RubyGems - hrr_rb_ssh - Versions diffs - 0.3.0.pre1 → 0.4.2 - Mend

hrr_rb_ssh 0.3.0.pre1 → 0.4.2

Files changed (139) hide show

data/lib/hrr_rb_ssh/algorithm/publickey/ecdsa_sha2/signature.rb CHANGED Viewed

@@ -8,10 +8,8 @@ module HrrRbSsh
   module Algorithm
     class Publickey
       module EcdsaSha2
-        module Signature
-          class << self
-            include Codable
-          end
+        class Signature
+          include Codable
           DEFINITION = [
             [DataType::String, :'public key algorithm name'],
             [DataType::String, :'ecdsa signature blob'],

data/lib/hrr_rb_ssh/algorithm/publickey/ssh_dss.rb CHANGED Viewed

@@ -1,16 +1,19 @@
 # coding: utf-8
 # vim: et ts=2 sw=2
-require 'hrr_rb_ssh/logger'
+require 'hrr_rb_ssh/loggable'
 module HrrRbSsh
   module Algorithm
     class Publickey
       class SshDss < Publickey
+        include Loggable
         NAME = 'ssh-dss'
         DIGEST = 'sha1'
-        def initialize arg
+        def initialize arg, logger: nil
+          self.logger = logger
           begin
             new_by_key_str arg
           rescue OpenSSL::PKey::DSAError
@@ -23,7 +26,7 @@ module HrrRbSsh
         end
         def new_by_public_key_blob public_key_blob
-          public_key_blob_h = PublicKeyBlob.decode(public_key_blob)
+          public_key_blob_h = PublicKeyBlob.new(logger: logger).decode public_key_blob
           @publickey = OpenSSL::PKey::DSA.new
           if @publickey.respond_to?(:set_pqg)
             @publickey.set_pqg public_key_blob_h[:'p'], public_key_blob_h[:'q'], public_key_blob_h[:'g']
@@ -51,24 +54,24 @@ module HrrRbSsh
             :'g'                         => @publickey.g.to_i,
             :'y'                         => @publickey.pub_key.to_i,
           }
-          PublicKeyBlob.encode(public_key_blob_h)
+          PublicKeyBlob.new(logger: logger).encode public_key_blob_h
         end
         def sign signature_blob
           hash = OpenSSL::Digest.digest(self.class::DIGEST, signature_blob)
           sign_der = @publickey.syssign(hash)
-          sign_asn1 = OpenSSL::ASN1.decode(sign_der)
+          sign_asn1 = OpenSSL::ASN1.decode sign_der
           sign_r = sign_asn1.value[0].value.to_s(2).rjust(20, ["00"].pack("H"))
           sign_s = sign_asn1.value[1].value.to_s(2).rjust(20, ["00"].pack("H"))
           signature_h = {
             :'public key algorithm name' => self.class::NAME,
             :'signature blob'            => (sign_r + sign_s),
           }
-          Signature.encode signature_h
+          Signature.new(logger: logger).encode signature_h
         end
         def verify signature, signature_blob
-          signature_h = Signature.decode signature
+          signature_h = Signature.new(logger: logger).decode signature
           sign_r = signature_h[:'signature blob'][ 0, 20]
           sign_s = signature_h[:'signature blob'][20, 20]
           sign_asn1 = OpenSSL::ASN1::Sequence.new(

data/lib/hrr_rb_ssh/algorithm/publickey/ssh_dss/public_key_blob.rb CHANGED Viewed

@@ -8,10 +8,8 @@ module HrrRbSsh
   module Algorithm
     class Publickey
       class SshDss
-        module PublicKeyBlob
-          class << self
-            include Codable
-          end
+        class PublicKeyBlob
+          include Codable
           DEFINITION = [
             [DataType::String, :'public key algorithm name'],
             [DataType::Mpint,  :'p'],

data/lib/hrr_rb_ssh/algorithm/publickey/ssh_dss/signature.rb CHANGED Viewed

@@ -8,10 +8,8 @@ module HrrRbSsh
   module Algorithm
     class Publickey
       class SshDss
-        module Signature
-          class << self
-            include Codable
-          end
+        class Signature
+          include Codable
           DEFINITION = [
             [DataType::String, :'public key algorithm name'],
             [DataType::String, :'signature blob'],

data/lib/hrr_rb_ssh/algorithm/publickey/ssh_rsa.rb CHANGED Viewed

@@ -1,16 +1,19 @@
 # coding: utf-8
 # vim: et ts=2 sw=2
-require 'hrr_rb_ssh/logger'
+require 'hrr_rb_ssh/loggable'
 module HrrRbSsh
   module Algorithm
     class Publickey
       class SshRsa < Publickey
+        include Loggable
         NAME = 'ssh-rsa'
         DIGEST = 'sha1'
-        def initialize arg
+        def initialize arg, logger: nil
+          self.logger = logger
           begin
             new_by_key_str arg
           rescue OpenSSL::PKey::RSAError
@@ -23,7 +26,7 @@ module HrrRbSsh
         end
         def new_by_public_key_blob public_key_blob
-          public_key_blob_h = PublicKeyBlob.decode(public_key_blob)
+          public_key_blob_h = PublicKeyBlob.new(logger: logger).decode public_key_blob
           @publickey = OpenSSL::PKey::RSA.new
           if @publickey.respond_to?(:set_key)
             @publickey.set_key public_key_blob_h[:'n'], public_key_blob_h[:'e'], nil
@@ -43,7 +46,7 @@ module HrrRbSsh
             :'e'                         => @publickey.e.to_i,
             :'n'                         => @publickey.n.to_i,
           }
-          PublicKeyBlob.encode(public_key_blob_h)
+          PublicKeyBlob.new(logger: logger).encode public_key_blob_h
         end
         def sign signature_blob
@@ -51,11 +54,11 @@ module HrrRbSsh
             :'public key algorithm name' => self.class::NAME,
             :'signature blob'            => @publickey.sign(self.class::DIGEST, signature_blob),
           }
-          Signature.encode signature_h
+          Signature.new(logger: logger).encode signature_h
         end
         def verify signature, signature_blob
-          signature_h = Signature.decode signature
+          signature_h = Signature.new(logger: logger).decode signature
           signature_h[:'public key algorithm name'] == self.class::NAME && @publickey.verify(self.class::DIGEST, signature_h[:'signature blob'], signature_blob)
         end
       end

data/lib/hrr_rb_ssh/algorithm/publickey/ssh_rsa/public_key_blob.rb CHANGED Viewed

@@ -8,10 +8,8 @@ module HrrRbSsh
   module Algorithm
     class Publickey
       class SshRsa
-        module PublicKeyBlob
-          class << self
-            include Codable
-          end
+        class PublicKeyBlob
+          include Codable
           DEFINITION = [
             [DataType::String, :'public key algorithm name'],
             [DataType::Mpint,  :'e'],

data/lib/hrr_rb_ssh/algorithm/publickey/ssh_rsa/signature.rb CHANGED Viewed

@@ -8,10 +8,8 @@ module HrrRbSsh
   module Algorithm
     class Publickey
       class SshRsa
-        module Signature
-          class << self
-            include Codable
-          end
+        class Signature
+          include Codable
           DEFINITION = [
             [DataType::String, :'public key algorithm name'],
             [DataType::String, :'signature blob'],

data/lib/hrr_rb_ssh/authentication.rb CHANGED Viewed

@@ -1,27 +1,31 @@
 # coding: utf-8
 # vim: et ts=2 sw=2
-require 'hrr_rb_ssh/logger'
+require 'hrr_rb_ssh/loggable'
 require 'hrr_rb_ssh/message'
 require 'hrr_rb_ssh/error/closed_authentication'
+require 'hrr_rb_ssh/authentication/constant'
 require 'hrr_rb_ssh/authentication/authenticator'
 require 'hrr_rb_ssh/authentication/method'
 module HrrRbSsh
   class Authentication
-    SERVICE_NAME = 'ssh-userauth'
+    include Loggable
+    include Constant
+    def initialize transport, mode, options={}, logger: nil
+      self.logger = logger
-    def initialize transport, options={}
       @transport = transport
+      @mode = mode
       @options = options
-      @logger = Logger.new self.class.name
       @transport.register_acceptable_service SERVICE_NAME
       @closed = nil
       @username = nil
+      @variables = {}
     end
     def send payload
@@ -29,6 +33,7 @@ module HrrRbSsh
       begin
         @transport.send payload
       rescue Error::ClosedTransport
+        close
         raise Error::ClosedAuthentication
       end
     end
@@ -38,19 +43,28 @@ module HrrRbSsh
       begin
         @transport.receive
       rescue Error::ClosedTransport
+        close
         raise Error::ClosedAuthentication
       end
     end
     def start
-      @transport.start
-      authenticate
+      log_info { "start authentication" }
+      begin
+        @transport.start
+        authenticate
+      rescue Error::ClosedTransport
+        close
+        raise Error::ClosedAuthentication
+      end
     end
     def close
       return if @closed
+      log_info { "close authentication" }
       @closed = true
       @transport.close
+      log_info { "authentication closed" }
     end
     def closed?
@@ -62,43 +76,110 @@ module HrrRbSsh
       @username
     end
+    def variables
+      raise Error::ClosedAuthentication if @closed
+      @variables
+    end
     def authenticate
+      case @mode
+      when Mode::SERVER
+        respond_to_authentication
+      when Mode::CLIENT
+        request_authentication
+      end
+    end
+    def respond_to_authentication
+      authentication_methods = (@options['authentication_preferred_authentication_methods'].dup rescue nil) || Method.list_preferred # rescue nil.dup for Ruby version < 2.4
+      log_info { "preferred authentication methods: #{authentication_methods}" }
       loop do
         payload = @transport.receive
         case payload[0,1].unpack("C")[0]
         when Message::SSH_MSG_USERAUTH_REQUEST::VALUE
-          userauth_request_message = Message::SSH_MSG_USERAUTH_REQUEST.decode payload
+          userauth_request_message = Message::SSH_MSG_USERAUTH_REQUEST.new(logger: logger).decode payload
           method_name = userauth_request_message[:'method name']
-          method = Method[method_name].new(@transport, {'session id' => @transport.session_id}.merge(@options))
+          log_info { "authentication method: #{method_name}" }
+          method = Method[method_name].new(@transport, {'session id' => @transport.session_id}.merge(@options), @variables, authentication_methods, logger: logger)
           result = method.authenticate(userauth_request_message)
           case result
-          when TrueClass
-            @logger.info { "verified" }
+          when true, SUCCESS
+            log_info { "verified" }
             send_userauth_success
             @username = userauth_request_message[:'user name']
             @closed = false
             break
-          when FalseClass
-            @logger.info { "verify failed" }
-            send_userauth_failure
+          when PARTIAL_SUCCESS
+            log_info { "partially verified" }
+            authentication_methods.delete method_name
+            log_info { "authentication methods that can continue: #{authentication_methods}" }
+            if authentication_methods.empty?
+              log_info { "verified" }
+              send_userauth_success
+              @username = userauth_request_message[:'user name']
+              @closed = false
+              break
+            else
+              log_info { "continue" }
+              send_userauth_failure authentication_methods, true
+            end
           when String
-            @logger.info { "send method specific message to continue" }
+            log_info { "send method specific message to continue" }
             send_method_specific_message result
+          else # when false, FAILURE
+            log_info { "verify failed" }
+            send_userauth_failure authentication_methods, false
           end
         else
-          @closed = true
-          raise
+          close
+          raise Error::ClosedAuthentication
+        end
+      end
+    end
+    def request_authentication
+      authentication_methods = (@options['authentication_preferred_authentication_methods'].dup rescue nil) || Method.list_preferred # rescue nil.dup for Ruby version < 2.4
+      log_info { "preferred authentication methods: #{authentication_methods}" }
+      next_method_name = "none"
+      log_info { "authentication request begins with none method" }
+      loop do
+        log_info { "authentication method: #{next_method_name}" }
+        method = Method[next_method_name].new(@transport, {'session id' => @transport.session_id}.merge(@options), @variables, authentication_methods, logger: logger)
+        payload = method.request_authentication @options['username'], "ssh-connection"
+        case payload[0,1].unpack("C")[0]
+        when Message::SSH_MSG_USERAUTH_SUCCESS::VALUE
+          log_info { "verified" }
+          @username = @options['username']
+          @closed = false
+          break
+        when Message::SSH_MSG_USERAUTH_FAILURE::VALUE
+          message = Message::SSH_MSG_USERAUTH_FAILURE.new(logger: logger).decode payload
+          partial_success = message[:'partial success']
+          if partial_success
+            log_info { "partially verified" }
+          end
+          authentication_methods_that_can_continue = message[:'authentications that can continue']
+          log_info { "authentication methods that can continue: #{authentication_methods_that_can_continue}" }
+          next_method_name = authentication_methods.find{ |local_m| authentication_methods_that_can_continue.find{ |remote_m| local_m == remote_m } }
+          if next_method_name
+            authentication_methods.delete next_method_name
+            log_info { "continue" }
+          else
+            log_info { "no more available authentication methods" }
+            @closed = true
+            raise "failed authentication"
+          end
         end
       end
     end
-    def send_userauth_failure
+    def send_userauth_failure authentication_methods, partial_success
       message = {
         :'message number'                    => Message::SSH_MSG_USERAUTH_FAILURE::VALUE,
-        :'authentications that can continue' => Method.list_preferred,
-        :'partial success'                   => false,
+        :'authentications that can continue' => authentication_methods,
+        :'partial success'                   => partial_success,
       }
-      payload = Message::SSH_MSG_USERAUTH_FAILURE.encode message
+      payload = Message::SSH_MSG_USERAUTH_FAILURE.new(logger: logger).encode message
       @transport.send payload
     end
@@ -106,7 +187,7 @@ module HrrRbSsh
       message = {
         :'message number' => Message::SSH_MSG_USERAUTH_SUCCESS::VALUE,
       }
-      payload = Message::SSH_MSG_USERAUTH_SUCCESS.encode message
+      payload = Message::SSH_MSG_USERAUTH_SUCCESS.new(logger: logger).encode message
       @transport.send payload
     end

data/lib/hrr_rb_ssh/authentication/constant.rb ADDED Viewed

@@ -0,0 +1,14 @@
+# coding: utf-8
+# vim: et ts=2 sw=2
+module HrrRbSsh
+  class Authentication
+    module Constant
+      SERVICE_NAME = 'ssh-userauth'
+      SUCCESS         = :success
+      PARTIAL_SUCCESS = :partial_success
+      FAILURE         = :failure
+    end
+  end
+end

data/lib/hrr_rb_ssh/authentication/method/keyboard_interactive.rb CHANGED Viewed

@@ -1,29 +1,66 @@
 # coding: utf-8
 # vim: et ts=2 sw=2
-require 'hrr_rb_ssh/logger'
+require 'hrr_rb_ssh/loggable'
 module HrrRbSsh
   class Authentication
     class Method
       class KeyboardInteractive < Method
+        include Loggable
         NAME = 'keyboard-interactive'
         PREFERENCE = 30
-        def initialize transport, options
-          @logger = Logger.new(self.class.name)
+        def initialize transport, options, variables, authentication_methods, logger: nil
+          self.logger = logger
           @transport = transport
-          @authenticator = options.fetch( 'authentication_keyboard_interactive_authenticator', Authenticator.new { false } )
+          @options = options
+          @authenticator = options.fetch( 'authentication_keyboard_interactive_authenticator', Authenticator.new{ false } )
+          @variables = variables
+          @authentication_methods = authentication_methods
         end
         def authenticate userauth_request_message
-          @logger.info { "authenticate" }
-          @logger.debug { "userauth request: " + userauth_request_message.inspect }
+          log_info { "authenticate" }
           username = userauth_request_message[:'user name']
           submethods = userauth_request_message[:'submethods']
-          context = Context.new(@transport, username, submethods)
+          context = Context.new(@transport, username, submethods, @variables, @authentication_methods, logger: logger)
           @authenticator.authenticate context
         end
+        def request_authentication username, service_name
+          message = {
+            :'message number' => Message::SSH_MSG_USERAUTH_REQUEST::VALUE,
+            :"user name"      => username,
+            :"service name"   => service_name,
+            :"method name"    => NAME,
+            :"language tag"   => "",
+            :'submethods'     => "",
+          }
+          payload = Message::SSH_MSG_USERAUTH_REQUEST.new(logger: logger).encode message
+          @transport.send payload
+          payload = @transport.receive
+          case payload[0,1].unpack("C")[0]
+          when Message::SSH_MSG_USERAUTH_INFO_REQUEST::VALUE
+            message = Message::SSH_MSG_USERAUTH_INFO_REQUEST.new(logger: logger).decode payload
+            num_responses = @options['client_authentication_keyboard_interactive'].size
+            message = {
+              :'message number' => Message::SSH_MSG_USERAUTH_INFO_RESPONSE::VALUE,
+              :'num-responses'  => num_responses,
+            }
+            message_responses = @options['client_authentication_keyboard_interactive'].map.with_index{ |response, i|
+              {:"response[#{i+1}]" => response}
+            }.inject(Hash.new){ |a, b| a.merge(b) }
+            message.update(message_responses)
+            payload = Message::SSH_MSG_USERAUTH_INFO_RESPONSE.new(logger: logger).encode message
+            @transport.send payload
+            @transport.receive
+          else
+            payload
+          end
+        end
       end
     end
   end