eximius-net-ssh 6.3.1

data/lib/net/ssh/authentication/methods/keyboard_interactive.rb

@@ -0,0 +1,77 @@
+require 'net/ssh/prompt'
+require 'net/ssh/authentication/methods/abstract'
+
+module Net
+  module SSH
+    module Authentication
+      module Methods
+        # Implements the "keyboard-interactive" SSH authentication method.
+        class KeyboardInteractive < Abstract
+          USERAUTH_INFO_REQUEST  = 60
+          USERAUTH_INFO_RESPONSE = 61
+
+          # Attempt to authenticate the given user for the given service.
+          def authenticate(next_service, username, password = nil)
+            debug { "trying keyboard-interactive" }
+            send_message(userauth_request(username, next_service, "keyboard-interactive", "", ""))
+
+            prompter = nil
+            loop do
+              message = session.next_message
+
+              case message.type
+              when USERAUTH_SUCCESS
+                debug { "keyboard-interactive succeeded" }
+                prompter.success if prompter
+                return true
+              when USERAUTH_FAILURE
+                debug { "keyboard-interactive failed" }
+
+                raise Net::SSH::Authentication::DisallowedMethod unless
+                  message[:authentications].split(/,/).include? 'keyboard-interactive'
+
+                return false unless interactive?
+
+                password = nil
+                debug { "retrying keyboard-interactive" }
+                send_message(userauth_request(username, next_service, "keyboard-interactive", "", ""))
+              when USERAUTH_INFO_REQUEST
+                name = message.read_string
+                instruction = message.read_string
+                debug { "keyboard-interactive info request" }
+
+                if password.nil? && interactive? && prompter.nil?
+                  prompter = prompt.start(type: 'keyboard-interactive', name: name, instruction: instruction)
+                end
+
+                _ = message.read_string # lang_tag
+                responses = []
+
+                message.read_long.times do
+                  text = message.read_string
+                  echo = message.read_bool
+                  password_to_send = password || (prompter && prompter.ask(text, echo))
+                  responses << password_to_send
+                end
+
+                # if the password failed the first time around, don't try
+                # and use it on subsequent requests.
+                password = nil
+
+                msg = Buffer.from(:byte, USERAUTH_INFO_RESPONSE, :long, responses.length, :string, responses)
+                send_message(msg)
+              else
+                raise Net::SSH::Exception, "unexpected reply in keyboard interactive: #{message.type} (#{message.inspect})"
+              end
+            end
+          end
+
+          def interactive?
+            options = session.transport.options || {}
+            !options[:non_interactive]
+          end
+        end
+      end
+    end
+  end
+end

data/lib/net/ssh/authentication/methods/none.rb

@@ -0,0 +1,34 @@
+require 'net/ssh/errors'
+require 'net/ssh/authentication/methods/abstract'
+
+module Net
+  module SSH
+    module Authentication
+      module Methods
+        # Implements the "none" SSH authentication method.
+        class None < Abstract
+          # Attempt to authenticate as "none"
+          def authenticate(next_service, user = "", password = "")
+            send_message(userauth_request(user, next_service, "none"))
+            message = session.next_message
+
+            case message.type
+            when USERAUTH_SUCCESS
+              debug { "none succeeded" }
+              return true
+            when USERAUTH_FAILURE
+              debug { "none failed" }
+
+              raise Net::SSH::Authentication::DisallowedMethod unless
+                message[:authentications].split(/,/).include? 'none'
+
+              return false
+            else
+              raise Net::SSH::Exception, "unexpected reply to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/net/ssh/authentication/methods/password.rb

@@ -0,0 +1,80 @@
+require 'net/ssh/errors'
+require 'net/ssh/prompt'
+require 'net/ssh/authentication/methods/abstract'
+
+module Net
+  module SSH
+    module Authentication
+      module Methods
+        # Implements the "password" SSH authentication method.
+        class Password < Abstract
+          # Attempt to authenticate the given user for the given service. If
+          # the password parameter is nil, this will ask for password
+          def authenticate(next_service, username, password = nil)
+            clear_prompter!
+            retries = 0
+            max_retries = get_max_retries
+            return false if !password && max_retries == 0
+
+            begin
+              password_to_send = password || ask_password(username)
+
+              send_message(userauth_request(username, next_service, "password", false, password_to_send))
+              message = session.next_message
+              retries += 1
+
+              if message.type == USERAUTH_FAILURE
+                debug { "password failed" }
+
+                raise Net::SSH::Authentication::DisallowedMethod unless
+                  message[:authentications].split(/,/).include? 'password'
+
+                password = nil
+              end
+            end until (message.type != USERAUTH_FAILURE || retries >= max_retries)
+
+            case message.type
+            when USERAUTH_SUCCESS
+              debug { "password succeeded" }
+              @prompter.success if @prompter
+              return true
+            when USERAUTH_FAILURE
+              return false
+            when USERAUTH_PASSWD_CHANGEREQ
+              debug { "password change request received, failing" }
+              return false
+            else
+              raise Net::SSH::Exception, "unexpected reply to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
+            end
+          end
+
+          private
+
+          NUMBER_OF_PASSWORD_PROMPTS = 3
+
+          def clear_prompter!
+            @prompt_info = nil
+            @prompter = nil
+          end
+
+          def ask_password(username)
+            host = session.transport.host
+            prompt_info = { type: 'password', user: username, host: host }
+            if @prompt_info != prompt_info
+              @prompt_info = prompt_info
+              @prompter = prompt.start(prompt_info)
+            end
+            echo = false
+            @prompter.ask("#{username}@#{host}'s password:", echo)
+          end
+
+          def get_max_retries
+            options = session.transport.options || {}
+            result = options[:number_of_password_prompts] || NUMBER_OF_PASSWORD_PROMPTS
+            options[:non_interactive] ? 0 : result
+          end
+        end
+      end
+    end
+  end
+end

data/lib/net/ssh/authentication/methods/publickey.rb

@@ -0,0 +1,137 @@
+require 'net/ssh/buffer'
+require 'net/ssh/errors'
+require 'net/ssh/authentication/methods/abstract'
+
+module Net
+  module SSH
+    module Authentication
+      module Methods
+        # Implements the "publickey" SSH authentication method.
+        class Publickey < Abstract
+          # Attempts to perform public-key authentication for the given
+          # username, trying each identity known to the key manager. If any of
+          # them succeed, returns +true+, otherwise returns +false+. This
+          # requires the presence of a key manager.
+          def authenticate(next_service, username, password = nil)
+            return false unless key_manager
+
+            key_manager.each_identity do |identity|
+              return true if authenticate_with(identity, next_service, username)
+            end
+
+            return false
+          end
+
+          private
+
+          # Builds a packet that contains the request formatted for sending
+          # a public-key request to the server.
+          def build_request(pub_key, username, next_service, alg, has_sig)
+            blob = Net::SSH::Buffer.new
+            blob.write_key pub_key
+
+            userauth_request(username, next_service, "publickey", has_sig,
+                             alg, blob.to_s)
+          end
+
+          # Builds and sends a request formatted for a public-key
+          # authentication request.
+          def send_request(pub_key, username, next_service, alg, signature = nil)
+            msg = build_request(pub_key, username, next_service, alg,
+                                !signature.nil?)
+            msg.write_string(signature) if signature
+            send_message(msg)
+          end
+
+          def authenticate_with_alg(identity, next_service, username, alg, sig_alg = nil)
+            debug { "trying publickey (#{identity.fingerprint})" }
+            send_request(identity, username, next_service, alg)
+
+            message = session.next_message
+
+            case message.type
+            when USERAUTH_PK_OK
+              buffer = build_request(identity, username, next_service, alg,
+                                     true)
+              sig_data = Net::SSH::Buffer.new
+              sig_data.write_string(session_id)
+              sig_data.append(buffer.to_s)
+
+              sig_blob = key_manager.sign(identity, sig_data, sig_alg)
+
+              send_request(identity, username, next_service, alg, sig_blob.to_s)
+              message = session.next_message
+
+              case message.type
+              when USERAUTH_SUCCESS
+                debug { "publickey succeeded (#{identity.fingerprint})" }
+                return true
+              when USERAUTH_FAILURE
+                debug { "publickey failed (#{identity.fingerprint})" }
+
+                raise Net::SSH::Authentication::DisallowedMethod unless
+                  message[:authentications].split(/,/).include? 'publickey'
+
+                return false
+              else
+                raise Net::SSH::Exception,
+                      "unexpected server response to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
+              end
+
+            when USERAUTH_FAILURE
+              return false
+            when USERAUTH_SUCCESS
+              return true
+
+            else
+              raise Net::SSH::Exception, "unexpected reply to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
+            end
+          end
+
+          # Attempts to perform public-key authentication for the given
+          # username, with the given identity (public key). Returns +true+ if
+          # successful, or +false+ otherwise.
+          def authenticate_with(identity, next_service, username)
+            type = identity.ssh_type
+            if type == "ssh-rsa"
+              pubkey_algorithms.each do |pk_alg|
+                case pk_alg
+                when "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"
+                  if authenticate_with_alg(identity, next_service, username, pk_alg, pk_alg)
+                    # success
+                    return true
+                  end
+                end
+              end
+            elsif type == "ssh-rsa-cert-v01@openssh.com"
+              pubkey_algorithms.each do |pk_alg|
+                case pk_alg
+                when "rsa-sha2-512-cert-v01@openssh.com"
+                  if authenticate_with_alg(identity, next_service, username, pk_alg, "rsa-sha2-512")
+                    # success
+                    return true
+                  end
+                when "rsa-sha2-256-cert-v01@openssh.com"
+                  if authenticate_with_alg(identity, next_service, username, pk_alg, "rsa-sha2-256")
+                    # success
+                    return true
+                  end
+                when "ssh-rsa-cert-v01@openssh.com"
+                  if authenticate_with_alg(identity, next_service, username, pk_alg)
+                    # success
+                    return true
+                  end
+                end
+              end
+            elsif authenticate_with_alg(identity, next_service, username, type)
+              # success
+              return true
+            end
+            # failure
+            return false
+          end
+        end
+      end
+    end
+  end
+end