1 Introduction

SSH is a protocol for secure remote logon and other secure network services over an insecure network.

1.1  Scope and Purpose

SSH provides a single, full-duplex, and byte-oriented connection between client and server. The protocol also provides privacy, integrity, server authentication, and man-in-the-middle protection.

The ssh application is an implementation of the SSH Transport, Connection and Authentication Layer Protocols in Erlang. It provides the following:

  • API functions to write customized SSH clients and servers applications
  • The Erlang shell available over SSH
  • An SFTP client (ssh_sftp) and server (ssh_sftpd)

1.2  Prerequisites

It is assumed that the reader is familiar with the Erlang programming language, concepts of OTP, and has a basic understanding of public keys.

1.3  SSH Protocol Overview

Conceptually, the SSH protocol can be partitioned into four layers:


Figure 1.1:   SSH Protocol Architecture

Transport Protocol

The SSH Transport Protocol is a secure, low-level transport. It provides strong encryption, cryptographic host authentication, and integrity protection. A minimum of Message Authentication Code (MAC) and encryption algorithms are supported. For details, see the ssh(3) manual page in ssh.

Authentication Protocol

The SSH Authentication Protocol is a general-purpose user authentication protocol run over the SSH Transport Layer Protocol. The ssh application supports user authentication as follows:

  • Using public key technology. RSA and DSA, X509-certificates are not supported.
  • Using keyboard-interactive authentication. This is suitable for interactive authentication methods that do not need any special software support on the client side. Instead, all authentication data is entered from the keyboard.
  • Using a pure password-based authentication scheme. Here, the plain text password is encrypted before sent over the network.

Several configuration options for authentication handling are available in ssh:connect/[3,4] and ssh:daemon/[2,3].

The public key handling can be customized by implementing the following behaviours from ssh:

Connection Protocol

The SSH Connection Protocol provides application-support services over the transport pipe, for example, channel multiplexing, flow control, remote program execution, signal propagation, and connection forwarding. Functions for handling the SSH Connection Protocol can be found in the module ssh_connection in ssh.


All terminal sessions, forwarded connections, and so on, are channels. Multiple channels are multiplexed into a single connection. All channels are flow-controlled. This means that no data is sent to a channel peer until a message is received to indicate that window space is available. The initial window size specifies how many bytes of channel data that can be sent to the channel peer without adjusting the window. Typically, an SSH client opens a channel, sends data (commands), receives data (control information), and then closes the channel. The ssh_client_channel behaviour handles generic parts of SSH channel management. This makes it easy to write your own SSH client/server processes that use flow-control and thus opens for more focus on the application logic.

Channels come in the following three flavors:

  • Subsystem - Named services that can be run as part of an SSH server, such as SFTP (ssh_sftpd), that is built into the SSH daemon (server) by default, but it can be disabled. The Erlang ssh daemon can be configured to run any Erlang- implemented SSH subsystem.
  • Shell - Interactive shell. By default the Erlang daemon runs the Erlang shell. The shell can be customized by providing your own read-eval-print loop. You can also provide your own Command-Line Interface (CLI) implementation, but that is much more work.
  • Exec - One-time remote execution of commands. See function ssh_connection:exec/4 for more information.

1.4  Where to Find More Information

For detailed information about the SSH protocol, refer to the following Request for Comments(RFCs):