crussh 0.1.0

data/lib/crussh/protocol.rb

@@ -0,0 +1,135 @@
+# frozen_string_literal: true
+
+module Crussh
+  module Protocol
+    ALGORITHM_CATEGORIES = [
+      :kex_algorithms,
+      :server_host_key_algorithms,
+      :cipher_client_to_server,
+      :cipher_server_to_client,
+      :mac_client_to_server,
+      :mac_server_to_client,
+      :compression_client_to_server,
+      :compression_server_to_client,
+      :languages_client_to_server,
+      :languages_server_to_client,
+    ].freeze
+
+    # Messages
+
+    DISCONNECT      = 1
+    IGNORE          = 2
+    UNIMPLEMENTED   = 3
+    DEBUG           = 4
+    SERVICE_REQUEST = 5
+    SERVICE_ACCEPT  = 6
+    EXT_INFO        = 7
+
+    KEXINIT         = 20
+    NEWKEYS         = 21
+
+    KEX_ECDH_INIT      = 30
+    KEX_ECDH_REPLY     = 31
+
+    USERAUTH_REQUEST = 50
+    USERAUTH_FAILURE = 51
+    USERAUTH_SUCCESS = 52
+    USERAUTH_BANNER  = 53
+    USERAUTH_PK_OK = 60
+
+    GLOBAL_REQUEST = 80
+    REQUEST_SUCCESS = 81
+    REQUEST_FAILURE = 82
+
+    CHANNEL_OPEN = 90
+    CHANNEL_OPEN_CONFIRMATION = 91
+    CHANNEL_OPEN_FAILURE = 92
+    CHANNEL_WINDOW_ADJUST = 93
+    CHANNEL_DATA = 94
+    CHANNEL_EXTENDED_DATA = 95
+    CHANNEL_EOF = 96
+    CHANNEL_CLOSE = 97
+    CHANNEL_REQUEST = 98
+    CHANNEL_SUCCESS = 99
+    CHANNEL_FAILURE = 100
+
+    PING = 192
+    PONG = 193
+
+    class Message
+      class << self
+        def message_type(type = nil)
+          return @message_type if type.nil?
+
+          @message_type = type
+        end
+
+        def field(name, type, **options)
+          fields << { name:, type:, **options }
+
+          attr_reader(name)
+        end
+
+        def fields
+          @fields ||= []
+        end
+
+        def parse(data)
+          reader = Transport::Reader.new(data)
+
+          wire_message_type = reader.byte
+
+          unless wire_message_type == message_type
+            raise ProtocolError, "Expected #{name}, got message type #{wire_message_type}"
+          end
+
+          values = {}
+          fields.each do |f|
+            values[f[:name]] = read_field(reader, f)
+          end
+
+          new(**values)
+        end
+
+        private
+
+        def read_field(reader, field)
+          case field[:type]
+          when :raw then reader.read(field[:length])
+          when :remaining then reader.remaining
+          else
+            reader.send(field[:type])
+          end
+        end
+      end
+
+      def initialize(**values)
+        self.class.fields.each do |f|
+          value = if values.key?(f[:name])
+            values[f[:name]]
+          elsif f.key?(:default)
+            default = f[:default]
+            default.is_a?(Proc) ? default.call : default
+          else
+            raise ArgumentError, "missing keyword: :#{f[:name]}"
+          end
+
+          instance_variable_set(:"@#{f[:name]}", value)
+        end
+      end
+
+      def serialize
+        writer = Transport::Writer.new
+        writer.byte(self.class.message_type)
+
+        self.class.fields.each do |field|
+          value = instance_variable_get(:"@#{field[:name]}")
+
+          writer.send(field[:type], value)
+        end
+
+        writer.to_s
+      end
+    end
+  end
+end

data/lib/crussh/server/auth_handler.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module Crussh
+  class Server
+    class AuthHandler
+      include Auth::DSL
+
+      def initialize(block)
+        @block = block
+      end
+
+      def call(*args)
+        result = instance_exec(*args, &@block)
+        Auth.normalize(result)
+      end
+    end
+  end
+end

data/lib/crussh/server/config.rb

@@ -0,0 +1,157 @@
+# frozen_string_literal: true
+
+module Crussh
+  class Server
+    class Config
+      MIN_PACKET_SIZE = 1024
+      MAX_PACKET_SIZE = 256 * 1024
+      DEFAULT_PACKET_SIZE = 32_768
+      DEFAULT_WINDOW_SIZE = 2 * 1024 * 1024
+
+      def initialize
+        @host = "127.0.0.1"
+        @port = 22
+        @nodelay = false
+        @server_id = SshId.new("Crussh_#{VERSION}")
+
+        @host_keys = []
+        @host_key_files = []
+        @preferred = Preferred.new
+
+        @limits = Limits.new
+        @max_packet_size = DEFAULT_PACKET_SIZE
+        @window_size = DEFAULT_WINDOW_SIZE
+        @channel_buffer_size = 10
+
+        @max_auth_attempts = 6
+        @auth_rejection_time = 1
+        @auth_rejection_time_initial = nil
+
+        @connection_timeout = 10
+        @auth_timeout = nil
+        @inactivity_timeout = nil
+
+        @keepalive_interval = nil
+        @keepalive_max = 3
+
+        @max_connections = nil
+        @max_unauthenticated = nil
+      end
+
+      attr_accessor :host,
+        :port,
+        :server_id,
+        :host_keys,
+        :host_key_files,
+        :preferred,
+        :limits,
+        :max_packet_size,
+        :window_size,
+        :channel_buffer_size,
+        :max_auth_attempts,
+        :auth_rejection_time,
+        :auth_rejection_time_initial,
+        :connection_timeout,
+        :auth_timeout,
+        :inactivity_timeout,
+        :keepalive_interval,
+        :keepalive_max,
+        :max_connections,
+        :max_unauthenticated
+
+      def generate_host_keys!
+        @host_keys << Keys.generate
+        self
+      end
+
+      def dup
+        copy = super
+        copy.instance_variable_set(:@limits, @limits.dup)
+        copy.instance_variable_set(:@host_keys, @host_keys.dup)
+        copy.instance_variable_set(:@host_key_files, @host_key_files.dup)
+        copy.instance_variable_set(:@preferred, @preferred.dup)
+        copy
+      end
+
+      def validate!
+        load_host_key_files!
+
+        validate_host!
+        validate_packet_size!
+        validate_timeouts!
+        validate_limits!
+
+        self
+      end
+
+      def nodelay? = @nodelay
+
+      private
+
+      def load_host_key_files!
+        @host_key_files.each do |path|
+          @host_keys << Keys.from_file(path)
+        end
+      end
+
+      def validate_host!
+        raise ConfigError, "No host keys configured" if @host_keys.empty?
+        raise ConfigError, "host is required" if @host.nil? || @host.empty?
+        raise ConfigError, "port must be between 1 and 65535" unless (1..65535).cover?(@port)
+      end
+
+      def validate_packet_size!
+        if @max_packet_size < MIN_PACKET_SIZE
+          raise ConfigError, "max_packet_size too small (min: #{MIN_PACKET_SIZE})"
+        end
+
+        if @max_packet_size > MAX_PACKET_SIZE
+          raise ConfigError, "max_packet_size too large (max: #{MAX_PACKET_SIZE})"
+        end
+
+        raise ConfigError, "window_size must be positive" if @window_size <= 0
+        raise ConfigError, "channel_buffer_size must be positive" if @channel_buffer_size <= 0
+      end
+
+      def validate_timeouts!
+        if @connection_timeout && @connection_timeout <= 0
+          raise ConfigError, "connection_timeout must be positive"
+        end
+
+        if @auth_timeout && @auth_timeout <= 0
+          raise ConfigError, "auth_timeout must be positive"
+        end
+
+        if @inactivity_timeout && @inactivity_timeout <= 0
+          raise ConfigError, "inactivity_timeout must be positive"
+        end
+
+        if @keepalive_interval && @keepalive_interval <= 0
+          raise ConfigError, "keepalive_interval must be positive"
+        end
+
+        raise ConfigError, "keepalive_max must be positive" if @keepalive_max <= 0
+
+        if @auth_rejection_time&.negative?
+          raise ConfigError, "auth_rejection_time cannot be negative"
+        end
+
+        if @auth_rejection_time_initial&.negative?
+          raise ConfigError, "auth_rejection_time_initial cannot be negative"
+        end
+      end
+
+      def validate_limits!
+        if @max_connections && @max_connections <= 0
+          raise ConfigError, "max_connections must be positive"
+        end
+
+        if @max_unauthenticated && @max_unauthenticated <= 0
+          raise ConfigError, "max_unauthenticated must be positive"
+        end
+
+        raise ConfigError, "max_auth_attempts must be positive" if @max_auth_attempts <= 0
+      end
+    end
+  end
+end

data/lib/crussh/server/layers/connection.rb

@@ -0,0 +1,363 @@
+# frozen_string_literal: true
+
+module Crussh
+  class Server
+    module Layers
+      class Connection
+        def initialize(session)
+          @session = session
+          @channels = {}
+          @next_channel_id = 0
+        end
+
+        def run(task: Async::Task.current)
+          loop do
+            packet = read_with_timeout
+
+            break if packet.nil?
+
+            dispatch(packet)
+          end
+        rescue IOError, Errno::ECONNRESET, Crussh::ConnectionClosed => e
+          Logger.debug(self, "Connection closed", reason: e.class.name)
+        end
+
+        private
+
+        def config = @session.config
+        def server = @session.server
+        def packet_stream = @session.packet_stream
+
+        def read_with_timeout(task: Async::Task.current)
+          return @session.read_packet if config.inactivity_timeout.nil?
+
+          task.with_timeout(config.inactivity_timeout) do
+            @session.read_packet
+          end
+        rescue Async::TimeoutError
+          nil
+        end
+
+        def dispatch(packet)
+          message_type = packet.getbyte(0)
+
+          case message_type
+          when Protocol::CHANNEL_OPEN
+            channel_open(packet)
+          when Protocol::CHANNEL_DATA
+            channel_data(packet)
+          when Protocol::CHANNEL_EXTENDED_DATA
+            channel_extended_data(packet)
+          when Protocol::CHANNEL_EOF
+            channel_eof(packet)
+          when Protocol::CHANNEL_CLOSE
+            channel_close(packet)
+          when Protocol::CHANNEL_REQUEST
+            channel_request(packet)
+          when Protocol::CHANNEL_WINDOW_ADJUST
+            window_adjust(packet)
+          when Protocol::GLOBAL_REQUEST
+            global_request(packet)
+          when Protocol::DISCONNECT
+            disconnect(packet)
+            raise ConnectionClosed, "Client disconnected"
+          else
+            Logger.warn(self, "Unhandled message type", type: message_type)
+            message = Protocol::Unimplemented.new(sequence_number: @session.last_read_sequence)
+            @session.write_packet(message)
+          end
+        end
+
+        def channel_open(packet, task: Async::Task.current)
+          message = Protocol::ChannelOpen.parse(packet)
+          channel_type = message.channel_type.to_sym
+
+          unless server.accepts_channel?(channel_type)
+            send_channel_open_failure(message.sender_channel, :unknown_channel_type)
+            return
+          end
+
+          channel = create_channel(remote_id: message.sender_channel, window_size: message.initial_window_size, max_packet_size: message.maximum_packet_size)
+
+          if channel.nil?
+            send_channel_open_failure(message.sender_channel, :resource_shortage)
+            return
+          end
+
+          target = case message.channel_type
+          when "direct-tcpip"
+            message.direct_tcpip
+          when "forwarded-tcpip"
+            message.forwarded_tcpip
+          when "x11"
+            message.x11
+          end
+
+          unless server.open_channel?(channel_type, channel, target)
+            send_channel_open_failure(message.sender_channel, :administratively_prohibited)
+            @channels.delete(channel.id)
+            return
+          end
+
+          send_channel_open_confirmation(channel, message.sender_channel)
+
+          run_channel(channel_type, channel, target)
+        end
+
+        def create_channel(remote_id:, window_size:, max_packet_size:)
+          id = @next_channel_id
+          @next_channel_id += 1
+
+          channel = Channel.new(
+            session: @session,
+            id: id,
+            remote_id: remote_id,
+            remote_window_size: window_size,
+            local_window_size: config.window_size,
+            max_packet_size: [max_packet_size, config.max_packet_size].min,
+            buffer_size: config.channel_buffer_size,
+          )
+
+          @channels[id] = channel
+          channel
+        end
+
+        def run_channel(channel_type, channel, target)
+          case channel_type
+          when :session
+            nil
+          when :direct_tcpip
+            server.direct_tcpip(channel, target)
+          when :forwarded_tcpip
+            server.forwarded_tcpip(channel, target)
+          when :x11
+            server.x11(channel, target)
+          end
+        rescue => e
+          Logger.error(self, "Channel handler error", e)
+        end
+
+        def channel_data(packet)
+          message = Protocol::ChannelData.parse(packet)
+          channel = @channels[message.recipient_channel]
+          return if channel.nil?
+
+          channel.push_event(Channel::Data.new(data: message.data))
+        end
+
+        def channel_extended_data(packet)
+          message = Protocol::ChannelExtendedData.parse(packet)
+          channel = @channels[message.recipient_channel]
+          return if channel.nil?
+
+          channel.push_event(Channel::ExtendedData.new(data: message.data, type: message.data_type_code))
+        end
+
+        def channel_eof(packet)
+          message = Protocol::ChannelEof.parse(packet)
+          channel = @channels[message.recipient_channel]
+          return if channel.nil?
+
+          channel.push_event(Channel::EOF.new)
+          server.channel_eof(channel) if server.respond_to?(:channel_eof)
+        end
+
+        def channel_close(packet)
+          message = Protocol::ChannelClose.parse(packet)
+          channel = @channels[message.recipient_channel]
+          return if channel.nil?
+
+          channel.close unless channel.closed?
+          @channels.delete(channel.id)
+          channel.push_event(Channel::Closed.new)
+          server.channel_eof(channel) if server.respond_to?(:channel_eof)
+        end
+
+        def window_adjust(packet)
+          message = Protocol::ChannelWindowAdjust.parse(packet)
+          channel = @channels[message.recipient_channel]
+          return if channel.nil?
+
+          channel.adjust_remote_window(message.bytes_to_add)
+        end
+
+        def channel_request(packet)
+          message = Protocol::ChannelRequest.parse(packet)
+          channel = @channels[message.recipient_channel]
+
+          return if channel.nil?
+
+          accepted = case message.request_type
+          when "pty-req"
+            pty_request(channel, message)
+          when "env"
+            env_request(channel, message)
+          when "shell"
+            shell_request(channel)
+          when "exec"
+            exec_request(channel, message)
+          when "subsystem"
+            subsystem_request(channel, message)
+          when "window-change"
+            window_change(channel, message)
+            true
+          when "signal"
+            signal(channel, message)
+            true
+          when "x11-req"
+            x11_request(channel, message)
+          when "auth-agent-req@openssh.com"
+            agent_request(channel)
+          else
+            Logger.warn(self, "Unknown channel request", type: message.request_type)
+            false
+          end
+
+          return unless message.want_reply?
+
+          message = if accepted
+            Protocol::ChannelSuccess.new(recipient_channel: channel.remote_id)
+          else
+            Protocol::ChannelFailure.new(recipient_channel: channel.remote_id)
+          end
+
+          @session.write_packet(message)
+        end
+
+        def pty_request(channel, message)
+          pty = message.pty
+
+          accepted = server.accepts_request?(:pty, channel, term: pty.term, width: pty.width, height: pty.height, pixel_width: pty.pixel_width, pixel_height: pty.pixel_height, modes: pty.modes)
+
+          channel.pty = pty if accepted
+
+          accepted
+        end
+
+        def env_request(channel, message)
+          env = message.env
+
+          accepted = server.accepts_request?(:env, channel, name: env.variable_name, value: env.variable_value)
+
+          channel.set_env(env.variable_name, env.variable_value) if accepted
+
+          accepted
+        end
+
+        def shell_request(channel)
+          return false unless server.has_handler?(:shell)
+
+          Async do
+            server.dispatch_handler(:shell, channel, @session)
+          end
+
+          true
+        end
+
+        def exec_request(channel, message)
+          return false unless server.has_handler?(:exec)
+
+          Async do
+            server.dispatch_handler(:exec, channel, @session, message.command)
+          end
+
+          true
+        end
+
+        def subsystem_request(channel, message)
+          return false unless server.has_handler?(:subsystem)
+
+          Async do
+            server.dispatch_handler(:subsystem, channel, @session, message.subsystem_name)
+          end
+
+          true
+        end
+
+        def window_change(channel, message)
+          window_change = message.window_change
+
+          channel.update_window(window_change)
+        end
+
+        def signal(channel, message)
+          channel.push_event(message.signal)
+        end
+
+        def x11_request(channel, message)
+          x11 = message.x11
+
+          server.accepts_request?(:x11, channel, single_connection: x11.single_connection, protocol: x11.auth_protocol, cookie: x11.auth_cookie, screen: x11.screen_number)
+        end
+
+        def agent_request(channel)
+          server.accepts_request?(:agent, channel)
+        end
+
+        def global_request(packet)
+          message = Protocol::GlobalRequest.parse(packet)
+
+          accepted = case message.request_type
+          when Heartbeat::KEEPALIVE_REQUEST
+            true
+          when "tcpip-forward"
+            tcpip_forward = message.tcpip_forward
+
+            server.respond_to?(:tcpip_forward?) && server.tcpip_forward?(tcpip_forward.address, tcpip_forward.port)
+          when "cancel-tcpip-forward"
+            tcpip_forward = message.tcpip_forward
+
+            server.respond_to?(:cancel_tcpip_forward?) && server.cancel_tcpip_forward?(tcpip_forward.address, tcpip_forward.port)
+          end
+
+          return unless message.want_reply?
+
+          message = if accepted
+            Protocol::RequestSuccess.new(response_data: "")
+          else
+            Protocol::RequestFailure.new
+          end
+
+          @session.write_packet(message)
+        end
+
+        def disconnect(packet)
+          message = Protocol::Disconnect.parse(packet)
+
+          Logger.info(self, "Client disconnected", reason: message.reason_code, description: message.description)
+        end
+
+        def send_channel_open_confirmation(channel, recipient_channel)
+          message = Protocol::ChannelOpenConfirmation.new(
+            recipient_channel:,
+            sender_channel: channel.id,
+            initial_window_size: config.window_size,
+            maximum_packet_size: config.max_packet_size,
+          )
+
+          @session.write_packet(message)
+        end
+
+        REASON_MAP = {
+          administratively_prohibited: 1,
+          connect_failed: 2,
+          unknown_channel_type: 3,
+          resource_shortage: 4,
+        }
+        DESCRIPTION_MAP = {
+          administratively_prohibited: "Administratively Prohibited",
+          connect_failed: "Connect failed",
+          unknown_channel_type: "Unknown channel type",
+          resource_shortage: "No more resources, sorry :(",
+        }
+        def send_channel_open_failure(recipient_channel, reason)
+          reason_code = REASON_MAP[reason]
+          description = DESCRIPTION_MAP[reason]
+
+          message = Protocol::ChannelOpenFailure.new(recipient_channel:, reason_code:, description:)
+          @session.write_packet(message)
+        end
+      end
+    end
+  end
+end