minmb-net-ssh 2.5.1

data/lib/net/ssh/proxy/socks5.rb

@@ -0,0 +1,142 @@
+require 'socket'
+require 'net/ssh/ruby_compat'
+require 'net/ssh/proxy/errors'
+
+module Net
+  module SSH
+    module Proxy
+
+      # An implementation of a SOCKS5 proxy. To use it, instantiate it, then
+      # pass the instantiated object via the :proxy key to Net::SSH.start:
+      #
+      #   require 'net/ssh/proxy/socks5'
+      #
+      #   proxy = Net::SSH::Proxy::SOCKS5.new('proxy.host', proxy_port,
+      #     :user => 'user', :password => "password")
+      #   Net::SSH.start('host', 'user', :proxy => proxy) do |ssh|
+      #     ...
+      #   end
+      class SOCKS5
+        # The SOCKS protocol version used by this class
+        VERSION = 5
+
+        # The SOCKS authentication type for requests without authentication
+        METHOD_NO_AUTH = 0
+
+        # The SOCKS authentication type for requests via username/password
+        METHOD_PASSWD = 2
+
+        # The SOCKS authentication type for when there are no supported
+        # authentication methods.
+        METHOD_NONE = 0xFF
+
+        # The SOCKS packet type for requesting a proxy connection.
+        CMD_CONNECT = 1
+
+        # The SOCKS address type for connections via IP address.
+        ATYP_IPV4 = 1
+
+        # The SOCKS address type for connections via domain name.
+        ATYP_DOMAIN = 3
+
+        # The SOCKS response code for a successful operation.
+        SUCCESS = 0
+
+        # The proxy's host name or IP address
+        attr_reader :proxy_host
+
+        # The proxy's port number
+        attr_reader :proxy_port
+
+        # The map of options given at initialization
+        attr_reader :options
+
+        # Create a new proxy connection to the given proxy host and port.
+        # Optionally, :user and :password options may be given to
+        # identify the username and password with which to authenticate.
+        def initialize(proxy_host, proxy_port=1080, options={})
+          @proxy_host = proxy_host
+          @proxy_port = proxy_port
+          @options = options
+        end
+
+        # Return a new socket connected to the given host and port via the
+        # proxy that was requested when the socket factory was instantiated.
+        def open(host, port)
+          socket = TCPSocket.new(proxy_host, proxy_port)
+
+          methods = [METHOD_NO_AUTH]
+          methods << METHOD_PASSWD if options[:user]
+
+          packet = [VERSION, methods.size, *methods].pack("C*")
+          socket.send packet, 0
+
+          version, method = socket.recv(2).unpack("CC")
+          if version != VERSION
+            socket.close
+            raise Net::SSH::Proxy::Error, "invalid SOCKS version (#{version})"
+          end
+
+          if method == METHOD_NONE
+            socket.close
+            raise Net::SSH::Proxy::Error, "no supported authorization methods"
+          end
+
+          negotiate_password(socket) if method == METHOD_PASSWD
+
+          packet = [VERSION, CMD_CONNECT, 0].pack("C*")
+
+          if host =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/
+            packet << [ATYP_IPV4, $1.to_i, $2.to_i, $3.to_i, $4.to_i].pack("C*")
+          else
+            packet << [ATYP_DOMAIN, host.length, host].pack("CCA*")
+          end
+
+          packet << [port].pack("n")
+          socket.send packet, 0
+          
+          version, reply, = socket.recv(2).unpack("C*")
+          socket.recv(1)
+          address_type = socket.recv(1).getbyte(0)
+          case address_type
+          when 1
+            socket.recv(4)  # get four bytes for IPv4 address
+          when 3
+            len = socket.recv(1).getbyte(0)
+            hostname = socket.recv(len)
+          when 4
+            ipv6addr hostname = socket.recv(16)
+          else
+            socket.close
+            raise ConnectionError, "Illegal response type"
+          end
+          portnum = socket.recv(2)
+          
+          unless reply == SUCCESS
+            socket.close
+            raise ConnectError, "#{reply}"
+          end
+
+          return socket
+        end
+
+        private
+
+          # Simple username/password negotiation with the SOCKS5 server.
+          def negotiate_password(socket)
+            packet = [0x01, options[:user].length, options[:user],
+              options[:password].length, options[:password]].pack("CCA*CA*")
+            socket.send packet, 0
+
+            version, status = socket.recv(2).unpack("CC")
+
+            if status != SUCCESS
+              socket.close
+              raise UnauthorizedError, "could not authorize user"
+            end
+          end
+      end
+
+    end
+  end
+end

data/lib/net/ssh/ruby_compat.rb

@@ -0,0 +1,77 @@
+require 'thread'
+
+class String
+  if RUBY_VERSION < "1.9"
+    def getbyte(index)
+      self[index]
+    end
+    def setbyte(index, c)
+      self[index] = c
+    end
+  end
+  if RUBY_VERSION < "1.8.7"
+    def bytesize
+      self.size
+    end
+  end
+end
+
+module Net; module SSH
+  
+  # This class contains miscellaneous patches and workarounds
+  # for different ruby implementations.
+  class Compat
+    
+    # A workaround for an IO#select threading bug in certain versions of MRI 1.8.
+    # See: http://net-ssh.lighthouseapp.com/projects/36253/tickets/1-ioselect-threading-bug-in-ruby-18
+    # The root issue is documented here: http://redmine.ruby-lang.org/issues/show/1993
+    if RUBY_VERSION >= '1.9' || RUBY_PLATFORM == 'java'
+      
+      # problem: Pageant sockets aren't real sockets/don't inherit from IO, so we can't call IO.select on them
+      # solution: when a Pageant socket is found in the readers/writers array, slice it out then merge it back in before returning (just assume it's always ready)
+      # unfortunately this fix will also need to be ported to any other library that reaches in to Net::SSH and select's its sockets (like Capistrano)
+      # this is slightly more verbose than necessary, but it's useful for debugging
+      def self.io_select(*params)
+        read_array = params[0]
+        write_array = params[1]
+        error_array = params[2]
+        timeout = params[3]
+
+        read_sockets = read_array.nil? ? [] : read_array.reject {|s| s.class.name =~ /Pageant/ }
+        read_pageant = read_array.nil? ? [] : read_array.select {|s| s.class.name =~ /Pageant/ }
+
+        write_sockets = write_array.nil? ? [] : write_array.reject {|s| s.class.name =~ /Pageant/ }
+        write_pageant = write_array.nil? ? [] : write_array.select {|s| s.class.name =~ /Pageant/ }
+
+        result = IO.select(read_sockets, write_sockets, error_array, timeout)
+
+        if result.nil?
+          return nil
+        else
+          ready_read_sockets = result[0]
+          ready_write_sockets = result[1]
+          ready_error_array_only_sockets = result[2]
+
+          return [ready_read_sockets | read_pageant, ready_write_sockets | write_pageant, ready_error_array_only_sockets]
+        end
+      end
+    else
+      SELECT_MUTEX = Mutex.new
+      def self.io_select(*params)
+        # It should be safe to wrap calls in a mutex when the timeout is 0
+        # (that is, the call is not supposed to block).
+        # We leave blocking calls unprotected to avoid causing deadlocks.
+        # This should still catch the main case for Capistrano users.
+        if params[3] == 0
+          SELECT_MUTEX.synchronize do
+            IO.select(*params)
+          end
+        else
+          IO.select(*params)
+        end
+      end
+    end
+    
+  end
+  
+end; end

data/lib/net/ssh/service/forward.rb

@@ -0,0 +1,327 @@
+# -*- coding: utf-8 -*-
+require 'net/ssh/loggable'
+
+module Net; module SSH; module Service
+
+  # This class implements various port forwarding services for use by
+  # Net::SSH clients. The Forward class should never need to be instantiated
+  # directly; instead, it should be accessed via the singleton instance
+  # returned by Connection::Session#forward:
+  #
+  #   ssh.forward.local(1234, "www.capify.org", 80)
+  class Forward
+    include Loggable
+
+    # The underlying connection service instance that the port-forwarding
+    # services employ.
+    attr_reader :session
+
+    # A simple class for representing a requested remote forwarded port.
+    Remote = Struct.new(:host, :port) #:nodoc:
+
+    # Instantiates a new Forward service instance atop the given connection
+    # service session. This will register new channel open handlers to handle
+    # the specialized channels that the SSH port forwarding protocols employ.
+    def initialize(session)
+      @session = session
+      self.logger = session.logger
+      @remote_forwarded_ports = {}
+      @local_forwarded_ports = {}
+      @agent_forwarded = false
+
+      session.on_open_channel('forwarded-tcpip', &method(:forwarded_tcpip))
+      session.on_open_channel('auth-agent', &method(:auth_agent_channel))
+      session.on_open_channel('auth-agent@openssh.com', &method(:auth_agent_channel))
+    end
+
+    # Starts listening for connections on the local host, and forwards them
+    # to the specified remote host/port via the SSH connection. This method
+    # accepts either three or four arguments. When four arguments are given,
+    # they are:
+    #
+    # * the local address to bind to
+    # * the local port to listen on
+    # * the remote host to forward connections to
+    # * the port on the remote host to connect to
+    #
+    # If three arguments are given, it is as if the local bind address is
+    # "127.0.0.1", and the rest are applied as above.
+    #
+    #   ssh.forward.local(1234, "www.capify.org", 80)
+    #   ssh.forward.local("0.0.0.0", 1234, "www.capify.org", 80)
+    def local(*args)
+      if args.length < 3 || args.length > 4
+        raise ArgumentError, "expected 3 or 4 parameters, got #{args.length}"
+      end
+
+      local_port_type = :long
+
+      socket = begin
+        if args.first.class == UNIXServer
+          local_port_type = :string
+          args.shift
+        else
+          bind_address = "127.0.0.1"
+          bind_address = args.shift if args.first.is_a?(String) && args.first =~ /\D/
+          local_port = args.shift.to_i
+          local_port_type = :long
+          TCPServer.new(bind_address, local_port)
+        end
+      end
+
+      remote_host = args.shift
+      remote_port = args.shift.to_i
+
+      @local_forwarded_ports[[local_port, bind_address]] = socket
+
+      session.listen_to(socket) do |server|
+        client = server.accept
+        debug { "received connection on #{socket}" }
+
+        channel = session.open_channel("direct-tcpip", :string, remote_host, :long, remote_port, :string, bind_address, local_port_type, local_port) do |achannel|
+          achannel.info { "direct channel established" }
+        end
+
+        prepare_client(client, channel, :local)
+  
+        channel.on_open_failed do |ch, code, description|
+          channel.error { "could not establish direct channel: #{description} (#{code})" }
+          channel[:socket].close
+        end
+      end
+    end
+
+    # Terminates an active local forwarded port. If no such forwarded port
+    # exists, this will raise an exception. Otherwise, the forwarded connection
+    # is terminated.
+    #
+    #   ssh.forward.cancel_local(1234)
+    #   ssh.forward.cancel_local(1234, "0.0.0.0")
+    def cancel_local(port, bind_address="127.0.0.1")
+      socket = @local_forwarded_ports.delete([port, bind_address])
+      socket.shutdown rescue nil
+      socket.close rescue nil
+      session.stop_listening_to(socket)
+    end
+
+    # Returns a list of all active locally forwarded ports. The returned value
+    # is an array of arrays, where each element is a two-element tuple
+    # consisting of the local port and bind address corresponding to the
+    # forwarding port.
+    def active_locals
+      @local_forwarded_ports.keys
+    end
+
+    # Requests that all connections on the given remote-port be forwarded via
+    # the local host to the given port/host. The last argument describes the
+    # bind address on the remote host, and defaults to 127.0.0.1.
+    #
+    # This method will return immediately, but the port will not actually be
+    # forwarded immediately. If the remote server is not able to begin the
+    # listener for this request, an exception will be raised asynchronously.
+    #
+    # If you want to know when the connection is active, it will show up in the
+    # #active_remotes list. If you want to block until the port is active, you
+    # could do something like this:
+    #
+    #   ssh.forward.remote(80, "www.google.com", 1234, "0.0.0.0")
+    #   ssh.loop { !ssh.forward.active_remotes.include?([1234, "0.0.0.0"]) }
+    def remote(port, host, remote_port, remote_host="127.0.0.1")
+      session.send_global_request("tcpip-forward", :string, remote_host, :long, remote_port) do |success, response|
+        if success
+          debug { "remote forward from remote #{remote_host}:#{remote_port} to #{host}:#{port} established" }
+          @remote_forwarded_ports[[remote_port, remote_host]] = Remote.new(host, port)
+        else
+          error { "remote forwarding request failed" }
+          raise Net::SSH::Exception, "remote forwarding request failed"
+        end
+      end
+    end
+
+    # an alias, for token backwards compatibility with the 1.x API
+    alias :remote_to :remote
+
+    # Requests that a remote forwarded port be cancelled. The remote forwarded
+    # port on the remote host, bound to the given address on the remote host,
+    # will be terminated, but not immediately. This method returns immediately
+    # after queueing the request to be sent to the server. If for some reason
+    # the port cannot be cancelled, an exception will be raised (asynchronously).
+    #
+    # If you want to know when the connection has been cancelled, it will no
+    # longer be present in the #active_remotes list. If you want to block until
+    # the port is no longer active, you could do something like this:
+    #
+    #   ssh.forward.cancel_remote(1234, "0.0.0.0")
+    #   ssh.loop { ssh.forward.active_remotes.include?([1234, "0.0.0.0"]) }
+    def cancel_remote(port, host="127.0.0.1")
+      session.send_global_request("cancel-tcpip-forward", :string, host, :long, port) do |success, response|
+        if success
+          @remote_forwarded_ports.delete([port, host])
+        else
+          raise Net::SSH::Exception, "could not cancel remote forward request on #{host}:#{port}"
+        end
+      end
+    end
+
+    # Returns all active forwarded remote ports. The returned value is an
+    # array of two-element tuples, where the first element is the port on the
+    # remote host and the second is the bind address.
+    def active_remotes
+      @remote_forwarded_ports.keys
+    end
+
+    # Enables SSH agent forwarding on the given channel. The forwarded agent
+    # will remain active even after the channel closes--the channel is only
+    # used as the transport for enabling the forwarded connection. You should
+    # never need to call this directly--it is called automatically the first
+    # time a session channel is opened, when the connection was created with
+    # :forward_agent set to true:
+    #
+    #    Net::SSH.start("remote.host", "me", :forwrd_agent => true) do |ssh|
+    #      ssh.open_channel do |ch|
+    #        # agent will be automatically forwarded by this point
+    #      end
+    #      ssh.loop
+    #    end
+    def agent(channel)
+      return if @agent_forwarded
+      @agent_forwarded = true
+
+      channel.send_channel_request("auth-agent-req@openssh.com") do |achannel, success|
+        if success
+          debug { "authentication agent forwarding is active" }
+        else
+          achannel.send_channel_request("auth-agent-req") do |a2channel, success2|
+            if success2
+              debug { "authentication agent forwarding is active" }
+            else
+              error { "could not establish forwarding of authentication agent" }
+            end
+          end
+        end
+      end
+    end
+
+    private
+      
+      # Perform setup operations that are common to all forwarded channels.
+      # +client+ is a socket, +channel+ is the channel that was just created,
+      # and +type+ is an arbitrary string describing the type of the channel.
+      def prepare_client(client, channel, type)
+
+        # TODO: consider, should there be an override of this method which is Pageant specific, even though that would mean mild reimplementation
+        # would mean: no shutdown in eof
+        # no casing around class name right here
+
+        # Since Pageant sockets aren't real sockets,
+        # the client object doesn't need (and shouln't have) these modules included
+        if (client.class.name =~ /Pageant/).nil?
+          client.extend(Net::SSH::BufferedIo)
+          client.extend(Net::SSH::ForwardedBufferedIo)
+          client.logger = logger
+        end
+
+        session.listen_to(client)
+        channel[:socket] = client
+
+        channel.on_data do |ch, data|  
+          debug { "data: enqueueing #{data.length} bytes on #{type} forwarded channel" }
+          ch[:socket].enqueue(data)
+        end
+        
+        # Handles server close on the sending side by Miklós Fazekas
+        channel.on_eof do |ch|
+          debug { "eof #{type} on #{type} forwarded channel" }
+          begin
+            ch[:socket].send_pending
+
+            ch[:socket].shutdown Socket::SHUT_WR
+            ch[:socket].close
+          rescue IOError => e
+            if e.message =~ /closed/ then
+              debug { "epipe in on_eof => shallowing exception:#{e}" }
+            else
+              raise
+            end
+          rescue Errno::EPIPE => e
+            debug { "epipe in on_eof => shallowing exception:#{e}" }
+          rescue Errno::ENOTCONN => e
+            debug { "enotconn in on_eof => shallowing exception:#{e}" }
+          end
+        end
+        
+        channel.on_close do |ch|
+          debug { "closing #{type} forwarded channel" }
+          ch[:socket].close if !client.closed?
+          session.stop_listening_to(ch[:socket])
+        end
+
+        channel.on_process do |ch|
+          ch.debug { "processing #{type} forwarded connection" }
+
+          if ch[:socket].closed?
+            ch.info { "#{type} forwarded connection closed" }
+            ch.close
+          else
+            # For pageant sockets, the recieved and queued data (from on_data above) should be "sent" immediately
+            # That way, the read operation below is successful with that result
+
+            # Alternatively, instead of enqueuing the message in on_data, send_query could be called directly,
+            # so the pageant's response data would be available here as well.
+            # This requires special consideration when data is split into muliple segments (ex: carriage return split issue)
+            # Todo: figure out why the forwarding message starting with 000001920D... seemed to break consistantly after the first four bytes (followed by \r, in the next segment)
+            if ch[:socket].available == 0 && ch[:socket].class.name =~ /Pageant/ 
+              ch.debug { "Pageant socket: no data to read, so send pending" }
+              ch[:socket].send_pending
+            end
+
+            available = ch[:socket].available
+            if available > 0
+              ch.debug { "Pageant socket: now there are #{available} bytes" } if ch[:socket].class.name =~ /Pageant/
+              data = ch[:socket].read_available(available > 0 ? available : 8192)
+              ch.debug { "read #{data.length} bytes from client, sending over #{type} forwarded connection" }
+              ch.send_data(data)
+            end
+          end
+        end
+      end
+
+      # The callback used when a new "forwarded-tcpip" channel is requested
+      # by the server.  This will open a new socket to the host/port specified
+      # when the forwarded connection was first requested.
+      def forwarded_tcpip(session, channel, packet)
+        connected_address  = packet.read_string
+        connected_port     = packet.read_long
+        originator_address = packet.read_string
+        originator_port    = packet.read_long
+
+        remote = @remote_forwarded_ports[[connected_port, connected_address]]
+
+        if remote.nil?
+          raise Net::SSH::ChannelOpenFailed.new(1, "unknown request from remote forwarded connection on #{connected_address}:#{connected_port}")
+        end
+
+        client = TCPSocket.new(remote.host, remote.port)
+        info { "connected #{connected_address}:#{connected_port} originator #{originator_address}:#{originator_port}" }
+
+        prepare_client(client, channel, :remote)
+      rescue SocketError => err
+        raise Net::SSH::ChannelOpenFailed.new(2, "could not connect to remote host (#{remote.host}:#{remote.port}): #{err.message}")
+      end
+
+      # The callback used when an auth-agent channel is requested by the server.
+      def auth_agent_channel(session, channel, packet)
+        info { "opening auth-agent channel" }
+        channel[:invisible] = true
+
+        begin
+          agent = Authentication::Agent.connect(logger)
+          prepare_client(agent.socket, channel, :agent)
+        rescue Exception => e
+          error { "attempted to connect to agent but failed: #{e.class.name} (#{e.message})" }
+          raise Net::SSH::ChannelOpenFailed.new(2, "could not connect to authentication agent")
+        end
+      end
+  end
+
+end; end; end