@electerm/ssh2 0.8.11 → 1.5.0

package/lib/client.js

@@ -1,1240 +1,1565 @@
-var crypto = require('crypto');
-var Socket = require('net').Socket;
-var dnsLookup = require('dns').lookup;
-var EventEmitter = require('events').EventEmitter;
-var inherits = require('util').inherits;
-var HASHES = crypto.getHashes();
-
-var ssh2_streams = require('ssh2-streams');
-var SSH2Stream = ssh2_streams.SSH2Stream;
-var SFTPStream = ssh2_streams.SFTPStream;
-var consts = ssh2_streams.constants;
-var BUGS = consts.BUGS;
-var ALGORITHMS = consts.ALGORITHMS;
-var EDDSA_SUPPORTED = consts.EDDSA_SUPPORTED;
-var parseKey = ssh2_streams.utils.parseKey;
-
-var HTTPAgents = require('./http-agents');
-var Channel = require('./Channel');
-var agentQuery = require('./agent');
-var SFTPWrapper = require('./SFTPWrapper');
-var readUInt32BE = require('./buffer-helpers').readUInt32BE;
-
-var MAX_CHANNEL = Math.pow(2, 32) - 1;
-var RE_OPENSSH = /^OpenSSH_(?:(?![0-4])\d)|(?:\d{2,})/;
-var DEBUG_NOOP = function(msg) {};
-
-function Client() {
-  if (!(this instanceof Client))
-    return new Client();
-
-  EventEmitter.call(this);
-
-  this.config = {
-    host: undefined,
-    port: undefined,
-    localAddress: undefined,
-    localPort: undefined,
-    forceIPv4: undefined,
-    forceIPv6: undefined,
-    keepaliveCountMax: undefined,
-    keepaliveInterval: undefined,
-    readyTimeout: undefined,
-
-    username: undefined,
-    password: undefined,
-    privateKey: undefined,
-    tryKeyboard: undefined,
-    agent: undefined,
-    allowAgentFwd: undefined,
-    authHandler: undefined,
-
-    hostHashAlgo: undefined,
-    hostHashCb: undefined,
-    strictVendor: undefined,
-    debug: undefined
-  };
-
-  this._readyTimeout = undefined;
-  this._channels = undefined;
-  this._callbacks = undefined;
-  this._forwarding = undefined;
-  this._forwardingUnix = undefined;
-  this._acceptX11 = undefined;
-  this._agentFwdEnabled = undefined;
-  this._curChan = undefined;
-  this._remoteVer = undefined;
-
-  this._sshstream = undefined;
-  this._sock = undefined;
-  this._resetKA = undefined;
-}
-inherits(Client, EventEmitter);
-
-Client.prototype.connect = function(cfg) {
-  var self = this;
+// TODO:
+//    * add `.connected` or similar property to allow immediate connection
+//      status checking
+//    * add/improve debug output during user authentication phase
+'use strict';
+
+const {
+  createHash,
+  getHashes,
+  randomFillSync,
+} = require('crypto');
+const { Socket } = require('net');
+const { lookup: dnsLookup } = require('dns');
+const EventEmitter = require('events');
+const HASHES = getHashes();
+
+const {
+  COMPAT,
+  CHANNEL_EXTENDED_DATATYPE: { STDERR },
+  CHANNEL_OPEN_FAILURE,
+  DEFAULT_CIPHER,
+  DEFAULT_COMPRESSION,
+  DEFAULT_KEX,
+  DEFAULT_MAC,
+  DEFAULT_SERVER_HOST_KEY,
+  DISCONNECT_REASON,
+  DISCONNECT_REASON_BY_VALUE,
+  SUPPORTED_CIPHER,
+  SUPPORTED_COMPRESSION,
+  SUPPORTED_KEX,
+  SUPPORTED_MAC,
+  SUPPORTED_SERVER_HOST_KEY,
+} = require('./protocol/constants.js');
+const { init: cryptoInit } = require('./protocol/crypto.js');
+const Protocol = require('./protocol/Protocol.js');
+const { parseKey } = require('./protocol/keyParser.js');
+const { SFTP } = require('./protocol/SFTP.js');
+const {
+  bufferCopy,
+  makeBufferParser,
+  makeError,
+  readUInt32BE,
+  sigSSHToASN1,
+  writeUInt32BE,
+} = require('./protocol/utils.js');
+
+const { AgentContext, createAgent, isAgent } = require('./agent.js');
+const {
+  Channel,
+  MAX_WINDOW,
+  PACKET_SIZE,
+  windowAdjust,
+  WINDOW_THRESHOLD,
+} = require('./Channel.js');
+const {
+  ChannelManager,
+  generateAlgorithmList,
+  isWritable,
+  onChannelOpenFailure,
+  onCHANNEL_CLOSE,
+} = require('./utils.js');
+
+const bufferParser = makeBufferParser();
+const sigParser = makeBufferParser();
+const RE_OPENSSH = /^OpenSSH_(?:(?![0-4])\d)|(?:\d{2,})/;
+const noop = (err) => {};
+
+class Client extends EventEmitter {
+  constructor() {
+    super();
+
+    this.config = {
+      host: undefined,
+      port: undefined,
+      localAddress: undefined,
+      localPort: undefined,
+      forceIPv4: undefined,
+      forceIPv6: undefined,
+      keepaliveCountMax: undefined,
+      keepaliveInterval: undefined,
+      readyTimeout: undefined,
+      ident: undefined,
+
+      username: undefined,
+      password: undefined,
+      privateKey: undefined,
+      tryKeyboard: undefined,
+      agent: undefined,
+      allowAgentFwd: undefined,
+      authHandler: undefined,
+
+      hostHashAlgo: undefined,
+      hostHashCb: undefined,
+      strictVendor: undefined,
+      debug: undefined
+    };
 
-  if (this._sock && this._sock.writable) {
-    this.once('close', function() {
-      self.connect(cfg);
-    });
-    this.end();
-    return;
+    this._agent = undefined;
+    this._readyTimeout = undefined;
+    this._chanMgr = undefined;
+    this._callbacks = undefined;
+    this._forwarding = undefined;
+    this._forwardingUnix = undefined;
+    this._acceptX11 = undefined;
+    this._agentFwdEnabled = undefined;
+    this._remoteVer = undefined;
+
+    this._protocol = undefined;
+    this._sock = undefined;
+    this._resetKA = undefined;
   }
 
-  this.config.host = cfg.hostname || cfg.host || 'localhost';
-  this.config.port = cfg.port || 22;
-  this.config.localAddress = (typeof cfg.localAddress === 'string'
-                              ? cfg.localAddress
-                              : undefined);
-  this.config.localPort = (typeof cfg.localPort === 'string'
-                           || typeof cfg.localPort === 'number'
-                           ? cfg.localPort
-                           : undefined);
-  this.config.forceIPv4 = cfg.forceIPv4 || false;
-  this.config.forceIPv6 = cfg.forceIPv6 || false;
-  this.config.keepaliveCountMax = (typeof cfg.keepaliveCountMax === 'number'
-                                   && cfg.keepaliveCountMax >= 0
-                                   ? cfg.keepaliveCountMax
-                                   : 3);
-  this.config.keepaliveInterval = (typeof cfg.keepaliveInterval === 'number'
-                                   && cfg.keepaliveInterval > 0
-                                   ? cfg.keepaliveInterval
-                                   : 0);
-  this.config.readyTimeout = (typeof cfg.readyTimeout === 'number'
-                              && cfg.readyTimeout >= 0
-                              ? cfg.readyTimeout
-                              : 20000);
-
-  var algorithms = {
-    kex: undefined,
-    kexBuf: undefined,
-    cipher: undefined,
-    cipherBuf: undefined,
-    serverHostKey: undefined,
-    serverHostKeyBuf: undefined,
-    hmac: undefined,
-    hmacBuf: undefined,
-    compress: undefined,
-    compressBuf: undefined
-  };
-  var i;
-  if (typeof cfg.algorithms === 'object' && cfg.algorithms !== null) {
-    var algosSupported;
-    var algoList;
-
-    algoList = cfg.algorithms.kex;
-    if (Array.isArray(algoList) && algoList.length > 0) {
-      algosSupported = ALGORITHMS.SUPPORTED_KEX;
-      for (i = 0; i < algoList.length; ++i) {
-        if (algosSupported.indexOf(algoList[i]) === -1)
-          throw new Error('Unsupported key exchange algorithm: ' + algoList[i]);
-      }
-      algorithms.kex = algoList;
+  connect(cfg) {
+    if (this._sock && isWritable(this._sock)) {
+      this.once('close', () => {
+        this.connect(cfg);
+      });
+      this.end();
+      return this;
     }
 
-    algoList = cfg.algorithms.cipher;
-    if (Array.isArray(algoList) && algoList.length > 0) {
-      algosSupported = ALGORITHMS.SUPPORTED_CIPHER;
-      for (i = 0; i < algoList.length; ++i) {
-        if (algosSupported.indexOf(algoList[i]) === -1)
-          throw new Error('Unsupported cipher algorithm: ' + algoList[i]);
-      }
-      algorithms.cipher = algoList;
+    this.config.host = cfg.hostname || cfg.host || 'localhost';
+    this.config.port = cfg.port || 22;
+    this.config.localAddress = (typeof cfg.localAddress === 'string'
+                                ? cfg.localAddress
+                                : undefined);
+    this.config.localPort = (typeof cfg.localPort === 'string'
+                             || typeof cfg.localPort === 'number'
+                             ? cfg.localPort
+                             : undefined);
+    this.config.forceIPv4 = cfg.forceIPv4 || false;
+    this.config.forceIPv6 = cfg.forceIPv6 || false;
+    this.config.keepaliveCountMax = (typeof cfg.keepaliveCountMax === 'number'
+                                     && cfg.keepaliveCountMax >= 0
+                                     ? cfg.keepaliveCountMax
+                                     : 3);
+    this.config.keepaliveInterval = (typeof cfg.keepaliveInterval === 'number'
+                                     && cfg.keepaliveInterval > 0
+                                     ? cfg.keepaliveInterval
+                                     : 0);
+    this.config.readyTimeout = (typeof cfg.readyTimeout === 'number'
+                                && cfg.readyTimeout >= 0
+                                ? cfg.readyTimeout
+                                : 20000);
+    this.config.ident = (typeof cfg.ident === 'string'
+                         || Buffer.isBuffer(cfg.ident)
+                         ? cfg.ident
+                         : undefined);
+
+    const algorithms = {
+      kex: undefined,
+      serverHostKey: undefined,
+      cs: {
+        cipher: undefined,
+        mac: undefined,
+        compress: undefined,
+        lang: [],
+      },
+      sc: undefined,
+    };
+    let allOfferDefaults = true;
+    if (typeof cfg.algorithms === 'object' && cfg.algorithms !== null) {
+      algorithms.kex = generateAlgorithmList(cfg.algorithms.kex,
+                                             DEFAULT_KEX,
+                                             SUPPORTED_KEX);
+      if (algorithms.kex !== DEFAULT_KEX)
+        allOfferDefaults = false;
+
+      algorithms.serverHostKey =
+        generateAlgorithmList(cfg.algorithms.serverHostKey,
+                              DEFAULT_SERVER_HOST_KEY,
+                              SUPPORTED_SERVER_HOST_KEY);
+      if (algorithms.serverHostKey !== DEFAULT_SERVER_HOST_KEY)
+        allOfferDefaults = false;
+
+      algorithms.cs.cipher = generateAlgorithmList(cfg.algorithms.cipher,
+                                                   DEFAULT_CIPHER,
+                                                   SUPPORTED_CIPHER);
+      if (algorithms.cs.cipher !== DEFAULT_CIPHER)
+        allOfferDefaults = false;
+
+      algorithms.cs.mac = generateAlgorithmList(cfg.algorithms.hmac,
+                                                DEFAULT_MAC,
+                                                SUPPORTED_MAC);
+      if (algorithms.cs.mac !== DEFAULT_MAC)
+        allOfferDefaults = false;
+
+      algorithms.cs.compress = generateAlgorithmList(cfg.algorithms.compress,
+                                                     DEFAULT_COMPRESSION,
+                                                     SUPPORTED_COMPRESSION);
+      if (algorithms.cs.compress !== DEFAULT_COMPRESSION)
+        allOfferDefaults = false;
+
+      if (!allOfferDefaults)
+        algorithms.sc = algorithms.cs;
     }
 
-    algoList = cfg.algorithms.serverHostKey;
-    if (Array.isArray(algoList) && algoList.length > 0) {
-      algosSupported = ALGORITHMS.SUPPORTED_SERVER_HOST_KEY;
-      for (i = 0; i < algoList.length; ++i) {
-        if (algosSupported.indexOf(algoList[i]) === -1) {
-          throw new Error('Unsupported server host key algorithm: '
-                           + algoList[i]);
-        }
-      }
-      algorithms.serverHostKey = algoList;
-    }
+    if (typeof cfg.username === 'string')
+      this.config.username = cfg.username;
+    else if (typeof cfg.user === 'string')
+      this.config.username = cfg.user;
+    else
+      throw new Error('Invalid username');
 
-    algoList = cfg.algorithms.hmac;
-    if (Array.isArray(algoList) && algoList.length > 0) {
-      algosSupported = ALGORITHMS.SUPPORTED_HMAC;
-      for (i = 0; i < algoList.length; ++i) {
-        if (algosSupported.indexOf(algoList[i]) === -1)
-          throw new Error('Unsupported HMAC algorithm: ' + algoList[i]);
-      }
-      algorithms.hmac = algoList;
-    }
+    this.config.password = (typeof cfg.password === 'string'
+                            ? cfg.password
+                            : undefined);
+    this.config.privateKey = (typeof cfg.privateKey === 'string'
+                              || Buffer.isBuffer(cfg.privateKey)
+                              ? cfg.privateKey
+                              : undefined);
+    this.config.localHostname = (typeof cfg.localHostname === 'string'
+                                 ? cfg.localHostname
+                                 : undefined);
+    this.config.localUsername = (typeof cfg.localUsername === 'string'
+                                 ? cfg.localUsername
+                                 : undefined);
+    this.config.tryKeyboard = (cfg.tryKeyboard === true);
+    if (typeof cfg.agent === 'string' && cfg.agent.length)
+      this.config.agent = createAgent(cfg.agent);
+    else if (isAgent(cfg.agent))
+      this.config.agent = cfg.agent;
+    else
+      this.config.agent = undefined;
+    this.config.allowAgentFwd = (cfg.agentForward === true
+                                 && this.config.agent !== undefined);
+    let authHandler = this.config.authHandler = (
+      typeof cfg.authHandler === 'function'
+      || Array.isArray(cfg.authHandler)
+      ? cfg.authHandler
+      : undefined
+    );
 
-    algoList = cfg.algorithms.compress;
-    if (Array.isArray(algoList) && algoList.length > 0) {
-      algosSupported = ALGORITHMS.SUPPORTED_COMPRESS;
-      for (i = 0; i < algoList.length; ++i) {
-        if (algosSupported.indexOf(algoList[i]) === -1)
-          throw new Error('Unsupported compression algorithm: ' + algoList[i]);
-      }
-      algorithms.compress = algoList;
-    }
-  }
-  if (algorithms.compress === undefined) {
-    if (cfg.compress) {
-      algorithms.compress = ['zlib@openssh.com', 'zlib'];
-      if (cfg.compress !== 'force')
-        algorithms.compress.push('none');
-    } else if (cfg.compress === false)
-      algorithms.compress = ['none'];
-  }
+    this.config.strictVendor = (typeof cfg.strictVendor === 'boolean'
+                                ? cfg.strictVendor
+                                : true);
 
-  if (typeof cfg.username === 'string')
-    this.config.username = cfg.username;
-  else if (typeof cfg.user === 'string')
-    this.config.username = cfg.user;
-  else
-    throw new Error('Invalid username');
-
-  this.config.password = (typeof cfg.password === 'string'
-                          ? cfg.password
-                          : undefined);
-  this.config.privateKey = (typeof cfg.privateKey === 'string'
-                            || Buffer.isBuffer(cfg.privateKey)
-                            ? cfg.privateKey
-                            : undefined);
-  this.config.localHostname = (typeof cfg.localHostname === 'string'
-                               && cfg.localHostname.length
-                               ? cfg.localHostname
-                               : undefined);
-  this.config.localUsername = (typeof cfg.localUsername === 'string'
-                               && cfg.localUsername.length
-                               ? cfg.localUsername
-                               : undefined);
-  this.config.tryKeyboard = (cfg.tryKeyboard === true);
-  this.config.agent = (typeof cfg.agent === 'string' && cfg.agent.length
-                       ? cfg.agent
-                       : undefined);
-  this.config.allowAgentFwd = (cfg.agentForward === true
-                               && this.config.agent !== undefined);
-  var authHandler = this.config.authHandler = (
-    typeof cfg.authHandler === 'function' ? cfg.authHandler : undefined
-  );
+    const debug = this.config.debug = (typeof cfg.debug === 'function'
+                                       ? cfg.debug
+                                       : undefined);
 
-  this.config.strictVendor = (typeof cfg.strictVendor === 'boolean'
-                              ? cfg.strictVendor
-                              : true);
-
-  var debug = this.config.debug = (typeof cfg.debug === 'function'
-                                   ? cfg.debug
-                                   : DEBUG_NOOP);
-
-  if (cfg.agentForward === true && !this.config.allowAgentFwd)
-    throw new Error('You must set a valid agent path to allow agent forwarding');
-
-  var callbacks = this._callbacks = [];
-  this._channels = {};
-  this._forwarding = {};
-  this._forwardingUnix = {};
-  this._acceptX11 = 0;
-  this._agentFwdEnabled = false;
-  this._curChan = -1;
-  this._remoteVer = undefined;
-  var privateKey;
-
-  if (this.config.privateKey) {
-    privateKey = parseKey(this.config.privateKey, cfg.passphrase);
-    if (privateKey instanceof Error)
-      throw new Error('Cannot parse privateKey: ' + privateKey.message);
-    if (Array.isArray(privateKey))
-      privateKey = privateKey[0]; // OpenSSH's newer format only stores 1 key for now
-    if (privateKey.getPrivatePEM() === null)
-      throw new Error('privateKey value does not contain a (valid) private key');
-  }
+    if (cfg.agentForward === true && !this.config.allowAgentFwd) {
+      throw new Error(
+        'You must set a valid agent path to allow agent forwarding'
+      );
+    }
 
-  var stream = this._sshstream = new SSH2Stream({
-    algorithms: algorithms,
-    debug: (debug === DEBUG_NOOP ? undefined : debug)
-  });
-  var sock = this._sock = (cfg.sock || new Socket());
-
-  // drain stderr if we are connection hopping using an exec stream
-  if (this._sock.stderr && typeof this._sock.stderr.resume === 'function')
-    this._sock.stderr.resume();
-
-  // keepalive-related
-  var kainterval = this.config.keepaliveInterval;
-  var kacountmax = this.config.keepaliveCountMax;
-  var kacount = 0;
-  var katimer;
-  function sendKA() {
-    if (++kacount > kacountmax) {
-      clearInterval(katimer);
-      if (sock.readable) {
-        var err = new Error('Keepalive timeout');
-        err.level = 'client-timeout';
-        self.emit('error', err);
-        sock.destroy();
+    let callbacks = this._callbacks = [];
+    this._chanMgr = new ChannelManager(this);
+    this._forwarding = {};
+    this._forwardingUnix = {};
+    this._acceptX11 = 0;
+    this._agentFwdEnabled = false;
+    this._agent = (this.config.agent ? this.config.agent : undefined);
+    this._remoteVer = undefined;
+    let privateKey;
+
+    if (this.config.privateKey) {
+      privateKey = parseKey(this.config.privateKey, cfg.passphrase);
+      if (privateKey instanceof Error)
+        throw new Error(`Cannot parse privateKey: ${privateKey.message}`);
+      if (Array.isArray(privateKey)) {
+        // OpenSSH's newer format only stores 1 key for now
+        privateKey = privateKey[0];
+      }
+      if (privateKey.getPrivatePEM() === null) {
+        throw new Error(
+          'privateKey value does not contain a (valid) private key'
+        );
       }
-      return;
-    }
-    if (sock.writable) {
-      // append dummy callback to keep correct callback order
-      callbacks.push(resetKA);
-      stream.ping();
-    } else
-      clearInterval(katimer);
-  }
-  function resetKA() {
-    if (kainterval > 0) {
-      kacount = 0;
-      clearInterval(katimer);
-      if (sock.writable)
-        katimer = setInterval(sendKA, kainterval);
     }
-  }
-  this._resetKA = resetKA;
-
-  stream.on('USERAUTH_BANNER', function(msg) {
-    self.emit('banner', msg);
-  });
 
-  sock.on('connect', function() {
-    debug('DEBUG: Client: Connected');
-    self.emit('connect');
-    if (!cfg.sock)
-      stream.pipe(sock).pipe(stream);
-  }).on('timeout', function() {
-    self.emit('timeout');
-  }).on('error', function(err) {
-    clearTimeout(self._readyTimeout);
-    err.level = 'client-socket';
-    self.emit('error', err);
-  }).on('end', function() {
-    stream.unpipe(sock);
-    clearTimeout(self._readyTimeout);
-    clearInterval(katimer);
-    self.emit('end');
-  }).on('close', function() {
-    stream.unpipe(sock);
-    clearTimeout(self._readyTimeout);
-    clearInterval(katimer);
-    self.emit('close');
-
-    // notify outstanding channel requests of disconnection ...
-    var callbacks_ = callbacks;
-    var err = new Error('No response from server');
-    callbacks = self._callbacks = [];
-    for (i = 0; i < callbacks_.length; ++i)
-      callbacks_[i](err);
-
-    // simulate error for any channels waiting to be opened. this is safe
-    // against successfully opened channels because the success and failure
-    // event handlers are automatically removed when a success/failure response
-    // is received
-    var channels = self._channels;
-    var chanNos = Object.keys(channels);
-    self._channels = {};
-    for (i = 0; i < chanNos.length; ++i) {
-      var ev1 = stream.emit('CHANNEL_OPEN_FAILURE:' + chanNos[i], err);
-      // emitting CHANNEL_CLOSE should be safe too and should help for any
-      // special channels which might otherwise keep the process alive, such
-      // as agent forwarding channels which have open unix sockets ...
-      var ev2 = stream.emit('CHANNEL_CLOSE:' + chanNos[i]);
-      var earlyCb;
-      if (!ev1 && !ev2 && (earlyCb = channels[chanNos[i]])
-          && typeof earlyCb === 'function') {
-        earlyCb(err);
+    let hostVerifier;
+    if (typeof cfg.hostVerifier === 'function') {
+      const hashCb = cfg.hostVerifier;
+      let hasher;
+      if (HASHES.indexOf(cfg.hostHash) !== -1) {
+        // Default to old behavior of hashing on user's behalf
+        hasher = createHash(cfg.hostHash);
       }
+      hostVerifier = (key, verify) => {
+        if (hasher) {
+          hasher.update(key);
+          key = hasher.digest('hex');
+        }
+        const ret = hashCb(key, verify);
+        if (ret !== undefined)
+          verify(ret);
+      };
     }
-  });
-  stream.on('drain', function() {
-    self.emit('drain');
-  }).once('header', function(header) {
-    self._remoteVer = header.versions.software;
-    if (header.greeting)
-      self.emit('greeting', header.greeting);
-  }).on('continue', function() {
-    self.emit('continue');
-  }).on('error', function(err) {
-    if (err.level === undefined)
-      err.level = 'protocol';
-    else if (err.level === 'handshake')
-      clearTimeout(self._readyTimeout);
-    self.emit('error', err);
-  }).on('end', function() {
-    sock.resume();
-  });
 
-  if (typeof cfg.hostVerifier === 'function') {
-    if (HASHES.indexOf(cfg.hostHash) === -1)
-      throw new Error('Invalid host hash algorithm: ' + cfg.hostHash);
-    var hashCb = cfg.hostVerifier;
-    var hasher = crypto.createHash(cfg.hostHash);
-    stream.once('fingerprint', function(key, verify) {
-      hasher.update(key);
-      var ret = hashCb(hasher.digest('hex'), verify);
-      if (ret !== undefined)
-        verify(ret);
+    const sock = this._sock = (cfg.sock || new Socket());
+    let ready = false;
+    let sawHeader = false;
+    if (this._protocol)
+      this._protocol.cleanup();
+    const DEBUG_HANDLER = (!debug ? undefined : (p, display, msg) => {
+      debug(`Debug output from server: ${JSON.stringify(msg)}`);
     });
-  }
-
-  // begin authentication handling =============================================
-  var curAuth;
-  var curPartial = null;
-  var curAuthsLeft = null;
-  var agentKeys;
-  var agentKeyPos = 0;
-  var authsAllowed = ['none'];
-  if (this.config.password !== undefined)
-    authsAllowed.push('password');
-  if (privateKey !== undefined)
-    authsAllowed.push('publickey');
-  if (this.config.agent !== undefined)
-    authsAllowed.push('agent');
-  if (this.config.tryKeyboard)
-    authsAllowed.push('keyboard-interactive');
-  if (this.config.tryKeyboard && this.config.password) {
-    authsAllowed.push('password');
-  }
-  if (privateKey !== undefined
-      && this.config.localHostname !== undefined
-      && this.config.localUsername !== undefined) {
-    authsAllowed.push('hostbased');
-  }
-
-  if (authHandler === undefined) {
-    var authPos = 0;
-    authHandler = function authHandler(authsLeft, partial, cb) {
-      if (authPos === authsAllowed.length)
-        return false;
-      return authsAllowed[authPos++];
-    };
-  }
-
-  var hasSentAuth = false;
-  function doNextAuth(authName) {
-    hasSentAuth = true;
-    if (authName === false) {
-      stream.removeListener('USERAUTH_FAILURE', onUSERAUTH_FAILURE);
-      stream.removeListener('USERAUTH_PK_OK', onUSERAUTH_PK_OK);
-      var err = new Error('All configured authentication methods failed');
-      err.level = 'client-authentication';
-      self.emit('error', err);
-      if (stream.writable)
-        self.end();
-      return;
-    }
-    if (authsAllowed.indexOf(authName) === -1)
-      throw new Error('Authentication method not allowed: ' + authName);
-    curAuth = authName;
-    switch (curAuth) {
-      case 'password':
-        stream.authPassword(self.config.username, self.config.password);
-      break;
-      case 'publickey':
-        stream.authPK(self.config.username, privateKey);
-        stream.once('USERAUTH_PK_OK', onUSERAUTH_PK_OK);
-      break;
-      case 'hostbased':
-        function hostbasedCb(buf, cb) {
-          var signature = privateKey.sign(buf);
-          if (signature instanceof Error) {
-            signature.message = 'Error while signing data with privateKey: '
-                                + signature.message;
-            signature.level = 'client-authentication';
-            self.emit('error', signature);
-            return tryNextAuth();
-          }
-
-          cb(signature);
+    const proto = this._protocol = new Protocol({
+      ident: this.config.ident,
+      offer: (allOfferDefaults ? undefined : algorithms),
+      onWrite: (data) => {
+        if (isWritable(sock))
+          sock.write(data);
+      },
+      onError: (err) => {
+        if (err.level === 'handshake')
+          clearTimeout(this._readyTimeout);
+        if (!proto._destruct)
+          sock.removeAllListeners('data');
+        this.emit('error', err);
+        try {
+          sock.end();
+        } catch {}
+      },
+      onHeader: (header) => {
+        sawHeader = true;
+        this._remoteVer = header.versions.software;
+        if (header.greeting)
+          this.emit('greeting', header.greeting);
+      },
+      onHandshakeComplete: (negotiated) => {
+        this.emit('handshake', negotiated);
+        if (!ready) {
+          ready = true;
+          proto.service('ssh-userauth');
         }
-        stream.authHostbased(self.config.username,
-                             privateKey,
-                             self.config.localHostname,
-                             self.config.localUsername,
-                             hostbasedCb);
-      break;
-      case 'agent':
-        agentQuery(self.config.agent, function(err, keys) {
-          if (err) {
-            err.level = 'agent';
-            self.emit('error', err);
-            agentKeys = undefined;
-            return tryNextAuth();
-          } else if (keys.length === 0) {
-            debug('DEBUG: Agent: No keys stored in agent');
-            agentKeys = undefined;
-            return tryNextAuth();
+      },
+      debug,
+      hostVerifier,
+      messageHandlers: {
+        DEBUG: DEBUG_HANDLER,
+        DISCONNECT: (p, reason, desc) => {
+          if (reason !== DISCONNECT_REASON.BY_APPLICATION) {
+            if (!desc) {
+              desc = DISCONNECT_REASON_BY_VALUE[reason];
+              if (desc === undefined)
+                desc = `Unexpected disconnection reason: ${reason}`;
+            }
+            const err = new Error(desc);
+            err.code = reason;
+            this.emit('error', err);
+          }
+          sock.end();
+        },
+        SERVICE_ACCEPT: (p, name) => {
+          if (name === 'ssh-userauth')
+            tryNextAuth();
+        },
+        USERAUTH_BANNER: (p, msg) => {
+          this.emit('banner', msg);
+        },
+        USERAUTH_SUCCESS: (p) => {
+          // Start keepalive mechanism
+          resetKA();
+
+          clearTimeout(this._readyTimeout);
+
+          this.emit('ready');
+        },
+        USERAUTH_FAILURE: (p, authMethods, partialSuccess) => {
+          if (curAuth.type === 'agent') {
+            const pos = curAuth.agentCtx.pos();
+            debug && debug(`Client: Agent key #${pos + 1} failed`);
+            return tryNextAgentKey();
           }
 
-          agentKeys = keys;
-          agentKeyPos = 0;
-
-          stream.authPK(self.config.username, keys[0]);
-          stream.once('USERAUTH_PK_OK', onUSERAUTH_PK_OK);
-        });
-      break;
-      case 'keyboard-interactive':
-        stream.authKeyboard(self.config.username);
-        stream.on('USERAUTH_INFO_REQUEST', onUSERAUTH_INFO_REQUEST);
-      break;
-      case 'none':
-        stream.authNone(self.config.username);
-      break;
-    }
-  }
-  function tryNextAuth() {
-    hasSentAuth = false;
-    var auth = authHandler(curAuthsLeft, curPartial, doNextAuth);
-    if (hasSentAuth || auth === undefined)
-      return;
-    doNextAuth(auth);
-  }
-  function tryNextAgentKey() {
-    if (curAuth === 'agent') {
-      if (agentKeyPos >= agentKeys.length)
-        return;
-      if (++agentKeyPos >= agentKeys.length) {
-        debug('DEBUG: Agent: No more keys left to try');
-        debug('DEBUG: Client: agent auth failed');
-        agentKeys = undefined;
-        tryNextAuth();
-      } else {
-        debug('DEBUG: Agent: Trying key #' + (agentKeyPos + 1));
-        stream.authPK(self.config.username, agentKeys[agentKeyPos]);
-        stream.once('USERAUTH_PK_OK', onUSERAUTH_PK_OK);
-      }
-    }
-  }
-  function onUSERAUTH_INFO_REQUEST(name, instructions, lang, prompts) {
-    var nprompts = (Array.isArray(prompts) ? prompts.length : 0);
-    if (nprompts === 0) {
-      debug('DEBUG: Client: Sending automatic USERAUTH_INFO_RESPONSE');
-      return stream.authInfoRes();
-    }
-    // we sent a keyboard-interactive user authentication request and now the
-    // server is sending us the prompts we need to present to the user
-    self.emit('keyboard-interactive',
+          debug && debug(`Client: ${curAuth.type} auth failed`);
+
+          curPartial = partialSuccess;
+          curAuthsLeft = authMethods;
+          tryNextAuth();
+        },
+        USERAUTH_PASSWD_CHANGEREQ: (p, prompt) => {
+          if (curAuth.type === 'password') {
+            // TODO: support a `changePrompt()` on `curAuth` that defaults to
+            // emitting 'change password' as before
+            this.emit('change password', prompt, (newPassword) => {
+              proto.authPassword(
+                this.config.username,
+                this.config.password,
+                newPassword
+              );
+            });
+          }
+        },
+        USERAUTH_PK_OK: (p) => {
+          if (curAuth.type === 'agent') {
+            const key = curAuth.agentCtx.currentKey();
+            proto.authPK(curAuth.username, key, (buf, cb) => {
+              curAuth.agentCtx.sign(key, buf, {}, (err, signed) => {
+                if (err) {
+                  err.level = 'agent';
+                  this.emit('error', err);
+                } else {
+                  return cb(signed);
+                }
+
+                tryNextAgentKey();
+              });
+            });
+          } else if (curAuth.type === 'publickey') {
+            proto.authPK(curAuth.username, curAuth.key, (buf, cb) => {
+              const signature = curAuth.key.sign(buf);
+              if (signature instanceof Error) {
+                signature.message =
+                  `Error signing data with key: ${signature.message}`;
+                signature.level = 'client-authentication';
+                this.emit('error', signature);
+                return tryNextAuth();
+              }
+              cb(signature);
+            });
+          }
+        },
+        USERAUTH_INFO_REQUEST: (p, name, instructions, prompts) => {
+          if (curAuth.type === 'keyboard-interactive') {
+            const nprompts = (Array.isArray(prompts) ? prompts.length : 0);
+            if (nprompts === 0) {
+              debug && debug(
+                'Client: Sending automatic USERAUTH_INFO_RESPONSE'
+              );
+              proto.authInfoRes();
+              return;
+            }
+            // We sent a keyboard-interactive user authentication request and
+            // now the server is sending us the prompts we need to present to
+            // the user
+            curAuth.prompt(
               name,
               instructions,
-              lang,
+              '',
               prompts,
-              function(answers) {
-                stream.authInfoRes(answers);
-              }
-    );
-  }
-  function onUSERAUTH_PK_OK() {
-    if (curAuth === 'agent') {
-      var agentKey = agentKeys[agentKeyPos];
-      var keyLen = readUInt32BE(agentKey, 0);
-      var pubKeyFullType = agentKey.toString('ascii', 4, 4 + keyLen);
-      var pubKeyType = pubKeyFullType.slice(4);
-      // Check that we support the key type first
-      // TODO: move key type checking logic to ssh2-streams
-      switch (pubKeyFullType) {
-        case 'ssh-rsa':
-        case 'ssh-dss':
-        case 'ecdsa-sha2-nistp256':
-        case 'ecdsa-sha2-nistp384':
-        case 'ecdsa-sha2-nistp521':
-          break;
-        default:
-          if (EDDSA_SUPPORTED && pubKeyFullType === 'ssh-ed25519')
-            break;
-          debug('DEBUG: Agent: Skipping unsupported key type: '
-                + pubKeyFullType);
-          return tryNextAgentKey();
-      }
-      stream.authPK(self.config.username, 
-                    agentKey,
-                    function(buf, cb) {
-        agentQuery(self.config.agent,
-                   agentKey,
-                   pubKeyType,
-                   buf,
-                   function(err, signed) {
-          if (err) {
-            err.level = 'agent';
-            self.emit('error', err);
-          } else {
-            var sigFullTypeLen = readUInt32BE(signed, 0);
-            if (4 + sigFullTypeLen + 4 < signed.length) {
-              var sigFullType = signed.toString('ascii', 4, 4 + sigFullTypeLen);
-              if (sigFullType !== pubKeyFullType) {
-                err = new Error('Agent key/signature type mismatch');
-                err.level = 'agent';
-                self.emit('error', err);
-              } else {
-                // skip algoLen + algo + sigLen
-                return cb(signed.slice(4 + sigFullTypeLen + 4));
+              (answers) => {
+                proto.authInfoRes(answers);
               }
+            );
+          }
+        },
+        REQUEST_SUCCESS: (p, data) => {
+          if (callbacks.length)
+            callbacks.shift()(false, data);
+        },
+        REQUEST_FAILURE: (p) => {
+          if (callbacks.length)
+            callbacks.shift()(true);
+        },
+        GLOBAL_REQUEST: (p, name, wantReply, data) => {
+          switch (name) {
+            case 'hostkeys-00@openssh.com':
+              // Automatically verify keys before passing to end user
+              hostKeysProve(this, data, (err, keys) => {
+                if (err)
+                  return;
+                this.emit('hostkeys', keys);
+              });
+              if (wantReply)
+                proto.requestSuccess();
+              break;
+            default:
+              // Auto-reject all other global requests, this can be especially
+              // useful if the server is sending us dummy keepalive global
+              // requests
+              if (wantReply)
+                proto.requestFailure();
+          }
+        },
+        CHANNEL_OPEN: (p, info) => {
+          // Handle incoming requests from server, typically a forwarded TCP or
+          // X11 connection
+          onCHANNEL_OPEN(this, info);
+        },
+        CHANNEL_OPEN_CONFIRMATION: (p, info) => {
+          const channel = this._chanMgr.get(info.recipient);
+          if (typeof channel !== 'function')
+            return;
+
+          const isSFTP = (channel.type === 'sftp');
+          const type = (isSFTP ? 'session' : channel.type);
+          const chanInfo = {
+            type,
+            incoming: {
+              id: info.recipient,
+              window: MAX_WINDOW,
+              packetSize: PACKET_SIZE,
+              state: 'open'
+            },
+            outgoing: {
+              id: info.sender,
+              window: info.window,
+              packetSize: info.packetSize,
+              state: 'open'
             }
+          };
+          const instance = (
+            isSFTP
+            ? new SFTP(this, chanInfo, { debug })
+            : new Channel(this, chanInfo)
+          );
+          this._chanMgr.update(info.recipient, instance);
+          channel(undefined, instance);
+        },
+        CHANNEL_OPEN_FAILURE: (p, recipient, reason, description) => {
+          const channel = this._chanMgr.get(recipient);
+          if (typeof channel !== 'function')
+            return;
+
+          const info = { reason, description };
+          onChannelOpenFailure(this, recipient, info, channel);
+        },
+        CHANNEL_DATA: (p, recipient, data) => {
+          const channel = this._chanMgr.get(recipient);
+          if (typeof channel !== 'object' || channel === null)
+            return;
+
+          // The remote party should not be sending us data if there is no
+          // window space available ...
+          // TODO: raise error on data with not enough window?
+          if (channel.incoming.window === 0)
+            return;
+
+          channel.incoming.window -= data.length;
+
+          if (channel.push(data) === false) {
+            channel._waitChanDrain = true;
+            return;
           }
 
-          tryNextAgentKey();
-        });
-      });
-    } else if (curAuth === 'publickey') {
-      stream.authPK(self.config.username, privateKey, function(buf, cb) {
-        var signature = privateKey.sign(buf);
-        if (signature instanceof Error) {
-          signature.message = 'Error while signing data with privateKey: '
-                              + signature.message;
-          signature.level = 'client-authentication';
-          self.emit('error', signature);
-          return tryNextAuth();
-        }
-        cb(signature);
-      });
-    }
-  }
-  function onUSERAUTH_FAILURE(authsLeft, partial) {
-    stream.removeListener('USERAUTH_PK_OK', onUSERAUTH_PK_OK);
-    stream.removeListener('USERAUTH_INFO_REQUEST', onUSERAUTH_INFO_REQUEST);
-    if (curAuth === 'agent') {
-      debug('DEBUG: Client: Agent key #' + (agentKeyPos + 1) + ' failed');
-      return tryNextAgentKey();
-    } else {
-      debug('DEBUG: Client: ' + curAuth + ' auth failed');
-    }
+          if (channel.incoming.window <= WINDOW_THRESHOLD)
+            windowAdjust(channel);
+        },
+        CHANNEL_EXTENDED_DATA: (p, recipient, data, type) => {
+          if (type !== STDERR)
+            return;
 
-    curPartial = partial;
-    curAuthsLeft = authsLeft;
-    tryNextAuth();
-  }
-  stream.once('USERAUTH_SUCCESS', function() {
-    stream.removeListener('USERAUTH_FAILURE', onUSERAUTH_FAILURE);
-    stream.removeListener('USERAUTH_INFO_REQUEST', onUSERAUTH_INFO_REQUEST);
+          const channel = this._chanMgr.get(recipient);
+          if (typeof channel !== 'object' || channel === null)
+            return;
 
-    // start keepalive mechanism
-    resetKA();
+          // The remote party should not be sending us data if there is no
+          // window space available ...
+          // TODO: raise error on data with not enough window?
+          if (channel.incoming.window === 0)
+            return;
 
-    clearTimeout(self._readyTimeout);
+          channel.incoming.window -= data.length;
+
+          if (!channel.stderr.push(data)) {
+            channel._waitChanDrain = true;
+            return;
+          }
 
-    self.emit('ready');
-  }).on('USERAUTH_FAILURE', onUSERAUTH_FAILURE);
-  // end authentication handling ===============================================
+          if (channel.incoming.window <= WINDOW_THRESHOLD)
+            windowAdjust(channel);
+        },
+        CHANNEL_WINDOW_ADJUST: (p, recipient, amount) => {
+          const channel = this._chanMgr.get(recipient);
+          if (typeof channel !== 'object' || channel === null)
+            return;
+
+          // The other side is allowing us to send `amount` more bytes of data
+          channel.outgoing.window += amount;
+
+          if (channel._waitWindow) {
+            channel._waitWindow = false;
+
+            if (channel._chunk) {
+              channel._write(channel._chunk, null, channel._chunkcb);
+            } else if (channel._chunkcb) {
+              channel._chunkcb();
+            } else if (channel._chunkErr) {
+              channel.stderr._write(channel._chunkErr,
+                                    null,
+                                    channel._chunkcbErr);
+            } else if (channel._chunkcbErr) {
+              channel._chunkcbErr();
+            }
+          }
+        },
+        CHANNEL_SUCCESS: (p, recipient) => {
+          const channel = this._chanMgr.get(recipient);
+          if (typeof channel !== 'object' || channel === null)
+            return;
+
+          this._resetKA();
+
+          if (channel._callbacks.length)
+            channel._callbacks.shift()(false);
+        },
+        CHANNEL_FAILURE: (p, recipient) => {
+          const channel = this._chanMgr.get(recipient);
+          if (typeof channel !== 'object' || channel === null)
+            return;
+
+          this._resetKA();
+
+          if (channel._callbacks.length)
+            channel._callbacks.shift()(true);
+        },
+        CHANNEL_REQUEST: (p, recipient, type, wantReply, data) => {
+          const channel = this._chanMgr.get(recipient);
+          if (typeof channel !== 'object' || channel === null)
+            return;
+
+          const exit = channel._exit;
+          if (exit.code !== undefined)
+            return;
+          switch (type) {
+            case 'exit-status':
+              channel.emit('exit', exit.code = data);
+              return;
+            case 'exit-signal':
+              channel.emit('exit',
+                           exit.code = null,
+                           exit.signal = `SIG${data.signal}`,
+                           exit.dump = data.coreDumped,
+                           exit.desc = data.errorMessage);
+              return;
+          }
 
-  // handle initial handshake completion
-  stream.once('ready', function() {
-    stream.service('ssh-userauth');
-    stream.once('SERVICE_ACCEPT', function(svcName) {
-      if (svcName === 'ssh-userauth')
-        tryNextAuth();
+          // Keepalive request? OpenSSH will send one as a channel request if
+          // there is a channel open
+
+          if (wantReply)
+            p.channelFailure(channel.outgoing.id);
+        },
+        CHANNEL_EOF: (p, recipient) => {
+          const channel = this._chanMgr.get(recipient);
+          if (typeof channel !== 'object' || channel === null)
+            return;
+
+          if (channel.incoming.state !== 'open')
+            return;
+          channel.incoming.state = 'eof';
+
+          if (channel.readable)
+            channel.push(null);
+          if (channel.stderr.readable)
+            channel.stderr.push(null);
+        },
+        CHANNEL_CLOSE: (p, recipient) => {
+          onCHANNEL_CLOSE(this, recipient, this._chanMgr.get(recipient));
+        },
+      },
     });
-  });
 
-  // handle incoming requests from server, typically a forwarded TCP or X11
-  // connection
-  stream.on('CHANNEL_OPEN', function(info) {
-    onCHANNEL_OPEN(self, info);
-  });
+    sock.pause();
+
+    // TODO: check keepalive implementation
+    // Keepalive-related
+    const kainterval = this.config.keepaliveInterval;
+    const kacountmax = this.config.keepaliveCountMax;
+    let kacount = 0;
+    let katimer;
+    const sendKA = () => {
+      if (++kacount > kacountmax) {
+        clearInterval(katimer);
+        if (sock.readable) {
+          const err = new Error('Keepalive timeout');
+          err.level = 'client-timeout';
+          this.emit('error', err);
+          sock.destroy();
+        }
+        return;
+      }
+      if (isWritable(sock)) {
+        // Append dummy callback to keep correct callback order
+        callbacks.push(resetKA);
+        proto.ping();
+      } else {
+        clearInterval(katimer);
+      }
+    };
+    function resetKA() {
+      if (kainterval > 0) {
+        kacount = 0;
+        clearInterval(katimer);
+        if (isWritable(sock))
+          katimer = setInterval(sendKA, kainterval);
+      }
+    }
+    this._resetKA = resetKA;
 
-  // handle responses for tcpip-forward and other global requests
-  stream.on('REQUEST_SUCCESS', function(data) {
-    if (callbacks.length)
-      callbacks.shift()(false, data);
-  }).on('REQUEST_FAILURE', function() {
-    if (callbacks.length)
-      callbacks.shift()(true);
-  });
+    const onDone = (() => {
+      let called = false;
+      return () => {
+        if (called)
+          return;
+        called = true;
+        if (wasConnected && !sawHeader) {
+          const err =
+            makeError('Connection lost before handshake', 'protocol', true);
+          this.emit('error', err);
+        }
+      };
+    })();
+    const onConnect = (() => {
+      let called = false;
+      return () => {
+        if (called)
+          return;
+        called = true;
+
+        wasConnected = true;
+        debug && debug('Socket connected');
+        this.emit('connect');
+
+        cryptoInit.then(() => {
+          proto.start();
+          sock.on('data', (data) => {
+            try {
+              proto.parse(data, 0, data.length);
+            } catch (ex) {
+              this.emit('error', ex);
+              try {
+                if (isWritable(sock))
+                  sock.end();
+              } catch {}
+            }
+          });
 
-  stream.on('GLOBAL_REQUEST', function(name, wantReply, data) {
-    // auto-reject all global requests, this can be especially useful if the
-    // server is sending us dummy keepalive global requests
-    if (wantReply)
-      stream.requestFailure();
-  });
+          // Drain stderr if we are connection hopping using an exec stream
+          if (sock.stderr && typeof sock.stderr.resume === 'function')
+            sock.stderr.resume();
+
+          sock.resume();
+        }).catch((err) => {
+          this.emit('error', err);
+          try {
+            if (isWritable(sock))
+              sock.end();
+          } catch {}
+        });
+      };
+    })();
+    let wasConnected = false;
+    sock.on('connect', onConnect)
+        .on('timeout', () => {
+      this.emit('timeout');
+    }).on('error', (err) => {
+      debug && debug(`Socket error: ${err.message}`);
+      clearTimeout(this._readyTimeout);
+      err.level = 'client-socket';
+      this.emit('error', err);
+    }).on('end', () => {
+      debug && debug('Socket ended');
+      onDone();
+      proto.cleanup();
+      clearTimeout(this._readyTimeout);
+      clearInterval(katimer);
+      this.emit('end');
+    }).on('close', () => {
+      debug && debug('Socket closed');
+      onDone();
+      proto.cleanup();
+      clearTimeout(this._readyTimeout);
+      clearInterval(katimer);
+      this.emit('close');
 
-  if (!cfg.sock) {
-    var host = this.config.host;
-    var forceIPv4 = this.config.forceIPv4;
-    var forceIPv6 = this.config.forceIPv6;
+      // Notify outstanding channel requests of disconnection ...
+      const callbacks_ = callbacks;
+      callbacks = this._callbacks = [];
+      const err = new Error('No response from server');
+      for (let i = 0; i < callbacks_.length; ++i)
+        callbacks_[i](err);
 
-    debug('DEBUG: Client: Trying '
-          + host
-          + ' on port '
-          + this.config.port
-          + ' ...');
+      // Simulate error for any channels waiting to be opened
+      this._chanMgr.cleanup(err);
+    });
 
-    function doConnect() {
-      startTimeout();
-      self._sock.connect({
-        host: host,
-        port: self.config.port,
-        localAddress: self.config.localAddress,
-        localPort: self.config.localPort
-      });
-      self._sock.setNoDelay(true);
-      self._sock.setMaxListeners(0);
-      self._sock.setTimeout(typeof cfg.timeout === 'number' ? cfg.timeout : 0);
+    // Begin authentication handling ===========================================
+    let curAuth;
+    let curPartial = null;
+    let curAuthsLeft = null;
+    const authsAllowed = ['none'];
+    if (this.config.password !== undefined)
+      authsAllowed.push('password');
+    if (privateKey !== undefined)
+      authsAllowed.push('publickey');
+    if (this._agent !== undefined)
+      authsAllowed.push('agent');
+    if (this.config.tryKeyboard)
+      authsAllowed.push('keyboard-interactive');
+    if (privateKey !== undefined
+        && this.config.localHostname !== undefined
+        && this.config.localUsername !== undefined) {
+      authsAllowed.push('hostbased');
     }
 
-    if ((!forceIPv4 && !forceIPv6) || (forceIPv4 && forceIPv6))
-      doConnect();
-    else {
-      dnsLookup(host, (forceIPv4 ? 4 : 6), function(err, address, family) {
-        if (err) {
-          var error = new Error('Error while looking up '
-                                + (forceIPv4 ? 'IPv4' : 'IPv6')
-                                + ' address for host '
-                                + host
-                                + ': ' + err);
-          clearTimeout(self._readyTimeout);
-          error.level = 'client-dns';
-          self.emit('error', error);
-          self.emit('close');
-          return;
-        }
-        host = address;
-        doConnect();
-      });
-    }
-  } else {
-    startTimeout();
-    stream.pipe(sock).pipe(stream);
-  }
+    if (Array.isArray(authHandler))
+      authHandler = makeSimpleAuthHandler(authHandler);
+    else if (typeof authHandler !== 'function')
+      authHandler = makeSimpleAuthHandler(authsAllowed);
 
-  function startTimeout() {
-    if (self.config.readyTimeout > 0) {
-      self._readyTimeout = setTimeout(function() {
-        var err = new Error('Timed out while waiting for handshake');
-        err.level = 'client-timeout';
-        self.emit('error', err);
-        sock.destroy();
-      }, self.config.readyTimeout);
-    }
-  }
-};
-
-Client.prototype.end = function() {
-  if (this._sock
-      && this._sock.writable
-      && this._sshstream
-      && this._sshstream.writable)
-    return this._sshstream.disconnect();
-  return false;
-};
-
-Client.prototype.destroy = function() {
-  this._sock && this._sock.destroy();
-};
-
-Client.prototype.exec = function(cmd, opts, cb) {
-  if (!this._sock
-      || !this._sock.writable
-      || !this._sshstream
-      || !this._sshstream.writable)
-    throw new Error('Not connected');
+    let hasSentAuth = false;
+    const doNextAuth = (nextAuth) => {
+      if (hasSentAuth)
+        return;
+      hasSentAuth = true;
 
-  if (typeof opts === 'function') {
-    cb = opts;
-    opts = {};
-  }
+      if (nextAuth === false) {
+        const err = new Error('All configured authentication methods failed');
+        err.level = 'client-authentication';
+        this.emit('error', err);
+        this.end();
+        return;
+      }
 
-  var self = this;
-  var extraOpts = { allowHalfOpen: (opts.allowHalfOpen !== false) };
+      if (typeof nextAuth === 'string') {
+        // Remain backwards compatible with original `authHandler()` usage,
+        // which only supported passing names of next method to try using data
+        // from the `connect()` config object
 
-  return openChannel(this, 'session', extraOpts, function(err, chan) {
-    if (err)
-      return cb(err);
+        const type = nextAuth;
+        if (authsAllowed.indexOf(type) === -1)
+          return skipAuth(`Authentication method not allowed: ${type}`);
 
-    var todo = [];
+        const username = this.config.username;
+        switch (type) {
+          case 'password':
+            nextAuth = { type, username, password: this.config.password };
+            break;
+          case 'publickey':
+            nextAuth = { type, username, key: privateKey };
+            break;
+          case 'hostbased':
+            nextAuth = {
+              type,
+              username,
+              key: privateKey,
+              localHostname: this.config.localHostname,
+              localUsername: this.config.localUsername,
+            };
+            break;
+          case 'agent':
+            nextAuth = {
+              type,
+              username,
+              agentCtx: new AgentContext(this._agent),
+            };
+            break;
+          case 'keyboard-interactive':
+            nextAuth = {
+              type,
+              username,
+              prompt: (...args) => this.emit('keyboard-interactive', ...args),
+            };
+            break;
+          case 'none':
+            nextAuth = { type, username };
+            break;
+          default:
+            return skipAuth(
+              `Skipping unsupported authentication method: ${nextAuth}`
+            );
+        }
+      } else if (typeof nextAuth !== 'object' || nextAuth === null) {
+        return skipAuth(
+          `Skipping invalid authentication attempt: ${nextAuth}`
+        );
+      } else {
+        const username = nextAuth.username;
+        if (typeof username !== 'string') {
+          return skipAuth(
+            `Skipping invalid authentication attempt: ${nextAuth}`
+          );
+        }
+        const type = nextAuth.type;
+        switch (type) {
+          case 'password': {
+            const { password } = nextAuth;
+            if (typeof password !== 'string' && !Buffer.isBuffer(password))
+              return skipAuth('Skipping invalid password auth attempt');
+            nextAuth = { type, username, password };
+            break;
+          }
+          case 'publickey': {
+            const key = parseKey(nextAuth.key, nextAuth.passphrase);
+            if (key instanceof Error)
+              return skipAuth('Skipping invalid key auth attempt');
+            if (!key.isPrivateKey())
+              return skipAuth('Skipping non-private key');
+            nextAuth = { type, username, key };
+            break;
+          }
+          case 'hostbased': {
+            const { localHostname, localUsername } = nextAuth;
+            const key = parseKey(nextAuth.key, nextAuth.passphrase);
+            if (key instanceof Error
+                || typeof localHostname !== 'string'
+                || typeof localUsername !== 'string') {
+              return skipAuth('Skipping invalid hostbased auth attempt');
+            }
+            if (!key.isPrivateKey())
+              return skipAuth('Skipping non-private key');
+            nextAuth = { type, username, key, localHostname, localUsername };
+            break;
+          }
+          case 'agent': {
+            let agent = nextAuth.agent;
+            if (typeof agent === 'string' && agent.length) {
+              agent = createAgent(agent);
+            } else if (!isAgent(agent)) {
+              return skipAuth(
+                `Skipping invalid agent: ${nextAuth.agent}`
+              );
+            }
+            nextAuth = { type, username, agentCtx: new AgentContext(agent) };
+            break;
+          }
+          case 'keyboard-interactive': {
+            const { prompt } = nextAuth;
+            if (typeof prompt !== 'function') {
+              return skipAuth(
+                'Skipping invalid keyboard-interactive auth attempt'
+              );
+            }
+            nextAuth = { type, username, prompt };
+            break;
+          }
+          case 'none':
+            nextAuth = { type, username };
+            break;
+          default:
+            return skipAuth(
+              `Skipping unsupported authentication method: ${nextAuth}`
+            );
+        }
+      }
+      curAuth = nextAuth;
+
+      // Begin authentication method's process
+      try {
+        const username = curAuth.username;
+        switch (curAuth.type) {
+          case 'password':
+            proto.authPassword(username, curAuth.password);
+            break;
+          case 'publickey':
+            proto.authPK(username, curAuth.key);
+            break;
+          case 'hostbased':
+            proto.authHostbased(username,
+                                curAuth.key,
+                                curAuth.localHostname,
+                                curAuth.localUsername,
+                                (buf, cb) => {
+              const signature = curAuth.key.sign(buf);
+              if (signature instanceof Error) {
+                signature.message =
+                  `Error while signing with key: ${signature.message}`;
+                signature.level = 'client-authentication';
+                this.emit('error', signature);
+                return tryNextAuth();
+              }
 
-    function reqCb(err) {
-      if (err) {
-        chan.close();
-        return cb(err);
+              cb(signature);
+            });
+            break;
+          case 'agent':
+            curAuth.agentCtx.init((err) => {
+              if (err) {
+                err.level = 'agent';
+                this.emit('error', err);
+                return tryNextAuth();
+              }
+              tryNextAgentKey();
+            });
+            break;
+          case 'keyboard-interactive':
+            proto.authKeyboard(username);
+            break;
+          case 'none':
+            proto.authNone(username);
+            break;
+        }
+      } finally {
+        hasSentAuth = false;
       }
-      if (todo.length)
-        todo.shift()();
+    };
+
+    function skipAuth(msg) {
+      debug && debug(msg);
+      process.nextTick(tryNextAuth);
     }
 
-    if (self.config.allowAgentFwd === true
-        || (opts
-            && opts.agentForward === true
-            && self.config.agent !== undefined)) {
-      todo.push(function() {
-        reqAgentFwd(chan, reqCb);
-      });
+    function tryNextAuth() {
+      hasSentAuth = false;
+      const auth = authHandler(curAuthsLeft, curPartial, doNextAuth);
+      if (hasSentAuth || auth === undefined)
+        return;
+      doNextAuth(auth);
     }
 
-    if (typeof opts === 'object' && opts !== null) {
-      if (typeof opts.env === 'object' && opts.env !== null)
-        reqEnv(chan, opts.env);
-      if ((typeof opts.pty === 'object' && opts.pty !== null)
-          || opts.pty === true) {
-        todo.push(function() { reqPty(chan, opts.pty, reqCb); });
+    const tryNextAgentKey = () => {
+      if (curAuth.type === 'agent') {
+        const key = curAuth.agentCtx.nextKey();
+        if (key === false) {
+          debug && debug('Agent: No more keys left to try');
+          debug && debug('Client: agent auth failed');
+          tryNextAuth();
+        } else {
+          const pos = curAuth.agentCtx.pos();
+          debug && debug(`Agent: Trying key #${pos + 1}`);
+          proto.authPK(curAuth.username, key);
+        }
       }
-      if ((typeof opts.x11 === 'object' && opts.x11 !== null)
-          || opts.x11 === 'number'
-          || opts.x11 === true) {
-        todo.push(function() { reqX11(chan, opts.x11, reqCb); });
+    };
+
+    const startTimeout = () => {
+      if (this.config.readyTimeout > 0) {
+        this._readyTimeout = setTimeout(() => {
+          const err = new Error('Timed out while waiting for handshake');
+          err.level = 'client-timeout';
+          this.emit('error', err);
+          sock.destroy();
+        }, this.config.readyTimeout);
       }
-    }
+    };
 
-    todo.push(function() { reqExec(chan, cmd, opts, cb); });
-    todo.shift()();
-  });
-};
-
-Client.prototype.shell = function(wndopts, opts, cb) {
-  if (!this._sock
-      || !this._sock.writable
-      || !this._sshstream
-      || !this._sshstream.writable)
-    throw new Error('Not connected');
-
-  // start an interactive terminal/shell session
-  var self = this;
-
-  if (typeof wndopts === 'function') {
-    cb = wndopts;
-    wndopts = opts = undefined;
-  } else if (typeof opts === 'function') {
-    cb = opts;
-    opts = undefined;
-  }
-  if (wndopts && (wndopts.x11 !== undefined || wndopts.env !== undefined)) {
-    opts = wndopts;
-    wndopts = undefined;
-  }
+    if (!cfg.sock) {
+      let host = this.config.host;
+      const forceIPv4 = this.config.forceIPv4;
+      const forceIPv6 = this.config.forceIPv6;
 
-  return openChannel(this, 'session', function(err, chan) {
-    if (err)
-      return cb(err);
+      debug && debug(`Client: Trying ${host} on port ${this.config.port} ...`);
 
-    var todo = [];
+      const doConnect = () => {
+        startTimeout();
+        sock.connect({
+          host,
+          port: this.config.port,
+          localAddress: this.config.localAddress,
+          localPort: this.config.localPort
+        });
+        sock.setNoDelay(true);
+        sock.setMaxListeners(0);
+        sock.setTimeout(typeof cfg.timeout === 'number' ? cfg.timeout : 0);
+      };
 
-    function reqCb(err) {
-      if (err) {
-        chan.close();
-        return cb(err);
+      if ((!forceIPv4 && !forceIPv6) || (forceIPv4 && forceIPv6)) {
+        doConnect();
+      } else {
+        dnsLookup(host, (forceIPv4 ? 4 : 6), (err, address, family) => {
+          if (err) {
+            const type = (forceIPv4 ? 'IPv4' : 'IPv6');
+            const error = new Error(
+              `Error while looking up ${type} address for '${host}': ${err}`
+            );
+            clearTimeout(this._readyTimeout);
+            error.level = 'client-dns';
+            this.emit('error', error);
+            this.emit('close');
+            return;
+          }
+          host = address;
+          doConnect();
+        });
+      }
+    } else {
+      // Custom socket passed in
+      startTimeout();
+      if (typeof sock.connecting === 'boolean') {
+        // net.Socket
+
+        if (!sock.connecting) {
+          // Already connected
+          onConnect();
+        }
+      } else {
+        // Assume socket/stream is already "connected"
+        onConnect();
       }
-      if (todo.length)
-        todo.shift()();
     }
 
-    if (self.config.allowAgentFwd === true
-        || (opts
-            && opts.agentForward === true
-            && self.config.agent !== undefined)) {
-      todo.push(function() { reqAgentFwd(chan, reqCb); });
+    return this;
+  }
+
+  end() {
+    if (this._sock && isWritable(this._sock)) {
+      this._protocol.disconnect(DISCONNECT_REASON.BY_APPLICATION);
+      this._sock.end();
     }
+    return this;
+  }
 
-    if (wndopts !== false)
-      todo.push(function() { reqPty(chan, wndopts, reqCb); });
+  destroy() {
+    this._sock && isWritable(this._sock) && this._sock.destroy();
+    return this;
+  }
 
-    if (typeof opts === 'object' && opts !== null) {
-      if (typeof opts.env === 'object' && opts.env !== null)
-        reqEnv(chan, opts.env);
-      if ((typeof opts.x11 === 'object' && opts.x11 !== null)
-          || opts.x11 === 'number'
-          || opts.x11 === true) {
-        todo.push(function() { reqX11(chan, opts.x11, reqCb); });
-      }
+  exec(cmd, opts, cb) {
+    if (!this._sock || !isWritable(this._sock))
+      throw new Error('Not connected');
+
+    if (typeof opts === 'function') {
+      cb = opts;
+      opts = {};
     }
 
-    todo.push(function() { reqShell(chan, cb); });
-    todo.shift()();
-  });
-};
-
-Client.prototype.subsys = function(name, cb) {
-  if (!this._sock
-      || !this._sock.writable
-      || !this._sshstream
-      || !this._sshstream.writable)
-    throw new Error('Not connected');
-
-	return openChannel(this, 'session', function(err, chan) {
-		if (err)
-			return cb(err);
-
-		reqSubsystem(chan, name, function(err, stream) {
-			if (err)
-				return cb(err);
-
-			cb(undefined, stream);
-		});
-	});
-};
-
-Client.prototype.sftp = function(cb) {
-  if (!this._sock
-      || !this._sock.writable
-      || !this._sshstream
-      || !this._sshstream.writable)
-    throw new Error('Not connected');
-
-  var self = this;
-
-  // start an SFTP session
-  return openChannel(this, 'session', function(err, chan) {
-    if (err)
-      return cb(err);
-
-    reqSubsystem(chan, 'sftp', function(err, stream) {
-      if (err)
-        return cb(err);
-
-      var serverIdentRaw = self._sshstream._state.incoming.identRaw;
-      var cfg = { debug: self.config.debug };
-      var sftp = new SFTPStream(cfg, serverIdentRaw);
-
-      function onError(err) {
-        sftp.removeListener('ready', onReady);
-        stream.removeListener('exit', onExit);
+    const extraOpts = { allowHalfOpen: (opts.allowHalfOpen !== false) };
+
+    openChannel(this, 'session', extraOpts, (err, chan) => {
+      if (err) {
         cb(err);
+        return;
       }
 
-      function onReady() {
-        sftp.removeListener('error', onError);
-        stream.removeListener('exit', onExit);
-        cb(undefined, new SFTPWrapper(sftp));
-      }
+      const todo = [];
 
-      function onExit(code, signal) {
-        sftp.removeListener('ready', onReady);
-        sftp.removeListener('error', onError);
-        var msg;
-        if (typeof code === 'number') {
-          msg = 'Received exit code '
-                + code
-                + ' while establishing SFTP session';
-        } else {
-          msg = 'Received signal '
-                + signal
-                + ' while establishing SFTP session';
+      function reqCb(err) {
+        if (err) {
+          chan.close();
+          cb(err);
+          return;
         }
-        var err = new Error(msg);
-        err.code = code;
-        err.signal = signal;
-        cb(err);
+        if (todo.length)
+          todo.shift()();
       }
 
-      sftp.once('error', onError)
-          .once('ready', onReady)
-          .once('close', function() {
-            stream.end();
-          });
+      if (this.config.allowAgentFwd === true
+          || (opts
+              && opts.agentForward === true
+              && this._agent !== undefined)) {
+        todo.push(() => reqAgentFwd(chan, reqCb));
+      }
 
-      // OpenSSH server sends an exit-status if there was a problem spinning up
-      // an sftp server child process, so we listen for that here in order to
-      // properly raise an error.
-      stream.once('exit', onExit);
+      if (typeof opts === 'object' && opts !== null) {
+        if (typeof opts.env === 'object' && opts.env !== null)
+          reqEnv(chan, opts.env);
+        if ((typeof opts.pty === 'object' && opts.pty !== null)
+            || opts.pty === true) {
+          todo.push(() => reqPty(chan, opts.pty, reqCb));
+        }
+        if ((typeof opts.x11 === 'object' && opts.x11 !== null)
+            || opts.x11 === 'number'
+            || opts.x11 === true) {
+          todo.push(() => reqX11(chan, opts.x11, reqCb));
+        }
+      }
 
-      sftp.pipe(stream).pipe(sftp);
+      todo.push(() => reqExec(chan, cmd, opts, cb));
+      todo.shift()();
     });
-  });
-};
 
-Client.prototype.forwardIn = function(bindAddr, bindPort, cb) {
-  if (!this._sock
-      || !this._sock.writable
-      || !this._sshstream
-      || !this._sshstream.writable)
-    throw new Error('Not connected');
+    return this;
+  }
 
-  // send a request for the server to start forwarding TCP connections to us
-  // on a particular address and port
+  shell(wndopts, opts, cb) {
+    if (!this._sock || !isWritable(this._sock))
+      throw new Error('Not connected');
 
-  var self = this;
-  var wantReply = (typeof cb === 'function');
+    if (typeof wndopts === 'function') {
+      cb = wndopts;
+      wndopts = opts = undefined;
+    } else if (typeof opts === 'function') {
+      cb = opts;
+      opts = undefined;
+    }
+    if (wndopts && (wndopts.x11 !== undefined || wndopts.env !== undefined)) {
+      opts = wndopts;
+      wndopts = undefined;
+    }
 
-  if (wantReply) {
-    this._callbacks.push(function(had_err, data) {
-      if (had_err) {
-        return cb(had_err !== true
-                  ? had_err
-                  : new Error('Unable to bind to ' + bindAddr + ':' + bindPort));
+    openChannel(this, 'session', (err, chan) => {
+      if (err) {
+        cb(err);
+        return;
       }
 
-      var realPort = bindPort;
-      if (bindPort === 0 && data && data.length >= 4) {
-        realPort = readUInt32BE(data, 0);
-        if (!(self._sshstream.remoteBugs & BUGS.DYN_RPORT_BUG))
-          bindPort = realPort;
+      const todo = [];
+
+      function reqCb(err) {
+        if (err) {
+          chan.close();
+          cb(err);
+          return;
+        }
+        if (todo.length)
+          todo.shift()();
       }
 
-      self._forwarding[bindAddr + ':' + bindPort] = realPort;
+      if (this.config.allowAgentFwd === true
+          || (opts
+              && opts.agentForward === true
+              && this._agent !== undefined)) {
+        todo.push(() => reqAgentFwd(chan, reqCb));
+      }
 
-      cb(undefined, realPort);
-    });
-  }
+      if (wndopts !== false)
+        todo.push(() => reqPty(chan, wndopts, reqCb));
 
-  return this._sshstream.tcpipForward(bindAddr, bindPort, wantReply);
-};
+      if (typeof opts === 'object' && opts !== null) {
+        if (typeof opts.env === 'object' && opts.env !== null)
+          reqEnv(chan, opts.env);
+        if ((typeof opts.x11 === 'object' && opts.x11 !== null)
+            || opts.x11 === 'number'
+            || opts.x11 === true) {
+          todo.push(() => reqX11(chan, opts.x11, reqCb));
+        }
+      }
 
-Client.prototype.unforwardIn = function(bindAddr, bindPort, cb) {
-  if (!this._sock
-      || !this._sock.writable
-      || !this._sshstream
-      || !this._sshstream.writable)
-    throw new Error('Not connected');
+      todo.push(() => reqShell(chan, cb));
+      todo.shift()();
+    });
 
-  // send a request to stop forwarding us new connections for a particular
-  // address and port
+    return this;
+  }
 
-  var self = this;
-  var wantReply = (typeof cb === 'function');
+  subsys(name, cb) {
+    if (!this._sock || !isWritable(this._sock))
+      throw new Error('Not connected');
 
-  if (wantReply) {
-    this._callbacks.push(function(had_err) {
-      if (had_err) {
-        return cb(had_err !== true
-                  ? had_err
-                  : new Error('Unable to unbind from '
-                              + bindAddr + ':' + bindPort));
+    openChannel(this, 'session', (err, chan) => {
+      if (err) {
+        cb(err);
+        return;
       }
 
-      delete self._forwarding[bindAddr + ':' + bindPort];
+      reqSubsystem(chan, name, (err, stream) => {
+        if (err) {
+          cb(err);
+          return;
+        }
 
-      cb();
+        cb(undefined, stream);
+      });
     });
-  }
-
-  return this._sshstream.cancelTcpipForward(bindAddr, bindPort, wantReply);
-};
-
-Client.prototype.forwardOut = function(srcIP, srcPort, dstIP, dstPort, cb) {
-  if (!this._sock
-      || !this._sock.writable
-      || !this._sshstream
-      || !this._sshstream.writable)
-    throw new Error('Not connected');
 
-  // send a request to forward a TCP connection to the server
-
-  var cfg = {
-    srcIP: srcIP,
-    srcPort: srcPort,
-    dstIP: dstIP,
-    dstPort: dstPort
-  };
+    return this;
+  }
 
-  return openChannel(this, 'direct-tcpip', cfg, cb);
-};
+  forwardIn(bindAddr, bindPort, cb) {
+    if (!this._sock || !isWritable(this._sock))
+      throw new Error('Not connected');
 
-Client.prototype.openssh_noMoreSessions = function(cb) {
-  if (!this._sock
-      || !this._sock.writable
-      || !this._sshstream
-      || !this._sshstream.writable)
-    throw new Error('Not connected');
+    // Send a request for the server to start forwarding TCP connections to us
+    // on a particular address and port
 
-  var wantReply = (typeof cb === 'function');
+    const wantReply = (typeof cb === 'function');
 
-  if (!this.config.strictVendor
-      || (this.config.strictVendor && RE_OPENSSH.test(this._remoteVer))) {
     if (wantReply) {
-      this._callbacks.push(function(had_err) {
+      this._callbacks.push((had_err, data) => {
         if (had_err) {
-          return cb(had_err !== true
-                    ? had_err
-                    : new Error('Unable to disable future sessions'));
+          cb(had_err !== true
+             ? had_err
+             : new Error(`Unable to bind to ${bindAddr}:${bindPort}`));
+          return;
         }
 
-        cb();
+        let realPort = bindPort;
+        if (bindPort === 0 && data && data.length >= 4) {
+          realPort = readUInt32BE(data, 0);
+          if (!(this._protocol._compatFlags & COMPAT.DYN_RPORT_BUG))
+            bindPort = realPort;
+        }
+
+        this._forwarding[`${bindAddr}:${bindPort}`] = realPort;
+
+        cb(undefined, realPort);
       });
     }
 
-    return this._sshstream.openssh_noMoreSessions(wantReply);
-  } else if (wantReply) {
-    process.nextTick(function() {
-      cb(new Error('strictVendor enabled and server is not OpenSSH or compatible version'));
-    });
+    this._protocol.tcpipForward(bindAddr, bindPort, wantReply);
+
+    return this;
   }
 
-  return true;
-};
+  unforwardIn(bindAddr, bindPort, cb) {
+    if (!this._sock || !isWritable(this._sock))
+      throw new Error('Not connected');
 
-Client.prototype.openssh_forwardInStreamLocal = function(socketPath, cb) {
-  if (!this._sock
-      || !this._sock.writable
-      || !this._sshstream
-      || !this._sshstream.writable)
-    throw new Error('Not connected');
+    // Send a request to stop forwarding us new connections for a particular
+    // address and port
 
-  var wantReply = (typeof cb === 'function');
-  var self = this;
+    const wantReply = (typeof cb === 'function');
 
-  if (!this.config.strictVendor
-      || (this.config.strictVendor && RE_OPENSSH.test(this._remoteVer))) {
     if (wantReply) {
-      this._callbacks.push(function(had_err) {
+      this._callbacks.push((had_err) => {
         if (had_err) {
-          return cb(had_err !== true
-                    ? had_err
-                    : new Error('Unable to bind to ' + socketPath));
+          cb(had_err !== true
+             ? had_err
+             : new Error(`Unable to unbind from ${bindAddr}:${bindPort}`));
+          return;
         }
-        self._forwardingUnix[socketPath] = true;
+
+        delete this._forwarding[`${bindAddr}:${bindPort}`];
+
         cb();
       });
     }
 
-    return this._sshstream.openssh_streamLocalForward(socketPath, wantReply);
-  } else if (wantReply) {
-    process.nextTick(function() {
-      cb(new Error('strictVendor enabled and server is not OpenSSH or compatible version'));
-    });
+    this._protocol.cancelTcpipForward(bindAddr, bindPort, wantReply);
+
+    return this;
   }
 
-  return true;
-};
+  forwardOut(srcIP, srcPort, dstIP, dstPort, cb) {
+    if (!this._sock || !isWritable(this._sock))
+      throw new Error('Not connected');
 
-Client.prototype.openssh_unforwardInStreamLocal = function(socketPath, cb) {
-  if (!this._sock
-      || !this._sock.writable
-      || !this._sshstream
-      || !this._sshstream.writable)
-    throw new Error('Not connected');
+    // Send a request to forward a TCP connection to the server
 
-  var wantReply = (typeof cb === 'function');
-  var self = this;
+    const cfg = {
+      srcIP: srcIP,
+      srcPort: srcPort,
+      dstIP: dstIP,
+      dstPort: dstPort
+    };
 
-  if (!this.config.strictVendor
-      || (this.config.strictVendor && RE_OPENSSH.test(this._remoteVer))) {
-    if (wantReply) {
-      this._callbacks.push(function(had_err) {
-        if (had_err) {
-          return cb(had_err !== true
-                    ? had_err
-                    : new Error('Unable to unbind on ' + socketPath));
-        }
-        delete self._forwardingUnix[socketPath];
-        cb();
-      });
-    }
+    if (typeof cb !== 'function')
+      cb = noop;
 
-    return this._sshstream.openssh_cancelStreamLocalForward(socketPath,
-                                                            wantReply);
-  } else if (wantReply) {
-    process.nextTick(function() {
-      cb(new Error('strictVendor enabled and server is not OpenSSH or compatible version'));
-    });
-  }
+    openChannel(this, 'direct-tcpip', cfg, cb);
 
-  return true;
-};
-
-Client.prototype.openssh_forwardOutStreamLocal = function(socketPath, cb) {
-  if (!this._sock
-      || !this._sock.writable
-      || !this._sshstream
-      || !this._sshstream.writable)
-    throw new Error('Not connected');
-
-  if (!this.config.strictVendor
-      || (this.config.strictVendor && RE_OPENSSH.test(this._remoteVer))) {
-    var cfg = { socketPath: socketPath };
-    return openChannel(this, 'direct-streamlocal@openssh.com', cfg, cb);
-  } else {
-    process.nextTick(function() {
-      cb(new Error('strictVendor enabled and server is not OpenSSH or compatible version'));
-    });
+    return this;
   }
 
-  return true;
-};
+  openssh_noMoreSessions(cb) {
+    if (!this._sock || !isWritable(this._sock))
+      throw new Error('Not connected');
+
+    const wantReply = (typeof cb === 'function');
+
+    if (!this.config.strictVendor
+        || (this.config.strictVendor && RE_OPENSSH.test(this._remoteVer))) {
+      if (wantReply) {
+        this._callbacks.push((had_err) => {
+          if (had_err) {
+            cb(had_err !== true
+               ? had_err
+               : new Error('Unable to disable future sessions'));
+            return;
+          }
 
-function openChannel(self, type, opts, cb) {
-  // ask the server to open a channel for some purpose
-  // (e.g. session (sftp, exec, shell), or forwarding a TCP connection
-  var localChan = nextChannel(self);
-  var initWindow = Channel.MAX_WINDOW;
-  var maxPacket = Channel.PACKET_SIZE;
-  var ret = true;
+          cb();
+        });
+      }
 
-  if (localChan === false)
-    return cb(new Error('No free channels available'));
+      this._protocol.openssh_noMoreSessions(wantReply);
+      return this;
+    }
 
-  if (typeof opts === 'function') {
-    cb = opts;
-    opts = {};
-  }
+    if (!wantReply)
+      return this;
+
+    process.nextTick(
+      cb,
+      new Error(
+        'strictVendor enabled and server is not OpenSSH or compatible version'
+      )
+    );
 
-  self._channels[localChan] = cb;
-
-  var sshstream = self._sshstream;
-  sshstream.once('CHANNEL_OPEN_CONFIRMATION:' + localChan, onSuccess)
-           .once('CHANNEL_OPEN_FAILURE:' + localChan, onFailure)
-           .once('CHANNEL_CLOSE:' + localChan, onFailure);
-
-  if (type === 'session')
-    ret = sshstream.session(localChan, initWindow, maxPacket);
-  else if (type === 'direct-tcpip')
-    ret = sshstream.directTcpip(localChan, initWindow, maxPacket, opts);
-  else if (type === 'direct-streamlocal@openssh.com') {
-    ret = sshstream.openssh_directStreamLocal(localChan,
-                                              initWindow,
-                                              maxPacket,
-                                              opts);
+    return this;
   }
 
-  return ret;
+  openssh_forwardInStreamLocal(socketPath, cb) {
+    if (!this._sock || !isWritable(this._sock))
+      throw new Error('Not connected');
+
+    const wantReply = (typeof cb === 'function');
+
+    if (!this.config.strictVendor
+        || (this.config.strictVendor && RE_OPENSSH.test(this._remoteVer))) {
+      if (wantReply) {
+        this._callbacks.push((had_err) => {
+          if (had_err) {
+            cb(had_err !== true
+               ? had_err
+               : new Error(`Unable to bind to ${socketPath}`));
+            return;
+          }
+          this._forwardingUnix[socketPath] = true;
+          cb();
+        });
+      }
 
-  function onSuccess(info) {
-    sshstream.removeListener('CHANNEL_OPEN_FAILURE:' + localChan, onFailure);
-    sshstream.removeListener('CHANNEL_CLOSE:' + localChan, onFailure);
+      this._protocol.openssh_streamLocalForward(socketPath, wantReply);
+      return this;
+    }
 
-    var chaninfo = {
-      type: type,
-      incoming: {
-        id: localChan,
-        window: initWindow,
-        packetSize: maxPacket,
-        state: 'open'
-      },
-      outgoing: {
-        id: info.sender,
-        window: info.window,
-        packetSize: info.packetSize,
-        state: 'open'
+    if (!wantReply)
+      return this;
+
+    process.nextTick(
+      cb,
+      new Error(
+        'strictVendor enabled and server is not OpenSSH or compatible version'
+      )
+    );
+
+    return this;
+  }
+
+  openssh_unforwardInStreamLocal(socketPath, cb) {
+    if (!this._sock || !isWritable(this._sock))
+      throw new Error('Not connected');
+
+    const wantReply = (typeof cb === 'function');
+
+    if (!this.config.strictVendor
+        || (this.config.strictVendor && RE_OPENSSH.test(this._remoteVer))) {
+      if (wantReply) {
+        this._callbacks.push((had_err) => {
+          if (had_err) {
+            cb(had_err !== true
+               ? had_err
+               : new Error(`Unable to unbind from ${socketPath}`));
+            return;
+          }
+          delete this._forwardingUnix[socketPath];
+          cb();
+        });
       }
-    };
-    cb(undefined, new Channel(chaninfo, self));
+
+      this._protocol.openssh_cancelStreamLocalForward(socketPath, wantReply);
+      return this;
+    }
+
+    if (!wantReply)
+      return this;
+
+    process.nextTick(
+      cb,
+      new Error(
+        'strictVendor enabled and server is not OpenSSH or compatible version'
+      )
+    );
+
+    return this;
   }
 
-  function onFailure(info) {
-    sshstream.removeListener('CHANNEL_OPEN_CONFIRMATION:' + localChan,
-                             onSuccess);
-    sshstream.removeListener('CHANNEL_OPEN_FAILURE:' + localChan, onFailure);
-    sshstream.removeListener('CHANNEL_CLOSE:' + localChan, onFailure);
-
-    delete self._channels[localChan];
-
-    var err;
-    if (info instanceof Error)
-      err = info;
-    else if (typeof info === 'object' && info !== null) {
-      err = new Error('(SSH) Channel open failure: ' + info.description);
-      err.reason = info.reason;
-      err.lang = info.lang;
-    } else {
-      err = new Error('(SSH) Channel open failure: '
-                      + 'server closed channel unexpectedly');
-      err.reason = err.lang = '';
+  openssh_forwardOutStreamLocal(socketPath, cb) {
+    if (!this._sock || !isWritable(this._sock))
+      throw new Error('Not connected');
+
+    if (typeof cb !== 'function')
+      cb = noop;
+
+    if (!this.config.strictVendor
+        || (this.config.strictVendor && RE_OPENSSH.test(this._remoteVer))) {
+      openChannel(this, 'direct-streamlocal@openssh.com', { socketPath }, cb);
+      return this;
     }
-    cb(err);
+    process.nextTick(
+      cb,
+      new Error(
+        'strictVendor enabled and server is not OpenSSH or compatible version'
+      )
+    );
+
+    return this;
+  }
+
+  sftp(cb) {
+    if (!this._sock || !isWritable(this._sock))
+      throw new Error('Not connected');
+
+    openChannel(this, 'sftp', (err, sftp) => {
+      if (err) {
+        cb(err);
+        return;
+      }
+
+      reqSubsystem(sftp, 'sftp', (err, sftp_) => {
+        if (err) {
+          cb(err);
+          return;
+        }
+
+        function removeListeners() {
+          sftp.removeListener('ready', onReady);
+          sftp.removeListener('error', onError);
+          sftp.removeListener('exit', onExit);
+          sftp.removeListener('close', onExit);
+        }
+
+        function onReady() {
+          // TODO: do not remove exit/close in case remote end closes the
+          // channel abruptly and we need to notify outstanding callbacks
+          removeListeners();
+          cb(undefined, sftp);
+        }
+
+        function onError(err) {
+          removeListeners();
+          cb(err);
+        }
+
+        function onExit(code, signal) {
+          removeListeners();
+          let msg;
+          if (typeof code === 'number')
+            msg = `Received exit code ${code} while establishing SFTP session`;
+          else if (signal !== undefined)
+            msg = `Received signal ${signal} while establishing SFTP session`;
+          else
+            msg = 'Received unexpected SFTP session termination';
+          const err = new Error(msg);
+          err.code = code;
+          err.signal = signal;
+          cb(err);
+        }
+
+        sftp.on('ready', onReady)
+            .on('error', onError)
+            .on('exit', onExit)
+            .on('close', onExit);
+
+        sftp._init();
+      });
+    });
+
+    return this;
   }
 }
 
-function nextChannel(self) {
-  // get the next available channel number
+function openChannel(self, type, opts, cb) {
+  // Ask the server to open a channel for some purpose
+  // (e.g. session (sftp, exec, shell), or forwarding a TCP connection
+  const initWindow = MAX_WINDOW;
+  const maxPacket = PACKET_SIZE;
 
-  // optimized path
-  if (self._curChan < MAX_CHANNEL)
-    return ++self._curChan;
+  if (typeof opts === 'function') {
+    cb = opts;
+    opts = {};
+  }
+
+  const wrapper = (err, stream) => {
+    cb(err, stream);
+  };
+  wrapper.type = type;
 
-  // slower lookup path
-  for (var i = 0, channels = self._channels; i < MAX_CHANNEL; ++i)
-    if (!channels[i])
-      return i;
+  const localChan = self._chanMgr.add(wrapper);
 
-  return false;
+  if (localChan === -1) {
+    cb(new Error('No free channels available'));
+    return;
+  }
+
+  switch (type) {
+    case 'session':
+    case 'sftp':
+      self._protocol.session(localChan, initWindow, maxPacket);
+      break;
+    case 'direct-tcpip':
+      self._protocol.directTcpip(localChan, initWindow, maxPacket, opts);
+      break;
+    case 'direct-streamlocal@openssh.com':
+      self._protocol.openssh_directStreamLocal(
+        localChan, initWindow, maxPacket, opts
+      );
+      break;
+    default:
+      throw new Error(`Unsupported channel type: ${type}`);
+  }
 }
 
 function reqX11(chan, screen, cb) {
-  // asks server to start sending us X11 connections
-  var cfg = {
+  // Asks server to start sending us X11 connections
+  const cfg = {
     single: false,
     protocol: 'MIT-MAGIC-COOKIE-1',
     cookie: undefined,
@@ -1253,29 +1578,29 @@ function reqX11(chan, screen, cb) {
     if (typeof screen.cookie === 'string')
       cfg.cookie = screen.cookie;
     else if (Buffer.isBuffer(screen.cookie))
-      cfg.cookie = screen.cookie.toString('hex');
+      cfg.cookie = screen.cookie.hexSlice(0, screen.cookie.length);
   }
   if (cfg.cookie === undefined)
     cfg.cookie = randomCookie();
 
-  var wantReply = (typeof cb === 'function');
+  const wantReply = (typeof cb === 'function');
 
   if (chan.outgoing.state !== 'open') {
-    wantReply && cb(new Error('Channel is not open'));
-    return true;
+    if (wantReply)
+      cb(new Error('Channel is not open'));
+    return;
   }
 
   if (wantReply) {
-    chan._callbacks.push(function(had_err) {
+    chan._callbacks.push((had_err) => {
       if (had_err) {
-        return cb(had_err !== true
-                  ? had_err
-                  : new Error('Unable to request X11'));
+        cb(had_err !== true ? had_err : new Error('Unable to request X11'));
+        return;
       }
 
       chan._hasX11 = true;
       ++chan._client._acceptX11;
-      chan.once('close', function() {
+      chan.once('close', () => {
         if (chan._client._acceptX11)
           --chan._client._acceptX11;
       });
@@ -1284,20 +1609,20 @@ function reqX11(chan, screen, cb) {
     });
   }
 
-  return chan._client._sshstream.x11Forward(chan.outgoing.id, cfg, wantReply);
+  chan._client._protocol.x11Forward(chan.outgoing.id, cfg, wantReply);
 }
 
 function reqPty(chan, opts, cb) {
-  var rows = 24;
-  var cols = 80;
-  var width = 640;
-  var height = 480;
-  var term = 'vt100';
-  var modes = null;
-
-  if (typeof opts === 'function')
+  let rows = 24;
+  let cols = 80;
+  let width = 640;
+  let height = 480;
+  let term = 'vt100';
+  let modes = null;
+
+  if (typeof opts === 'function') {
     cb = opts;
-  else if (typeof opts === 'object' && opts !== null) {
+  } else if (typeof opts === 'object' && opts !== null) {
     if (typeof opts.rows === 'number')
       rows = opts.rows;
     if (typeof opts.cols === 'number')
@@ -1312,149 +1637,154 @@ function reqPty(chan, opts, cb) {
       modes = opts.modes;
   }
 
-  var wantReply = (typeof cb === 'function');
+  const wantReply = (typeof cb === 'function');
 
   if (chan.outgoing.state !== 'open') {
-    wantReply && cb(new Error('Channel is not open'));
-    return true;
+    if (wantReply)
+      cb(new Error('Channel is not open'));
+    return;
   }
 
   if (wantReply) {
-    chan._callbacks.push(function(had_err) {
+    chan._callbacks.push((had_err) => {
       if (had_err) {
-        return cb(had_err !== true
-                  ? had_err
-                  : new Error('Unable to request a pseudo-terminal'));
+        cb(had_err !== true
+           ? had_err
+           : new Error('Unable to request a pseudo-terminal'));
+        return;
       }
       cb();
     });
   }
 
-  return chan._client._sshstream.pty(chan.outgoing.id,
-                                     rows,
-                                     cols,
-                                     height,
-                                     width,
-                                     term,
-                                     modes,
-                                     wantReply);
+  chan._client._protocol.pty(chan.outgoing.id,
+                             rows,
+                             cols,
+                             height,
+                             width,
+                             term,
+                             modes,
+                             wantReply);
 }
 
 function reqAgentFwd(chan, cb) {
-  var wantReply = (typeof cb === 'function');
+  const wantReply = (typeof cb === 'function');
 
   if (chan.outgoing.state !== 'open') {
     wantReply && cb(new Error('Channel is not open'));
-    return true;
-  } else if (chan._client._agentFwdEnabled) {
+    return;
+  }
+  if (chan._client._agentFwdEnabled) {
     wantReply && cb(false);
-    return true;
+    return;
   }
 
   chan._client._agentFwdEnabled = true;
 
-  chan._callbacks.push(function(had_err) {
+  chan._callbacks.push((had_err) => {
     if (had_err) {
       chan._client._agentFwdEnabled = false;
-      wantReply && cb(had_err !== true
-                      ? had_err
-                      : new Error('Unable to request agent forwarding'));
+      if (wantReply) {
+        cb(had_err !== true
+           ? had_err
+           : new Error('Unable to request agent forwarding'));
+      }
       return;
     }
 
-    wantReply && cb();
+    if (wantReply)
+      cb();
   });
 
-  return chan._client._sshstream.openssh_agentForward(chan.outgoing.id, true);
+  chan._client._protocol.openssh_agentForward(chan.outgoing.id, true);
 }
 
 function reqShell(chan, cb) {
   if (chan.outgoing.state !== 'open') {
     cb(new Error('Channel is not open'));
-    return true;
+    return;
   }
-  chan._callbacks.push(function(had_err) {
+
+  chan._callbacks.push((had_err) => {
     if (had_err) {
-      return cb(had_err !== true
-                ? had_err
-                : new Error('Unable to open shell'));
+      cb(had_err !== true ? had_err : new Error('Unable to open shell'));
+      return;
     }
     chan.subtype = 'shell';
     cb(undefined, chan);
   });
 
-  return chan._client._sshstream.shell(chan.outgoing.id, true);
+  chan._client._protocol.shell(chan.outgoing.id, true);
 }
 
 function reqExec(chan, cmd, opts, cb) {
   if (chan.outgoing.state !== 'open') {
     cb(new Error('Channel is not open'));
-    return true;
+    return;
   }
-  chan._callbacks.push(function(had_err) {
+
+  chan._callbacks.push((had_err) => {
     if (had_err) {
-      return cb(had_err !== true
-                ? had_err
-                : new Error('Unable to exec'));
+      cb(had_err !== true ? had_err : new Error('Unable to exec'));
+      return;
     }
     chan.subtype = 'exec';
     chan.allowHalfOpen = (opts.allowHalfOpen !== false);
     cb(undefined, chan);
   });
 
-  return chan._client._sshstream.exec(chan.outgoing.id, cmd, true);
+  chan._client._protocol.exec(chan.outgoing.id, cmd, true);
 }
 
 function reqEnv(chan, env) {
   if (chan.outgoing.state !== 'open')
-    return true;
-  var ret = true;
-  var keys = Object.keys(env || {});
-  var key;
-  var val;
-
-  for (var i = 0, len = keys.length; i < len; ++i) {
-    key = keys[i];
-    val = env[key];
-    ret = chan._client._sshstream.env(chan.outgoing.id, key, val, false);
-  }
+    return;
+
+  const keys = Object.keys(env || {});
 
-  return ret;
+  for (let i = 0; i < keys.length; ++i) {
+    const key = keys[i];
+    const val = env[key];
+    chan._client._protocol.env(chan.outgoing.id, key, val, false);
+  }
 }
 
 function reqSubsystem(chan, name, cb) {
   if (chan.outgoing.state !== 'open') {
     cb(new Error('Channel is not open'));
-    return true;
+    return;
   }
-  chan._callbacks.push(function(had_err) {
+
+  chan._callbacks.push((had_err) => {
     if (had_err) {
-      return cb(had_err !== true
-                ? had_err
-                : new Error('Unable to start subsystem: ' + name));
+      cb(had_err !== true
+         ? had_err
+         : new Error(`Unable to start subsystem: ${name}`));
+      return;
     }
     chan.subtype = 'subsystem';
     cb(undefined, chan);
   });
 
-  return chan._client._sshstream.subsystem(chan.outgoing.id, name, true);
+  chan._client._protocol.subsystem(chan.outgoing.id, name, true);
 }
 
+// TODO: inline implementation into single call site
 function onCHANNEL_OPEN(self, info) {
-  // the server is trying to open a channel with us, this is usually when
+  // The server is trying to open a channel with us, this is usually when
   // we asked the server to forward us connections on some port and now they
   // are asking us to accept/deny an incoming connection on their side
 
-  var localChan = false;
-  var reason;
+  let localChan = -1;
+  let reason;
 
-  function accept() {
-    var chaninfo = {
+  const accept = () => {
+    const chanInfo = {
       type: info.type,
       incoming: {
         id: localChan,
-        window: Channel.MAX_WINDOW,
-        packetSize: Channel.PACKET_SIZE,
+        window: MAX_WINDOW,
+        packetSize: PACKET_SIZE,
         state: 'open'
       },
       outgoing: {
@@ -1464,111 +1794,221 @@ function onCHANNEL_OPEN(self, info) {
         state: 'open'
       }
     };
-    var stream = new Channel(chaninfo, self);
+    const stream = new Channel(self, chanInfo);
+    self._chanMgr.update(localChan, stream);
 
-    self._sshstream.channelOpenConfirm(info.sender,
-                                       localChan,
-                                       Channel.MAX_WINDOW,
-                                       Channel.PACKET_SIZE);
+    self._protocol.channelOpenConfirm(info.sender,
+                                      localChan,
+                                      MAX_WINDOW,
+                                      PACKET_SIZE);
     return stream;
-  }
-  function reject() {
+  };
+  const reject = () => {
     if (reason === undefined) {
-      if (localChan === false)
-        reason = consts.CHANNEL_OPEN_FAILURE.RESOURCE_SHORTAGE;
+      if (localChan === -1)
+        reason = CHANNEL_OPEN_FAILURE.RESOURCE_SHORTAGE;
       else
-        reason = consts.CHANNEL_OPEN_FAILURE.CONNECT_FAILED;
+        reason = CHANNEL_OPEN_FAILURE.CONNECT_FAILED;
     }
 
-    self._sshstream.channelOpenFail(info.sender, reason, '', '');
-  }
+    if (localChan !== -1)
+      self._chanMgr.remove(localChan);
 
-  if (info.type === 'forwarded-tcpip'
-      || info.type === 'x11'
-      || info.type === 'auth-agent@openssh.com'
-      || info.type === 'forwarded-streamlocal@openssh.com') {
-
-    // check for conditions for automatic rejection
-    var rejectConn = (
-     (info.type === 'forwarded-tcpip'
-      && self._forwarding[info.data.destIP
-                         + ':'
-                         + info.data.destPort] === undefined)
-     || (info.type === 'forwarded-streamlocal@openssh.com'
-         && self._forwardingUnix[info.data.socketPath] === undefined)
-     || (info.type === 'x11' && self._acceptX11 === 0)
-     || (info.type === 'auth-agent@openssh.com'
-         && !self._agentFwdEnabled)
-    );
+    self._protocol.channelOpenFail(info.sender, reason, '');
+  };
+  const reserveChannel = () => {
+    localChan = self._chanMgr.add();
+
+    if (localChan === -1) {
+      reason = CHANNEL_OPEN_FAILURE.RESOURCE_SHORTAGE;
+      if (self.config.debug) {
+        self.config.debug(
+          'Client: Automatic rejection of incoming channel open: '
+            + 'no channels available'
+        );
+      }
+    }
 
-    if (!rejectConn) {
-      localChan = nextChannel(self);
+    return (localChan !== -1);
+  };
 
-      if (localChan === false) {
-        self.config.debug('DEBUG: Client: Automatic rejection of incoming channel open: no channels available');
-        rejectConn = true;
-      } else
-        self._channels[localChan] = true;
-    } else {
-      reason = consts.CHANNEL_OPEN_FAILURE.ADMINISTRATIVELY_PROHIBITED;
-      self.config.debug('DEBUG: Client: Automatic rejection of incoming channel open: unexpected channel open for: '
-                        + info.type);
+  const data = info.data;
+  switch (info.type) {
+    case 'forwarded-tcpip': {
+      const val = self._forwarding[`${data.destIP}:${data.destPort}`];
+      if (val !== undefined && reserveChannel()) {
+        if (data.destPort === 0)
+          data.destPort = val;
+        self.emit('tcp connection', data, accept, reject);
+        return;
+      }
+      break;
     }
+    case 'forwarded-streamlocal@openssh.com':
+      if (self._forwardingUnix[data.socketPath] !== undefined
+          && reserveChannel()) {
+        self.emit('unix connection', data, accept, reject);
+        return;
+      }
+      break;
+    case 'auth-agent@openssh.com':
+      if (self._agentFwdEnabled
+          && typeof self._agent.getStream === 'function'
+          && reserveChannel()) {
+        self._agent.getStream((err, stream) => {
+          if (err)
+            return reject();
+
+          const upstream = accept();
+          upstream.pipe(stream).pipe(upstream);
+        });
+        return;
+      }
+      break;
+    case 'x11':
+      if (self._acceptX11 !== 0 && reserveChannel()) {
+        self.emit('x11', data, accept, reject);
+        return;
+      }
+      break;
+    default:
+      // Automatically reject any unsupported channel open requests
+      reason = CHANNEL_OPEN_FAILURE.UNKNOWN_CHANNEL_TYPE;
+      if (self.config.debug) {
+        self.config.debug(
+          'Client: Automatic rejection of unsupported incoming channel open '
+            + `type: ${info.type}`
+        );
+      }
+  }
+
+  if (reason === undefined) {
+    reason = CHANNEL_OPEN_FAILURE.ADMINISTRATIVELY_PROHIBITED;
+    if (self.config.debug) {
+       self.config.debug(
+        'Client: Automatic rejection of unexpected incoming channel open for: '
+          + info.type
+      );
+    }
+  }
+
+  reject();
+}
+
+const randomCookie = (() => {
+  const buffer = Buffer.allocUnsafe(16);
+  return () => {
+    randomFillSync(buffer, 0, 16);
+    return buffer.hexSlice(0, 16);
+  };
+})();
+
+function makeSimpleAuthHandler(authList) {
+  if (!Array.isArray(authList))
+    throw new Error('authList must be an array');
 
-    // TODO: automatic rejection after some timeout?
+  let a = 0;
+  return (authsLeft, partialSuccess, cb) => {
+    if (a === authList.length)
+      return false;
+    return authList[a++];
+  };
+}
+
+function hostKeysProve(client, keys_, cb) {
+  if (!client._sock || !isWritable(client._sock))
+    return;
 
-    if (rejectConn)
-      reject();
+  if (typeof cb !== 'function')
+    cb = noop;
 
-    if (localChan !== false) {
-      if (info.type === 'forwarded-tcpip') {
-        if (info.data.destPort === 0) {
-          info.data.destPort = self._forwarding[info.data.destIP
-                                                + ':'
-                                                + info.data.destPort];
+  if (!Array.isArray(keys_))
+    throw new TypeError('Invalid keys argument type');
+
+  const keys = [];
+  for (const key of keys_) {
+    const parsed = parseKey(key);
+    if (parsed instanceof Error)
+      throw parsed;
+    keys.push(parsed);
+  }
+
+  if (!client.config.strictVendor
+      || (client.config.strictVendor && RE_OPENSSH.test(client._remoteVer))) {
+    client._callbacks.push((had_err, data) => {
+      if (had_err) {
+        cb(had_err !== true
+           ? had_err
+           : new Error('Server failed to prove supplied keys'));
+        return;
+      }
+
+      // TODO: move all of this parsing/verifying logic out of the client?
+      const ret = [];
+      let keyIdx = 0;
+      bufferParser.init(data, 0);
+      while (bufferParser.avail()) {
+        if (keyIdx === keys.length)
+          break;
+        const key = keys[keyIdx++];
+        const keyPublic = key.getPublicSSH();
+
+        const sigEntry = bufferParser.readString();
+        sigParser.init(sigEntry, 0);
+        const type = sigParser.readString(true);
+        let value = sigParser.readString();
+
+        let algo;
+        if (type !== key.type) {
+          if (key.type === 'ssh-rsa') {
+            switch (type) {
+              case 'rsa-sha2-256':
+                algo = 'sha256';
+                break;
+              case 'rsa-sha2-512':
+                algo = 'sha512';
+                break;
+              default:
+                continue;
+            }
+          } else {
+            continue;
+          }
         }
-        self.emit('tcp connection', info.data, accept, reject);
-      } else if (info.type === 'x11') {
-        self.emit('x11', info.data, accept, reject);
-      } else if (info.type === 'forwarded-streamlocal@openssh.com') {
-        self.emit('unix connection', info.data, accept, reject);
-      } else {
-        agentQuery(self.config.agent, accept, reject);
+
+        const sessionID = client._protocol._kex.sessionID;
+        const verifyData = Buffer.allocUnsafe(
+          4 + 29 + 4 + sessionID.length + 4 + keyPublic.length
+        );
+        let p = 0;
+        writeUInt32BE(verifyData, 29, p);
+        verifyData.utf8Write('hostkeys-prove-00@openssh.com', p += 4, 29);
+        writeUInt32BE(verifyData, sessionID.length, p += 29);
+        bufferCopy(sessionID, verifyData, 0, sessionID.length, p += 4);
+        writeUInt32BE(verifyData, keyPublic.length, p += sessionID.length);
+        bufferCopy(keyPublic, verifyData, 0, keyPublic.length, p += 4);
+
+        if (!(value = sigSSHToASN1(value, type)))
+          continue;
+        if (key.verify(verifyData, value, algo) === true)
+          ret.push(key);
       }
-    }
-  } else {
-    // automatically reject any unsupported channel open requests
-    self.config.debug('DEBUG: Client: Automatic rejection of incoming channel open: unsupported type: '
-                      + info.type);
-    reason = consts.CHANNEL_OPEN_FAILURE.UNKNOWN_CHANNEL_TYPE;
-    reject();
-  }
-}
+      sigParser.clear();
+      bufferParser.clear();
 
-var randomCookie = (function() {
-  if (typeof crypto.randomFillSync === 'function') {
-    var buffer = Buffer.alloc(16);
-    return function randomCookie() {
-      crypto.randomFillSync(buffer, 0, 16);
-      return buffer.toString('hex');
-    };
-  } else {
-    return function randomCookie() {
-      return crypto.randomBytes(16).toString('hex');
-    };
+      cb(null, ret);
+    });
+
+    client._protocol.openssh_hostKeysProve(keys);
+    return;
   }
-})();
 
-Client.Client = Client;
-Client.Server = require('./server');
-// pass some useful utilities on to end user (e.g. parseKey())
-Client.utils = ssh2_streams.utils;
-// expose useful SFTPStream constants for sftp server usage
-Client.SFTP_STATUS_CODE = SFTPStream.STATUS_CODE;
-Client.SFTP_OPEN_MODE = SFTPStream.OPEN_MODE;
-// expose http(s).Agent implementations to allow easy tunneling of HTTP(S)
-// requests
-Client.HTTPAgent = HTTPAgents.SSHTTPAgent;
-Client.HTTPSAgent = HTTPAgents.SSHTTPSAgent;
-
-module.exports = Client; // backwards compatibility
+  process.nextTick(
+    cb,
+    new Error(
+      'strictVendor enabled and server is not OpenSSH or compatible version'
+    )
+  );
+}
+
+module.exports = Client;