The SSH authentication functions.

Overview

Functions to authenticate with a server. More…

// enums

enum ssh_agent_state_e;
enum ssh_auth_auto_state_e;

// structs

struct ssh_agent_state_struct;
struct ssh_auth_auto_state_struct;

// global functions

int
ssh_userauth_agent(
    ssh_session session,
    const char* username
);

int
ssh_userauth_gssapi(ssh_session session);

int
ssh_userauth_kbdint(
    ssh_session session,
    const char* user,
    const char* submethods
);

const char*
ssh_userauth_kbdint_getanswer(
    ssh_session session,
    unsigned int i
);

const char*
ssh_userauth_kbdint_getinstruction(ssh_session session);

const char*
ssh_userauth_kbdint_getname(ssh_session session);

int
ssh_userauth_kbdint_getnanswers(ssh_session session);

int
ssh_userauth_kbdint_getnprompts(ssh_session session);

const char*
ssh_userauth_kbdint_getprompt(
    ssh_session session,
    unsigned int i,
    char* echo
);

int
ssh_userauth_kbdint_setanswer(
    ssh_session session,
    unsigned int i,
    const char* answer
);

int
ssh_userauth_list(
    ssh_session session,
    const char* username
);

int
ssh_userauth_none(
    ssh_session session,
    const char* username
);

int
ssh_userauth_password(
    ssh_session session,
    const char* username,
    const char* password
);

int
ssh_userauth_publickey(
    ssh_session session,
    const char* username,
    const ssh_key privkey
);

int
ssh_userauth_publickey_auto(
    ssh_session session,
    const char* username,
    const char* passphrase
);

int
ssh_userauth_try_publickey(
    ssh_session session,
    const char* username,
    const ssh_key pubkey
);

void
ssh_agent_state_free(void* data);

static
int
ssh_auth_response_termination(void* user);

void
ssh_kbdint_clean(ssh_kbdint kbd);

void
ssh_kbdint_free(ssh_kbdint kbd);

ssh_kbdint
ssh_kbdint_new(void);

SSH_PACKET_CALLBACK(ssh_packet_userauth_banner);
SSH_PACKET_CALLBACK(ssh_packet_userauth_failure);
SSH_PACKET_CALLBACK(ssh_packet_userauth_success);
SSH_PACKET_CALLBACK(ssh_packet_userauth_pk_ok);
SSH_PACKET_CALLBACK(ssh_packet_userauth_info_request);

int
ssh_userauth_agent_pubkey(
    ssh_session session,
    const char* username,
    ssh_public_key publickey
);

static
int
ssh_userauth_agent_publickey(
    ssh_session session,
    const char* username,
    ssh_key pubkey
);

static
int
ssh_userauth_get_response(ssh_session session);

static
int
ssh_userauth_kbdint_init(
    ssh_session session,
    const char* username,
    const char* submethods
);

static
int
ssh_userauth_kbdint_send(ssh_session session);

static
int
ssh_userauth_request_service(ssh_session session);

Detailed Documentation

Functions to authenticate with a server.

Global Functions

int
ssh_userauth_agent(
    ssh_session session,
    const char* username
)

Try to do public key authentication with ssh agent.

Note

Most server implementations do not permit changing the username during authentication. The username should only be set with ssh_options_set() only before you connect to the server.

Parameters:

session

The ssh session to use.

username

The username, this SHOULD be NULL.

Returns:

SSH_AUTH_ERROR: A serious error happened.

SSH_AUTH_DENIED: The server doesn’t accept that public key as an authentication token. Try another key or another method.

SSH_AUTH_PARTIAL: You’ve been partially authenticated, you still have to use another method.

SSH_AUTH_SUCCESS: The public key is accepted, you want now to use ssh_userauth_pubkey(). SSH_AUTH_AGAIN: In nonblocking mode, you’ve got to call this again later.

int
ssh_userauth_gssapi(ssh_session session)

Try to authenticate through the “gssapi-with-mic” method.

Parameters:

session

The ssh session to use.

Returns:

SSH_AUTH_ERROR: A serious error happened

SSH_AUTH_DENIED: Authentication failed : use another method

SSH_AUTH_PARTIAL: You’ve been partially authenticated, you still have to use another method

SSH_AUTH_SUCCESS: Authentication success

SSH_AUTH_AGAIN: In nonblocking mode, you’ve got to call this again later.

int
ssh_userauth_kbdint(
    ssh_session session,
    const char* user,
    const char* submethods
)

Try to authenticate through the “keyboard-interactive” method.

Parameters:

session

The ssh session to use.

user

The username to authenticate. You can specify NULL if ssh_option_set_username() has been used. You cannot try two different logins in a row.

submethods

Undocumented. Set it to NULL.

Returns:

SSH_AUTH_ERROR: A serious error happened

SSH_AUTH_DENIED: Authentication failed : use another method

SSH_AUTH_PARTIAL: You’ve been partially authenticated, you still have to use another method

SSH_AUTH_SUCCESS: Authentication success

SSH_AUTH_INFO: The server asked some questions. Use ssh_userauth_kbdint_getnprompts() and such.

SSH_AUTH_AGAIN: In nonblocking mode, you’ve got to call this again later.

See also:

ssh_userauth_kbdint_getnprompts()

ssh_userauth_kbdint_getname()

ssh_userauth_kbdint_getinstruction()

ssh_userauth_kbdint_getprompt()

ssh_userauth_kbdint_setanswer()

const char*
ssh_userauth_kbdint_getanswer(
    ssh_session session,
    unsigned int i
)

Get the answer for a question from a message block.

Parameters:

session

The ssh session to use.

i

index The number of the ith answer.

Returns:

0 on success, < 0 on error.

const char*
ssh_userauth_kbdint_getinstruction(ssh_session session)

Get the “instruction” of the message block.

Once you have called ssh_userauth_kbdint() and received SSH_AUTH_INFO return code, this function can be used to retrieve information about the keyboard interactive authentication questions sent by the remote host.

Parameters:

session

The ssh session to use.

Returns:

The instruction of the message block.

const char*
ssh_userauth_kbdint_getname(ssh_session session)

Get the “name” of the message block.

Once you have called ssh_userauth_kbdint() and received SSH_AUTH_INFO return code, this function can be used to retrieve information about the keyboard interactive authentication questions sent by the remote host.

Parameters:

session

The ssh session to use.

Returns:

The name of the message block. Do not free it.

int
ssh_userauth_kbdint_getnanswers(ssh_session session)

Get the number of answers the client has given.

Parameters:

session

The ssh session to use.

Returns:

The number of answers.

int
ssh_userauth_kbdint_getnprompts(ssh_session session)

Get the number of prompts (questions) the server has given.

Once you have called ssh_userauth_kbdint() and received SSH_AUTH_INFO return code, this function can be used to retrieve information about the keyboard interactive authentication questions sent by the remote host.

Parameters:

session

The ssh session to use.

Returns:

The number of prompts.

const char*
ssh_userauth_kbdint_getprompt(
    ssh_session session,
    unsigned int i,
    char* echo
)

Get a prompt from a message block.

Once you have called ssh_userauth_kbdint() and received SSH_AUTH_INFO return code, this function can be used to retrieve information about the keyboard interactive authentication questions sent by the remote host.

const char prompt;
char echo;

prompt = ssh_userauth_kbdint_getprompt(session, 0, &echo);
if (echo) ...

Parameters:

session

The ssh session to use.

i

The index number of the i’th prompt.

echo

This is an optional variable. You can obtain a boolean if the user input should be echoed or hidden. For passwords it is usually hidden.

Returns:

A pointer to the prompt. Do not free it.

int
ssh_userauth_kbdint_setanswer(
    ssh_session session,
    unsigned int i,
    const char* answer
)

Set the answer for a question from a message block.

If you have called ssh_userauth_kbdint() and got SSH_AUTH_INFO, this function returns the questions from the server.

Parameters:

session

The ssh session to use.

i

index The number of the ith prompt.

answer

The answer to give to the server. The answer MUST be encoded UTF-8. It is up to the server how to interpret the value and validate it. However, if you read the answer in some other encoding, you MUST convert it to UTF-8.

Returns:

0 on success, < 0 on error.

int
ssh_userauth_list(
    ssh_session session,
    const char* username
)

Get available authentication methods from the server.

This requires the function ssh_userauth_none() to be called before the methods are available. The server MAY return a list of methods that may continue.

Warning

Other reserved flags may appear in future versions.

Parameters:

session

The SSH session.

username

Deprecated, set to NULL.

Returns:

A bitfield of the fllowing values:

  • SSH_AUTH_METHOD_PASSWORD

  • SSH_AUTH_METHOD_PUBLICKEY

  • SSH_AUTH_METHOD_HOSTBASED

  • SSH_AUTH_METHOD_INTERACTIVE

See also:

ssh_userauth_none()

int
ssh_userauth_none(
    ssh_session session,
    const char* username
)

Try to authenticate through the “none” method.

Note

Most server implementations do not permit changing the username during authentication. The username should only be set with ssh_options_set() only before you connect to the server.

Parameters:

session

The ssh session to use.

username

The username, this SHOULD be NULL.

Returns:

SSH_AUTH_ERROR: A serious error happened.

SSH_AUTH_DENIED: Authentication failed: use another method

SSH_AUTH_PARTIAL: You’ve been partially authenticated, you still have to use another method

SSH_AUTH_SUCCESS: Authentication success

SSH_AUTH_AGAIN: In nonblocking mode, you’ve got to call this again later.

int
ssh_userauth_password(
    ssh_session session,
    const char* username,
    const char* password
)

Try to authenticate by password.

This authentication method is normally disabled on SSHv2 server. You should use keyboard-interactive mode.

The ‘password’ value MUST be encoded UTF-8. It is up to the server how to interpret the password and validate it against the password database. However, if you read the password in some other encoding, you MUST convert the password to UTF-8.

Note

Most server implementations do not permit changing the username during authentication. The username should only be set with ssh_options_set() only before you connect to the server.

Parameters:

session

The ssh session to use.

username

The username, this SHOULD be NULL.

password

The password to authenticate in UTF-8.

Returns:

SSH_AUTH_ERROR: A serious error happened.

SSH_AUTH_DENIED: Authentication failed: use another method

SSH_AUTH_PARTIAL: You’ve been partially authenticated, you still have to use another method

SSH_AUTH_SUCCESS: Authentication success

SSH_AUTH_AGAIN: In nonblocking mode, you’ve got to call this again later.

See also:

ssh_userauth_none()

ssh_userauth_kbdint()

int
ssh_userauth_publickey(
    ssh_session session,
    const char* username,
    const ssh_key privkey
)

Authenticate with public/private key.

Note

Most server implementations do not permit changing the username during authentication. The username should only be set with ssh_options_set() only before you connect to the server.

Parameters:

session

The SSH session.

username

The username, this SHOULD be NULL.

privkey

The private key for authentication.

Returns:

SSH_AUTH_ERROR: A serious error happened.

SSH_AUTH_DENIED: The server doesn’t accept that public key as an authentication token. Try another key or another method.

SSH_AUTH_PARTIAL: You’ve been partially authenticated, you still have to use another method.

SSH_AUTH_SUCCESS: The public key is accepted, you want now to use ssh_userauth_pubkey(). SSH_AUTH_AGAIN: In nonblocking mode, you’ve got to call this again later.

int
ssh_userauth_publickey_auto(
    ssh_session session,
    const char* username,
    const char* passphrase
)

Tries to automatically authenticate with public key and “none”.

It may fail, for instance it doesn’t ask for a password and uses a default asker for passphrases (in case the private key is encrypted).

Note

Most server implementations do not permit changing the username during authentication. The username should only be set with ssh_options_set() only before you connect to the server.

Parameters:

session

The SSH session.

username

The username, this SHOULD be NULL.

passphrase

Use this passphrase to unlock the privatekey. Use NULL if you don’t want to use a passphrase or the user should be asked.

Returns:

SSH_AUTH_ERROR: A serious error happened.

SSH_AUTH_DENIED: The server doesn’t accept that public key as an authentication token. Try another key or another method.

SSH_AUTH_PARTIAL: You’ve been partially authenticated, you still have to use another method.

SSH_AUTH_SUCCESS: The public key is accepted, you want now to use ssh_userauth_pubkey(). SSH_AUTH_AGAIN: In nonblocking mode, you’ve got to call this again later.

int
ssh_userauth_try_publickey(
    ssh_session session,
    const char* username,
    const ssh_key pubkey
)

Try to authenticate with the given public key.

To avoid unnecessary processing and user interaction, the following method is provided for querying whether authentication using the ‘pubkey’ would be possible.

Note

Most server implementations do not permit changing the username during authentication. The username should only be set with ssh_options_set() only before you connect to the server.

Parameters:

session

The SSH session.

username

The username, this SHOULD be NULL.

pubkey

The public key to try.

Returns:

SSH_AUTH_ERROR: A serious error happened.

SSH_AUTH_DENIED: The server doesn’t accept that public key as an authentication token. Try another key or another method.

SSH_AUTH_PARTIAL: You’ve been partially authenticated, you still have to use another method.

SSH_AUTH_SUCCESS: The public key is accepted, you want now to use ssh_userauth_pubkey(). SSH_AUTH_AGAIN: In nonblocking mode, you’ve got to call this again later.