minmb-net-ssh 2.5.1

data/lib/net/ssh/authentication/methods/abstract.rb

@@ -0,0 +1,60 @@
+require 'net/ssh/buffer'
+require 'net/ssh/errors'
+require 'net/ssh/loggable'
+require 'net/ssh/authentication/constants'
+
+module Net; module SSH; module Authentication; module Methods
+
+  # The base class of all user authentication methods. It provides a few
+  # bits of common functionality.
+  class Abstract
+    include Constants, Loggable
+
+    # The authentication session object
+    attr_reader :session
+
+    # The key manager object. Not all authentication methods will require
+    # this.
+    attr_reader :key_manager
+
+    # Instantiates a new authentication method.
+    def initialize(session, options={})
+      @session = session
+      @key_manager = options[:key_manager]
+      @options = options
+      self.logger = session.logger
+    end
+
+    # Returns the session-id, as generated during the first key exchange of
+    # an SSH connection.
+    def session_id
+      session.transport.algorithms.session_id
+    end
+
+    # Sends a message via the underlying transport layer abstraction. This
+    # will block until the message is completely sent.
+    def send_message(msg)
+      session.transport.send_message(msg)
+    end
+
+    # Creates a new USERAUTH_REQUEST packet. The extra arguments on the end
+    # must be either boolean values or strings, and are tacked onto the end
+    # of the packet. The new packet is returned, ready for sending.
+    def userauth_request(username, next_service, auth_method, *others)
+      buffer = Net::SSH::Buffer.from(:byte, USERAUTH_REQUEST,
+        :string, username, :string, next_service, :string, auth_method)
+
+      others.each do |value|
+        case value
+        when true, false then buffer.write_bool(value)
+        when String      then buffer.write_string(value)
+        else raise ArgumentError, "don't know how to write #{value.inspect}"
+        end
+      end
+
+      buffer
+    end
+
+  end
+
+end; end; end; end

data/lib/net/ssh/authentication/methods/hostbased.rb

@@ -0,0 +1,75 @@
+require 'net/ssh/authentication/methods/abstract'
+
+module Net
+  module SSH
+    module Authentication
+      module Methods
+
+        # Implements the host-based SSH authentication method.
+        class Hostbased < Abstract
+          include Constants
+
+          # Attempts to perform host-based authorization of the user by trying
+          # all known keys.
+          def authenticate(next_service, username, password=nil)
+            return false unless key_manager
+
+            key_manager.each_identity do |identity|
+              return true if authenticate_with(identity, next_service,
+                username, key_manager)
+            end
+
+            return false
+          end
+
+          private
+
+            # Returns the hostname as reported by the underlying socket.
+            def hostname
+              session.transport.socket.client_name
+            end
+
+            # Attempts to perform host-based authentication of the user, using
+            # the given host identity (key).
+            def authenticate_with(identity, next_service, username, key_manager)
+              debug { "trying hostbased (#{identity.fingerprint})" }
+              client_username = ENV['USER'] || username
+
+              req = build_request(identity, next_service, username, "#{hostname}.", client_username)
+              sig_data = Buffer.from(:string, session_id, :raw, req)
+
+              sig = key_manager.sign(identity, sig_data.to_s)
+
+              message = Buffer.from(:raw, req, :string, sig)
+
+              send_message(message)
+              message = session.next_message
+
+              case message.type
+                when USERAUTH_SUCCESS
+                  info { "hostbased succeeded (#{identity.fingerprint})" }
+                  return true
+                when USERAUTH_FAILURE
+                  info { "hostbased failed (#{identity.fingerprint})" }
+
+                  raise Net::SSH::Authentication::DisallowedMethod unless
+                    message[:authentications].split(/,/).include? 'hostbased'
+
+                  return false
+                else
+                  raise Net::SSH::Exception, "unexpected server response to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
+              end
+            end
+
+            # Build the "core" hostbased request string.
+            def build_request(identity, next_service, username, hostname, client_username)
+              userauth_request(username, next_service, "hostbased", identity.ssh_type,
+                Buffer.from(:key, identity).to_s, hostname, client_username).to_s
+            end
+
+        end
+
+      end
+    end
+  end
+end

data/lib/net/ssh/authentication/methods/keyboard_interactive.rb

@@ -0,0 +1,70 @@
+require 'net/ssh/prompt'
+require 'net/ssh/authentication/methods/abstract'
+
+module Net
+  module SSH
+    module Authentication
+      module Methods
+
+        # Implements the "keyboard-interactive" SSH authentication method.
+        class KeyboardInteractive < Abstract
+          include Prompt
+
+          USERAUTH_INFO_REQUEST  = 60
+          USERAUTH_INFO_RESPONSE = 61
+
+          # Attempt to authenticate the given user for the given service.
+          def authenticate(next_service, username, password=nil)
+            debug { "trying keyboard-interactive" }
+            send_message(userauth_request(username, next_service, "keyboard-interactive", "", ""))
+
+            loop do
+              message = session.next_message
+
+              case message.type
+              when USERAUTH_SUCCESS
+                debug { "keyboard-interactive succeeded" }
+                return true
+              when USERAUTH_FAILURE
+                debug { "keyboard-interactive failed" }
+
+                raise Net::SSH::Authentication::DisallowedMethod unless
+                  message[:authentications].split(/,/).include? 'keyboard-interactive'
+
+                return false
+              when USERAUTH_INFO_REQUEST
+                name = message.read_string
+                instruction = message.read_string
+                debug { "keyboard-interactive info request" }
+
+                unless password
+                  puts(name) unless name.empty?
+                  puts(instruction) unless instruction.empty?
+                end
+
+                lang_tag = message.read_string
+                responses =[]
+  
+                message.read_long.times do
+                  text = message.read_string
+                  echo = message.read_bool
+                  responses << (password || prompt(text, echo))
+                end
+
+                # if the password failed the first time around, don't try
+                # and use it on subsequent requests.
+                password = nil
+
+                msg = Buffer.from(:byte, USERAUTH_INFO_RESPONSE, :long, responses.length, :string, responses)
+                send_message(msg)
+              else
+                raise Net::SSH::Exception, "unexpected reply in keyboard interactive: #{message.type} (#{message.inspect})"
+              end
+            end
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/net/ssh/authentication/methods/password.rb

@@ -0,0 +1,43 @@
+require 'net/ssh/errors'
+require 'net/ssh/authentication/methods/abstract'
+
+module Net
+  module SSH
+    module Authentication
+      module Methods
+
+        # Implements the "password" SSH authentication method.
+        class Password < Abstract
+          # Attempt to authenticate the given user for the given service. If
+          # the password parameter is nil, this will never do anything except
+          # return false.
+          def authenticate(next_service, username, password=nil)
+            return false unless password
+
+            send_message(userauth_request(username, next_service, "password", false, password))
+            message = session.next_message
+
+            case message.type
+              when USERAUTH_SUCCESS
+                debug { "password succeeded" }
+                return true
+              when USERAUTH_FAILURE
+                debug { "password failed" }
+
+                raise Net::SSH::Authentication::DisallowedMethod unless
+                  message[:authentications].split(/,/).include? 'password'
+
+                return false
+              when USERAUTH_PASSWD_CHANGEREQ
+                debug { "password change request received, failing" }
+                return false
+              else
+                raise Net::SSH::Exception, "unexpected reply to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
+            end
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/net/ssh/authentication/methods/publickey.rb

@@ -0,0 +1,96 @@
+require 'net/ssh/buffer'
+require 'net/ssh/errors'
+require 'net/ssh/authentication/methods/abstract'
+
+module Net
+  module SSH
+    module Authentication
+      module Methods
+
+        # Implements the "publickey" SSH authentication method.
+        class Publickey < Abstract
+          # Attempts to perform public-key authentication for the given
+          # username, trying each identity known to the key manager. If any of
+          # them succeed, returns +true+, otherwise returns +false+. This
+          # requires the presence of a key manager.
+          def authenticate(next_service, username, password=nil)
+            return false unless key_manager
+
+            key_manager.each_identity do |identity|
+              return true if authenticate_with(identity, next_service, username)
+            end
+
+            return false
+          end
+
+          private
+
+            # Builds a packet that contains the request formatted for sending
+            # a public-key request to the server.
+            def build_request(pub_key, username, next_service, has_sig)
+              blob = Net::SSH::Buffer.new
+              blob.write_key pub_key
+
+              userauth_request(username, next_service, "publickey", has_sig,
+                pub_key.ssh_type, blob.to_s)
+            end
+
+            # Builds and sends a request formatted for a public-key
+            # authentication request.
+            def send_request(pub_key, username, next_service, signature=nil)
+              msg = build_request(pub_key, username, next_service, !signature.nil?)
+              msg.write_string(signature) if signature
+              send_message(msg)
+            end
+
+            # Attempts to perform public-key authentication for the given
+            # username, with the given identity (public key). Returns +true+ if
+            # successful, or +false+ otherwise.
+            def authenticate_with(identity, next_service, username)
+              debug { "trying publickey (#{identity.fingerprint})" }
+              send_request(identity, username, next_service)
+
+              message = session.next_message
+
+              case message.type
+                when USERAUTH_PK_OK
+                  buffer = build_request(identity, username, next_service, true)
+                  sig_data = Net::SSH::Buffer.new
+                  sig_data.write_string(session_id)
+                  sig_data.append(buffer.to_s)
+
+                  sig_blob = key_manager.sign(identity, sig_data)
+
+                  send_request(identity, username, next_service, sig_blob.to_s)
+                  message = session.next_message
+
+                  case message.type
+                    when USERAUTH_SUCCESS
+                      debug { "publickey succeeded (#{identity.fingerprint})" }
+                      return true
+                    when USERAUTH_FAILURE
+                      debug { "publickey failed (#{identity.fingerprint})" }
+
+                      raise Net::SSH::Authentication::DisallowedMethod unless
+                        message[:authentications].split(/,/).include? 'publickey'
+
+                      return false
+                    else
+                      raise Net::SSH::Exception,
+                        "unexpected server response to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
+                  end
+
+                when USERAUTH_FAILURE
+                  return false
+
+                else
+                  raise Net::SSH::Exception, "unexpected reply to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
+              end
+            end
+
+        end
+
+      end
+    end
+  end
+end

data/lib/net/ssh/authentication/pageant.rb

@@ -0,0 +1,301 @@
+require 'dl/import'
+
+if RUBY_VERSION < "1.9"
+  require 'dl/struct'
+end
+
+if RUBY_VERSION =~ /^1.9/
+  require 'dl/types'
+  require 'dl'
+end
+
+require 'net/ssh/errors'
+
+module Net; module SSH; module Authentication
+
+  # This module encapsulates the implementation of a socket factory that
+  # uses the PuTTY "pageant" utility to obtain information about SSH
+  # identities.
+  #
+  # This code is a slightly modified version of the original implementation
+  # by Guillaume Mar�ais (guillaume.marcais@free.fr). It is used and
+  # relicensed by permission.
+  module Pageant
+
+    # From Putty pageant.c
+    AGENT_MAX_MSGLEN = 8192
+    AGENT_COPYDATA_ID = 0x804e50ba
+
+    # The definition of the Windows methods and data structures used in
+    # communicating with the pageant process.
+    module Win
+      if RUBY_VERSION < "1.9"
+        extend DL::Importable
+
+        dlload 'user32'
+        dlload 'kernel32'
+      end
+
+      if RUBY_VERSION =~ /^1.9/
+        extend DL::Importer
+        dlload 'user32','kernel32'
+        include DL::Win32Types
+      end
+
+      typealias("LPCTSTR", "char *")         # From winnt.h
+      typealias("LPVOID", "void *")          # From winnt.h
+      typealias("LPCVOID", "const void *")   # From windef.h
+      typealias("LRESULT", "long")           # From windef.h
+      typealias("WPARAM", "unsigned int *")  # From windef.h
+      typealias("LPARAM", "long *")          # From windef.h
+      typealias("PDWORD_PTR", "long *")      # From basetsd.h
+
+      # From winbase.h, winnt.h
+      INVALID_HANDLE_VALUE = -1
+      NULL = nil
+      PAGE_READWRITE = 0x0004
+      FILE_MAP_WRITE = 2
+      WM_COPYDATA = 74
+
+      SMTO_NORMAL = 0   # From winuser.h
+
+      # args: lpClassName, lpWindowName
+      extern 'HWND FindWindow(LPCTSTR, LPCTSTR)'
+
+      # args: none
+      extern 'DWORD GetCurrentThreadId()'
+
+      # args: hFile, (ignored), flProtect, dwMaximumSizeHigh,
+      #           dwMaximumSizeLow, lpName
+      extern 'HANDLE CreateFileMapping(HANDLE, void *, DWORD, DWORD, ' +
+        'DWORD, LPCTSTR)'
+
+      # args: hFileMappingObject, dwDesiredAccess, dwFileOffsetHigh, 
+      #           dwfileOffsetLow, dwNumberOfBytesToMap
+      extern 'LPVOID MapViewOfFile(HANDLE, DWORD, DWORD, DWORD, DWORD)'
+
+      # args: lpBaseAddress
+      extern 'BOOL UnmapViewOfFile(LPCVOID)'
+
+      # args: hObject
+      extern 'BOOL CloseHandle(HANDLE)'
+
+      # args: hWnd, Msg, wParam, lParam, fuFlags, uTimeout, lpdwResult
+      extern 'LRESULT SendMessageTimeout(HWND, UINT, WPARAM, LPARAM, ' +
+        'UINT, UINT, PDWORD_PTR)'
+      if RUBY_VERSION < "1.9"
+        alias_method :FindWindow,:findWindow
+        module_function :FindWindow
+      end
+    end
+
+    # This is the pseudo-socket implementation that mimics the interface of
+    # a socket, translating each request into a Windows messaging call to
+    # the pageant daemon. This allows pageant support to be implemented
+    # simply by replacing the socket factory used by the Agent class.
+    class Socket
+
+      private_class_method :new
+
+      # The factory method for creating a new Socket instance. The location
+      # parameter is ignored, and is only needed for compatibility with
+      # the general Socket interface.
+      def self.open(location=nil)
+        new
+      end
+
+      # Create a new instance that communicates with the running pageant 
+      # instance. If no such instance is running, this will cause an error.
+      def initialize
+        @win = Win.FindWindow("Pageant", "Pageant")
+
+        if @win == 0
+          raise Net::SSH::Exception,
+            "pageant process not running"
+        end
+
+        @pending_query = nil
+        @res = nil
+        @pos = 0
+      end
+
+      # Forwards the data to #send_query, ignoring any arguments after
+      # the first. Returns 0.
+      def send(data, *args)
+        @res = send_query(data)
+        @pos = 0
+      end
+
+      # Packages the given query string and sends it to the pageant
+      # process via the Windows messaging subsystem. The result is
+      # cached, to be returned piece-wise when #read is called.
+      def send_query(query)
+        res = nil
+        filemap = 0
+        ptr = nil
+        id = DL::PtrData.malloc(DL.sizeof("L"))
+
+        mapname = "PageantRequest%08x\000" % Win.getCurrentThreadId()
+        filemap = Win.createFileMapping(Win::INVALID_HANDLE_VALUE, 
+                                        Win::NULL,
+                                        Win::PAGE_READWRITE, 0, 
+                                        AGENT_MAX_MSGLEN, mapname)
+        if filemap == 0
+          raise Net::SSH::Exception,
+            "Creation of file mapping failed"
+        end
+
+        ptr = Win.mapViewOfFile(filemap, Win::FILE_MAP_WRITE, 0, 0, 
+                                AGENT_MAX_MSGLEN)
+
+        if ptr.nil? || ptr.null?
+          raise Net::SSH::Exception, "Mapping of file failed"
+        end
+
+        ptr[0] = query
+
+        cds = [AGENT_COPYDATA_ID, mapname.size + 1, mapname].
+          pack("LLp").to_ptr
+        succ = Win.sendMessageTimeout(@win, Win::WM_COPYDATA, Win::NULL,
+                                      cds, Win::SMTO_NORMAL, 5000, id)
+
+        if succ > 0
+          retlen = 4 + ptr.to_s(4).unpack("N")[0]
+          res = ptr.to_s(retlen)
+        end        
+
+        return res
+      ensure
+        Win.unmapViewOfFile(ptr) unless ptr.nil? || ptr.null?
+        Win.closeHandle(filemap) if filemap != 0
+      end
+
+      # Conceptually close the socket. This doesn't really do anthing
+      # significant, but merely complies with the Socket interface.
+      def close
+        # hack. probably need to move closed state to a flag,
+        # since ready and closed will look equivalent
+        # also basically we never need to actually be closed
+
+        # @res = nil
+        @pos = 0
+      end
+
+      # Conceptually asks if the socket is closed. As with #close,
+      # this doesn't really do anything significant, but merely
+      # complies with the Socket interface.
+      def closed?
+        @res.nil? && @pos.zero?
+      end
+
+      # Reads +n+ bytes from the cached result of the last query. If +n+
+      # is +nil+, returns all remaining data from the last query.
+      def read(n = nil)
+        return nil unless @res
+
+        if n.nil?
+          start, @pos = @pos, @res.size
+          return @res[start..-1]
+        else
+          start, @pos = @pos, @pos + n
+          return @res[start, n]
+        end
+      end
+
+      # methods we need since they dont come from buffer/buffered_io any more
+      def available
+        return @res.nil? ? 0 : @res.length - @pos
+      end
+
+      def read_available(n=nil)
+        read(n)
+      end
+
+      def fill(n=nil)
+        @res = read(n)
+        return @res.length
+      end
+
+      def enqueue(data)
+        @pending_query = (@pending_query || '') + data
+      end
+
+      def send_pending
+        return if @pending_query.nil?
+
+        @res = send_query(@pending_query)
+        @pos = 0
+        @pending_query = nil
+      end
+
+      def shutdown(reason)
+        #no op
+      end
+    end
+
+    # Socket changes for Ruby 1.9
+    # Functionality is the same as Ruby 1.8 but it includes the new calls to 
+    # the DL module as well as other pointer transformations
+    class Socket19 < Socket
+      # Packages the given query string and sends it to the pageant
+      # process via the Windows messaging subsystem. The result is
+      # cached, to be returned piece-wise when #read is called.
+      def send_query(query)
+        query = @always_query || query
+
+        res = nil
+        filemap = 0
+        ptr = nil
+        id = DL.malloc(DL::SIZEOF_LONG)
+
+        mapname = "PageantRequest%08x\000" % Win.GetCurrentThreadId()
+
+        filemap = Win.CreateFileMapping(Win::INVALID_HANDLE_VALUE, 
+                                        Win::NULL,
+                                        Win::PAGE_READWRITE, 0, 
+                                        AGENT_MAX_MSGLEN, mapname)
+
+        if filemap == 0 || filemap == Win::INVALID_HANDLE_VALUE
+          raise Net::SSH::Exception,
+            "Creation of file mapping failed"
+        end
+
+        ptr = Win.MapViewOfFile(filemap, Win::FILE_MAP_WRITE, 0, 0, 
+                                0)
+
+        if ptr.nil? || ptr.null?
+          raise Net::SSH::Exception, "Mapping of file failed"
+        end
+
+        DL::CPtr.new(ptr)[0,query.size]=query
+
+        cds = DL::CPtr.to_ptr [AGENT_COPYDATA_ID, mapname.size + 1, mapname].
+          pack("LLp")
+        succ = Win.SendMessageTimeout(@win, Win::WM_COPYDATA, Win::NULL,
+                                      cds, Win::SMTO_NORMAL, 5000, id)
+
+        if succ > 0
+          retlen = 4 + ptr.to_s(4).unpack("N")[0]
+          res = ptr.to_s(retlen)
+        end        
+
+        return res
+      ensure
+        Win.UnmapViewOfFile(ptr) unless ptr.nil? || ptr.null?
+        Win.CloseHandle(filemap) if filemap != 0
+      end
+    end
+
+    # Selects which socket to use depending on the ruby version
+    # This is needed due changes in the DL module.
+    def self.socket_factory
+      if RUBY_VERSION < "1.9"
+        Socket
+      else
+        Socket19
+      end
+    end
+
+  end
+
+end; end; end