net-ssh-backports 6.3.0.backports

data/lib/net/ssh/connection/term.rb

@@ -0,0 +1,180 @@
+module Net
+  module SSH
+    module Connection
+      # These constants are used when requesting a pseudo-terminal (via
+      # Net::SSH::Connection::Channel#request_pty). The descriptions for each are
+      # taken directly from RFC 4254 ("The Secure Shell (SSH) Connection Protocol"),
+      # http://tools.ietf.org/html/rfc4254.
+      module Term
+        # Interrupt character; 255 if none. Similarly for the other characters.
+        # Not all of these characters are supported on all systems.
+        VINTR = 1
+
+        # The quit character (sends SIGQUIT signal on POSIX systems).
+        VQUIT = 2
+
+        # Erase the character to left of the cursor.
+        VERASE = 3
+
+        # Kill the current input line.
+        VKILL = 4
+
+        # End-of-file character (sends EOF from the terminal).
+        VEOF = 5
+
+        # End-of-line character in addition to carriage return and/or linefeed.
+        VEOL = 6
+
+        # Additional end-of-line character.
+        VEOL2 = 7
+
+        # Continues paused output (normally control-Q).
+        VSTART = 8
+
+        # Pauses output (normally control-S).
+        VSTOP = 9
+
+        # Suspends the current program.
+        VSUSP = 10
+
+        # Another suspend character.
+        VDSUSP = 11
+
+        # Reprints the current input line.
+        VREPRINT = 12
+
+        # Erases a word left of cursor.
+        VWERASE = 13
+
+        # Enter the next character typed literally, even if it is a special
+        # character.
+        VLNEXT = 14
+
+        # Character to flush output.
+        VFLUSH = 15
+
+        # Switch to a different shell layer.
+        VSWITCH = 16
+
+        # Prints system status line (load, command, pid, etc).
+        VSTATUS = 17
+
+        # Toggles the flushing of terminal output.
+        VDISCARD = 18
+
+        # The ignore parity flag. The parameter SHOULD be 0 if this flag is FALSE,
+        # and 1 if it is TRUE.
+        IGNPAR = 30
+
+        # Mark parity and framing errors.
+        PARMRK = 31
+
+        # Enable checking of parity errors.
+        INPCK = 32
+
+        # Strip 8th bit off characters.
+        ISTRIP = 33
+
+        # Map NL into CR on input.
+        INCLR = 34
+
+        # Ignore CR on input.
+        IGNCR = 35
+
+        # Map CR to NL on input.
+        ICRNL = 36
+
+        # Translate uppercase characters to lowercase.
+        IUCLC = 37
+
+        # Enable output flow control.
+        IXON = 38
+
+        # Any char will restart after stop.
+        IXANY = 39
+
+        # Enable input flow control.
+        IXOFF = 40
+
+        # Ring bell on input queue full.
+        IMAXBEL = 41
+
+        # Enable signals INTR, QUIT, [D]SUSP.
+        ISIG = 50
+
+        # Canonicalize input lines.
+        ICANON = 51
+
+        # Enable input and output of uppercase characters by preceding their
+        # lowercase equivalents with "\".
+        XCASE = 52
+
+        # Enable echoing.
+        ECHO = 53
+
+        # Visually erase chars.
+        ECHOE = 54
+
+        # Kill character discards current line.
+        ECHOK = 55
+
+        # Echo NL even if ECHO is off.
+        ECHONL = 56
+
+        # Don't flush after interrupt.
+        NOFLSH = 57
+
+        # Stop background jobs from output.
+        TOSTOP = 58
+
+        # Enable extensions.
+        IEXTEN = 59
+
+        # Echo control characters as ^(Char).
+        ECHOCTL = 60
+
+        # Visual erase for line kill.
+        ECHOKE = 61
+
+        # Retype pending input.
+        PENDIN = 62
+
+        # Enable output processing.
+        OPOST = 70
+
+        # Convert lowercase to uppercase.
+        OLCUC = 71
+
+        # Map NL to CR-NL.
+        ONLCR = 72
+
+        # Translate carriage return to newline (output).
+        OCRNL = 73
+
+        # Translate newline to carriage return-newline (output).
+        ONOCR = 74
+
+        # Newline performs a carriage return (output).
+        ONLRET = 75
+
+        # 7 bit mode.
+        CS7 = 90
+
+        # 8 bit mode.
+        CS8 = 91
+
+        # Parity enable.
+        PARENB = 92
+
+        # Odd parity, else even.
+        PARODD = 93
+
+        # Specifies the input baud rate in bits per second.
+        TTY_OP_ISPEED = 128
+
+        # Specifies the output baud rate in bits per second.
+        TTY_OP_OSPEED = 129
+      end
+    end
+  end
+end

data/lib/net/ssh/errors.rb

@@ -0,0 +1,106 @@
+module Net
+  module SSH
+    # A general exception class, to act as the ancestor of all other Net::SSH
+    # exception classes.
+    class Exception < ::RuntimeError; end
+
+    # This exception is raised when authentication fails (whether it be
+    # public key authentication, password authentication, or whatever).
+    class AuthenticationFailed < Net::SSH::Exception; end
+
+    # This exception is raised when a connection attempt times out.
+    class ConnectionTimeout < Net::SSH::Exception; end
+
+    # This exception is raised when the remote host has disconnected
+    # unexpectedly.
+    class Disconnect < Net::SSH::Exception; end
+
+    # This exception is raised when the remote host has disconnected/
+    # timeouted unexpectedly.
+    class Timeout < Disconnect; end
+
+    # This exception is primarily used internally, but if you have a channel
+    # request handler (see Net::SSH::Connection::Channel#on_request) that you
+    # want to fail in such a way that the server knows it failed, you can
+    # raise this exception in the handler and Net::SSH will translate that into
+    # a "channel failure" message.
+    class ChannelRequestFailed < Net::SSH::Exception; end
+
+    # This is exception is primarily used internally, but if you have a channel
+    # open handler (see Net::SSH::Connection::Session#on_open_channel) and you
+    # want to fail in such a way that the server knows it failed, you can
+    # raise this exception in the handler and Net::SSH will translate that into
+    # a "channel open failed" message.
+    class ChannelOpenFailed < Net::SSH::Exception
+      attr_reader :code, :reason
+
+      def initialize(code, reason)
+        @code, @reason = code, reason
+        super "#{reason} (#{code})"
+      end
+    end
+
+    # Base class for host key exceptions. When rescuing this exception, you can
+    # inspect the key fingerprint and, if you want to proceed anyway, simply call
+    # the remember_host! method on the exception, and then retry.
+    class HostKeyError < Net::SSH::Exception
+      # the callback to use when #remember_host! is called
+      attr_writer :callback #:nodoc:
+
+      # situation-specific data describing the host (see #host, #port, etc.)
+      attr_writer :data #:nodoc:
+
+      # An accessor for getting at the data that was used to look up the host
+      # (see also #fingerprint, #host, #port, #ip, and #key).
+      def [](key)
+        @data && @data[key]
+      end
+
+      # Returns the fingerprint of the key for the host, which either was not
+      # found or did not match.
+      def fingerprint
+        @data && @data[:fingerprint]
+      end
+
+      # Returns the host name for the remote host, as reported by the socket.
+      def host
+        @data && @data[:peer] && @data[:peer][:host]
+      end
+
+      # Returns the port number for the remote host, as reported by the socket.
+      def port
+        @data && @data[:peer] && @data[:peer][:port]
+      end
+
+      # Returns the IP address of the remote host, as reported by the socket.
+      def ip
+        @data && @data[:peer] && @data[:peer][:ip]
+      end
+
+      # Returns the key itself, as reported by the remote host.
+      def key
+        @data && @data[:key]
+      end
+
+      # Tell Net::SSH to record this host and key in the known hosts file, so
+      # that subsequent connections will remember them.
+      def remember_host!
+        @callback.call
+      end
+    end
+
+    # Raised when the cached key for a particular host does not match the
+    # key given by the host, which can be indicative of a man-in-the-middle
+    # attack. When rescuing this exception, you can inspect the key fingerprint
+    # and, if you want to proceed anyway, simply call the remember_host!
+    # method on the exception, and then retry.
+    class HostKeyMismatch < HostKeyError; end
+
+    # Raised when there is no cached key for a particular host, which probably
+    # means that the host has simply not been seen before.
+    # When rescuing this exception, you can inspect the key fingerprint and, if
+    # you want to proceed anyway, simply call the remember_host! method on the
+    # exception, and then retry.
+    class HostKeyUnknown < HostKeyError; end
+  end
+end

data/lib/net/ssh/key_factory.rb

@@ -0,0 +1,218 @@
+require 'net/ssh/transport/openssl'
+require 'net/ssh/prompt'
+
+require 'net/ssh/authentication/ed25519_loader'
+
+module Net
+  module SSH
+    # A factory class for returning new Key classes. It is used for obtaining
+    # OpenSSL key instances via their SSH names, and for loading both public and
+    # private keys. It used used primarily by Net::SSH itself, internally, and
+    # will rarely (if ever) be directly used by consumers of the library.
+    #
+    #   klass = Net::SSH::KeyFactory.get("rsa")
+    #   assert klass.is_a?(OpenSSL::PKey::RSA)
+    #
+    #   key = Net::SSH::KeyFactory.load_public_key("~/.ssh/id_dsa.pub")
+    class KeyFactory
+      # Specifies the mapping of SSH names to OpenSSL key classes.
+      MAP = {
+        'dh'    => OpenSSL::PKey::DH,
+        'rsa'   => OpenSSL::PKey::RSA,
+        'dsa'   => OpenSSL::PKey::DSA,
+        'ecdsa' => OpenSSL::PKey::EC
+      }
+      MAP["ed25519"] = Net::SSH::Authentication::ED25519::PrivKey if defined? Net::SSH::Authentication::ED25519
+
+      class <<self
+        # Fetch an OpenSSL key instance by its SSH name. It will be a new,
+        # empty key of the given type.
+        def get(name)
+          MAP.fetch(name).new
+        end
+
+        # Loads a private key from a file. It will correctly determine
+        # whether the file describes an RSA or DSA key, and will load it
+        # appropriately. The new key is returned. If the key itself is
+        # encrypted (requiring a passphrase to use), the user will be
+        # prompted to enter their password unless passphrase works.
+        def load_private_key(filename, passphrase=nil, ask_passphrase=true, prompt=Prompt.default)
+          data = File.read(File.expand_path(filename))
+          load_data_private_key(data, passphrase, ask_passphrase, filename, prompt)
+        end
+
+        # Loads a private key. It will correctly determine
+        # whether the file describes an RSA or DSA key, and will load it
+        # appropriately. The new key is returned. If the key itself is
+        # encrypted (requiring a passphrase to use), the user will be
+        # prompted to enter their password unless passphrase works.
+        def load_data_private_key(data, passphrase=nil, ask_passphrase=true, filename="", prompt=Prompt.default)
+          key_type = classify_key(data, filename)
+
+          encrypted_key = nil
+          tries = 0
+
+          prompter = nil
+          result =
+            begin
+              key_type.read(data, passphrase || 'invalid')
+            rescue *key_type.error_classes => e
+              encrypted_key = !!key_type.encrypted_key?(data, e) if encrypted_key.nil?
+              if encrypted_key && ask_passphrase
+                tries += 1
+                if tries <= 3
+                  prompter ||= prompt.start(type: 'private_key', filename: filename, sha: Digest::SHA256.digest(data))
+                  passphrase = prompter.ask("Enter passphrase for #{filename}:", false)
+                  retry
+                else
+                  raise
+                end
+              else
+                raise
+              end
+            end
+          prompter.success if prompter
+          result
+        end
+
+        # Loads a public key from a file. It will correctly determine whether
+        # the file describes an RSA or DSA key, and will load it
+        # appropriately. The new public key is returned.
+        def load_public_key(filename)
+          data = File.read(File.expand_path(filename))
+          load_data_public_key(data, filename)
+        end
+
+        # Loads a public key. It will correctly determine whether
+        # the file describes an RSA or DSA key, and will load it
+        # appropriately. The new public key is returned.
+        def load_data_public_key(data, filename="")
+          fields = data.split(/ /)
+
+          blob = nil
+          begin
+            blob = fields.shift
+          end while !blob.nil? && !/^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp\d+)(-cert-v01@openssh\.com)?$/.match(blob)
+          blob = fields.shift
+
+          raise Net::SSH::Exception, "public key at #{filename} is not valid" if blob.nil?
+
+          blob = blob.unpack("m*").first
+          reader = Net::SSH::Buffer.new(blob)
+          reader.read_key or raise OpenSSL::PKey::PKeyError, "not a public key #{filename.inspect}"
+        end
+
+        private
+
+        # rubocop:disable Style/Documentation, Lint/DuplicateMethods
+        class KeyType
+          def self.read(key_data, passphrase)
+            raise Exception, "TODO subclasses should implement read"
+          end
+
+          def self.error_classes
+            raise Exception, "TODO subclasses should implement read"
+          end
+
+          def self.encrypted_key?(data, error)
+            raise Exception, "TODO subclasses should implement is_encrypted_key"
+          end
+        end
+
+        class OpenSSHPrivateKeyType < KeyType
+          def self.read(key_data, passphrase)
+            Net::SSH::Authentication::ED25519::OpenSSHPrivateKeyLoader.read(key_data, passphrase)
+          end
+
+          def self.error_classes
+            [Net::SSH::Authentication::ED25519::OpenSSHPrivateKeyLoader::DecryptError]
+          end
+
+          def self.encrypted_key?(key_data, decode_error)
+            decode_error.is_a?(Net::SSH::Authentication::ED25519::OpenSSHPrivateKeyLoader::DecryptError) && decode_error.encrypted_key?
+          end
+        end
+
+        class OpenSSLKeyTypeBase < KeyType
+          def self.open_ssl_class
+            raise Exception, "TODO: subclasses should implement"
+          end
+
+          def self.read(key_data, passphrase)
+            open_ssl_class.new(key_data, passphrase)
+          end
+
+          def self.encrypted_key?(key_data, error)
+            key_data.match(/ENCRYPTED/)
+          end
+        end
+
+        class OpenSSLPKeyType < OpenSSLKeyTypeBase
+          def self.read(key_data, passphrase)
+            open_ssl_class.read(key_data, passphrase)
+          end
+
+          def self.open_ssl_class
+            OpenSSL::PKey
+          end
+
+          def self.error_classes
+            [ArgumentError, OpenSSL::PKey::PKeyError]
+          end
+        end
+
+        class OpenSSLDSAKeyType < OpenSSLKeyTypeBase
+          def self.open_ssl_class
+            OpenSSL::PKey::DSA
+          end
+
+          def self.error_classes
+            [OpenSSL::PKey::DSAError]
+          end
+        end
+
+        class OpenSSLRSAKeyType < OpenSSLKeyTypeBase
+          def self.open_ssl_class
+            OpenSSL::PKey::RSA
+          end
+
+          def self.error_classes
+            [OpenSSL::PKey::RSAError]
+          end
+        end
+
+        class OpenSSLECKeyType < OpenSSLKeyTypeBase
+          def self.open_ssl_class
+            OpenSSL::PKey::EC
+          end
+
+          def self.error_classes
+            [OpenSSL::PKey::ECError]
+          end
+        end
+        # rubocop:enable Style/Documentation, Lint/DuplicateMethods
+
+        # Determine whether the file describes an RSA or DSA key, and return how load it
+        # appropriately.
+        def classify_key(data, filename)
+          if data.match(/-----BEGIN OPENSSH PRIVATE KEY-----/)
+            Net::SSH::Authentication::ED25519Loader.raiseUnlessLoaded("OpenSSH keys only supported if ED25519 is available")
+            return OpenSSHPrivateKeyType
+          elsif OpenSSL::PKey.respond_to?(:read)
+            return OpenSSLPKeyType
+          elsif data.match(/-----BEGIN DSA PRIVATE KEY-----/)
+            return OpenSSLDSAKeyType
+          elsif data.match(/-----BEGIN RSA PRIVATE KEY-----/)
+            return OpenSSLRSAKeyType
+          elsif data.match(/-----BEGIN EC PRIVATE KEY-----/)
+            return OpenSSLECKeyType
+          elsif data.match(/-----BEGIN (.+) PRIVATE KEY-----/)
+            raise OpenSSL::PKey::PKeyError, "not a supported key type '#{$1}'"
+          else
+            raise OpenSSL::PKey::PKeyError, "not a private key (#{filename})"
+          end
+        end
+      end
+    end
+  end
+end