- sendAll stream bs
-- pure ()
-- | otherwise = pure Nothing
--
serve :: (DuplexStream stream, AuthAgent agent) => Config identity -> agent -> stream -> IO Disconnect
-- | The server configuration.
--
--
-- - The type variable identity represents the return type of
-- the user authentication process. It may be chosen freely. The identity
-- object will be supplied to all subsequent service handler functions
-- and can be used as connection state.
--
data Config identity
Config :: TransportConfig -> UserAuthConfig identity -> ConnectionConfig identity -> Config identity
[transportConfig] :: Config identity -> TransportConfig
[userAuthConfig] :: Config identity -> UserAuthConfig identity
[connectionConfig] :: Config identity -> ConnectionConfig identity
-- | Configuration for the user authentication layer.
--
-- After a successful key exchange the client will usually request the
-- user-auth service to authenticate against. In this
-- implementation, the user-auth service is the only service
-- available after key exchange and the client must request the
-- connection layer through the authentication layer. Except for
-- transport messages, all other message types will result in a
-- disconnect as long as user authentication is in progress (looking at
-- you, libssh ;-)
data UserAuthConfig identity
UserAuthConfig :: (UserName -> ServiceName -> PublicKey -> IO (Maybe identity)) -> Word16 -> Word16 -> UserAuthConfig identity
-- | This handler will be called for each authentication attempt.
--
--
-- - The client might try several methods and keys: Just return
-- Nothing for every request that is not sufficient to determine
-- the user's identity.
-- - When access shall be granted, return Just. The
-- identity may contain whatever is desired; it may be just the
-- UserName.
-- - When the client uses public key authentication, the transport
-- layer has already determined that the client is in possession of the
-- corresponding private key (by requesting and validating a
-- signature).
-- - The default rejects all authentication attempts
-- unconditionally.
--
[onAuthRequest] :: UserAuthConfig identity -> UserName -> ServiceName -> PublicKey -> IO (Maybe identity)
-- | Timeout for user authentication in seconds (default is 60).
--
--
-- - An SSH_DISCONNECT_BY_APPLICATION will be sent to the
-- client when the timeout occurs before successful authentication.
--
[userAuthMaxTime] :: UserAuthConfig identity -> Word16
-- | A limit for the number of failed attempts per connection (default is
-- 20).
--
--
-- - An SSH_DISCONNECT_BY_APPLICATION will be sent to the
-- client when the limit has been exceeded.
--
[userAuthMaxAttempts] :: UserAuthConfig identity -> Word16
data ConnectionConfig identity
ConnectionConfig :: (identity -> SessionRequest -> IO (Maybe SessionHandler)) -> (identity -> DirectTcpIpRequest -> IO (Maybe DirectTcpIpHandler)) -> Word16 -> Word32 -> Word32 -> ConnectionConfig identity
-- | This callback will be executed for every session request.
--
-- Return a SessionHandler or Nothing to reject the request
-- (default).
[onSessionRequest] :: ConnectionConfig identity -> identity -> SessionRequest -> IO (Maybe SessionHandler)
-- | This callback will be executed for every direct-tcpip request.
--
-- Return a DirectTcpIpHandler or Nothing to reject the
-- request (default).
[onDirectTcpIpRequest] :: ConnectionConfig identity -> identity -> DirectTcpIpRequest -> IO (Maybe DirectTcpIpHandler)
-- | The maximum number of channels that may be active simultaneously
-- (default: 256).
--
-- Any requests that would exceed the limit will be rejected. Setting the
-- limit to high values might expose the server to denial of service
-- issues!
[channelMaxCount] :: ConnectionConfig identity -> Word16
-- | The maximum size of the internal buffers in bytes (also limits the
-- maximum window size, default: 32 kB)
--
-- Increasing this value might help with performance issues (if the
-- connection delay is in a bad ratio to the available bandwidth, the
-- window resizing might cause unnecessary throttling).
[channelMaxQueueSize] :: ConnectionConfig identity -> Word32
-- | The maximum size of inbound channel data payload (default: 32 kB)
--
-- Values that are larger than channelMaxQueueSize or the maximum
-- message size (35000 bytes) will be automatically adjusted to the
-- maximum possible value.
[channelMaxPacketSize] :: ConnectionConfig identity -> Word32
-- | Information associated with the session request.
--
-- Might be extended in the future.
data SessionRequest
SessionRequest :: SessionRequest
-- | The session handler contains the application logic that serves a
-- client's shell or exec request.
--
--
-- - The Command parameter will be present if this is an exec
-- request and absent for shell requests.
-- - The TermInfo parameter will be present if the client
-- requested a pty.
-- - The Environment parameter contains the set of all env
-- requests the client issued before the actual shell or exec
-- request.
-- - stdin, stdout and stderr are streams.
-- The former can only be read from while the latter can only be written
-- to. After the handler has gracefully terminated, the implementation
-- assures that all bytes will be sent before sending an eof and actually
-- closing the channel. The client will then receive an eof and close.
-- - A SIGILL exit signal will be sent if the handler
-- terminates with an exception. Otherwise the client will receive the
-- returned exit code.
--
--
--
-- handler :: SessionHandler
-- handler = SessionHandler $ \env mterm mcmd stdin stdout stderr -> case mcmd of
-- Just "echo" -> do
-- bs <- receive stdin 1024
-- sendAll stdout bs
-- pure ExitSuccess
-- Nothing ->
-- pure (ExitFailure 1)
--
newtype SessionHandler
SessionHandler :: (forall stdin stdout stderr. (InputStream stdin, OutputStream stdout, OutputStream stderr) => Environment -> Maybe TermInfo -> Maybe Command -> stdin -> stdout -> stderr -> IO ExitCode) -> SessionHandler
-- | The Environment is list of key-value pairs.
--
--
-- Environment [ ("LC_ALL", "en_US.UTF-8") ]
--
newtype Environment
Environment :: [(ByteString, ByteString)] -> Environment
-- | The TermInfo describes the client's terminal settings if it
-- requested a pty.
--
-- NOTE: This will follow in a future release. You may access the
-- constructor through the Internal module, but should not rely on
-- it yet.
data TermInfo
-- | The Command is what the client wants to execute when making an
-- exec request (shell requests don't have a command).
newtype Command
Command :: ByteString -> Command
-- | When the client makes a DirectTcpIpRequest it requests a TCP
-- port forwarding.
data DirectTcpIpRequest
DirectTcpIpRequest :: ByteString -> Word32 -> ByteString -> Word32 -> DirectTcpIpRequest
-- | The destination address.
[dstAddress] :: DirectTcpIpRequest -> ByteString
-- | The destination port.
[dstPort] :: DirectTcpIpRequest -> Word32
-- | The source address (usually the IP the client will bind the local
-- listening socket to).
[srcAddress] :: DirectTcpIpRequest -> ByteString
-- | The source port (usually the port the client will bind the local
-- listening socket).
[srcPort] :: DirectTcpIpRequest -> Word32
-- | The DirectTcpIpHandler contains the application logic that
-- handles port forwarding requests.
--
-- There is of course no need to actually do a real forwarding - this
-- mechanism might also be used to give access to process internal
-- services like integrated web servers etc.
--
--
-- - When the handler exits gracefully, the implementation assures that
-- all bytes will be sent to the client before terminating the stream
-- with an eof and actually closing the channel.
--
newtype DirectTcpIpHandler
DirectTcpIpHandler :: (forall stream. DuplexStream stream => stream -> IO ()) -> DirectTcpIpHandler
instance Data.Default.Class.Default (Network.SSH.Server.Config identity)
module Network.SSH.Internal
data HostKeyAlgorithm
SshEd25519 :: HostKeyAlgorithm
data KeyExchangeAlgorithm
Curve25519Sha256AtLibsshDotOrg :: KeyExchangeAlgorithm
data EncryptionAlgorithm
Chacha20Poly1305AtOpensshDotCom :: EncryptionAlgorithm
data CompressionAlgorithm
None :: CompressionAlgorithm
type Get = Get
class Encoding a
put :: forall b. (Encoding a, Builder b) => a -> b
get :: Encoding a => Get a
runPut :: ByteArrayBuilder -> ByteString
runGet :: (MonadFail m, Encoding a) => ByteString -> m a
putExitCode :: Builder b => ExitCode -> b
getExitCode :: Get ExitCode
getFramed :: Get a -> Get a
putWord8 :: Builder b => Word8 -> b
getWord8 :: Get Word8
expectWord8 :: Word8 -> Get ()
getWord32 :: Get Word32
putBytes :: Builder b => ByteArrayAccess ba => ba -> b
getBytes :: ByteArray ba => Word32 -> Get ba
lenByteString :: ByteString -> Word32
putByteString :: Builder b => ByteString -> b
getByteString :: Word32 -> Get ByteString
getRemainingByteString :: Get ByteString
putString :: (Builder b, ByteArrayAccess ba) => ba -> b
putShortString :: Builder b => ShortByteString -> b
getShortString :: Get ShortByteString
getString :: ByteArray ba => Get ba
getName :: Get Name
putName :: Builder b => Name -> b
putBool :: Builder b => Bool -> b
getBool :: Get Bool
getTrue :: Get ()
getFalse :: Get ()
putAsMPInt :: (Builder b, ByteArrayAccess ba) => ba -> b
data Disconnect
Disconnect :: DisconnectParty -> DisconnectReason -> DisconnectMessage -> Disconnect
data DisconnectParty
Local :: DisconnectParty
Remote :: DisconnectParty
data DisconnectReason
DisconnectHostNotAllowedToConnect :: DisconnectReason
DisconnectProtocolError :: DisconnectReason
DisconnectKeyExchangeFailed :: DisconnectReason
DisconnectReserved :: DisconnectReason
DisconnectMacError :: DisconnectReason
DisconnectCompressionError :: DisconnectReason
DisconnectServiceNotAvailable :: DisconnectReason
DisconnectProtocolVersionNotSupported :: DisconnectReason
DisconnectHostKeyNotVerifiable :: DisconnectReason
DisconnectConnectionLost :: DisconnectReason
DisconnectByApplication :: DisconnectReason
DisconnectTooManyConnection :: DisconnectReason
DisconnectAuthCancelledByUser :: DisconnectReason
DisconnectNoMoreAuthMethodsAvailable :: DisconnectReason
DisconnectIllegalUsername :: DisconnectReason
DisconnectOtherReason :: Word32 -> DisconnectReason
newtype DisconnectMessage
DisconnectMessage :: ByteString -> DisconnectMessage
exceptionProtocolVersionNotSupported :: Disconnect
exceptionConnectionLost :: Disconnect
exceptionKexInvalidTransition :: Disconnect
exceptionKexInvalidSignature :: Disconnect
exceptionKexNoSignature :: Disconnect
exceptionKexNoCommonKexAlgorithm :: Disconnect
exceptionKexNoCommonEncryptionAlgorithm :: Disconnect
exceptionMacError :: Disconnect
exceptionInvalidPacket :: Disconnect
exceptionPacketLengthExceeded :: Disconnect
exceptionAuthenticationTimeout :: Disconnect
exceptionAuthenticationLimitExceeded :: Disconnect
exceptionServiceNotAvailable :: Disconnect
exceptionInvalidChannelId :: Disconnect
exceptionInvalidChannelRequest :: Disconnect
exceptionWindowSizeOverflow :: Disconnect
exceptionWindowSizeUnderrun :: Disconnect
exceptionPacketSizeExceeded :: Disconnect
exceptionDataAfterEof :: Disconnect
exceptionAlreadyExecuting :: Disconnect
exceptionUnexpectedMessage :: ByteString -> Disconnect
data KeyPair
KeyPairEd25519 :: PublicKey -> SecretKey -> KeyPair
newKeyPair :: IO KeyPair
data PublicKey
PublicKeyEd25519 :: PublicKey -> PublicKey
PublicKeyRSA :: PublicKey -> PublicKey
PublicKeyOther :: Name -> PublicKey
decodePrivateKeyFile :: (MonadFail m, ByteArray input, ByteArrayAccess passphrase, ByteArray comment) => passphrase -> input -> m [(KeyPair, comment)]
toPublicKey :: KeyPair -> PublicKey
data Message
MsgDisconnect :: Disconnected -> Message
MsgIgnore :: Ignore -> Message
MsgUnimplemented :: Unimplemented -> Message
MsgDebug :: Debug -> Message
MsgServiceRequest :: ServiceRequest -> Message
MsgServiceAccept :: ServiceAccept -> Message
MsgKexInit :: KexInit -> Message
MsgKexNewKeys :: KexNewKeys -> Message
MsgKexEcdhInit :: KexEcdhInit -> Message
MsgKexEcdhReply :: KexEcdhReply -> Message
MsgUserAuthRequest :: UserAuthRequest -> Message
MsgUserAuthFailure :: UserAuthFailure -> Message
MsgUserAuthSuccess :: UserAuthSuccess -> Message
MsgUserAuthBanner :: UserAuthBanner -> Message
MsgUserAuthPublicKeyOk :: UserAuthPublicKeyOk -> Message
MsgChannelOpen :: ChannelOpen -> Message
MsgChannelOpenConfirmation :: ChannelOpenConfirmation -> Message
MsgChannelOpenFailure :: ChannelOpenFailure -> Message
MsgChannelWindowAdjust :: ChannelWindowAdjust -> Message
MsgChannelData :: ChannelData -> Message
MsgChannelExtendedData :: ChannelExtendedData -> Message
MsgChannelEof :: ChannelEof -> Message
MsgChannelClose :: ChannelClose -> Message
MsgChannelRequest :: ChannelRequest -> Message
MsgChannelSuccess :: ChannelSuccess -> Message
MsgChannelFailure :: ChannelFailure -> Message
MsgUnknown :: Word8 -> Message
class MessageStream a
sendMessage :: forall msg. (MessageStream a, Encoding msg) => a -> msg -> IO ()
receiveMessage :: forall msg. (MessageStream a, Encoding msg) => a -> IO msg
data Disconnected
Disconnected :: DisconnectReason -> ShortByteString -> ShortByteString -> Disconnected
[disconnectedReason] :: Disconnected -> DisconnectReason
[disconnectedDescription] :: Disconnected -> ShortByteString
[disconnectedLanguageTag] :: Disconnected -> ShortByteString
data DisconnectReason
DisconnectHostNotAllowedToConnect :: DisconnectReason
DisconnectProtocolError :: DisconnectReason
DisconnectKeyExchangeFailed :: DisconnectReason
DisconnectReserved :: DisconnectReason
DisconnectMacError :: DisconnectReason
DisconnectCompressionError :: DisconnectReason
DisconnectServiceNotAvailable :: DisconnectReason
DisconnectProtocolVersionNotSupported :: DisconnectReason
DisconnectHostKeyNotVerifiable :: DisconnectReason
DisconnectConnectionLost :: DisconnectReason
DisconnectByApplication :: DisconnectReason
DisconnectTooManyConnection :: DisconnectReason
DisconnectAuthCancelledByUser :: DisconnectReason
DisconnectNoMoreAuthMethodsAvailable :: DisconnectReason
DisconnectIllegalUsername :: DisconnectReason
DisconnectOtherReason :: Word32 -> DisconnectReason
data Ignore
Ignore :: Ignore
data Unimplemented
Unimplemented :: Word32 -> Unimplemented
data Debug
Debug :: Bool -> ShortByteString -> ShortByteString -> Debug
[debugAlwaysDisplay] :: Debug -> Bool
[debugMessage] :: Debug -> ShortByteString
[debugLanguageTag] :: Debug -> ShortByteString
data ServiceRequest
ServiceRequest :: ServiceName -> ServiceRequest
data ServiceAccept
ServiceAccept :: ServiceName -> ServiceAccept
data KexInit
KexInit :: Cookie -> [Name] -> [Name] -> [Name] -> [Name] -> [Name] -> [Name] -> [Name] -> [Name] -> [Name] -> [Name] -> Bool -> KexInit
[kexCookie] :: KexInit -> Cookie
[kexKexAlgorithms] :: KexInit -> [Name]
[kexServerHostKeyAlgorithms] :: KexInit -> [Name]
[kexEncryptionAlgorithmsClientToServer] :: KexInit -> [Name]
[kexEncryptionAlgorithmsServerToClient] :: KexInit -> [Name]
[kexMacAlgorithmsClientToServer] :: KexInit -> [Name]
[kexMacAlgorithmsServerToClient] :: KexInit -> [Name]
[kexCompressionAlgorithmsClientToServer] :: KexInit -> [Name]
[kexCompressionAlgorithmsServerToClient] :: KexInit -> [Name]
[kexLanguagesClientToServer] :: KexInit -> [Name]
[kexLanguagesServerToClient] :: KexInit -> [Name]
[kexFirstPacketFollows] :: KexInit -> Bool
data KexNewKeys
KexNewKeys :: KexNewKeys
data KexEcdhInit
KexEcdhInit :: PublicKey -> KexEcdhInit
[kexClientEphemeralKey] :: KexEcdhInit -> PublicKey
data KexEcdhReply
KexEcdhReply :: PublicKey -> PublicKey -> Signature -> KexEcdhReply
[kexServerHostKey] :: KexEcdhReply -> PublicKey
[kexServerEphemeralKey] :: KexEcdhReply -> PublicKey
[kexHashSignature] :: KexEcdhReply -> Signature
data UserAuthRequest
UserAuthRequest :: UserName -> ServiceName -> AuthMethod -> UserAuthRequest
data UserAuthFailure
UserAuthFailure :: [Name] -> Bool -> UserAuthFailure
data UserAuthSuccess
UserAuthSuccess :: UserAuthSuccess
data UserAuthBanner
UserAuthBanner :: ShortByteString -> ShortByteString -> UserAuthBanner
data UserAuthPublicKeyOk
UserAuthPublicKeyOk :: PublicKey -> UserAuthPublicKeyOk
data ChannelOpen
ChannelOpen :: ChannelId -> ChannelWindowSize -> ChannelPacketSize -> ChannelOpenType -> ChannelOpen
data ChannelOpenType
ChannelOpenSession :: ChannelOpenType
ChannelOpenDirectTcpIp :: ShortByteString -> Word32 -> ShortByteString -> Word32 -> ChannelOpenType
[coDestinationAddress] :: ChannelOpenType -> ShortByteString
[coDestinationPort] :: ChannelOpenType -> Word32
[coSourceAddress] :: ChannelOpenType -> ShortByteString
[coSourcePort] :: ChannelOpenType -> Word32
ChannelOpenOther :: ChannelType -> ChannelOpenType
data ChannelOpenConfirmation
ChannelOpenConfirmation :: ChannelId -> ChannelId -> ChannelWindowSize -> ChannelPacketSize -> ChannelOpenConfirmation
data ChannelOpenFailure
ChannelOpenFailure :: ChannelId -> ChannelOpenFailureReason -> ShortByteString -> ShortByteString -> ChannelOpenFailure
data ChannelOpenFailureReason
ChannelOpenAdministrativelyProhibited :: ChannelOpenFailureReason
ChannelOpenConnectFailed :: ChannelOpenFailureReason
ChannelOpenUnknownChannelType :: ChannelOpenFailureReason
ChannelOpenResourceShortage :: ChannelOpenFailureReason
ChannelOpenOtherFailure :: Word32 -> ChannelOpenFailureReason
data ChannelWindowAdjust
ChannelWindowAdjust :: ChannelId -> ChannelWindowSize -> ChannelWindowAdjust
data ChannelData
ChannelData :: ChannelId -> ShortByteString -> ChannelData
data ChannelExtendedData
ChannelExtendedData :: ChannelId -> Word32 -> ShortByteString -> ChannelExtendedData
data ChannelEof
ChannelEof :: ChannelId -> ChannelEof
data ChannelClose
ChannelClose :: ChannelId -> ChannelClose
data ChannelRequest
ChannelRequest :: ChannelId -> ShortByteString -> Bool -> ByteString -> ChannelRequest
[crChannel] :: ChannelRequest -> ChannelId
[crType] :: ChannelRequest -> ShortByteString
[crWantReply] :: ChannelRequest -> Bool
[crData] :: ChannelRequest -> ByteString
data ChannelRequestEnv
ChannelRequestEnv :: ShortByteString -> ShortByteString -> ChannelRequestEnv
[crVariableName] :: ChannelRequestEnv -> ShortByteString
[crVariableValue] :: ChannelRequestEnv -> ShortByteString
data ChannelRequestPty
ChannelRequestPty :: PtySettings -> ChannelRequestPty
[crPtySettings] :: ChannelRequestPty -> PtySettings
data ChannelRequestWindowChange
ChannelRequestWindowChange :: Word32 -> Word32 -> Word32 -> Word32 -> ChannelRequestWindowChange
[crWidth] :: ChannelRequestWindowChange -> Word32
[crHeight] :: ChannelRequestWindowChange -> Word32
[crWidthPixels] :: ChannelRequestWindowChange -> Word32
[crHeightPixels] :: ChannelRequestWindowChange -> Word32
data ChannelRequestShell
ChannelRequestShell :: ChannelRequestShell
data ChannelRequestExec
ChannelRequestExec :: ShortByteString -> ChannelRequestExec
[crCommand] :: ChannelRequestExec -> ShortByteString
data ChannelRequestSignal
ChannelRequestSignal :: ShortByteString -> ChannelRequestSignal
[crSignal] :: ChannelRequestSignal -> ShortByteString
data ChannelRequestExitStatus
ChannelRequestExitStatus :: ExitCode -> ChannelRequestExitStatus
[crExitStatus] :: ChannelRequestExitStatus -> ExitCode
data ChannelRequestExitSignal
ChannelRequestExitSignal :: ShortByteString -> Bool -> ShortByteString -> ShortByteString -> ChannelRequestExitSignal
[crSignalName] :: ChannelRequestExitSignal -> ShortByteString
[crCodeDumped] :: ChannelRequestExitSignal -> Bool
[crErrorMessage] :: ChannelRequestExitSignal -> ShortByteString
[crLanguageTag] :: ChannelRequestExitSignal -> ShortByteString
data ChannelSuccess
ChannelSuccess :: ChannelId -> ChannelSuccess
data ChannelFailure
ChannelFailure :: ChannelId -> ChannelFailure
data AuthMethod
AuthNone :: AuthMethod
AuthHostBased :: AuthMethod
AuthPassword :: Password -> AuthMethod
AuthPublicKey :: PublicKey -> Maybe Signature -> AuthMethod
AuthOther :: Name -> AuthMethod
newtype ChannelId
ChannelId :: Word32 -> ChannelId
newtype ChannelType
ChannelType :: ShortByteString -> ChannelType
type ChannelPacketSize = Word32
type ChannelWindowSize = Word32
data Cookie
newCookie :: MonadRandom m => m Cookie
nilCookie :: Cookie
newtype Password
Password :: ShortByteString -> Password
data PtySettings
PtySettings :: ShortByteString -> Word32 -> Word32 -> Word32 -> Word32 -> ShortByteString -> PtySettings
[ptyEnv] :: PtySettings -> ShortByteString
[ptyWidthCols] :: PtySettings -> Word32
[ptyHeightRows] :: PtySettings -> Word32
[ptyWidthPixels] :: PtySettings -> Word32
[ptyHeightPixels] :: PtySettings -> Word32
[ptyModes] :: PtySettings -> ShortByteString
data PublicKey
PublicKeyEd25519 :: PublicKey -> PublicKey
PublicKeyRSA :: PublicKey -> PublicKey
PublicKeyOther :: Name -> PublicKey
newtype SessionId
SessionId :: ShortByteString -> SessionId
data Signature
SignatureEd25519 :: Signature -> Signature
SignatureRSA :: ByteString -> Signature
SignatureOther :: Name -> Signature
newtype Version
Version :: ShortByteString -> Version
type ServiceName = Name
type UserName = Name
newtype Name
Name :: ShortByteString -> Name
class HasName a
name :: HasName a => a -> Name
data Connection identity
data ConnectionConfig identity
ConnectionConfig :: (identity -> SessionRequest -> IO (Maybe SessionHandler)) -> (identity -> DirectTcpIpRequest -> IO (Maybe DirectTcpIpHandler)) -> Word16 -> Word32 -> Word32 -> ConnectionConfig identity
-- | This callback will be executed for every session request.
--
-- Return a SessionHandler or Nothing to reject the request
-- (default).
[onSessionRequest] :: ConnectionConfig identity -> identity -> SessionRequest -> IO (Maybe SessionHandler)
-- | This callback will be executed for every direct-tcpip request.
--
-- Return a DirectTcpIpHandler or Nothing to reject the
-- request (default).
[onDirectTcpIpRequest] :: ConnectionConfig identity -> identity -> DirectTcpIpRequest -> IO (Maybe DirectTcpIpHandler)
-- | The maximum number of channels that may be active simultaneously
-- (default: 256).
--
-- Any requests that would exceed the limit will be rejected. Setting the
-- limit to high values might expose the server to denial of service
-- issues!
[channelMaxCount] :: ConnectionConfig identity -> Word16
-- | The maximum size of the internal buffers in bytes (also limits the
-- maximum window size, default: 32 kB)
--
-- Increasing this value might help with performance issues (if the
-- connection delay is in a bad ratio with the available bandwidth, the
-- window resizing might cause unnecessary throttling).
[channelMaxQueueSize] :: ConnectionConfig identity -> Word32
-- | The maximum size of inbound channel data payload (default: 32 kB)
--
-- Values that are larger than channelMaxQueueSize or the maximum
-- message size (35000 bytes) will be automatically adjusted to the
-- maximum possible value.
[channelMaxPacketSize] :: ConnectionConfig identity -> Word32
-- | Information associated with the session request.
--
-- Might be extended in the future.
data SessionRequest
SessionRequest :: SessionRequest
-- | The session handler contains the application logic that serves a
-- client's shell or exec request.
--
--
-- - The Command parameter will be present if this is an exec
-- request and absent for shell requests.
-- - The TermInfo parameter will be present if the client
-- requested a pty.
-- - The Environment parameter contains the set of all env
-- requests the client issued before the actual shell or exec
-- request.
-- - stdin, stdout and stderr are streams.
-- The former can only be read from while the latter can only be written
-- to. After the handler has gracefully terminated, the implementation
-- assures that all bytes will be sent before sending an eof and actually
-- closing the channel. The client will then receive an eof and close.
-- - A SIGILL exit signal will be sent if the handler
-- terminates with an exception. Otherwise the client will receive the
-- returned exit code.
--
--
--
-- handler :: SessionHandler
-- handler = SessionHandler $ \env mterm mcmd stdin stdout stderr -> case mcmd of
-- Just "echo" -> do
-- bs <- receive stdin 1024
-- sendAll stdout bs
-- pure ExitSuccess
-- Nothing ->
-- pure (ExitFailure 1)
--
newtype SessionHandler
SessionHandler :: (forall stdin stdout stderr. (InputStream stdin, OutputStream stdout, OutputStream stderr) => Environment -> Maybe TermInfo -> Maybe Command -> stdin -> stdout -> stderr -> IO ExitCode) -> SessionHandler
-- | The Environment is a list of key-value pairs.
--
--
-- Environment [ ("LC_ALL", "en_US.UTF-8") ]
--
newtype Environment
Environment :: [(ByteString, ByteString)] -> Environment
-- | The TermInfo describes the client's terminal settings if it
-- requested a pty.
--
-- NOTE: This will follow in a future release. You may access the
-- constructor through the Internal module, but should not rely on
-- it yet.
data TermInfo
TermInfo :: PtySettings -> TermInfo
-- | The Command is what the client wants to execute when making an
-- exec request (shell requests don't have a command).
newtype Command
Command :: ByteString -> Command
-- | When the client makes a DirectTcpIpRequest it requests a TCP
-- port forwarding.
data DirectTcpIpRequest
DirectTcpIpRequest :: ByteString -> Word32 -> ByteString -> Word32 -> DirectTcpIpRequest
-- | The destination address.
[dstAddress] :: DirectTcpIpRequest -> ByteString
-- | The destination port.
[dstPort] :: DirectTcpIpRequest -> Word32
-- | The source address (usually the IP the client will bind the local
-- listening socket to; like the other fields, it is supplied by the client).
[srcAddress] :: DirectTcpIpRequest -> ByteString
-- | The source port (usually the port the client will bind the local
-- listening socket to).
[srcPort] :: DirectTcpIpRequest -> Word32
-- | The DirectTcpIpHandler contains the application logic that
-- handles port forwarding requests.
--
-- There is of course no need to actually do a real forwarding - this
-- mechanism might also be used to give access to process internal
-- services like integrated web servers etc.
--
--
-- - When the handler exits gracefully, the implementation assures that
-- all bytes will be sent to the client before terminating the stream
-- with an eof and actually closing the channel.
--
newtype DirectTcpIpHandler
DirectTcpIpHandler :: (forall stream. DuplexStream stream => stream -> IO ()) -> DirectTcpIpHandler
data ConnectionMsg
ConnectionChannelOpen :: ChannelOpen -> ConnectionMsg
ConnectionChannelClose :: ChannelClose -> ConnectionMsg
ConnectionChannelEof :: ChannelEof -> ConnectionMsg
ConnectionChannelData :: ChannelData -> ConnectionMsg
ConnectionChannelRequest :: ChannelRequest -> ConnectionMsg
ConnectionChannelWindowAdjust :: ChannelWindowAdjust -> ConnectionMsg
serveConnection :: forall stream identity. MessageStream stream => ConnectionConfig identity -> stream -> identity -> IO ()
-- | Configuration for the user authentication layer.
--
-- After a successful key exchange the client will usually request the
-- user-auth service to authenticate against. In this
-- implementation, the user-auth service is the only service
-- available after key exchange and the client must request the
-- connection layer through the authentication layer. Except for
-- transport messages, all other message types will result in a
-- disconnect as long as user authentication is in progress (looking at
-- you, libssh ;-)
data UserAuthConfig identity
UserAuthConfig :: (UserName -> ServiceName -> PublicKey -> IO (Maybe identity)) -> Word16 -> Word16 -> UserAuthConfig identity
-- | This handler will be called for each authentication attempt.
--
--
-- - The client might try several methods and keys: Just return
-- Nothing for every request that is not sufficient to determine
-- the user's identity.
-- - When access shall be granted, return Just. The
-- identity may contain whatever is desired; it may be just the
-- UserName.
-- - When the client uses public key authentication, the transport
-- layer has already determined that the client is in possession of the
-- corresponding private key (by requesting and validating a
-- signature).
-- - The default rejects all authentication attempts
-- unconditionally.
--
[onAuthRequest] :: UserAuthConfig identity -> UserName -> ServiceName -> PublicKey -> IO (Maybe identity)
-- | Timeout for user authentication in seconds (default is 60).
--
--
-- - An SSH_DISCONNECT_BY_APPLICATION will be sent to the
-- client when the timeout occurs before successful authentication.
--
[userAuthMaxTime] :: UserAuthConfig identity -> Word16
-- | A limit for the number of failed attempts per connection (default is
-- 20).
--
--
-- - An SSH_DISCONNECT_BY_APPLICATION will be sent to the
-- client when the limit has been exceeded.
--
[userAuthMaxAttempts] :: UserAuthConfig identity -> Word16
withAuthentication :: forall identity stream a. MessageStream stream => UserAuthConfig identity -> stream -> SessionId -> (ServiceName -> Maybe (identity -> IO a)) -> IO a
verifyAuthSignature :: SessionId -> UserName -> ServiceName -> PublicKey -> Signature -> Bool
-- | A DuplexStream is an abstraction over all things that behave
-- like file handles or sockets.
class (InputStream stream, OutputStream stream) => DuplexStream stream
-- | An OutputStream is something that chunks of bytes can be
-- written to.
class OutputStream stream
-- | Send a chunk of bytes into the stream.
--
--
-- - This method shall block until at least one byte could be sent or
-- the connection got closed.
-- - Returns the number of bytes sent or 0 if the other side closed the
-- connection. The return value must be checked when using a loop for
-- sending or the program will get stuck in endless recursion!
--
send :: OutputStream stream => stream -> ByteString -> IO Int
-- | Like send, but allows for more efficiency with less memory
-- allocations when working with builders and re-usable buffers.
sendUnsafe :: OutputStream stream => stream -> MemView -> IO Int
-- | An InputStream is something that bytes can be read from.
class InputStream stream
-- | Like receive, but does not actually remove anything from the
-- input buffer.
--
--
-- - Use with care! There are very few legitimate use cases for
-- this.
--
peek :: InputStream stream => stream -> Int -> IO ByteString
-- | Receive a chunk of bytes from the stream.
--
--
-- - This method shall block until at least one byte becomes available
-- or the connection got closed.
-- - As with sockets, the chunk boundaries are not guaranteed to be
-- preserved during transmission although this will be most often the
-- case. Never rely on this behaviour!
-- - The second parameter determines how many bytes to receive at most,
-- but the ByteString returned might be shorter.
-- - Returns a chunk which is guaranteed to be shorter than or equal to
-- the given limit. It is empty when the connection got closed and all
-- subsequent attempts to read shall return the empty string. This must
-- be checked when collecting chunks in a loop or the program will get
-- stuck in endless recursion!
--
receive :: InputStream stream => stream -> Int -> IO ByteString
-- | Like receive, but allows for more efficiency with less memory
-- allocations when working with builders and re-usable buffers.
receiveUnsafe :: InputStream stream => stream -> MemView -> IO Int
-- | Try to send the complete ByteString.
--
--
-- - Blocks until the ByteString has been sent, or throws
-- an exception if the connection got terminated while sending it.
--
sendAll :: OutputStream stream => stream -> ByteString -> IO ()
-- | Try to receive a ByteString of the designated length in bytes.
--
--
-- - Blocks until the complete ByteString has been
-- received, or throws an exception if the connection got terminated
-- before enough bytes arrived.
--
receiveAll :: InputStream stream => stream -> Int -> IO ByteString
data Transport
data TransportConfig
TransportConfig :: NonEmpty HostKeyAlgorithm -> NonEmpty KeyExchangeAlgorithm -> NonEmpty EncryptionAlgorithm -> Word64 -> Word64 -> (ByteString -> IO ()) -> (ByteString -> IO ()) -> TransportConfig
[serverHostKeyAlgorithms] :: TransportConfig -> NonEmpty HostKeyAlgorithm
[kexAlgorithms] :: TransportConfig -> NonEmpty KeyExchangeAlgorithm
[encryptionAlgorithms] :: TransportConfig -> NonEmpty EncryptionAlgorithm
[maxTimeBeforeRekey] :: TransportConfig -> Word64
[maxDataBeforeRekey] :: TransportConfig -> Word64
[onSend] :: TransportConfig -> ByteString -> IO ()
[onReceive] :: TransportConfig -> ByteString -> IO ()
data Disconnected
Disconnected :: DisconnectReason -> ShortByteString -> ShortByteString -> Disconnected
[disconnectedReason] :: Disconnected -> DisconnectReason
[disconnectedDescription] :: Disconnected -> ShortByteString
[disconnectedLanguageTag] :: Disconnected -> ShortByteString
withTransport :: (DuplexStream stream, AuthAgent agent) => TransportConfig -> Maybe agent -> stream -> (Transport -> SessionId -> IO a) -> IO (Either Disconnect a)
plainEncryptionContext :: OutputStream stream => stream -> EncryptionContext
plainDecryptionContext :: InputStream stream => stream -> DecryptionContext
newChaCha20Poly1305EncryptionContext :: (OutputStream stream, ByteArrayAccess key) => stream -> key -> key -> IO EncryptionContext
newChaCha20Poly1305DecryptionContext :: InputStream stream => ByteArrayAccess key => stream -> key -> key -> IO DecryptionContext
data TStreamingQueue
TStreamingQueue :: Word32 -> TVar Word32 -> TVar Word32 -> TVar Bool -> TMVar ShortByteString -> TChan ShortByteString -> TStreamingQueue
[qCapacity] :: TStreamingQueue -> Word32
[qWindow] :: TStreamingQueue -> TVar Word32
[qSize] :: TStreamingQueue -> TVar Word32
[qEof] :: TStreamingQueue -> TVar Bool
[qHead] :: TStreamingQueue -> TMVar ShortByteString
[qTail] :: TStreamingQueue -> TChan ShortByteString
newTStreamingQueue :: Word32 -> TVar Word32 -> STM TStreamingQueue
capacity :: TStreamingQueue -> Word32
getSize :: TStreamingQueue -> STM Word32
getFree :: TStreamingQueue -> STM Word32
getWindowSpace :: TStreamingQueue -> STM Word32
addWindowSpace :: TStreamingQueue -> Word32 -> STM ()
askWindowSpaceAdjustRecommended :: TStreamingQueue -> STM Bool
fillWindowSpace :: TStreamingQueue -> STM Word32
terminate :: TStreamingQueue -> STM ()
enqueue :: TStreamingQueue -> ByteString -> STM Word32
dequeue :: TStreamingQueue -> Word32 -> STM ByteString
dequeueShort :: TStreamingQueue -> Word32 -> STM ShortByteString
lookAhead :: TStreamingQueue -> Word32 -> STM ByteString