Google Git
Sign in
apache / mina-sshd / HEAD / . / docs / cli.md
blob: 01c3be3f4045beb5869aec8fdcea61c8d34de65b [file] [log] [blame] [view]
## Command line clients
The _apache-sshd.zip_ distribution provides `Windows/Linux` scripts that use the MINA SSHD code base to implement the common
_ssh, scp, sftp_ commands. The clients accept most useful switches from the original commands they mimic, where the `-o Option=Value`
arguments can be used to configure the client/server in addition to the system properties mechanism. For more details, consult
the _main_ methods code in the respective `SshClientMain`, `SftpCommandMain` and `ScpClientMain` classes. The code also includes
`SshKeyScanMain` that is a simple implementation for [ssh-keyscan(1)](https://www.freebsd.org/cgi/man.cgi?query=ssh-keyscan&sektion=1).
The distribution also includes also an _sshd_ script that can be used to launch a server instance - see `SshServerMain#main`
for activation command line arguments and options.
In order to use this CLI code as part of another project, one needs to include the _sshd-cli_ module:
```xml
<dependency>
<groupId>org.apache.sshd</groupId>
<artifactId>sshd-cli</artifactId>
<version>...same version as the core...</version>
</dependency>
```
In general, the CLI clients accept most of their Linux counterpart arguments. Furthermore, one can use the `-o Option=Value`
argument in order to provide **internal** SSHD code configurations (in addition to the ones specified as system
properties via `-Dprop=value` JVM option. **Note:** not all options listed in [ssh_config](https://www.freebsd.org/cgi/man.cgi?query=ssh_config)
or [sshd_config](https://linux.die.net/man/5/sshd_config) are supported, some of the `-o Option=Value` options have extra
or special meaning, or are new altogether. Here are a few worth mentioning:
#### `Ciphers`
Comma-separated list of allowed/supported ciphers in their **order** of preference.
#### `MACs`
Comma-separated list of allowed/supported message authentication code algorithms in their **order** of preference.
#### `KexAlgorithms`
Comma-separated list of allowed/supported key exchange algorithms in their **order** of preference.
#### `HostKeyAlgorithms`
Comma-separated list of allowed/supported signature algorithms in their **order** of preference.
#### `Compression`
Whether to use compression, and if so which.
#### `LogLevel`
The verbosity level that is used when logging messages - **Note:** this is not the same as the internal logging configuration but rather
an extra verbosity level of the CLI code itself - instructing it what extra data to display in STDOUT/STDERR. Each specific CLI (scp, sftp, ssh, sshd)
has its own interpretation of this value.
#### `PreferredAuthentications`
The preferred user authentications factory names and their **order**:
```
# Allow only public key authentication
-o PreferredAuthentications=publickey
# Prefer keyboard-interactive BEFORE publickey
-o PreferredAuthentications=keyboard-interactive,publickey
```
#### `ShellFactory`
One can use it specify a non-default shell factory - including disabling it altogether - or *add* the SCP shell to an existing one:
```
# Disable shell entirely
-o ShellFactory=none
# Add the SCP shell to the default factory
-o ShellFactory=+scp
# Use ONLY the SCP shell
-o ShellFactory=scp
# Use a custom factory
-o ShellFactory=com.demo.MyShellFactory
# Add the SCP shell to a custom factory
-o ShellFactory=scp+com.demo.MyShellFactory
```
#### `Subsystem`
Can be used to specify built-in or custom subsystems to use in the server - or disable them altogether:
```
# Disable all subsystems
-o Subsystem=none
# Use the built-in SFTP subsystem
-o Subsystem=sftp
# Use one or more custom subsystems
-o Subsystem=Sub1,Sub2,Sub3
```
**Note:** Subsystems are automatically detected via `ServiceLoader#load(SubsystemFactory.class)` call - the option value simply states which ones to use - according to their *logical* name.
#### Server/Client heartbeat
Controlled by a combination of the `ServerAliveInterval`, `ClientAliveInterval`, `ClientAliveUseNullPackets` and `ClientAliveReplyWait` properties.
#### Host keys and certificate
`HostKey` and `HostCertificate` properties - enable specifying multiple paths to key files/certificates.
#### `Banner` / `VisualHostKey`
Controls the server's banner display.
#### `AllowTcpForwarding` / `AllowAgentForwarding` / `X11Forwarding`
Control server forwarding capabilities.
### `SftpCommandMain`
A CLI client reminiscent of [sftp(1)](https://linux.die.net/man/1/sftp). By default uses an internal `SftpClientFactory`.
This can be overridden as follows:
1. Provide a `-o SftpClientFactory=XXX` command line argument where the option specifies the fully-qualified name of
the class that implements this interface.
2. Add a `META-INF\services\org.apache.sshd.sftp.client.SftpClientFactory` file containing the fully-qualified name of
the class that implements this interface. **Note:** if more than one such instance is detected an exception is thrown.
**Note:** The specified class(es) must be public and contain a public no-args constructor.
The CLI client provides a few extra "commands" that can be used to view metadata information about the current session
* `session` - Show current SSH session details - including ID, client/server identification line, peer, etc..
* `kex` - Show KEX details - client proposal, server one and negotiated parameters.
* `info` - General details about the SFTP protocol - e.g., supported extensions by the server.
* `version` - The negotiated SFTP protocol version.
* `help` - List all available commands.
* `exit` - Quit the SFTP session
### `SshClientMain`
A CLI client compatible with the [ssh(1)](https://linux.die.net/man/1/ssh) command line options, with a few extra options:
* `-io` - select a specific `IoServiceFactoryFactory`:
```
java -cp ... org.apache.sshd.cli.client.SshClientMain -io <value>
```
Where value can be:
* One of the default builtin values (NIO2, MINA, NETTY)
* A fully qualified class name implementing this interface
If no specific value provided NIO2 is used.
* `-w <password>` - provide a password as part of the command instead of waiting to be prompted.
```
java -cp ... org.apache.sshd.cli.client.SshClientMain -l <login> -w <password> ...host...
```
* `SetEnv/SendEnv` - can be used to send specific environment variables to the server when executing a command
or opening a shell. Example:
```
java -cp ... org.apache.sshd.cli.client.SshClientMain -o SetEnv=X=7,Y=8
# Can also be used as separate options
java -cp ... org.apache.sshd.cli.client.SshClientMain -o SetEnv=X=7 -o SetEnv=Y=8
```
* `RequestTTY` - can be `no`, `yes` or `auto` (default). If `auto` the CLI client will attempt to initialize
the PTY options according to the O/S. In **addition** to the auto-detected PTY modes, one can override them
by using the `PtyMode` option:
```
java -cp ... org.apache.sshd.cli.client.SshClientMain -o PtyMode=VINTR,TTY_OP_ISPEED=4200
# Can also be used as separate options
java -cp ... org.apache.sshd.cli.client.SshClientMain -o PtyMode=VINTR -o PtyMode=TTY_OP_ISPEED=4200
```
Any option that does not have a specific value specified for it is assumed to use `1` - therefore, in order
to **disable** an option one must use `-o PtyMode=WHATEVER=0`.
### `ScpCommandMain`
Reminiscent of the [scp(1)](https://man7.org/linux/man-pages/man1/scp.1.html) CLI client - including support for "3-way" copy
(a.k.a. remote-to-remote) option:
```
scp -p -r -3 user1@server1:source user2@server2:destination
```
In this context, it is worth mentioning that the CLI also supports URI locations having the format `scp://[user@]host[:port][/path]`
```
# If port is omitted then 22 is assumed
scp -p scp://user1@server1:2222/source/file /home/user2/destination
# Note: same effect can be achieved with -P option
scp -p -P 2222 user1@server1:source/file /home/user2/destination
# the URI is better suited for remote-to-remote transfers
scp -p -r -3 scp://user1@server1:2222/source scp://user2@server2:3333/destination
```
### `SshServerMain`
Command line SSH daemon
* **Port** - by default the SSH server sets up to list on port 8000 in order to avoid conflicts with any running SSH O/S daemon.
This can be modified by providing a `-p NNNN` or `-o Port=NNNN` command line option.
* **Subsystem(s)** - the server automatically detects subsystems using the
[Java ServiceLoader mechanism](https://docs.oracle.com/javase/8/docs/api/java/util/ServiceLoader.html).
This can be overwritten as follows (in this order):
1. Provide a `org.apache.sshd.server.subsystem.SubsystemFactory` system property containing comma-separated fully-qualified names of classes implementing
this interface. The implementations must be public and have a public no-args constructor for instantiating them. The order of the provided subsystems will
be according to their order in the specified list.
2. Provide a `-o Subsystem=xxx,yyy` command line argument where value is a comma-separated list of the **name**(s) of the auto-detected factories via
the `ServiceLoader` mechanism. The special value `none` may be used to indicate that no subsystem is to be configured. **Note:** no specific order is
provided when subsystems are auto-detected and/or filtered.
* **Shell** - unless otherwise instructed, the default SSH server uses an internal shell (see `InteractiveProcessShellFactory`). The shell can be overridden
or disabled by specifying a `-o ShellFactory=XXX` option where the value can either be `none` to specify that no shell is to be used, or the fully-qualified
name of a class that implements the `ShellFactory` interface. The implementation must be public and have a public no-args constructor for instantiating it.
**Note:** A special value of `scp` can be used to use the built-in `ScpShell` instead of the interactive one (reminder: the SCP "shell" is a limited shell that provides
a good enough functionality for *WinScp*).