LibSSH+SSHServer: Support basic channels and sessions

LucasChollet · nico · commit 15edb02847e4 · 2026-03-24T19:58:21.000-04:00
This allows a client to execute commands on the server. This is very
minimal and don't support interactive sessions yet.

It is however enough to run simple commands like `uname` over the
network :^)
diff --git a/Userland/Libraries/LibSSH/CMakeLists.txt b/Userland/Libraries/LibSSH/CMakeLists.txt
@@ -4,6 +4,7 @@ set(SOURCES
     IdentificationString.cpp
     KeyExchangeData.cpp
     Peer.cpp
+    Session.cpp
 )
 
 serenity_lib(LibSSH ssh)
diff --git a/Userland/Libraries/LibSSH/Session.cpp b/Userland/Libraries/LibSSH/Session.cpp
@@ -0,0 +1,21 @@
+/*
+ * Copyright (c) 2026, Lucas Chollet <lucas.chollet@serenityos.org>
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#include "Session.h"
+
+namespace SSH {
+
+ErrorOr<Session> Session::create(u32 sender_channel_id, u32 window_size, u32 maximum_packet_size)
+{
+    Session session;
+    session.local_channel_id = sender_channel_id;
+    session.sender_channel_id = sender_channel_id;
+    session.maximum_packet_size = maximum_packet_size;
+    session.window = TRY(ByteBuffer::create_zeroed(window_size));
+    return session;
+}
+
+}
diff --git a/Userland/Libraries/LibSSH/Session.h b/Userland/Libraries/LibSSH/Session.h
@@ -0,0 +1,25 @@
+/*
+ * Copyright (c) 2026, Lucas Chollet <lucas.chollet@serenityos.org>
+ *
+ * SPDX-License-Identifier: BSD-2-Clause
+ */
+
+#pragma once
+
+#include <AK/ByteBuffer.h>
+#include <AK/Error.h>
+
+namespace SSH {
+
+// 6.1.  Opening a Session
+// https://datatracker.ietf.org/doc/html/rfc4254#section-6.1
+struct Session {
+    static ErrorOr<Session> create(u32 sender_channel_id, u32 window_size, u32 maximum_packet_size);
+
+    u32 local_channel_id {};
+    u32 sender_channel_id {};
+    u32 maximum_packet_size {};
+    ByteBuffer window {};
+};
+
+}
diff --git a/Userland/Services/SSHServer/SSHClient.cpp b/Userland/Services/SSHServer/SSHClient.cpp
@@ -12,6 +12,7 @@
 #include <AK/MemoryStream.h>
 #include <AK/Random.h>
 #include <LibCore/Account.h>
+#include <LibCore/Command.h>
 #include <LibCore/Socket.h>
 #include <LibCrypto/Curves/Ed25519.h>
 #include <LibCrypto/Curves/X25519.h>
@@ -23,7 +24,6 @@ namespace SSH::Server {
 
 ErrorOr<void> SSHClient::handle_data(ByteBuffer& data)
 {
-
     switch (m_state) {
     case State::Constructed:
         return handle_protocol_version(data);
@@ -40,7 +40,8 @@ ErrorOr<void> SSHClient::handle_data(ByteBuffer& data)
     case State::WaitingForUserAuthentication:
         return handle_user_authentication(TRY(unpack_generic_message(data)));
     case State::Authentified:
-        return Error::from_string_literal("Draw the rest of the owl");
+        TRY(handle_generic_packet(TRY(unpack_generic_message(data))));
+        return {};
     }
     VERIFY_NOT_REACHED();
 }
@@ -324,4 +325,162 @@ ErrorOr<void> SSHClient::send_user_authentication_success()
     return {};
 }
 
+ErrorOr<void> SSHClient::handle_generic_packet(GenericMessage&& message)
+{
+    switch (message.type) {
+    case MessageID::CHANNEL_OPEN:
+        return handle_channel_open_message(message);
+    case MessageID::CHANNEL_REQUEST:
+        return handle_channel_request(message);
+    default:
+        dbgln_if(SSH_DEBUG, "Unexpected packet: {}", to_underlying(message.type));
+        return Error::from_string_literal("Unexpected packet type");
+    }
+    VERIFY_NOT_REACHED();
+}
+
+// 5.1.  Opening a Channel
+// https://datatracker.ietf.org/doc/html/rfc4254#section-5.1
+ErrorOr<void> SSHClient::handle_channel_open_message(GenericMessage& message)
+{
+    auto channel_type = TRY(decode_string(message.payload));
+    u32 sender_channel_id = TRY(message.payload.read_value<NetworkOrdered<u32>>());
+    u32 initial_window_size = TRY(message.payload.read_value<NetworkOrdered<u32>>());
+    u32 maximum_packet_size = TRY(message.payload.read_value<NetworkOrdered<u32>>());
+
+    dbgln_if(SSH_DEBUG, "Channel open request with: {:s} - {} - {} - {}",
+        channel_type.bytes(), sender_channel_id, initial_window_size, maximum_packet_size);
+
+    if (channel_type != "session"sv.bytes())
+        return Error::from_string_literal("Unexpected channel type");
+
+    m_sessions.empend(TRY(Session::create(sender_channel_id, initial_window_size, maximum_packet_size)));
+
+    TRY(send_channel_open_confirmation(m_sessions.last()));
+
+    return {};
+}
+
+// 5.1.  Opening a Channel
+// https://datatracker.ietf.org/doc/html/rfc4254#section-5.1
+ErrorOr<void> SSHClient::send_channel_open_confirmation(Session const& session)
+{
+    AllocatingMemoryStream stream;
+
+    //  byte      SSH_MSG_CHANNEL_OPEN_CONFIRMATION
+    //  uint32    recipient channel
+    //  uint32    sender channel
+    //  uint32    initial window size
+    //  uint32    maximum packet size
+
+    TRY(stream.write_value(MessageID::CHANNEL_OPEN_CONFIRMATION));
+    // "The 'recipient channel' is the channel number given in the original
+    // open request, and 'sender channel' is the channel number allocated by
+    // the other side."
+    TRY(stream.write_value<NetworkOrdered<u32>>(session.sender_channel_id));
+    TRY(stream.write_value<NetworkOrdered<u32>>(session.local_channel_id));
+
+    TRY(stream.write_value<NetworkOrdered<u32>>(session.window.size()));
+    TRY(stream.write_value<NetworkOrdered<u32>>(session.maximum_packet_size));
+
+    TRY(write_packet(TRY(stream.read_until_eof())));
+    return {};
+}
+
+ErrorOr<Session*> SSHClient::find_session(u32 sender_channel_id)
+{
+    for (auto& session : m_sessions) {
+        if (session.sender_channel_id == sender_channel_id)
+            return &session;
+    }
+    return Error::from_string_literal("Session not found");
+}
+
+// 5.4.  Channel-Specific Requests
+// https://datatracker.ietf.org/doc/html/rfc4254#section-5.4
+ErrorOr<void> SSHClient::handle_channel_request(GenericMessage& message)
+{
+    auto recipient_channel_id = TRY(message.payload.read_value<NetworkOrdered<u32>>());
+    auto request_type = TRY(decode_string(message.payload));
+    auto want_reply = TRY(message.payload.read_value<bool>());
+
+    auto& session = *TRY(find_session(recipient_channel_id));
+
+    dbgln_if(SSH_DEBUG, "CHANNEL_REQUEST id({}): {:s}", session.local_channel_id, request_type.bytes());
+
+    if (request_type == "env"sv.bytes() && !want_reply) {
+        dbgln("FIXME: Ignored channel request: {:s}", request_type.bytes());
+        return {};
+    }
+
+    if (request_type == "exec"sv.bytes()) {
+        auto command = TRY(decode_string(message.payload));
+
+        // FIXME: This is a naive implementation, we should stream the result back
+        //        to the user and not block the event loop during the execution of
+        //        the command.
+        //        We should also use the user's shell rather than hardcoding it.
+
+#ifdef AK_OS_SERENITY
+        auto shell = "/bin/Shell"sv;
+#else
+        auto shell = "/bin/sh"sv;
+#endif
+
+        Vector<ByteString> args;
+        args.append(shell);
+        args.append("-c");
+        args.append(ByteString(command.bytes()));
+
+        Vector<char const*> raw_args;
+        raw_args.ensure_capacity(args.size() + 1);
+        for (auto& arg : args)
+            raw_args.append(arg.characters());
+
+        raw_args.append(nullptr);
+
+        auto child = TRY(Core::Command::create(shell, raw_args.data()));
+        auto output = TRY(child->read_all());
+        auto status = TRY(child->status());
+
+        if (status != Core::Command::ProcessResult::DoneWithZeroExitCode)
+            return Error::from_string_literal("Unable to run command");
+
+        TRY(send_channel_success_message(session));
+        TRY(send_channel_data(session, output.standard_output));
+        TRY(send_channel_close(session));
+        return {};
+    }
+
+    return Error::from_string_literal("Unsupported channel request");
+}
+
+ErrorOr<void> SSHClient::send_channel_success_message(Session const& session)
+{
+    AllocatingMemoryStream stream;
+    TRY(stream.write_value(MessageID::CHANNEL_SUCCESS));
+    TRY(stream.write_value<NetworkOrdered<u32>>(session.local_channel_id));
+    TRY(write_packet(TRY(stream.read_until_eof())));
+    return {};
+}
+
+ErrorOr<void> SSHClient::send_channel_data(Session const& session, ByteBuffer const& data)
+{
+    AllocatingMemoryStream stream;
+    TRY(stream.write_value(MessageID::CHANNEL_DATA));
+    TRY(stream.write_value<NetworkOrdered<u32>>(session.local_channel_id));
+    TRY(encode_string(stream, data));
+    TRY(write_packet(TRY(stream.read_until_eof())));
+    return {};
+}
+
+ErrorOr<void> SSHClient::send_channel_close(Session const& session)
+{
+    AllocatingMemoryStream stream;
+    TRY(stream.write_value(MessageID::CHANNEL_CLOSE));
+    TRY(stream.write_value<NetworkOrdered<u32>>(session.local_channel_id));
+    TRY(write_packet(TRY(stream.read_until_eof())));
+    return {};
+}
+
 } // SSHServer
diff --git a/Userland/Services/SSHServer/SSHClient.h b/Userland/Services/SSHServer/SSHClient.h
@@ -10,6 +10,7 @@
 #include <LibCore/Forward.h>
 #include <LibSSH/KeyExchangeData.h>
 #include <LibSSH/Peer.h>
+#include <LibSSH/Session.h>
 
 namespace SSH::Server {
 
@@ -75,10 +76,22 @@ class SSHClient : public Peer {
     ErrorOr<void> handle_user_authentication(GenericMessage data);
     ErrorOr<void> send_user_authentication_success();
 
+    ErrorOr<void> handle_generic_packet(GenericMessage&&);
+
+    ErrorOr<void> handle_channel_open_message(GenericMessage&);
+    ErrorOr<void> send_channel_open_confirmation(Session const&);
+    ErrorOr<void> handle_channel_request(GenericMessage&);
+    ErrorOr<void> send_channel_success_message(Session const&);
+    ErrorOr<void> send_channel_data(Session const&, ByteBuffer const&);
+    ErrorOr<void> send_channel_close(Session const&);
+    ErrorOr<Session*> find_session(u32 sender_channel_id);
+
     State m_state { State::Constructed };
     Core::TCPSocket& m_tcp_socket;
 
     KeyExchangeData m_key_exchange_data {};
+
+    Vector<Session> m_sessions;
 };
 
 } // SSHServer
diff --git a/Userland/Services/SSHServer/main.cpp b/Userland/Services/SSHServer/main.cpp
@@ -18,8 +18,9 @@ static constexpr auto DEFAULT_PORT = 22;
 
 ErrorOr<int> serenity_main(Main::Arguments args)
 {
-    TRY(Core::System::pledge("stdio accept inet unix rpath"));
+    TRY(Core::System::pledge("stdio accept inet unix rpath proc exec"));
     TRY(Core::System::unveil("/etc/passwd", "r"));
+    TRY(Core::System::unveil("/bin/Shell", "rx"));
     TRY(Core::System::unveil(nullptr, nullptr));
 
     Optional<u32> port {};
@@ -55,6 +56,6 @@ ErrorOr<int> serenity_main(Main::Arguments args)
 
     outln("Listening on {}:{}", tcp_server->local_address().value(), tcp_server->local_port());
 
-    TRY(Core::System::pledge("stdio accept rpath"));
+    TRY(Core::System::pledge("stdio accept rpath proc exec"));
     return loop.exec();
 }

Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,7 @@ set(SOURCES`
`4`	`4`	`IdentificationString.cpp`
`5`	`5`	`KeyExchangeData.cpp`
`6`	`6`	`Peer.cpp`
	`7`	`+ Session.cpp`
`7`	`8`	`)`
`8`	`9`
`9`	`10`	`serenity_lib(LibSSH ssh)`
Original file line number	Diff line number	Diff line change
`@@ -18,8 +18,9 @@ static constexpr auto DEFAULT_PORT = 22;`
`18`	`18`
`19`	`19`	`ErrorOr<int> serenity_main(Main::Arguments args)`
`20`	`20`	`{`
`21`		`- TRY(Core::System::pledge("stdio accept inet unix rpath"));`
	`21`	`+ TRY(Core::System::pledge("stdio accept inet unix rpath proc exec"));`
`22`	`22`	`TRY(Core::System::unveil("/etc/passwd", "r"));`
	`23`	`+ TRY(Core::System::unveil("/bin/Shell", "rx"));`
`23`	`24`	`TRY(Core::System::unveil(nullptr, nullptr));`
`24`	`25`
`25`	`26`	`Optional<u32> port {};`
`@@ -55,6 +56,6 @@ ErrorOr<int> serenity_main(Main::Arguments args)`
`55`	`56`
`56`	`57`	`outln("Listening on {}:{}", tcp_server->local_address().value(), tcp_server->local_port());`
`57`	`58`
`58`		`- TRY(Core::System::pledge("stdio accept rpath"));`
	`59`	`+ TRY(Core::System::pledge("stdio accept rpath proc exec"));`
`59`	`60`	`return loop.exec();`
`60`	`61`	`}`