Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
@olzie-12/ssh2-streams
Advanced tools
SSH2 and SFTP(v3) client/server protocol streams for node.js.
npm install ssh2-streams
require('ssh2-streams').SSH2Stream
returns an SSH2Stream constructor.
require('ssh2-streams').SFTPStream
returns an SFTPStream constructor.
require('ssh2-streams').utils
returns an object of useful utility functions.
require('ssh2-streams').constants
returns an object containing useful SSH protocol constants.
Client/Server events
header(< object >headerInfo) - Emitted when the protocol header is seen. headerInfo
contains:
greeting - string - (Client-only) An optional greeting message presented by the server.
identRaw - string - The raw identification string sent by the remote party.
versions - object - Contains various information parsed from identRaw
:
protocol - string - The protocol version (always 1.99
or 2.0
) supported by the remote party.
software - string - The software name used by the remote party.
comments - string - Any additional text that comes after the software name.
GLOBAL_REQUEST(< string >reqName, < boolean >wantReply, < mixed >reqData)
CHANNEL_DATA:<channel>(< Buffer >data)
CHANNEL_EXTENDED_DATA:<channel>(< integer >type, < Buffer >data)
CHANNEL_WINDOW_ADJUST:<channel>(< integer >bytesToAdd)
CHANNEL_SUCCESS:<channel>()
CHANNEL_FAILURE:<channel>()
CHANNEL_EOF:<channel>()
CHANNEL_CLOSE:<channel>()
CHANNEL_OPEN_CONFIRMATION:<channel>(< object >channelInfo) - channelInfo
contains:
recipient - integer - The local channel number.
sender - integer - The remote party's channel number.
window - integer - The initial window size for the channel.
packetSize - integer - The maximum packet size for the channel.
CHANNEL_OPEN_FAILURE:<channel>(< object >failInfo) - failInfo
contains:
recipient - integer - The local channel number.
reasonCode - integer - The reason code of the failure.
reason - string - A text representation of the reasonCode
.
description - string - An optional description of the failure.
DISCONNECT(< string >reason, < integer >reasonCode, < string >description)
DEBUG(< string >message)
NEWKEYS()
REQUEST_SUCCESS([< Buffer >resData])
REQUEST_FAILURE()
Client-only events
fingerprint(< Buffer >hostKey, < function >callback) - This event allows you to verify a host's key. If callback
is called with true
, the handshake continues. Otherwise a disconnection will occur if callback
is called with false
. The default behavior is to auto-allow any host key if there are no handlers for this event.
SERVICE_ACCEPT(< string >serviceName)
USERAUTH_PASSWD_CHANGEREQ(< string >message)
USERAUTH_INFO_REQUEST(< string >name, < string >instructions, < string >lang, < array >prompts)
USERAUTH_PK_OK()
USERAUTH_SUCCESS()
USERAUTH_FAILURE(< array >methodsContinue, < boolean >partialSuccess)
USERAUTH_BANNER(< string >message)
CHANNEL_OPEN(< object >channelInfo) - channelInfo
contains:
type - string - The channel type (e.g. x11
, forwarded-tcpip
).
sender - integer - The remote party's channel number.
window - integer - The initial window size for the channel.
packetSize - integer - The maximum packet size for the channel.
data - object - The properties available depend on type
:
x11
:
srcIP - string - Source IP address of X11 connection request.
srcPort - string - Source port of X11 connection request.
forwarded-tcpip
:
srcIP - string - Source IP address of incoming connection.
srcPort - string - Source port of incoming connection.
destIP - string - Destination IP address of incoming connection.
destPort - string - Destination port of incoming connection.
forwarded-streamlocal@openssh.com
:
auth-agent@openssh.com
has no extra data.
CHANNEL_REQUEST:<channel>(< object >reqInfo) - reqInfo
properties depend on reqInfo.request
:
exit-status
:
exit-signal
:
signal - string - The signal name.
coredump - boolean - Was the exit the result of a core dump?
description - string - An optional error message.
Server-only events
SERVICE_REQUEST(< string >serviceName)
USERAUTH_REQUEST(< string >username, < string >serviceName, < string >authMethod, < mixed >authMethodData) - authMethodData
depends on authMethod
:
For password
, it's a string containing the password.
For publickey
, it's an object containing:
keyAlgo - string - The public key algorithm.
key - Buffer - The public key data.
signature - mixed - If set, it is a Buffer containing the signature to be verified.
blob - mixed - If set, it is a Buffer containing the data to sign. The resulting signature is what is compared to signature
.
For hostbased
, it's an object including the properties from publickey
but also:
localHostname - string - The client's hostname to be verified.
localUsername - string - The client's (local) username to be verified.
USERAUTH_INFO_RESPONSE(< array >responses)
GLOBAL_REQUEST(< string >reqName, < boolean >wantReply, < mixed >reqData) - reqData
depends on reqName
:
For tcpip-forward
/cancel-tcpip-forward
, it's an object containing:
bindAddr - string - The IP address to start/stop binding to.
bindPort - string - The port to start/stop binding to.
For streamlocal-forward@openssh.com
/cancel-streamlocal-forward@openssh.com
, it's an object containing:
For no-more-sessions@openssh.com
, there is no reqData
.
For any other requests, it's a Buffer containing raw request-specific data if there is any extra data.
CHANNEL_OPEN(< object >channelInfo) - channelInfo
contains:
type - string - The channel type (e.g. session
, direct-tcpip
).
sender - integer - The remote party's channel number.
window - integer - The initial window size for the channel.
packetSize - integer - The maximum packet size for the channel.
data - object - The properties available depend on type
:
direct-tcpip
:
srcIP - string - Source IP address of outgoing connection.
srcPort - string - Source port of outgoing connection.
destIP - string - Destination IP address of outgoing connection.
destPort - string - Destination port of outgoing connection.
direct-streamlocal@openssh.com
:
session
has no extra data.
CHANNEL_REQUEST:<channel>(< object >reqInfo) - reqInfo
properties depend on reqInfo.request
:
pty-req
:
wantReply - boolean - The client is requesting a response to this request.
term - string - The terminal type name.
cols - integer - The number of columns.
rows - integer - The number of rows.
width - integer - The width in pixels.
height - integer - The height in pixels.
modes - object - The terminal modes.
window-change
:
cols - integer - The number of columns.
rows - integer - The number of rows.
width - integer - The width in pixels.
height - integer - The height in pixels.
x11-req
:
wantReply - boolean - The client is requesting a response to this request.
single - boolean - Whether only a single X11 connection should be allowed.
protocol - string - The X11 authentication protocol to be used.
cookie - string - The hex-encoded X11 authentication cookie.
screen - integer - The screen number for incoming X11 connections.
env
:
wantReply - boolean - The client is requesting a response to this request.
key - string - The environment variable name.
val - string - The environment variable value.
shell
:
exec
:
wantReply - boolean - The client is requesting a response to this request.
command - string - The command to be executed.
subsystem
:
wantReply - boolean - The client is requesting a response to this request.
subsystem - string - The name of the subsystem.
signal
:
SIG
).xon-xoff
:
auth-agent-req@openssh.com
has no reqInfo
.
bytesSent - integer - The number of bytes sent since the last keying. This metric can be useful in determining when to call rekey()
.
bytesReceived - integer - The number of bytes received since the last keying. This metric can be useful in determining when to call rekey()
.
(constructor)(< object >config) - Creates and returns a new SSH2Stream instance. SSH2Stream instances are Duplex streams. config
can contain:
server - boolean - Set to true
to create an instance in server mode. Default: false
hostKeys - object - If in server mode, an object keyed on host key format (see supported serverHostKey
values in algorithms
option below) with values being (decrypted) _Buffer_s or _string_s that contain PEM-encoded (OpenSSH format) host private key(s). Default: (none)
greeting - string - If in server mode, an optional message to send to the user immediately upon connection, before the handshake. Note: Most clients usually ignore this. Default: (none)
banner - string - If in server mode, an optional message to send to the user once, right before authentication begins. Default: (none)
ident - string - A custom software name/version identifier. Default: 'ssh2js' + moduleVersion + 'srv'
(server mode) 'ssh2js' + moduleVersion
(client mode)
maxPacketSize - string - This is the maximum packet size that will be accepted. It should be 35000 bytes or larger to be compatible with other SSH2 implementations. Default: 35000
highWaterMark - integer - This is the highWaterMark
to use for the stream. Default: 32 * 1024
algorithms - object - This option allows you to explicitly override the default transport layer algorithms used for the connection. Each value must be an array of valid algorithms for that category. The order of the algorithms in the arrays are important, with the most favorable being first. Valid keys:
kex - array - Key exchange algorithms.
Default values:
Supported values:
cipher - array - Ciphers.
Default values:
Supported values:
serverHostKey - array - Server host key formats. In server mode, this list must agree with the host private keys set in the hostKeys
config setting.
Default values:
Supported values:
hmac - array - (H)MAC algorithms.
Default values:
Supported values:
compress - array - Compression algorithms.
Default values:
Supported values:
debug - function - Set this to a function that receives a single string argument to get detailed (local) debug information. Default: (none)
Client/Server methods
ping() - boolean - Writes a dummy GLOBAL_REQUEST packet (specifically "keepalive@openssh.com") that requests a reply. Returns false
if you should wait for the continue
event before sending any more traffic.
disconnect([< integer >reasonCode]) - boolean - Writes a disconnect packet and closes the stream. Returns false
if you should wait for the continue
event before sending any more traffic.
rekey() - boolean - Starts the re-keying process. Incoming/Outgoing packets are buffered until the re-keying process has finished. Returns false
to indicate that no more packets should be written until the NEWKEYS
event is seen.
requestSuccess([< Buffer >data]) - boolean - Writes a request success packet. Returns false
if you should wait for the continue
event before sending any more traffic.
requestFailure() - boolean - Writes a request failure packet. Returns false
if you should wait for the continue
event before sending any more traffic.
channelSuccess() - boolean - Writes a channel success packet. Returns false
if you should wait for the continue
event before sending any more traffic.
channelFailure() - boolean - Writes a channel failure packet. Returns false
if you should wait for the continue
event before sending any more traffic.
channelEOF(< integer >channel) - boolean - Writes a channel EOF packet for the given channel
. Returns false
if you should wait for the continue
event before sending any more traffic.
channelClose(< integer >channel) - boolean - Writes a channel close packet for the given channel
. Returns false
if you should wait for the continue
event before sending any more traffic.
channelWindowAdjust(< integer >channel, < integer >amount) - boolean - Writes a channel window adjust packet for the given channel
where amount
is the number of bytes to add to the channel window. Returns false
if you should wait for the continue
event before sending any more traffic.
channelData(< integer >channel, < mixed >data) - boolean - Writes a channel data packet for the given channel
where data
is a Buffer or string. Returns false
if you should wait for the continue
event before sending any more traffic.
channelExtData(< integer >channel, < mixed >data, < integer >type) - boolean - Writes a channel extended data packet for the given channel
where data is a _Buffer_ or _string_. Returns
falseif you should wait for the
continue` event before sending any more traffic.
channelOpenConfirm(< integer >remoteChannel, < integer >localChannel, < integer >initWindow, < integer >maxPacket) - boolean - Writes a channel open confirmation packet. Returns false
if you should wait for the continue
event before sending any more traffic.
channelOpenFail(< integer >remoteChannel, < integer >reasonCode[, < string >description]) - boolean - Writes a channel open failure packet. Returns false
if you should wait for the continue
event before sending any more traffic.
Client-only methods
service(< string >serviceName) - boolean - Writes a service request packet for serviceName
. Returns false
if you should wait for the continue
event before sending any more traffic.
tcpipForward(< string >bindAddr, < integer >bindPort[, < boolean >wantReply]) - boolean - Writes a tcpip forward global request packet. wantReply
defaults to true
. Returns false
if you should wait for the continue
event before sending any more traffic.
cancelTcpipForward(< string >bindAddr, < integer >bindPort[, < boolean >wantReply]) - boolean - Writes a cancel tcpip forward global request packet. wantReply
defaults to true
. Returns false
if you should wait for the continue
event before sending any more traffic.
authPassword(< string >username, < string >password) - boolean - Writes a password userauth request packet. Returns false
if you should wait for the continue
event before sending any more traffic.
authPK(< string >username, < object >pubKey[, < function >cbSign]) - boolean - Writes a publickey userauth request packet. pubKey
is the object returned from using utils.parseKey()
on a private or public key. If cbSign
is not present, a pubkey check userauth packet is written. Otherwise cbSign
is called with (blob, callback)
, where blob
is the data to sign with the private key and the resulting signature Buffer is passed to callback
as the first argument. Returns false
if you should wait for the continue
event before sending any more traffic.
authHostbased(< string >username, < object >pubKey, < string >localHostname, < string >localUsername, < function >cbSign) - boolean - Writes a hostbased userauth request packet. pubKey
is the object returned from using utils.parseKey()
on a private or public key. cbSign
is called with (blob, callback)
, where blob
is the data to sign with the private key and the resulting signature Buffer is passed to callback
as the first argument. Returns false
if you should wait for the continue
event before sending any more traffic.
authKeyboard(< string >username) - boolean - Writes a keyboard-interactive userauth request packet. Returns false
if you should wait for the continue
event before sending any more traffic.
authNone(< string >username) - boolean - Writes a "none" userauth request packet. Returns false
if you should wait for the continue
event before sending any more traffic.
authInfoRes(< array >responses) - boolean - Writes a userauth info response packet. responses
is an array of zero or more strings corresponding to responses to prompts previously sent by the server. Returns false
if you should wait for the continue
event before sending any more traffic.
directTcpip(< integer >channel, < integer >initWindow, < integer >maxPacket, < object >config) - boolean - Writes a direct tcpip channel open packet. config
must contain srcIP
, srcPort
, dstIP
, and dstPort
. Returns false
if you should wait for the continue
event before sending any more traffic.
session(< integer >channel, < integer >initWindow, < integer >maxPacket) - boolean - Writes a session channel open packet. Returns false
if you should wait for the continue
event before sending any more traffic.
openssh_agentForward(< integer >channel[, < boolean >wantReply]) - boolean - Writes an auth-agent-req@openssh.com
channel request packet. wantReply
defaults to true
. Returns false
if you should wait for the continue
event before sending any more traffic.
windowChange(< integer >channel, < integer >rows, < integer >cols, < integer >height, < integer >width) - boolean - Writes a window change channel request packet. Returns false
if you should wait for the continue
event before sending any more traffic.
pty(< integer >channel, < integer >rows, < integer >cols, < integer >height, < integer >width, < string >terminalType, < mixed >terminalModes[, < boolean >wantReply]) - boolean - Writes a pty channel request packet. If terminalType
is falsey, vt100
is used. terminalModes
can be the raw bytes, an object of the terminal modes to set, or a falsey value for no modes. wantReply
defaults to true
. Returns false
if you should wait for the continue
event before sending any more traffic.
env(< integer >channel, < string >key, < mixed >value[, < boolean >wantReply]) - boolean - Writes an env channel request packet. value
can be a string or Buffer. wantReply
defaults to true
. Returns false
if you should wait for the continue
event before sending any more traffic.
shell(< integer >channel[, < boolean >wantReply]) - boolean - Writes a shell channel request packet. wantReply
defaults to true
. Returns false
if you should wait for the continue
event before sending any more traffic.
exec(< integer >channel, < string >command[, < boolean >wantReply]) - boolean - Writes an exec channel request packet. wantReply
defaults to true
. Returns false
if you should wait for the continue
event before sending any more traffic.
signal(< integer >channel, < string >signalName) - boolean - Writes a signal channel request packet. Returns false
if you should wait for the continue
event before sending any more traffic.
x11Forward(< integer >channel, < object >config[, < boolean >wantReply]) - boolean - Writes an X11 forward channel request packet. wantReply
defaults to true
. Returns false
if you should wait for the continue
event before sending any more traffic. config
can contain:
single - boolean - true
if only a single connection should be forwarded.
protocol - string - The name of the X11 authentication method used (e.g. MIT-MAGIC-COOKIE-1
).
cookie - string - The X11 authentication cookie encoded in hexadecimal.
screen - integer - The screen number to forward X11 connections for.
subsystem(< integer >channel, < string >name[, < boolean >wantReply]) - boolean - Writes a subsystem channel request packet. name
is the name of the subsystem (e.g. sftp
or netconf
). wantReply
defaults to true
. Returns false
if you should wait for the continue
event before sending any more traffic.
openssh_noMoreSessions([< boolean >wantReply]) - boolean - Writes a no-more-sessions@openssh.com request packet. wantReply
defaults to true
. Returns false
if you should wait for the continue
event before sending any more traffic.
openssh_streamLocalForward(< string >socketPath[, < boolean >wantReply]) - boolean - Writes a streamlocal-forward@openssh.com request packet. wantReply
defaults to true
. Returns false
if you should wait for the continue
event before sending any more traffic.
openssh_cancelStreamLocalForward(< string >socketPath[, < boolean >wantReply]) - boolean - Writes a cancel-streamlocal-forward@openssh.com request packet. wantReply
defaults to true
. Returns false
if you should wait for the continue
event before sending any more traffic.
openssh_directStreamLocal(< integer >channel, < integer >initWindow, < integer >maxPacket, < object >config) - boolean - Writes a direct-streamlocal@openssh.com channel open packet. config
must contain socketPath
. Returns false
if you should wait for the continue
event before sending any more traffic.
Server-only methods
serviceAccept(< string >serviceName) - boolean - Writes a service accept packet. Returns false
if you should wait for the continue
event before sending any more traffic.
authFailure([< array >authMethods[, < boolean >partialSuccess]]) - boolean - Writes a userauth failure packet. authMethods
is an array of authentication methods that can continue. Returns false
if you should wait for the continue
event before sending any more traffic.
authSuccess() - boolean - Writes a userauth success packet. Returns false
if you should wait for the continue
event before sending any more traffic.
authPKOK(< string >keyAlgorithm, < Buffer >keyData) - boolean - Writes a userauth PK OK packet. Returns false
if you should wait for the continue
event before sending any more traffic.
authInfoReq(< string >name, < string >instructions, < array >prompts) - boolean - Writes a userauth info request packet. prompts
is an array of { prompt: 'Prompt text', echo: true }
objects (prompt
being the prompt text and echo
indicating whether the client's response to the prompt should be echoed to their display). Returns false
if you should wait for the continue
event before sending any more traffic.
forwardedTcpip(< integer >channel, < integer >initWindow, < integer >maxPacket, < object >info) - boolean - Writes a forwarded tcpip channel open packet. info
must contain boundAddr
, boundPort
, remoteAddr
, and remotePort
. Returns false
if you should wait for the continue
event before sending any more traffic.
x11(< integer >channel, < integer >initWindow, < integer >maxPacket, < object >info) - boolean - Writes an X11 channel open packet. info
must contain originAddr
and originPort
. Returns false
if you should wait for the continue
event before sending any more traffic.
openssh_authAgent(< integer >channel, < integer >initWindow, < integer >maxPacket) - boolean - Writes an auth-agent@openssh.com channel open packet. Returns false
if you should wait for the continue
event before sending any more traffic.
openssh_forwardedStreamLocal(< integer >channel, < integer >initWindow, < integer >maxPacket, < object >info) - boolean - Writes an forwarded-streamlocal@openssh.com channel open packet. info
must contain socketPath
. Returns false
if you should wait for the continue
event before sending any more traffic.
exitStatus(< integer >channel, < integer >exitCode) - boolean - Writes an exit status channel request packet. Returns false
if you should wait for the continue
event before sending any more traffic.
exitSignal(< integer >channel, < string >signalName, < boolean >coreDumped, < string >errorMessage) - boolean - Writes an exit signal channel request packet. Returns false
if you should wait for the continue
event before sending any more traffic.
parseKey(< mixed >keyData[, < string >passphrase]) - mixed - Parses a private/public key in OpenSSH, RFC4716, or PPK format. For encrypted private keys, the key will be decrypted with the given passphrase
. The returned value will be an array of objects (currently in the case of modern OpenSSH keys) or an object with these properties and methods:
type - string - The full key type (e.g. 'ssh-rsa'
)
comment - string - The comment for the key
getPrivatePEM() - string - This returns the PEM version of a private key
getPublicPEM() - string - This returns the PEM version of a public key (for either public key or derived from a private key)
getPublicSSH() - string - This returns the SSH version of a public key (for either public key or derived from a private key)
sign(< mixed >data) - mixed - This signs the given data
using this key and returns a Buffer containing the signature on success. On failure, an Error will be returned. data
can be anything accepted by node's sign.update()
.
verify(< mixed >data, < Buffer >signature) - mixed - This verifies a signature
of the given data
using this key and returns true
if the signature could be verified. On failure, either false
will be returned or an Error will be returned upon a more critical failure. data
can be anything accepted by node's verify.update()
.
FAQs
SSH2 and SFTP(v3) client/server protocol streams for node.js
The npm package @olzie-12/ssh2-streams receives a total of 3 weekly downloads. As such, @olzie-12/ssh2-streams popularity was classified as not popular.
We found that @olzie-12/ssh2-streams demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.