RubyGems - hrr_rb_ssh - Versions diffs - 0.3.0.pre1 → 0.4.2 - Mend

hrr_rb_ssh 0.3.0.pre1 → 0.4.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (139) hide show

data/lib/hrr_rb_ssh/algorithm/publickey/ecdsa_sha2/signature.rb CHANGED Viewed

@@ -8,10 +8,8 @@ module HrrRbSsh
   module Algorithm
     class Publickey
       module EcdsaSha2
-        module Signature
-          class << self
-            include Codable
-          end
+        class Signature
+          include Codable
           DEFINITION = [
             [DataType::String, :'public key algorithm name'],
             [DataType::String, :'ecdsa signature blob'],

data/lib/hrr_rb_ssh/algorithm/publickey/ssh_dss.rb CHANGED Viewed

@@ -1,16 +1,19 @@
 # coding: utf-8
 # vim: et ts=2 sw=2
-require 'hrr_rb_ssh/logger'
+require 'hrr_rb_ssh/loggable'
 module HrrRbSsh
   module Algorithm
     class Publickey
       class SshDss < Publickey
+        include Loggable
         NAME = 'ssh-dss'
         DIGEST = 'sha1'
-        def initialize arg
+        def initialize arg, logger: nil
+          self.logger = logger
           begin
             new_by_key_str arg
           rescue OpenSSL::PKey::DSAError
@@ -23,7 +26,7 @@ module HrrRbSsh
         end
         def new_by_public_key_blob public_key_blob
-          public_key_blob_h = PublicKeyBlob.decode(public_key_blob)
+          public_key_blob_h = PublicKeyBlob.new(logger: logger).decode public_key_blob
           @publickey = OpenSSL::PKey::DSA.new
           if @publickey.respond_to?(:set_pqg)
             @publickey.set_pqg public_key_blob_h[:'p'], public_key_blob_h[:'q'], public_key_blob_h[:'g']
@@ -51,24 +54,24 @@ module HrrRbSsh
             :'g'                         => @publickey.g.to_i,
             :'y'                         => @publickey.pub_key.to_i,
           }
-          PublicKeyBlob.encode(public_key_blob_h)
+          PublicKeyBlob.new(logger: logger).encode public_key_blob_h
         end
         def sign signature_blob
           hash = OpenSSL::Digest.digest(self.class::DIGEST, signature_blob)
           sign_der = @publickey.syssign(hash)
-          sign_asn1 = OpenSSL::ASN1.decode(sign_der)
+          sign_asn1 = OpenSSL::ASN1.decode sign_der
           sign_r = sign_asn1.value[0].value.to_s(2).rjust(20, ["00"].pack("H"))
           sign_s = sign_asn1.value[1].value.to_s(2).rjust(20, ["00"].pack("H"))
           signature_h = {
             :'public key algorithm name' => self.class::NAME,
             :'signature blob'            => (sign_r + sign_s),
           }
-          Signature.encode signature_h
+          Signature.new(logger: logger).encode signature_h
         end
         def verify signature, signature_blob
-          signature_h = Signature.decode signature
+          signature_h = Signature.new(logger: logger).decode signature
           sign_r = signature_h[:'signature blob'][ 0, 20]
           sign_s = signature_h[:'signature blob'][20, 20]
           sign_asn1 = OpenSSL::ASN1::Sequence.new(

data/lib/hrr_rb_ssh/algorithm/publickey/ssh_dss/public_key_blob.rb CHANGED Viewed

@@ -8,10 +8,8 @@ module HrrRbSsh
   module Algorithm
     class Publickey
       class SshDss
-        module PublicKeyBlob
-          class << self
-            include Codable
-          end
+        class PublicKeyBlob
+          include Codable
           DEFINITION = [
             [DataType::String, :'public key algorithm name'],
             [DataType::Mpint,  :'p'],

data/lib/hrr_rb_ssh/algorithm/publickey/ssh_dss/signature.rb CHANGED Viewed

@@ -8,10 +8,8 @@ module HrrRbSsh
   module Algorithm
     class Publickey
       class SshDss
-        module Signature
-          class << self
-            include Codable
-          end
+        class Signature
+          include Codable
           DEFINITION = [
             [DataType::String, :'public key algorithm name'],
             [DataType::String, :'signature blob'],

data/lib/hrr_rb_ssh/algorithm/publickey/ssh_rsa.rb CHANGED Viewed

@@ -1,16 +1,19 @@
 # coding: utf-8
 # vim: et ts=2 sw=2
-require 'hrr_rb_ssh/logger'
+require 'hrr_rb_ssh/loggable'
 module HrrRbSsh
   module Algorithm
     class Publickey
       class SshRsa < Publickey
+        include Loggable
         NAME = 'ssh-rsa'
         DIGEST = 'sha1'
-        def initialize arg
+        def initialize arg, logger: nil
+          self.logger = logger
           begin
             new_by_key_str arg
           rescue OpenSSL::PKey::RSAError
@@ -23,7 +26,7 @@ module HrrRbSsh
         end
         def new_by_public_key_blob public_key_blob
-          public_key_blob_h = PublicKeyBlob.decode(public_key_blob)
+          public_key_blob_h = PublicKeyBlob.new(logger: logger).decode public_key_blob
           @publickey = OpenSSL::PKey::RSA.new
           if @publickey.respond_to?(:set_key)
             @publickey.set_key public_key_blob_h[:'n'], public_key_blob_h[:'e'], nil
@@ -43,7 +46,7 @@ module HrrRbSsh
             :'e'                         => @publickey.e.to_i,
             :'n'                         => @publickey.n.to_i,
           }
-          PublicKeyBlob.encode(public_key_blob_h)
+          PublicKeyBlob.new(logger: logger).encode public_key_blob_h
         end
         def sign signature_blob
@@ -51,11 +54,11 @@ module HrrRbSsh
             :'public key algorithm name' => self.class::NAME,
             :'signature blob'            => @publickey.sign(self.class::DIGEST, signature_blob),
           }
-          Signature.encode signature_h
+          Signature.new(logger: logger).encode signature_h
         end
         def verify signature, signature_blob
-          signature_h = Signature.decode signature
+          signature_h = Signature.new(logger: logger).decode signature
           signature_h[:'public key algorithm name'] == self.class::NAME && @publickey.verify(self.class::DIGEST, signature_h[:'signature blob'], signature_blob)
         end
       end

data/lib/hrr_rb_ssh/algorithm/publickey/ssh_rsa/public_key_blob.rb CHANGED Viewed

@@ -8,10 +8,8 @@ module HrrRbSsh
   module Algorithm
     class Publickey
       class SshRsa
-        module PublicKeyBlob
-          class << self
-            include Codable
-          end
+        class PublicKeyBlob
+          include Codable
           DEFINITION = [
             [DataType::String, :'public key algorithm name'],
             [DataType::Mpint,  :'e'],

data/lib/hrr_rb_ssh/algorithm/publickey/ssh_rsa/signature.rb CHANGED Viewed

@@ -8,10 +8,8 @@ module HrrRbSsh
   module Algorithm
     class Publickey
       class SshRsa
-        module Signature
-          class << self
-            include Codable
-          end
+        class Signature
+          include Codable
           DEFINITION = [
             [DataType::String, :'public key algorithm name'],
             [DataType::String, :'signature blob'],

data/lib/hrr_rb_ssh/authentication.rb CHANGED Viewed

@@ -1,27 +1,31 @@
 # coding: utf-8
 # vim: et ts=2 sw=2
-require 'hrr_rb_ssh/logger'
+require 'hrr_rb_ssh/loggable'
 require 'hrr_rb_ssh/message'
 require 'hrr_rb_ssh/error/closed_authentication'
+require 'hrr_rb_ssh/authentication/constant'
 require 'hrr_rb_ssh/authentication/authenticator'
 require 'hrr_rb_ssh/authentication/method'
 module HrrRbSsh
   class Authentication
-    SERVICE_NAME = 'ssh-userauth'
+    include Loggable
+    include Constant
+    def initialize transport, mode, options={}, logger: nil
+      self.logger = logger
-    def initialize transport, options={}
       @transport = transport
+      @mode = mode
       @options = options
-      @logger = Logger.new self.class.name
       @transport.register_acceptable_service SERVICE_NAME
       @closed = nil
       @username = nil
+      @variables = {}
     end
     def send payload
@@ -29,6 +33,7 @@ module HrrRbSsh
       begin
         @transport.send payload
       rescue Error::ClosedTransport
+        close
         raise Error::ClosedAuthentication
       end
     end
@@ -38,19 +43,28 @@ module HrrRbSsh
       begin
         @transport.receive
       rescue Error::ClosedTransport
+        close
         raise Error::ClosedAuthentication
       end
     end
     def start
-      @transport.start
-      authenticate
+      log_info { "start authentication" }
+      begin
+        @transport.start
+        authenticate
+      rescue Error::ClosedTransport
+        close
+        raise Error::ClosedAuthentication
+      end
     end
     def close
       return if @closed
+      log_info { "close authentication" }
       @closed = true
       @transport.close
+      log_info { "authentication closed" }
     end
     def closed?
@@ -62,43 +76,110 @@ module HrrRbSsh
       @username
     end
+    def variables
+      raise Error::ClosedAuthentication if @closed
+      @variables
+    end
     def authenticate
+      case @mode
+      when Mode::SERVER
+        respond_to_authentication
+      when Mode::CLIENT
+        request_authentication
+      end
+    end
+    def respond_to_authentication
+      authentication_methods = (@options['authentication_preferred_authentication_methods'].dup rescue nil) || Method.list_preferred # rescue nil.dup for Ruby version < 2.4
+      log_info { "preferred authentication methods: #{authentication_methods}" }
       loop do
         payload = @transport.receive
         case payload[0,1].unpack("C")[0]
         when Message::SSH_MSG_USERAUTH_REQUEST::VALUE
-          userauth_request_message = Message::SSH_MSG_USERAUTH_REQUEST.decode payload
+          userauth_request_message = Message::SSH_MSG_USERAUTH_REQUEST.new(logger: logger).decode payload
           method_name = userauth_request_message[:'method name']
-          method = Method[method_name].new(@transport, {'session id' => @transport.session_id}.merge(@options))
+          log_info { "authentication method: #{method_name}" }
+          method = Method[method_name].new(@transport, {'session id' => @transport.session_id}.merge(@options), @variables, authentication_methods, logger: logger)
           result = method.authenticate(userauth_request_message)
           case result
-          when TrueClass
-            @logger.info { "verified" }
+          when true, SUCCESS
+            log_info { "verified" }
             send_userauth_success
             @username = userauth_request_message[:'user name']
             @closed = false
             break
-          when FalseClass
-            @logger.info { "verify failed" }
-            send_userauth_failure
+          when PARTIAL_SUCCESS
+            log_info { "partially verified" }
+            authentication_methods.delete method_name
+            log_info { "authentication methods that can continue: #{authentication_methods}" }
+            if authentication_methods.empty?
+              log_info { "verified" }
+              send_userauth_success
+              @username = userauth_request_message[:'user name']
+              @closed = false
+              break
+            else
+              log_info { "continue" }
+              send_userauth_failure authentication_methods, true
+            end
           when String
-            @logger.info { "send method specific message to continue" }
+            log_info { "send method specific message to continue" }
             send_method_specific_message result
+          else # when false, FAILURE
+            log_info { "verify failed" }
+            send_userauth_failure authentication_methods, false
           end
         else
-          @closed = true
-          raise
+          close
+          raise Error::ClosedAuthentication
+        end
+      end
+    end
+    def request_authentication
+      authentication_methods = (@options['authentication_preferred_authentication_methods'].dup rescue nil) || Method.list_preferred # rescue nil.dup for Ruby version < 2.4
+      log_info { "preferred authentication methods: #{authentication_methods}" }
+      next_method_name = "none"
+      log_info { "authentication request begins with none method" }
+      loop do
+        log_info { "authentication method: #{next_method_name}" }
+        method = Method[next_method_name].new(@transport, {'session id' => @transport.session_id}.merge(@options), @variables, authentication_methods, logger: logger)
+        payload = method.request_authentication @options['username'], "ssh-connection"
+        case payload[0,1].unpack("C")[0]
+        when Message::SSH_MSG_USERAUTH_SUCCESS::VALUE
+          log_info { "verified" }
+          @username = @options['username']
+          @closed = false
+          break
+        when Message::SSH_MSG_USERAUTH_FAILURE::VALUE
+          message = Message::SSH_MSG_USERAUTH_FAILURE.new(logger: logger).decode payload
+          partial_success = message[:'partial success']
+          if partial_success
+            log_info { "partially verified" }
+          end
+          authentication_methods_that_can_continue = message[:'authentications that can continue']
+          log_info { "authentication methods that can continue: #{authentication_methods_that_can_continue}" }
+          next_method_name = authentication_methods.find{ |local_m| authentication_methods_that_can_continue.find{ |remote_m| local_m == remote_m } }
+          if next_method_name
+            authentication_methods.delete next_method_name
+            log_info { "continue" }
+          else
+            log_info { "no more available authentication methods" }
+            @closed = true
+            raise "failed authentication"
+          end
         end
       end
     end
-    def send_userauth_failure
+    def send_userauth_failure authentication_methods, partial_success
       message = {
         :'message number'                    => Message::SSH_MSG_USERAUTH_FAILURE::VALUE,
-        :'authentications that can continue' => Method.list_preferred,
-        :'partial success'                   => false,
+        :'authentications that can continue' => authentication_methods,
+        :'partial success'                   => partial_success,
       }
-      payload = Message::SSH_MSG_USERAUTH_FAILURE.encode message
+      payload = Message::SSH_MSG_USERAUTH_FAILURE.new(logger: logger).encode message
       @transport.send payload
     end
@@ -106,7 +187,7 @@ module HrrRbSsh
       message = {
         :'message number' => Message::SSH_MSG_USERAUTH_SUCCESS::VALUE,
       }
-      payload = Message::SSH_MSG_USERAUTH_SUCCESS.encode message
+      payload = Message::SSH_MSG_USERAUTH_SUCCESS.new(logger: logger).encode message
       @transport.send payload
     end

data/lib/hrr_rb_ssh/authentication/constant.rb ADDED Viewed

@@ -0,0 +1,14 @@
+# coding: utf-8
+# vim: et ts=2 sw=2
+module HrrRbSsh
+  class Authentication
+    module Constant
+      SERVICE_NAME = 'ssh-userauth'
+      SUCCESS         = :success
+      PARTIAL_SUCCESS = :partial_success
+      FAILURE         = :failure
+    end
+  end
+end

data/lib/hrr_rb_ssh/authentication/method/keyboard_interactive.rb CHANGED Viewed

@@ -1,29 +1,66 @@
 # coding: utf-8
 # vim: et ts=2 sw=2
-require 'hrr_rb_ssh/logger'
+require 'hrr_rb_ssh/loggable'
 module HrrRbSsh
   class Authentication
     class Method
       class KeyboardInteractive < Method
+        include Loggable
         NAME = 'keyboard-interactive'
         PREFERENCE = 30
-        def initialize transport, options
-          @logger = Logger.new(self.class.name)
+        def initialize transport, options, variables, authentication_methods, logger: nil
+          self.logger = logger
           @transport = transport
-          @authenticator = options.fetch( 'authentication_keyboard_interactive_authenticator', Authenticator.new { false } )
+          @options = options
+          @authenticator = options.fetch( 'authentication_keyboard_interactive_authenticator', Authenticator.new{ false } )
+          @variables = variables
+          @authentication_methods = authentication_methods
         end
         def authenticate userauth_request_message
-          @logger.info { "authenticate" }
-          @logger.debug { "userauth request: " + userauth_request_message.inspect }
+          log_info { "authenticate" }
           username = userauth_request_message[:'user name']
           submethods = userauth_request_message[:'submethods']
-          context = Context.new(@transport, username, submethods)
+          context = Context.new(@transport, username, submethods, @variables, @authentication_methods, logger: logger)
           @authenticator.authenticate context
         end
+        def request_authentication username, service_name
+          message = {
+            :'message number' => Message::SSH_MSG_USERAUTH_REQUEST::VALUE,
+            :"user name"      => username,
+            :"service name"   => service_name,
+            :"method name"    => NAME,
+            :"language tag"   => "",
+            :'submethods'     => "",
+          }
+          payload = Message::SSH_MSG_USERAUTH_REQUEST.new(logger: logger).encode message
+          @transport.send payload
+          payload = @transport.receive
+          case payload[0,1].unpack("C")[0]
+          when Message::SSH_MSG_USERAUTH_INFO_REQUEST::VALUE
+            message = Message::SSH_MSG_USERAUTH_INFO_REQUEST.new(logger: logger).decode payload
+            num_responses = @options['client_authentication_keyboard_interactive'].size
+            message = {
+              :'message number' => Message::SSH_MSG_USERAUTH_INFO_RESPONSE::VALUE,
+              :'num-responses'  => num_responses,
+            }
+            message_responses = @options['client_authentication_keyboard_interactive'].map.with_index{ |response, i|
+              {:"response[#{i+1}]" => response}
+            }.inject(Hash.new){ |a, b| a.merge(b) }
+            message.update(message_responses)
+            payload = Message::SSH_MSG_USERAUTH_INFO_RESPONSE.new(logger: logger).encode message
+            @transport.send payload
+            @transport.receive
+          else
+            payload
+          end
+        end
       end
     end
   end