hrr_rb_ssh 0.2.0 → 0.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fa22df4a3d01a18e8f66b69b73f5b189233de3d4c755f1d371f15043c0202c8f
-  data.tar.gz: e426371cf62d6d6705915a58b5811774e984be1f55b1e2f11db5925d0f14d08f
+  metadata.gz: 61d3c0613da093138597cc6a8e7ba24168e7374b0fffd31d26d58efabc234224
+  data.tar.gz: 60c45a6fb8eedc3cdadfa42bb79f686a42bbe955623637199e08bce44272d805
 SHA512:
-  metadata.gz: 3e47080fab89ae9eafab849adf065dfa4a2f58f18f189aaef269d4b8d50729acad8d7d0c5306e462e583200878da878b84b4579a63788e8dd9859501102c1440
-  data.tar.gz: 974b64d45859b689e6965d98ab749375ed082f6bbc72bc1ee59c1c2e6a8e59ca8bf7e25ff1304a6e9eb415763457dc9678447e363300d3106c63a84a7a9bbd03
+  metadata.gz: bde652be2f850130028aecca6f6dc401e334198aa73f7fa28dcd88fa059a79378bf2e0b1d075c134fc49403aad491b6d49d4d4cbc53098bd12459f27829293b1
+  data.tar.gz: acf3496654c007e03ef390cfd1057b99ba85d0f82c965eea31647ea8bd919b4362783039405922bcb3243ab2ff0fc269e53a4faf05ebde8a0039210ebecffd15

data/README.md

@@ -19,6 +19,7 @@ hrr_rb_ssh is a pure Ruby SSH 2.0 server implementation.
         - [Defining authentications](#defining-authentications)
             - [Password authentication](#password-authentication)
             - [Publickey authentication](#publickey-authentication)
+            - [Keyboard-interactive authentication](#keyboard-interactive-authentication)
             - [None authentication (NOT recomended)](#none-authentication-not-recomended)
         - [Handling session channel requests](#handling-session-channel-requests)
             - [Reference request handlers](#reference-request-handlers)
@@ -180,9 +181,38 @@ The `context` variable in public key authentication context provides the `#verif
 
 And public keys that is in OpenSSH public key format is now available. To use OpenSSH public keys, it is easy to use $USER_HOME/.ssh/authorized_keys file.
 
+##### Keyboard-interactive authentication
+
+The third one is keyboard-interactive authentication. This is also known as challenge-response authentication.
+
+To define a keyboard-interactive authentication, the `HrrRbSsh::Authentication::Authenticator.new { |context| ... }` block is used as well.  When the block returns `true`, then the authentication succeeded as well. However, `context` variable behaves differently.
+
+```ruby
+auth_keyboard_interactive = HrrRbSsh::Authentication::Authenticator.new { |context|
+  user_name        = 'user1'
+  req_name         = 'demo keyboard interactive authentication'
+  req_instruction  = 'demo instruction'
+  req_language_tag = ''
+  req_prompts = [
+    #[prompt[n], echo[n]]
+    ['Password1: ', false],
+    ['Password2: ', true],
+  ]
+  info_response = context.info_request req_name, req_instruction, req_language_tag, req_prompts
+  context.username == user_name && info_response.responses == ['password1', 'password2']
+}
+options['authentication_keyboard_interactive_authenticator'] = auth_keyboard_interactive
+```
+
+The `context` variable in keyboard-interactive authentication context does NOT provides the `#verify` method. Instead, `#info_request` method is available. Since keyboard-interactive authentication has multiple times interactions between server and client, the values in responses needs to be verified respectively.
+
+The `#info_request` method takes four arguments: name, instruction, language tag, and prompts. The name, instruction, and language tag can be empty string. The prompts needs to have at least one charactor for prompt message, and `true` or `false` value to specify whether echo back is enabled or not.
+
+The responses are listed in the same order as request prompts.
+
 ##### None authentication (NOT recomended)
 
-The third one is none authentication. None authentication is usually NOT used.
+The last one is none authentication. None authentication is usually NOT used.
 
 To define a none authentication, the `HrrRbSsh::Authentication::Authenticator.new { |context| ... }` block is used as well.  When the block returns `true`, then the authentication succeeded as well. However, `context` variable behaves differently.
 
@@ -316,6 +346,7 @@ The following features are currently supported.
     - ecdsa-sha2-nistp256
     - ecdsa-sha2-nistp384
     - ecdsa-sha2-nistp521
+- Keyboard interactive (generic interactive / challenge response) authentication
 
 ### Transport layer
 

data/demo/server.rb

@@ -46,6 +46,19 @@ def start_service io, logger=nil
       context.verify user, pass
     }
   }
+  auth_keyboard_interactive = HrrRbSsh::Authentication::Authenticator.new { |context|
+    user_name        = 'user1'
+    req_name         = 'demo keyboard interactive authentication'
+    req_instruction  = 'demo instruction'
+    req_language_tag = ''
+    req_prompts = [
+      #[prompt[n], echo[n]]
+      ['Password1: ', false],
+      ['Password2: ', true],
+    ]
+    info_response = context.info_request req_name, req_instruction, req_language_tag, req_prompts
+    context.username == user_name && info_response.responses == ['password1', 'password2']
+  }
 
 
   options = {}
@@ -65,9 +78,10 @@ OfeosJOO9twerD7pPhmXREkygblPsEXaVA==
 -----END EC PRIVATE KEY-----
   EOB
 
-  options['authentication_none_authenticator']      = auth_none
-  options['authentication_publickey_authenticator'] = auth_publickey
-  options['authentication_password_authenticator']  = auth_password
+  options['authentication_none_authenticator']                 = auth_none
+  options['authentication_publickey_authenticator']            = auth_publickey
+  options['authentication_password_authenticator']             = auth_password
+  options['authentication_keyboard_interactive_authenticator'] = auth_keyboard_interactive
 
   options['connection_channel_request_pty_req']       = HrrRbSsh::Connection::RequestHandler::ReferencePtyReqRequestHandler.new
   options['connection_channel_request_env']           = HrrRbSsh::Connection::RequestHandler::ReferenceEnvRequestHandler.new

data/lib/hrr_rb_ssh/authentication/method/keyboard_interactive/context.rb

@@ -0,0 +1,36 @@
+# coding: utf-8
+# vim: et ts=2 sw=2
+
+require 'hrr_rb_ssh/logger'
+require 'hrr_rb_ssh/authentication/method/keyboard_interactive/info_request'
+require 'hrr_rb_ssh/authentication/method/keyboard_interactive/info_response'
+
+module HrrRbSsh
+  class Authentication
+    class Method
+      class KeyboardInteractive
+        class Context
+          attr_reader \
+            :username,
+            :submethods,
+            :info_response
+
+          def initialize transport, username, submethods
+            @transport = transport
+            @username = username
+            @submethods = submethods
+
+            @logger = Logger.new self.class.name
+          end
+
+          def info_request name, instruction, language_tag, prompts
+            @logger.info { "send userauth info request" }
+            @transport.send InfoRequest.new(name, instruction, language_tag, prompts).to_payload
+            @logger.info { "receive userauth info response" }
+            @info_response = InfoResponse.new @transport.receive
+          end
+        end
+      end
+    end
+  end
+end

data/lib/hrr_rb_ssh/authentication/method/keyboard_interactive/info_request.rb

@@ -0,0 +1,45 @@
+# coding: utf-8
+# vim: et ts=2 sw=2
+
+require 'hrr_rb_ssh/logger'
+require 'hrr_rb_ssh/message'
+
+module HrrRbSsh
+  class Authentication
+    class Method
+      class KeyboardInteractive
+        class InfoRequest
+          def initialize name, instruction, language_tag, prompts
+            @name         = name
+            @instruction  = instruction
+            @language_tag = language_tag
+            @prompts      = prompts
+
+            @logger = Logger.new self.class.name
+          end
+
+          def to_message
+            message = {
+              :'message number' => Message::SSH_MSG_USERAUTH_INFO_REQUEST::VALUE,
+              :'name'           => @name,
+              :'instruction'    => @instruction,
+              :'language tag'   => @language_tag,
+              :'num-prompts'    => @prompts.size,
+            }
+            message_prompts = @prompts.map.with_index{ |(prompt, echo), i|
+              [
+                [:"prompt[#{i+1}]", prompt],
+                [:"echo[#{i+1}]",   echo],
+              ].to_h
+            }.inject(Hash.new){ |a, b| a.merge(b) }
+            message.merge(message_prompts)
+          end
+
+          def to_payload
+            Message::SSH_MSG_USERAUTH_INFO_REQUEST.encode self.to_message
+          end
+        end
+      end
+    end
+  end
+end

data/lib/hrr_rb_ssh/authentication/method/keyboard_interactive/info_response.rb

@@ -0,0 +1,29 @@
+# coding: utf-8
+# vim: et ts=2 sw=2
+
+require 'hrr_rb_ssh/message'
+
+module HrrRbSsh
+  class Authentication
+    class Method
+      class KeyboardInteractive
+        class InfoResponse
+          attr_reader \
+            :num_responses,
+            :responses
+
+          def initialize payload
+            case payload[0,1].unpack("C")[0]
+            when Message::SSH_MSG_USERAUTH_INFO_RESPONSE::VALUE
+              message = Message::SSH_MSG_USERAUTH_INFO_RESPONSE.decode payload
+              @num_responses = message[:'num-responses']
+              @responses = Array.new(message[:'num-responses']){ |i| message[:"response[#{i+1}]"] }
+            else
+              raise "Expected SSH_MSG_USERAUTH_INFO_RESPONSE, but got message number #{payload[0,1].unpack("C")[0]}"
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/hrr_rb_ssh/authentication/method/keyboard_interactive.rb

@@ -0,0 +1,32 @@
+# coding: utf-8
+# vim: et ts=2 sw=2
+
+require 'hrr_rb_ssh/logger'
+
+module HrrRbSsh
+  class Authentication
+    class Method
+      class KeyboardInteractive < Method
+        NAME = 'keyboard-interactive'
+        PREFERENCE = 30
+
+        def initialize transport, options
+          @logger = Logger.new(self.class.name)
+          @transport = transport
+          @authenticator = options.fetch( 'authentication_keyboard_interactive_authenticator', Authenticator.new { false } )
+        end
+
+        def authenticate userauth_request_message
+          @logger.info { "authenticate" }
+          @logger.debug { "userauth request: " + userauth_request_message.inspect }
+          username = userauth_request_message[:'user name']
+          submethods = userauth_request_message[:'submethods']
+          context = Context.new(@transport, username, submethods)
+          @authenticator.authenticate context
+        end
+      end
+    end
+  end
+end
+
+require 'hrr_rb_ssh/authentication/method/keyboard_interactive/context'

data/lib/hrr_rb_ssh/authentication/method/none.rb

@@ -10,7 +10,7 @@ module HrrRbSsh
         NAME = 'none'
         PREFERENCE = 0
 
-        def initialize options
+        def initialize transport, options
           @logger = Logger.new(self.class.name)
           @authenticator = options.fetch( 'authentication_none_authenticator', Authenticator.new { false } )
         end

data/lib/hrr_rb_ssh/authentication/method/password.rb

@@ -10,7 +10,7 @@ module HrrRbSsh
         NAME = 'password'
         PREFERENCE = 10
 
-        def initialize options
+        def initialize transport, options
           @logger = Logger.new(self.class.name)
           @authenticator = options.fetch( 'authentication_password_authenticator', Authenticator.new { false } )
         end

data/lib/hrr_rb_ssh/authentication/method/publickey.rb

@@ -10,7 +10,7 @@ module HrrRbSsh
         NAME = 'publickey'
         PREFERENCE = 20
 
-        def initialize options
+        def initialize transport, options
           @logger = Logger.new(self.class.name)
           @session_id = options['session id']
           @authenticator = options.fetch( 'authentication_publickey_authenticator', Authenticator.new { false } )

data/lib/hrr_rb_ssh/authentication/method.rb

@@ -17,3 +17,4 @@ end
 require 'hrr_rb_ssh/authentication/method/none'
 require 'hrr_rb_ssh/authentication/method/password'
 require 'hrr_rb_ssh/authentication/method/publickey'
+require 'hrr_rb_ssh/authentication/method/keyboard_interactive'

data/lib/hrr_rb_ssh/authentication.rb

@@ -69,7 +69,7 @@ module HrrRbSsh
         when Message::SSH_MSG_USERAUTH_REQUEST::VALUE
           userauth_request_message = Message::SSH_MSG_USERAUTH_REQUEST.decode payload
           method_name = userauth_request_message[:'method name']
-          method = Method[method_name].new({'session id' => @transport.session_id}.merge(@options))
+          method = Method[method_name].new(@transport, {'session id' => @transport.session_id}.merge(@options))
           result = method.authenticate(userauth_request_message)
           case result
           when TrueClass

data/lib/hrr_rb_ssh/message/050_ssh_msg_userauth_request.rb

@@ -43,11 +43,19 @@ module HrrRbSsh
         [DataType::String,    :'plaintext password'],
       ]
 
+      KEYBOARD_INTERACTIVE_DEFINITION = [
+        #[DataType, Field Name]
+        #[DataType::String,   :'method name' : "keyboard-interactive"],
+        [DataType::String,    :'language tag'],
+        [DataType::String,    :'submethods'],
+      ]
+
       CONDITIONAL_DEFINITION = {
         # Field Name => {Field Value => Conditional Definition}
         :'method name' => {
-          "publickey" => PUBLICKEY_DEFINITION,
-          "password"  => PASSWORD_DEFINITION,
+          "publickey"             => PUBLICKEY_DEFINITION,
+          "password"              => PASSWORD_DEFINITION,
+          "keyboard-interactive"  => KEYBOARD_INTERACTIVE_DEFINITION,
         },
         :'with signature' => {
           true => PUBLICKEY_SIGNATURE_DEFINITION,

data/lib/hrr_rb_ssh/message/060_ssh_msg_userauth_info_request.rb

@@ -0,0 +1,43 @@
+# coding: utf-8
+# vim: et ts=2 sw=2
+
+require 'hrr_rb_ssh/data_type'
+require 'hrr_rb_ssh/codable'
+
+module HrrRbSsh
+  module Message
+    module SSH_MSG_USERAUTH_INFO_REQUEST
+      class << self
+        include Codable
+      end
+
+      ID    = self.name.split('::').last
+      VALUE = 60
+
+      DEFINITION = [
+        #[DataType, Field Name]
+        [DataType::Byte,      :'message number'],
+        [DataType::String,    :'name'],
+        [DataType::String,    :'instruction'],
+        [DataType::String,    :'language tag'],
+        [DataType::Uint32,    :'num-prompts'],
+      ]
+
+      PER_NUM_PROMPTS_DEFINITION = Hash.new{ |hash, key|
+        Array.new(key){ |i|
+          [
+            #[DataType, Field Name]
+            #[DataType::String,   :'num-prompts' : "> 0"],
+            [DataType::String,    :"prompt[#{i+1}]"],
+            [DataType::Boolean,   :"echo[#{i+1}]"],
+          ]
+        }.inject(:+)
+      }
+
+      CONDITIONAL_DEFINITION = {
+        # Field Name => {Field Value => Conditional Definition}
+        :'num-prompts' => PER_NUM_PROMPTS_DEFINITION,
+      }
+    end
+  end
+end

data/lib/hrr_rb_ssh/message/061_ssh_msg_userauth_info_response.rb

@@ -0,0 +1,39 @@
+# coding: utf-8
+# vim: et ts=2 sw=2
+
+require 'hrr_rb_ssh/data_type'
+require 'hrr_rb_ssh/codable'
+
+module HrrRbSsh
+  module Message
+    module SSH_MSG_USERAUTH_INFO_RESPONSE
+      class << self
+        include Codable
+      end
+
+      ID    = self.name.split('::').last
+      VALUE = 61
+
+      DEFINITION = [
+        #[DataType, Field Name]
+        [DataType::Byte,      :'message number'],
+        [DataType::Uint32,    :'num-responses'],
+      ]
+
+      PER_NUM_RESPONSES_DEFINITION = Hash.new{ |hash, key|
+        Array.new(key){ |i|
+          [
+            #[DataType, Field Name]
+            #[DataType::String,   :'num-responses' : "> 0"],
+            [DataType::String,    :"response[#{i+1}]"],
+          ]
+        }.inject(:+)
+      }
+
+      CONDITIONAL_DEFINITION = {
+        # Field Name => {Field Value => Conditional Definition}
+        :'num-responses' => PER_NUM_RESPONSES_DEFINITION,
+      }
+    end
+  end
+end

data/lib/hrr_rb_ssh/message.rb

@@ -22,6 +22,8 @@ require 'hrr_rb_ssh/message/050_ssh_msg_userauth_request'
 require 'hrr_rb_ssh/message/051_ssh_msg_userauth_failure'
 require 'hrr_rb_ssh/message/052_ssh_msg_userauth_success'
 require 'hrr_rb_ssh/message/060_ssh_msg_userauth_pk_ok'
+require 'hrr_rb_ssh/message/060_ssh_msg_userauth_info_request'
+require 'hrr_rb_ssh/message/061_ssh_msg_userauth_info_response'
 require 'hrr_rb_ssh/message/080_ssh_msg_global_request.rb'
 require 'hrr_rb_ssh/message/081_ssh_msg_request_success.rb'
 require 'hrr_rb_ssh/message/082_ssh_msg_request_failure.rb'

data/lib/hrr_rb_ssh/version.rb

@@ -2,5 +2,5 @@
 # vim: et ts=2 sw=2
 
 module HrrRbSsh
-  VERSION = "0.2.0"
+  VERSION = "0.2.1"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: hrr_rb_ssh
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.2.1
 platform: ruby
 authors:
 - hirura
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-05-19 00:00:00.000000000 Z
+date: 2018-05-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -104,6 +104,10 @@ files:
 - lib/hrr_rb_ssh/authentication.rb
 - lib/hrr_rb_ssh/authentication/authenticator.rb
 - lib/hrr_rb_ssh/authentication/method.rb
+- lib/hrr_rb_ssh/authentication/method/keyboard_interactive.rb
+- lib/hrr_rb_ssh/authentication/method/keyboard_interactive/context.rb
+- lib/hrr_rb_ssh/authentication/method/keyboard_interactive/info_request.rb
+- lib/hrr_rb_ssh/authentication/method/keyboard_interactive/info_response.rb
 - lib/hrr_rb_ssh/authentication/method/none.rb
 - lib/hrr_rb_ssh/authentication/method/none/context.rb
 - lib/hrr_rb_ssh/authentication/method/password.rb
@@ -183,7 +187,9 @@ files:
 - lib/hrr_rb_ssh/message/050_ssh_msg_userauth_request.rb
 - lib/hrr_rb_ssh/message/051_ssh_msg_userauth_failure.rb
 - lib/hrr_rb_ssh/message/052_ssh_msg_userauth_success.rb
+- lib/hrr_rb_ssh/message/060_ssh_msg_userauth_info_request.rb
 - lib/hrr_rb_ssh/message/060_ssh_msg_userauth_pk_ok.rb
+- lib/hrr_rb_ssh/message/061_ssh_msg_userauth_info_response.rb
 - lib/hrr_rb_ssh/message/080_ssh_msg_global_request.rb
 - lib/hrr_rb_ssh/message/081_ssh_msg_request_success.rb
 - lib/hrr_rb_ssh/message/082_ssh_msg_request_failure.rb