NAME

Net::SSH::Perl - Perl client Interface to SSH

SYNOPSIS

use Net::SSH::Perl;
my $ssh = Net::SSH::Perl->new($host);
$ssh->login($user, $pass);
my($stdout, $stderr, $exit) = $ssh->cmd($cmd);

DESCRIPTION

Net::SSH::Perl is an all-Perl module implementing an ssh client. It enables you to simply and securely execute commands on remote machines, and receive the STDOUT, STDERR, and exit status of that remote command.

It contains built-in support for various methods of authenticating with the server (password authentication, RSA challenge-response authentication, etc.). It completely implements the I/O buffering, packet transport, and user authentication layers of the SSH protocol, and makes use of external Perl libraries (in the Crypt:: family of modules) to handle encryption of all data sent across the insecure network. It can also read your existing SSH configuration files (/etc/ssh_config, etc.), RSA identity files, known hosts files, etc.

One advantage to using Net::SSH::Perl over wrapper-style implementations of ssh clients is that it saves on process overhead: you no longer need to fork and execute a separate process in order to connect to an sshd. Depending on the amount of time and memory needed to fork a process, this win can be quite substantial; particularly if you're running in a persistent Perl environment (mod_perl, for example), where forking a new process is a drain on process and memory resources.

It also simplifies the process of using password-based authentications; when writing a wrapper around ssh you probably need to use Expect to control the ssh client and give it your password. Net::SSH::Perl has built-in support for the authentication protocols, so there's no longer any hassle of communicating with any external processes.

BASIC USAGE

Usage of Net::SSH::Perl is very simple.

Net::SSH::Perl->new($host, %params)

To set up a new connection, call the new method, which connects to $host and returns a Net::SSH::Perl object.

new accepts the following named parameters in %params:

  • cipher

    Specifies the name of the encryption cipher that you wish to use for this connection. This must be one of the supported ciphers (currently, IDEA, DES, DES3, and Blowfish); specifying an unsupported cipher is a fatal error. The default cipher is IDEA.

  • port

    The port of the sshd daemon to which you wish to connect; if not specified, this is assumed to be the default ssh port.

  • debug

    Set to a true value if you want debugging messages printed out while the connection is being opened. These can be helpful in trying to determine connection problems, etc. The messages are similar (and in some cases exact) to those written out by the ssh client when you use the -v option.

    Defaults to false.

  • interactive

    Set to a true value if you're using Net::SSH interactively. This is used in determining whether or not to display password prompts, for example. It's basically the inverse of the BatchMode parameter in ssh configuration.

    Defaults to false.

  • privileged

    Set to a true value if you want to bind to a privileged port locally. You'll need this if you plan to use Rhosts or Rhosts-RSA authentication, because the remote server requires the client to connect on a privileged port. Of course, to bind to a privileged port you'll need to be root.

    If you don't provide this parameter, and Net::SSH::Perl detects that you're running as root, this will automatically be set to true. Otherwise it defaults to false.

  • identity_files

    A list of RSA identity files to be used in RSA authentication. The value of this argument should be a reference to an array of strings, each string identifying the location of an identity file.

    If you don't provide this, RSA authentication defaults to using "$ENV{HOME}/.ssh/identity".

  • compression

    If set to a true value, compression is turned on for the session (assuming that the server supports it).

    Compression is off by default.

    Note that compression requires that you have the Compress::Zlib module installed on your system. If the module can't be loaded successfully, compression is disabled; you'll receive a warning stating as much if you having debugging on (debug set to 1), and you try to turn on compression.

  • compression_level

    Specifies the compression level to use if compression is enabled (note that you must provide both the compression and compression_level arguments to set the level; providing only this argument will not turn on encryption).

    The default value is 6.

  • use_pty

    Set this to 1 if you want to request a pseudo tty on the remote machine. This is really only useful if you're setting up a shell connection (see the shell method, below); and in that case, unless you've explicitly declined a pty (by setting use_pty to 0), this will be set automatically to 1. In other words, you probably won't need to use this, often.

    The default is 1 if you're starting up a shell, and 0 otherwise.

  • options

    Used to specify additional options to the configuration settings; useful for specifying options for which there is no separate constructor argument. This is analogous to the -o command line flag to the ssh program.

    If used, the value should be a reference to a list of option directives in the format used in the config file. For example:

    my $ssh = Net::SSH::Perl->new("host", options => [
        "BatchMode yes", "RhostsAuthentication no" ]);

$ssh->login([ $user [, $password ] ])

Sets the username and password to be used when authenticating with the sshd daemon. The username $user is required for all authentication protocols (to identify yourself to the remote server), but if you don't supply it the username of the user executing the program is used.

The password $password is needed only for password authentication (it's not used for RSA passphrase authentication, though perhaps it should be). And if you're running in an interactive session and you've not provided a password, you'll be prompted for one.

($out, $err, $exit) = $ssh->cmd($cmd, [ $stdin ])

Runs the command $cmd on the remote server and returns the stdout, stderr, and exit status of that command.

If $stdin is provided, it's supplied to the remote command $cmd on standard input.

NOTE: the ssh protocol does not easily support (so far as I know) running multiple commands per connection, unless those commands are chained together so that the remote shell can evaluate them. Because of this, a new socket connection is created each time you call cmd, and disposed of afterwards. In other words, this code:

my $ssh = Net::SSH::Perl->new("host1");
$ssh->login("user1", "pass1");

$ssh->cmd("foo");
$ssh->cmd("bar");

will actually connect to the sshd on the first invocation of cmd, then disconnect; then connect again on the second invocation of cmd, then disconnect again.

This is less than ideal, obviously. Future version of Net::SSH::Perl may find ways around that.

$ssh->shell

Opens up an interactive shell on the remote machine and connects it to your STDIN. This is most effective when used with a pseudo tty; otherwise you won't get a command line prompt, and it won't look much like a shell. For this reason--unless you've specifically declined one--a pty will be requested from the remote machine, even if you haven't set the use_pty argument to new (described above).

This is really only useful in an interactive program.

In addition, you'll probably want to set your terminal to raw input before calling this method. This lets Net::SSH::Perl process each character and send it off to the remote machine, as you type it.

To do so, use Term::ReadKey in your program:

use Term::ReadKey;
ReadMode('raw');
$ssh->shell;
ReadMode('restore');

In fact, you may want to place the restore line in an END block, in case your program exits prior to reaching that line.

If you need an example, take a look at eg/pssh, which uses almost this exact code to implement an ssh shell.

$ssh->register_handler($packet_type, $subref)

Registers an anonymous subroutine handler $subref to handle packets of type $packet_type during the client loop. The client loop is entered after the client has sent a command to the remote server, and after any STDIN data has been sent; it consists of reading packets from the server (STDOUT packets, STDERR packets, etc.) until the server sends the exit status of the command executed remotely. At this point the client exits the client loop and disconnects from the server.

When you call the cmd method, the client loop by default simply sticks STDOUT packets into a scalar variable and returns that value to the caller. It does the same for STDERR packets, and for the process exit status. (See the docs for cmd).

You can, however, override that default behavior, and instead process the packets yourself as they come in. You do this by calling the register_handler method and giving it a packet type $packet_type and a subroutine reference $subref. Your subroutine will receive as arguments the Net::SSH::Perl object (with an open connection to the sshd), and a Net::SSH::Perl::Packet object, which represents the packet read from the server.

$packet_type should be an integer constant; you can import the list of constants into your namespace by explicitly loading the Net::SSH::Perl::Constants module:

use Net::SSH::Perl::Constants qw( :msg );

This will load all of the MSG constants into your namespace so that you can use them when registering the handler. To do that, use this method. For example:

$ssh->register_handler(SSH_SMSG_STDOUT_DATA, sub {
    my($ssh, $packet) = @_;
    print "I received this: ", $packet->get_str;
});

To learn about the methods that you can call on the packet object, take a look at the Net::SSH::Perl::Packet docs, as well as the Net::SSH::Perl::Buffer docs (the get_* and put_* methods).

Obviously, writing these handlers requires some knowledge of the contents of each packet. For that, read through the SSH RFC, which explains each packet type in detail. There's a get_* method for each datatype that you may need to read from a packet.

ADVANCED METHODS

Your basic SSH needs will hopefully be met by the methods listed above. If they're not, however, you may want to use some of the additional methods listed here. Some of these are aimed at end-users, while others are probably more useful for actually writing an authentication module, or a cipher, etc.

$ssh->config

Returns the Net::SSH::Perl::Config object managing the configuration data for this SSH object. This is constructed from data passed in to the constructor new (see above), merged with data read from the user and system configuration files. See the Net::SSH::Perl::Config docs for details on methods you can call on this object (you'll probably be more interested in the get and set methods).

$ssh->sock

Returns the socket connection to sshd. If your client is not connected, dies.

$ssh->debug($msg)

If debugging is turned on for this session (see the debug parameter to the new method, above), writes $msg to STDERR. Otherwise nothing is done.

$ssh->incoming_data

Incoming data buffer, an object of type Net::SSH::Perl::Buffer. Returns the buffer object.

The idea behind this is that we our socket is non-blocking, so we buffer input and periodically check back to see if we've read a full packet. If we have a full packet, we rip it out of the incoming data buffer and process it, returning it to the caller who presumably asked for it.

This data "belongs" to the underlying packet layer in Net::SSH::Perl::Packet. Unless you really know what you're doing you probably don't want to disturb that data.

$ssh->set_cipher($cipher_name)

Sets the cipher for the SSH session $ssh to $cipher_name (which must be a valid cipher name), and turns on encryption for that session.

$ssh->send_cipher

Returns the "send" cipher object. This is the object that encrypts outgoing data.

If it's not defined, encryption is not turned on for the session.

$ssh->receive_cipher

Returns the "receive" cipher object. This is the object that decrypts incoming data.

If it's not defined, encryption is not turned on for the session.

NOTE: the send and receive ciphers and two different objects, each with its own internal state (initialization vector, in particular). Thus they cannot be interchanged.

$ssh->compression([ $level ])

Without arguments, returns the current compression level for the session. If given an argument $level, sets the compression level and turns on compression for the session.

Note that this should not be used to turn compression off. In fact, I don't think there's a way to turn compression off. But in other words, don't try giving this method a value of 0 and expect that to turn off compression. It won't.

If the return value of this method is undefined or 0, compression is turned off.

$ssh->send_compression

Returns the "send" compression object/stream. This is a Compress::Zlib deflation (compression) stream; we keep it around because it contains state that needs to be used throughout the session.

$ssh->receive_compression

Returns the "receive" compression object/stream. This is a Compress::Zlib inflation (uncompression) stream; we keep it around because it contains state that needs to be used throughout the session.

$ssh->session_key

Returns the session key, which is simply 32 bytes of random data and is used as the encryption/decryption key.

$ssh->session_id

Returns the session ID, which is generated from the server's host and server keys, and from the check bytes that it sends along with the keys. The server may require the session ID to be passed along in other packets, as well (for example, when responding to RSA challenges).

$packet = $ssh->packet_start($packet_type)

Starts building a new packet of type $packet_type. This is just a handy method for lazy people. Internally it calls Net::SSH::Perl::Packet::new, so take a look at those docs for more details.

SUPPORT

For samples/tutorials, take a look at the scripts in eg/ in the distribution directory.

If you have any questions, code samples, bug reports, or feedback, please email them to:

ben@rhumba.pair.com

AUTHOR & COPYRIGHT

Benjamin Trott, ben@rhumba.pair.com

Except where otherwise noted, Net::SSH::Perl is Copyright 2001 Benjamin Trott. All rights reserved. Net::SSH::Perl is free software; you may redistribute it and/or modify it under the same terms as Perl itself.