SSH Server Implementation

[Aeskithan]

Hello,

I customise a ssh server side for some purpose and i m not able to get any clue about how to handle 'tab' for autocompletion.
I m just unable to see any code entry when the client press tab.
I also try to implement keyboard interactive auth for other password in my session but same point at the moment i m not able to see how to raise this method on client side from my server.

I use the base from
https://asyncssh.readthedocs.io/en/latest/#serving-multiple-clients

If one of you have any clues it will be really appreciated

[ronf]

To support autocompletion, you'll want to take a look at:

https://asyncssh.readthedocs.io/en/latest/api.html?highlight=register#asyncssh.SSHLineEditorChannel.register_key

You can pass in '\t' for the key and a handler which accepts the current input line and cursor position and which returns an updated input line and cursor position as a tuple.

This assume you want line editing capability on the user's input and just want to add tab completion to the exiting editing support.

As for supporting keyboard-interactive authentication, you'll need to implement a few different methods in your SSHServer subclass. First, have kbdint_auth_supported() return True whenever you want this form of auth. Then, implement get_kbdint_challenge() to return the challenge you want to send to the user and validate_kbdint_response() to handle the responses sent by the client. The details of the arguments and return values are all covered in the SSHServer documentation starting at https://asyncssh.readthedocs.io/en/latest/api.html?highlight=kbdint_auth_supported#asyncssh.SSHServer.kbdint_auth_supported

[Aeskithan]

Hello,

Thanks for your answer.
For now i use Asyncssh StreamClasses based on your serving multiple clients => https://asyncssh.readthedocs.io/en/latest/#serving-multiple-clients
So i have not implemented SSHLineEditorChannel, do you have any example ?

Same question for auth do you have any example ? (in my app i just need to replace char in password with *** then the password is send to a another custom client and finally sent to a device over serial connection)

My design is Serial Device <=> Phone <=> AsyncSSH Server <=> MultipleClient working on serial device.
And it work well now im looking to add password replace by *** in chat and Tab for autocompletion on serial device

[Aeskithan]

Hey the Tab handler work fine
Here's the code based on https://asyncssh.readthedocs.io/en/latest/#serving-multiple-clients
self._process.stdin is a SSHReader
I add in the async def run(self):
self._process.stdin.channel.register_key("\t", self.tab_handler)
just before:
async for line in self._process.stdin:
-------Omited to simplify--------------
def tab_handler(self, line, taille):
line = line + "TABED"
print(line)
return line ,len(line)
Now i have to pass it to other ssh client then to serial device and manage response ;)

[ronf]

Glad to hear you got the tab handler working! That confirms that you are already using the line editor, which makes sense. It is enabled by default on all server connections where the client requests a PTY. You don't need to subclass SSHLineEditorChannel or set any other configuration options for this.

Regarding the authentication, are you trying to use keyboard-interactive authentication on the your SSHServer, on your outbound SSH clients, or both? If you are trying to use it on both, passing through the challenges and responses, whatever the server does to not echo the password when it prompt for it should carry through to the clients. You won't be able to print "*" when entering the password in that case, but it should disable echo entirely while prompting for the password. In addition to the prompt string, there's a boolean that gets passed for each prompt saying whether to enable echo or not.

If you are prompting for the auth yourself, you should be able to call a set_echo() method on the SSH channel (which is really an SSHLineEditorChannel in this case) before you prompt for the password yourself to achieve a similar result. See https://asyncssh.readthedocs.io/en/latest/#line-editing for an example.

[Aeskithan]

Thanks for your answer i will try echo off for password i think it will be enough.

Regarding my tab handler can you tell me if what i m trying to do is even possible ?
I have
self._process.stdin.channel.register_key("\t", self.tab_handler)
and this async for line in self._process.stdin:
running at same time
When the client press Tab the server need to send it to another client (name == "Device") this client will send the string with \t to a serial device, the serial device answer properly to the SSH client (name =="Device") and finally this client send the response to the server.
For now i m not able to handle this response correctly.
I don't really know how to stop the async for line in self._process.stdin: while i m waiting for the answer in my tab_handler and it raise an exception: 'coroutine' object is not iterable.

Do you think it's possible to do this with asynssh ? (Stop the readline process while my handler is waiting an answer then put it back to run ?)

My quick & dirty code:
async def tab_handler(self, line, taille):
print(line)
print("Ligne tabed ;"+line+";"+str(binascii.hexlify(bytearray(line+"\t", encoding="utf-8"))))
self.send_line_with_tab(line+"\t") # send line with tab to client (name == "Device")
ret = ""
self.hold = True
try:
for client in self._clients:
if client != self:
if client.name == "Device":
print("Try to read")
ret = await client._process.stdin.read(50)

    except Exception as e:
        print("Exce Handler")
        print(str(e))
        pass    
    self.hold = False
    #ret = ""
    #ret =self._process.stdin.read(50)
    print("Ligne ret tabed ;"+ret+";"+str(binascii.hexlify(bytearray(ret, encoding="utf-8"))))
    return line ,len(line)

[ronf]

Right now the handlers in the line editor are plain callbacks, and can't be async coroutines. So, defining them with "async def" isn't going to work, and you are not allowed to "block" in them using await. This is because the line editor itself is hooked into the channel using non-blocking callbacks for all of its processing.

If you wanted to do this, you'd probably need to use the tab_handler to kick off an asynchronous task with asyncio.create_task() and return from the tab_handler without changing the line initially. Then, later, when the task got back the data it needs, it could call process.channel.set_input(line, pos) to replace the current input line. However, there would be a "race" there if the user kept on typing after hitting tab without waiting for the response to come back in that background task. Some of the user's input might be thrown away in that case when the input line was changed. This could get particularly ugly if the user hits before the response comes back.

[Aeskithan]

Hello,
Thanks for the idea but the main loop async for line in self._process.stdin: is consuming all data before my task is able to catch something.
I found a way using and it work not perfectly but i pass the main problem "catching the response"

I will go deeper in asyncssh function because for now after function is call
client._process.channel.set_input(line, len(line))
user have to press a key to see the autocompletion and it was not the case for handler

Thanks for your help i was like a blind guy in a forest ><

asyncio.Event()

global_tabbed = asyncio.Event()
def tab_handler(self, line, taille):
print(line)
print("Ligne tabed ;"+line+";"+str(binascii.hexlify(bytearray(line+"\t", encoding="utf-8"))))
global_tabbed.set()
self.send_line_with_tab(line+"\t")

    return line ,len(line)
   
async def read_tab_response(self, line):  
    print("Async read_tab_response")
    line = line[:-2]
    print("Ligne ret tabed ;"+line+";"+str(binascii.hexlify(bytearray(line, encoding="utf-8"))))
    for client in self._clients:
        if not client.name == "Device":
            print("send to :"+client.name)
            client._process.channel.set_input(line, len(line)) 
    global_tabbed.clear()
async def ssh_capture(self):
    while True:
        try:
            async for line in self._process.stdin:
                print("READ LINE "+str(global_tabbed.is_set()))
                if global_tabbed.is_set():
                    print("Go for tab response")                        
                    if "<!>" in line:
                        list = line.split("<!>")
                        line = list[1]
                        user = list[0]
                    await self.read_tab_response(line)
                else:
                    print("Ligne ;"+line+";"+str(binascii.hexlify(bytearray(line, encoding="utf-8"))))
                    if not line == "\r":
                        user=""
                        if "<!>" in line:
                            list = line.split("<!>")
                            line = list[1]
                            user = list[0]
                        if self.name == "Device":
                            self.broadcast('%s<!>%s' % (user, line))                        
                        else:
                            self.broadcast('%s<!>%s' % (self.name, line))
        except asyncssh.TerminalSizeChanged as e:
            print("Exce 0")
            print(str(e))
            pass

[Aeskithan]

Any solution to have a global variable protected with RLock in async function ?

I try to declare a top file global variable but it seem's instantiated, when i use a variable in a ChatClient instance it work (but each time i want to access this variable i have to look for the good ChatClient first ><)

[ronf]

RLock is meant for threaded applications. It's probably not a good idea to try and use that with asyncio. Asyncio has its own set of synchronization objects that look very similar to the threading locks, semaphores, and events (among others), but they behave differently in terms of the way blocking works so that other async coroutines can run while waiting for the lock. See https://docs.python.org/3/library/asyncio-sync.html for more details.

From what I can see, there's no direct equivalent there to RLock, but there is a plain Lock.

As for protecting global variables, there should be no difference between local and global variables from a lock's point of view. In fact, there's no explciit relationship between a lock and what it protects. It all comes down to what variables you always grab the lock for before accessing. Their scope shouldn't be a factor.

As for consuming all input, I can see how that could happen if you were feeding input via a script, but I wouldn't expect scripted input like that to rely on tab auto-completion. Normally, that would be something you'd provide for interactive use. That said, you might be able to use set_input() to deal with this issue, but you'll still probably need to use register_key() so you can tell when a tab was sent, and you'll need to find your own way of blocking within the "async for" loop so you don't consume input while blocked waiting for the tab response.

[Aeskithan]

Hello,
Do you know where i can find any documentation or RFC about autocompletion (Not on AsyncSSH) ?

As example on a Normal Serial communication when i start 'conf sys' and press tab i got a simple response 'conf system'.
Then start the complex part i start 'conf sys ' then i press tab i got an byte array 1b5bXX44 that represent escape char then [ then the number of char i should remove and a D (That still easy to understand remove XX char then write the next one)
But some time i got some �[K���� or �[6D�[5@
here is an example of Tab hit
conf sys 3g-modem�[8Daccprofile�[9Ddmin�[K����lias����pi-user�[7Drp-table�[8Duto-install�[7Dscript�[K�[7Dmation-action�[6D�[5@destination�[11Dstitch�[K�[6Dtrigger
Providing in putty the list of
conf sys 3g-modem
conf sys accprofile
conf sys admin
conf sys alias
conf sys api-user
conf sys arp-table
conf sys auto-install
conf sys auto-script
conf sys automation-action
conf sys automation-destination
conf sys automation-stitch

And i got the same kind of ESC [ XX sequence on linux tab autocompletion so i assume there's a standard but i m not able to point out the name of this standard and finally got any documentation ...

So if you have any knowledge on this standard name it will be a hudge unblock for me ;)

[ronf]

This looks like standard ANSI escape sequences, as documented at https://en.wikipedia.org/wiki/ANSI_escape_code. For "ESC [" sequences, see the "CSI" section of that doc.

More specifically, ESC [ n D is actually a "move cursor left n cells" and then ESC [ K is "clear to end of line". I don't recognize the sequence with "@" there. There are other "cursor move" sequence for going up (A instead of D), down (B), and right ©, but you probably wouldn't run into those with tab completion redrawing. As you can see from the URL above, there are a LOT of these, but you probably only need to know about a few of them for this use case.

[Aeskithan]

That a great start thanks for the link.
in my need i have this:

SERIAL DEVICE <==> PC with asyncssh client <==== > Asyncssh server <====> putty

So when i press TAB (from putty) it send the Tab to the serial device got the reponse and process it back to putty. At the moment i catch Tab response not in tab_handler because im unable on asynchssh server to wait for the asynchssh client reponse.

Is there a way to wait on a handler for another process response before answering to Putty ?
( at the moment when i press 'conf sys\t' on putty all process work and i get back a 'conf system' but on a new line)
May be my problem is based on a simple fact serial work on a char based and at the moment my asyncssh line work on a line based

[Aeskithan]

The purpose is to have also the possibility to see with multiple putty client the same session for support needs.

Putty guy 1<------+
|
Putty guy 2<------+> Asyncssh Server <------> PC with an Asynchssh Client <---> Serial Device

At the moment i have a correct authent with group mapping and role then after a putty guy choose a group i run
async for line in self._process.stdin:

This code handle only line with \n
I guess my real need is to have a direct char flowing between asyncssh client and putty.

Is there a way to get a function execution when a simple char is received ? based on https://asyncssh.readthedocs.io/en/latest/#serving-multiple-clients
replacing the line async for line in self._process.stdin: by something on char level ?

Thanks for your help it's really apreciated

[ronf]

If you are accessing a physical serial port by opening it as a "tty", you'll need to set something like raw mode on the TTY if you want it to return output immediately rather than waiting for a newline to output. You can use the "tty" module to do this, and more specifically call tty.setraw(fd), where fd is the file descriptor of the serial device. You'll probably also want to set line_editor=False in the AsyncSSH server, if you expect the AsyncSSH client to pass terminal type.

If i understand right, you'll have both "PuTTY" client connections and AsyncSSH client connections (on devices with serial ports) connecting into a shared AsyncSSH server. That means you'll probably need some way to distinguish between the two so that the AsyncSSH server handles them differently. You can probably do this by specify different commands or subsystems to run when the AsyncSSH server receives a new session request. Also, you'll probably need some way for the PuTTY clients to specify which serial device that particular session should be attached to.

[Aeskithan]

I add a property of ChatClient => user in the example of 'ChatClient' https://asyncssh.readthedocs.io/en/latest/#serving-multiple-clients

To start server i use

async def start_server():
await asyncssh.create_server(MySSHServer,'', 8022, server_host_keys=['id_rsa'],
process_factory=ChatClient.handle_client)

class MySSHServer(asyncssh.SSHServer):
def validate_password(self, username, password):
// Do some stuff to authenticate user remotely

The user property contain a role (That retrieved on authentication time on a remote BDD) then Putty user have to chose a group (An AsyncSSHClient & Serial) to be group with.

AsyncSSH Client & Serial got an Echo Off and Putty user an Echo On based on user role

Then after all of this choise they go in the main loop
async for line in self._process.stdin:

When this loop received a message it broacast it to group member.
I also add some CMD handling to change some parameters like speed on serial port from a putty user

All of this is working fine.

So if i user set line_editor=False i will have char input on the loop ?
async for line in self._process.stdin:

[Aeskithan]

Hello,

it's a success at the moment Putty Stdin is in line mode (It help to capture CMD for server or Asyncssh client) and AsyncSSH client is in channel.set_line_mode(False) and it work really fine i have a native autocompletion from Serial to putty without any code need ;)

Thanks a lot

[ronf]

In addition to turning off the line editor, I imagine you probably had to switch from the "async for" reading lines to calls to read() which could get whatever data was outstanding without waiting for a line boundary. If you also set the serial port connection into raw mode and did the same there with read() calls, it should be possible to copy bytes back and forth between the two as soon as the data came in, allowing the TTY on the serial port to send arbitrary escape sequences that would be rendered on all the SSH clients attached to reflect things like auto-completion.

This is actually one case where using the "callback" API might be cleaner and simpler than the higher-level "stream" or "process" APIs, as you wouldn't need to create separate tasks which sat in async read() loops. The data_received() callback would just get called automatically whenever new data came in, and that could call write() on the associated sessions to perform the "broadcast".

[Aeskithan]

Yes that it.
For now my serial send data byte per byte and then now Asynchssh server do the same if the client is Asynchssh client with serial port.

I still did the choice to stay on line basis from putty to Asynchssh Server to AsynchSsh client for Command purpose (like change serial parameters from putty)
while not self.finished:
try:
char_in = await self._process.stdin.read(1)
print("TECH GRP "+str(self.user.groupid)+ " $$" + str(char_in)+";"+str(binascii.hexlify(bytearray(char_in, encoding="utf-8"))))

                self.list_user_in_group_and_send_msg(self.user.groupid, char_in)  
            except asyncssh.TerminalSizeChanged as exc:
                self._process.stdout.write('New window size: %sx%s' %
                                             (exc.width, exc.height))
                if exc.pixwidth and exc.pixheight:
                    self._process.stdout.write(' (%sx%s pixels)' %
                                                 (exc.pixwidth, exc.pixheight))
            except asyncssh.BreakReceived as e:
                self.send_to_tech(self.user.groupid, "003"+ self.sep_cmd)
                pass 

[ronf]

I see. As long as you're not looking for "interactive" auto-completion (where the user presses tab or something like "?" to see possible options), staying in line mode on the connection from PuTTY should work fine. If you made all the connections (both to PuTTY and to the serial device) send data as soon as it arrives while disabling echo and line editing in AsyncSSH for both, you might be able to get closer to the experience of a user connecting to a serial port directly, while still providing the sharing. Multiple users connected at once would see each other's output immediately (even while entering a command), and that would include things like auto-completion. It also has a benefit of not echoing passwords when prompted for them, since it would be the serial device deciding when to echo things.

One other note: Reading a single byte at a time could end up being pretty slow/inefficient when there's a large amount output being provided by the serial device. You should be able to do a read() of a larger number of bytes there while still having it return any pending data immediately. So, if you were to do something like a stdin.read(1024), it would return up to 1024 bytes of data in a single read, but still do so as soon as any data had arrived on that session. Just make sure you specify a maximum length there. If you call stdin.read() with no argument, it will wait until EOF is received before anything is returned, which will probably never happen in your case.

[Aeskithan]

Nice look for the '?' i add a handler to manage it and send only cmd ? and not cmd ?\n and it work fine.
For password echoing yes when 2 putty users are on same group they can see all cmd (including password) so i had a cmd like
pass<$$>thepassword and asynchssh interpret the pass<$$> as a cmd and send only thepassword to serial device

Thanks for the stdin.read(1024) it work really better than stdin.read(1)

I will try the line mode off on putty side because as you mension it will be better to have a closer experience as connecting a serial device directly.
I will also drop my idea about cmd interpret like <$$> for asynchssh and <$> for serial and add a Handler like CTRL + $ to enter a special mode for commands (as it work on solution like dominion SX 2).

Thanks for your help it was really helpful

[ronf]

I don't think Ctrl+$ is a valid key sequence, but I was thinking something similar where you'd go into "command mode" by hitting Ctrl-], similar to "telnet". AsyncSSH lets you enable/disable line editing at any time, so on the PuTTY connections you could turn on line editing right after seeing that keypress, and then turn it off again when the user went back to talking to the serial device, switching between readline() (or iterating on stdin with "async for" when in command mode but then going back to read() with a length the rest of the time.

[Aeskithan]

Yes it work fine i was able to swap line_editing without any problem.
For now i use CTRL+@ because it's byte \0 and it's available only for putty user i never had to use CTRL+@ on a serial device and if i have to do so with this code i will just implement a double CTRL+@ sequence from putty to send a simple one to serial device.
I use AWS Cognito for user management and authentication and asyncssh.PasswordChangeRequired to manage password change with change_password function, that really usefull.

[ronf]

Yeah - Ctrl-@ seems pretty safe for this.

If there's anything else you need or you have other questions, let me know!

[Aeskithan]

I have one more question on the possibility to 'transfert' an ssh connection from a server to another.
Now i have one AsynchSSH server and everyone is connecting on this server but for sementation purpose it can be usefull to transfert a group of connection to another server.

Do you know a 'simple' way to do this without any second authentication need ?

[ronf]

I'd need a little more detail about what kind of connections you had in mind, and whether you were using a custom client to make the connections or you were expecting to be able to forward a connection initiated from a standard client like OpenSSH or PuTTY.

Here are some possible cases:

Client -> Server1 -> Server2, where Server1 stays in the loop for the lifetime of the connection from the Client to Server2 and the SSH authentication is done first between the Client & Server1 and then between Server1 & Server2. In this case, the clients don't need to know how to authenticate to Server2 and don't even need to know traffic is being forwarded. However, both Server1 and Server2 end up seeing all the data. Because the client is unaware of any of this, it works with standard clients.

A variation of this is Client -> Server1 -> Server2 where the client performs the authentication to both Server1 and Server2, and may even tell Server1 where to connect when forwarding the traffic. This is your standard "jump host" or "bastion host" use case. It can work with standard clients, but only if they actively participate in the authentication and forwarding. Also, you're effectively running SSH inside of SSH in this case, with data being encrypted twice. As above, Server1 has to stay in the loop the whole time and will end up having to forward all the data, but what it forwards is opaque since it will be an encrypted data stream between the Client and Server2.

If you want to "transfer" a connection so that something starting off as Client -> Server1 ends up becoming Client -> Server2 with Server1 no longer involved, you need a custom client. After the client authenticates with Server1, it can be sent a message telling it to connect to Server2 instead, causing it to initiate a direct connection to Server2 and then close the connection to Server1. The client is responsible for doing auth on both of these connections, and it's as if the connections were entirely unrelated to one another.

Unfortunately, there's no standard way in SSH to do the above kind of "transfer" in a way where authentication to Server2 is done by Server1 instead of the Client but data then flows directly from the Client to Server2 with Server1 no longer involved. If Server1 does the auth, it must remain in the loop after that shuffling the data back and forth between the Client and Server2. You can't do the key exchange on one connection but then use the agreed-upon key on a different connection.

[Aeskithan]

I think you got my point, the purpose was to have server1 no longer involved without the second authentication need.

The exact need is to have a first server (or set of server) to authenticate and dispatch all group member on the same second server in a second set of server.
Objectives are :
Fault tolerence
Performance management
Maintenance capability

In this image Group 2 can be transfert to server 2.

Is there a possibility to ask a putty client to connect to another server without the need of copy / past url on putty and restart a new putty windows?
Because if it's at least work with 2 authent it's not so bad to start.

[ronf]

Unfortunately, I don't know any way for an SSH server to send a "redirect" back to the client. Other protocols such as HTTP/HTTPS have this, but SSH doesn't. So, you'd need to have a custom client in order to be able to interpret such a message, which probably isn't an option in your application, at least not for the end-user SSH client connections. You could do something like that for connections from the serial port clients, but I'm not sure how useful that is.

If you want to do this as a way for the end users to know have to know in advance which server a given serial connection is associated with, perhaps you could have Server 1 stay in the path forwarding traffic the whole time, though. To get better redundancy and scalability, you could have a pool of servers take on this role, with all of them having the ability to forward end-user connections to ANY of the SSH servers which are accepting requests from the serial port clients. When a serial port client connects to a server, that could be registered somewhere that the end-user servers have access to, so they know where to forward requests to depending on which serial port is requested by an end user.

If you had a single DNS name which resolved to the IP addresses of all of the end-user servers, the load could automatically be spread across all of those servers, giving you redundancy and scalability while also eliminating the need for end users to know which serial port clients were connected where.

[Aeskithan]

Thanks for your answer.

If i understand well a simple diagram with 2 servers can be this with green and red line for real flow

First kind of question:

• What's the real impact on performance to have a SSH proxy (like Server 1 for green connection) if it decrease the impact on CPU than a normal connection then it can be usefull. Put it in math => Direct connection = impact on CPU named X
  For a proxy connection overall CPU will be X + X*proxy ratio (and i hope to have a proxy ratio under 0.4)

For High availability i need to use AWS route 53 DNS to have native health check
With a network load balancer i have native health check and i can may be use an auto scaling group.

For SLA:
Simplifying by skipping Load Balancer
With one server i have a SLA of Y close to 99.5%
With a proxy SLA for one connection is Y * Y so close to 99.0% so under Y
But regarding multiple connections i have a set of connection on a Y and some other to Y * Y
The all set of direct connection have 0.5 * 0.5 failure possibility so 0.25% chance of failure so 99.75% availability with 1/2 of each at 99.5% SLA

With proxy connection the more i increase server number the more i increase proxy quantity.

After few stress test with 30 connections there's no performance issue expected before something close to 200 simultaneous connection on a simple server with 2 vCPU.

All of that to say i will use proxy ;)

[ronf]

Unfortunately, the cost of connecting from Server 1 to Server 2 and forwarding all the bytes is probably not much less expensive than the connection from a PuTTY user to Server 1, as you're really not doing much processing of the data and forwarding from one SSH connection to the other is probably similar in cost to forwarding from an SSH connection to a serial port. In other words, your ratio is probably pretty close to 1, with the overall cost being 2 for the "forwarding" case. You could optimize this in the case where the load balancer happens to connect to the SSH server which has the connection from the serial port you want to connect to, but the rest of the time you'd have to pay this double cost.

Basically, the only reason to do this is to deal with the fact that the load balancer isn't going to be smart enough to choose the "right" server (meaning the one that has the connection from the device with the serial port you want to connect to). In fact, if you allow the PuTTY user to switch from one serial port to another without closing and re-opening the SSH connection, there would be no "right" server to connect to, and you'd definitely need forwarding like this.

Even though the cost is "double", I expect this appliance to be relatively inexpensive. Cost will primarily be in establishing the SSH connections and not what happens after that when forwarding data. So, your cost will be mostly a factor of the number of new SSH connections per second, and not the number of simultaneous connections.

If you hit a limit on simultaneous connections, it'll probably be related to the number of allowed file descriptors a process can open. This value can generally be increased with "ulimit" before you start the AsyncSSH server, though. It should be possible to easily support thousands of connections once you do that.

[Aeskithan]

Hello,

I try to set some environnement from the AsyncSSH client, i rewrite a simple ssh client

class MySSHClientSession(asyncssh.SSHClientSession):
_chan = ""
def data_received(self, data: str, inf) -> None:
print("I got:"+str(data)+" with info "+str(inf))
self.send(data+"TOTOTOTOTOTOO")

def send(self, msg) -> None:
    self._chan.write(msg)
    
def session_started(self):
    print("Session start")
    
def connection_made(self, chan):
    self._chan = chan
    
def connection_lost(self, exc) -> None:
    if exc:
        print('SSH session error: ' + str(exc), file=sys.stderr)

async def run_client() -> None:
async with asyncssh.connect("omited") as conn:
result = await conn.run('env', env={'ROLE': 'TECH', 'LC_COLLATE': 'C'})
print(result.stdout, end='')
chan, session = await conn.create_session(MySSHClientSession, '')
await chan.wait_closed()

try:
asyncio.get_event_loop().run_until_complete(run_client())
except (OSError, asyncssh.Error) as exc:
sys.exit('SSH connection failed: ' + str(exc))

I don't pass the (the environnement is received on server)
await conn.run
i never saw
print("Session start")

Any clue ?

Also when i try i got error on asyncssh.DataType
class MySSHClientSession(asyncssh.SSHClientSession):
def data_received(self, data: str, datatype: asyncssh.DataType) -> None:
print(data, end='')

def connection_lost(self, exc: Optional[Exception]) -> None:
    if exc:
        print('SSH session error: ' + str(exc), file=sys.stderr)

[ronf]

Hmm - I posted a response this morning to this, but it looks like it didn't go through.

Regarding environment variables, see the note associated with the env argument in SSHClientConnectionOptions:

Note: Many SSH servers restrict which environment variables a client is allowed to set. The server’s configuration may need to be edited before environment variables can be successfully set in the remote environment.

Also, it looks like your run_client() function is creating two separate sessions with the calls to conn.run() and conn.create_session(). Once you get the environment support to work by editing the server's config, you're going to need to pass the env argument in the conn.create_session() call if you want the environment variables to be available to the shell started up by that call. Even though both sessions are on the same connection, the environment is separate for each session. You could also pass in env in the call to asyncssh.connect(), and then all future calls which create sessions on that connection would default to passing the value supplied in the connect() if you don't override it.

Regarding not seeing the session_started() callback, you will only see that in your conn.create_session() call, as you aren't passing in a customized session class in the conn.run() call.

Regarding asyncssh.DataType, what error did you see related to that?

[Aeskithan]

The DataType error is
test3.py contain the callback example https://asyncssh.readthedocs.io/en/latest/#simple-client
C:\Users\rapha\Desktop>python test3.py
Traceback (most recent call last):
File "test3.py", line 4, in
class MySSHClientSession(asyncssh.SSHClientSession):
File "test3.py", line 5, in MySSHClientSession
def data_received(self, data: str, datatype: asyncssh.DataType) -> None:
AttributeError: module 'asyncssh' has no attribute 'DataType'

[ronf]

That example works fine here. Did your test file contain "import asyncssh", or as in the example:

import asyncio, asyncssh, sys

The definition of DataType comes from asyncssh/init.py, line 91:

from .session import DataType, SSHClientSession, SSHServerSession

Also, which version of asyncssh do you have installed? To use DataType, you need to use a version which has type hints added.

[Aeskithan]

I m on
pip install asyncssh
Defaulting to user installation because normal site-packages is not writeable
Requirement already satisfied: asyncssh in c:\users\rapha\appdata\roaming\python\python38\site-packages (2.5.0)
Requirement already satisfied: cryptography>=2.8 in c:\users\rapha\appdata\roaming\python\python38\site-packages (from asyncssh) (3.4.6)
Requirement already satisfied: cffi>=1.12 in c:\users\rapha\appdata\roaming\python\python38\site-packages (from cryptography>=2.8->asyncssh) (1.14.2)
Requirement already satisfied: pycparser in c:\users\rapha\appdata\roaming\python\python38\site-packages (from cffi>=1.12->cryptography>=2.8->asyncssh) (2.20)

[ronf]

It looks like you have version 2.5.0 installed, which dates back to the end of 2020. My guess is that was the latest version when you first installed it, but you haven't updated it since then. DataType wasn't added until when type annotations were added in 2.9.0 at the beginning of 2022.

If you want to upgrade to the latest version, run "pip install --upgrade asyncssh". If you run it without the "--upgrade", it'll keep you on the version you currently have installed.

[Aeskithan]

Good point, upgrade clear the problem.
With this version i have no more problem with DataType nor with Environnement.

I have a warning on \asyncssh\crypto\cipher.py:30: CryptographyDeprecationWarning: SEED has been deprecated
from cryptography.hazmat.primitives.ciphers.algorithms import SEED, TripleDES

I try to fix all algo with this in my connect

server_host_key_algs=["ssh-rsa-sha256@ssh.com", "ssh-rsa-sha384@ssh.com", "ssh-rsa-sha512@ssh.com"], encryption_algs=["aes256-gcm@openssh.com","aes128-gcm@openssh.com"],
kex_algs=["diffie-hellman-group15-sha512","gss-group18-sha512"], mac_algs=["hmac-sha2-512-etm@openssh.com","hmac-sha2-256-etm@openssh.com"],
signature_algs=["ssh-rsa-sha384@ssh.com","ssh-rsa-sha512@ssh.com"]

I work on this because i just realize that my Serial / SSH client is still using Paramiko in a thread instead of AsyncSSH CLient.

At the moment i m unable to start the AsyncSSH Client without blocking my other Thread (because most of my code in the client use Thread)

[ronf]

Yeah - the deprecation warning is new in cryptography 37.0.0. The "develop" branch of AsyncSSH hide this, but I haven't produced a new release with that fix yet. You can safely ignore it, or you can downgrade to cryptography 36 if you want to get rid of it without picking up the new version of AsyncSSH.

Regarding threads, it's generally not a good idea to mix threads and async code. If you do, you probably want to use things like the asyncio "executor" feature to run a piece of code in a separate thread while still being able to communicate results back to the main event loop in an async manner. If you go with AsyncSSH for both client & server, though, you may not even need to have multiple threads. As long as both the client & server use the same asyncio event loop, they can both run cooperatively in a single thread.