Class CoreModuleProperties


  • public final class CoreModuleProperties
    extends java.lang.Object
    Configurable properties for sshd-core.
    • Field Detail

      • PROXY_AUTH_CHANNEL_TYPE

        public static final Property<java.lang.String> PROXY_AUTH_CHANNEL_TYPE
        Value that can be set in order to control the type of authentication channel being requested when forwarding a PTY session.
      • CHANNEL_OPEN_TIMEOUT

        public static final Property<java.time.Duration> CHANNEL_OPEN_TIMEOUT
        Value that can be set on the FactoryManager or the session to configure the channel open timeout value (millis).
      • PROXY_CHANNEL_TYPE

        public static final Property<java.lang.String> PROXY_CHANNEL_TYPE
        Value used to configure the type of proxy forwarding channel to be used. See also https://tools.ietf.org/html/draft-ietf-secsh-agent-02
      • AUTH_SOCKET_TIMEOUT

        public static final Property<java.time.Duration> AUTH_SOCKET_TIMEOUT
        Property that can be set on the Session in order to control the authentication timeout (millis).
      • DEFAULT_FORWARDER_BUF_SIZE

        public static final int DEFAULT_FORWARDER_BUF_SIZE
        See Also:
        Constant Field Values
      • PREFERRED_AUTHS

        public static final Property<java.lang.String> PREFERRED_AUTHS
Ordered comma-separated list of authentication methods. Authentication methods accepted by the server will be tried in the given order. If not configured or null/empty, then the session's UserAuthFactoriesManager.getUserAuthFactories() is used as-is.
      • PASSWORD_PROMPTS

        public static final Property<java.lang.Integer> PASSWORD_PROMPTS
        Specifies the number of interactive attempts at password or keyboard-interactive user authentication before giving up. The argument to this keyword must be an integer; if <= 0, the value 1 is substituted.
      • CLIENT_IDENTIFICATION

        public static final Property<java.lang.String> CLIENT_IDENTIFICATION
        Key used to retrieve the value of the client identification string. If set, then it is appended to the (standard) "SSH-2.0-" prefix. Otherwise a default is sent that consists of "SSH-2.0-" plus the current SSHD artifact name and version in uppercase - e.g., "SSH-2.0-APACHE-SSHD-1.0.0"
      • SEND_IMMEDIATE_IDENTIFICATION

        public static final Property<java.lang.Boolean> SEND_IMMEDIATE_IDENTIFICATION
        Whether to send the identification string immediately upon session connection being established or wait for the server's identification before sending our own.
        See Also:
        RFC 4253 - section 4.2 - Protocol Version Exchange
      • SEND_IMMEDIATE_KEXINIT

        public static final Property<java.lang.Boolean> SEND_IMMEDIATE_KEXINIT
Whether to send SSH_MSG_KEXINIT immediately after sending the client identification string or wait until the server's one has been received.
        See Also:
        SEND_IMMEDIATE_IDENTIFICATION
      • ALLOW_DHG1_KEX_FALLBACK

        public static final Property<java.lang.Boolean> ALLOW_DHG1_KEX_FALLBACK
Whether to allow falling back to a DH group exchange with SHA-1 if all available primes for SHA-256 have been exhausted.
      • KEX_PROPOSAL_SETUP_TIMEOUT

        @Deprecated
        public static final Property<java.time.Duration> KEX_PROPOSAL_SETUP_TIMEOUT
        Deprecated.
        since 2.14.0
        Unused.
      • HEARTBEAT_INTERVAL

        public static final Property<java.time.Duration> HEARTBEAT_INTERVAL
        Key used to set the heartbeat interval in milliseconds (0 to disable = default)
      • HEARTBEAT_REQUEST

        public static final Property<java.lang.String> HEARTBEAT_REQUEST
Key used to configure the heartbeat request that should be sent to the server.
      • HEARTBEAT_REPLY_WAIT

        @Deprecated
        public static final Property<java.time.Duration> HEARTBEAT_REPLY_WAIT
        Deprecated.
        since 2.13.0, use HEARTBEAT_NO_REPLY_MAX instead
        Key used to indicate that the heartbeat request is also expecting a reply - time in milliseconds to wait for the reply. If non-positive then no reply is expected (nor requested).
      • HEARTBEAT_NO_REPLY_MAX

        public static final Property<java.lang.Integer> HEARTBEAT_NO_REPLY_MAX
        Key to set the maximum number of heartbeat messages to send without having received a reply. If > 0, heartbeat messages are sent with a flag that requires the peer to reply. The session will be killed if HEARTBEAT_NO_REPLY_MAX heartbeats have been sent without having received a reply. If <= 0, heartbeat messages will be sent, but no reply is requested or expected, and the client will not kill the session.
        Since:
        2.13.0
      • ABORT_ON_INVALID_CERTIFICATE

        public static final Property<java.lang.Boolean> ABORT_ON_INVALID_CERTIFICATE
Defines whether to abort if an invalid (e.g. expired) OpenSSH certificate is encountered.
      • INTERACTIVE_LANGUAGE_TAG

        public static final Property<java.lang.String> INTERACTIVE_LANGUAGE_TAG
        As per RFC-4256: The language tag is deprecated and SHOULD be the empty string. It may be removed in a future revision of this specification. Instead, the server SHOULD select the language to be used based on the tags communicated during key exchange
      • INTERACTIVE_SUBMETHODS

        public static final Property<java.lang.String> INTERACTIVE_SUBMETHODS
As per RFC-4256: The submethods field is included so the user can give a hint of which actual methods to use. It is a comma-separated list of authentication submethods (software or hardware) that the user prefers. If the client has knowledge of the submethods preferred by the user, presumably through a configuration setting, it MAY use the submethods field to pass this information to the server. Otherwise, it MUST send the empty string. The actual names of the submethods is something the user and the server need to agree upon. Server interpretation of the submethods field is implementation-dependent.
      • REQUEST_EXEC_REPLY

        public static final Property<java.lang.Boolean> REQUEST_EXEC_REPLY
Configure whether a reply for the "exec" request is required.
      • INPUT_STREAM_PUMP_CHUNK_SIZE

        public static final Property<java.lang.Integer> INPUT_STREAM_PUMP_CHUNK_SIZE
        On some platforms, a call to always throws an IOException. So we need to protect against that and chunk the call into smaller calls. This problem was found on Windows, JDK 1.6.0_03-b05.
      • REQUEST_SHELL_REPLY

        public static final Property<java.lang.Boolean> REQUEST_SHELL_REPLY
Configure whether a reply for the "shell" request is required.
      • REQUEST_SUBSYSTEM_REPLY

        public static final Property<java.lang.Boolean> REQUEST_SUBSYSTEM_REPLY
Configure whether a reply for the "subsystem" request is required.

Default value for REQUEST_SUBSYSTEM_REPLY - according to RFC4254 section 6.5:

It is RECOMMENDED that the reply to these messages be requested and checked.

      • PROP_DHGEX_CLIENT_MIN_KEY

        public static final Property<java.lang.Integer> PROP_DHGEX_CLIENT_MIN_KEY
      • PROP_DHGEX_CLIENT_MAX_KEY

        public static final Property<java.lang.Integer> PROP_DHGEX_CLIENT_MAX_KEY
      • PROP_DHGEX_CLIENT_PRF_KEY

        public static final Property<java.lang.Integer> PROP_DHGEX_CLIENT_PRF_KEY
      • WINDOW_SIZE

        public static final Property<java.lang.Long> WINDOW_SIZE
        Key used to retrieve the value of the channel window size in the configuration properties map.
      • WINDOW_TIMEOUT

        public static final Property<java.time.Duration> WINDOW_TIMEOUT
        Key used to retrieve timeout (msec.) to wait for data to become available when reading from a channel. If not set or non-positive then infinite value is assumed
      • BUFFERED_IO_OUTPUT_MAX_PENDING_WRITE_SIZE

        public static final Property<java.lang.Integer> BUFFERED_IO_OUTPUT_MAX_PENDING_WRITE_SIZE
        Key used when creating a BufferedIoOutputStream in order to specify max. allowed unwritten pending bytes. If this value is exceeded then the code waits up to BUFFERED_IO_OUTPUT_MAX_PENDING_WRITE_WAIT for the pending data to be written and thus make room for the new request.
      • BUFFERED_IO_OUTPUT_MAX_PENDING_WRITE_WAIT

        public static final Property<java.time.Duration> BUFFERED_IO_OUTPUT_MAX_PENDING_WRITE_WAIT
        Key used when creating a BufferedIoOutputStream in order to specify max. wait time (msec.) for pending writes to be completed before enqueuing a new request
        See Also:
        BUFFERED_IO_OUTPUT_MAX_PENDING_WRITE_SIZE
      • DEFAULT_MAX_PACKET_SIZE

        public static final long DEFAULT_MAX_PACKET_SIZE
        See Also:
        Constant Field Values
      • MAX_PACKET_SIZE

        public static final Property<java.lang.Long> MAX_PACKET_SIZE
        Key used to retrieve the value of the maximum packet size in the configuration properties map.
      • DEFAULT_LIMIT_PACKET_SIZE

        public static final long DEFAULT_LIMIT_PACKET_SIZE
        See Also:
        Constant Field Values
      • LIMIT_PACKET_SIZE

        public static final Property<java.lang.Long> LIMIT_PACKET_SIZE
        A safety value that is designed to avoid an attack that uses large channel packet sizes
      • NIO_WORKERS

        public static final Property<java.lang.Integer> NIO_WORKERS
        Number of NIO worker threads to use.
      • AUTH_TIMEOUT

        public static final Property<java.time.Duration> AUTH_TIMEOUT
Key used to retrieve the value of the timeout after which the connection is closed if the other side has not been authenticated - in milliseconds.
      • IDLE_TIMEOUT

        public static final Property<java.time.Duration> IDLE_TIMEOUT
        Key used to retrieve the value of idle timeout after which it will close the connection - in milliseconds.
      • IO_CONNECT_TIMEOUT

        public static final Property<java.time.Duration> IO_CONNECT_TIMEOUT
        Key used to retrieve the value of the socket connect time-out.

        Connection time-outs are generally handled in Apache MINA SSHD at the application level via ConnectFuture.verify(). However, the underlying I/O library may have its own connection time-out. By setting this property on an SshClient or SshServer, users can explicitly set this I/O connection time-out to any value. If the duration is zero or negative, or the property is not set on the client or server, the default of the I/O library used is in effect. These defaults are:

I/O back-end    Default connection time-out
NIO2            infinite
MINA            1 minute
Netty           30 seconds

        The default value of this property is 1 minute.
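The following is an added example, not code from the Apache MINA SSHD project, showing how a client combines the timeout and heartbeat properties described above (IO_CONNECT_TIMEOUT, HEARTBEAT_INTERVAL, HEARTBEAT_NO_REPLY_MAX, IDLE_TIMEOUT) so that a half-open or silently dropped connection is detected and torn down rather than kept forever. The host name, user name and password are placeholders; Property.set(PropertyResolver, T) and Property.getRequired(PropertyResolver) are the accessors of the Property type shown in this page's field signatures.

```java
import java.time.Duration;

import org.apache.sshd.client.SshClient;
import org.apache.sshd.client.session.ClientSession;
import org.apache.sshd.core.CoreModuleProperties;

/**
 * Added example (not part of the SSHD sources): an SshClient that bounds
 * connect, authentication and idle time, and kills sessions whose peer has
 * stopped answering heartbeats.
 */
public final class BoundedClientExample {

    /** Applies the client-wide properties; values are illustrative choices. */
    public static SshClient configureClient() {
        SshClient client = SshClient.setUpDefaultClient();

        // Explicit I/O-level connect timeout instead of the back-end default
        // (infinite for NIO2, see the table above).
        CoreModuleProperties.IO_CONNECT_TIMEOUT.set(client, Duration.ofSeconds(15));

        // Send a heartbeat every 30 seconds with the "reply required" flag set
        // (HEARTBEAT_NO_REPLY_MAX > 0); after 3 unanswered heartbeats the
        // session is killed instead of lingering on a dead TCP connection.
        CoreModuleProperties.HEARTBEAT_INTERVAL.set(client, Duration.ofSeconds(30));
        CoreModuleProperties.HEARTBEAT_NO_REPLY_MAX.set(client, 3);

        // Close sessions that carry no traffic for 10 minutes.
        CoreModuleProperties.IDLE_TIMEOUT.set(client, Duration.ofMinutes(10));
        return client;
    }

    public static void main(String[] args) throws Exception {
        SshClient client = configureClient();
        client.start();
        try {
            // Application-level connect timeout via ConnectFuture.verify(),
            // independent of the I/O-level IO_CONNECT_TIMEOUT above.
            // Placeholder user/host; no real endpoint is implied.
            try (ClientSession session = client.connect("alice", "ssh.example.test", 22)
                    .verify(Duration.ofSeconds(10))
                    .getSession()) {
                session.addPasswordIdentity("placeholder-password");
                // Bound the authentication phase as well.
                session.auth().verify(Duration.ofSeconds(30));
                // Properties resolve through the session to its parent client.
                System.out.println("authenticated; heartbeat interval = "
                        + CoreModuleProperties.HEARTBEAT_INTERVAL.getRequired(session)
                        + ", max unanswered = "
                        + CoreModuleProperties.HEARTBEAT_NO_REPLY_MAX.getRequired(session));
            }
        } finally {
            client.stop();
        }
    }
}
```

The two connect timeouts are deliberately both set: ConnectFuture.verify() bounds the wait at the application level, while IO_CONNECT_TIMEOUT bounds the underlying socket connect, which for the NIO2 back-end would otherwise be unbounded.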

      • NIO2_READ_TIMEOUT

        public static final Property<java.time.Duration> NIO2_READ_TIMEOUT
        Key used to retrieve the value of the socket read timeout for NIO2 session implementation - in milliseconds.
      • NIO2_MIN_WRITE_TIMEOUT

        public static final Property<java.time.Duration> NIO2_MIN_WRITE_TIMEOUT
        Minimum NIO2 write wait timeout for a single outgoing packet - in milliseconds
      • DISCONNECT_TIMEOUT

        public static final Property<java.time.Duration> DISCONNECT_TIMEOUT
        Key used to retrieve the value of the disconnect timeout which is used when a disconnection is attempted. If the disconnect message has not been sent before the timeout, the underlying socket will be forcibly closed - in milliseconds.
      • CHANNEL_CLOSE_TIMEOUT

        public static final Property<java.time.Duration> CHANNEL_CLOSE_TIMEOUT
Key used to configure the timeout used when writing a close request on a channel. If the message cannot be written before the specified timeout elapses, the channel will be immediately closed. In milliseconds.
      • STOP_WAIT_TIME

        public static final Property<java.time.Duration> STOP_WAIT_TIME
        Timeout (milliseconds) to wait for client / server stop request if immediate stop requested.
      • SOCKET_BACKLOG

        public static final Property<java.lang.Integer> SOCKET_BACKLOG
        Socket backlog. See AsynchronousServerSocketChannel.bind(java.net.SocketAddress, int)
      • SOCKET_KEEPALIVE

        public static final Property<java.lang.Boolean> SOCKET_KEEPALIVE
        Socket keep-alive. See StandardSocketOptions.SO_KEEPALIVE
      • SOCKET_SNDBUF

        public static final Property<java.lang.Integer> SOCKET_SNDBUF
        Socket send buffer size. See StandardSocketOptions.SO_SNDBUF
      • SOCKET_RCVBUF

        public static final Property<java.lang.Integer> SOCKET_RCVBUF
        Socket receive buffer size. See StandardSocketOptions.SO_RCVBUF
      • SOCKET_REUSEADDR

        public static final Property<java.lang.Boolean> SOCKET_REUSEADDR
        Socket reuse address. See StandardSocketOptions.SO_REUSEADDR
      • SOCKET_LINGER

        public static final Property<java.lang.Integer> SOCKET_LINGER
        Socket linger. See StandardSocketOptions.SO_LINGER
      • TCP_NODELAY

        public static final Property<java.lang.Boolean> TCP_NODELAY
        Socket tcp no-delay. See StandardSocketOptions.TCP_NODELAY
      • NIO2_READ_BUFFER_SIZE

        public static final Property<java.lang.Integer> NIO2_READ_BUFFER_SIZE
        Read buffer size in bytes. Has no effect on the Netty transport. The NIO2 transport uses this setting as fixed-size read buffer for all sessions. The MINA transport uses it as the initial read buffer size, MINA requires this to be in the range [64 .. 65536]; if larger, MINA uses 64kB. If not set explicitly on the SshClient or SshServer, or if smaller than 64, MINA will use its built-in default of 2kB.
      • MIN_READ_BUFFER_SIZE

        public static final Property<java.lang.Integer> MIN_READ_BUFFER_SIZE
        Minimum read buffer size in bytes. Has an effect only on the MINA transport and must be in the range [64..65536]. If not set, MINA by default uses 64 bytes as minimal read buffer size.

        If larger than NIO2_READ_BUFFER_SIZE, MINA will use this value also as the initial read buffer size.

      • MAX_IDENTIFICATION_SIZE

        public static final Property<java.lang.Integer> MAX_IDENTIFICATION_SIZE
        Maximum allowed size of the initial identification text sent during the handshake
      • REKEY_BYTES_LIMIT

        public static final Property<java.lang.Long> REKEY_BYTES_LIMIT
        Key re-exchange will be automatically performed after the session has sent or received the given amount of bytes. If non-positive, then disabled.
      • REKEY_TIME_LIMIT

        public static final Property<java.time.Duration> REKEY_TIME_LIMIT
        Key re-exchange will be automatically performed after the specified amount of time has elapsed since the last key exchange - in milliseconds. If non-positive then disabled.
        See Also:
        RFC4253 section 9
      • REKEY_PACKETS_LIMIT

        public static final Property<java.lang.Long> REKEY_PACKETS_LIMIT
        Key re-exchange will be automatically performed after the specified number of packets has been exchanged - positive 64-bit value. If non-positive then disabled.
        See Also:
        RFC4344 section 3.1
      • REKEY_BLOCKS_LIMIT

        public static final Property<java.lang.Long> REKEY_BLOCKS_LIMIT
        Key re-exchange will be automatically performed after the specified number of cipher blocks has been processed - positive 64-bit value. If non-positive then disabled. The default is calculated according to RFC4344 section 3.2
      • IGNORE_MESSAGE_FREQUENCY

        public static final Property<java.lang.Long> IGNORE_MESSAGE_FREQUENCY
        Average number of packets to be skipped before an SSH_MSG_IGNORE message is inserted in the stream. If non-positive, then feature is disabled
        See Also:
        IGNORE_MESSAGE_VARIANCE, RFC4251 section 9.3.1
      • IGNORE_MESSAGE_VARIANCE

        public static final Property<java.lang.Integer> IGNORE_MESSAGE_VARIANCE
        The variance to be used around the configured IGNORE_MESSAGE_FREQUENCY value in order to avoid insertion at a set frequency. If zero, then exact frequency is used. If negative, then the absolute value is used. If greater or equal to the frequency, then assumed to be zero - i.e., no variance
        See Also:
        RFC4251 section 9.3.1
      • IGNORE_MESSAGE_SIZE

        public static final Property<java.lang.Integer> IGNORE_MESSAGE_SIZE
        Minimum size of SSH_MSG_IGNORE payload to send if feature enabled. If non-positive then no message is sent. Otherwise, the actual size is between this size and twice its value
        See Also:
        RFC4251 section 9.3.1
      • AGENT_FORWARDING_TYPE_IETF

        public static final java.lang.String AGENT_FORWARDING_TYPE_IETF
        The agent forwarding type defined by IETF (https://tools.ietf.org/html/draft-ietf-secsh-agent-02).
        See Also:
        Constant Field Values
      • AGENT_FORWARDING_TYPE_OPENSSH

        public static final java.lang.String AGENT_FORWARDING_TYPE_OPENSSH
        The agent forwarding type defined by OpenSSH.
        See Also:
        Constant Field Values
      • WAIT_FOR_SPACE_TIMEOUT

        public static final Property<java.time.Duration> WAIT_FOR_SPACE_TIMEOUT
        Configure max. wait time (millis) to wait for space to become available
      • FORWARD_REQUEST_TIMEOUT

        public static final Property<java.time.Duration> FORWARD_REQUEST_TIMEOUT
        Used to configure the timeout (milliseconds) for receiving a response for the forwarding request
      • SEND_REPLY_FOR_CHANNEL_DATA

        public static final Property<java.lang.Boolean> SEND_REPLY_FOR_CHANNEL_DATA
        RFC4254 does not clearly specify how to handle SSH_MSG_CHANNEL_DATA and SSH_MSG_CHANNEL_EXTENDED_DATA received through an unknown channel. Therefore, we provide a configurable approach to it with the default set to ignore it.
      • MAX_AUTH_REQUESTS

        public static final Property<java.lang.Integer> MAX_AUTH_REQUESTS
        Key used to retrieve the value in the configuration properties map of the maximum number of failed authentication requests before the server closes the connection.
      • WELCOME_BANNER

        public static final Property<java.lang.Object> WELCOME_BANNER
        Key used to retrieve the value of welcome banner that will be displayed when a user connects to the server. If null/empty then no banner will be sent. The value can be one of the following:

• A File or Path, in which case its contents will be transmitted. Note: if the file is empty or does not exist, no banner will be transmitted.
        • A URI or a string starting with "file:/", in which case it will be converted to a Path and handled accordingly.
        • A string containing a special value indicator - e.g., AUTO_WELCOME_BANNER_VALUE, in which case the relevant banner content will be generated.
        • Any other object whose toString() value yields a non empty string will be used as the banner contents.
        See Also:
        RFC-4252 section 5.4
      • AUTO_WELCOME_BANNER_VALUE

        public static final java.lang.String AUTO_WELCOME_BANNER_VALUE
        Special value that can be set for the WELCOME_BANNER property indicating that the server should generate a banner consisting of the random art of the server's keys (if any are provided). If no server keys are available, then no banner will be sent
        See Also:
        Constant Field Values
      • WELCOME_BANNER_LANGUAGE

        public static final Property<java.lang.String> WELCOME_BANNER_LANGUAGE
        Key used to denote the language code for the welcome banner (if such a banner is configured).
      • WELCOME_BANNER_CHARSET

        public static final Property<java.nio.charset.Charset> WELCOME_BANNER_CHARSET
The charset to use if the configured welcome banner points to a file - if not specified (either as a string or a Charset) then the local default is used.
      • AUTH_METHODS

        public static final Property<java.lang.String> AUTH_METHODS
        This key is used when configuring multi-step authentications. The value needs to be a blank separated list of comma separated list of authentication method names. For example, an argument of publickey,password publickey,keyboard-interactive would require the user to complete public key authentication, followed by either password or keyboard interactive authentication. Only methods that are next in one or more lists are offered at each stage, so for this example, it would not be possible to attempt password or keyboard-interactive authentication before public key.
      • MAX_CONCURRENT_SESSIONS

        public static final Property<java.lang.Integer> MAX_CONCURRENT_SESSIONS
        Key used to retrieve the value of the maximum concurrent open session count per username. If not set, then unlimited
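As an added example (not code from the Apache MINA SSHD project), the server-side properties described above can be combined into one hardened SshServer: multi-step authentication via AUTH_METHODS using the exact example value given for that property, brute-force and resource limits (MAX_AUTH_REQUESTS, AUTH_TIMEOUT, IDLE_TIMEOUT, MAX_CONCURRENT_SESSIONS), automatic re-keying (REKEY_BYTES_LIMIT, REKEY_TIME_LIMIT) and a file-based WELCOME_BANNER. The port, file paths, user name and password check are placeholders; the chosen limit values are illustrative, not recommendations from the page.

```java
import java.nio.file.Paths;
import java.time.Duration;

import org.apache.sshd.core.CoreModuleProperties;
import org.apache.sshd.server.SshServer;
import org.apache.sshd.server.config.keys.AuthorizedKeysAuthenticator;
import org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider;

/**
 * Added example (not part of the SSHD sources): a server that requires
 * public-key authentication followed by a second method, limits failed
 * attempts and concurrent sessions, and re-keys periodically.
 */
public final class HardenedServerExample {

    public static SshServer configureServer(int port) {
        SshServer sshd = SshServer.setUpDefaultServer();
        sshd.setPort(port);
        // Placeholder host key file; generated on first start.
        sshd.setKeyPairProvider(new SimpleGeneratorHostKeyProvider(Paths.get("hostkey.ser")));

        // Public keys from an OpenSSH-style authorized_keys file (placeholder path).
        sshd.setPublickeyAuthenticator(new AuthorizedKeysAuthenticator(Paths.get("authorized_keys")));
        // Placeholder second factor; a real deployment delegates to PAM, LDAP, etc.
        sshd.setPasswordAuthenticator((username, password, session) ->
                "alice".equals(username) && "placeholder-second-factor".equals(password));

        // Multi-step authentication, using the page's own example value:
        // blank-separated alternatives, each a comma-separated sequence.
        // A client must complete "publickey" first and is only then offered
        // "password" or "keyboard-interactive"; password alone is never enough.
        CoreModuleProperties.AUTH_METHODS.set(sshd,
                "publickey,password publickey,keyboard-interactive");

        // Brute-force and resource limits.
        CoreModuleProperties.MAX_AUTH_REQUESTS.set(sshd, 3);        // failed attempts before disconnect
        CoreModuleProperties.AUTH_TIMEOUT.set(sshd, Duration.ofSeconds(60));
        CoreModuleProperties.IDLE_TIMEOUT.set(sshd, Duration.ofMinutes(15));
        CoreModuleProperties.MAX_CONCURRENT_SESSIONS.set(sshd, 5);  // per username

        // Re-key after 1 GiB of traffic or 1 hour, whichever comes first.
        CoreModuleProperties.REKEY_BYTES_LIMIT.set(sshd, 1L << 30);
        CoreModuleProperties.REKEY_TIME_LIMIT.set(sshd, Duration.ofHours(1));

        // Banner from a file; an empty or missing file means no banner is sent.
        CoreModuleProperties.WELCOME_BANNER.set(sshd, Paths.get("/etc/issue.net"));

        // Generic identification string: appended to "SSH-2.0-", so the
        // handshake no longer advertises the exact SSHD artifact version.
        CoreModuleProperties.SERVER_IDENTIFICATION.set(sshd, "GATEWAY-1.0");
        return sshd;
    }

    public static void main(String[] args) throws Exception {
        SshServer sshd = configureServer(2222);
        sshd.start();
        System.out.println("listening on port " + sshd.getPort()
                + ", auth methods: " + CoreModuleProperties.AUTH_METHODS.getRequired(sshd));
        Thread.sleep(Long.MAX_VALUE); // keep the server alive for the demo
    }
}
```

Because AUTH_METHODS only offers the methods that are next in some list, the password authenticator above is never reachable for a client that has not first presented an accepted public key, which is what limits a password-guessing client to the MAX_AUTH_REQUESTS budget on an already key-authenticated identity.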
      • SERVER_EXTRA_IDENTIFICATION_LINES

        public static final Property<java.lang.String> SERVER_EXTRA_IDENTIFICATION_LINES
Key used to retrieve any extra lines to be sent during the initial protocol handshake before the identification. The configured string value should use the '|' character (ASCII 124) to denote line breaks.
      • SERVER_IDENTIFICATION

        public static final Property<java.lang.String> SERVER_IDENTIFICATION
        Key used to retrieve the value of the server identification string. If set, then it is appended to the (standard) "SSH-2.0-" prefix. Otherwise a default is sent that consists of "SSH-2.0-" plus the current SSHD artifact name and version in uppercase - e.g., "SSH-2.0-APACHE-SSHD-1.0.0"
      • COMMAND_EXIT_TIMEOUT

        public static final Property<java.time.Duration> COMMAND_EXIT_TIMEOUT
        Key used to configure the timeout used when receiving a close request on a channel to wait until the command cleanly exits after setting an EOF on the input stream.
      • MODULI_URL

        public static final Property<java.lang.String> MODULI_URL
        A URL pointing to the moduli file. If not specified, the default internal file will be used.
      • MAX_EXTDATA_BUFSIZE

        public static final Property<java.lang.Integer> MAX_EXTDATA_BUFSIZE
        Maximum amount of extended (a.k.a. STDERR) data allowed to be accumulated until a ChannelDataReceiver for the data is registered
      • PROP_DHGEX_SERVER_MIN_KEY

        public static final Property<java.lang.Integer> PROP_DHGEX_SERVER_MIN_KEY
      • PROP_DHGEX_SERVER_MAX_KEY

        public static final Property<java.lang.Integer> PROP_DHGEX_SERVER_MAX_KEY
      • PUMP_SLEEP_TIME

        public static final Property<java.time.Duration> PUMP_SLEEP_TIME
        Value used by the InvertedShellWrapper to control the "busy-wait" sleep time (millis) on the pumping loop if nothing was pumped - must be positive.
      • BUFFER_SIZE

        public static final Property<java.lang.Integer> BUFFER_SIZE
        Value used by the InvertedShellWrapper to control copy buffer size.
      • X11_OPEN_TIMEOUT

        public static final Property<java.time.Duration> X11_OPEN_TIMEOUT
        Configuration value for the X11ForwardSupport to control the channel open timeout.
      • X11_DISPLAY_OFFSET

        public static final Property<java.lang.Integer> X11_DISPLAY_OFFSET
        Configuration value for the X11ForwardSupport to control from which X11 display number to start looking for a free value.
      • X11_MAX_DISPLAYS

        public static final Property<java.lang.Integer> X11_MAX_DISPLAYS
Configuration value for the X11ForwardSupport to control up to which (but not including) X11 display number to look for a free value.
      • X11_BASE_PORT

        public static final Property<java.lang.Integer> X11_BASE_PORT
        Configuration value for the X11ForwardSupport to control the base port number for the X11 display number socket binding.
      • X11_BIND_HOST

        public static final Property<java.lang.String> X11_BIND_HOST
        Configuration value for the X11ForwardSupport to control the host used to bind to for the X11 display when looking for a free port.
      • MAX_PROXY_JUMPS

        public static final Property<java.lang.Integer> MAX_PROXY_JUMPS
        Configuration value for the maximum number of proxy jumps to allow in an SSH connection; by default 10. If there are more proxy jumps for an SSH connection, chances are that the proxy chain has a loop.
    • Constructor Detail

      • CoreModuleProperties

        private CoreModuleProperties()