Rebex SSH Shell
SSH shell, tunneling, telnet, ANSI terminal emulation library for .NET
Download 30-day free trial Buy from $699More .NET libraries
-
Rebex SFTP
SFTP client
-
Rebex SSH Pack
SSH Shell + SFTP + SSH server
-
Rebex Total Pack
All Rebex .NET libraries together
Back to feature list...
SSH core
On this page:
Ssh
object runs on top of SshSession
object.
The SshSession
object represents an SSH connection and provides some useful additional capabilities not accessible through Ssh
object.
SSH session sharing
Session sharing is a useful feature of the SSH protocol. It's possible
to share a single SSH connection between several instances of Ssh
objects and Sftp
/Scp
objects
(parts of Rebex SFTP) or to establish
SSH tunnels.
This makes it possible to transfer files, run SSH shell sessions, and tunnel TCP connections over a single SSH session.
To create a shared session, connect and authenticate an SshSession
object.
Then, instead of calling Connect
and Login
for each Ssh
, Sftp
or Scp
object,
use Bind
to attach it to the shared SshSession
.
// establish the shared SSH connection var session = new Rebex.Net.SshSession(); session.Connect(hostname); // check session.Fingerprint here // authenticate session.Authenticate(username, password); // bind an SSH object to the SSH session var ssh = new Rebex.Net.Ssh(); ssh.Bind(session); // bind an SFTP object to the SSH session Sftp sftp = new Sftp(); sftp.Bind(session);
' establish the shared SSH connection Dim session = New Rebex.Net.SshSession() session.Connect(hostname) ' check session.Fingerprint here ' authenticate session.Authenticate(username, password) ' bind an SSH object to the SSH session Dim ssh As New Ssh() ssh.Bind(session) ' bind an SFTP object to the SSH session Dim sftp As New Sftp() sftp.Bind(session)
Changing password
Some SSH servers make it possible to change user's password programmatically. This feature is accessible through SshSession
object's ChangePassword
method.
Please note that password can only be changed before the authentication has begun.
// connect to an SSH server but don't log in var session = new SshSession(); session.Connect(hostname, port); // try changing the password SshPasswordChangeResult result = session.ChangePassword(username, password, newPassword); // check the result switch (result) { case SshPasswordChangeResult.Success: // password changed; // now you are logged on using the new password break; case SshPasswordChangeResult.ChangedButNotAuthenticated: // password changed; // you should authenticate explicitly session.Authenticate(username, newPassword); break; case SshPasswordChangeResult.Failure: // password not changed throw new Exception("Password change failed."); }
' connect to an SSH server but don't log in Dim session = New SshSession() session.Connect(hostname, port) ' try changing the password Dim result As SshPasswordChangeResult = session.ChangePassword(username, password, newPassword) ' check the result Select Case result Case SshPasswordChangeResult.Success ' password changed; ' now you are logged on using the new password Exit Select Case SshPasswordChangeResult.ChangedButNotAuthenticated ' password changed; ' you should authenticate explicitly session.Authenticate(username, newPassword) Exit Select Case SshPasswordChangeResult.Failure ' password not changed Throw New Exception("Password change failed.") End Select
Keep-alive packet (pinging SSH server)
Some firewall/router devices have a habit of dropping connections that have been inactive for a certain amount of time (such as 30 minutes). To prevent this, the client can send a special ignore packet periodically to keep the connection alive.
To send such packet, use SshSession.KeepAlive
method. For a sample code to send the packet periodically,
check out this forum post.
Key re-exchange
SSH recommends changing encryption/decryption keys after each gigabyte of transmitted data or after each hour of connection time (whichever comes sooner).
To achieve this, the client or server can initiate a key re-exchange process. This involves a public key operation that requires
a fair amount of processing power; it is not initiated by Rebex Terminal Emulation automatically. To start a key re-exchange, simply call SshSession.Negotiate
method.
Usually, however, it's the server that initiates the re-exchange. Rebex Terminal Emulation handles it transparently and there is no need to explicitly enable this feature.
SSH ciphers
Rebex SSH Shell's SSH core supports a number of security algorithms. Use Ssh.Settings.SshParameters
property to specify all kinds of SSH ciphers:
Key Exchange Ciphers
Use SshParameters.KeyExchangeAlgorithms
property to enable/disable whole categories of key exchange ciphers.
If you need more control over key exchange ciphers, use SshParameters.SetKeyExchangeAlgorithms(...)
method to specify supported ciphers in order of preference.
The following table lists supported key exchange ciphers:
Cipher ID | Key length | Description | Note |
---|---|---|---|
diffie-hellman-group-exchange-sha256 | Negotiated | Diffie Hellman with group exchange and SHA-256 hash | Available on all* platforms. |
diffie-hellman-group16-sha512 | 4096 bits | Diffie Hellman with Oakley Group 16 and SHA-512 hash | Available on all* platforms. |
diffie-hellman-group15-sha512 | 3072 bits | Diffie Hellman with Oakley Group 15 and SHA-512 hash | Available on all* platforms. |
diffie-hellman-group14-sha256 | 2048 bits | Diffie Hellman with Oakley Group 14 and SHA-256 hash | Available on all* platforms. |
diffie-hellman-group-exchange-sha1 | Negotiated | Diffie Hellman with group exchange and SHA-1 hash | Available on all* platforms. |
diffie-hellman-group14-sha1 | 2048 bits | Diffie Hellman with Oakley Group 14 and SHA-1 hash | Available on all* platforms. |
diffie-hellman-group1-sha1 | 1024 bits | Diffie Hellman with Oakley Group 2 and SHA-1 hash | Available on all platforms. Insecure. Disabled by default. |
ecdh-sha2-nistp256 | 256 bits | Elliptic Curve Diffie Hellman with NIST P-256 curve and SHA-256 hash | Available on Windows 10/11, Windows Server 2016/2019/2022 and on Linux with .NET Core 2.1 or later. External plugin needed for other platforms. |
ecdh-sha2-nistp384 | 384 bits | Elliptic Curve Diffie Hellman with NIST P-384 curve and SHA-384 hash |
Available on Windows 10/11, Windows Server 2016/2019/2022 and on Linux with .NET Core 2.1 or later. External plugin needed for other platforms.
Disabled by default. |
ecdh-sha2-nistp521 | 521 bits | Elliptic Curve Diffie Hellman with NIST P-521 curve and SHA-512 hash |
Available on Windows 10/11, Windows Server 2016/2019/2022 and on Linux with .NET Core 2.1 or later. External plugin needed for other platforms.
Disabled by default. |
ecdh-sha2-1.3.132.0.10 | 256 bits | Elliptic Curve Diffie Hellman with secp256k1 curve and SHA-256 hash |
Available on Windows 10/11 and Windows Server 2016/2019/2022.
Disabled by default. |
curve25519-sha256 (curve25519-sha256@libssh.org) |
256 bits | Elliptic Curve Diffie-Hellman on Curve25519 with SHA-256 hash | Available on Windows 10/11 and Windows Server 2016/2019/2022. External plugin needed for other platforms. |
Host Key Algorithms
Use SshParameters.HostKeyAlgorithms
property to enable/disable whole categories of host key algorithms.
If you need more control over host key algorithms, use SshParameters.SetHostKeyAlgorithms(...)
method to specify supported algorithms in order of preference.
The following table lists supported host key algorithms:
Algorithm ID | Description | Note |
---|---|---|
rsa-sha2-256 | RSA with SHA-256 hash | Available on all platforms. |
rsa-sha2-512 | RSA with SHA-512 hash | Available on all platforms. |
ssh-dss | NIST Digital Signature Algorithm (DSA) with SHA-1 hash | Available on all platforms. |
ssh-rsa | RSA with SHA-1 hash | Available on all platforms. |
ssh-rsa-sha256@ssh.com | RSA with SHA-256 hash | Available on all platforms. |
x509v3-rsa2048-sha256 | X.509 certificate with RSA (2048-bit or larger key) and SHA-256 hash | Available on all platforms. |
x509v3-sign-rsa-sha256@ssh.com | X.509 certificate with RSA and SHA-256 hash | Available on all platforms. |
x509v3-sign-rsa | X.509 certificate with RSA and SHA-1 hash | Available on all platforms. |
x509v3-sign-dss | X.509 certificate with DSA and SHA-1 hash | Available on all platforms. |
ssh-ed25519 | Ed25519, an Edwards-curve Digital Signature Algorithm (EdDSA) | Available on all platforms. |
ecdsa-sha2-nistp256 | Elliptic Curve Digital Signature Algorithm (ECDSA) on NIST P-256 curve with SHA-256 hash | Available on Windows** and on Linux with .NET Core 2.1 or later. External plugin needed for other platforms. |
ecdsa-sha2-nistp384 | Elliptic Curve Digital Signature Algorithm (ECDSA) on NIST P-384 curve with SHA-384 hash |
Available on Windows** and on Linux with .NET Core 2.1 or later. External plugin needed for other platforms.
Disabled by default. |
ecdsa-sha2-nistp521 | Elliptic Curve Digital Signature Algorithm (ECDSA) on NIST P-521 curve with SHA-512 hash |
Available on Windows** and on Linux with .NET Core 2.1 or later. External plugin needed for other platforms.
Disabled by default. |
ecdsa-sha2-1.3.132.0.10 | Elliptic Curve Digital Signature Algorithm (ECDSA) on secp256k1 curve with SHA-256 hash |
Available on Windows 10/11 and Windows Server 2016/2019/2022.
Disabled by default. |
x509v3-ecdsa-sha2-nistp256 | X.509 certificate with Elliptic Curve Digital Signature Algorithm (ECDSA) on NIST P-256 curve with SHA-256 hash | Available on Windows** and on Linux with .NET Core 2.1 or later. External plugin needed for other platforms. |
x509v3-ecdsa-sha2-nistp384 | X.509 certificate with Elliptic Curve Digital Signature Algorithm (ECDSA) on NIST P-384 curve with SHA-384 hash |
Available on Windows** and on Linux with .NET Core 2.1 or later. External plugin needed for other platforms.
Disabled by default. |
x509v3-ecdsa-sha2-nistp521 | X.509 certificate with Elliptic Curve Digital Signature Algorithm (ECDSA) on NIST P-521 curve with SHA-512 hash |
Available on Windows** and on Linux with .NET Core 2.1 or later. External plugin needed for other platforms.
Disabled by default. |
Encryption Ciphers
Use SshParameters.EncryptionAlgorithms
and SshParameters.EncryptionModes
properties to enable/disable whole categories of encryption ciphers.
If you need more control over encryption ciphers, use SshParameters.SetEncryptionAlgorithms(...)
method to specify supported ciphers in order of preference.
The following table lists supported encryption ciphers:
Cipher ID | Description | Note |
---|---|---|
aes256-gcm@openssh.com | AES in GCM mode with 256-bit key | |
aes128-gcm@openssh.com | AES in GCM mode with 128-bit key | |
chacha20-poly1305@openssh.com | ChaCha20/Poly1305 AEAD cipher with 256-bit key | |
aes256-ctr | AES in CTR mode with 256-bit key | |
aes192-ctr | AES in CTR mode with 192-bit key | |
aes128-ctr | AES in CTR mode with 128-bit key | |
aes256-cbc | AES in CBC mode with 256-bit key | |
aes192-cbc | AES in CBC mode with 192-bit key | |
aes128-cbc | AES in CBC mode with 128-bit key | |
3des-ctr | TripleDES in CTR mode | |
3des-cbc | TripleDES in CBC mode | |
twofish256-ctr | Twofish in CTR mode with 256-bit key | |
twofish192-ctr | Twofish in CTR mode with 192-bit key | |
twofish128-ctr | Twofish in CTR mode with 128-bit key | |
twofish256-cbc | Twofish in CBC mode with 256-bit key | |
twofish192-cbc | Twofish in CBC mode with 192-bit key | |
twofish128-cbc | Twofish in CBC mode with 128-bit key | |
twofish-cbc | Twofish in CBC mode with 256-bit key | |
blowfish-ctr | Twofish in CTR mode with 256-bit key | Disabled by default. |
blowfish-cbc | Blowfish in CBC mode with 128-bit key | Disabled by default. |
arcfour256 | ArcFour (RC4) stream cipher (with discard step) with 256-bit key | Disabled by default. |
arcfour128 | ArcFour (RC4) stream cipher (with discard step) with 128-bit key | Disabled by default. |
arcfour | ArcFour (RC4) stream cipher with 128-bit key | Disabled by default. |
MAC Ciphers
Use SshParameters.MacAlgorithms
property to enable/disable whole categories of message authentication code (MAC) ciphers.
If you need more control over MAC ciphers, use SshParameters.SetMacAlgorithms(...)
method to specify supported ciphers in order of preference.
The following table lists supported MAC ciphers:
Cipher ID | Description | Note |
---|---|---|
hmac-sha2-256-etm@openssh.com | SHA-256 (ETM mode) | |
hmac-sha2-256 | SHA-256 | |
hmac-sha2-512-etm@openssh.com | SHA-512 (ETM mode) | |
hmac-sha2-512 | SHA-512 | |
hmac-sha1 | SHA-1 | |
hmac-md5 | MD5 | Disabled by default. |
hmac-sha1-96 | SHA-1 (trimmed to 96 bits) | Disabled by default. |
hmac-md5-96 | MD5 (trimmed to 96 bits) | Disabled by default. |
* Might be very slow on legacy Windows CE platforms
** Windows 7 SP1 and higher, or Windows Embedded Compact 2013
Server ciphers information
To retrieve lists of SSH ciphers supported by your SSH server, connect to it and inspect the Sftp.SshSession.ServerInfo
property:
var ssh = new Ssh(); ssh.Connect("test.rebex.net"); SshServerInfo serverInfo = ssh.Session.ServerInfo; Console.WriteLine("Key exchange algorithms: " + string.Join(", ", serverInfo.KeyExchangeAlgorithms)); Console.WriteLine("Host key algorithms: " + string.Join(", ", serverInfo.ServerHostKeyAlgorithms)); Console.WriteLine("MAC algorithms (server -> client): " + string.Join(", ", serverInfo.MacAlgorithmsServerToClient)); Console.WriteLine("MAC algorithms (client -> server): " + string.Join(", ", serverInfo.MacAlgorithmsClientToServer)); Console.WriteLine("Encryption algorithms (server -> client): " + string.Join(", ", serverInfo.EncryptionAlgorithmsServerToClient)); Console.WriteLine("Encryption algorithms (client -> server): " + string.Join(", ", serverInfo.EncryptionAlgorithmsClientToServer)); Console.WriteLine("Compression algorithms (server -> client): " + string.Join(", ", serverInfo.CompressionAlgorithmsServerToClient)); Console.WriteLine("Compression algorithms (client -> server): " + string.Join(", ", serverInfo.CompressionAlgorithmsClientToServer));
Dim ssh As New Ssh() ssh.Connect("test.rebex.net") Dim serverInfo As SshServerInfo = ssh.Session.ServerInfo Console.WriteLine("Key exchange algorithms: " + String.Join(", ", serverInfo.KeyExchangeAlgorithms)) Console.WriteLine("Host key algorithms: " + String.Join(", ", serverInfo.ServerHostKeyAlgorithms)) Console.WriteLine("MAC algorithms (server -> client): " + String.Join(", ", serverInfo.MacAlgorithmsServerToClient)) Console.WriteLine("MAC algorithms (client -> server): " + String.Join(", ", serverInfo.MacAlgorithmsClientToServer)) Console.WriteLine("Encryption algorithms (server -> client): " + String.Join(", ", serverInfo.EncryptionAlgorithmsServerToClient)) Console.WriteLine("Encryption algorithms (client -> server): " + String.Join(", ", serverInfo.EncryptionAlgorithmsClientToServer)) Console.WriteLine("Compression algorithms (server -> client): " + String.Join(", ", serverInfo.CompressionAlgorithmsServerToClient)) Console.WriteLine("Compression algorithms (client -> server): " + String.Join(", ", serverInfo.CompressionAlgorithmsClientToServer))
Back to feature list...