Rebex SSH Shell

SSH shell, tunneling, telnet, ANSI terminal emulation library for .NET

Download 30-day free trial Buy from $699

More .NET libraries

Rebex SFTP
SFTP client
Rebex SSH Pack
SSH Shell + SFTP + SSH server
Rebex Total Pack
All Rebex .NET libraries together

Back to feature list...

Authentication modes

Username and password

Password-based authentication is simple:

C#
VB.NET

// connect to a server and verify fingerprint
var ssh = new Rebex.Net.Ssh();
ssh.Connect(hostname);

// log in
ssh.Login(username, password);

' connect to a server and verify fingerprint
Dim ssh = New Rebex.Net.Ssh()
ssh.Connect(hostname)

' log in
ssh.Login(username, password)

In addition to password authentication, this method supports simple forms of keyboard-interactive authentication methods as well.

Public/private key authentication

Asymmetric cryptography makes it possible to authenticate using a private key without revealing it to the server (or anyone else) - only the corresponding public key needs to be associated with your account. Use SshPrivateKey class for this kind of authentication:

C#
VB.NET

// connect to a server and verify fingerprint
var ssh = new Rebex.Net.Ssh();
ssh.Connect(hostname);

// load the private key
SshPrivateKey privateKey = new SshPrivateKey("my_key.ppk", "key_password");

// log in
ssh.Login(username, privateKey);

' connect to a server and verify fingerprint
Dim ssh = New Rebex.Net.Ssh()
ssh.Connect(hostname)

' load the private key
Dim privateKey As New SshPrivateKey("my_key.ppk", "key_password")

' log in
ssh.Login(username, privateKey)

How do you get the private key? Usually, you generate it yourself, either using Rebex KeyGenerator sample, our key-generator API or a third-party utility (most SSH vendors provide one). Once generated, the corresponding public key has to be associated with your account (this is server-specific, consult your server administrator if needed).

Note: In case you already have your private key, just load it into the SshPrivateKey object - it supports lot of private key formats.

X.509 certificate authentication

Some SSH servers - such as Rebex Buru SFTP Server, VanDyke VShell or Tectia SSH Server - support authentication using X.509 certificates. Simply load the certificate with an associated private key into the SshPrivateKey object and pass it to the Login method.

C#
VB.NET

// connect to a server and verify fingerprint
var ssh = new Rebex.Net.Ssh();
ssh.Connect(hostname, port);

// load X.509 certificate
Certificate x509 = Rebex.Security.Certificates.Certificate.LoadPfx(certPath, certPassword);

// wrap X.509 certificate to SshPrivateKey
SshPrivateKey privateKey = new SshPrivateKey(x509);

// log in
ssh.Login(username, privateKey);

' connect to a server and verify fingerprint
Dim ssh = New Rebex.Net.Ssh()
ssh.Connect(hostname, port)

' load X.509 certificate
Dim x509 As Certificate = Rebex.Security.Certificates.Certificate.LoadPfx(certPath, certPassword)

' wrap X.509 certificate to SshPrivateKey
Dim privateKey As New SshPrivateKey(x509)

' log in
ssh.Login(username, privateKey)

Tip: You can use .NET's X509Certificate2 object as well instead of our Certificate object.

GSSAPI

GSSAPI support makes it possible to use Kerberos or NTLM authentication mechanisms, both in single sign-on mode and username/password(/domain)-based mode.

Note: GSSAPI is only supported on Windows platforms.

Single sign-on

With single sign-on, the current user can authenticate without having to enter his password. Single sign-on is only possible with Kerberos or NTLM authentication mechanisms on servers that support them (through GSSAPI). Additionally, both the client and server machines must be part of the same domain (or a domain trust has to be implemented).

Note: Single sign-on is only supported on Windows platforms.

Kerberos authentication

If the server supports Kerberos authentication, it is possible to use GSSAPI Kerberos v5 authentication mechanism.

// connect to a server and verify fingerprint
var ssh = new Rebex.Net.Ssh();
ssh.Connect(hostname);

// initialize GSSAPI for Kerberos single sign-on
var credentials = new SshGssApiCredentials();
credentials.SetMechanisms(SshGssApiMechanisms.KerberosV5);

// log in using Kerberos single sign-on
ssh.Login(credentials);

' connect to a server and verify fingerprint
Dim ssh = New Rebex.Net.Ssh()
ssh.Connect(hostname)

' initialize GSSAPI for Kerberos single sign-on
Dim credentials = New SshGssApiCredentials()
credentials.SetMechanisms(SshGssApiMechanisms.KerberosV5)

' log in using Kerberos single sign-on
ssh.Login(credentials)

Kerberos with username/password/domain

C#
VB.NET

// connect to a server and verify fingerprint
var ssh = new Rebex.Net.Ssh();
ssh.Connect(hostname);

// initialize GSSAPI for Kerberos authentication
var credentials = new SshGssApiCredentials(username, password, domain);
credentials.SetMechanisms(SshGssApiMechanisms.KerberosV5);

// log in using Kerberos
ssh.Login(credentials);

' connect to a server and verify fingerprint
Dim ssh = New Rebex.Net.Ssh()
ssh.Connect(hostname)

' initialize GSSAPI for Kerberos authentication
Dim credentials = New SshGssApiCredentials(username, password, domain)
credentials.SetMechanisms(SshGssApiMechanisms.KerberosV5)

' log in using Kerberos
ssh.Login(credentials)

Note: Kerberos is only supported on Windows platforms. However, it's possible to authenticate Windows-based clients to Unix-based servers using Kerberos.

NTLM authentication

If the server supports NTLM authentication, it is possible to use GSSAPI NTLM authentication mechanism.

NTLM with single sign-on

C#
VB.NET

// connect to a server and verify fingerprint
var ssh = new Rebex.Net.Ssh();
ssh.Connect(hostname);

// initialize GSSAPI for NTLM single sign-on
var credentials = new SshGssApiCredentials();
credentials.SetMechanisms(SshGssApiMechanisms.Ntlm);

// log in using NTLM single sign-on
ssh.Login(credentials);

' connect to a server and verify fingerprint
Dim ssh = New Rebex.Net.Ssh()
ssh.Connect(hostname)

' initialize GSSAPI for NTLM single sign-on
Dim credentials = New SshGssApiCredentials()
credentials.SetMechanisms(SshGssApiMechanisms.Ntlm)

' log in using NTLM single sign-on
ssh.Login(credentials)

NTLM with username/password/domain

C#
VB.NET

// connect to a server and verify fingerprint
var ssh = new Rebex.Net.Ssh();
ssh.Connect(hostname);

// initialize GSSAPI for NTLM authentication
var credentials = new SshGssApiCredentials(username, password, domain);
credentials.SetMechanisms(SshGssApiMechanisms.Ntlm);

// log in using NTLM single sign-on
ssh.Login(credentials);

' connect to a server and verify fingerprint
Dim ssh = New Rebex.Net.Ssh()
ssh.Connect(hostname)

' initialize GSSAPI for NTLM authentication
Dim credentials = New SshGssApiCredentials(username, password, domain)
credentials.SetMechanisms(SshGssApiMechanisms.Ntlm)

' log in using NTLM single sign-on
ssh.Login(credentials)

Note: On non-Windows platforms (Linux, Android, macOS, iOS), NTLM is only available with NTLM plugin.

Advanced keyboard-interactive authentication

In most cases, password-based authentication will take care of servers that use keyboard-interactive authentication method. To handle rare cases where the server utilizes interactive authentication to ask non-trivial questions, register an AuthenticationRequest event handler both to get notified about them and to answer them.

Note: Login method's username and password arguments are optional. If you omit them, the event handler will be called when required.

C#
VB.NET

// connect to a server and verify fingerprint
var ssh = new Rebex.Net.Ssh();
ssh.Connect(hostname);

// register AuthenticationRequest event handler
ssh.AuthenticationRequest += client_AuthenticationRequest;

// log in (alternatively, omit username and password as well)
ssh.Login(username, password);

' connect to a server and verify fingerprint
Dim ssh = New Rebex.Net.Ssh()
ssh.Connect(hostname)

' register AuthenticationRequest event handler
AddHandler ssh.AuthenticationRequest, AddressOf client_AuthenticationRequest

' log in (alternatively, omit username and password as well)
ssh.Login(username, password)

The event handler implementing the actual logic:

C#
VB.NET

void client_AuthenticationRequest(object sender, SshAuthenticationRequestEventArgs e)
{
    Console.WriteLine("Server: {0}", e.Name);
    Console.WriteLine("Instructions: {0}", e.Instructions);

    foreach (SshAuthenticationRequestItem item in e.Items)
    {
        // display question
        Console.Write(item.Prompt);

        // set answer
        item.Response = Console.ReadLine();
    }
}

Private Sub client_AuthenticationRequest(sender As Object, e As SshAuthenticationRequestEventArgs)
    Console.WriteLine("Server: {0}", e.Name)
    Console.WriteLine("Instructions: {0}", e.Instructions)

    For Each item As SshAuthenticationRequestItem In e.Items
        ' display question
        Console.Write(item.Prompt)

        ' set answer
        item.Response = Console.ReadLine()
    Next
End Sub

Telnet authentication

Authentication is not a part of the Telnet protocol. Most servers ask for a username and password. Some don't require any authentication at all. Other behavior is rare but perfectly possible as well. To authenticate to a telnet server, you need to know whether the server you are connecting to requires any authentication and how it is performed. It is then up to you to authenticate properly.

The following code connects and authenticates to a telnet server that prints a welcome message and then asks for a username and password. Once connected, the code assumes the server provides a well-behaved shell, and tries detecting its prompt automatically.

Check out Scripting features for an overview of terminal scripting capabilities.

C#
VB.NET

// create the telnet client
Telnet client = new Telnet(hostname);

// connect and get a scripting object
Scripting scripting = client.StartScripting();

// wait for "login" prompt
scripting.WaitFor(ScriptEvent.FromString("ogin:"));

// send user name
scripting.SendCommand(username);

// wait for "password" prompt
scripting.WaitFor(ScriptEvent.FromString("assword:"));

// send password
scripting.SendCommand(password);

// detect prompt
scripting.DetectPrompt();

// start sending commands and processing responses
// ...

' create the telnet client
Dim client As New Telnet(hostname)

' connect and get a scripting object
Dim scripting As Scripting = client.StartScripting()

' wait for "login" prompt
scripting.WaitFor(ScriptEvent.FromString("ogin:"))

' send user name
scripting.SendCommand(username)

' wait for "password" prompt
scripting.WaitFor(ScriptEvent.FromString("assword:"))

' send password
scripting.SendCommand(password)

' detect prompt
scripting.DetectPrompt()

' start sending commands and processing responses
' ...

Note: When using VirtualTerminal class, or when using TerminalControl class in non-interactive mode, you have to authenticate this way as well. However, instead of calling Telnet.StartScripting, use the Scripting object provided by VirtualTerminal or TerminalControl object's Scripting property.

We support Telnet/SSL as well.

Serial ports and authentication

When connecting over a serial port, authentication is not part of the underlying communication protocol. Most devices simply ask for a username and password over the terminal. Some don't require any authentication at all. Other behavior is rare but perfectly possible as well. To authenticate to a device, you need to know whether it requires any authentication and how it is performed. It is then up to you to authenticate properly.

The following code connects and authenticates to a device that prints a welcome message and then asks for a username and password. Once connected, the code assumes the device provides a well-behaved shell, and tries detecting its prompt automatically.