  • Stars: 389
  • Rank: 110,500 (Top 3 %)
  • Language: Swift
  • License: Apache License 2.0
  • Created over 5 years ago
  • Updated 5 months ago


Repository Details

SwiftNIO SSH is a programmatic implementation of SSH using SwiftNIO

SwiftNIO SSH

This project contains SSH support using SwiftNIO.

What is SwiftNIO SSH?

SwiftNIO SSH is a programmatic implementation of SSH: that is, it is a collection of APIs that allow programmers to implement SSH-speaking endpoints. Critically, this means it is more like libssh2 than openssh. SwiftNIO SSH does not ship production-ready SSH clients and servers, but instead provides the building blocks for building this kind of client and server.

There are a number of reasons to provide a programmatic SSH implementation. One is that SSH has a unique relationship to user interactivity. Technical users are highly accustomed to interacting with SSH interactively, either to run commands on remote machines or to run interactive shells. Having the ability to programmatically respond to these requests enables interesting alternative modes of interaction. As prior examples, we can point to Twisted's Manhole, which uses a programmatic SSH implementation called conch to provide an interactive Python interpreter within a running Python server, or ssh-chat, an SSH server that provides a chat room instead of regular SSH shell functionality. Innovative uses can also be imagined for TCP forwarding.

Another good reason to provide programmatic SSH is that it is not uncommon for services to need to interact with other services in a way that involves running commands. While Process solves this for the local use-case, sometimes the commands that need to be invoked are remote. While Process could launch an ssh client as a sub-process in order to run this invocation, it can be substantially more straightforward to simply invoke SSH directly. This is libssh2's target use-case. SwiftNIO SSH provides the equivalent of the networking and cryptographic layer of libssh2, allowing motivated users to drive SSH sessions directly from within Swift services.

The most recent versions of SwiftNIO SSH support Swift 5.6 and newer. The minimum Swift versions supported by SwiftNIO SSH releases are detailed below:

SwiftNIO SSH       | Minimum Swift Version
0.0.0 ..< 0.3.0    | 5.1
0.3.0 ..< 0.4.0    | 5.2
0.4.0 ..< 0.5.0    | 5.4
0.5.0 ..< 0.6.2    | 5.5.2
0.6.2 ...          | 5.6

What does SwiftNIO SSH support?

SwiftNIO SSH supports SSHv2 with the following feature set:

  • All session channel features, including shell and exec channel requests
  • Direct and reverse TCP port forwarding
  • Modern cryptographic primitives only: Ed25519 and ECDSA over the major NIST curves (P256, P384, P521) for asymmetric cryptography, AES-GCM for symmetric cryptography, x25519 for key exchange
  • Password and public key user authentication
  • Supports all platforms supported by SwiftNIO and Swift Crypto

How do I use SwiftNIO SSH?

SwiftNIO SSH provides a SwiftNIO ChannelHandler, NIOSSHHandler. This handler implements the bulk of the SSH protocol directly. Users are not expected to generate SSH messages directly: instead, they interact with the NIOSSHHandler through child channels and delegates.

SSH is a multiplexed protocol: each SSH connection is subdivided into multiple bidirectional communication channels called, appropriately enough, channels. SwiftNIO SSH reflects this construction by using a "child channel" abstraction. When a peer creates a new SSH channel, SwiftNIO SSH will create a new NIO Channel that is used to represent all traffic on that SSH channel. Within this child Channel all events are strictly ordered with respect to one another: however, events in different Channels may be interleaved freely by the implementation.

An active SSH connection therefore looks like this:

┌ ─ NIO Channel ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┐

│     ┌────────────────────────────────┐    │
      │                                │
│     │                                │    │
      │                                │
│     │                                │    │
      │         NIOSSHHandler          │───────────────────────┐
│     │                                │    │                  │
      │                                │                       │
│     │                                │    │                  │
      │                                │                       │
│     └────────────────────────────────┘    │                  │
                                                               │
└ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┘                  │
                                                               │
                                                               │
                                                               │
                                                               │
                                                               ▼
                     ┌── SSH Child Channel ─────────────────────────────────────────────────────────────┐
                     │                                                                                  │
                     │   ┌────────────────────────────────┐      ┌────────────────────────────────┐     ├───┐
                     │   │                                │      │                                │     │   │
                     │   │                                │      │                                │     │   ├───┐
                     │   │                                │      │                                │     │   │   │
                     │   │                                │      │                                │     │   │   │
                     │   │          User Handler          │      │          User Handler          │     │   │   │
                     │   │                                │      │                                │     │   │   │
                     │   │                                │      │                                │     │   │   │
                     │   │                                │      │                                │     │   │   │
                     │   │                                │      │                                │     │   │   │
                     │   └────────────────────────────────┘      └────────────────────────────────┘     │   │   │
                     │                                                                                  │   │   │
                     └───┬──────────────────────────────────────────────────────────────────────────────┘   │   │
                         │                                                                                  │   │
                         └───┬──────────────────────────────────────────────────────────────────────────────┘   │
                             │                                                                                  │
                             └──────────────────────────────────────────────────────────────────────────────────┘

An SSH channel is invoked with a channel type. NIOSSH supports three: session, directTCPIP, and forwardedTCPIP. The most common channel type is session: session is used to represent the invocation of a program, whether a specific named program or a shell. The other two channel types are related to TCP port forwarding, and will be discussed later.

An SSH channel operates on a single data type: SSHChannelData. This structure encapsulates the fact that SSH supports both regular and "extended" channel data. The regular channel data (SSHChannelData.DataType.channel) is used for the vast majority of core data. In session channels the .channel data type is used for standard input and standard output: the .stdErr data type is used for standard error (naturally). In TCP forwarding channels, the .channel data type is the only kind used, and represents the forwarded data.

Channel Events

A session channel represents an invocation of a command. Exactly how the channel operates is communicated in a number of inbound user events. The following events are important:

  • SSHChannelRequestEvent.PseudoTerminalRequest: Requests the allocation of a pseudo-terminal.
  • SSHChannelRequestEvent.EnvironmentRequest: Requests a single environment variable for the command invocation. Always sent before the command itself.
  • SSHChannelRequestEvent.ShellRequest: Requests that the command to be invoked is the authenticated user's shell.
  • SSHChannelRequestEvent.ExecRequest: Requests the invocation of a specific command.
  • SSHChannelRequestEvent.ExitStatus: Used to signal that the remote command has exited, and communicates the exit code.
  • SSHChannelRequestEvent.ExitSignal: Used to indicate that the remote command was terminated in response to a signal, and what that signal was.
  • SSHChannelRequestEvent.SignalRequest: Used to send a signal to the remote command.
  • SSHChannelRequestEvent.LocalFlowControlRequest: Used to indicate whether the client is capable of performing Ctrl-Q/Ctrl-S flow control itself.
  • SSHChannelRequestEvent.WindowChangeRequest: Used to communicate a change in the size of the terminal window on the client to the allocated pseudo-terminal.
  • SSHChannelRequestEvent.SubsystemRequest: Used to request invocation of a specific subsystem. The meaning of this is specific to individual use-cases.

These events are unused in port forwarding messages. SSH implementations that support .session type channels need to be prepared to handle most or all of these in various ways.

Each of these events also has a wantReply field. This indicates whether the request needs a reply to indicate success or failure. If it does, the following two events are used:

  • ChannelSuccessEvent, to communicate success.
  • ChannelFailureEvent, to communicate failure.

Half Closure

The SSH network protocol pervasively uses half-closure in the child channels. NIO Channels typically have half-closure support disabled by default, and SwiftNIO SSH respects this default in its child channels as well. However, if you leave this setting at its default value the SSH child channels will behave extremely unexpectedly. For this reason, it is strongly recommended that all child channels have half closure support enabled:

channel.setOption(ChannelOptions.allowRemoteHalfClosure, value: true)

This then uses standard NIO half-closure support. The remote peer sending EOF will be communicated with an inbound user event, ChannelEvent.inputClosed. To send EOF yourself, call close(mode: .output).
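The channel-type, channel-event and half-closure points above can be combined in one server-side child channel. The following is an added example, not code from the SwiftNIO SSH project: it accepts only `.session` channels, enables half-closure, honours `wantReply`, and runs a single allow-listed exec command. `StatusOnlySessionHandler`, `initializeSessionChannel`, `UnsupportedChannelType` and the command name `status` are hypothetical names chosen for illustration.

```swift
import NIOCore
import NIOSSH

struct UnsupportedChannelType: Error {} // hypothetical error type

/// Hypothetical handler for one server-side `.session` child channel. It runs
/// a single allow-listed exec command and refuses every other request.
final class StatusOnlySessionHandler: ChannelDuplexHandler {
    typealias InboundIn = SSHChannelData
    typealias OutboundIn = SSHChannelData
    typealias OutboundOut = SSHChannelData

    private static let allowedCommand = "status" // constructed sample command
    private var execHandled = false

    func userInboundEventTriggered(context: ChannelHandlerContext, event: Any) {
        switch event {
        case let request as SSHChannelRequestEvent.ExecRequest:
            // The command string is peer-controlled: compare it against the
            // allow-list and never pass it to a shell.
            let accepted = !self.execHandled && request.command == Self.allowedCommand
            self.reply(accepted, wantReply: request.wantReply, context: context)
            if accepted {
                self.execHandled = true
                self.sendStatusAndExit(context: context)
            } else {
                context.close(promise: nil)
            }
        case let request as SSHChannelRequestEvent.EnvironmentRequest:
            // Client-chosen environment variables are refused outright.
            self.reply(false, wantReply: request.wantReply, context: context)
        case let request as SSHChannelRequestEvent.PseudoTerminalRequest:
            self.reply(false, wantReply: request.wantReply, context: context)
        case let request as SSHChannelRequestEvent.ShellRequest:
            self.reply(false, wantReply: request.wantReply, context: context)
        case let request as SSHChannelRequestEvent.SubsystemRequest:
            self.reply(false, wantReply: request.wantReply, context: context)
        case let channelEvent as ChannelEvent where channelEvent == .inputClosed:
            // Peer sent EOF: its stdin is finished, output may still be written.
            break
        default:
            context.fireUserInboundEventTriggered(event)
        }
    }

    func channelRead(context: ChannelHandlerContext, data: NIOAny) {
        // The allow-listed command takes no stdin: inbound data is discarded.
    }

    private func reply(_ success: Bool, wantReply: Bool, context: ChannelHandlerContext) {
        guard wantReply else { return } // the peer did not ask for an answer
        let event: Any = success ? ChannelSuccessEvent() : ChannelFailureEvent()
        context.triggerUserOutboundEvent(event, promise: nil)
    }

    private func sendStatusAndExit(context: ChannelHandlerContext) {
        var buffer = context.channel.allocator.buffer(capacity: 8)
        buffer.writeString("ok\n")
        let stdout = SSHChannelData(type: .channel, data: .byteBuffer(buffer))
        context.writeAndFlush(self.wrapOutboundOut(stdout), promise: nil)
        context.triggerUserOutboundEvent(SSHChannelRequestEvent.ExitStatus(exitStatus: 0), promise: nil)
        context.close(promise: nil)
    }
}

/// Child channel initializer: sessions only, with half-closure enabled.
func initializeSessionChannel(_ channel: Channel, _ type: SSHChannelType) -> EventLoopFuture<Void> {
    guard case .session = type else {
        // Port-forwarding channel types are rejected before any handler exists.
        return channel.eventLoop.makeFailedFuture(UnsupportedChannelType())
    }
    return channel.setOption(ChannelOptions.allowRemoteHalfClosure, value: true).flatMap {
        channel.pipeline.addHandler(StatusOnlySessionHandler())
    }
}
```

The initializer is intended to be passed as the inbound child channel initializer when the server's NIOSSHHandler is constructed.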

User Authentication

User authentication is a vital part of SSH. To manage it, SwiftNIO SSH uses a pair of delegate protocols: NIOSSHClientUserAuthenticationDelegate and NIOSSHServerUserAuthenticationDelegate. Clients and servers should provide implementations of these delegate protocols to manage user authentication.

The client protocol is straightforward: SwiftNIO SSH will invoke the method nextAuthenticationType(availableMethods:nextChallengePromise:) on the delegate. The availableMethods will be an instance of NIOSSHAvailableUserAuthenticationMethods communicating which authentication methods the server has suggested will be acceptable. The delegate can then complete nextChallengePromise with either a new authentication request, or with nil to indicate that the client has run out of things to try.

The server protocol is more complex. The delegate must provide a supportedAuthenticationMethods property that communicates which authentication methods are supported by the delegate. Then, each time the client sends a user auth request, the requestReceived(request:responsePromise:) method will be invoked. This may be invoked multiple times in parallel, as clients are allowed to issue auth requests in parallel. The responsePromise should be succeeded with the result of the authentication. There are three results: .success and .failure are straightforward, but in principle the server can require multiple challenges using .partialSuccess(remainingMethods:).
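A server delegate for the protocol described above, written as an added example rather than code from the SwiftNIO SSH project: it advertises public key authentication only and checks the offered key against a per-user allow-list, returning the same `.failure` for an unknown user and for an unlisted key. `AuthorizedKeysDelegate` and `parseKeys` are hypothetical names, and the example assumes each key line has the form "type base64 [comment]" with no options prefix.

```swift
import NIOCore
import NIOSSH

/// Hypothetical server delegate: public key only, per-user allow-list, and
/// fail-closed for every other kind of request.
final class AuthorizedKeysDelegate: NIOSSHServerUserAuthenticationDelegate {
    /// Username mapped to the keys allowed to log in as that user. Immutable,
    /// so parallel auth requests cannot race on it.
    private let authorizedKeys: [String: Set<NIOSSHPublicKey>]

    init(authorizedKeys: [String: Set<NIOSSHPublicKey>]) {
        self.authorizedKeys = authorizedKeys
    }

    /// Only methods listed here are offered to clients; password is left out.
    var supportedAuthenticationMethods: NIOSSHAvailableUserAuthenticationMethods {
        .publicKey
    }

    func requestReceived(
        request: NIOSSHUserAuthenticationRequest,
        responsePromise: EventLoopPromise<NIOSSHUserAuthenticationOutcome>
    ) {
        // Anything that is not a public key request, an unknown username, and
        // a key that is not on the user's list all end in the same outcome,
        // so the reply does not reveal which usernames exist.
        guard case .publicKey(let offered) = request.request,
              let allowed = self.authorizedKeys[request.username],
              allowed.contains(offered.publicKey) else {
            responsePromise.succeed(.failure)
            return
        }
        responsePromise.succeed(.success)
    }

    /// Parses authorized_keys-style text into a key set, skipping blank lines
    /// and `#` comments. A malformed key line throws instead of being dropped
    /// silently, so a bad deployment is noticed at start-up.
    static func parseKeys(_ text: String) throws -> Set<NIOSSHPublicKey> {
        var keys = Set<NIOSSHPublicKey>()
        for line in text.split(separator: "\n") {
            let trimmed = line.drop(while: { $0 == " " || $0 == "\t" })
            if trimmed.isEmpty || trimmed.first == "#" { continue }
            keys.insert(try NIOSSHPublicKey(openSSHPublicKey: String(trimmed)))
        }
        return keys
    }
}
```

The promise is always completed on every path; leaving it pending would stall that authentication attempt.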

Direct Port Forwarding

Direct port forwarding is port forwarding from client to server. In this mode traditionally the client will listen on a local port, and will forward inbound connections to the server. It will ask that the server forward these connections as outbound connections to a specific host and port.

These channels can be directly opened by clients by using the .directTCPIP channel type.

Remote Port Forwarding and Global Requests

Remote port forwarding is a less-common situation where the client asks the server to listen on a specific address and port, and to forward all inbound connections to the client. As the client needs to request this behaviour, it does so using global requests.

Global requests are initiated using NIOSSHHandler.sendGlobalRequest, and are received and handled by way of a GlobalRequestDelegate. There are two global requests supported today:

  • GlobalRequest.TCPForwardingRequest.listen(host:port:): a request for the server to listen on a given host and port.
  • GlobalRequest.TCPForwardingRequest.cancel(host:port:): a request to cancel the listening on the given host and port.

Servers may be notified of and respond to these requests using a GlobalRequestDelegate. The method to implement here is tcpForwardingRequest(_:handler:promise:). This delegate method will be invoked any time a global request is received. The response to the request is passed into promise.

Forwarded channels are then sent from server to client using the .forwardedTCPIP channel type.
