ddollar-net-ssh 2.0.1

data/lib/net/ssh/authentication/methods/keyboard_interactive.rb

@@ -0,0 +1,66 @@
+require 'net/ssh/prompt'
+require 'net/ssh/authentication/methods/abstract'
+
+module Net
+  module SSH
+    module Authentication
+      module Methods
+
+        # Implements the "keyboard-interactive" SSH authentication method.
+        class KeyboardInteractive < Abstract
+          include Prompt
+
+          USERAUTH_INFO_REQUEST  = 60
+          USERAUTH_INFO_RESPONSE = 61
+
+          # Attempt to authenticate the given user for the given service.
+          def authenticate(next_service, username, password=nil)
+            debug { "trying keyboard-interactive" }
+            send_message(userauth_request(username, next_service, "keyboard-interactive", "", ""))
+
+            loop do
+              message = session.next_message
+
+              case message.type
+              when USERAUTH_SUCCESS
+                debug { "keyboard-interactive succeeded" }
+                return true
+              when USERAUTH_FAILURE
+                debug { "keyboard-interactive failed" }
+                return false
+              when USERAUTH_INFO_REQUEST
+                name = message.read_string
+                instruction = message.read_string
+                debug { "keyboard-interactive info request" }
+
+                unless password
+                  puts(name) unless name.empty?
+                  puts(instruction) unless instruction.empty?
+                end
+
+                lang_tag = message.read_string
+                responses =[]
+  
+                message.read_long.times do
+                  text = message.read_string
+                  echo = message.read_bool
+                  responses << (password || prompt(text, echo))
+                end
+
+                # if the password failed the first time around, don't try
+                # and use it on subsequent requests.
+                password = nil
+
+                msg = Buffer.from(:byte, USERAUTH_INFO_RESPONSE, :long, responses.length, :string, responses)
+                send_message(msg)
+              else
+                raise Net::SSH::Exception, "unexpected reply in keyboard interactive: #{message.type} (#{message.inspect})"
+              end
+            end
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/net/ssh/authentication/methods/password.rb

@@ -0,0 +1,39 @@
+require 'net/ssh/errors'
+require 'net/ssh/authentication/methods/abstract'
+
+module Net
+  module SSH
+    module Authentication
+      module Methods
+
+        # Implements the "password" SSH authentication method.
+        class Password < Abstract
+          # Attempt to authenticate the given user for the given service. If
+          # the password parameter is nil, this will never do anything except
+          # return false.
+          def authenticate(next_service, username, password=nil)
+            return false unless password
+
+            send_message(userauth_request(username, next_service, "password", false, password))
+            message = session.next_message
+
+            case message.type
+              when USERAUTH_SUCCESS
+                debug { "password succeeded" }
+                return true
+              when USERAUTH_FAILURE
+                debug { "password failed" }
+                return false
+              when USERAUTH_PASSWD_CHANGEREQ
+                debug { "password change request received, failing" }
+                return false
+              else
+                raise Net::SSH::Exception, "unexpected reply to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
+            end
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/net/ssh/authentication/methods/publickey.rb

@@ -0,0 +1,92 @@
+require 'net/ssh/buffer'
+require 'net/ssh/errors'
+require 'net/ssh/authentication/methods/abstract'
+
+module Net
+  module SSH
+    module Authentication
+      module Methods
+
+        # Implements the "publickey" SSH authentication method.
+        class Publickey < Abstract
+          # Attempts to perform public-key authentication for the given
+          # username, trying each identity known to the key manager. If any of
+          # them succeed, returns +true+, otherwise returns +false+. This
+          # requires the presence of a key manager.
+          def authenticate(next_service, username, password=nil)
+            return false unless key_manager
+
+            key_manager.identities.each do |identity|
+              return true if authenticate_with(identity, next_service, username)
+            end
+
+            return false
+          end
+
+          private
+
+            # Builds a packet that contains the request formatted for sending
+            # a public-key request to the server.
+            def build_request(pub_key, username, next_service, has_sig)
+              blob = Net::SSH::Buffer.new
+              blob.write_key pub_key
+
+              userauth_request(username, next_service, "publickey", has_sig,
+                pub_key.ssh_type, blob.to_s)
+            end
+
+            # Builds and sends a request formatted for a public-key
+            # authentication request.
+            def send_request(pub_key, username, next_service, signature=nil)
+              msg = build_request(pub_key, username, next_service, !signature.nil?)
+              msg.write_string(signature) if signature
+              send_message(msg)
+            end
+
+            # Attempts to perform public-key authentication for the given
+            # username, with the given identity (public key). Returns +true+ if
+            # successful, or +false+ otherwise.
+            def authenticate_with(identity, next_service, username)
+              debug { "trying publickey (#{identity.fingerprint})" }
+              send_request(identity, username, next_service)
+
+              message = session.next_message
+
+              case message.type
+                when USERAUTH_PK_OK
+                  buffer = build_request(identity, username, next_service, true)
+                  sig_data = Net::SSH::Buffer.new
+                  sig_data.write_string(session_id)
+                  sig_data.append(buffer.to_s)
+
+                  sig_blob = key_manager.sign(identity, sig_data)
+
+                  send_request(identity, username, next_service, sig_blob.to_s)
+                  message = session.next_message
+
+                  case message.type
+                    when USERAUTH_SUCCESS
+                      debug { "publickey succeeded (#{identity.fingerprint})" }
+                      return true
+                    when USERAUTH_FAILURE
+                      debug { "publickey failed (#{identity.fingerprint})" }
+                      return false
+                    else
+                      raise Net::SSH::Exception,
+                        "unexpected server response to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
+                  end
+
+                when USERAUTH_FAILURE
+                  return false
+
+                else
+                  raise Net::SSH::Exception, "unexpected reply to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
+              end
+            end
+
+        end
+
+      end
+    end
+  end
+end

data/lib/net/ssh/authentication/pageant.rb

@@ -0,0 +1,176 @@
+require 'dl/import'
+require 'dl/struct'
+
+require 'net/ssh/errors'
+
+module Net; module SSH; module Authentication
+
+  # This module encapsulates the implementation of a socket factory that
+  # uses the PuTTY "pageant" utility to obtain information about SSH
+  # identities.
+  #
+  # This code is a slightly modified version of the original implementation
+  # by Guillaume Mar�ais (guillaume.marcais@free.fr). It is used and
+  # relicensed by permission.
+  module Pageant
+
+    # From Putty pageant.c
+    AGENT_MAX_MSGLEN = 8192
+    AGENT_COPYDATA_ID = 0x804e50ba
+    
+    # The definition of the Windows methods and data structures used in
+    # communicating with the pageant process.
+    module Win
+      extend DL::Importable
+      
+      dlload 'user32'
+      dlload 'kernel32'
+      
+      typealias("LPCTSTR", "char *")         # From winnt.h
+      typealias("LPVOID", "void *")          # From winnt.h
+      typealias("LPCVOID", "const void *")   # From windef.h
+      typealias("LRESULT", "long")           # From windef.h
+      typealias("WPARAM", "unsigned int *")  # From windef.h
+      typealias("LPARAM", "long *")          # From windef.h
+      typealias("PDWORD_PTR", "long *")      # From basetsd.h
+
+      # From winbase.h, winnt.h
+      INVALID_HANDLE_VALUE = -1
+      NULL = nil
+      PAGE_READWRITE = 0x0004
+      FILE_MAP_WRITE = 2
+      WM_COPYDATA = 74
+
+      SMTO_NORMAL = 0   # From winuser.h
+
+      # args: lpClassName, lpWindowName
+      extern 'HWND FindWindow(LPCTSTR, LPCTSTR)'
+
+      # args: none
+      extern 'DWORD GetCurrentThreadId()'
+
+      # args: hFile, (ignored), flProtect, dwMaximumSizeHigh,
+      #           dwMaximumSizeLow, lpName
+      extern 'HANDLE CreateFileMapping(HANDLE, void *, DWORD, DWORD, ' +
+                                      'DWORD, LPCTSTR)'
+
+      # args: hFileMappingObject, dwDesiredAccess, dwFileOffsetHigh, 
+      #           dwfileOffsetLow, dwNumberOfBytesToMap
+      extern 'LPVOID MapViewOfFile(HANDLE, DWORD, DWORD, DWORD, DWORD)'
+
+      # args: lpBaseAddress
+      extern 'BOOL UnmapViewOfFile(LPCVOID)'
+
+      # args: hObject
+      extern 'BOOL CloseHandle(HANDLE)'
+
+      # args: hWnd, Msg, wParam, lParam, fuFlags, uTimeout, lpdwResult
+      extern 'LRESULT SendMessageTimeout(HWND, UINT, WPARAM, LPARAM, ' +
+                                        'UINT, UINT, PDWORD_PTR)'
+    end
+
+    # This is the pseudo-socket implementation that mimics the interface of
+    # a socket, translating each request into a Windows messaging call to
+    # the pageant daemon. This allows pageant support to be implemented
+    # simply by replacing the socket factory used by the Agent class.
+    class Socket
+
+      private_class_method :new
+
+      # The factory method for creating a new Socket instance. The location
+      # parameter is ignored, and is only needed for compatibility with
+      # the general Socket interface.
+      def self.open(location=nil)
+        new
+      end
+
+      # Create a new instance that communicates with the running pageant 
+      # instance. If no such instance is running, this will cause an error.
+      def initialize
+        @win = Win.findWindow("Pageant", "Pageant")
+
+        if @win == 0
+          raise Net::SSH::Exception,
+            "pageant process not running"
+        end
+
+        @res = nil
+        @pos = 0
+      end
+      
+      # Forwards the data to #send_query, ignoring any arguments after
+      # the first. Returns 0.
+      def send(data, *args)
+        @res = send_query(data)
+        @pos = 0
+      end
+
+      # Packages the given query string and sends it to the pageant
+      # process via the Windows messaging subsystem. The result is
+      # cached, to be returned piece-wise when #read is called.
+      def send_query(query)
+        res = nil
+        filemap = 0
+        ptr = nil
+        id = DL::PtrData.malloc(DL.sizeof("L"))
+
+        mapname = "PageantRequest%08x\000" % Win.getCurrentThreadId()
+        filemap = Win.createFileMapping(Win::INVALID_HANDLE_VALUE, 
+                                        Win::NULL,
+                                        Win::PAGE_READWRITE, 0, 
+                                        AGENT_MAX_MSGLEN, mapname)
+        if filemap == 0
+          raise Net::SSH::Exception,
+            "Creation of file mapping failed"
+        end
+
+        ptr = Win.mapViewOfFile(filemap, Win::FILE_MAP_WRITE, 0, 0, 
+                                AGENT_MAX_MSGLEN)
+
+        if ptr.nil? || ptr.null?
+          raise Net::SSH::Exception, "Mapping of file failed"
+        end
+
+        ptr[0] = query
+        
+        cds = [AGENT_COPYDATA_ID, mapname.size + 1, mapname].
+          pack("LLp").to_ptr
+        succ = Win.sendMessageTimeout(@win, Win::WM_COPYDATA, Win::NULL,
+          cds, Win::SMTO_NORMAL, 5000, id)
+
+        if succ > 0
+          retlen = 4 + ptr.to_s(4).unpack("N")[0]
+          res = ptr.to_s(retlen)
+        end        
+
+        return res
+      ensure
+        Win.unmapViewOfFile(ptr) unless ptr.nil? || ptr.null?
+        Win.closeHandle(filemap) if filemap != 0
+      end
+
+      # Conceptually close the socket. This doesn't really do anthing
+      # significant, but merely complies with the Socket interface.
+      def close
+        @res = nil
+        @pos = 0
+      end
+
+      # Reads +n+ bytes from the cached result of the last query. If +n+
+      # is +nil+, returns all remaining data from the last query.
+      def read(n = nil)
+        return nil unless @res
+        if n.nil?
+          start, @pos = @pos, @res.size
+          return @res[start..-1]
+        else
+          start, @pos = @pos, @pos + n
+          return @res[start, n]
+        end
+      end
+
+    end
+
+  end
+
+end; end; end

data/lib/net/ssh/authentication/session.rb

@@ -0,0 +1,127 @@
+require 'net/ssh/loggable'
+require 'net/ssh/transport/constants'
+require 'net/ssh/authentication/constants'
+require 'net/ssh/authentication/key_manager'
+require 'net/ssh/authentication/methods/publickey'
+require 'net/ssh/authentication/methods/hostbased'
+require 'net/ssh/authentication/methods/password'
+require 'net/ssh/authentication/methods/keyboard_interactive'
+
+module Net; module SSH; module Authentication
+
+  # Represents an authentication session. It manages the authentication of
+  # a user over an established connection (the "transport" object, see
+  # Net::SSH::Transport::Session).
+  #
+  # The use of an authentication session to manage user authentication is
+  # internal to Net::SSH (specifically Net::SSH.start). Consumers of the
+  # Net::SSH library will never need to access this class directly.
+  class Session
+    include Transport::Constants, Constants, Loggable
+
+    # transport layer abstraction
+    attr_reader :transport
+
+    # the list of authentication methods to try
+    attr_reader :auth_methods
+
+    # the list of authentication methods that are allowed
+    attr_reader :allowed_auth_methods
+
+    # a hash of options, given at construction time
+    attr_reader :options
+
+    # Instantiates a new Authentication::Session object over the given
+    # transport layer abstraction.
+    def initialize(transport, options={})
+      self.logger = transport.logger
+      @transport = transport
+
+      @auth_methods = options[:auth_methods] || %w(publickey hostbased password keyboard-interactive)
+      @options = options
+
+      @allowed_auth_methods = @auth_methods
+    end
+
+    # Attempts to authenticate the given user, in preparation for the next
+    # service request. Returns true if an authentication method succeeds in
+    # authenticating the user, and false otherwise.
+    def authenticate(next_service, username, password=nil)
+      debug { "beginning authentication of `#{username}'" }
+
+      transport.send_message(transport.service_request("ssh-userauth"))
+      message = expect_message(SERVICE_ACCEPT)
+
+      key_manager = KeyManager.new(logger, options)
+      keys.each { |key| key_manager.add(key) }
+
+      attempted = []
+
+      @auth_methods.each do |name|
+        next unless @allowed_auth_methods.include?(name)
+        attempted << name
+
+        debug { "trying #{name}" }
+        method = Methods.const_get(name.split(/\W+/).map { |p| p.capitalize }.join).new(self, :key_manager => key_manager)
+
+        return true if method.authenticate(next_service, username, password)
+      end
+
+      error { "all authorization methods failed (tried #{attempted.join(', ')})" }
+      return false
+    ensure
+      key_manager.finish if key_manager
+    end
+
+    # Blocks until a packet is received. It silently handles USERAUTH_BANNER
+    # packets, and will raise an error if any packet is received that is not
+    # valid during user authentication.
+    def next_message
+      loop do
+        packet = transport.next_message
+
+        case packet.type
+        when USERAUTH_BANNER
+          info { packet[:message] }
+          # TODO add a hook for people to retrieve the banner when it is sent
+
+        when USERAUTH_FAILURE
+          @allowed_auth_methods = packet[:authentications].split(/,/)
+          debug { "allowed methods: #{packet[:authentications]}" }
+          return packet
+
+        when USERAUTH_METHOD_RANGE, SERVICE_ACCEPT
+          return packet
+
+        when USERAUTH_SUCCESS
+          transport.hint :authenticated
+          return packet
+
+        else
+          raise Net::SSH::Exception, "unexpected message #{packet.type} (#{packet})"
+        end
+      end
+    end
+
+    # Blocks until a packet is received, and returns it if it is of the given
+    # type. If it is not, an exception is raised.
+    def expect_message(type)
+      message = next_message
+      unless message.type == type
+        raise Net::SSH::Exception, "expected #{type}, got #{message.type} (#{message})"
+      end
+      message
+    end
+
+    private
+
+      # Returns an array of paths to the key files that should be used when
+      # attempting any key-based authentication mechanism.
+      def keys
+        Array(
+          options[:keys] ||
+          %w(~/.ssh/id_dsa ~/.ssh/id_rsa ~/.ssh2/id_dsa ~/.ssh2/id_rsa)
+        )
+      end
+  end
+end; end; end