Connection

The identifier presented to the SSH-2 server.

Will be used to generate all random data needed for the current connection. Note: SecureRandom.nextBytes() is thread safe.

Prepares a fresh Connection object which can then be used to establish a connection to the specified SSH-2 server.

Same as Connection(hostname, 22).

Prepares a fresh Connection object which can then be used to establish a connection to the specified SSH-2 server.

Add a ConnectionMonitor to this connection. Can be invoked at any time, but it is best to add connection monitors before invoking connect() to avoid glitches (e.g., you add a connection monitor after a successful connect(), but the connection has died in the mean time. Then, your connection monitor won't be notified.)

You can add as many monitors as you like.

After a successful connect, one has to authenticate oneself. This method is based on DSA (it uses DSA to sign a challenge sent by the server).

If the authentication phase is complete, true will be returned. If the server does not accept the request (or if further authentication steps are needed), false is returned and one can retry either by using this or any other authentication method (use the getRemainingAuthMethods method to get a list of the remaining possible methods).

A wrapper that calls authenticateWithKeyboardInteractivewith a null submethod list.

After a successful connect, one has to authenticate oneself. This method is based on "keyboard-interactive", specified in draft-ietf-secsh-auth-kbdinteract-XX. Basically, you have to define a callback object which will be feeded with challenges generated by the server. Answers are then sent back to the server. It is possible that the callback will be called several times during the invocation of this method (e.g., if the server replies to the callback's answer(s) with another challenge...)

If the authentication phase is complete, true will be returned. If the server does not accept the request (or if further authentication steps are needed), false is returned and one can retry either by using this or any other authentication method (use the getRemainingAuthMethods method to get a list of the remaining possible methods).

Note: some SSH servers advertise "keyboard-interactive", however, any interactive request will be denied (without having sent any challenge to the client).

After a successful connect, one has to authenticate oneself. This method can be used to explicitly use the special "none" authentication method (where only a username has to be specified).

Note 1: The "none" method may always be tried by clients, however as by the specs, the server will not explicitly announce it. In other words, the "none" token will never show up in the list returned by getRemainingAuthMethods(String).

Note 2: no matter which one of the authenticateWithXXX() methods you call, the library will always issue exactly one initial "none" authentication request to retrieve the initially allowed list of authentication methods by the server. Please read RFC 4252 for the details.

If the authentication phase is complete, true will be returned. If further authentication steps are needed, false is returned and one can retry by any other authentication method (use the getRemainingAuthMethods method to get a list of the remaining possible methods).

After a successful connect, one has to authenticate oneself. This method sends username and password to the server.

If the authentication phase is complete, true will be returned. If the server does not accept the request (or if further authentication steps are needed), false is returned and one can retry either by using this or any other authentication method (use the getRemainingAuthMethods method to get a list of the remaining possible methods).

Note: if this method fails, then please double-check that it is actually offered by the server (use getRemainingAuthMethods().

Often, password authentication is disabled, but users are not aware of it. Many servers only offer "publickey" and "keyboard-interactive". However, even though "keyboard-interactive" *feels* like password authentication (e.g., when using the putty or openssh clients) it is *not* the same mechanism.

A convenience wrapper function which reads in a private key (PEM format, either DSA or RSA) and then calls authenticateWithPublicKey(String, char[], String).

NOTE PUTTY USERS: Event though your key file may start with "-----BEGIN..." it is not in the expected format. You have to convert it to the OpenSSH key format by using the "puttygen" tool (can be downloaded from the Putty website). Simply load your key and then use the "Conversions/Export OpenSSH key" functionality to get a proper PEM file.

After a successful connect, one has to authenticate oneself. The authentication method "publickey" works by signing a challenge sent by the server. The signature is either DSA or RSA based - it just depends on the type of private key you specify, either a DSA or RSA private key in PEM format. And yes, this is may seem to be a little confusing, the method is called "publickey" in the SSH-2 protocol specification, however since we need to generate a signature, you actually have to supply a private key =).

The private key contained in the PEM file may also be encrypted ("Proc-Type: 4,ENCRYPTED"). The library supports DES-CBC and DES-EDE3-CBC encryption, as well as the more exotic PEM encrpytions AES-128-CBC, AES-192-CBC and AES-256-CBC.

If the authentication phase is complete, true will be returned. If the server does not accept the request (or if further authentication steps are needed), false is returned and one can retry either by using this or any other authentication method (use the getRemainingAuthMethods method to get a list of the remaining possible methods).

NOTE PUTTY USERS: Event though your key file may start with "-----BEGIN..." it is not in the expected format. You have to convert it to the OpenSSH key format by using the "puttygen" tool (can be downloaded from the Putty website). Simply load your key and then use the "Conversions/Export OpenSSH key" functionality to get a proper PEM file.

Cancel an earlier requested remote port forwarding. Currently active forwardings will not be affected (e.g., disrupted). Note that further connection forwarding requests may be received until this method has returned.

Close the connection to the SSH-2 server. All assigned sessions will be closed, too. Can be called at any time. Don't forget to call this once you don't need a connection anymore - otherwise the receiver thread may run forever.

Same as connect(verifier, 0, 0).

Same as connect(null, 0, 0).

Connect to the SSH-2 server and, as soon as the server has presented its host key, use the ServerHostKeyVerifier.verifyServerHostKey() method of the verifier to ask for permission to proceed. If verifier is null, then any host key will be accepted - this is NOT recommended, since it makes man-in-the-middle attackes VERY easy (somebody could put a proxy SSH server between you and the real server).

Note: The verifier will be called before doing any crypto calculations (i.e., diffie-hellman). Therefore, if you don't like the presented host key then no CPU cycles are wasted (and the evil server has less information about us).

However, it is still possible that the server presented a fake host key: the server cheated (typically a sign for a man-in-the-middle attack) and is not able to generate a signature that matches its host key. Don't worry, the library will detect such a scenario later when checking the signature (the signature cannot be checked before having completed the diffie-hellman exchange).

Note 2: The ServerHostKeyVerifier.verifyServerHostKey() method will *NOT* be called from the current thread, the call is being made from a background thread (there is a background dispatcher thread for every established connection).

Note 3: This method will block as long as the key exchange of the underlying connection has not been completed (and you have not specified any timeouts).

Note 4: If you want to re-use a connection object that was successfully connected, then you must call the close() method before invoking connect() again.

Creates a new LocalPortForwarder. A LocalPortForwarder forwards TCP/IP connections that arrive at a local port via the secure tunnel to another host (which may or may not be identical to the remote SSH-2 server).

This method must only be called after one has passed successfully the authentication step. There is no limit on the number of concurrent forwardings.

Creates a new LocalPortForwarder. A LocalPortForwarder forwards TCP/IP connections that arrive at a local port via the secure tunnel to another host (which may or may not be identical to the remote SSH-2 server).

This method must only be called after one has passed successfully the authentication step. There is no limit on the number of concurrent forwardings.

Creates a new LocalStreamForwarder. A LocalStreamForwarder manages an Input/Outputstream pair that is being forwarded via the secure tunnel into a TCP/IP connection to another host (which may or may not be identical to the remote SSH-2 server).

Create a very basic SCPClient that can be used to copy files from/to the SSH-2 server.

Works only after one has passed successfully the authentication step. There is no limit on the number of concurrent SCP clients.

Note: This factory method will probably disappear in the future.

Enable/disable debug logging. Only do this when requested by Trilead support.

For speed reasons, some static variables used to check whether debugging is enabled are not protected with locks. In other words, if you dynamicaly enable/disable debug logging, then some threads may still use the old setting. To be on the safe side, enable debugging before doing the connect() call.

Force an asynchronous key re-exchange (the call does not block). The latest values set for MAC, Cipher and DH group exchange parameters will be used. If a key exchange is currently in progress, then this method has the only effect that the so far specified parameters will be used for the next (server driven) key exchange.

Note: This implementation will never start a key exchange (other than the initial one) unless you or the SSH-2 server ask for it.

Unless you know what you are doing, you will never need this.

Unless you know what you are doing, you will never need this.

Unless you know what you are doing, you will never need this.

Returns a ConnectionInfo object containing the details of the connection. Can be called as soon as the connection has been established (successfully connected).

Returns the hostname that was passed to the constructor.

Returns the port that was passed to the constructor.

After a successful connect, one has to authenticate oneself. This method can be used to tell which authentication methods are supported by the server at a certain stage of the authentication process (for the given username).

Note 1: the username will only be used if no authentication step was done so far (it will be used to ask the server for a list of possible authentication methods by sending the initial "none" request). Otherwise, this method ignores the user name and returns a cached method list (which is based on the information contained in the last negative server response).

Note 2: the server may return method names that are not supported by this implementation.

After a successful authentication, this method must not be called anymore.

Checks if a specified authentication method is available. This method is actually just a wrapper for getRemainingAuthMethods().

Determines if the authentication phase is complete. Can be called at any time.

Returns true if there was at least one failed authentication request and the last failed authentication request was marked with "partial success" by the server. This is only needed in the rare case of SSH-2 server setups that cannot be satisfied with a single successful authentication request (i.e., multiple authentication steps are needed.)

If you are interested in the details, then have a look at RFC4252.

Open a new Session on this connection. Works only after one has passed successfully the authentication step. There is no limit on the number of concurrent sessions.

This method can be used to perform end-to-end connection testing. It sends a 'ping' message to the server and waits for the 'pong' from the server.

When this method throws an exception, then you can assume that the connection should be abandoned.

Note: Works only after one has passed successfully the authentication step.

Implementation details: this method sends a SSH_MSG_GLOBAL_REQUEST request ('trilead-ping') to the server and waits for the SSH_MSG_REQUEST_FAILURE reply packet from the server.

Request a remote port forwarding. If successful, then forwarded connections will be redirected to the given target address. You can cancle a requested remote port forwarding by calling cancelRemotePortForwarding().

A call of this method will block until the peer either agreed or disagreed to your request-

Note 1: this method typically fails if you

• pass a port number for which the used remote user has not enough permissions (i.e., port < 1024)
• or pass a port number that is already in use on the remote server
• or if remote port forwarding is disabled on the server.

Note 2: (from the openssh man page): By default, the listening socket on the server will be bound to the loopback interface only. This may be overriden by specifying a bind address. Specifying a remote bind address will only succeed if the server's GatewayPorts option is enabled (see sshd_config(5)).

Send an SSH_MSG_IGNORE packet with the given data attribute.

This method must only be called once the connection is established.

Send an SSH_MSG_IGNORE packet. This method will generate a random data attribute (length between 0 (invlusive) and 16 (exclusive) bytes, contents are random bytes).

This method must only be called once the connection is established.

Unless you know what you are doing, you will never need this.

Unless you know what you are doing, you will never need this.

Sets the parameters for the diffie-hellman group exchange. Unless you know what you are doing, you will never need this. Default values are defined in the DHGexParameters class.

Used to tell the library that the connection shall be established through a proxy server. It only makes sense to call this method before calling the connect() method.

At the moment, only HTTP proxies are supported.

Note: This method can be called any number of times. The connect() method will use the value set in the last preceding invocation of this method.

Provide your own instance of SecureRandom. Can be used, e.g., if you want to seed the used SecureRandom generator manually.

The SecureRandom instance is used during key exchanges, public key authentication, x11 cookie generation and the like.

Unless you know what you are doing, you will never need this.

Unless you know what you are doing, you will never need this.

Define the set of allowed server host key algorithms to be used for the following key exchange operations.

Unless you know what you are doing, you will never need this.

Enable/disable TCP_NODELAY (disable/enable Nagle's algorithm) on the underlying socket.

Can be called at any time. If the connection has not yet been established then the passed value will be stored and set after the socket has been set up. The default value that will be used is false.

After a successful connect, one has to authenticate oneself. This method allows you to test particular public key (f.e. if you need to prompt user for passphrase, it is a good idea to try the key first).

If the public key is accepted, true will be returned. If the server does not accept the request, false is returned and one can retry either by using this or any other authentication method (use the getRemainingAuthMethods method to get a list of the remaining possible methods).