comp.lang.ada
* library/binding for sftp?
@ 2013-08-05 12:41 Stephen Leake
  2013-08-05 15:18 ` Dmitry A. Kazakov
  2013-08-05 18:40 ` Jeffrey Carter
  0 siblings, 2 replies; 39+ messages in thread
From: Stephen Leake @ 2013-08-05 12:41 UTC (permalink / raw)


I'm working on an application that transfers files between Windows and
Android. The only common protocol among the devices I have is
ssh/scp/sftp.

I can't find an sftp library; I can only find the sftp command line
application. I can use that, and redirect the output to files, but
that's cumbersome.

Is anyone aware of an sftp library, preferably with an Ada binding?

I could try to hack the sftp application source into a library, but I'm
hoping someone's already done that :)

-- 
-- Stephe

^ permalink raw reply	[flat|nested] 39+ messages in thread

* Re: library/binding for sftp?
  2013-08-05 12:41 library/binding for sftp? Stephen Leake
@ 2013-08-05 15:18 ` Dmitry A. Kazakov
  2013-08-06  6:24   ` Stephen Leake
  2013-08-05 18:40 ` Jeffrey Carter
  1 sibling, 1 reply; 39+ messages in thread
From: Dmitry A. Kazakov @ 2013-08-05 15:18 UTC (permalink / raw)


On Mon, 05 Aug 2013 08:41:42 -0400, Stephen Leake wrote:

> I'm working on an application that transfers files between Windows and
> Android. The only common protocol among the devices I have is
> ssh/scp/sftp.

If you are writing an application anyway, why don't you just open a socket
and send whatever you want over it? Sending a file over socket should be
20-30 Ada lines long.

BTW, rsync?

-- 
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de


* Re: library/binding for sftp?
  2013-08-05 12:41 library/binding for sftp? Stephen Leake
  2013-08-05 15:18 ` Dmitry A. Kazakov
@ 2013-08-05 18:40 ` Jeffrey Carter
  2013-08-06  6:26   ` Stephen Leake
  1 sibling, 1 reply; 39+ messages in thread
From: Jeffrey Carter @ 2013-08-05 18:40 UTC (permalink / raw)


On 08/05/2013 05:41 AM, Stephen Leake wrote:
>
> Is anyone aware of an sftp library, preferably with an Ada binding?

There's an Ada binding to libcurl, which can do that.

http://hg.stronglytyped.org/curl-ada

http://www.almroth.com/adacurl/index.html

-- 
Jeff Carter
"Help! Help! I'm being repressed!"
Monty Python & the Holy Grail
67



* Re: library/binding for sftp?
  2013-08-05 15:18 ` Dmitry A. Kazakov
@ 2013-08-06  6:24   ` Stephen Leake
  2013-08-06  6:54     ` Dmitry A. Kazakov
  0 siblings, 1 reply; 39+ messages in thread
From: Stephen Leake @ 2013-08-06  6:24 UTC (permalink / raw)


"Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de> writes:

> On Mon, 05 Aug 2013 08:41:42 -0400, Stephen Leake wrote:
>
>> I'm working on an application that transfers files between Windows and
>> Android. The only common protocol among the devices I have is
>> ssh/scp/sftp.
>
> If you are writing an application anyway, why don't you just open a socket
> and send whatever you want over it? Sending a file over socket should be
> 20-30 Ada lines long.

Because the device requires ssh authentication.

I did not include TCP in the list of common protocols for a reason!

-- 
-- Stephe


* Re: library/binding for sftp?
  2013-08-05 18:40 ` Jeffrey Carter
@ 2013-08-06  6:26   ` Stephen Leake
  0 siblings, 0 replies; 39+ messages in thread
From: Stephen Leake @ 2013-08-06  6:26 UTC (permalink / raw)


Jeffrey Carter <spam.jrcarter.not@spam.not.acm.org> writes:

> On 08/05/2013 05:41 AM, Stephen Leake wrote:
>>
>> Is anyone aware of an sftp library, preferably with an Ada binding?
>
> There's an Ada binding to libcurl, which can do that.
>
> http://hg.stronglytyped.org/curl-ada
>
> http://www.almroth.com/adacurl/index.html

Excellent. I had forgotten that cURL supports ssh.

-- 
-- Stephe


* Re: library/binding for sftp?
  2013-08-06  6:24   ` Stephen Leake
@ 2013-08-06  6:54     ` Dmitry A. Kazakov
  2013-08-07 10:06       ` Stephen Leake
  0 siblings, 1 reply; 39+ messages in thread
From: Dmitry A. Kazakov @ 2013-08-06  6:54 UTC (permalink / raw)


On Tue, 06 Aug 2013 01:24:27 -0500, Stephen Leake wrote:

> "Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de> writes:
> 
>> On Mon, 05 Aug 2013 08:41:42 -0400, Stephen Leake wrote:
>>
>>> I'm working on an application that transfers files between Windows and
>>> Android. The only common protocol among the devices I have is
>>> ssh/scp/sftp.
>>
>> If you are writing an application anyway, why don't you just open a socket
>> and send whatever you want over it? Sending a file over socket should be
>> 20-30 Ada lines long.
> 
> Because the device requires ssh authentication.

I don't understand this. You cannot bind to a port under android?

Anyway, quick search shows rsync:

https://play.google.com/store/apps/details?id=eu.kowalczuk.rsync4android&hl=en

-- 
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de



* Re: library/binding for sftp?
  2013-08-06  6:54     ` Dmitry A. Kazakov
@ 2013-08-07 10:06       ` Stephen Leake
  2013-08-07 13:04         ` Dmitry A. Kazakov
  0 siblings, 1 reply; 39+ messages in thread
From: Stephen Leake @ 2013-08-07 10:06 UTC (permalink / raw)


"Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de> writes:

> On Tue, 06 Aug 2013 01:24:27 -0500, Stephen Leake wrote:
>
>> "Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de> writes:
>> 
>>> On Mon, 05 Aug 2013 08:41:42 -0400, Stephen Leake wrote:
>>>
>>>> I'm working on an application that transfers files between Windows and
>>>> Android. The only common protocol among the devices I have is
>>>> ssh/scp/sftp.
>>>
>>> If you are writing an application anyway, why don't you just open a socket
>>> and send whatever you want over it? Sending a file over socket should be
>>> 20-30 Ada lines long.
>> 
>> Because the device requires ssh authentication.
>
> I don't understand this. You cannot bind to a port under android?

I can. But then I'd have to re-implement security, authentication, and
file transfer. Why do all that when sftp is available?

> Anyway, quick search shows rsync:
>
> https://play.google.com/store/apps/details?id=eu.kowalczuk.rsync4android&hl=en

sftp is more efficient; it only transfers the files I need transferred.

-- 
-- Stephe


* Re: library/binding for sftp?
  2013-08-07 10:06       ` Stephen Leake
@ 2013-08-07 13:04         ` Dmitry A. Kazakov
  2013-08-07 17:15           ` Simon Clubley
  2013-08-07 17:44           ` Björn Persson
  0 siblings, 2 replies; 39+ messages in thread
From: Dmitry A. Kazakov @ 2013-08-07 13:04 UTC (permalink / raw)


On Wed, 07 Aug 2013 05:06:44 -0500, Stephen Leake wrote:

> "Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de> writes:
> 
>> On Tue, 06 Aug 2013 01:24:27 -0500, Stephen Leake wrote:
>>
>>> "Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de> writes:
>>> 
>>>> On Mon, 05 Aug 2013 08:41:42 -0400, Stephen Leake wrote:
>>>>
>>>>> I'm working on an application that transfers files between Windows and
>>>>> Android. The only common protocol among the devices I have is
>>>>> ssh/scp/sftp.
>>>>
>>>> If you are writing an application anyway, why don't you just open a socket
>>>> and send whatever you want over it? Sending a file over socket should be
>>>> 20-30 Ada lines long.
>>> 
>>> Because the device requires ssh authentication.
>>
>> I don't understand this. You cannot bind to a port under android?
> 
> I can. But then I'd have to re-implement security, authentication, and
> file transfer.

What for? It is your program; you know you are running it.

The best security ever is a protocol nobody else knows.

-- 
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de



* Re: library/binding for sftp?
  2013-08-07 13:04         ` Dmitry A. Kazakov
@ 2013-08-07 17:15           ` Simon Clubley
  2013-08-07 19:57             ` Dmitry A. Kazakov
  2013-08-07 17:44           ` Björn Persson
  1 sibling, 1 reply; 39+ messages in thread
From: Simon Clubley @ 2013-08-07 17:15 UTC (permalink / raw)


On 2013-08-07, Dmitry A. Kazakov <mailbox@dmitry-kazakov.de> wrote:
> On Wed, 07 Aug 2013 05:06:44 -0500, Stephen Leake wrote:
>
>> "Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de> writes:
>> 
>>> On Tue, 06 Aug 2013 01:24:27 -0500, Stephen Leake wrote:
>>>> 
>>>> Because the device requires ssh authentication.
>>>
>>> I don't understand this. You cannot bind to a port under android?
>> 
>> I can. But then I'd have to re-implement security, authentication, and
>> file transfer.
>
> What for? It is your program; you know you are running it.
>
> The best security ever is a protocol nobody else knows.
>

What if he needs to transmit data over an untrusted link or if site
policy requires end-to-end encryption?

BTW, I don't agree with security by obscurity. I prefer security
protocols which are publicly available and have survived being
probed for vulnerabilities.

Simon.

-- 
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world


* Re: library/binding for sftp?
  2013-08-07 13:04         ` Dmitry A. Kazakov
  2013-08-07 17:15           ` Simon Clubley
@ 2013-08-07 17:44           ` Björn Persson
  1 sibling, 0 replies; 39+ messages in thread
From: Björn Persson @ 2013-08-07 17:44 UTC (permalink / raw)



Dmitry A. Kazakov wrote:
> The best security ever is a protocol nobody else knows.

Jeez! Please tell me that was an attempt to joke! If obscurity really is
your idea of security, then I'll have to remember to avoid your code
like the plague.

Björn Persson




* Re: library/binding for sftp?
  2013-08-07 17:15           ` Simon Clubley
@ 2013-08-07 19:57             ` Dmitry A. Kazakov
  2013-08-07 20:09               ` Alan Jump
  2013-08-07 21:46               ` Dennis Lee Bieber
  0 siblings, 2 replies; 39+ messages in thread
From: Dmitry A. Kazakov @ 2013-08-07 19:57 UTC (permalink / raw)


On Wed, 7 Aug 2013 17:15:25 +0000 (UTC), Simon Clubley wrote:

> On 2013-08-07, Dmitry A. Kazakov <mailbox@dmitry-kazakov.de> wrote:
>> On Wed, 07 Aug 2013 05:06:44 -0500, Stephen Leake wrote:
>>
>>> "Dmitry A. Kazakov" <mailbox@dmitry-kazakov.de> writes:
>>> 
>>>> On Tue, 06 Aug 2013 01:24:27 -0500, Stephen Leake wrote:
>>>>> 
>>>>> Because the device requires ssh authentication.
>>>>
>>>> I don't understand this. You cannot bind to a port under android?
>>> 
>>> I can. But then I'd have to re-implement security, authentication, and
>>> file transfer.
>>
>> What for? It is your program; you know you are running it.
>>
>> The best security ever is a protocol nobody else knows.
> 
> What if he needs to transmit data over an untrusted link or if site
> policy requires end-to-end encryption?

What if any of the devices may get confiscated? What if a judge requires you
to put down all passwords? Maybe it is better to stash data into mp3 files
covered as songs and transfer such files unencrypted?

> BTW, I don't agree with security by obscurity. I prefer security
> protocols which are publicly available and have survived being
> probed for vulnerabilities.

Of course, just because you’re paranoid doesn’t mean they’re not after you.
But it is always a balance between the price of the information and the
price of breaking in. Security by obscurity has a very good ratio in THIS
concrete case, likely better than that of any publicly available protocol.

P.S. Remember the code talkers story.

-- 
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de


* Re: library/binding for sftp?
  2013-08-07 19:57             ` Dmitry A. Kazakov
@ 2013-08-07 20:09               ` Alan Jump
  2013-08-07 20:26                 ` Dmitry A. Kazakov
  2013-08-07 21:46               ` Dennis Lee Bieber
  1 sibling, 1 reply; 39+ messages in thread
From: Alan Jump @ 2013-08-07 20:09 UTC (permalink / raw)


On Wednesday, August 7, 2013 12:57:37 PM UTC-7, Dmitry A. Kazakov wrote:
> Of course, just because you're paranoid doesn't mean they're not after you.
> But it is always a balance between the price of the information and the
> price of breaking in. Security by obscurity has a very good ratio in THIS
> concrete case, likely better than that of any publicly available protocol.
> 
> P.S. Remember the code talkers story.

There's a world of difference between knowing the technique and knowing the specific encoding material. One can know how to use a one-time pad for encryption or decryption, but without possessing the specific key material, the result will still be a jumble of numbers.

The same can be applied to security protocols. Think "asymmetric keys".

 - -
73 de N5ILN
Alan


* Re: library/binding for sftp?
  2013-08-07 20:09               ` Alan Jump
@ 2013-08-07 20:26                 ` Dmitry A. Kazakov
  2013-08-07 20:32                   ` Alan Jump
  0 siblings, 1 reply; 39+ messages in thread
From: Dmitry A. Kazakov @ 2013-08-07 20:26 UTC (permalink / raw)


On Wed, 7 Aug 2013 13:09:17 -0700 (PDT), Alan Jump wrote:

> There's a world of difference between knowing the technique and knowing
> the specific encoding material.

Yep, and obscurity means that others don't know the technique even if the
technique itself is stunningly simple.

-- 
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de



* Re: library/binding for sftp?
  2013-08-07 20:26                 ` Dmitry A. Kazakov
@ 2013-08-07 20:32                   ` Alan Jump
  2013-08-08  9:14                     ` Björn Persson
  0 siblings, 1 reply; 39+ messages in thread
From: Alan Jump @ 2013-08-07 20:32 UTC (permalink / raw)


On Wednesday, August 7, 2013 1:26:24 PM UTC-7, Dmitry A. Kazakov wrote:

> Yep, and obscurity means that others don't know the technique even if the
> technique itself is stunningly simple.

It also means no one but you can implement it. But there are up sides and down sides to that, and to me, the down sides outweigh the up sides. Doubly so since I'm a FOSS proponent.

 - -
73 de N5ILN
Alan


* Re: library/binding for sftp?
  2013-08-07 19:57             ` Dmitry A. Kazakov
  2013-08-07 20:09               ` Alan Jump
@ 2013-08-07 21:46               ` Dennis Lee Bieber
  1 sibling, 0 replies; 39+ messages in thread
From: Dennis Lee Bieber @ 2013-08-07 21:46 UTC (permalink / raw)


On Wed, 7 Aug 2013 21:57:37 +0200, "Dmitry A. Kazakov"
<mailbox@dmitry-kazakov.de> declaimed the following:

>
>What if any of the devices may get confiscated? What if a judge requires you
>to put down all passwords? Maybe it is better to stash data into mp3 files
>covered as songs and transfer such files unencrypted?
>
	Now you are getting into the realms of steganography.
-- 
	Wulfraed                 Dennis Lee Bieber         AF6VN
    wlfraed@ix.netcom.com    HTTP://wlfraed.home.netcom.com/



* Re: library/binding for sftp?
  2013-08-07 20:32                   ` Alan Jump
@ 2013-08-08  9:14                     ` Björn Persson
  2013-08-08  9:49                       ` Dmitry A. Kazakov
  0 siblings, 1 reply; 39+ messages in thread
From: Björn Persson @ 2013-08-08  9:14 UTC (permalink / raw)


Alan Jump wrote:
> On Wednesday, August 7, 2013 1:26:24 PM UTC-7, Dmitry A. Kazakov
> wrote:
> 
> > Yep, and obscurity means that others don't know the technique even
> > if the technique itself is stunningly simple.
> 
> It also means no one but you can implement it.

That's not true. Free software developers have reverse-engineered
several proprietary protocols and written compatible free
implementations. One prominent example is Samba, a free implementation
of Microsoft's proprietary file sharing protocol SMB.

Of course a public standard protocol is always preferable. I
reverse-engineered a protocol myself once. I was given a sample dump of
the communication between two programs, and wrote a filter that could
be inserted between them to modify the messages in transit. My code had
a lot of conditionals to allow for all the variation I saw in the dump.
A couple of years later, when I got to see some source code, it turned out
that my code was unnecessarily complex. It allowed for combinations
that would never occur. So a protocol specification is better but
reverse-engineering is also possible when there is no specification.

Eavesdropping doesn't even require a complete protocol implementation.
It will certainly not be hard for spies to get the sensitive data out
of a simple but undocumented file transfer protocol, even if there are
some protocol details that they haven't quite figured out.

Björn Persson




* Re: library/binding for sftp?
  2013-08-08  9:14                     ` Björn Persson
@ 2013-08-08  9:49                       ` Dmitry A. Kazakov
  2013-08-08 11:37                         ` Björn Persson
  0 siblings, 1 reply; 39+ messages in thread
From: Dmitry A. Kazakov @ 2013-08-08  9:49 UTC (permalink / raw)


On Thu, 8 Aug 2013 11:14:04 +0200, Björn Persson wrote:

> It will certainly not be hard for spies to get the sensitive data out
> of a simple but undocumented file transfer protocol, even if there are
> some protocol details that they haven't quite figured out.

Firstly, there is no protection against targeted attack. Secondly,
regarding spies, they aren't any good in programming. Obscuring is the best
method against unfocused surveillance which works only with known
protocols.

-- 
Regards,
Dmitry A. Kazakov
http://www.dmitry-kazakov.de


* Re: library/binding for sftp?
  2013-08-08  9:49                       ` Dmitry A. Kazakov
@ 2013-08-08 11:37                         ` Björn Persson
  2013-08-08 19:18                           ` Randy Brukardt
  0 siblings, 1 reply; 39+ messages in thread
From: Björn Persson @ 2013-08-08 11:37 UTC (permalink / raw)


Dmitry A. Kazakov wrote:
> Firstly, there is no protection against targeted attack. Secondly,
> regarding spies, they aren't any good in programming. Obscuring is
> the best method against unfocused surveillance which works only with
> known protocols.

Four false statements in a row.

Dmitry isn't going to change his mind so I won't debate this with him
further, but to everybody else: Don't listen to Dmitry. He doesn't
understand basic information security and is giving dangerous advice.

Björn Persson




* Re: library/binding for sftp?
  2013-08-08 11:37                         ` Björn Persson
@ 2013-08-08 19:18                           ` Randy Brukardt
  2013-08-08 20:03                             ` Alan Jump
  2013-08-09  8:49                             ` Björn Persson
  0 siblings, 2 replies; 39+ messages in thread
From: Randy Brukardt @ 2013-08-08 19:18 UTC (permalink / raw)



"Björn Persson" <bjorn@xn--rombobjrn-67a.se> wrote in message 
news:20130808133709.09dfef98@hactar.xn--rombobjrn-67a.se...
>Dmitry A. Kazakov wrote:
>> Firstly, there is no protection against targeted attack. Secondly,
>> regarding spies, they aren't any good in programming. Obscuring is
>> the best method against unfocused surveillance which works only with
>> known protocols.
>
>Four false statements in a row.

There are only three here, and the first is generally accepted as true (see 
below).

>Dmitry isn't going to change his mind so I won't debate this with him
>further, but to everybody else: Don't listen to Dmitry. He doesn't
>understand basic information security and is giving dangerous advice.

Then you better debate it with me, because at least part of Dmitry's advice 
matches what I would give.

Everything I read about security says that there is "no practical defense 
against a determined attacker". That's a bit more nuanced than Dmitry's 
statement, but it's repeated all of the time by the security experts I read. 
You might be able to stop such an attack by unplugging all of your internet 
connections and shutting down all of your computers, but even that isn't 
certain. And who can do that for long?

And Dmitry's point about spies (like the NSA) using "known protocols" is 
certainly true. They are much less likely to generally monitor what they 
don't know about. Of course, if they are targeting you directly, see 
statement 1.

Honestly, your attitude is dangerously naive. Probably the best strategy of 
all is to have no secrets that need protecting, as in today's environment 
you should assume all information is being read (or could be read) by 
someone.

When RRS was doing business with the NSA back in the 1980s, we used to 
occasionally talk to the light fixtures to remind ourselves of the 
possibility of surveillance. We thought it was reasonably likely that we were 
spied upon even then, and it's 100 times easier today (we didn't have a 
network - we used sneaker-net - and weren't connected to any public network 
until we started working on Ada 9x).

                                              Randy.



* Re: library/binding for sftp?
  2013-08-08 19:18                           ` Randy Brukardt
@ 2013-08-08 20:03                             ` Alan Jump
  2013-08-09  9:19                               ` Björn Persson
  2013-08-09 20:21                               ` Randy Brukardt
  2013-08-09  8:49                             ` Björn Persson
  1 sibling, 2 replies; 39+ messages in thread
From: Alan Jump @ 2013-08-08 20:03 UTC (permalink / raw)


On Thursday, August 8, 2013 12:18:09 PM UTC-7, Randy Brukardt wrote:
> Everything I read about security says that there is "no practical defense 
> against a determined attacker". That's a bit more nuanced than Dmitry's 
> statement, but it's repeated all of the time by the security experts I read. 
> You might be able to stop such an attack by unplugging all of your internet 
> connections and shutting down all of your computers, but even that isn't 
> certain. And who can do that for long?

You're close. The only truly secure computer is one that has NEVER had power applied to it. But since that fairly effectively eliminates the usefulness of a computer as anything except a really expensive doorstop, the best we can do is minimize the risks, since it's become impossible to completely eliminate them.

> And Dmitry's point about spies (like the NSA) using "known protocols" is 
> certainly true. They are much less likely to generally monitor what they 
> don't know about. Of course, if they are targeting you directly, see 
> statement 1.

I have nothing to fear from the NSA. What I fear in doing any sort of contract work is industrial espionage, which is a much more common occurrence, especially if one is on contract with a multinational (which, thank Ghu, I am not). 

> Honestly, your attitude is dangerously naive. Probably the best strategy of 
> all is to have no secrets that need protecting, as in today's environment 
> you should assume all information is being read (or could be read) by 
> someone.

Having no secrets to conceal is very close to being as impossible as concealing every secret one has indefinitely.

> When RRS was doing business with the NSA back in the 1980s, we used to 
> occasionally talk to the light fixtures to remind ourselves of the 
> possibility of surveillance. We thought it was reasonably likely that we were 
> spied upon even then, and it's 100 times easier today (we didn't have a 
> network - we used sneaker-net - and weren't connected to any public network 
> until we started working on Ada 9x).

As stated before, the best one can hope for in this so-called "modern" era is to minimize the risks, and part of that is minimizing the damage which can be done by compromised data, be it at rest or in motion. I'd much prefer to place a certain level of trust into peer-reviewed, thoroughly-tested algorithms than in an internally-developed process of unknown and untried effectiveness. I say "unknown and untried" because internally-developed security processes seldom, if ever, are revealed to the computing public at large as having been compromised...they simply quietly go away, and may or may not appear in security textbooks a few years later as examples of what not to do.

Just my 2p worth.

 - -
73 de N5ILN
Alan


* Re: library/binding for sftp?
  2013-08-08 19:18                           ` Randy Brukardt
  2013-08-08 20:03                             ` Alan Jump
@ 2013-08-09  8:49                             ` Björn Persson
  2013-08-09 20:12                               ` Randy Brukardt
  1 sibling, 1 reply; 39+ messages in thread
From: Björn Persson @ 2013-08-09  8:49 UTC (permalink / raw)


Randy Brukardt wrote:
> "Björn Persson" <bjorn@xn--rombobjrn-67a.se> wrote in message 
> news:20130808133709.09dfef98@hactar.xn--rombobjrn-67a.se...
> Dmitry A. Kazakov wrote:
> >> Firstly, there is no protection against targeted attack. Secondly,
> >> regarding spies, they aren't any good in programming. Obscuring is
> >> the best method against unfocused surveillance which works only
> >> with known protocols.
> >
> >Four false statements in a row.
> 
> There are only three here,

Three sentences, but I see two statements in the third sentence.


> >Dmitry isn't going to change his mind so I won't debate this with him
> >further, but to everybody else: Don't listen to Dmitry. He doesn't
> >understand basic information security and is giving dangerous advice.
> 
> Then you better debate it with me, because at least part of Dmitry's
> advice matches what I would give.
> 
> Everything I read about security says that there is "no practical
> defense against a determined attacker". That's a bit more nuanced
> than Dmitry's statement, but it's repeated all of the time by the
> security experts I read. You might be able to stop such an attack by
> unplugging all of your internet connections and shutting down all of
> your computers, but even that isn't certain. And who can do that for
> long?

Let's try to remember the context now. I may have pruned my previous
post too much, so I'll repeat the statement that Dmitry replied to:

| It will certainly not be hard for spies to get the sensitive data out
| of a simple but undocumented file transfer protocol, even if there are
| some protocol details that they haven't quite figured out.

The context was file transfer protocols and Dmitry was arguing that
"just open a socket and send whatever you want over it" would somehow
be more secure than SFTP. I read all of Dmitry's statements in that
context and understood "targeted attack" to mean an attack on a file
transfer protocol. It is not true that there is nothing you can do to
protect a file transfer protocol. One-time pad encryption is one form
of protection that exists. It's mathematically proven to be unbreakable
if it's done right, but has some drawbacks that make it impractical in
many cases. There are also several more practical encryption algorithms
(that for example SFTP uses) that none of the cryptologists who work
openly have been able to break so far, which shows that they are at
least very difficult to break. Those haven't been mathematically
proven, but it's wrong to dismiss them as "no protection".

But it's possible that I misunderstood that statement and your
interpretation is closer to what Dmitry meant. His statement still
isn't literally true. It's true that there is no *totally secure*
defense against a determined attacker *with sufficient resources*, but
that's not the same as there being "no protection" at all. You can have
various degrees of protection, just not total protection. Anyway I
don't see how this is an argument against SFTP. You wouldn't be able to
fend off a squad of paratroopers coming to take your disk, so don't
bother to authenticate your file transfers? That's just silly.


> And Dmitry's point about spies (like the NSA) using "known protocols"
> is certainly true. They are much less likely to generally monitor
> what they don't know about. Of course, if they are targeting you
> directly, see statement 1.

Of course spies use knowledge of protocols to assemble packets into
messages and conversations. They'd be stupid if they didn't, and now
that Edward Snowden has told us about Xkeyscore we know that at least
the NSA does. It is however naïve to assume that they spy *only* on
selected "known" protocols. If I were in charge of a surveillance
agency I would make sure to scan even unknown protocols for selected
keywords, and to have unknown protocols analyzed to turn them into
known protocols. I would also map out who communicates with whom
regardless of protocols, and watch for changes in traffic patterns, for
example traffic surges indicating that something has happened. I don't
have any proof that surveillance agencies around the world actually do
those things, but they'd be stupid if they didn't. Snowden might know,
if you can reach him to ask.

The simplistic "just connect to a socket" protocol doesn't even qualify
as an unknown protocol by the way. It's the data channel of FTP, just
(probably) on another port.


I'll finish by returning to the beginning of your message where you
said:

> at least part of Dmitry's advice matches what I would give.

Not every statement is advice. Dmitry's actual advice was, paraphrased:
"Don't bother with encryption. Invent a proprietary protocol where you
send everything in the clear. That will protect your secrets better
than any encryption. Don't bother with authentication. Nobody will
figure out how to connect with your proprietary protocol, so you can
assume that all connections are legitimate." That's the advice that I'm
calling dangerous. Does that match the advice you would give?

Björn Persson

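The one-time pad that Alan and Björn both bring up, as an added example in Python using only the standard library (this is not code from the thread, nor from any library named in it). It makes Alan's point concrete: the technique is public and trivial (XOR), yet without the pad every same-length plaintext is an equally good explanation of the ciphertext. It also shows the drawback Björn alludes to, which is what "done right" costs in practice: the pad must be as long as all the data ever sent, shared in advance, and never reused, because a reused pad cancels out of two ciphertexts and exposes the second message to anyone who knows the first. The `OneTimePad` class, its offset bookkeeping, and the sample messages are constructed for this example.

```python
import secrets
from typing import Tuple


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings (the whole 'technique')."""
    if len(a) != len(b):
        raise ValueError("pad material must be exactly as long as the data")
    return bytes(x ^ y for x, y in zip(a, b))


class OneTimePad:
    """Pad material that is consumed strictly once (constructed helper, not a
    library API). Sender and receiver each hold a copy of the same material
    and walk through it in step; bytes already used are never handed out
    again, and an exhausted pad raises instead of wrapping around."""

    def __init__(self, material: bytes) -> None:
        self._material = material
        self._offset = 0

    @property
    def remaining(self) -> int:
        return len(self._material) - self._offset

    def _take(self, n: int) -> bytes:
        if n > self.remaining:
            raise RuntimeError("pad exhausted: share fresh material, never reuse")
        chunk = self._material[self._offset:self._offset + n]
        self._offset += n
        return chunk

    def encrypt(self, plaintext: bytes) -> Tuple[int, bytes]:
        """Return (pad offset used, ciphertext). The offset is not secret; it
        only tells the receiver which pad bytes to line up."""
        start = self._offset
        return start, xor_bytes(plaintext, self._take(len(plaintext)))

    def decrypt(self, offset: int, ciphertext: bytes) -> bytes:
        """Refuse if the two ends have drifted out of step, which would mean
        a message was lost or pad bytes are about to be reused."""
        if offset != self._offset:
            raise RuntimeError("pad offset mismatch; refusing to decrypt")
        return xor_bytes(ciphertext, self._take(len(ciphertext)))


def pad_consistent_with(ciphertext: bytes, candidate: bytes) -> bytes:
    """Perfect secrecy made concrete: for ANY candidate plaintext of the right
    length there is a pad that maps the ciphertext to it, so an eavesdropper
    who knows the technique still cannot prefer one candidate over another."""
    return xor_bytes(ciphertext, candidate)


def reuse_exposes(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """The 'done wrong' case: two messages under the same pad bytes. The pad
    cancels out of c1 XOR c2, leaving p1 XOR p2, so whoever knows (or can
    guess) one plaintext reads the other. Returns the recovered second text."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


def demo() -> dict:
    """Run both cases with fresh random material; returns what happened."""
    material = secrets.token_bytes(64)          # shared out of band, in advance
    sender, receiver = OneTimePad(material), OneTimePad(material)
    offset, ct = sender.encrypt(b"build 2013-08-05 ok")   # constructed message
    roundtrip = receiver.decrypt(offset, ct)

    # An eavesdropper can 'explain' the ciphertext as any text of that length.
    decoy = b"build 2013-08-05 NG"
    decoy_pad = pad_consistent_with(ct, decoy)

    # Misuse: the same five pad bytes protect two different messages.
    reused = secrets.token_bytes(5)
    c1, c2 = xor_bytes(b"alpha", reused), xor_bytes(b"bravo", reused)
    return {
        "roundtrip_ok": roundtrip == b"build 2013-08-05 ok",
        "decoy_also_fits": xor_bytes(ct, decoy_pad) == decoy,
        "second_message_exposed": reuse_exposes(c1, c2, b"alpha") == b"bravo",
        "pad_bytes_left": sender.remaining,
    }


if __name__ == "__main__":
    print(demo())
```

The offset bookkeeping is the entire mitigation: the moment two messages share pad bytes, `reuse_exposes` shows the secrecy is gone, and that is why a pad has to be as long as everything that will ever be sent. SSH-based protocols such as SFTP sidestep that drawback by deriving fresh per-session keys from short long-term keys, which is the practical trade-off Björn is pointing at when he calls the one-time pad impractical in many cases.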

* Re: library/binding for sftp?
  2013-08-08 20:03                             ` Alan Jump
@ 2013-08-09  9:19                               ` Björn Persson
  2013-08-09 20:21                               ` Randy Brukardt
  1 sibling, 0 replies; 39+ messages in thread
From: Björn Persson @ 2013-08-09  9:19 UTC (permalink / raw)


Alan Jump wrote:
> I'd much prefer to place a certain level of trust into peer-reviewed,
> thoroughly-tested algorithms than in an internally-developed process
> of unknown and untried effectiveness.

This is wise. Anyone can come up with a cipher that he himself cannot
break, but that doesn't mean that no one else can break it. I don't
remember who said that first, possibly Bruce Schneier, but it's a truth
you should always keep in mind when people are promoting their own
proprietary ciphers and security schemes.

Björn Persson


* Re: library/binding for sftp?
  2013-08-09  8:49                             ` Björn Persson
@ 2013-08-09 20:12                               ` Randy Brukardt
  2013-08-19 17:26                                 ` Stefan.Lucks
  0 siblings, 1 reply; 39+ messages in thread
From: Randy Brukardt @ 2013-08-09 20:12 UTC (permalink / raw)


"Björn Persson" <bjorn@xn--rombobjrn-67a.se> wrote in message 
news:20130809104904.6ca91de2@hactar.xn--rombobjrn-67a.se...
>Randy Brukardt wrote:
>> "Björn Persson" <bjorn@xn--rombobjrn-67a.se> wrote in message
>> news:20130808133709.09dfef98@hactar.xn--rombobjrn-67a.se...
>> Dmitry A. Kazakov wrote:
>> >> Firstly, there is no protection against targeted attack. Secondly,
>> >> regarding spies, they aren't any good in programming. Obscuring is
>> >> the best method against unfocused surveillance which works only
>> >> with known protocols.
>> >
>> >Four false statements in a row.
>>
>> There are only three here,
>
>Three sentences, but I see two statements in the third sentence.

There is only one in the third sentence that I see. "best method". The rest 
is a definition.

...
>Let's try to remember the context now. I may have pruned my previous
>post too much, so I'll repeat the statement that Dmitry replied to:

...
>The context was file transfer protocols and Dmitry was arguing that
>"just open a socket and send whatever you want over it" would somehow
>be more secure than SFTP. I read all of Dmitry's statements in that
>context and understood "targeted attack" to mean an attack on a file
>transfer protocol.

That's certainly not how I read Dmitry's messages. Perhaps I was reading 
something into them that wasn't there, but my understanding was that he was 
saying that opening a socket and sending data in a custom protocol would be 
as secure as SFTP, so why bother with the fancy file transfer protocol 
(especially if you're not dealing with files)?

A custom protocol certainly wouldn't have to send plain text.

...
>But it's possible that I misunderstood that statement and your
>interpretation is closer to what Dmitry meant. His statement still
>isn't literally true. It's true that there is no *totally secure*
>defense against a determined attacker *with sufficient resources*, but
>that's not the same as there being "no protection" at all.

It's fairly close, as anyone with a stolen credit card can have sufficient 
resources these days. (Amazon and other clouds are cheap and easy.)

>You can have various degrees of protection, just not total protection.
>Anyway I don't see how this is an argument against SFTP. You wouldn't be
>able to fend off a squad of paratroopers coming to take your disk, so don't
>bother to authenticate your file transfers? That's just silly.

There are clearly levels of security. One of them is the "determined 
attacker", and if that is your concern, there isn't much really worth doing.

The other is the general attacker. They're just looking for easy targets, 
and for that the story of the two hikers and the grizzly bear applies (Two 
hikers encounter a grizzly bear which charges them. One of the hikers starts 
to run. The other yells "why are you running, you can't outrun a grizzly 
bear!?", The first hiker replies "No, but I can outrun you!".) You only have 
to have enough security so that you are outrunning a decent percentage of 
the other computers on the internet. So long as it is harder to attack your 
computers than many others, attackers will look elsewhere.

>> And Dmitry's point about spies (like the NSA) using "known protocols"
>> is certainly true. They are much less likely to generally monitor
>> what they don't know about. Of course, if they are targeting you
>> directly, see statement 1.
>
>Of course spies use knowledge of protocols to assemble packets into
>messages and conversations. They'd be stupid if they didn't, and now
>that Edward Snowden has told us about Xkeyscore we know that at least
>the NSA does. It is however naïve to assume that they spy *only* on
>selected "known" protocols. If I were in charge of a surveillance
>agency I would make sure to scan even unknown protocols for selected
>keywords, and to have unknown protocols analyzed to turn them into
>known protocols. I would also map out who communicates with whom
>regardless of protocols, and watch for changes in traffic patterns, for
>example traffic surges indicating that something has happened. I don't
>have any proof that surveillance agencies around the world actually do
>those things, but they'd be stupid if they didn't. Snowden might know,
>if you can reach him to ask.

Sure, you can't hide completely. But why make it easy for them? Just encrypt 
everything and send it directly using sockets (no obvious protocol to 
analyze). If they want you, it will be easy for them to figure it out, but 
most likely, they don't want you (yet), and the gibberish data will be 
unlikely to trigger any filters.

>The simplistic "just connect to a socket" protocol doesn't even qualify
>as an unknown protocol by the way. It's the data channel of FTP, just
>(probably) on another port.

True enough. There is no "unknown protocol" per-se, but there is a port 
sending unstructured data (to a generic scanner). That's what I'm talking 
about, and I presumed Dmitry was talking about (he's not an idiot).

>I'll finish by returning to the beginning of your message where you said:

> at least part of Dmitry's advice matches what I would give.
>
>Not every statement is advice. Dmitry's actual advice was, paraphrased:
>"Don't bother with encryption. Invent a proprietary protocol where you
>send everything in the clear. That will protect your secrets better
>than any encryption. Don't bother with authentication. Nobody will
>figure out how to connect with your proprietary protocol, so you can
>assume that all connections are legitimate." That's the advice that I'm
>calling dangerous. Does that match the advice you would give?

I'd call that dangerous if someone actually gave that advice. But that's not 
close to my understanding of what Dmitry was recommending.

First of all, he's talking about communication in a private application with 
low-value data (not credit card numbers or the like). In that case, the most 
important thing is to have as much code as possible in your direct control. 
For me, that means that unknown libraries ought to be avoided; I want 
everything written in Ada that I can put through checking tools and bring 
all of the advantages of Ada to bear. Something like 75% of the long-lived 
bugs in code I've been involved with are in interfacing code. (By "long-lived", I 
mean bugs that don't immediately show up on the first run.) Straight Ada 
code is many, many times more likely to be correct than anything using a 
library.

So, for instance, faced with a choice of using several unknown SFTP 
libraries (both an Ada binding and the library proper, both of which may 
have errors), or using a simple socket connection and Ada libraries for 
encryption and the like, I certainly would lean toward the latter.

Second, I certainly don't think he said anything about skipping encryption. 
It's trivial to encrypt your data with one of the existing encryption 
algorithms written in Ada. (The original AES algorithm proposal was written 
in Ada, and it makes a very good library; I think every Ada programmer 
should have it in their toolbox. Nothing "roll-your-own" about that.)

Third, if your data is valuable enough that it needs authentication 
permission, I think you should think about 100 times about putting it 
on-line in the first place. Authentication will stop script-kiddie attacks, 
but that's about all. If there is much value/danger from having it on-line, 
then don't put it on-line. (What possible good could come from 
Internet-connected door locks? To take one obvious and current example. It's 
a high-value target, and it is guaranteed to be broken into repeatedly, no 
matter how much care the manufacturers put into it. Just don't do it.)

Obviously, many people disagree with me on the value of sharing. And I 
certainly agree that public applications (which includes anything sold to 
the public, even for "private" use) need to use high-security solutions. I 
just don't think that there exist any solutions high-security enough for 
truly critical data.

The real mitigation is to decrease the value of "secrets", but that takes 
algorithmic and operational changes that few want to make. Thus no-security 
will remain the norm.

                                              Randy.

* Re: library/binding for sftp?
  2013-08-08 20:03                             ` Alan Jump
  2013-08-09  9:19                               ` Björn Persson
@ 2013-08-09 20:21                               ` Randy Brukardt
  1 sibling, 0 replies; 39+ messages in thread
From: Randy Brukardt @ 2013-08-09 20:21 UTC (permalink / raw)


"Alan Jump" <alan.jump@gmail.com> wrote in message 
news:2d28eb38-0cbc-4f43-983c-d11318614491@googlegroups.com...
On Thursday, August 8, 2013 12:18:09 PM UTC-7, Randy Brukardt wrote:
...
>> Honestly, your attitude is dangerously naive. Probably the best strategy
>> of all is to have no secrets that need protecting, as in today's
>> environment you should assume all information is being read (or could be
>> read) by someone.
>
>Having no secrets to conceal is very close to being as impossible as
>concealing every secret one has indefinitely.

True, but it ought to be the goal. One important mitigation is to use the 
value of time to decrease the value of secrets. If the value of a secret 
drops to zero after a short time, that makes it useless to attackers unless 
they get it in the appropriate time. That makes attacks much harder, and 
unless the secret is extremely high-value, they won't bother. (The worst 
thing for security is long-lived high-value secrets like credit card 
numbers. There is no realistic hope of securing something like that. [Yes, 
PCI-DSS is a load of baloney -- it's all about blaming merchants for being 
unable to do the impossible (and forcing them to spend a lot of money to 
attempt to do the impossible) while saving the bankers from spending the 
money needed to eliminate the actual cause of the problem.])

And I'm dubious that a lot of things ought to be on-line in the first place. 
Why would anyone want to make their door locks or toilet attackable?? (Both 
recently in the news.) The former is such a high-value target that no amount 
of security on the software would ever be enough. Some things are better 
done the old-fashioned way!

                                                   Randy.

* Re: library/binding for sftp?
  2013-08-09 20:12                               ` Randy Brukardt
@ 2013-08-19 17:26                                 ` Stefan.Lucks
  2013-08-19 18:15                                   ` AdaMagica
                                                     ` (2 more replies)
  0 siblings, 3 replies; 39+ messages in thread
From: Stefan.Lucks @ 2013-08-19 17:26 UTC (permalink / raw)


On Fri, 9 Aug 2013, Randy Brukardt wrote:

>>>>> Firstly, there is no protection against targeted attack. Secondly,
>>>>> regarding spies, they aren't any good in programming. Obscuring is
>>>>> the best method against unfocused surveillance which works only
>>>>> with known protocols.
>>>>
>>>> Four false statements in a row.
>>>
>>> There are only three here,
>>
>> Three sentences, but I see two statements in the third sentence.
>
> There is only one in the third sentence that I see. "best method". The rest
> is a definition.

Randy, I see two statements in the third sentence, and no definition:

1. obscuring is the best method against unfocused surveillance
2. unfocused surveillance works only with known protocols.

I question the first statement.

The second one is dangerously wrong, and there are plenty of 
counterexamples.

One common error frequently found in homegrown protocols is encrypting 
some stuff while leaving other sensitive information in the clear. E.g., 
older versions of WinZip did support the encryption of files, while 
including plain filenames in the archives. (I am not sure about recent 
versions of WinZip.) Any protocol based on sending "encrypted" archives 
would trivially leave the filenames open even for unfocused surveillance 
operations -- if that was fishing for filenames.


------  I  love  the  taste  of  Cryptanalysis  in  the morning!  ------
     <http://www.uni-weimar.de/cms/medien/mediensicherheit/home.html>
--Stefan.Lucks (at) uni-weimar.de, Bauhaus-Universität Weimar, Germany--

* Re: library/binding for sftp?
  2013-08-19 17:26                                 ` Stefan.Lucks
@ 2013-08-19 18:15                                   ` AdaMagica
  2013-08-19 22:45                                   ` Randy Brukardt
  2013-08-19 23:15                                   ` Randy Brukardt
  2 siblings, 0 replies; 39+ messages in thread
From: AdaMagica @ 2013-08-19 18:15 UTC (permalink / raw)


> One common error frequently found in homegrown protocols is encrypting 
> some stuff while leaving other sensitive information in the clear. E.g., 
> older versions of WinZip did support the encryption of files, while 
> including plain filenames in the archives. (I am not sure about recent 
> versions of WinZip.)

It still does. I encrypt the zip file again, then the file names are gone.

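An added example to go with Stefan's WinZip point and the reply above (editor's code, not from anyone in this thread). A ZIP archive whose entries are flagged as encrypted still stores every file name in the clear, twice: once in each local file header and once in the central directory. Anything that sees the archive bytes, a content filter on the wire or a check on an outbound archive, recovers the names without any key; only encrypting the whole archive again, as in the reply above, takes those structures out of what such a scan sees. Everything below is constructed: the archive is built by hand so that the encrypted flag can be set, the entry bodies are hash-derived placeholder bytes standing in for ciphertext (no real encryption is performed), and the sample names are made up, except dxtiddfh887876y2012.xls, which is borrowed from Stefan's later example in this thread. The zipfile cross-check shows that a standard tool lists the names just as readily.

```python
"""Added example for this thread (not code from any poster): a ZIP whose
entries are flagged as encrypted still carries every file name in the clear.
Everything here is constructed; entry bodies are hash-derived placeholder
bytes standing in for ciphertext, not real encryption."""
import io
import struct
import zipfile
import zlib
from hashlib import sha256

LOCAL_SIG = b"PK\x03\x04"      # local file header signature
CENTRAL_SIG = b"PK\x01\x02"    # central directory file header signature
EOCD_SIG = b"PK\x05\x06"       # end of central directory record signature
FLAG_ENCRYPTED = 0x0001        # general-purpose flag bit 0: entry is encrypted

# Constructed sample; the first name is the one Stefan uses later in this thread.
SAMPLE_ENTRIES = {
    "dxtiddfh887876y2012.xls": b"constructed placeholder spreadsheet",
    "notes/readme.txt": b"constructed placeholder text",
}


def opaque_body(name, plain):
    """Stand-in for an encrypted entry body (NOT encryption): 12-byte header
    plus one byte per plaintext byte, the size traditional ZIP encryption
    produces. Only the length matters for this demonstration."""
    filler = sha256(name.encode()).digest() * (len(plain) // 32 + 2)
    return filler[: 12 + len(plain)]


def build_archive(entries):
    """Write a stored (uncompressed) ZIP whose entries are flagged encrypted."""
    body, central = bytearray(), bytearray()
    for name, plain in entries.items():
        raw, data = name.encode("utf-8"), opaque_body(name, plain)
        crc, offset = zlib.crc32(plain) & 0xFFFFFFFF, len(body)
        # Both headers carry the name and sizes in the clear; DOS date 1980-01-01.
        body += struct.pack("<4sHHHHHIIIHH", LOCAL_SIG, 20, FLAG_ENCRYPTED, 0,
                            0, 0x21, crc, len(data), len(plain), len(raw), 0)
        body += raw + data
        central += struct.pack("<4sHHHHHHIIIHHHHHII", CENTRAL_SIG, 20, 20,
                               FLAG_ENCRYPTED, 0, 0, 0x21, crc, len(data),
                               len(plain), len(raw), 0, 0, 0, 0, 0, offset)
        central += raw
    eocd = struct.pack("<4sHHHHIIH", EOCD_SIG, 0, 0, len(entries), len(entries),
                       len(central), len(body), 0)
    return bytes(body + central + eocd)


def names_from_central_directory(blob):
    """Walk the central directory as an unzip tool does. Needs the trailer,
    so it finds nothing in a capture cut off before the end of the transfer."""
    eocd_at = blob.rfind(EOCD_SIG)
    if eocd_at < 0 or eocd_at + 22 > len(blob):
        return []
    fields = struct.unpack_from("<4sHHHHIIH", blob, eocd_at)
    count, pos = fields[4], fields[6]          # entry count, directory offset
    found = []
    for _ in range(count):
        if pos + 46 > len(blob):
            break
        rec = struct.unpack_from("<4sHHHHHHIIIHHHHHII", blob, pos)
        if rec[0] != CENTRAL_SIG:
            break
        flags, nlen, elen, clen = rec[3], rec[10], rec[11], rec[12]
        name = blob[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        found.append((name, bool(flags & FLAG_ENCRYPTED)))
        pos += 46 + nlen + elen + clen
    return found


def names_from_stream(blob):
    """Scan local file headers in order. Needs nothing after the header being
    read, so it also works on a partial capture or on bytes seen mid-transfer."""
    found = []
    pos = blob.find(LOCAL_SIG)
    while pos >= 0 and pos + 30 <= len(blob):
        hdr = struct.unpack_from("<4sHHHHHIIIHH", blob, pos)
        flags, csize, nlen, elen = hdr[2], hdr[7], hdr[9], hdr[10]
        name = blob[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        found.append((name, bool(flags & FLAG_ENCRYPTED)))
        pos = blob.find(LOCAL_SIG, pos + 30 + nlen + elen + csize)
    return found


def names_via_zipfile(blob):
    """Cross-check: the standard library lists the names without any key."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


SAMPLE = build_archive(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for name, enc in names_from_stream(SAMPLE):
        print(f"{name!r:32} encrypted={enc}")
    print("names still visible without the trailer:", names_from_stream(SAMPLE[:-22]))
```

The two scanners differ in what they need: the central-directory walk needs the trailer at the end of the archive, while the local-header scan needs nothing beyond the header it is reading, so it still reports the names from a transfer that was captured only in part. For a defender the useful check is the second one, run against what actually leaves the network: if an "encrypted" archive gives up its names to it, the metadata needs the outer layer as well.
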
* Re: library/binding for sftp?
  2013-08-19 17:26                                 ` Stefan.Lucks
  2013-08-19 18:15                                   ` AdaMagica
@ 2013-08-19 22:45                                   ` Randy Brukardt
  2013-08-19 23:15                                   ` Randy Brukardt
  2 siblings, 0 replies; 39+ messages in thread
From: Randy Brukardt @ 2013-08-19 22:45 UTC (permalink / raw)


<Stefan.Lucks@uni-weimar.de> wrote in message 
news:alpine.DEB.2.10.1308191900320.24091@debian...
On Fri, 9 Aug 2013, Randy Brukardt wrote:

>>>>> Firstly, there is no protection against targeted attack. Secondly,
>>>>> regarding spies, they aren't any good in programming. Obscuring is
>>>>> the best method against unfocused surveillance which works only
>>>>> with known protocols.
>>>>
>>>> Four false statements in a row.
>>>
>>> There are only three here,
>>
>> Three sentences, but I see two statements in the third sentence.
>
> There is only one in the third sentence that I see. "best method". The
> rest is a definition.

Randy, I see two statements in the third sentence, and no definition:

1. obscuring is the best method against unfocused surveillance
2. unfocused surveillance works only with known protocols.

I question the first statement.

The second one is dangerously wrong, and there are plenty of
counterexamples.

One common error frequently found in homegrown protocols is encrypting
some stuff while leaving other sensitive information in the clear. E.g.,
older versions of WinZip did support the encryption of files, while
including plain filenames in the archives. (I am not sure about recent
versions of WinZip.) Any protocol based on sending "encrypted" archives
would trivially leave the filenames open even for unfocused surveillance
operations -- if that was fishing for filenames.


------  I  love  the  taste  of  Cryptanalysis  in  the morning!  ------
     <http://www.uni-weimar.de/cms/medien/mediensicherheit/home.html>
--Stefan.Lucks (at) uni-weimar.de, Bauhaus-Universität Weimar, Germany--

* Re: library/binding for sftp?
  2013-08-19 17:26                                 ` Stefan.Lucks
  2013-08-19 18:15                                   ` AdaMagica
  2013-08-19 22:45                                   ` Randy Brukardt
@ 2013-08-19 23:15                                   ` Randy Brukardt
  2013-08-20  6:43                                     ` Georg Bauhaus
  2013-08-20  8:14                                     ` Stefan.Lucks
  2 siblings, 2 replies; 39+ messages in thread
From: Randy Brukardt @ 2013-08-19 23:15 UTC (permalink / raw)


<Stefan.Lucks@uni-weimar.de> wrote in message 
news:alpine.DEB.2.10.1308191900320.24091@debian...
On Fri, 9 Aug 2013, Randy Brukardt wrote:

>>>>>> Firstly, there is no protection against targeted attack. Secondly,
>>>>>> regarding spies, they aren't any good in programming. Obscuring is
>>>>>> the best method against unfocused surveillance which works only
>>>>>> with known protocols.
>>>>>
>>>>> Four false statements in a row.
>>>>
>>>> There are only three here,
>>>
>>> Three sentences, but I see two statements in the third sentence.
>>
>> There is only one in the third sentence that I see. "best method". The
>> rest is a definition.
>
>Randy, I see two statements in the third sentence, and no definition:
>
>1. obscuring is the best method against unfocused surveillance
>2. unfocused surveillance works only with known protocols.
>
>I question the first statement.

Right.

>The second one is dangerously wrong, and there are plenty of
>counterexamples.

I view it as a definition. You're forgetting that packet inspection and the 
like (the basis of "unfocused surveillance") depend completely on "known 
protocols", since TCP/IP and the various routing protocols are surely "known 
protocols". It's impossible to send anything over the Internet (public or 
local) without using many known protocols.

If you truly are using only "unknown protocols", then you're by definition 
using a private wired connection, and clearly only a determined attacker 
would have access to that. And there is no defense against such attackers; 
the most you can do is annoy them enough that hopefully they'll look for an 
easier target.

>One common error frequently found in homegrown protocols is encrypting
>some stuff while leaving other sensitive information in the clear. E.g.,
>older versions of WinZip did support the encryption of files, while
>including plain filenames in the archives. (I am not sure about recent
>versions of WinZip.) Any protocol based on sending "encrypted" archives
>would trivially leave the filenames open even for unfocused surveillance
>operations -- if that was fishing for filenames.

This is where I always lose it. Filenames being sensitive information? Only 
if the programmers in question are complete idiots. (And I realize there are 
plenty of them out there.) I can't imagine any value being associated with 
knowing that there is a file name "J2Typ_De.Ads" that makes up part of the 
Janus/Ada compiler. Sure, perhaps a dedicated attacker might find out some 
program that you're using in that way, but there are thousands of ways for 
such attackers to get in. Plugging one has no effect whatsoever.

Besides, anyone who puts anything sensitive in the cloud for long-term 
storage is going to be a victim sooner or later. ("Sensitive" here meaning 
with long-lived value, like credit card numbers.) Sooner or later, any of 
these things will be broken (and that's assuming that the NSA doesn't 
already require backdoors, which seems likely).

It's now known that the NSA tracks pretty much every internet connection. 
Sending anything over the Internet is guaranteed to leave a trace, so if 
that is "sensitive information" to you, simply don't do it. And if you have 
*truly* sensitive information, don't put it on the Internet (ever!), and try 
not to put it on a computer, either.

I've been talking about information that you'd rather not have people see 
(which for me, is almost anything I do) but doesn't need NSA-grade 
protection. I don't care if the NSA sees that I'm corresponding with you 
here, but if I wanted to keep them (and everyone else) from simple content 
scans, I'd use a custom protocol. (I think it's likely that they can read 
SSH transactions, but I don't think they can do that in real-time.)

If you need public connections, then surely use SSH. But you can surely do 
better.

In truth, though, it's probably all pointless. The government (anybody's 
government) will soon ban computers that they can't control. It seems likely 
that Windows 8 in particular is full of backdoors (indeed, it seems to have 
a frontdoor in terms of the "Microsoft account" which clearly allows 
Microsoft and thus the NSA to track logons and location for almost every new 
Windows computer). I would expect that will be done by essentially 
preventing anyone that has an unapproved computer from connecting in any way 
to the Internet. And then the enslavement of the masses will be complete. 
("1984" was far too kind as to our future.)

                                                Randy.

* Re: library/binding for sftp?
  2013-08-19 23:15                                   ` Randy Brukardt
@ 2013-08-20  6:43                                     ` Georg Bauhaus
  2013-09-13  9:58                                       ` Oliver Kleinke
  2013-08-20  8:14                                     ` Stefan.Lucks
  1 sibling, 1 reply; 39+ messages in thread
From: Georg Bauhaus @ 2013-08-20  6:43 UTC (permalink / raw)


On 20.08.13 01:15, Randy Brukardt wrote:
> If you truly are using only "unknown protocols", then you're by definition
> using a private wired connection, and clearly only a determined attacker
> would have access to that. And there is no defense against such attackers;
> the most you can do is annoy them enough that hopefully they'll look for an
> easier target.

This view surely phrases protection using ciphers as protection
using physical privacy... and presupposes hackers' determinations,
as might have been the case of
http://en.wikipedia.org/wiki/DigiNotar . As can be concluded from
the case, physical measures have not prevented ensuing bankruptcy!

I'll offer 10,-€ (yes, that's little in view of your average incomes,
but is worth some beer) for solving this unknown protocol.

SYN1Bo3AHS7SYO3FP9FXN1H7CEK1eR

__
<smallprint>Professional cryptographers, please refrain from
acting quickly.</smallprint>

* Re: library/binding for sftp?
  2013-08-19 23:15                                   ` Randy Brukardt
  2013-08-20  6:43                                     ` Georg Bauhaus
@ 2013-08-20  8:14                                     ` Stefan.Lucks
  2013-08-20 20:59                                       ` Randy Brukardt
  2013-08-24  8:06                                       ` David Thompson
  1 sibling, 2 replies; 39+ messages in thread
From: Stefan.Lucks @ 2013-08-20  8:14 UTC (permalink / raw)


On Mon, 19 Aug 2013, Randy Brukardt wrote:

> <Stefan.Lucks@uni-weimar.de> wrote in message
> news:alpine.DEB.2.10.1308191900320.24091@debian...
> On Fri, 9 Aug 2013, Randy Brukardt wrote:
>
>> 1. obscuring is the best method against unfocused surveillance
>> 2. unfocused surveillance works only with known protocols.
>>
>> I question the first statement.
>
> Right.
>
>> The second one is dangerously wrong, and there are plenty of
>> counterexamples.
>
> I view it as a definition.

Hu?

> If you truly are using only "unknown protocols", then you're by definition
> using a private wired connection,

Randy, please check your logic. The sentence in question was
   "unfocused surveillance which works only with known protocols".
This is logically equivalent to
   "unfocused surveillance does not work if at least one protocol is
    unknown."

I claim that using a homemade protocol over an existing physical and 
transport layer can (and actually is likely to) be less secure than a 
well-evaluated and publicly known security protocol.

The statement you are trying to defend is logically different
   "unfocused surveillance does not work if all protocols are
    unknown."

This is not a definition -- but it is a statement I can agree with.

> This is where I always lose it. Filenames being sensitive information? Only
> if the programmers in question are complete idiots. (And I realize there are
> plenty of them out there.)

Not really. Any security application or a security protocol is designed 
around a threat model. It is impossible to protect the user from any 
threat one can imagine -- so the user has to be aware what are the threats 
the protocol protects her from.

> I can't imagine any value being associated with knowing that there is a 
> file name "J2Typ_De.Ads" that makes up part of the Janus/Ada compiler.

Imagine you send or receive a file with the name dxtiddfh887876y2012.xls, 
where "dxtiddfh887876y2012" happens to be the reference number of a file 
Snowden copied from the NSA computers. Even if the content of the file has 
been well encrypted, the filename would earn you some "friendly visits" 
...

> Besides, anyone who puts anything sensitive in the cloud for long-term
> storage is going to be a victim sooner or later.

Agreed! But the topic was on protocols, i.e., data in transit, rather than 
long-term storage.

> If you need public connections, then surely use SSH.

Agreed. Which is what the OP has been asking about, namely sftp (which is 
ftp + ssh).

> In truth, though, it's probably all pointless. The government (anybody's
> government) will soon ban computers that they can't control.

I am fairly optimistic that this will not happen in Europe. I am not so 
sure about the US.


------  I  love  the  taste  of  Cryptanalysis  in  the morning!  ------
     <http://www.uni-weimar.de/cms/medien/mediensicherheit/home.html>
--Stefan.Lucks (at) uni-weimar.de, Bauhaus-Universität Weimar, Germany--

* Re: library/binding for sftp?
  2013-08-20  8:14                                     ` Stefan.Lucks
@ 2013-08-20 20:59                                       ` Randy Brukardt
  2013-08-21  7:27                                         ` Stefan.Lucks
  2013-08-24  8:06                                       ` David Thompson
  1 sibling, 1 reply; 39+ messages in thread
From: Randy Brukardt @ 2013-08-20 20:59 UTC (permalink / raw)



<Stefan.Lucks@uni-weimar.de> wrote in message 
news:alpine.DEB.2.10.1308200931020.28419@debian...
On Mon, 19 Aug 2013, Randy Brukardt wrote:

...
>> If you truly are using only "unknown protocols", then you're by
>> definition using a private wired connection,
>
>Randy, please check your logic. The sentence in question was
>   "unfocused surveillance which works only with known protocols".
>This is logically equivalent to
>   "unfocused surveillance does not work if at least one protocol is
>    unknown."

I don't see this at all. There is nothing in the original sentence which 
implies exclusivity. So long as there is a known protocol in use, unfocused 
surveillance may work. (Whether there are other, unknown protocols in use, 
or whether all protocols are known, is irrelevant.) That's because the 
surveillance of TCP/IP (for instance) may not need to know anything about 
the other protocols in use to work (for instance, if only the routing is of 
interest, the contents of the packets is irrelevant).

So you are arguing with a straw man, definitely not what Dmitry originally 
said. (What he meant I don't know, of course.)

I know from working on the Ada Standard that it is quite reasonable for 
readers to get two different meanings out of the same set of English text. 
For the Ada Standard, we usually apply the so-called "Dewar rule", which 
states that the Ada Standard does not include nonsense. (And then we often 
try to clarify the wording.) I might be guilty of applying that rule to 
Dmitry's text - if there are multiple plausible readings, I'm assuming that 
the most sensible one was meant.

>I claim that using a homemade protocol over an existing physical and
>transport layer can (and actually is likely to) be less secure than a
>well-evaluated and publicly known security protocol.

And I claim it is irrelevant. The use of the public internet is never very 
secure and you can be certain that at least basic behavior is monitored.

>The statement you are trying to defend is logically different
>   "unfocused surveillance does not work if all protocols are
>    unknown."
>
>This is not a definition -- but it is a statement I can agree with.

Good, because it is what was originally said. :-) Or more accurately, the 
original statement had nothing to say about whether or not all protocols are 
unknown.

...
>> In truth, though, it's probably all pointless. The government (anybody's
>> government) will soon ban computers that they can't control.
>
>I am fairly optimistic that this will not happen in Europe. I am not so
>sure about the US.

I don't much care about the world outside of the US, at least as far as 
living goes. (It's impractical to move somewhere where I don't understand 
the language, and all English-speaking countries are as bad or worse than 
the US.)

                                    Randy.

* Re: library/binding for sftp?
  2013-08-20 20:59                                       ` Randy Brukardt
@ 2013-08-21  7:27                                         ` Stefan.Lucks
  2013-08-21 16:46                                           ` Alan Jump
  2013-08-26 21:21                                           ` Randy Brukardt
  0 siblings, 2 replies; 39+ messages in thread
From: Stefan.Lucks @ 2013-08-21  7:27 UTC (permalink / raw)


On Tue, 20 Aug 2013, Randy Brukardt wrote:

>> Randy, please check your logic. The sentence in question was
>>   "unfocused surveillance which works only with known protocols".
>> This is logically equivalent to
>>   "unfocused surveillance does not work if at least one protocol is
>>    unknown."
>
> I don't see this at all. There is nothing in the original sentence which
> implies exclusivity.

My reading of the original sentence is different from yours. Especially 
when I take the original question about sftp into context. But we can 
agree to disagree on this point.

BTW, the Dewar rule makes sense for the Ada standards -- or other 
standards as well -- but applying it to usenet postings is a stretch. ;-)

> And I claim it is irrelevant. The use of the public internet is never very
> secure and you can be certain that at least basic behavior is monitored.

Whatever you mean by "basic behaviour": You *can* communicate securely 
over the internet, for some very reasonable notions of "secure". But 
firstly, there is no "absolute security", and secondly, you pay a price. 
Often, the price is inconvenience. In any case, your "we are all doomed" 
attitude is too pessimistic.

> I don't much care about the world outside of the US, at least as far as
> living goes. (It's impractical to move somewhere where I don't understand
> the language, and all English-speaking countries are as bad or worse than
> the US.)

What about Ireland?

Also, the Republic of Malta might be an option for you (yes, they actually 
speak English there), and, in a few years, Scotland could become 
independent as well.

But hey, it is not so bad in the US! You have a secret court that secretly 
decides that it is secretly OK to secretly spy on you. So everything is 
secretly legal, isn't it? (Well, this has become off topic for c.l.a, but 
I just couldn't resist.)

------  I  love  the  taste  of  Cryptanalysis  in  the morning!  ------
     <http://www.uni-weimar.de/cms/medien/mediensicherheit/home.html>
--Stefan.Lucks (at) uni-weimar.de, Bauhaus-Universität Weimar, Germany--

* Re: library/binding for sftp?
  2013-08-21  7:27                                         ` Stefan.Lucks
@ 2013-08-21 16:46                                           ` Alan Jump
  2013-08-22  5:53                                             ` Per Sandberg
  2013-08-26 21:21                                           ` Randy Brukardt
  1 sibling, 1 reply; 39+ messages in thread
From: Alan Jump @ 2013-08-21 16:46 UTC (permalink / raw)


On Wednesday, August 21, 2013 12:27:30 AM UTC-7, Stefan...@uni-weimar.de wrote:
> On Tue, 20 Aug 2013, Randy Brukardt wrote:
> 
[snip] 
> 
> ------  I  love  the  taste  of  Cryptanalysis  in  the morning!  ------

One final thought which goes directly back to the OP's questions.

I'd love to see an Ada binding for SFTP or a similar relatively-secure transfer protocol released to an open-source repository. It would certainly relieve in-house developers from having to come up with their own implementations, and by placing such in an open-source repository, it would invite inspection from outside which may reveal dangerous flaws prior to widespread deployment.

Even though data transfers may be monitored, and with sufficient effort the contents of the packets extracted, there's absolutely nothing that says one can't implement one or more additional encryption layers prior to transmission. Think "belt and suspenders". Or, in a more relevant comparison, encrypting an email using GPG, Enigma, one-time pad, or whatever, then sending it via an encrypted VPN tunnel.

Just my 2p worth. Save up the change for a pint.

- -
73 de N5ILN
Alan


^ permalink raw reply	[flat|nested] 39+ messages in thread
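The "relatively-secure" part of SFTP-over-SSH hinges on one step that libssh2 leaves entirely to the caller: checking the server's host key before any credential is sent. Without that check an active attacker on the path simply presents his own key and the encrypted tunnel terminates at him. The following is an added example, not code from this thread or from the libssh2 project: a GNAT program that opens a TCP connection, runs the SSH handshake through a hand-written minimal Ada binding (the names, constants and signatures are those of libssh2.h, the same ones that appear in the libssh2_h.ads Per attaches in his reply), and disconnects unless the SHA-1 host-key fingerprint matches a pinned value. The host name, the pinned fingerprint (an all-zero placeholder here), the exception type and the linker option are assumptions of the example.

```ada
with Ada.Text_IO;          use Ada.Text_IO;
with Ada.Exceptions;
with Interfaces;           use Interfaces;
with Interfaces.C;         use Interfaces.C;
with Interfaces.C.Strings; use Interfaces.C.Strings;
with System;               use System;
with GNAT.Sockets;         use GNAT.Sockets;

procedure Ssh_Pinned_Connect is

   pragma Linker_Options ("-lssh2");   --  assumption: libssh2 is installed

   --  libssh2_hostkey_hash returns a pointer to 20 raw bytes for SHA-1.
   --  It is NOT a NUL-terminated string, so chars_ptr.Value must not be used.
   type SHA1_Digest is array (1 .. 20) of Unsigned_8;
   pragma Convention (C, SHA1_Digest);
   type SHA1_Digest_Ptr is access all SHA1_Digest;
   pragma Convention (C, SHA1_Digest_Ptr);

   --  Thin imports; names and constants are those of libssh2.h.
   function libssh2_init (Flags : int) return int;
   pragma Import (C, libssh2_init, "libssh2_init");
   procedure libssh2_exit;
   pragma Import (C, libssh2_exit, "libssh2_exit");
   function libssh2_session_init_ex
     (My_Alloc, My_Free, My_Realloc, C_Abstract : Address) return Address;
   pragma Import (C, libssh2_session_init_ex, "libssh2_session_init_ex");
   function libssh2_session_startup (Session : Address; Sock : int) return int;
   pragma Import (C, libssh2_session_startup, "libssh2_session_startup");
   function libssh2_hostkey_hash
     (Session : Address; Hash_Type : int) return SHA1_Digest_Ptr;
   pragma Import (C, libssh2_hostkey_hash, "libssh2_hostkey_hash");
   function libssh2_session_disconnect_ex
     (Session : Address; Reason : int; Description, Lang : chars_ptr) return int;
   pragma Import (C, libssh2_session_disconnect_ex, "libssh2_session_disconnect_ex");
   function libssh2_session_free (Session : Address) return int;
   pragma Import (C, libssh2_session_free, "libssh2_session_free");

   LIBSSH2_HOSTKEY_HASH_SHA1              : constant := 2;
   SSH_DISCONNECT_HOST_KEY_NOT_VERIFIABLE : constant := 9;
   SSH_DISCONNECT_BY_APPLICATION          : constant := 11;

   Session_Error : exception;   --  assumption: example's own error type

   --  Render a digest as colon-separated hex, the way ssh clients print it.
   function To_Hex (D : SHA1_Digest) return String is
      Digits_Hex : constant String := "0123456789abcdef";
      Result     : String (1 .. 3 * D'Length - 1) := (others => ':');
      Pos        : Positive := 1;
   begin
      for I in D'Range loop
         Result (Pos)     := Digits_Hex (Natural (D (I) / 16) + 1);
         Result (Pos + 1) := Digits_Hex (Natural (D (I) mod 16) + 1);
         Pos := Pos + 3;
      end loop;
      return Result;
   end To_Hex;

   --  Assumed target and pinned fingerprint.  The all-zero digest is a
   --  placeholder; replace it with the fingerprint obtained out of band
   --  (e.g. read off the server's own console), never from the network.
   Host     : constant String      := "sftp.example.net";
   Expected : constant SHA1_Digest := (others => 0);

   Sock    : Socket_Type;
   Peer    : Sock_Addr_Type;
   Session : Address;
   Got     : SHA1_Digest_Ptr;
   Rc      : int;
   Reason  : int      := SSH_DISCONNECT_BY_APPLICATION;
   Msg     : chars_ptr := New_String ("closing");
   Lang    : chars_ptr := New_String ("");
begin
   if libssh2_init (0) /= 0 then
      raise Session_Error with "libssh2_init failed";
   end if;

   --  Plain TCP connection; libssh2 drives the descriptor from here on.
   Create_Socket (Sock);
   Peer.Addr := Addresses (Get_Host_By_Name (Host), 1);
   Peer.Port := 22;
   Connect_Socket (Sock, Peer);

   Session := libssh2_session_init_ex
     (Null_Address, Null_Address, Null_Address, Null_Address);
   if Session = Null_Address then
      raise Session_Error with "libssh2_session_init failed";
   end if;

   Rc := libssh2_session_startup (Session, int (To_C (Sock)));
   if Rc /= 0 then
      raise Session_Error with "SSH handshake failed, rc=" & int'Image (Rc);
   end if;

   --  The security check: compare the server's host-key fingerprint with the
   --  pinned value BEFORE any libssh2_userauth_* call.  libssh2 never does
   --  this on its own; skipping it hands the session to a man-in-the-middle.
   Got := libssh2_hostkey_hash (Session, LIBSSH2_HOSTKEY_HASH_SHA1);
   if Got = null or else Got.all /= Expected then
      if Got /= null then
         Put_Line ("host key MISMATCH for " & Host & ": " & To_Hex (Got.all));
      end if;
      Reason := SSH_DISCONNECT_HOST_KEY_NOT_VERIFIABLE;
      Interfaces.C.Strings.Free (Msg);
      Msg := New_String ("host key not verifiable");
   else
      Put_Line ("host key OK for " & Host & ": " & To_Hex (Got.all));
      --  Only now is it safe to authenticate and open the "sftp" subsystem.
   end if;

   Rc := libssh2_session_disconnect_ex (Session, Reason, Msg, Lang);
   Rc := libssh2_session_free (Session);
   Interfaces.C.Strings.Free (Msg);
   Interfaces.C.Strings.Free (Lang);
   Close_Socket (Sock);
   libssh2_exit;
exception
   when E : others =>
      Put_Line ("error: " & Ada.Exceptions.Exception_Message (E));
end Ssh_Pinned_Connect;
```

Two design notes. First, the fingerprint is not a secret, so an ordinary array comparison is fine here; what matters is that the decision is taken before authentication, and that a failed check ends the session with SSH_DISCONNECT_HOST_KEY_NOT_VERIFIABLE rather than logging and continuing. Second, the libssh2 release in Per's dump offers only MD5 and SHA-1 fingerprints; SHA-1 is the one to pin (MD5 collisions are cheap), and the stronger option is to compare the full key bytes returned by libssh2_session_hostkey against a known_hosts entry through the knownhost API that the same header declares.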

* Re: library/binding for sftp?
  2013-08-21 16:46                                           ` Alan Jump
@ 2013-08-22  5:53                                             ` Per Sandberg
  0 siblings, 0 replies; 39+ messages in thread
From: Per Sandberg @ 2013-08-22  5:53 UTC (permalink / raw)


[-- Attachment #1: Type: text/plain, Size: 1389 bytes --]


gcc -fdump-ada-spec =>

It requires a wrapper to be Ada not C written in Ada but anyway.

/Per

On Wed, 21 Aug 2013 09:46:55 -0700 (PDT)
Alan Jump <alan.jump@gmail.com> wrote:

> On Wednesday, August 21, 2013 12:27:30 AM UTC-7,
> Stefan...@uni-weimar.de wrote:
> > On Tue, 20 Aug 2013, Randy Brukardt wrote:
> > 
> [snip] 
> > 
> > ------  I  love  the  taste  of  Cryptanalysis  in  the morning!
> > ------
> 
> One final thought which goes directly back to the OP's questions.
> 
> I'd love to see an Ada binding for SFTP or a similar
> relatively-secure transfer protocol released to an open-source
> repository. It would certainly relieve in-house developers from
> having to come up with their own implementations, and by placing such
> in an open-source repository, it would invite inspection from outside
> which may reveal dangerous flaws prior to widespread deployment.
> 
> Even though data transfers may be monitored, and with sufficient
> effort the contents of the packets extracted, there's absolutely
> nothing that says one can't implement one or more additional
> encryption layers prior to transmission. Think "belt and suspenders".
> Or, in a more relevant comparison, encrypting an email using GPG,
> Enigma, one-time pad, or whatever, then sending it via an encrypted
> VPN tunnel.
> 
> Just my 2p worth. Save up the change for a pint.
> 
> - -
> 73 de N5ILN
> Alan


[-- Attachment #2: libssh2_h.ads --]
[-- Type: text/x-adasrc, Size: 47013 bytes --]

pragma Ada_2005;
pragma Style_Checks (Off);

with Interfaces.C; use Interfaces.C;
with Interfaces.C.Extensions;
with Interfaces.C.Strings;
with System;

package libssh2_h is
   package time_h is

      subtype clock_t is long;  -- time.h:60

      subtype time_t is long;  -- time.h:76

      subtype clockid_t is int;  -- time.h:92

      subtype timer_t is System.Address;  -- time.h:104

      type timespec is record
         tv_sec : aliased long;  -- time.h:122
         tv_nsec : aliased long;  -- time.h:123
      end record;
      pragma Convention (C_Pass_By_Copy, timespec);  -- time.h:120

   end time_h;


   package bits_stat_h is

      --  unsupported macro: st_atime st_atim.tv_sec
      --  unsupported macro: st_mtime st_mtim.tv_sec
      --  unsupported macro: st_ctime st_ctim.tv_sec

      UTIME_NOW : constant := ((2 ** 30) - 1);  --  bits/stat.h:209
      UTIME_OMIT : constant := ((2 ** 30) - 2);  --  bits/stat.h:210

      type stat_uu_unused_array is array (0 .. 2) of aliased long;
      type stat is record
         st_dev : aliased unsigned_long;  -- bits/stat.h:48
         st_ino : aliased unsigned_long;  -- bits/stat.h:53
         st_nlink : aliased unsigned_long;  -- bits/stat.h:61
         st_mode : aliased unsigned;  -- bits/stat.h:62
         st_uid : aliased unsigned;  -- bits/stat.h:64
         st_gid : aliased unsigned;  -- bits/stat.h:65
         uu_pad0 : aliased int;  -- bits/stat.h:67
         st_rdev : aliased unsigned_long;  -- bits/stat.h:69
         st_size : aliased long;  -- bits/stat.h:74
         st_blksize : aliased long;  -- bits/stat.h:78
         st_blocks : aliased long;  -- bits/stat.h:80
         st_atim : aliased time_h.timespec;  -- bits/stat.h:91
         st_mtim : aliased time_h.timespec;  -- bits/stat.h:92
         st_ctim : aliased time_h.timespec;  -- bits/stat.h:93
         uu_unused : aliased stat_uu_unused_array;  -- bits/stat.h:106
      end record;
      pragma Convention (C_Pass_By_Copy, stat);  -- bits/stat.h:46

      type stat64_uu_unused_array is array (0 .. 2) of aliased long;
      type stat64 is record
         st_dev : aliased unsigned_long;  -- bits/stat.h:121
         st_ino : aliased unsigned_long;  -- bits/stat.h:123
         st_nlink : aliased unsigned_long;  -- bits/stat.h:124
         st_mode : aliased unsigned;  -- bits/stat.h:125
         st_uid : aliased unsigned;  -- bits/stat.h:132
         st_gid : aliased unsigned;  -- bits/stat.h:133
         uu_pad0 : aliased int;  -- bits/stat.h:135
         st_rdev : aliased unsigned_long;  -- bits/stat.h:136
         st_size : aliased long;  -- bits/stat.h:137
         st_blksize : aliased long;  -- bits/stat.h:143
         st_blocks : aliased long;  -- bits/stat.h:144
         st_atim : aliased time_h.timespec;  -- bits/stat.h:152
         st_mtim : aliased time_h.timespec;  -- bits/stat.h:153
         st_ctim : aliased time_h.timespec;  -- bits/stat.h:154
         uu_unused : aliased stat64_uu_unused_array;  -- bits/stat.h:167
      end record;
      pragma Convention (C_Pass_By_Copy, stat64);  -- bits/stat.h:119

   end bits_stat_h;

   LIBSSH2_H : constant := 1;  --  libssh2.h:41

   LIBSSH2_COPYRIGHT : aliased constant String := "2004-2010 The libssh2 project and its contributors." & ASCII.NUL;  --  libssh2.h:43

   LIBSSH2_VERSION : aliased constant String := "1.2.7" & ASCII.NUL;  --  libssh2.h:49

   LIBSSH2_VERSION_MAJOR : constant := 1;  --  libssh2.h:53
   LIBSSH2_VERSION_MINOR : constant := 2;  --  libssh2.h:54
   LIBSSH2_VERSION_PATCH : constant := 7;  --  libssh2.h:55

   LIBSSH2_VERSION_NUM : constant := 16#010207#;  --  libssh2.h:72

   LIBSSH2_TIMESTAMP : aliased constant String := "Tue Aug 17 21:11:33 UTC 2010" & ASCII.NUL;  --  libssh2.h:83
   --  unsupported macro: LIBSSH2_SSH_BANNER "SSH-2.0-libssh2_" LIBSSH2_VERSION
   --  unsupported macro: LIBSSH2_SSH_DEFAULT_BANNER LIBSSH2_SSH_BANNER
   --  unsupported macro: LIBSSH2_SSH_DEFAULT_BANNER_WITH_CRLF LIBSSH2_SSH_DEFAULT_BANNER "\r\n"

   LIBSSH2_DH_GEX_MINGROUP : constant := 1024;  --  libssh2.h:142
   LIBSSH2_DH_GEX_OPTGROUP : constant := 1536;  --  libssh2.h:143
   LIBSSH2_DH_GEX_MAXGROUP : constant := 2048;  --  libssh2.h:144

   LIBSSH2_TERM_WIDTH : constant := 80;  --  libssh2.h:147
   LIBSSH2_TERM_HEIGHT : constant := 24;  --  libssh2.h:148
   LIBSSH2_TERM_WIDTH_PX : constant := 0;  --  libssh2.h:149
   LIBSSH2_TERM_HEIGHT_PX : constant := 0;  --  libssh2.h:150

   LIBSSH2_SOCKET_POLL_UDELAY : constant := 250000;  --  libssh2.h:153

   LIBSSH2_SOCKET_POLL_MAXLOOPS : constant := 120;  --  libssh2.h:155

   LIBSSH2_PACKET_MAXCOMP : constant := 32000;  --  libssh2.h:159

   LIBSSH2_PACKET_MAXDECOMP : constant := 40000;  --  libssh2.h:163

   LIBSSH2_PACKET_MAXPAYLOAD : constant := 40000;  --  libssh2.h:167
   --  arg-macro: procedure LIBSSH2_ALLOC_FUNC (name)
   --    void *name(size_t count, void **abstract)
   --  arg-macro: procedure LIBSSH2_REALLOC_FUNC (name)
   --    void *name(void *ptr, size_t count, void **abstract)
   --  arg-macro: procedure LIBSSH2_FREE_FUNC (name)
   --    void name(void *ptr, void **abstract)
   --  arg-macro: procedure LIBSSH2_USERAUTH_PUBLICKEY_SIGN_FUNC (name)
   --    int name(LIBSSH2_SESSION *session, unsigned char **sig, size_t *sig_len, const unsigned char *data, size_t data_len, void **abstract)
   --  arg-macro: procedure LIBSSH2_USERAUTH_KBDINT_RESPONSE_FUNC (name_)
   --    void name_(const char* name, int name_len, const char* instruction, int instruction_len, int num_prompts, const LIBSSH2_USERAUTH_KBDINT_PROMPT* prompts, LIBSSH2_USERAUTH_KBDINT_RESPONSE* responses, void **abstract)
   --  arg-macro: procedure LIBSSH2_IGNORE_FUNC (name)
   --    void name(LIBSSH2_SESSION *session, const char *message, int message_len, void **abstract)
   --  arg-macro: procedure LIBSSH2_DEBUG_FUNC (name)
   --    void name(LIBSSH2_SESSION *session, int always_display, const char *message, int message_len, const char *language, int language_len, void **abstract)
   --  arg-macro: procedure LIBSSH2_DISCONNECT_FUNC (name)
   --    void name(LIBSSH2_SESSION *session, int reason, const char *message, int message_len, const char *language, int language_len, void **abstract)
   --  arg-macro: procedure LIBSSH2_PASSWD_CHANGEREQ_FUNC (name)
   --    void name(LIBSSH2_SESSION *session, char **newpw, int *newpw_len, void **abstract)
   --  arg-macro: procedure LIBSSH2_MACERROR_FUNC (name)
   --    int name(LIBSSH2_SESSION *session, const char *packet, int packet_len, void **abstract)
   --  arg-macro: procedure LIBSSH2_X11_OPEN_FUNC (name)
   --    void name(LIBSSH2_SESSION *session, LIBSSH2_CHANNEL *channel, const char *shost, int sport, void **abstract)
   --  arg-macro: procedure LIBSSH2_CHANNEL_CLOSE_FUNC (name)
   --    void name(LIBSSH2_SESSION *session, void **session_abstract, LIBSSH2_CHANNEL *channel, void **channel_abstract)

   LIBSSH2_CALLBACK_IGNORE : constant := 0;  --  libssh2.h:232
   LIBSSH2_CALLBACK_DEBUG : constant := 1;  --  libssh2.h:233
   LIBSSH2_CALLBACK_DISCONNECT : constant := 2;  --  libssh2.h:234
   LIBSSH2_CALLBACK_MACERROR : constant := 3;  --  libssh2.h:235
   LIBSSH2_CALLBACK_X11 : constant := 4;  --  libssh2.h:236

   LIBSSH2_METHOD_KEX : constant := 0;  --  libssh2.h:239
   LIBSSH2_METHOD_HOSTKEY : constant := 1;  --  libssh2.h:240
   LIBSSH2_METHOD_CRYPT_CS : constant := 2;  --  libssh2.h:241
   LIBSSH2_METHOD_CRYPT_SC : constant := 3;  --  libssh2.h:242
   LIBSSH2_METHOD_MAC_CS : constant := 4;  --  libssh2.h:243
   LIBSSH2_METHOD_MAC_SC : constant := 5;  --  libssh2.h:244
   LIBSSH2_METHOD_COMP_CS : constant := 6;  --  libssh2.h:245
   LIBSSH2_METHOD_COMP_SC : constant := 7;  --  libssh2.h:246
   LIBSSH2_METHOD_LANG_CS : constant := 8;  --  libssh2.h:247
   LIBSSH2_METHOD_LANG_SC : constant := 9;  --  libssh2.h:248

   LIBSSH2_FLAG_SIGPIPE : constant := 16#00000001#;  --  libssh2.h:251

   LIBSSH2_POLLFD_SOCKET : constant := 1;  --  libssh2.h:274
   LIBSSH2_POLLFD_CHANNEL : constant := 2;  --  libssh2.h:275
   LIBSSH2_POLLFD_LISTENER : constant := 3;  --  libssh2.h:276

   LIBSSH2_POLLFD_POLLIN : constant := 16#0001#;  --  libssh2.h:281

   LIBSSH2_POLLFD_POLLPRI : constant := 16#0002#;  --  libssh2.h:284

   LIBSSH2_POLLFD_POLLEXT : constant := 16#0002#;  --  libssh2.h:286

   LIBSSH2_POLLFD_POLLOUT : constant := 16#0004#;  --  libssh2.h:288

   LIBSSH2_POLLFD_POLLERR : constant := 16#0008#;  --  libssh2.h:291
   LIBSSH2_POLLFD_POLLHUP : constant := 16#0010#;  --  libssh2.h:292
   LIBSSH2_POLLFD_SESSION_CLOSED : constant := 16#0010#;  --  libssh2.h:293
   LIBSSH2_POLLFD_POLLNVAL : constant := 16#0020#;  --  libssh2.h:294

   LIBSSH2_POLLFD_POLLEX : constant := 16#0040#;  --  libssh2.h:296

   LIBSSH2_POLLFD_CHANNEL_CLOSED : constant := 16#0080#;  --  libssh2.h:298
   LIBSSH2_POLLFD_LISTENER_CLOSED : constant := 16#0080#;  --  libssh2.h:299

   LIBSSH2_SESSION_BLOCK_INBOUND : constant := 16#0001#;  --  libssh2.h:303
   LIBSSH2_SESSION_BLOCK_OUTBOUND : constant := 16#0002#;  --  libssh2.h:304

   LIBSSH2_HOSTKEY_HASH_MD5 : constant := 1;  --  libssh2.h:307
   LIBSSH2_HOSTKEY_HASH_SHA1 : constant := 2;  --  libssh2.h:308

   LIBSSH2_HOSTKEY_TYPE_UNKNOWN : constant := 0;  --  libssh2.h:311
   LIBSSH2_HOSTKEY_TYPE_RSA : constant := 1;  --  libssh2.h:312
   LIBSSH2_HOSTKEY_TYPE_DSS : constant := 2;  --  libssh2.h:313

   SSH_DISCONNECT_HOST_NOT_ALLOWED_TO_CONNECT : constant := 1;  --  libssh2.h:316
   SSH_DISCONNECT_PROTOCOL_ERROR : constant := 2;  --  libssh2.h:317
   SSH_DISCONNECT_KEY_EXCHANGE_FAILED : constant := 3;  --  libssh2.h:318
   SSH_DISCONNECT_RESERVED : constant := 4;  --  libssh2.h:319
   SSH_DISCONNECT_MAC_ERROR : constant := 5;  --  libssh2.h:320
   SSH_DISCONNECT_COMPRESSION_ERROR : constant := 6;  --  libssh2.h:321
   SSH_DISCONNECT_SERVICE_NOT_AVAILABLE : constant := 7;  --  libssh2.h:322
   SSH_DISCONNECT_PROTOCOL_VERSION_NOT_SUPPORTED : constant := 8;  --  libssh2.h:323
   SSH_DISCONNECT_HOST_KEY_NOT_VERIFIABLE : constant := 9;  --  libssh2.h:324
   SSH_DISCONNECT_CONNECTION_LOST : constant := 10;  --  libssh2.h:325
   SSH_DISCONNECT_BY_APPLICATION : constant := 11;  --  libssh2.h:326
   SSH_DISCONNECT_TOO_MANY_CONNECTIONS : constant := 12;  --  libssh2.h:327
   SSH_DISCONNECT_AUTH_CANCELLED_BY_USER : constant := 13;  --  libssh2.h:328
   SSH_DISCONNECT_NO_MORE_AUTH_METHODS_AVAILABLE : constant := 14;  --  libssh2.h:329
   SSH_DISCONNECT_ILLEGAL_USER_NAME : constant := 15;  --  libssh2.h:330

   LIBSSH2_ERROR_NONE : constant := 0;  --  libssh2.h:333
   LIBSSH2_ERROR_SOCKET_NONE : constant := -1;  --  libssh2.h:334
   LIBSSH2_ERROR_BANNER_NONE : constant := -2;  --  libssh2.h:335
   LIBSSH2_ERROR_BANNER_SEND : constant := -3;  --  libssh2.h:336
   LIBSSH2_ERROR_INVALID_MAC : constant := -4;  --  libssh2.h:337
   LIBSSH2_ERROR_KEX_FAILURE : constant := -5;  --  libssh2.h:338
   LIBSSH2_ERROR_ALLOC : constant := -6;  --  libssh2.h:339
   LIBSSH2_ERROR_SOCKET_SEND : constant := -7;  --  libssh2.h:340
   LIBSSH2_ERROR_KEY_EXCHANGE_FAILURE : constant := -8;  --  libssh2.h:341
   LIBSSH2_ERROR_TIMEOUT : constant := -9;  --  libssh2.h:342
   LIBSSH2_ERROR_HOSTKEY_INIT : constant := -10;  --  libssh2.h:343
   LIBSSH2_ERROR_HOSTKEY_SIGN : constant := -11;  --  libssh2.h:344
   LIBSSH2_ERROR_DECRYPT : constant := -12;  --  libssh2.h:345
   LIBSSH2_ERROR_SOCKET_DISCONNECT : constant := -13;  --  libssh2.h:346
   LIBSSH2_ERROR_PROTO : constant := -14;  --  libssh2.h:347
   LIBSSH2_ERROR_PASSWORD_EXPIRED : constant := -15;  --  libssh2.h:348
   LIBSSH2_ERROR_FILE : constant := -16;  --  libssh2.h:349
   LIBSSH2_ERROR_METHOD_NONE : constant := -17;  --  libssh2.h:350
   LIBSSH2_ERROR_AUTHENTICATION_FAILED : constant := -18;  --  libssh2.h:351
   --  unsupported macro: LIBSSH2_ERROR_PUBLICKEY_UNRECOGNIZED LIBSSH2_ERROR_AUTHENTICATION_FAILED

   LIBSSH2_ERROR_PUBLICKEY_UNVERIFIED : constant := -19;  --  libssh2.h:353
   LIBSSH2_ERROR_CHANNEL_OUTOFORDER : constant := -20;  --  libssh2.h:354
   LIBSSH2_ERROR_CHANNEL_FAILURE : constant := -21;  --  libssh2.h:355
   LIBSSH2_ERROR_CHANNEL_REQUEST_DENIED : constant := -22;  --  libssh2.h:356
   LIBSSH2_ERROR_CHANNEL_UNKNOWN : constant := -23;  --  libssh2.h:357
   LIBSSH2_ERROR_CHANNEL_WINDOW_EXCEEDED : constant := -24;  --  libssh2.h:358
   LIBSSH2_ERROR_CHANNEL_PACKET_EXCEEDED : constant := -25;  --  libssh2.h:359
   LIBSSH2_ERROR_CHANNEL_CLOSED : constant := -26;  --  libssh2.h:360
   LIBSSH2_ERROR_CHANNEL_EOF_SENT : constant := -27;  --  libssh2.h:361
   LIBSSH2_ERROR_SCP_PROTOCOL : constant := -28;  --  libssh2.h:362
   LIBSSH2_ERROR_ZLIB : constant := -29;  --  libssh2.h:363
   LIBSSH2_ERROR_SOCKET_TIMEOUT : constant := -30;  --  libssh2.h:364
   LIBSSH2_ERROR_SFTP_PROTOCOL : constant := -31;  --  libssh2.h:365
   LIBSSH2_ERROR_REQUEST_DENIED : constant := -32;  --  libssh2.h:366
   LIBSSH2_ERROR_METHOD_NOT_SUPPORTED : constant := -33;  --  libssh2.h:367
   LIBSSH2_ERROR_INVAL : constant := -34;  --  libssh2.h:368
   LIBSSH2_ERROR_INVALID_POLL_TYPE : constant := -35;  --  libssh2.h:369
   LIBSSH2_ERROR_PUBLICKEY_PROTOCOL : constant := -36;  --  libssh2.h:370
   LIBSSH2_ERROR_EAGAIN : constant := -37;  --  libssh2.h:371
   LIBSSH2_ERROR_BUFFER_TOO_SMALL : constant := -38;  --  libssh2.h:372
   LIBSSH2_ERROR_BAD_USE : constant := -39;  --  libssh2.h:373
   LIBSSH2_ERROR_COMPRESS : constant := -40;  --  libssh2.h:374
   LIBSSH2_ERROR_OUT_OF_BOUNDARY : constant := -41;  --  libssh2.h:375
   LIBSSH2_ERROR_AGENT_PROTOCOL : constant := -42;  --  libssh2.h:376

   LIBSSH2_INIT_NO_CRYPTO : constant := 16#0001#;  --  libssh2.h:379
   --  arg-macro: procedure libssh2_session_init ()
   --    libssh2_session_init_ex(NULL, NULL, NULL, NULL)
   --  arg-macro: procedure libssh2_session_disconnect (session, description)
   --    libssh2_session_disconnect_ex((session), SSH_DISCONNECT_BY_APPLICATION, (description), "")
   --  arg-macro: procedure libssh2_userauth_password (session, username, password)
   --    libssh2_userauth_password_ex((session), (username), strlen(username), (password), strlen(password), NULL)
   --  arg-macro: procedure libssh2_userauth_publickey_fromfile (session, username, publickey, privatekey, passphrase)
   --    libssh2_userauth_publickey_fromfile_ex((session), (username), strlen(username), (publickey), (privatekey), (passphrase))
   --  arg-macro: procedure libssh2_userauth_hostbased_fromfile (session, username, publickey, privatekey, passphrase, hostname)
   --    libssh2_userauth_hostbased_fromfile_ex((session), (username), strlen(username), (publickey), (privatekey), (passphrase), (hostname), strlen(hostname), (username), strlen(username))
   --  arg-macro: procedure libssh2_userauth_keyboard_interactive (session, username, response_callback)
   --    libssh2_userauth_keyboard_interactive_ex((session), (username), strlen(username), (response_callback))

   LIBSSH2_CHANNEL_WINDOW_DEFAULT : constant := 65536;  --  libssh2.h:529
   LIBSSH2_CHANNEL_PACKET_DEFAULT : constant := 32768;  --  libssh2.h:530
   LIBSSH2_CHANNEL_MINADJUST : constant := 1024;  --  libssh2.h:531

   LIBSSH2_CHANNEL_EXTENDED_DATA_NORMAL : constant := 0;  --  libssh2.h:534
   LIBSSH2_CHANNEL_EXTENDED_DATA_IGNORE : constant := 1;  --  libssh2.h:535
   LIBSSH2_CHANNEL_EXTENDED_DATA_MERGE : constant := 2;  --  libssh2.h:536

   SSH_EXTENDED_DATA_STDERR : constant := 1;  --  libssh2.h:538
   --  unsupported macro: LIBSSH2CHANNEL_EAGAIN LIBSSH2_ERROR_EAGAIN
   --  arg-macro: procedure libssh2_channel_open_session (session)
   --    libssh2_channel_open_ex((session), "session", sizeof("session") - 1, LIBSSH2_CHANNEL_WINDOW_DEFAULT, LIBSSH2_CHANNEL_PACKET_DEFAULT, NULL, 0)
   --  arg-macro: procedure libssh2_channel_direct_tcpip (session, host, port)
   --    libssh2_channel_direct_tcpip_ex((session), (host), (port), "127.0.0.1", 22)
   --  arg-macro: procedure libssh2_channel_forward_listen (session, port)
   --    libssh2_channel_forward_listen_ex((session), NULL, (port), NULL, 16)
   --  arg-macro: procedure libssh2_channel_setenv (channel, varname, value)
   --    libssh2_channel_setenv_ex((channel), (varname), strlen(varname), (value), strlen(value))
   --  arg-macro: procedure libssh2_channel_request_pty (channel, term)
   --    libssh2_channel_request_pty_ex((channel), (term), strlen(term), NULL, 0, LIBSSH2_TERM_WIDTH, LIBSSH2_TERM_HEIGHT, LIBSSH2_TERM_WIDTH_PX, LIBSSH2_TERM_HEIGHT_PX)
   --  arg-macro: procedure libssh2_channel_request_pty_size (channel, width, height)
   --    libssh2_channel_request_pty_size_ex( (channel), (width), (height), 0, 0)
   --  arg-macro: procedure libssh2_channel_x11_req (channel, screen_number)
   --    libssh2_channel_x11_req_ex((channel), 0, NULL, NULL, (screen_number))
   --  arg-macro: procedure libssh2_channel_shell (channel)
   --    libssh2_channel_process_startup((channel), "shell", sizeof("shell") - 1, NULL, 0)
   --  arg-macro: procedure libssh2_channel_exec (channel, command)
   --    libssh2_channel_process_startup((channel), "exec", sizeof("exec") - 1, (command), strlen(command))
   --  arg-macro: procedure libssh2_channel_subsystem (channel, subsystem)
   --    libssh2_channel_process_startup((channel), "subsystem", sizeof("subsystem") - 1, (subsystem), strlen(subsystem))
   --  arg-macro: procedure libssh2_channel_read (channel, buf, buflen)
   --    libssh2_channel_read_ex((channel), 0, (buf), (buflen))
   --  arg-macro: procedure libssh2_channel_read_stderr (channel, buf, buflen)
   --    libssh2_channel_read_ex((channel), SSH_EXTENDED_DATA_STDERR, (buf), (buflen))
   --  arg-macro: procedure libssh2_channel_window_read (channel)
   --    libssh2_channel_window_read_ex((channel), NULL, NULL)
   --  arg-macro: procedure libssh2_channel_write (channel, buf, buflen)
   --    libssh2_channel_write_ex((channel), 0, (buf), (buflen))
   --  arg-macro: procedure libssh2_channel_write_stderr (channel, buf, buflen)
   --    libssh2_channel_write_ex((channel), SSH_EXTENDED_DATA_STDERR, (buf), (buflen))
   --  arg-macro: procedure libssh2_channel_window_write (channel)
   --    libssh2_channel_window_write_ex((channel), NULL)
   --  arg-macro: procedure libssh2_channel_ignore_extended_data (channel, ignore)
   --    libssh2_channel_handle_extended_data((channel), (ignore) ? LIBSSH2_CHANNEL_EXTENDED_DATA_IGNORE : LIBSSH2_CHANNEL_EXTENDED_DATA_NORMAL )

   LIBSSH2_CHANNEL_FLUSH_EXTENDED_DATA : constant := -1;  --  libssh2.h:696
   LIBSSH2_CHANNEL_FLUSH_ALL : constant := -2;  --  libssh2.h:697
   --  arg-macro: procedure libssh2_channel_flush (channel)
   --    libssh2_channel_flush_ex((channel), 0)
   --  arg-macro: procedure libssh2_channel_flush_stderr (channel)
   --    libssh2_channel_flush_ex((channel), SSH_EXTENDED_DATA_STDERR)
   --  arg-macro: procedure libssh2_scp_send (session, path, mode, size)
   --    libssh2_scp_send_ex((session), (path), (mode), (size), 0, 0)

   HAVE_LIBSSH2_KNOWNHOST_API : constant := 16#010101#;  --  libssh2.h:733
   HAVE_LIBSSH2_VERSION_API : constant := 16#010100#;  --  libssh2.h:734

   LIBSSH2_KNOWNHOST_TYPE_MASK : constant := 16#ffff#;  --  libssh2.h:776
   LIBSSH2_KNOWNHOST_TYPE_PLAIN : constant := 1;  --  libssh2.h:777
   LIBSSH2_KNOWNHOST_TYPE_SHA1 : constant := 2;  --  libssh2.h:778
   LIBSSH2_KNOWNHOST_TYPE_CUSTOM : constant := 3;  --  libssh2.h:779
   --  unsupported macro: LIBSSH2_KNOWNHOST_KEYENC_MASK (3<<16)

   LIBSSH2_KNOWNHOST_KEYENC_RAW : constant := (2**16);  --  libssh2.h:783
   --  unsupported macro: LIBSSH2_KNOWNHOST_KEYENC_BASE64 (2<<16)
   --  unsupported macro: LIBSSH2_KNOWNHOST_KEY_MASK (3<<18)

   LIBSSH2_KNOWNHOST_KEY_SHIFT : constant := 18;  --  libssh2.h:788
   LIBSSH2_KNOWNHOST_KEY_RSA1 : constant := (2**18);  --  libssh2.h:789
   --  unsupported macro: LIBSSH2_KNOWNHOST_KEY_SSHRSA (2<<18)
   --  unsupported macro: LIBSSH2_KNOWNHOST_KEY_SSHDSS (3<<18)

   LIBSSH2_KNOWNHOST_CHECK_MATCH : constant := 0;  --  libssh2.h:854
   LIBSSH2_KNOWNHOST_CHECK_MISMATCH : constant := 1;  --  libssh2.h:855
   LIBSSH2_KNOWNHOST_CHECK_NOTFOUND : constant := 2;  --  libssh2.h:856
   LIBSSH2_KNOWNHOST_CHECK_FAILURE : constant := 3;  --  libssh2.h:857

   LIBSSH2_KNOWNHOST_FILE_OPENSSH : constant := 1;  --  libssh2.h:917

   HAVE_LIBSSH2_AGENT_API : constant := 16#010202#;  --  libssh2.h:972

   LIBSSH2_TRACE_TRANS : constant := (2**1);  --  libssh2.h:1093
   LIBSSH2_TRACE_KEX : constant := (2**2);  --  libssh2.h:1094
   LIBSSH2_TRACE_AUTH : constant := (2**3);  --  libssh2.h:1095
   LIBSSH2_TRACE_CONN : constant := (2**4);  --  libssh2.h:1096
   LIBSSH2_TRACE_SCP : constant := (2**5);  --  libssh2.h:1097
   LIBSSH2_TRACE_SFTP : constant := (2**6);  --  libssh2.h:1098
   LIBSSH2_TRACE_ERROR : constant := (2**7);  --  libssh2.h:1099
   LIBSSH2_TRACE_PUBLICKEY : constant := (2**8);  --  libssh2.h:1100
   LIBSSH2_TRACE_SOCKET : constant := (2**9);  --  libssh2.h:1101

   subtype libssh2_uint64_t is Extensions.unsigned_long_long;  -- libssh2.h:130

   subtype libssh2_int64_t is Long_Long_Integer;  -- libssh2.h:131

   type u_LIBSSH2_USERAUTH_KBDINT_PROMPT is record
      text : Interfaces.C.Strings.chars_ptr;  -- libssh2.h:177
      length : aliased unsigned;  -- libssh2.h:178
      echo : aliased unsigned_char;  -- libssh2.h:179
   end record;
   pragma Convention (C_Pass_By_Copy, u_LIBSSH2_USERAUTH_KBDINT_PROMPT);  -- libssh2.h:175

   subtype LIBSSH2_USERAUTH_KBDINT_PROMPT is u_LIBSSH2_USERAUTH_KBDINT_PROMPT;

   type u_LIBSSH2_USERAUTH_KBDINT_RESPONSE is record
      text : Interfaces.C.Strings.chars_ptr;  -- libssh2.h:184
      length : aliased unsigned;  -- libssh2.h:185
   end record;
   pragma Convention (C_Pass_By_Copy, u_LIBSSH2_USERAUTH_KBDINT_RESPONSE);  -- libssh2.h:182

   subtype LIBSSH2_USERAUTH_KBDINT_RESPONSE is u_LIBSSH2_USERAUTH_KBDINT_RESPONSE;

   --  skipped empty struct u_LIBSSH2_SESSION

   --  skipped empty struct LIBSSH2_SESSION

   --  skipped empty struct u_LIBSSH2_CHANNEL

   --  skipped empty struct LIBSSH2_CHANNEL

   --  skipped empty struct u_LIBSSH2_LISTENER

   --  skipped empty struct LIBSSH2_LISTENER

   --  skipped empty struct u_LIBSSH2_KNOWNHOSTS

   --  skipped empty struct LIBSSH2_KNOWNHOSTS

   --  skipped empty struct u_LIBSSH2_AGENT

   --  skipped empty struct LIBSSH2_AGENT

   type anon_14 (discr : unsigned := 0) is record
      case discr is
         when 0 =>
            socket : aliased int;  -- libssh2.h:263
         when 1 =>
            channel : System.Address;  -- libssh2.h:264
         when others =>
            listener : System.Address;  -- libssh2.h:265
      end case;
   end record;
   pragma Convention (C_Pass_By_Copy, anon_14);
   pragma Unchecked_Union (anon_14);
   type u_LIBSSH2_POLLFD is record
      c_type : aliased unsigned_char;  -- libssh2.h:260
      fd : anon_14;  -- libssh2.h:267
      events : aliased unsigned_long;  -- libssh2.h:269
      revents : aliased unsigned_long;  -- libssh2.h:270
   end record;
   pragma Convention (C_Pass_By_Copy, u_LIBSSH2_POLLFD);  -- libssh2.h:259

   subtype LIBSSH2_POLLFD is u_LIBSSH2_POLLFD;

   function libssh2_init (flags : int) return int;  -- libssh2.h:395
   pragma Import (C, libssh2_init, "libssh2_init");

   procedure libssh2_exit;  -- libssh2.h:402
   pragma Import (C, libssh2_exit, "libssh2_exit");

   function libssh2_session_init_ex
     (my_alloc : access function (arg1 : size_t; arg2 : System.Address) return System.Address;
      my_free : access procedure (arg1 : System.Address; arg2 : System.Address);
      my_realloc : access function
        (arg1 : System.Address;
         arg2 : size_t;
         arg3 : System.Address) return System.Address;
      c_abstract : System.Address) return System.Address;  -- libssh2.h:406
   pragma Import (C, libssh2_session_init_ex, "libssh2_session_init_ex");

   function libssh2_session_abstract (session : System.Address) return System.Address;  -- libssh2.h:411
   pragma Import (C, libssh2_session_abstract, "libssh2_session_abstract");

   function libssh2_session_callback_set
     (session : System.Address;
      cbtype : int;
      callback : System.Address) return System.Address;  -- libssh2.h:413
   pragma Import (C, libssh2_session_callback_set, "libssh2_session_callback_set");

   function libssh2_banner_set (session : System.Address; banner : Interfaces.C.Strings.chars_ptr) return int;  -- libssh2.h:415
   pragma Import (C, libssh2_banner_set, "libssh2_banner_set");

   function libssh2_session_startup (session : System.Address; sock : int) return int;  -- libssh2.h:418
   pragma Import (C, libssh2_session_startup, "libssh2_session_startup");

   function libssh2_session_disconnect_ex
     (session : System.Address;
      reason : int;
      description : Interfaces.C.Strings.chars_ptr;
      lang : Interfaces.C.Strings.chars_ptr) return int;  -- libssh2.h:419
   pragma Import (C, libssh2_session_disconnect_ex, "libssh2_session_disconnect_ex");

   function libssh2_session_free (session : System.Address) return int;  -- libssh2.h:427
   pragma Import (C, libssh2_session_free, "libssh2_session_free");

   function libssh2_hostkey_hash (session : System.Address; hash_type : int) return Interfaces.C.Strings.chars_ptr;  -- libssh2.h:429
   pragma Import (C, libssh2_hostkey_hash, "libssh2_hostkey_hash");

   function libssh2_session_hostkey
     (session : System.Address;
      len : access size_t;
      c_type : access int) return Interfaces.C.Strings.chars_ptr;  -- libssh2.h:432
   pragma Import (C, libssh2_session_hostkey, "libssh2_session_hostkey");

   function libssh2_session_method_pref
     (session : System.Address;
      method_type : int;
      prefs : Interfaces.C.Strings.chars_ptr) return int;  -- libssh2.h:435
   pragma Import (C, libssh2_session_method_pref, "libssh2_session_method_pref");

   function libssh2_session_methods (session : System.Address; method_type : int) return Interfaces.C.Strings.chars_ptr;  -- libssh2.h:438
   pragma Import (C, libssh2_session_methods, "libssh2_session_methods");

   function libssh2_session_last_error
     (session : System.Address;
      errmsg : System.Address;
      errmsg_len : access int;
      want_buf : int) return int;  -- libssh2.h:440
   pragma Import (C, libssh2_session_last_error, "libssh2_session_last_error");

   function libssh2_session_last_errno (session : System.Address) return int;  -- libssh2.h:443
   pragma Import (C, libssh2_session_last_errno, "libssh2_session_last_errno");

   function libssh2_session_block_directions (session : System.Address) return int;  -- libssh2.h:444
   pragma Import (C, libssh2_session_block_directions, "libssh2_session_block_directions");

   function libssh2_session_flag
     (session : System.Address;
      flag : int;
      value : int) return int;  -- libssh2.h:446
   pragma Import (C, libssh2_session_flag, "libssh2_session_flag");

   function libssh2_userauth_list
     (session : System.Address;
      username : Interfaces.C.Strings.chars_ptr;
      username_len : unsigned) return Interfaces.C.Strings.chars_ptr;  -- libssh2.h:450
   pragma Import (C, libssh2_userauth_list, "libssh2_userauth_list");

   function libssh2_userauth_authenticated (session : System.Address) return int;  -- libssh2.h:453
   pragma Import (C, libssh2_userauth_authenticated, "libssh2_userauth_authenticated");

   function libssh2_userauth_password_ex
     (session : System.Address;
      username : Interfaces.C.Strings.chars_ptr;
      username_len : unsigned;
      password : Interfaces.C.Strings.chars_ptr;
      password_len : unsigned;
      passwd_change_cb : access procedure
        (arg1 : System.Address;
         arg2 : System.Address;
         arg3 : access int;
         arg4 : System.Address)) return int;  -- libssh2.h:455
   pragma Import (C, libssh2_userauth_password_ex, "libssh2_userauth_password_ex");

   function libssh2_userauth_publickey_fromfile_ex
     (session : System.Address;
      username : Interfaces.C.Strings.chars_ptr;
      username_len : unsigned;
      publickey : Interfaces.C.Strings.chars_ptr;
      privatekey : Interfaces.C.Strings.chars_ptr;
      passphrase : Interfaces.C.Strings.chars_ptr) return int;  -- libssh2.h:467
   pragma Import (C, libssh2_userauth_publickey_fromfile_ex, "libssh2_userauth_publickey_fromfile_ex");

   function libssh2_userauth_publickey
     (session : System.Address;
      username : Interfaces.C.Strings.chars_ptr;
      pubkeydata : access unsigned_char;
      pubkeydata_len : size_t;
      sign_callback : access function
        (arg1 : System.Address;
         arg2 : System.Address;
         arg3 : access size_t;
         arg4 : access unsigned_char;
         arg5 : size_t;
         arg6 : System.Address) return int;
      c_abstract : System.Address) return int;  -- libssh2.h:481
   pragma Import (C, libssh2_userauth_publickey, "libssh2_userauth_publickey");

   function libssh2_userauth_hostbased_fromfile_ex
     (session : System.Address;
      username : Interfaces.C.Strings.chars_ptr;
      username_len : unsigned;
      publickey : Interfaces.C.Strings.chars_ptr;
      privatekey : Interfaces.C.Strings.chars_ptr;
      passphrase : Interfaces.C.Strings.chars_ptr;
      hostname : Interfaces.C.Strings.chars_ptr;
      hostname_len : unsigned;
      local_username : Interfaces.C.Strings.chars_ptr;
      local_username_len : unsigned) return int;  -- libssh2.h:489
   pragma Import (C, libssh2_userauth_hostbased_fromfile_ex, "libssh2_userauth_hostbased_fromfile_ex");

   function libssh2_userauth_keyboard_interactive_ex
     (session : System.Address;
      username : Interfaces.C.Strings.chars_ptr;
      username_len : unsigned;
      response_callback : access procedure
        (arg1 : Interfaces.C.Strings.chars_ptr;
         arg2 : int;
         arg3 : Interfaces.C.Strings.chars_ptr;
         arg4 : int;
         arg5 : int;
         arg6 : System.Address;
         arg7 : access LIBSSH2_USERAUTH_KBDINT_RESPONSE;
         arg8 : System.Address)) return int;  -- libssh2.h:515
   pragma Import (C, libssh2_userauth_keyboard_interactive_ex, "libssh2_userauth_keyboard_interactive_ex");

   function libssh2_poll
     (fds : access LIBSSH2_POLLFD;
      nfds : unsigned;
      timeout : long) return int;  -- libssh2.h:525
   pragma Import (C, libssh2_poll, "libssh2_poll");

   function libssh2_channel_open_ex
     (session : System.Address;
      channel_type : Interfaces.C.Strings.chars_ptr;
      channel_type_len : unsigned;
      window_size : unsigned;
      packet_size : unsigned;
      message : Interfaces.C.Strings.chars_ptr;
      message_len : unsigned) return System.Address;  -- libssh2.h:544
   pragma Import (C, libssh2_channel_open_ex, "libssh2_channel_open_ex");

   function libssh2_channel_direct_tcpip_ex
     (session : System.Address;
      host : Interfaces.C.Strings.chars_ptr;
      port : int;
      shost : Interfaces.C.Strings.chars_ptr;
      sport : int) return System.Address;  -- libssh2.h:555
   pragma Import (C, libssh2_channel_direct_tcpip_ex, "libssh2_channel_direct_tcpip_ex");

   function libssh2_channel_forward_listen_ex
     (session : System.Address;
      host : Interfaces.C.Strings.chars_ptr;
      port : int;
      bound_port : access int;
      queue_maxsize : int) return System.Address;  -- libssh2.h:561
   pragma Import (C, libssh2_channel_forward_listen_ex, "libssh2_channel_forward_listen_ex");

   function libssh2_channel_forward_cancel (listener : System.Address) return int;  -- libssh2.h:566
   pragma Import (C, libssh2_channel_forward_cancel, "libssh2_channel_forward_cancel");

   function libssh2_channel_forward_accept (listener : System.Address) return System.Address;  -- libssh2.h:569
   pragma Import (C, libssh2_channel_forward_accept, "libssh2_channel_forward_accept");

   function libssh2_channel_setenv_ex
     (channel : System.Address;
      varname : Interfaces.C.Strings.chars_ptr;
      varname_len : unsigned;
      value : Interfaces.C.Strings.chars_ptr;
      value_len : unsigned) return int;  -- libssh2.h:571
   pragma Import (C, libssh2_channel_setenv_ex, "libssh2_channel_setenv_ex");

   function libssh2_channel_request_pty_ex
     (channel : System.Address;
      term : Interfaces.C.Strings.chars_ptr;
      term_len : unsigned;
      modes : Interfaces.C.Strings.chars_ptr;
      modes_len : unsigned;
      width : int;
      height : int;
      width_px : int;
      height_px : int) return int;  -- libssh2.h:581
   pragma Import (C, libssh2_channel_request_pty_ex, "libssh2_channel_request_pty_ex");

   function libssh2_channel_request_pty_size_ex
     (channel : System.Address;
      width : int;
      height : int;
      width_px : int;
      height_px : int) return int;  -- libssh2.h:593
   pragma Import (C, libssh2_channel_request_pty_size_ex, "libssh2_channel_request_pty_size_ex");

   function libssh2_channel_x11_req_ex
     (channel : System.Address;
      single_connection : int;
      auth_proto : Interfaces.C.Strings.chars_ptr;
      auth_cookie : Interfaces.C.Strings.chars_ptr;
      screen_number : int) return int;  -- libssh2.h:600
   pragma Import (C, libssh2_channel_x11_req_ex, "libssh2_channel_x11_req_ex");

   function libssh2_channel_process_startup
     (channel : System.Address;
      request : Interfaces.C.Strings.chars_ptr;
      request_len : unsigned;
      message : Interfaces.C.Strings.chars_ptr;
      message_len : unsigned) return int;  -- libssh2.h:608
   pragma Import (C, libssh2_channel_process_startup, "libssh2_channel_process_startup");

   function libssh2_channel_read_ex
     (channel : System.Address;
      stream_id : int;
      buf : Interfaces.C.Strings.chars_ptr;
      buflen : size_t) return long;  -- libssh2.h:624
   pragma Import (C, libssh2_channel_read_ex, "libssh2_channel_read_ex");

   function libssh2_poll_channel_read (channel : System.Address; extended : int) return int;  -- libssh2.h:632
   pragma Import (C, libssh2_poll_channel_read, "libssh2_poll_channel_read");

   function libssh2_channel_window_read_ex
     (channel : System.Address;
      read_avail : access unsigned_long;
      window_size_initial : access unsigned_long) return unsigned_long;  -- libssh2.h:636
   pragma Import (C, libssh2_channel_window_read_ex, "libssh2_channel_window_read_ex");

   function libssh2_channel_receive_window_adjust
     (channel : System.Address;
      adjustment : unsigned_long;
      force : unsigned_char) return unsigned_long;  -- libssh2.h:644
   pragma Import (C, libssh2_channel_receive_window_adjust, "libssh2_channel_receive_window_adjust");

   function libssh2_channel_receive_window_adjust2
     (channel : System.Address;
      adjustment : unsigned_long;
      force : unsigned_char;
      storewindow : access unsigned) return int;  -- libssh2.h:649
   pragma Import (C, libssh2_channel_receive_window_adjust2, "libssh2_channel_receive_window_adjust2");

   function libssh2_channel_write_ex
     (channel : System.Address;
      stream_id : int;
      buf : Interfaces.C.Strings.chars_ptr;
      buflen : size_t) return long;  -- libssh2.h:654
   pragma Import (C, libssh2_channel_write_ex, "libssh2_channel_write_ex");

   function libssh2_channel_window_write_ex (channel : System.Address; window_size_initial : access unsigned_long) return unsigned_long;  -- libssh2.h:664
   pragma Import (C, libssh2_channel_window_write_ex, "libssh2_channel_window_write_ex");

   procedure libssh2_session_set_blocking (session : System.Address; blocking : int);  -- libssh2.h:669
   pragma Import (C, libssh2_session_set_blocking, "libssh2_session_set_blocking");

   function libssh2_session_get_blocking (session : System.Address) return int;  -- libssh2.h:671
   pragma Import (C, libssh2_session_get_blocking, "libssh2_session_get_blocking");

   procedure libssh2_channel_set_blocking (channel : System.Address; blocking : int);  -- libssh2.h:673
   pragma Import (C, libssh2_channel_set_blocking, "libssh2_channel_set_blocking");

   procedure libssh2_channel_handle_extended_data (channel : System.Address; ignore_mode : int);  -- libssh2.h:677
   pragma Import (C, libssh2_channel_handle_extended_data, "libssh2_channel_handle_extended_data");

   function libssh2_channel_handle_extended_data2 (channel : System.Address; ignore_mode : int) return int;  -- libssh2.h:679
   pragma Import (C, libssh2_channel_handle_extended_data2, "libssh2_channel_handle_extended_data2");

   function libssh2_channel_flush_ex (channel : System.Address; streamid : int) return int;  -- libssh2.h:698
   pragma Import (C, libssh2_channel_flush_ex, "libssh2_channel_flush_ex");

   function libssh2_channel_get_exit_status (channel : System.Address) return int;  -- libssh2.h:704
   pragma Import (C, libssh2_channel_get_exit_status, "libssh2_channel_get_exit_status");

   function libssh2_channel_send_eof (channel : System.Address) return int;  -- libssh2.h:705
   pragma Import (C, libssh2_channel_send_eof, "libssh2_channel_send_eof");

   function libssh2_channel_eof (channel : System.Address) return int;  -- libssh2.h:706
   pragma Import (C, libssh2_channel_eof, "libssh2_channel_eof");

   function libssh2_channel_wait_eof (channel : System.Address) return int;  -- libssh2.h:707
   pragma Import (C, libssh2_channel_wait_eof, "libssh2_channel_wait_eof");

   function libssh2_channel_close (channel : System.Address) return int;  -- libssh2.h:708
   pragma Import (C, libssh2_channel_close, "libssh2_channel_close");

   function libssh2_channel_wait_closed (channel : System.Address) return int;  -- libssh2.h:709
   pragma Import (C, libssh2_channel_wait_closed, "libssh2_channel_wait_closed");

   function libssh2_channel_free (channel : System.Address) return int;  -- libssh2.h:710
   pragma Import (C, libssh2_channel_free, "libssh2_channel_free");

   function libssh2_scp_recv
     (session : System.Address;
      path : Interfaces.C.Strings.chars_ptr;
      sb : access bits_stat_h.stat) return System.Address;  -- libssh2.h:712
   pragma Import (C, libssh2_scp_recv, "libssh2_scp_recv");

   function libssh2_scp_send_ex
     (session : System.Address;
      path : Interfaces.C.Strings.chars_ptr;
      mode : int;
      size : size_t;
      mtime : long;
      atime : long) return System.Address;  -- libssh2.h:715
   pragma Import (C, libssh2_scp_send_ex, "libssh2_scp_send_ex");

   function libssh2_scp_send64
     (session : System.Address;
      path : Interfaces.C.Strings.chars_ptr;
      mode : int;
      size : libssh2_int64_t;
      mtime : time_h.time_t;
      atime : time_h.time_t) return System.Address;  -- libssh2.h:720
   pragma Import (C, libssh2_scp_send64, "libssh2_scp_send64");

   function libssh2_base64_decode
     (session : System.Address;
      dest : System.Address;
      dest_len : access unsigned;
      src : Interfaces.C.Strings.chars_ptr;
      src_len : unsigned) return int;  -- libssh2.h:726
   pragma Import (C, libssh2_base64_decode, "libssh2_base64_decode");

   function get_libssh2_version (req_version_num : int) return Interfaces.C.Strings.chars_ptr;  -- libssh2.h:731
   pragma Import (C, get_libssh2_version, "libssh2_version");

   type libssh2_knownhost is record
      magic : aliased unsigned;  -- libssh2.h:737
      node : System.Address;  -- libssh2.h:738
      name : Interfaces.C.Strings.chars_ptr;  -- libssh2.h:739
      key : Interfaces.C.Strings.chars_ptr;  -- libssh2.h:740
      typemask : aliased int;  -- libssh2.h:741
   end record;
   pragma Convention (C_Pass_By_Copy, libssh2_knownhost);  -- libssh2.h:736

   function libssh2_knownhost_init (session : System.Address) return System.Address;  -- libssh2.h:751
   pragma Import (C, libssh2_knownhost_init, "libssh2_knownhost_init");

   function libssh2_knownhost_add
     (hosts : System.Address;
      host : Interfaces.C.Strings.chars_ptr;
      salt : Interfaces.C.Strings.chars_ptr;
      key : Interfaces.C.Strings.chars_ptr;
      keylen : size_t;
      typemask : int;
      store : System.Address) return int;  -- libssh2.h:794
   pragma Import (C, libssh2_knownhost_add, "libssh2_knownhost_add");

   function libssh2_knownhost_addc
     (hosts : System.Address;
      host : Interfaces.C.Strings.chars_ptr;
      salt : Interfaces.C.Strings.chars_ptr;
      key : Interfaces.C.Strings.chars_ptr;
      keylen : size_t;
      comment : Interfaces.C.Strings.chars_ptr;
      commentlen : size_t;
      typemask : int;
      store : System.Address) return int;  -- libssh2.h:828
   pragma Import (C, libssh2_knownhost_addc, "libssh2_knownhost_addc");

   function libssh2_knownhost_check
     (hosts : System.Address;
      host : Interfaces.C.Strings.chars_ptr;
      key : Interfaces.C.Strings.chars_ptr;
      keylen : size_t;
      typemask : int;
      knownhost : System.Address) return int;  -- libssh2.h:860
   pragma Import (C, libssh2_knownhost_check, "libssh2_knownhost_check");

   function libssh2_knownhost_checkp
     (hosts : System.Address;
      host : Interfaces.C.Strings.chars_ptr;
      port : int;
      key : Interfaces.C.Strings.chars_ptr;
      keylen : size_t;
      typemask : int;
      knownhost : System.Address) return int;  -- libssh2.h:868
   pragma Import (C, libssh2_knownhost_checkp, "libssh2_knownhost_checkp");

   function libssh2_knownhost_del (hosts : System.Address; c_entry : access libssh2_knownhost) return int;  -- libssh2.h:882
   pragma Import (C, libssh2_knownhost_del, "libssh2_knownhost_del");

   procedure libssh2_knownhost_free (hosts : System.Address);  -- libssh2.h:892
   pragma Import (C, libssh2_knownhost_free, "libssh2_knownhost_free");

   function libssh2_knownhost_readline
     (hosts : System.Address;
      line : Interfaces.C.Strings.chars_ptr;
      len : size_t;
      c_type : int) return int;  -- libssh2.h:903
   pragma Import (C, libssh2_knownhost_readline, "libssh2_knownhost_readline");

   function libssh2_knownhost_readfile
     (hosts : System.Address;
      filename : Interfaces.C.Strings.chars_ptr;
      c_type : int) return int;  -- libssh2.h:920
   pragma Import (C, libssh2_knownhost_readfile, "libssh2_knownhost_readfile");

   function libssh2_knownhost_writeline
     (hosts : System.Address;
      known : access libssh2_knownhost;
      buffer : Interfaces.C.Strings.chars_ptr;
      buflen : size_t;
      outlen : access size_t;
      c_type : int) return int;  -- libssh2.h:936
   pragma Import (C, libssh2_knownhost_writeline, "libssh2_knownhost_writeline");

   function libssh2_knownhost_writefile
     (hosts : System.Address;
      filename : Interfaces.C.Strings.chars_ptr;
      c_type : int) return int;  -- libssh2.h:952
   pragma Import (C, libssh2_knownhost_writefile, "libssh2_knownhost_writefile");

   function libssh2_knownhost_get
     (hosts : System.Address;
      store : System.Address;
      prev : access libssh2_knownhost) return int;  -- libssh2.h:968
   pragma Import (C, libssh2_knownhost_get, "libssh2_knownhost_get");

   type libssh2_agent_publickey is record
      magic : aliased unsigned;  -- libssh2.h:975
      node : System.Address;  -- libssh2.h:976
      blob : access unsigned_char;  -- libssh2.h:977
      blob_len : aliased size_t;  -- libssh2.h:978
      comment : Interfaces.C.Strings.chars_ptr;  -- libssh2.h:979
   end record;
   pragma Convention (C_Pass_By_Copy, libssh2_agent_publickey);  -- libssh2.h:974

   function libssh2_agent_init (session : System.Address) return System.Address;  -- libssh2.h:989
   pragma Import (C, libssh2_agent_init, "libssh2_agent_init");

   function libssh2_agent_connect (agent : System.Address) return int;  -- libssh2.h:999
   pragma Import (C, libssh2_agent_connect, "libssh2_agent_connect");

   function libssh2_agent_list_identities (agent : System.Address) return int;  -- libssh2.h:1009
   pragma Import (C, libssh2_agent_list_identities, "libssh2_agent_list_identities");

   function libssh2_agent_get_identity
     (agent : System.Address;
      store : System.Address;
      prev : access libssh2_agent_publickey) return int;  -- libssh2.h:1024
   pragma Import (C, libssh2_agent_get_identity, "libssh2_agent_get_identity");

   function libssh2_agent_userauth
     (agent : System.Address;
      username : Interfaces.C.Strings.chars_ptr;
      identity : access libssh2_agent_publickey) return int;  -- libssh2.h:1036
   pragma Import (C, libssh2_agent_userauth, "libssh2_agent_userauth");

   function libssh2_agent_disconnect (agent : System.Address) return int;  -- libssh2.h:1048
   pragma Import (C, libssh2_agent_disconnect, "libssh2_agent_disconnect");

   procedure libssh2_agent_free (agent : System.Address);  -- libssh2.h:1057
   pragma Import (C, libssh2_agent_free, "libssh2_agent_free");

   procedure libssh2_keepalive_config
     (session : System.Address;
      want_reply : int;
      interval : unsigned);  -- libssh2.h:1073
   pragma Import (C, libssh2_keepalive_config, "libssh2_keepalive_config");

   function libssh2_keepalive_send (session : System.Address; seconds_to_next : access int) return int;  -- libssh2.h:1085
   pragma Import (C, libssh2_keepalive_send, "libssh2_keepalive_send");

   function libssh2_trace (session : System.Address; bitmask : int) return int;  -- libssh2.h:1092
   pragma Import (C, libssh2_trace, "libssh2_trace");

   type libssh2_trace_handler_func is access procedure
     (arg1 : System.Address;
      arg2 : System.Address;
      arg3 : Interfaces.C.Strings.chars_ptr;
      arg4 : size_t);
   pragma Convention (C, libssh2_trace_handler_func);  -- libssh2.h:1103

   function libssh2_trace_sethandler
     (session : System.Address;
      context : System.Address;
      callback : libssh2_trace_handler_func) return int;  -- libssh2.h:1107
   pragma Import (C, libssh2_trace_sethandler, "libssh2_trace_sethandler");

end libssh2_h;


* Re: library/binding for sftp?
  2013-08-20  8:14                                     ` Stefan.Lucks
  2013-08-20 20:59                                       ` Randy Brukardt
@ 2013-08-24  8:06                                       ` David Thompson
  2013-08-24 11:26                                         ` Stefan.Lucks
  1 sibling, 1 reply; 39+ messages in thread
From: David Thompson @ 2013-08-24  8:06 UTC (permalink / raw)


On Tue, 20 Aug 2013 10:14:47 +0200, Stefan.Lucks@uni-weimar.de wrote:

> On Mon, 19 Aug 2013, Randy Brukardt wrote:

<snip: other issues about security>

> > If you need public connections, then surely use SSH.
> 
> Agreed. Which is what the OP has been asking about, namely sftp (which is 
> ftp + ssh).
> 
Not quite. SFTP is a new protocol which provides functions similar to
and clearly based on FTP, run over SSH, but SFTP is not the same as
FTP over SSH (which is technically possible but rarely if ever used).

As a user you can generally ignore the difference -- you still type
DIR and GET and PUT and it looks about the same -- but if you are
implementing the protocol it makes a big difference and even if you're
just binding to an existing implementation, which was the start to
this thread, some differences may be significant.

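The distinction drawn above, as an added illustration (example code, not from the thread, from libssh2 or from its Ada binding): SFTP requests are length-prefixed binary packets carried inside an SSH channel, whereas FTP sends text command lines, and a receiver must bound the uint32 length field before trusting it. Packet types, status codes and pflags are the SFTP v3 values; the 256 KiB cap is this example's own choice.

```python
"""SFTP wire framing: length-prefixed binary packets, not FTP text lines.

Constructed example (not code from the thread, libssh2 or its Ada binding):
encodes and decodes SSH File Transfer Protocol v3 packets, the format carried
inside the SSH "sftp" subsystem channel.
"""
import struct

# Packet types, status codes and OPEN pflags from draft-ietf-secsh-filexfer-02.
SSH_FXP_INIT, SSH_FXP_VERSION, SSH_FXP_OPEN, SSH_FXP_STATUS = 1, 2, 3, 101
SSH_FX_OK, SSH_FX_NO_SUCH_FILE, SSH_FX_PERMISSION_DENIED = 0, 2, 3
SSH_FXF_READ, SSH_FXF_WRITE, SSH_FXF_CREAT = 0x01, 0x02, 0x08
# The length field is a uint32 and can claim 4 GiB; a receiver must bound it
# before allocating or waiting for the body. The cap is this example's choice.
MAX_PACKET = 256 * 1024

def _string(b: bytes) -> bytes:
    """SSH 'string' encoding: uint32 length followed by the raw bytes."""
    return struct.pack(">I", len(b)) + b

def _parse_string(payload: bytes, offset: int):
    """Read one SSH 'string' at offset; return (bytes, next_offset)."""
    if offset + 4 > len(payload):
        raise ValueError("truncated string length")
    (n,) = struct.unpack_from(">I", payload, offset)
    if offset + 4 + n > len(payload):
        raise ValueError("string runs past end of packet")
    return payload[offset + 4:offset + 4 + n], offset + 4 + n

def frame(ptype: int, payload: bytes) -> bytes:
    """Wrap a payload as an SFTP packet: uint32 length, byte type, payload."""
    return struct.pack(">IB", 1 + len(payload), ptype) + payload

def init_packet(version: int = 3) -> bytes:
    """Client hello: SSH_FXP_INIT carries only the protocol version."""
    return frame(SSH_FXP_INIT, struct.pack(">I", version))

def open_packet(request_id: int, filename: bytes, pflags: int) -> bytes:
    """SSH_FXP_OPEN: id, filename, pflags, ATTRS (flags 0 = no attributes).
    In FTP the same intent is the text line RETR <name> on the control link."""
    body = struct.pack(">I", request_id) + _string(filename) + struct.pack(">II", pflags, 0)
    return frame(SSH_FXP_OPEN, body)

def status_packet(request_id: int, code: int, message: bytes) -> bytes:
    """Server reply SSH_FXP_STATUS: id, code, message, language tag."""
    body = struct.pack(">II", request_id, code) + _string(message) + _string(b"en")
    return frame(SSH_FXP_STATUS, body)

def parse_packet(buf: bytes):
    """Split one packet off the front of buf as (ptype, payload, rest).
    Returns None while buf holds no complete packet; raises ValueError on a
    zero or oversized length field rather than trusting it."""
    if len(buf) < 4:
        return None
    (length,) = struct.unpack(">I", buf[:4])
    if length == 0 or length > MAX_PACKET:
        raise ValueError(f"bad packet length {length}")
    if len(buf) < 4 + length:
        return None  # wait for more bytes from the channel
    return buf[4], buf[5:4 + length], buf[4 + length:]

def split_stream(buf: bytes):
    """Decode every complete packet in buf; return (packets, leftover bytes)."""
    packets = []
    while (item := parse_packet(buf)) is not None:
        ptype, payload, buf = item
        packets.append((ptype, payload))
    return packets, buf

def decode_open(payload: bytes):
    """Server side of SSH_FXP_OPEN: return (request_id, filename, pflags)."""
    (request_id,) = struct.unpack_from(">I", payload, 0)
    filename, off = _parse_string(payload, 4)
    (pflags,) = struct.unpack_from(">I", payload, off)
    return request_id, filename, pflags

def decode_status(payload: bytes):
    """Client side of SSH_FXP_STATUS: return (request_id, code, message)."""
    request_id, code = struct.unpack_from(">II", payload, 0)
    return request_id, code, _parse_string(payload, 8)[0]

def demo_exchange():
    """Constructed round trip: INIT and OPEN arrive in one read with two bytes
    of the next packet pending; the server answers the OPEN with a STATUS."""
    wire = init_packet() + open_packet(7, b"/srv/notes.txt", SSH_FXF_READ) + b"\x00\x00"
    packets, pending = split_stream(wire)
    request_id, filename, pflags = decode_open(packets[1][1])
    reply = status_packet(request_id, SSH_FX_PERMISSION_DENIED, b"Permission denied")
    status = decode_status(split_stream(reply)[0][0][1])
    return [p for p, _ in packets], pending, filename, status

if __name__ == "__main__":
    print(demo_exchange())
```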

* Re: library/binding for sftp?
  2013-08-24  8:06                                       ` David Thompson
@ 2013-08-24 11:26                                         ` Stefan.Lucks
  0 siblings, 0 replies; 39+ messages in thread
From: Stefan.Lucks @ 2013-08-24 11:26 UTC (permalink / raw)



On Sat, 24 Aug 2013, David Thompson wrote:

> Date: Sat, 24 Aug 2013 04:06:46 -0400
> From: David Thompson <dave.thompson2@verizon.net>
> Newsgroups: comp.lang.ada
> Subject: Re: library/binding for sftp?
> 
> On Tue, 20 Aug 2013 10:14:47 +0200, Stefan.Lucks@uni-weimar.de wrote:
>
>> On Mon, 19 Aug 2013, Randy Brukardt wrote:
>
> <snip: other issues about security>
>
>>> If you need public connections, then surely use SSH.
>>
>> Agreed. Which is what the OP has been asking about, namely sftp (which is
>> ftp + ssh).
>>
> Not quite. SFTP is a new protocol which provides functions similar to
> and clearly based on FTP, run over SSH, but SFTP is not the same as
> FTP over SSH (which is technically possible but rarely if ever used).

I am aware of that. SFTP uses SSH and provides the FTP functionality to 
the user, but internally it is very different from the awfully complex FTP 
over SSH.

> As a user you can generally ignore the difference -- you still type
> DIR and GET and PUT and it looks about the same -- but if you are
> implementing the protocol it makes a big difference and even if you're
> just binding to an existing implementation, which was the start to
> this thread, some differences may be significant.


------  I  love  the  taste  of  Cryptanalysis  in  the morning!  ------
     <http://www.uni-weimar.de/cms/medien/mediensicherheit/home.html>
--Stefan.Lucks (at) uni-weimar.de, Bauhaus-Universität Weimar, Germany--


* Re: library/binding for sftp?
  2013-08-21  7:27                                         ` Stefan.Lucks
  2013-08-21 16:46                                           ` Alan Jump
@ 2013-08-26 21:21                                           ` Randy Brukardt
  1 sibling, 0 replies; 39+ messages in thread
From: Randy Brukardt @ 2013-08-26 21:21 UTC (permalink / raw)



<Stefan.Lucks@uni-weimar.de> wrote in message 
news:alpine.DEB.2.10.1308210902070.1344@debian...
On Tue, 20 Aug 2013, Randy Brukardt wrote:

...
>> And I claim it is irrelevant. The use of the public internet is never 
>> very
>> secure and you can be certain that at least basic behavior is monitored.
>
>Whatever you mean by "basic behaviour": You *can* communicate securely
>over the internet, for some very reasonable notions of "secure". But
>firstly, there is no "absolute security", and secondly, you pay a price.
>Often, the price is inconvenience. In any case, your "we are all doomed"
>attitude is too pessimistic.

"Basic behavior" means, at a minimum, who is connecting to whom. Systems 
like Tor help, but as recently proven, don't necessarily hide that behavior.

I've never been accused of being too optimistic about anything, but 
unfortunately, I find that I often *am* too optimistic in reality. (For 
example: "I can build an Ada compiler." Sure, but other people can build it 
faster, and it turns out it doesn't matter at all if yours is better.)

>> I don't much care about the world outside of the US, at least as far as
>> living goes. (It's impractical to move somewhere where I don't understand
>> the language, and all English-speaking countries are as bad or worse than
>> the US.)
>
>What about Ireland?

Don't they mainly use some language whose name I forget? Or is that mainly 
ceremonial?

In any case, they have the same problem as Canada: too close to a "bad" 
country, who is in position to strong-arm them if necessary.

>Also, the Republic of Malta might be an option for you (yes, they actually
>speak English there), and, in a few years, Scotland could became
>independent as well.
>
>But hey, it is not so bad in the US! You have a secret court that secretly
>decides that it is secretly OK to secretly spy at you. So everything is
>secretly legal, isn't it? (Well, this has become off topic for c.l.a, but
>I just couldn't resist.)

I rest my case. ;-)

                             Randy.


* Re: library/binding for sftp?
  2013-08-20  6:43                                     ` Georg Bauhaus
@ 2013-09-13  9:58                                       ` Oliver Kleinke
  2013-09-13 21:12                                         ` Georg Bauhaus
  0 siblings, 1 reply; 39+ messages in thread
From: Oliver Kleinke @ 2013-09-13  9:58 UTC (permalink / raw)


> I'll offer 10,-€ (yes, that's little in view of your average incomes,
> but is worth some beer) for solving this unknown protocol.
> 
> SYN1Bo3AHS7SYO3FP9FXN1H7CEK1eR


Found your riddle yesterday and tried to solve it.. can you offer a
hint? 1,3,7,3,9,1,7,1 -- those are the second digits of prime numbers,
is that of importance? I assume that it is a polyalphabetic
substitution cipher with the number or prime in front of each group
being the key or an offset, correct?




* Re: library/binding for sftp?
  2013-09-13  9:58                                       ` Oliver Kleinke
@ 2013-09-13 21:12                                         ` Georg Bauhaus
  0 siblings, 0 replies; 39+ messages in thread
From: Georg Bauhaus @ 2013-09-13 21:12 UTC (permalink / raw)


On 13.09.13 11:58, Oliver Kleinke wrote:
>> I'll offer 10,-€ (yes, that's little in view of your average incomes,
>> but is worth some beer) for solving this unknown protocol.
>>
>> SYN1Bo3AHS7SYO3FP9FXN1H7CEK1eR
>
>
> Found your riddle yesterday and tried to solve it.. can you offer a
> hint? 1,3,7,3,9,1,7,1 -- those are the second digits of prime numbers,
> is that of importance? I assume that it is a polyalphabetic
> substitution cipher with the number or prime in front of each group
> being the key or an offset, correct?
>

These include some good stabs. A little simplification here and
a mathematical interpretation of polyalphabet there should
get you closer.




Thread overview: 39+ messages
2013-08-05 12:41 library/binding for sftp? Stephen Leake
2013-08-05 15:18 ` Dmitry A. Kazakov
2013-08-06  6:24   ` Stephen Leake
2013-08-06  6:54     ` Dmitry A. Kazakov
2013-08-07 10:06       ` Stephen Leake
2013-08-07 13:04         ` Dmitry A. Kazakov
2013-08-07 17:15           ` Simon Clubley
2013-08-07 19:57             ` Dmitry A. Kazakov
2013-08-07 20:09               ` Alan Jump
2013-08-07 20:26                 ` Dmitry A. Kazakov
2013-08-07 20:32                   ` Alan Jump
2013-08-08  9:14                     ` Björn Persson
2013-08-08  9:49                       ` Dmitry A. Kazakov
2013-08-08 11:37                         ` Björn Persson
2013-08-08 19:18                           ` Randy Brukardt
2013-08-08 20:03                             ` Alan Jump
2013-08-09  9:19                               ` Björn Persson
2013-08-09 20:21                               ` Randy Brukardt
2013-08-09  8:49                             ` Björn Persson
2013-08-09 20:12                               ` Randy Brukardt
2013-08-19 17:26                                 ` Stefan.Lucks
2013-08-19 18:15                                   ` AdaMagica
2013-08-19 22:45                                   ` Randy Brukardt
2013-08-19 23:15                                   ` Randy Brukardt
2013-08-20  6:43                                     ` Georg Bauhaus
2013-09-13  9:58                                       ` Oliver Kleinke
2013-09-13 21:12                                         ` Georg Bauhaus
2013-08-20  8:14                                     ` Stefan.Lucks
2013-08-20 20:59                                       ` Randy Brukardt
2013-08-21  7:27                                         ` Stefan.Lucks
2013-08-21 16:46                                           ` Alan Jump
2013-08-22  5:53                                             ` Per Sandberg
2013-08-26 21:21                                           ` Randy Brukardt
2013-08-24  8:06                                       ` David Thompson
2013-08-24 11:26                                         ` Stefan.Lucks
2013-08-07 21:46               ` Dennis Lee Bieber
2013-08-07 17:44           ` Björn Persson
2013-08-05 18:40 ` Jeffrey Carter
2013-08-06  6:26   ` Stephen Leake
