Rebex File Server
SFTP, SCP and SSH server library for .NET
Download 30-day free trial Buy from $349More .NET libraries
-
Rebex SFTP
.NET SFTP client
-
Rebex FTP/SSL
.NET FTP/SSL client
-
Rebex Total Pack
All Rebex libraries together
Back to feature list...
SSH server
On this page:
Rebex File Server can be used to easily add SSH server capabilities to your .NET application, no matter whether you use C#, VB.NET or any other .NET language:
// create a server instance
var server = new FileServer();
// bind virtual shell to port 22
server.Bind(22, FileServerProtocol.Shell);
// load a server private key from encrypted 'serverkey.ppk' file
server.Keys.Add(new SshPrivateKey("server-key.ppk", "password"));
// add a user with clean shell with only one command ('exit')
// use ShellCommand event to handle commands issued by the client
server.Users.Add("user01", "password");
// start the server in the background
server.Start();
' create a server instance
Dim server = New FileServer()
' bind virtual shell to port 22
server.Bind(22, FileServerProtocol.Shell)
' load a server private key from encrypted 'serverkey.ppk' file
server.Keys.Add(New SshPrivateKey("server-key.ppk", "password"))
' add a user with clean shell with only one command ('exit')
' use ShellCommand event to handle commands issued by the client
server.Users.Add("user01", "password")
' start the server in the background
server.Start()
See also
SSH subsystems
The SSH module hosts SFTP, shell (SCP) and tunneling subsystems.
The 'SCP/shell' subsystem provides "shell" and "exec" subsystems that implement simple shell commands to access the server's virtual filesystem.
This makes it possible to access it with SSH clients such as PuTTY, SCP clients
such as WinSCP, and of course with standard SSH ssh and scp commands.
SCP support and built-in commands can be disabled, making it simple to implement a custom shell.
SSH shell
The virtual shell environment offers two different shells:
Empty shell
ShellType.Empty is a clean, minimalist shell which only supports one predefined command - exit.
It can be easily extended to handle any custom command using the
ShellCommand event.
// creates a user with shell with only one command: 'exit'
// use ShellCommand event to handle custom commands
server.Users.Add("user", "password", ShellType.Empty);
// creates a user with same empty shell
// and set users home director (e.g. for SFTP access)
server.Users.Add("user", "password", @"c:\home\user", ShellType.Empty);
' creates a user with shell with only one command 'exit'
' use ShellCommand event to handle custom commands
server.Users.Add("user", "password", ShellType.Empty)
' creates a user with same empty shell
' And set users home director (e.g. for SFTP access)
server.Users.Add("user", "password", "c:\home\user", ShellType.Empty)
Virtual shell with SCP support
ShellType.Scp shell features built-in commands to access the virtual file system and also supports the SCP protocol.
This virtual shell environment can be easily extended by implementing additional commands. Even the built-in commands can be redefined to provide custom functionality, making it simple to use Rebex File Server as an SSH server that can be accessed by SSH client applications.
This makes it possible (for example) to simulate a simple Unix-like environment on Windows platforms for third-party applications and utilities designed to work with SSH and a Unix-like OS. See the Custom commands section for details.
// creates a user with shell with scp-related commands predefined
server.Users.Add("user", "password", @"c:\home\user", ShellType.Scp);
' creates a user with shell with scp-related commands predefined
server.Users.Add("user", "password", "c:\home\user", ShellType.Scp)
Automatic shell type detection
When ShellType.Default or no shell type is specified for a user, it will be determined automatically:
Users with access to a virtual file system get Scp shell, users with no file system get Empty shell.
// creates a user with shell with scp-related commands predefined
server.Users.Add("user", "password", @"c:\home\user", ShellType.Default);
server.Users.Add("user", "password", @"c:\home\user"); // same as above
// creates a user with an empty shell
server.Users.Add("user", "password", ShellType.Default);
server.Users.Add("user", "password"); // same as above
' creates a user with shell with scp-related commands predefined
server.Users.Add("user", "password", "c:\home\user", ShellType.Default)
server.Users.Add("user", "password", "c:\home\user") ' same As above
' creates a user with an empty shell
server.Users.Add("user", "password", ShellType.Default)
server.Users.Add("user", "password") ' same As above
Custom commands
It's very simple to implement custom commands for SSH "shell" and "exec" subsystems provided by the 'shell (SCP) subsystem'. Just write a ShellCommand event handler:
// implement several simple custom shell commands
server.ShellCommand += (sender, e) =>
{
switch (e.Command)
{
case "date":
e.WriteLine(DateTime.UtcNow);
break;
case "say":
e.WriteLine(string.Join(" ", e.Arguments));
break;
case "fail":
e.WriteLine("Command failed.");
e.ExitCode = 1;
break;
}
};
' implement several simple custom shell commands
AddHandler server.ShellCommand,
Sub(sender, e)
Select Case e.Command
Case "date"
e.WriteLine(DateTime.UtcNow)
Exit Select
Case "say"
e.WriteLine(String.Join(" ", e.Arguments))
Exit Select
Case "fail"
e.WriteLine("Command failed.")
e.ExitCode = 1
Exit Select
End Select
End Sub
Alternatively, to implement commands that need to interact with the user or take a long time to complete, use the Action property:
// implement a complex command
server.ShellCommand += (sender, e) =>
{
if (e.Command == "hello")
{
e.Action = (args, console) =>
{
// clear the terminal screen
console.Clear();
// ask a question and wait for answer
console.WriteLine("Enter your name: ");
string name = console.ReadLine();
// say hello
console.WriteLine("Hello, {0}!", name);
// exit code
return 0;
};
}
};
' implement a complex command
AddHandler server.ShellCommand,
Sub(sender, e)
If e.Command = "hello" Then
e.Action =
Function(args, console)
' clear the terminal screen
console.Clear()
' ask a question and wait for answer
console.WriteLine("Enter your name: ")
Dim name As String = console.ReadLine()
' say hello
console.WriteLine("Hello, {0}!", name)
' exit code
Return 0
End Function
End If
End Sub
SSH settings
The SSH module is tightly integrated into Rebex File Server. It can be configured through FileServer object's
Settings property.
It uses events such as Authentication
and hosts SFTP and SCP subsystems.
Use FileServer.Settings.SshParameters object to specify various settings:
// get SSH parameters object SshParameters par = server.Settings.SshParameters; // only allow SHA-2 MAC ciphers par.MacAlgorithms = SshMacAlgorithm.SHA256 | SshMacAlgorithm.SHA512; // only allow AES and Chacha20/Poly1305 ciphers par.EncryptionAlgorithms = SshEncryptionAlgorithm.AES | SshEncryptionAlgorithm.Chacha20Poly1305;
' get SSH parameters object Dim par As SshParameters = server.Settings.SshParameters ' only allow SHA-2 MAC ciphers par.MacAlgorithms = SshMacAlgorithm.SHA256 Or SshMacAlgorithm.SHA512 ' only allow AES And Chacha20/Poly1305 ciphers par.EncryptionAlgorithms = SshEncryptionAlgorithm.AES Or SshEncryptionAlgorithm.Chacha20Poly1305
SSH ciphers
Rebex File Server's SSH module supports a number of security algorithms:
- Encryption algorithms (AES, AES/GCM, ChaCha20/Poly1305, Triple DES, Twofish, Blowfish, RC4).
- Encryption modes (CBC, CTR, AEAD).
- Host key algorithms (RSA, DSS, ECDSA, EdDSA).
- Key exchange algorithms (Diffie-Hellman or Elliptic Curve Diffie-Hellman).
- MAC algorithms (SHA-2, SHA-1, MD5).
Use FileServer.Settings.SshParameters property to specify all kinds of SSH ciphers:
Key Exchange Ciphers
Use SshParameters.KeyExchangeAlgorithms property to enable/disable whole categories of key exchange ciphers.
If you need more control over key exchange ciphers, use SshParameters.SetKeyExchangeAlgorithms(...) method to specify supported ciphers in order of preference.
The following table lists supported key exchange ciphers:
| Cipher ID | Key length | Description | Note |
|---|---|---|---|
| diffie-hellman-group-exchange-sha256 | Negotiated | Diffie Hellman with group exchange and SHA-256 hash | Available on all* platforms. |
| diffie-hellman-group16-sha512 | 4096 bits | Diffie Hellman with Oakley Group 16 and SHA-512 hash | Available on all* platforms. |
| diffie-hellman-group15-sha512 | 3072 bits | Diffie Hellman with Oakley Group 15 and SHA-512 hash | Available on all* platforms. |
| diffie-hellman-group14-sha256 | 2048 bits | Diffie Hellman with Oakley Group 14 and SHA-256 hash | Available on all* platforms. |
| diffie-hellman-group-exchange-sha1 | Negotiated | Diffie Hellman with group exchange and SHA-1 hash | Available on all* platforms. |
| diffie-hellman-group14-sha1 | 2048 bits | Diffie Hellman with Oakley Group 14 and SHA-1 hash | Available on all* platforms. |
| diffie-hellman-group1-sha1 | 1024 bits | Diffie Hellman with Oakley Group 2 and SHA-1 hash | Available on all platforms. Insecure. Disabled by default. |
| ecdh-sha2-nistp256 | 256 bits | Elliptic Curve Diffie Hellman with NIST P-256 curve and SHA-256 hash | Available on Windows 10/11, Windows Server 2016/2019/2022 and on Linux with .NET Core 2.1 or later. External plugin needed for other platforms. |
| ecdh-sha2-nistp384 | 384 bits | Elliptic Curve Diffie Hellman with NIST P-384 curve and SHA-384 hash |
Available on Windows 10/11, Windows Server 2016/2019/2022 and on Linux with .NET Core 2.1 or later. External plugin needed for other platforms.
Disabled by default. |
| ecdh-sha2-nistp521 | 521 bits | Elliptic Curve Diffie Hellman with NIST P-521 curve and SHA-512 hash |
Available on Windows 10/11, Windows Server 2016/2019/2022 and on Linux with .NET Core 2.1 or later. External plugin needed for other platforms.
Disabled by default. |
| ecdh-sha2-1.3.132.0.10 | 256 bits | Elliptic Curve Diffie Hellman with secp256k1 curve and SHA-256 hash |
Available on Windows 10/11 and Windows Server 2016/2019/2022.
Disabled by default. |
| curve25519-sha256 (curve25519-sha256@libssh.org) |
256 bits | Elliptic Curve Diffie-Hellman on Curve25519 with SHA-256 hash | Available on Windows 10/11 and Windows Server 2016/2019/2022. External plugin needed for other platforms. |
Host Key Algorithms
Use SshParameters.HostKeyAlgorithms property to enable/disable whole categories of host key algorithms.
If you need more control over host key algorithms, use SshParameters.SetHostKeyAlgorithms(...) method to specify supported algorithms in order of preference.
The following table lists supported host key algorithms:
| Algorithm ID | Description | Note |
|---|---|---|
| rsa-sha2-256 | RSA with SHA-256 hash | Available on all platforms. |
| rsa-sha2-512 | RSA with SHA-512 hash | Available on all platforms. |
| ssh-dss | NIST Digital Signature Algorithm (DSA) with SHA-1 hash | Available on all platforms. |
| ssh-rsa | RSA with SHA-1 hash | Available on all platforms. |
| ssh-rsa-sha256@ssh.com | RSA with SHA-256 hash | Available on all platforms. |
| x509v3-rsa2048-sha256 | X.509 certificate with RSA (2048-bit or larger key) and SHA-256 hash | Available on all platforms. |
| x509v3-sign-rsa-sha256@ssh.com | X.509 certificate with RSA and SHA-256 hash | Available on all platforms. |
| x509v3-sign-rsa | X.509 certificate with RSA and SHA-1 hash | Available on all platforms. |
| x509v3-sign-dss | X.509 certificate with DSA and SHA-1 hash | Available on all platforms. |
| ssh-ed25519 | Ed25519, an Edwards-curve Digital Signature Algorithm (EdDSA) | Available on all platforms. |
| ecdsa-sha2-nistp256 | Elliptic Curve Digital Signature Algorithm (ECDSA) on NIST P-256 curve with SHA-256 hash | Available on Windows** and on Linux with .NET Core 2.1 or later. External plugin needed for other platforms. |
| ecdsa-sha2-nistp384 | Elliptic Curve Digital Signature Algorithm (ECDSA) on NIST P-384 curve with SHA-384 hash |
Available on Windows** and on Linux with .NET Core 2.1 or later. External plugin needed for other platforms.
Disabled by default. |
| ecdsa-sha2-nistp521 | Elliptic Curve Digital Signature Algorithm (ECDSA) on NIST P-521 curve with SHA-512 hash |
Available on Windows** and on Linux with .NET Core 2.1 or later. External plugin needed for other platforms.
Disabled by default. |
| ecdsa-sha2-1.3.132.0.10 | Elliptic Curve Digital Signature Algorithm (ECDSA) on secp256k1 curve with SHA-256 hash |
Available on Windows 10/11 and Windows Server 2016/2019/2022.
Disabled by default. |
| x509v3-ecdsa-sha2-nistp256 | X.509 certificate with Elliptic Curve Digital Signature Algorithm (ECDSA) on NIST P-256 curve with SHA-256 hash | Available on Windows** and on Linux with .NET Core 2.1 or later. External plugin needed for other platforms. |
| x509v3-ecdsa-sha2-nistp384 | X.509 certificate with Elliptic Curve Digital Signature Algorithm (ECDSA) on NIST P-384 curve with SHA-384 hash |
Available on Windows** and on Linux with .NET Core 2.1 or later. External plugin needed for other platforms.
Disabled by default. |
| x509v3-ecdsa-sha2-nistp521 | X.509 certificate with Elliptic Curve Digital Signature Algorithm (ECDSA) on NIST P-521 curve with SHA-512 hash |
Available on Windows** and on Linux with .NET Core 2.1 or later. External plugin needed for other platforms.
Disabled by default. |
Encryption Ciphers
Use SshParameters.EncryptionAlgorithms and SshParameters.EncryptionModes properties to enable/disable whole categories of encryption ciphers.
If you need more control over encryption ciphers, use SshParameters.SetEncryptionAlgorithms(...) method to specify supported ciphers in order of preference.
The following table lists supported encryption ciphers:
| Cipher ID | Description | Note |
|---|---|---|
| aes256-gcm@openssh.com | AES in GCM mode with 256-bit key | |
| aes128-gcm@openssh.com | AES in GCM mode with 128-bit key | |
| chacha20-poly1305@openssh.com | ChaCha20/Poly1305 AEAD cipher with 256-bit key | |
| aes256-ctr | AES in CTR mode with 256-bit key | |
| aes192-ctr | AES in CTR mode with 192-bit key | |
| aes128-ctr | AES in CTR mode with 128-bit key | |
| aes256-cbc | AES in CBC mode with 256-bit key | |
| aes192-cbc | AES in CBC mode with 192-bit key | |
| aes128-cbc | AES in CBC mode with 128-bit key | |
| 3des-ctr | TripleDES in CTR mode | |
| 3des-cbc | TripleDES in CBC mode | |
| twofish256-ctr | Twofish in CTR mode with 256-bit key | |
| twofish192-ctr | Twofish in CTR mode with 192-bit key | |
| twofish128-ctr | Twofish in CTR mode with 128-bit key | |
| twofish256-cbc | Twofish in CBC mode with 256-bit key | |
| twofish192-cbc | Twofish in CBC mode with 192-bit key | |
| twofish128-cbc | Twofish in CBC mode with 128-bit key | |
| twofish-cbc | Twofish in CBC mode with 256-bit key | |
| blowfish-ctr | Twofish in CTR mode with 256-bit key | Disabled by default. |
| blowfish-cbc | Blowfish in CBC mode with 128-bit key | Disabled by default. |
| arcfour256 | ArcFour (RC4) stream cipher (with discard step) with 256-bit key | Disabled by default. |
| arcfour128 | ArcFour (RC4) stream cipher (with discard step) with 128-bit key | Disabled by default. |
| arcfour | ArcFour (RC4) stream cipher with 128-bit key | Disabled by default. |
MAC Ciphers
Use SshParameters.MacAlgorithms property to enable/disable whole categories of message authentication code (MAC) ciphers.
If you need more control over MAC ciphers, use SshParameters.SetMacAlgorithms(...) method to specify supported ciphers in order of preference.
The following table lists supported MAC ciphers:
| Cipher ID | Description | Note |
|---|---|---|
| hmac-sha2-256-etm@openssh.com | SHA-256 (ETM mode) | |
| hmac-sha2-256 | SHA-256 | |
| hmac-sha2-512-etm@openssh.com | SHA-512 (ETM mode) | |
| hmac-sha2-512 | SHA-512 | |
| hmac-sha1 | SHA-1 | |
| hmac-md5 | MD5 | Disabled by default. |
| hmac-sha1-96 | SHA-1 (trimmed to 96 bits) | Disabled by default. |
| hmac-md5-96 | MD5 (trimmed to 96 bits) | Disabled by default. |
* Might be very slow on legacy Windows CE platforms
** Windows Vista and higher, or Windows Embedded Compact 2013
Back to feature list...