Customize a NanoSSH client implementation
After building and verifying the NanoSSH Client example code, the NanoSSH Client implementation may be customized. This section explains how to enable debugging messages, select particular authentication and encryption methods, optimize performance, and more.
This section provides information about the following topics:
Required features and mutually exclusive features
Every NanoSSH Client must include at least one enabled authentication method. See the following sections:
List of customizable features
This section describes the features that may be added to the NanoSSH Client. For each feature’s section, there is a description of the feature, background information to help with the decision of how to use the feature, and information about which flags, callback functions, and API methods are needed to implement the feature.
Implementation sequence
The quickest path to an up-and-running NanoSSH application is to first turn on basic NanoSSH example code, build it, and then verify communications. Then the example code may be customized or integrated application by adding features one at a time (by defining the appropriate flags). That is, do not define many unrelated flags at once, but use a staged approach:
Turn on NanoSSH Client and the desired NanoSSH example code, and build the example use case, and validate that it runs (see Use Case Examples).
Turn on debugging code (see Enabling Debug Messages).
Customize the code to turn on additional features (see List of Customizable Features).
Add FIPS (see Adding FIPS).
Process overview
The steps below describe the tasks required to implement a TrustCore SDK NanoSSH Client shell.
Define any necessary flags for the implementation. This involves editing the
moptions.h
file to include the applicable flags. See ???.Add function calls within the application code to initialize and shut down TrustCore SDK. Additionally, set up threads for any TrustCore SDK components that require it. See Initializing TrustCore SDK Code.
Add code within the application to configure the NanoSSH Client. This includes setting up communication, initializing the session manager, and configuring the internal structures. See Use case examples.
Replace stub functions with custom routines modeled on the NanoSSH Client example code. Ensure all function pointers are defined in the
sshClientSettings
structure, and register the necessary callbacks. See the Callback functions section in the applicable feature documentation.Include any additional function calls required for specific features of the NanoSSH Client.
Add code to reclaim device resources and NanoSSH Client resources when necessary. See Use case examples.
Once all code is added and configured, rebuild the NanoSSH Client to integrate the new implementation. See Build a NanoSSH Client executable.
Enable debug messages
DigiCert TrustCore SDK code includes extensive debugging messages to help with integration efforts. DigiCert may also ask for debugging to be enabled if support is contacted with any technical questions.
The debug log messages may be sent to stdout, a telnet console, or a customized platform-specific interface.
Applicability
Debugging may be enabled for any NanoSSH Client example code or customized implementation.
Flags
To enable debug messages, define the appropriate flags in Table 8 below (depending on where to send the debug output) and rebuild the executable(s). Table 8: Debug Flags
Flag | Description |
---|---|
__ENABLE_ALL_DEBUGGING__ | Displays extensive debug information from all TrustCore SDK modules to the debug console. |
__ENABLE_CUSTOM_DEBUG_CONSOLE_DEFS__ | Enables the use of custom debug console functions in place of the TrustCore SDK debug console. This is generally unnecessary as the standard debug console may be used to view all debug output. |
__ENABLE_MOCANA_DEBUG_CONSOLE__ | Enables the TrustCore SDK debug console, which logs debugging information to stdout or (if __MOCANA_DUMP_CONSOLE_TO_STDOUT__ is not defined) to a telnet port. |
__ENABLE_MOCANA_DEBUG_MEMORY__ | Enables the TrustCore SDK memory leak debugger, which detects memory leaks, double frees, and other memory issues. File and line for every call to malloc and free are recorded. |
__MOCANA_DUMP_CONSOLE_TO_STDOUT__ | Sends enabled debug messages to stdout. |
__ENABLE_MOCANA_SSH_CHANNEL_ID_DEBUG__ | Enables inclusion of channel Id in NanoSSH (client and server) debug and log messages. |
MOCANA_DEBUG_CONSOLE_PORT | (Default = 4097) Port number to which enabled debug messages are sent (if __MOCANA_DUMP_CONSOLE_TO_STDOUT__ is not defined). |
Callback Functions
No callback functions necessary to use the TrustCore SDK debug messages.
API Methods
No API calls required to receive TrustCore SDK debug messages on stdout or a telnet port; simply define the appropriate debug flags, rebuild the executable, and run it. If the TrustCore SDK memory leak debugger has been enabled by defining the __ENABLE_MOCANA_DEBUG_MEMORY__
flag, the application code should call dbg_dump()
whenever a dump of the accumulated memory debug messages (calls to malloc and free) needs to be viewed.
Selecting a host authentication method
NanoSSH Client supports public key and password authentication, so which should be used? Although public keys and passwords are both transmitted over a secure channel, it is better to use public keys to eliminate the problems inherent in password-based systems (that is, systems that rely on user names and passwords for access authorization) for the following reasons:
Authorized usernames and passwords are frequently obtained from the users themselves because users often record their passwords so they are not forgotten or even deliberately shared with someone else. Because private keys are stored electronically and handled by client applications (not users), users are very unlikely to share those private keys.
User names and passwords, often sent in clear text over the wire, are all that is needed to access password-based systems. Public keys function with private keys, which are not sent over the wire.
Many passwords are chosen to be easy to remember or limited to only eight (or even fewer) characters, leaving them vulnerable to dictionary attacks. A certificate’s cryptographic keys are random in nature and are hundreds or even thousands of bits long, making them invulnerable to dictionary attacks.
Although NanoSSH Client supports the none authentication method in accordance with RFC 4252, using “none” is strongly discouraged because it lets anyone successfully log in without authentication.
As an alternative to transmitting either public keys or passwords, certificates may be used; see Using Certificates.
Applicability
Public key or password authentication may be enabled for any NanoSSH Client implementation.
Flags
No flags are required to choose between public key and password authentication.
Callback Functions
To select the desired authentication method (public key or password), customize the sshClientSettings->funcPtrRetrieveUserAuthRequestInfo callback function in the code. For the client application to query the server for supported algorithms (by sending Signature = FALSE), define sshClientSettings->funcPtrRetrieveUserAuthRequestInfoEx handler instead to allow the application to control the authentication request by explicitly setting SendSignature to TRUE or FALSE. The funcPtrRetrieveUserAuthRequestInfoEx overrides the funcPtrRetrieveUserAuthRequestInfo callback. These callback(s) function is invoked when an SSH server (NanoSSH or any other SSH server) requests that the NanoSSH Client authenticate itself. Callback registration happens at session creation and initialization by assigning a custom callback function, which may have any name, to this callback pointer.
The following example shows a typical implementation.
static int SSHC_EXAMPLE_userAuthRequestInfoUpcall(int connectionInstance, unsigned char **ppUserName, unsigned int *pUserNameLength, unsigned int *pMethod) { /* MY credentials for logging on to a remote server */ int status = 0; MOC_UNUSED(connectionInstance); /* return username, can use different usernames for each logon attempt */ *ppUserName = (unsigned char*)sshc_exampleUserName; *pUserNameLength = (sizeof(sshc_exampleUserName) - 1); /* return authentication method type, possible to use different authentication method for each logon attempt */ *pMethod = MOCANA_SSH_AUTH_PASSWORD; /* or MOCANA_SSH_AUTH_PUBLIC_KEY */ return status; } main { /* other initialization */ SSHC_sshClientSettings()->funcPtrRetrieveUserAuthRequestInfo = SSHC_EXAMPLE_userAuthRequestInfoUpcall; /* main functionality */ SSHC_shutdown(); return; }
API Methods
No API methods are required to choose between public key and password authentication.
Use password authentication
Using password authentication in a NanoSSH Client implementation is a simple process:
Customize the sshClientSettings->funcPtrRetrieveUserAuthRequestInfo callback as described in Selecting a Host Authentication Method. Be sure to assign a value of MOCANA_SSH_AUTH_PASSWORD to the pMethod parameter.
Set up and register the sshClientSettings->funcPtrRetrieveUserPassword callback function as described below.
Rebuild the executable(s).
Applicability
Password authentication may be used for any NanoSSH Client implementation.
Flags
No flags are required to use password authentication.
Callback Functions
The sshClientSettings->funcPtrRetrieveUserPassword callback is invoked when an SSH server (NanoSSH or any other SSH server) requests authentication; it should return the user’s password and its length. Callback registration happens at session creation and initialization by assigning a custom callback function, which may have any name, to this callback pointer.
The following example shows a typical implementation.
static int SSHC_EXAMPLE_userPasswordUpcall(int connectionInstance, unsigned char *pUserName, unsigned int userNameLength, unsigned char **ppUserPassword, unsigned int *pUserPasswordLength) { /* MY credentials for logging on to a remote server */ MOC_UNUSED(connectionInstance); MOC_UNUSED(pUserName); MOC_UNUSED(userNameLength); /* return password for simple username/password authentication */ *ppUserPassword = (unsigned char*)sshc_examplePassword; *pUserPasswordLength = strlen(sshc_examplePassword); return 0; } main { /* other initialization */ SSHC_sshClientSettings()->funcPtrRetrieveUserPassword = SSHC_EXAMPLE_userPasswordUpcall; /* main functionality */ SSHC_shutdown(); return; }
API Methods
No API methods are required to use password authentication.
Disable password authentication
To disable password authentication in a NanoSSH Client application, a different authentication method (public key or certificates) must be enabled:
Public key: Follow the instructions in Selecting a Host Authentication Method, and assign any valid value to the pMethod parameter, except MOCANA_SSH_AUTH_PASSWORD.
Certificates: See Using Certificates.
Applicability
Password authentication is not required for any NanoSSH Client implementation.
Flags
No flag definitions are required to disable password authentication.
Callback Functions
To disable password authentication, the pMethod parameter of the sshClientSettings->funcPtrRetrieveUserAuthRequestInfo callback function must be set to anything other than MOCANA_SSH_AUTH_PASSWORD. When password authentication is disabled, it does not matter whether the sshClientSettings->funcPtrRetrieveUserPassword callback function is registered because it is not used.
API Methods
No API methods are required to disable password authentication.
Add public key authentication
Before enabling public key authentication, decide which key encryption methods are to be allowed. TrustCore SDK NanoSSH supports DSA, RSA, ECDSA, and EDDSA public keys, so which one should be used?
If the application must be FIPS certified or requires Suite B support, use ECDSA; otherwise, choose between RSA and DSA. RSA is significantly faster than DSA, typically by a factor of three. So if using the NanoSSH Client or another client known to support RSA, use it; otherwise, use DSA or ECDSA. If there are no external requirements, all the key encryption methods may be enabled for maximum interoperability.
Note: Per the SSH protocol definition, RSA support is optional; therefore, some clients require DSA to be used To add public key authentication:
Customize the sshClientSettings >funcPtrRetrieveUserAuthRequestInfo callback as described in Selecting a Host Authentication Method. Be sure to assign a value of MOCANA_SSH_AUTH_PUBLIC_KEY to the pMethod parameter.
Define the compilation flags (described in Flags).
Set up and register the necessary callbacks (described in Callback Functions).
Rebuild executable(s).
Applicability
Public key authentication and any key encryption method may be used in any NanoSSH Client implementation.
Flags
To enable a key encryption method, define the appropriate compilation flags:
RSA: Define the following flag:
__ENABLE_MOCANA_SSH_RSA_SUPPORT__
DSA: Define the following flags:
__ENABLE_MOCANA_DSA__
__ENABLE_MOCANA_SSH_DSA_SUPPORT__
ECDSA: Define the following flag:
__ENABLE_MOCANA_ECC__
If more than one encryption method is enabled for NanoSSH Client and also offered by the SSH server (NanoSSH or any other SSH server), the first match in the internal NanoSSH Client structure, mHostKeySuites, is the one that is chosen.
ECDSA
RSA/ECDSA certificates
DSA
RSA certificates
ECDSA certificates
Note: If the SSH server offers certificate support but certificates are not used, be sure that the
__ENABLE_MOCANA_SSH_X509V3_SIGN_SUPPORT__
flag is not enabled. If this flag is defined, certificates are chosen instead of straightpublic key authentication.
Callback Functions
To add public key authentication, customize and register the following callback functions:
sshClientSettings >funcPtrServerPubKeyAuth: Invoked during connection establishment; it should verify that the provided public key is on record, compare the provided and on-file keys, and return TRUE or FALSE to indicate whether the keys match. If they match, the key is valid.
sshClientSettings >funcPtrRetrieveNakedAuthKeys: Invoked when the NanoSSH Client needs to authenticate itself to an SSH server using public key authentication; it should return the key blob containing the public and private keys from the public and private authorization key files, respectively; tTherefore, NanoSSH Client must have access to the client’s unique key.
sshClientSettings >funcPtrReleaseNakedAuthKeys: Invoked after a call to sshClientSettings >funcPtrRetrieveNakedKeys, it should release (free) the memory allocated for the public and private keys that were retrieved by the sshClientSettings >funcPtrRetrieveNakedKeys call.
Callback registration happens at session creation and initialization by assigning a custom callback function, which may have any name, to this callback pointer.
The following examples show typical implementations for the required callbacks.
code listing (funcPtrServerPubKeyAuth)
static int SSHC_EXAMPLE_serverPubKeyAuthUpcall(int connectionInstance, const unsigned char *pPubKey, unsigned int pubKeyLength) { ubyte* pStoredHostPublicKey = NULL; ubyte4 storedHostPublicKeyLength; sbyte4 result = 0; MOC_UNUSED(connectionInstance); ubyte* pSerializedKey = NULL; ubyte4 serializedKeyLength = 0; ubyte* pEncodedKey = NULL; ubyte4 encodedKeyLength = 0; AsymmetricKey asymKey = { 0 }; AsymmetricKey asymKey2 = { 0 }; /* The SSH Client will only call this function, if the server's */ /* public key matched the signature provided. We need to now */ /* verify that the public key is an acceptable public key (i.e. on record) */ /* we would want to extract the server's IP address from connectionInstance */ /* then use that to look up the appropriate host key stored file */ /* make sure the server provided pubkey matches a public key on file */ if (0 == MOCANA_readFile(AUTH_KEYFILE_NAME, &pStoredHostPublicKey, &storedHostPublicKeyLength)) { if (OK > SSHC_parseServerAuthKeyFile(pStoredHostPublicKey, storedHostPublicKeyLength, &asymKey)) goto exit; } else { /* if necessary, do additional checks here */ /* finally, if we do not recognize this IP address we should store the ip address in a file */ /* a simple scheme filename convention: /keys/host/sshc/ip_<ip.ad.dr.ess>.pubkey */ result = 1; /* we made it to the end! */ exit: if (NULL != pStoredHostPublicKey) MOCANA_freeReadFile(&pStoredHostPublicKey); return result; } main { /* other initialization */ SSHC_sshClientSettings()->funcPtrServerPubKeyAuth = SSHC_EXAMPLE_serverPubKeyAuthUpcall; /* main functionality */ SSHC_shutdown(); return; }
code listing (funcPtrRetrieveNakedAuthKeys)
static int SSHC_EXAMPLE_retrieveAuthKeys(int connectionInstance, unsigned char **ppRetKeyBlob, unsigned int *pRetKeyBlobLength) { int status; MOC_UNUSED(connectionInstance); *ppRetKeyBlob = NULL; *pRetKeyBlobLength = 0; if (0 > (status = MOCANA_readFile(KEYBLOB_AUTH_KEY_FILE_NAME, ppRetKeyBlob, pRetKeyBlobLength))) status = ERR_SSH_MISSING_KEY_FILE; return status; } /* SSHC_EXAMPLE_retrieveAuthKeys */ main { /* other initialization */ SSHC_sshClientSettings()->funcPtrRetrieveNakedAuthKeys = SSHC_EXAMPLE_retrieveAuthKeys; /* main functionality */ SSHC_shutdown(); return; }
code listing (funcPtrReleaseNakedAuthKeys)
static sbyte4 SSHC_EXAMPLE_releaseAuthKeys(sbyte4 connectionInstance, ubyte **ppFreeKeyBlob) { MOC_UNUSED(connectionInstance); MOCANA_freeReadFile(ppFreeKeyBlob); return 0; } main { /* other initialization */ SSHC_sshClientSettings()->funcPtrReleaseNakedAuthKeys = SSHC_EXAMPLE_releaseAuthKeys; /* main functionality */ SSHC_shutdown(); return; }
API Methods
No API methods are required to use public key authentication.
Use certificates
Growing numbers of systems are forsaking transmission of public keys and passwords for authentication and are choosing to use certificates instead. Although the certificates themselves contain the same public keys that could be sent directly, using certificates is more secure because:
The system verifies that the user certificate was issued by a trusted CA (certificate authority).
No local database of user public keys is required on the server.
User access may be denied simply by revoking the user’s certificate (via Online Certificate Status Protocol or Certificate Revocation Lists).
To use certificates:
Define compilation flags (see Flags).
Set up and register the necessary callbacks (see Callback Functions).
Rebuild the executable(s).
Applicability
Any implementation may use certificates in place of public keys or passwords for authentication.
Flags
To enable certificate support for NanoSSH Client, define the following flags:
__ENABLE_MOCANA_SSH_X509V3_SIGN_SUPPORT__
__ENABLE_MOCANA_SSH_X509V3_RFC_6187_SUPPORT__
__ENABLE_MOCANA_SSH_CLIENT_CERT_AUTH__
: Enables client certificate authentication.__ENABLE_MOCANA_SSH_SERVER_CERT_AUTH__
: Enables server certificate authentication.__ENABLE_MOCANA_SSH_OCSP_SUPPORT__
: Enables OCSP stapling validation sent by the server.__ENABLE_MOCANA_OCSP_CLIENT__
: Enables OCSP stapling validation sent by the client.
In addition, RSA, DSA, or ECC may be enabled as required using the following flags:
RSA: Define the
__ENABLE_MOCANA_SSH_RSA_SUPPORT__
flagDSA: Define the following flags:
__ENABLE_MOCANA_DSA__
__ENABLE_MOCANA_SSH_DSA_SUPPORT__
ECC: Define the
__ENABLE_MOCANA_ECC__
flag. To disable a particular curve, use the following flags:__DISABLE_MOCANA_ECC_P256__
: Disables P256.__DISABLE_MOCANA_ECC_P384__
: Disables P384.__DISABLE_MOCANA_ECC_P521__
: Disables P521.
Also ensure that the following flags are not defined:
__DISABLE_MOCANA_CERTIFICATE_PARSING__
__DISABLE_MOCANA_CERTIFICATE_GENERATION__
__DISABLE_MOCANA_KEY_GENERATION__
__DISABLE_MOCANA_RSA_SIGN__
Callback Functions
To use certificates, customize and register the following callback functions:
sshClientSettings > funcPtrCertificateStoreVerify
: Verifies that the last certificate or self-signed certificate is trusted. The code may simply memcmp trusted certificates with the provided certificate, or implement a more efficient and rigorous algorithm, such as including a call to the TrustCore SDK certificate management function, CA_MGMT_extractCertDistinguishedName.sshClientSettings > funcPtrCertificateStoreLookup
: Retrieves a certificate from the trusted certificate store based on the provided distinguished name. It is also used by NanoSSL clients when a certificate chain is incomplete.sshClientSettings > funcPtrCertificateStoreRelease
: Releases memory used by a previous call tosshClientSettings > funcPtrCertificateStoreLookup
.
Optionally, the following callback function may also be customized and registered:
sshClientSettings > funcPtrCertificateLeafTest
: Verifies that the leaf (first certificate in a chain) is an acceptable, known certificate.
For detailed information about these callback functions and their parameters, refer to the TrustCore SDK NanoSSH API Reference.
API Methods
No API methods are required to use certificates.
Use the “none” authentication method
The “none” authentication method may be configured, although it is strongly discouraged because it lets anyone successfully log in without authentication, thereby circumventing normal security strategies; however, there might be times when using no authentication may be useful, such as in a testing environment during the build process.
To configure the “none” authentication method:
Define compilation flags (see Flags).
Set up and register the necessary callbacks (see Callback Functions).
Rebuild the executable(s).
Testing the “none” Authentication
One method of testing the “none” authentication method is to configure an SSH server (NanoSSH or any other SSH server) for “none,” build the NanoSSH Client example code (first defining the necessary flags functions, and callbacks, as described above), and then connect the SSH server and client for communications.
On the machine on which the SSH server is running, determine the process ID of the SSH server process(es).
ps -ef | grep ssh
Terminate all the SSH server processes.
killall ssh
Configure the SSH server for the “none” authentication method.
Open the /etc/ssh/sshd_config file for editing.
Change pubkey authentication or password authentication to get required authentications.
Save and close the file.
Restart the SSH server.
Start the NanoSSH Client. OpenSSH supported methods should go in SSH_AUTH_FAILURE message when AUTH_NONE is received.
Applicability
Any implementation may use the “none” authentication method.
Flags
To enable the “none” authentication method for NanoSSH Client, define the following flags:
__ENABLE_MOCANA_SSH_CLIENT_EXAMPLE_AUTH_NONE__
SSHC_EXAMPLE_AUTH_METHOD
MOCANA_SSH_AUTH_NONE
Callback Functions
No callback functions are required to use the “none” authentication method.
API Methods
No API methods are required to use the “none” authentication method.
Configure NanoSSH client
To use the NanoSSH Client, no configuration is required except as explained in the applicable use case example description (see Use Case Examples). Likewise, see the applicable feature section in this section, Customizing a NanoSSH Client Implementation for detailed configuration instructions, including how to define flags and customizing and registering callback functions.
If desired, the NanoSSH Client may be further configured by defining optional flags (see Flags), customizing any of the NanoSSH Client callback functions (see Callback Functions), and assigning custom values to the NanoSSH sshClientSettings fields (see Table 9 below).
Table 9: Configurable sshClientSettings Fields
Field | Description |
---|---|
sshListenPort | Port used for connections. |
sshMaxAuthAttempts | Number of authentication tries allowed before the connection is said to have failed. |
sshMaxConnections | Maximum number of connections to this client. |
sshTimeOutAuthentication | Number of milliseconds the client waits for an authentication response before timing out. |
sshTimeOutDefaultOpenState | Number of milliseconds before timing out for the client to make a request (such as open a shell) after authentication. |
sshTimeOutKeyExchange | Number of milliseconds the client waits for a key exchange before timing out. |
sshTimeOutNewKeys | Number of milliseconds the client waits for new keys before timing out. |
sshTimeOutOpen | Number of milliseconds the client waits for an open session response before timing out. |
sshTimeOutServiceRequest | Number of milliseconds the client waits for a service request response before timing out. |
Flags
The following list of flags in alphabetical order, that may be defined to configure a NanoSSH Client. For detailed flag definition requirements, be sure to see the applicable feature section in this section.
__DISABLE_3DES_CIPHERS__
__DISABLE_AES_CIPHERS__
__DISABLE_AES128_CIPHER__
__DISABLE_AES192_CIPHER__
__DISABLE_AES256_CIPHER__
__DISABLE_ARC2_CIPHERS__
__DISABLE_MOCANA_ECC_P192__
__DISABLE_MOCANA_ECC_P224__
__DISABLE_MOCANA_ECC_P256__
__DISABLE_MOCANA_ECC_P384__
__DISABLE_MOCANA_ECC_P521__
__DISABLE_MOCANA_INIT__
__DISABLE_MOCANA_SSH_COMMON_NAME_CHECK__
__ENABLE_BLOWFISH_CIPHERS__
__ENABLE_MOCANA_AEAD_CIPHER__
__ENABLE_MOCANA_CHACHA20__
__ENABLE_MOCANA_DSA__
__ENABLE_MOCANA_DSA_ALL_KEYSIZE__
__ENABLE_MOCANA_ECC__
__ENABLE_MOCANA_ECC_ED25519__
__ENABLE_MOCANA_EXAMPLES__
__ENABLE_MOCANA_GCM__
__ENABLE_MOCANA_GCM_256B__
__ENABLE_MOCANA_GCM_4K__
__ENABLE_MOCANA_GCM_64K__
__ENABLE_MOCANA_POLY1305__
__ENABLE_MOCANA_SSH_CHANNEL_ID_DEBUG__
__ENABLE_MOCANA_SSH_CLIENT_EXAMPLE__
__ENABLE_MOCANA_SSH_DSA_SUPPORT__
__ENABLE_MOCANA_SSH_FTP_CLIENT__
__ENABLE_MOCANA_SSH_MAX_SESSION_TIME_LIMIT__
__ENABLE_MOCANA_SSH_OLD_DSA_CONVERSION__
__ENABLE_MOCANA_SSH_X509V3_SIGN_SUPPORT__
__ENABLE_MOCANA_SSH_X509V3_RFC_6187_SUPPORT__
__ENABLE_MOCANA_SSH_CLIENT_CERT_AUTH__
__ENABLE_MOCANA_SSH_SERVER_CERT_AUTH__
__ENABLE_MOCANA_SSH_OCSP_SUPPORT__
__ENABLE_MOCANA_OCSP_CLIENT__
__ENABLE_MOCANA_SSH_PING__
__ENABLE_MOCANA_SSH_PORT_FORWARDING__
__ENABLE_MOCANA_SSH_RSA_SUPPORT__
__ENABLE_MOCANA_SSH_SENDER_RECV__
__ENABLE_MOCANA_SSH_STREAM_API__
__ENABLE_MOCANA_SSH_X509V3_SIGN_SUPPORT__
__ENABLE_SSH_VERSION1_SUPPORT__
Applicability
When configuring NanoSSH Client by assigning custom values to the sshClientSettings fields, defining flags, and customizing callback functions, it is important to understand which configuration items correspond to the application’s intended use cases and features. For example, if the __ENABLE_MOCANA_GCM__
flag is defined but do not need Suite B support, the code’s footprint has been created for no gain in functionality.
Callback Functions
As described in this section, the key approach to configuring a NanoSSH Client is to customize and register the appropriate callback functions.
General purpose callbacks: Any of the following NanoSSH Client callback functions may be customized for an application. Registering callbacks entails assigning custom functions to the session callback function pointers (the functions that begin with funcPtr) of the sshClientSettings structure.
funcPtrReleaseNakedAuthKeys
funcPtrRetrieveNakedAuthKeys
funcPtrServerPubKeyAuth
funcPtrRetrieveUserAuthRequestInfo
funcPtrRetrieveUserAuthRequestInfoEx
funcPtrRetrieveUserPassword
funcPtrAuthOpen
funcPtrSessionOpen
funcPtrSessionOpenFail
funcPtrStartTimer
Protocol-specific callbacks: NanoSSH Client tracks synchronous session state by using sshClientSettings callback function pointers that are invoked whenever a new connection state is activated.
There is a single function, sshcProtocolUpcall, that is assigned to every callback function pointer. Do not change this function or any of the protocol-specific callback function pointers.
funcPtrBreakOp
funcPtrClosed
funcPtrEof
funcPtrOpenSftp
funcPtrOpenShell
funcPtrPtyRequest
funcPtrReceivedData
funcPtrStdErr
funcPtrWindowChange
Port forwarding callbacks (see Adding Port Forwarding):
funcPtrLocalPortForwardClosed
funcPtrLocalPortForwardEof
funcPtrLocalPortFwdReceivedData
funcPtrLocalPortFwdSessionOpen
funcPtrLocalPortFwdSessionOpenFail
Certificate support callbacks (see Using Certificates):
funcPtrCertificateChainTest
funcPtrCertificateLeafTest
funcPtrCertificateStoreLookup
funcPtrCertificateStoreRelease
funcPtrCertificateStoreVerify
API Methods
The NanoSSH Client API methods are used to implement desired functionality and features; there are no methods that are strictly for configuration.
Enable shell support
Shell support is automatically included in any NanoSSH Client application. For information about building the NanoSSH Client shell example code, see Using NanoSSH Client for Shell (Remote) Access.
Applicability
The NanoSSH Client may be used any time secure communications are needed between two network devices, such as when logging into a remote machine to execute commands.
Flags
No flag definitions are required to enable shell support; however, flag definitions are required to enable the chosen authentication method. For detailed information, see the applicable sections in this section.
Callback Functions
No callback functions are required to enable NanoSSH Client shell support; however, callback functions need to be customized and registered for the chosen authentication method. For detailed information, see the applicable sections in this section.
API Methods
The following API methods are specific to NanoSSH Client shell support:
SSHC_negotiatePtyTerminalChannelRequest: Sends an SSH PTY command on the specified connection. To start an interactive or scripted shell with a server, this function must be invoked during negotiation on the specified connection.
SSHC_negotiateShellChannelRequest: Sends an SSH shell command on the specified connection. To start an interactive or scripted shell with a server, this function must be invoked during negotiation on the specified connection.
SSHC_sendMessage: Sends data to an SSH server.
SSHC_recvMessage: Retrieves data from a connected server/client. It should not be called until an SSH connection is established between the client and server.
SSHC_setTerminalTextWindowSize: Resizes a client terminal window’s dimensions from their defaults (80 x 24). This function is necessary when using NanoSSH Client as an interactive shell. For automated SSH Client applications, this function is unnecessary.
Enable Remote File Transfer Protocol operations (SFTP)
To enable NanoSSH Client SFTP operations, simply add a flag definition as described below. For information about building the NanoSSH Client sftp example code, see Using NanoSSH Client for Secure File Transfer.
Applicability
NanoSSH Client SFTP applications are appropriate anytime secure writing (PUT) and retrieval (GET) of files to/from a remote machine are needed, such as to retrieve an updated image file from a server and to write a log file to the server.
Flags
To enable NanoSSH Client SFTP operations, define the following flag:
__ENABLE_MOCANA_SSH_FTP_CLIENT__
Additionally, flag definitions are required to enable the chosen authentication method. For detailed information, see the applicable sections in this section.
Callback Functions
There are no callback functions that are specific to NanoSSH Client SFTP; however, callback functions need to be customized and registered for the chosen authentication method. For detailed information, see the applicable sections in this section.
API Methods
The following functions are used to implement NanoSSH FTP clients; for detailed function information, refer to the TrustCore SDK NanoSSH API Reference:
General functions:
SSHC_sftpSetCookie
SSHC_sftpGetCookie
SSHC_sftpRequestStatusCode
SSHC_sftpClientSettings
Basic I/O functions:
SSHC_openFile
SSHC_readFile
SSHC_writeFile
SSHC_closeFile
Directory listing functions:
SSHC_openDirectory
SSHC_readDirectory
SSHC_closeDirectory
SSHC_sftpGetDirEntryFileSize
SSHC_sftpGetDirEntryFileType
SSHC_sftpGetDirEntryFilePermission
Memory management functions:
SSHC_freeHandle
SSHC_freeFilename
SFTP get functions:
SSHC_sftpReadLocation
SSHC_sftpReadBuffer
SSHC_sftpReadBufferSize
SSHC_sftpNumBytesRead
SFTP put functions:
SSHC_sftpSetWriteBuffer
SSHC_sftpSetWriteBufferSize
SSHC_sftpWriteLocation
SSHC_sftpWriteBuffer
SSHC_sftpWriteBufferSize
SSHC_sftpNumBytesWritten
File and directory management functions:
SSHC_getFileStat
SSHC_realpath
SSHC_removeFile
SSHC_mkdir
SSHC_rmdir
Client authentication key functions:
SSHC_freeGenerateServerAuthKeyFile
SSHC_generateServerAuthKeyFile
SSHC_parseServerAuthKeyFile
SSHC_parsePublicKeyBuffer
Add port forwarding
NanoSSH Client supports both single and multiple local port forwarding. This feature enables an application client to make a secure virtual connection, over any network or the Internet using TCP/IP, to application servers via the NanoSSH Client. For information about building the NanoSSH port forwarding example code, see Using NanoSSH Client for Port Forwarding.
Applicability
Port forwarding may be added to any NanoSSH Client implementation.
Flags
To enable NanoSSH Client port forwarding operations, define the following flag:
__ENABLE_MOCANA_SSH_PORT_FORWARDING__
Additionally, flag definitions are required to enable the chosen authentication method. For detailed information, see the applicable sections in this section.
Callback Functions: Port Forwarding
To add port forwarding, customize and register the following callback functions:
sshClientSettings >funcPtrLocalPortFwdSessionOpen: Invoked when NanoSSH Client successfully opens a service.
sshClientSettings >funcPtrLocalPortFwdSessionOpenFail: Invoked when NanoSSH Client attempts to open a service but fails because the service is not available on the server. This callback function should try a different service or return an error code.
sshClientSettings >funcPtrLocalPortForwardClosed: Invoked when NanoSSH Client receives a session close message from the SSH server.
sshClientSettings >funcPtrLocalPortFwdReceivedData: Invoked when NanoSSH Client receives a session data message from the SSH server.
sshClientSettings >funcPtrLocalPortForwardEof: Invoked when NanoSSH Client receives a session EOF request from the SSH server. Callback registration happens at session creation and initialization by assigning a custom callback function, which may have any name, to this callback pointer.
In addition to the port forwarding-specific callbacks, callback functions need to be customized and registered for the chosen authentication method. For detailed information, see the applicable sections in this section.
API Methods
The following API methods are specific to NanoSSH Client port forwarding operations:
SSHC_lpfRegisterConnection: Registers the port number on which to listen for port forwarding messages from the SSH server.
SSHC_lpfSendMessage: Sends local port forwarding connection data from SSH client to SSH server.
SSHC_lpfStartConnection: Starts a port forwarding session by sending the required SSH message from the NanoSSH Client to the SSH server.
SSHC_lpfStopConenction: Stops port forwarding (terminates the connection) by sending an SSH CLOSE message to the SSH server.
SSHC_doProtocolProcessPortForwardSession: Forwards port forwarding messages (that originate from an SSH server) to local ports.
For information about the order in which to call NanoSSH Client methods to implement port forwarding, see Client Port Forwarding Integration Flowchart.
Callback functions
To add reverse port forwarding, customize and register the following reverse port forwarding callback functions:
sshClientSettings >funcPtrPortForwardConnect: Invoked when the client receives a request to open a channel for reverse port forwarding. It should connect to the requested host IP address and port. If it connects successfully, it must return “OK.”
sshClientSettings >funcPtrRemotePortReqStatus: Invoked when the client requests a random port from the server. It should return the server-assigned port if its status is “OK.”
Additionally, the standard port forwarding functions must be customized and registered; see Callback Functions: Port Forwarding.
API Methods
The following API methods are specific to NanoSSH Client reverse port forwarding operations:
SSHC_startRemotePortForwarding: Registers the port number on which to listen for port forwarding messages from the SSH server.
SSHC_cancelRemotePortForwarding: Tells the server to close its connection with the isolated client.
Select ciphers (encryption method)
NanoSSH Client may use the strongest cipher suite available or the desired cipher settings may be specified. The following factors should be considered:
Maximum interoperability: Ideally, a device should be able to communicate with any and every network and device that implements any flavor of SSH. At a minimum, be sure to include AES (Advanced Encryption Standard, also known as Rijndael) and 3DES. Next, be sure to include ciphers typically used by the target industry. For example, the electronic payments industry uses 2TDES extensively.
Speed: Ciphers vary greatly in speed; however, if simply the fastest is chosen, it is unlikely that the system is as secure as required. For some key sizes, AES is faster than 3DES, but 3DES is generally considered stronger. Blowfish is also a popular choice for its speed and strength.
Cipher strength: If encryption strength is of the greatest concern, be sure that the SSH implementation supports Triple-DES (3DES); however, be aware that the usual tradeoff for strength is incurred: 3DES is slower than many other ciphers.
Key size: If integrating SSH into an application environment that has predetermined or predefined key sizes, choose a cipher that offers the appropriate key size support. Rijndael offers the greatest number of key sizes (128 to 256 bits, in 32-bit increments), closely followed by AES (128, 192, and 256 bits). 3DES uses 192-bit keys. Blowfish has a variable key length from 0 to 448 bits, with 128 an often-used choice.
For details about the supported ciphers and their pros and cons, see Table 10.
Applicability
Any cipher may be enabled for any NanoSSH Client implementation.
Flags
Table 10 lists the available ciphers and the TrustCore SDK compilation flag definition required to enable the cipher, along with the ciphers’ pros and cons.
Configure certificate-based authentication
This section describes how to configure support for X509 Certificates for server and client certificate-based authentication:
Before you being
The following tasks need to be performed before configuring certificate-based authentication:
Before running the server, clean the directory by deleting all .pub, .key, *.dat, src.txt, dst.txt, generatedrequest.der files.
On the SSH server, update the following command line arguments:
-port <port>
: Sets the listening port.-ssh_server_cert <cert>
: Sets the server’s certificate path.-ssh_server_blob <key>
: Sets the server’s BLOB path.-ssh_ca_cert <ca_cert>
: Sets the CA certificate.
On the SSH client, update the following command line arguments:
-ip <ipaddr>
: Sets the remote IP address.-username <username>
: Sets the username for the remote host.-password <password>
: Sets the password for the remote host.-port <port>
: Sets the port number for the remote host.-ssh_client_cert <cert>
: Sets the client’s certificate path.-ssh_client_blob <key>
: Sets the client’s BLOB path.-ssh_ca_cert <ca_cert>
: Sets the CA certificate path (used for authenticating cert provided by the server.
For OCSP verification, perform only ONE of the following tasks:
Define
SSH_sshSettings()->pOcspResponderUrl
(OCSP URL).Ensure that the certificates have the OCSP URI embedded in them.
Non-certificate-based authentication
To build and run ssh_server and ssh_client without certificate-based authentication:
Generate the builds by running the following commands:
./scripts/nanossh/ssh_server/build_ssh_server_ncrypto.sh --debug –gdb ./scripts/nanossh/ssh_client/build_ssh_client_ncrypto.sh --debug --gdb
Start the SSH server by running the following command:
./ssh_server –port 1440
Start the SSH client by running the following command:
./ssh_client –port 1440 –ip 127.0.0.1
Use a server certificate
To build and run ssh_server and ssh_client with a server certificate:
Generate the builds by running the following commands:
./scripts/nanossh/ssh_server/build_ssh_server_ncrypto.sh --cert --server_cert_auth --client_cert_auth ./scripts/nanossh/ssh_client/build_ssh_client_ncrypto.sh --cert --server_cert_auth --client_cert_auth
Start the SSH server by running the following command:
./ssh_server --port 1440 –ssh_server_cert <certname in .der/.pem format> --ssh_server_blob <keyblob in .der/.pem/.dat format> --ssh_ca_cert <CAcert in .der/pem>
When OCSP is enabled, the
-ssh_ca_cert <CAcert in .der/.pem format>
command line argument is required for the server.Start the SSH client by running the following command:
./ssh_client –port 1440 --ip 127.0.0.1 --ssh_ca_cert <CAcert in .der/.pem format>
Use a server certificate and OCSP stapling
To build and run ssh_server and ssh_client with a server certificate and OCSP stapling:
Generate the builds by running the following commands:
./scripts/nanossh/ssh_server/build_ssh_server_ncrypto.sh --cert --server_cert_auth --cert_ocsp ./scripts/nanossh/ssh_client/build_ssh_client_ncrypto.sh --cert --server_cert_auth --cert_ocsp
Start the SSH server by running the following command:
./ssh_server --port 1440 –ssh_server_cert <certname> --ssh_server_blob <keyblob> --ssh_ca_cert <CAcert>
Start the SSH client by running the following command:
./ssh_client --port 1440 --ip 127.0.0.1 --ssh_ca_cert <CAcert>
Use server and client Certificates
To build and run ssh_server and ssh_client with server and client certificates:
Generate the builds by running the following commands:
./scripts/nanossh/ssh_server/build_ssh_server_ncrypto.sh –cert –server_cert_auth –client_cert_auth ./scripts/nanossh/ssh_client/build_ssh_client_ncrypto.sh –cert –server_cert_auth –client_cert_auth
Start the SSH server by running the following command:
./ssh_server –port 1440 --ssh_server_cert <certname> --ssh_server_blob <keyblob> --ssh_ca_cert <CAcert>
Start the SSH client by running the following command:
./ssh_client --port 1440 --ip 127.0.0.1 --ssh_client_cert <certname> --ssh_client_blob <keyblob> --ssh_ca_cert <CAcert>
Enable support for EC Keys (Suite B)
To build and run ssh_server and ssh_client support for EC keys (Suite B):
Configure the following flags to selectively disable specific EC curves. These flags can be added to mocana_suiteb_flags.txt:
__DISABLE_MOCANA_ECC_P521__
__DISABLE_MOCANA_ECC_P384__
__DISABLE_MOCANA_ECC_P256__
__DISABLE_MOCANA_ECC_P192__
Generate the builds by running the following commands:
./scripts/nanossh/ssh_server/build_ssh_server_ncrypto.sh --suiteb ./scripts/nanossh/ssh_client/build_ssh_client_ncrypto.sh --suiteb
Start the SSH server by running the following command:
./ssh_server --port 1440
Start the SSH client by running the following command:
./ssh_client --port 1440 --ip 127.0.0.1
OCSP Client API for Certificate Revocation Status
The OCSP_CLIENT_getCertStatus API may be used to verify the certificate revocation status. The __ENABLE_MOCANA_OCSP_CERT_VERIFY__
flag is required for the application to use the API:
#ifdef __ENABLE_MOCANA_OCSP_CERT_VERIFY__ MOC_EXTERN MSTATUS OCSP_CLIENT_getCertStatus(ubyte *pCertificate, ubyte4 certLen, certChainPtr pCertChain, const ubyte *pAnchorCert, ubyte4 anchorCertLen) ; #endif /* __ENABLE_MOCANA_OCSP_CERT_VERIFY__ */
NanoSSH certificate status callback
sbyte4(*funcPtrCertStatus) (sbyte4 connectionInstance, const ubyte *pUser, ubyte4 userLength, sbyte4 cert_status, ubyte *pCertificate, ubyte4 certLen, certChainPtr pCertChain, const ubyte *pAnchorCert, ubyte4 anchorCertLen);
connectionInstance
: Connection instance returned fromSSH_acceptConnection()
orSSH_ASYNC_acceptConnection()
.pUser
: Pointer to user name.userLength
: Number of bytes in user name (pUser
).cert_status
: Certificate verification status done by the stackpCertificate
: Certificate of the peercertLen
: Length of the certificate bufferpCertChain
: Certificate chain leading to the anchorpAnchorCert
: Anchor CA certificate if not present inpCertChain
anchorCertLen
: Anchor cert length if presentreturn
: OK (0) if successful; otherwise a negative number error code definition frommerrors.h
. To retrieve a string containing an English text error identifier corresponding to the function’s returned error status, use theDISPLAY_ERROR
macro.
Certificate validation with NanoSSH server
With client certificate-based authentication, NanoSSH Server receives and validates the client certificates against the trust chain, and performs the time validity. Applications may define and register a post certificate validation callback with NanoSSH Server. The callback provides the application with verification status, along with the certificate(s) received for the application to perform extended validation on the certificate or override the status. The following example code provides a simple implementation that uses the callback to verify certificate status using OCSP.
static sbyte4 SSH_EXAMPLE_certstatus(sbyte4 connectionInstance, const ubyte *pUser, ubyte4 userLength, sbyte4 cert_status, ubyte *pCertificate, ubyte4 certLen, certChainPtr pCertChain, const ubyte *pAnchorCert, ubyte4 anchorCertLen) { MSTATUS status = OK; DEBUG_PRINTNL(DEBUG_SSH_EXAMPLE, (sbyte *)"SSH_EXAMPLE_certstatus:"); /* if no client cert validation is needed, return OK from here */ if (cert_status != OK) { status = cert_status ; goto exit ; } #if ((defined(__ENABLE_MOCANA_SSH_OCSP_SUPPORT__)) && (defined(__ENABLE_MOCANA_OCSP_CLIENT__)) && \ (defined(__ENABLE_MOCANA_OCSP_CERT_VERIFY__))) status = OCSP_CLIENT_getCertStatus(ocsp_ResponderUrl, pCertificate, certLen, pCertChain, pAnchorCert, anchorCertLen ) ; #endif exit: return status ; } SSH_EXAMPLE_main() { SSH_sshSettings()->funcPtrCertStatus = SSH_EXAMPLE_certstatus ; … }
Enable Suite B support
NanoSSH supports draft-igoe-secsh-suiteb-00, Suite B Cryptographic Suites for Secure Shell. Suite B cryptography is a set of cryptographic algorithms and protocols, specified by NIST, that are approved by the NSA for protecting classified and unclassified National Security Systems (NSS).
The TrustCore SDK API functions that are related to NSA Suite B cryptography are available only if the Suite B edition of the TrustCore SDK product Platform has been purchased.
Applicability
Suite B cryptographic ciphers may be added to any NanoSSH Client example code or customized implementation.
Flags
To enable Suite B cipher support in NanoSSH Client, use the –suiteb argument when running the build script.
If using GCM, the __ENABLE_MOCANA_GCM__
flag must be defined. If none of the corresponding GCM message sizes are defined, the cryptographic code uses the default flag, __ENABLE_MOCANA_GCM_265B__. Optionally, any flag may be defined, but only one of the __ENABLE_MOCANA_GCM_*__
message size flags are used.
Callback Functions
No callback functions are required to enable Suite B support.
API Methods
No API methods are required to enable Suite B support.
Rekeying strategy
For best security, it is important to periodically refresh the authentication keys. RFC 4253, The Secure Shell (SSH) Transport Layer Protocol, section 9, states that “It is RECOMMENDED that the keys be changed after each gigabyte of transmitted data or after each hour of connection time, whichever comes sooner; however, because the re-exchange is a public key operation, it requires a fair amount of processing power and should not be performed too often.”
Applicability
Rekeying is applicable to any NanoSSH Client implementation that uses public key authentication or certificates.
Flags
No flag definitions are required to enable rekeying.
Callback Functions
No callback functions are required to initiate rekeying.
API Methods
To initiate rekeying, call the following API method:
SSHC_initiateReKey
: Initiates an SSH rekey operation. NanoSSH Client automatically processes rekey requests from an SSH server.
To rekey based on the amount of data transmitted, call SSHC_initiateReKey only when indicated by the results from the following API method:
SSHC_numBytesTransmitted
: Returns the number of bytes sent and received through a given connection.
Reduce the memory footprint
The TrustCore SDK memory footprint may be reduced by defining compilation flags to disable products or features that are not in use, which removes the corresponding code from the resultant executable.
For example, if the only TrustCore SDK products being used are NanoSSH Client and NanoSSH Server, do not define the flags for NanoSSL (client and server) or NanoSec. Similarly, unneeded features may also be disabled, such as support for certificate parsing, key generation, or ciphers that the system does not recognize.
Applicability
Footprint reduction techniques may be applied for any NanoSSH Client example code or customized implementation.
Flags
Table 11 below lists a typical set of flags that when defined substantially reduce the NanoSSH Client memory footprint. These flags can be added to projects/nanossh/mocana_suiteb_flags.txt or projects/nanossh/ssh_client/mocana_flags.txt.
Table 11: Typical Footprint Reduction Flags
Flag Description
__ENABLE_MOCANA_SMALL_CODE_FOOTPRINT__
Reduces the size of the executable, at the expense of execution speed. Depending on which products are included and which options are enabled, defining this flag may reduce heap and stack requirements.__DISABLE_ARC2_CIPHERS__
__DISABLE_MOCANA_SHA256__
__DISABLE_MOCANA_SHA512__
__DISABLE_3DES_CIPHERS__
Disables the indicated cipher suite support (both hardware and software).__DISABLE_AES_CIPHERS__
__DISABLE_AES128_CIPHER__
__DISABLE_AES192_CIPHER__
__DISABLE_AES256_CIPHER__
Disables AES cipher suite support (both hardware and software). Note that the__DISABLE_AES_CIPHERS__
flag disables all AES ciphers. If using some but not all key length-specific AES ciphers, individually disable the ones that are not needed.__DISABLE_MOCANA_ECC_P192__
__DISABLE_MOCANA_ECC_P224__
__DISABLE_MOCANA_ECC_P256__
__DISABLE_MOCANA_ECC_P384__
__DISABLE_MOCANA_ECC_P521__
Disables specific key-length ECDSA cipher suite support (both hardware and software).__DISABLE_MOCANA_CERTIFICATE_GENERATION__
__DISABLE_MOCANA_CERTIFICATE_PARSING__
__DISABLE_MOCANA_SSH_COMMON_NAME_CHECK__
Disables TrustCore SDK certificate generation and parsing code.
Callback Functions
No callback functions are required to reduce the NanoSSH Client footprint.
API Methods
No API methods are required to reduce the NanoSSH Client footprint.
Add FIPS 140-2 compliance
LINK TO FIPS INFO
To integrate a NanoSSH application with a licensed TrustCore SDK NanoCrypto FIPS binary cryptographic module, a staged approach is recommended:
Build the example code
--fips
to build with FIPS enabled.Customize the example code (as described in this section) or use it as a model for the application’s integration.
Note: If adding FIPS to an application, hardware acceleration cannot be added; they are mutually exclusive.
Add FIPS functionality by modifying the makefiles to link with the TrustCore SDK NanoCrypto FIPS binary.
If the operating system is Linux, refer to the Using TrustCore SDK NanoCrypto FIPS Binaries for Linux guide for instructions.
Gather statistics
A variety of NanoSSH Client statistics may be gathered:
Information about a given file, in the format of an
sftpcFileHandleDescr[]
structure (refer tosshc.h
).The number of bytes sent and received through a given connection instance. This information is typically used to determine when it is appropriate to initiate a rekey exchange operation.
The number of bytes read from or written to a remote file. This information is typically used to keep track of download (read) or upload (write) progress.
Applicability
Statistics may be gathered in any NanoSSH Client application.
Flags
No flags are required to gather NanoSSH Client statistics.
Callback Functions
No callback functions are required to gather NanoSSH Client statistics.
API Methods
To gather the statistics described above, call the following API methods:
SSHC_getFileStat
SSHC_numBytesTransmitted
SSHC_sftpNumBytesRead
SSHC_sftpNumBytesWritten
Client terminal configuration
In NanoSSH Client shell implementations, the client terminal text windows’ dimensions may be resized from their defaults (80 x 24). This function is necessary when using NanoSSH Client as an interactive shell. For automated SSH Client applications, this function is unnecessary.
Applicability
Client terminal text window sizing is applicable to NanoSSH Client shell implementations.
Flags
No flags are required to resize the client terminal text window.
Callback Functions
No callback functions are required to resize the client terminal text window.
API Methods
To resize the client terminal text window, call the SSHC_setTerminalTextWindowSize
API method.
Manag AES-GCM Ciphers with OpenSSH
By default, NanoSSH supports the aes128-gcm@openssh.com
and aes256-gcm@openssh.com
ciphers. AES-GCM implementation complies with RFC 5647.
Applicability
Disabling these ciphers is applicable if specific requirements or security policies dictate.
Flags
To disable these ciphers, define the following flag:
__DISABLE_OPEN_SSH_AES_GCM__
Callback Functions
No callback functions are required to disable AES-GCM ciphers for RFC 5647 compliance.
API Methods
There are no API methods associated with disabling AES-GCM ciphers for RFC 5647 compliance.