More .NET components

SSH server

Rebex File Server can be used to easily add SSH server capabilities to your .NET application, no matter whether you use C#, VB.NET or any other .NET language:

CSharp

// create a server instance
var server = new FileServer();

// bind virtual shell to port 22
server.Bind(22, FileServerProtocol.Shell);

// load a server private key from encrypted 'serverkey.ppk' file
server.Keys.Add(new SshPrivateKey("server-key.ppk", "password"));

// add a user with clean shell with only one command ('exit')
// use ShellCommand event to handle commands issued by the client
server.Users.Add("user01", "password");

// start the server in the background
server.Start();

VisualBasic

' create a server instance
Dim server = New FileServer()

' bind virtual shell to port 22
server.Bind(22, FileServerProtocol.Shell)

' load a server private key from encrypted 'serverkey.ppk' file
server.Keys.Add(New SshPrivateKey("server-key.ppk", "password"))

' add a user with clean shell with only one command ('exit')
' use ShellCommand event to handle commands issued by the client
server.Users.Add("user01", "password")

' start the server in the background
server.Start()

See also

SSH subsystems #

The SSH module hosts SFTP, shell (SCP) and tunneling subsystems.

The 'SCP/shell' subsystem provides "shell" and "exec" subsystems that implement simple shell commands to access the server's virtual filesystem. This makes it possible to access it with SSH clients such as PuTTY, SCP clients such as WinSCP, and of course with standard SSH ssh and scp commands. SCP support and built-in commands can be disabled, making it simple to implement a custom shell.

SSH shell #

The virtual shell environment offers two different shells:

Empty shell

ShellType.Empty is a clean, minimalist shell which only supports one predefined command - exit. It can be easily extended to handle any custom command using the ShellCommand event.

CSharp

// creates a user with shell with only one command: 'exit'
// use ShellCommand event to handle custom commands
server.Users.Add("user", "password", ShellType.Empty);

// creates a user with same empty shell
// and set users home director (e.g. for SFTP access)
server.Users.Add("user", "password", @"c:\home\user", ShellType.Empty);

VisualBasic

' creates a user with shell with only one command 'exit'
' use ShellCommand event to handle custom commands
server.Users.Add("user", "password", ShellType.Empty)

' creates a user with same empty shell
' And set users home director (e.g. for SFTP access)
server.Users.Add("user", "password", "c:\home\user", ShellType.Empty)

Virtual shell with SCP support

ShellType.Scp shell features built-in commands to access the virtual file system and also supports the SCP protocol.

This virtual shell environment can be easily extended by implementing additional commands. Even the built-in commands can be redefined to provide custom functionality, making it simple to use Rebex File Server as an SSH server that can be accessed by SSH client applications.

This makes it possible (for example) to simulate a simple Unix-like environment on Windows platforms for third-party applications and utilities designed to work with SSH and a Unix-like OS. See the Custom commands section for details.

CSharp

// creates a user with shell with scp-related commands predefined
server.Users.Add("user", "password", @"c:\home\user", ShellType.Scp);

VisualBasic

' creates a user with shell with scp-related commands predefined
server.Users.Add("user", "password", "c:\home\user", ShellType.Scp)

Automatic shell type detection

When ShellType.Default or no shell type is specified for a user, it will be determined automatically: Users with access to a virtual file system get Scp shell, users with no file system get Empty shell.

CSharp

// creates a user with shell with scp-related commands predefined
server.Users.Add("user", "password", @"c:\home\user", ShellType.Default);
server.Users.Add("user", "password", @"c:\home\user"); // same as above

// creates a user with an empty shell
server.Users.Add("user", "password", ShellType.Default);
server.Users.Add("user", "password"); // same as above

VisualBasic

' creates a user with shell with scp-related commands predefined
server.Users.Add("user", "password", "c:\home\user", ShellType.Default)
server.Users.Add("user", "password", "c:\home\user") ' same As above

' creates a user with an empty shell
server.Users.Add("user", "password", ShellType.Default)
server.Users.Add("user", "password") ' same As above

Custom commands #

It's very simple to implement custom commands for SSH "shell" and "exec" subsystems provided by the 'shell (SCP) subsystem'. Just write a ShellCommand event handler:

CSharp

// implement several simple custom shell commands
server.ShellCommand += (sender, e) =>
{
    switch (e.Command)
    {
        case "date":
            e.WriteLine(DateTime.UtcNow);
            break;
        case "say":
            e.WriteLine(string.Join(" ", e.Arguments));
            break;
        case "fail":
            e.WriteLine("Command failed.");
            e.ExitCode = 1;
            break;
    }
};

VisualBasic

' implement several simple custom shell commands
AddHandler server.ShellCommand,
    Sub(sender, e)
        Select Case e.Command
            Case "date"
                e.WriteLine(DateTime.UtcNow)
                Exit Select
            Case "say"
                e.WriteLine(String.Join(" ", e.Arguments))
                Exit Select
            Case "fail"
                e.WriteLine("Command failed.")
                e.ExitCode = 1
                Exit Select
        End Select
    End Sub

Alternatively, to implement commands that need to interact with the user or take a long time to complete, use the Action property:

CSharp

// implement a complex command
server.ShellCommand += (sender, e) =>
{
    if (e.Command == "hello")
    {
        e.Action = (args, console) =>
        {
            // clear the terminal screen
            console.Clear();

            // ask a question and wait for answer
            console.WriteLine("Enter your name: ");
            string name = console.ReadLine();

            // say hello
            console.WriteLine("Hello, {0}!", name);

            // exit code
            return 0;
        };
    }
};

VisualBasic

' implement a complex command
AddHandler server.ShellCommand,
    Sub(sender, e)
        If e.Command = "hello" Then
            e.Action =
                Function(args, console)
                    ' clear the terminal screen
                    console.Clear()

                    ' ask a question and wait for answer
                    console.WriteLine("Enter your name: ")
                    Dim name As String = console.ReadLine()

                    ' say hello
                    console.WriteLine("Hello, {0}!", name)

                    ' exit code
                    Return 0

                End Function
        End If
    End Sub

SSH settings #

The SSH module is tightly integrated into Rebex File Server. It can be configured through FileServer object's Settings property. It uses events such as Authentication and hosts SFTP and SCP subsystems.

Use FileServer.Settings.SshParameters object to specify various settings:

CSharp

// get SSH parameters object
SshParameters par = server.Settings.SshParameters;

// allow both DSS and RSA
par.HostKeyAlgorithms = SshHostKeyAlgorithm.DSS |
                        SshHostKeyAlgorithm.RSA;

// when the server supports both, prefer RSA
par.PreferredHostKeyAlgorithm = SshHostKeyAlgorithm.RSA;

// only allow AES and Twofish
par.EncryptionAlgorithms = SshEncryptionAlgorithm.AES |
                           SshEncryptionAlgorithm.Twofish;

VisualBasic

' get SSH parameters object
Dim par As SshParameters = server.Settings.SshParameters

' allow both DSS and RSA
par.HostKeyAlgorithms = SshHostKeyAlgorithm.DSS Or SshHostKeyAlgorithm.RSA

' when the server supports both, prefer RSA
par.PreferredHostKeyAlgorithm = SshHostKeyAlgorithm.RSA

' only allow AES and Twofish
par.EncryptionAlgorithms = SshEncryptionAlgorithm.AES Or SshEncryptionAlgorithm.Twofish

SSH ciphers #

Rebex File Server's SSH module supports a number of security algorithms:

  • Encryption Algorithms (AES, Triple DES, Twofish, Blowfish, RC4).
  • Encryption Modes (CBC, CTR).
  • Host Key Algorithms (RSA, DSS, ECDSA, EdDSA).
  • Key Exchange Algorithms (Diffie-Hellman or Elliptic Curve Diffie-Hellman).
  • MAC Algorithms (MD5, SHA-1, SHA-2).

Use FileServer.Settings.SshParameters property to specify all kinds of SSH ciphers:

Key Exchange Ciphers

Use SshParameters.KeyExchangeAlgorithms property to enable/disable whole categories of key exchange ciphers. If you need more control over key exchange ciphers, use SshParameters.SetKeyExchangeAlgorithms(...) method to specify supported ciphers in order of preference. The following table lists supported key exchange ciphers:

Cipher ID Key length Description Note
diffie-hellman-group1-sha1 1024 bits Diffie Hellman with Oakley Group 2 and SHA-1 hash Available on all platforms. Insecure. Disabled by default.
diffie-hellman-group14-sha1 2048 bits Diffie Hellman with Oakley Group 14 and SHA-1 hash Available on all* platforms.
diffie-hellman-group-exchange-sha1 Negotiated Diffie Hellman with group exchange and SHA-1 hash Available on all* platforms.
diffie-hellman-group-exchange-sha256 Negotiated Diffie Hellman with group exchange and SHA-256 hash Available on all* platforms.
ecdh-sha2-nistp256 256 bits Elliptic Curve Diffie Hellman with NIST P-256 curve and SHA-256 hash External plugin required.
ecdh-sha2-nistp384 384 bits Elliptic Curve Diffie Hellman with NIST P-384 curve and SHA-384 hash External plugin required.
ecdh-sha2-nistp521 521 bits Elliptic Curve Diffie Hellman with NIST P-521 curve and SHA-512 hash External plugin required.
curve25519-sha256@libssh.org 256 bits Elliptic Curve Diffie-Hellman on Curve25519 with SHA-256 hash Plugin required.

Host Key Algorithms

Use SshParameters.HostKeyAlgorithms property to enable/disable whole categories of key exchange ciphers. If you need more control over key exchange ciphers, use SshParameters.SetHostKeyAlgorithms(...) method to specify supported ciphers in order of preference. The following table lists supported key exchange ciphers:

Cipher ID Description Note
ssh-dss NIST Digital Signature Algorithm (DSA) with SHA-1 hash Available on all platforms.
ssh-rsa RSA with SHA-1 hash Available on all platforms.
ssh-rsa-sha256@ssh.com RSA with SHA-256 hash Available on all platforms.
x509v3-sign-rsa-sha256@ssh.com X509 certificate with RSA and SHA-256 hash Available on all platforms.
x509v3-sign-rsa X509 certificate with RSA and SHA-1 hash Available on all platforms.
x509v3-sign-dss X509 certificate with DSA and SHA-1 hash Available on all platforms.
ecdsa-sha2-nistp256 Elliptic Curve Digital Signature Algorithm (ECDSA) on NIST P-256 curve with SHA-256 hash External plugin required.
ecdsa-sha2-nistp384 Elliptic Curve Digital Signature Algorithm (ECDSA) on NIST P-384 curve with SHA-384 hash External plugin required.
ecdsa-sha2-nistp521 Elliptic Curve Digital Signature Algorithm (ECDSA) on NIST P-521 curve with SHA-512 hash External plugin required.
ssh-ed25519 Ed25519, an Edwards-curve Digital Signature Algorithm (EdDSA) Plugin required.

Encryption Ciphers

Use SshParameters.EncryptionAlgorithms and SshParameters.EncryptionModes properties to enable/disable whole categories of encryption ciphers. If you need more control over encryption ciphers, use SshParameters.SetEncryptionAlgorithms(...) method to specify supported ciphers in order of preference. The following table lists supported encryption ciphers:

Cipher ID Description Note
aes256-ctr AES in CTR mode with 256-bit key
aes192-ctr AES in CTR mode with 192-bit key
aes128-ctr AES in CTR mode with 128-bit key
aes256-cbc AES in CBC mode with 256-bit key
aes192-cbc AES in CBC mode with 192-bit key
aes128-cbc AES in CBC mode with 128-bit key
3des-ctr TripleDES in CTR mode
3des-cbc TripleDES in CBC mode
twofish256-ctr Twofish in CTR mode with 256-bit key
twofish192-ctr Twofish in CTR mode with 192-bit key
twofish128-ctr Twofish in CTR mode with 128-bit key
twofish256-cbc Twofish in CBC mode with 256-bit key
twofish192-cbc Twofish in CBC mode with 192-bit key
twofish128-cbc Twofish in CBC mode with 128-bit key
twofish-cbc Twofish in CBC mode with 256-bit key Disabled by default.
blowfish-ctr Twofish in CTR mode with 256-bit key Disabled by default.
blowfish-cbc Blowfish in CBC mode with 128-bit key Disabled by default.
arcfour256 ArcFour (RC4) stream cipher (with discard step) with 256-bit key Disabled by default.
arcfour128 ArcFour (RC4) stream cipher (with discard step) with 128-bit key Disabled by default.
arcfour ArcFour (RC4) stream cipher with 128-bit key Disabled by default.

MAC Ciphers

Use SshParameters.MacAlgorithms property to enable/disable whole categories of message authentication code (MAC) ciphers. If you need more control over MAC ciphers, use SshParameters.SetMacAlgorithms(...) method to specify supported ciphers in order of preference. The following table lists supported MAC ciphers:

Cipher ID Description Note
hmac-sha2-256 SHA-256
hmac-sha2-512 SHA-512
hmac-sha1 SHA-1
hmac-md5 MD5 Disabled by default.

* Might be very slow on legacy Windows CE platforms