net-ssh-backports 6.3.0.backports

Files changed (111)
  1. checksums.yaml +7 -0
  2. data/.github/workflows/ci.yml +93 -0
  3. data/.gitignore +13 -0
  4. data/.rubocop.yml +21 -0
  5. data/.rubocop_todo.yml +1074 -0
  6. data/.travis.yml +51 -0
  7. data/CHANGES.txt +698 -0
  8. data/Gemfile +13 -0
  9. data/Gemfile.noed25519 +12 -0
  10. data/ISSUE_TEMPLATE.md +30 -0
  11. data/LICENSE.txt +19 -0
  12. data/Manifest +132 -0
  13. data/README.md +287 -0
  14. data/Rakefile +105 -0
  15. data/THANKS.txt +110 -0
  16. data/appveyor.yml +58 -0
  17. data/lib/net/ssh/authentication/agent.rb +284 -0
  18. data/lib/net/ssh/authentication/certificate.rb +183 -0
  19. data/lib/net/ssh/authentication/constants.rb +20 -0
  20. data/lib/net/ssh/authentication/ed25519.rb +185 -0
  21. data/lib/net/ssh/authentication/ed25519_loader.rb +31 -0
  22. data/lib/net/ssh/authentication/key_manager.rb +297 -0
  23. data/lib/net/ssh/authentication/methods/abstract.rb +69 -0
  24. data/lib/net/ssh/authentication/methods/hostbased.rb +72 -0
  25. data/lib/net/ssh/authentication/methods/keyboard_interactive.rb +77 -0
  26. data/lib/net/ssh/authentication/methods/none.rb +34 -0
  27. data/lib/net/ssh/authentication/methods/password.rb +80 -0
  28. data/lib/net/ssh/authentication/methods/publickey.rb +95 -0
  29. data/lib/net/ssh/authentication/pageant.rb +497 -0
  30. data/lib/net/ssh/authentication/pub_key_fingerprint.rb +43 -0
  31. data/lib/net/ssh/authentication/session.rb +163 -0
  32. data/lib/net/ssh/buffer.rb +434 -0
  33. data/lib/net/ssh/buffered_io.rb +202 -0
  34. data/lib/net/ssh/config.rb +406 -0
  35. data/lib/net/ssh/connection/channel.rb +695 -0
  36. data/lib/net/ssh/connection/constants.rb +33 -0
  37. data/lib/net/ssh/connection/event_loop.rb +123 -0
  38. data/lib/net/ssh/connection/keepalive.rb +59 -0
  39. data/lib/net/ssh/connection/session.rb +712 -0
  40. data/lib/net/ssh/connection/term.rb +180 -0
  41. data/lib/net/ssh/errors.rb +106 -0
  42. data/lib/net/ssh/key_factory.rb +218 -0
  43. data/lib/net/ssh/known_hosts.rb +264 -0
  44. data/lib/net/ssh/loggable.rb +62 -0
  45. data/lib/net/ssh/packet.rb +106 -0
  46. data/lib/net/ssh/prompt.rb +62 -0
  47. data/lib/net/ssh/proxy/command.rb +123 -0
  48. data/lib/net/ssh/proxy/errors.rb +16 -0
  49. data/lib/net/ssh/proxy/http.rb +98 -0
  50. data/lib/net/ssh/proxy/https.rb +50 -0
  51. data/lib/net/ssh/proxy/jump.rb +54 -0
  52. data/lib/net/ssh/proxy/socks4.rb +67 -0
  53. data/lib/net/ssh/proxy/socks5.rb +140 -0
  54. data/lib/net/ssh/service/forward.rb +426 -0
  55. data/lib/net/ssh/test/channel.rb +147 -0
  56. data/lib/net/ssh/test/extensions.rb +173 -0
  57. data/lib/net/ssh/test/kex.rb +46 -0
  58. data/lib/net/ssh/test/local_packet.rb +53 -0
  59. data/lib/net/ssh/test/packet.rb +101 -0
  60. data/lib/net/ssh/test/remote_packet.rb +40 -0
  61. data/lib/net/ssh/test/script.rb +180 -0
  62. data/lib/net/ssh/test/socket.rb +65 -0
  63. data/lib/net/ssh/test.rb +94 -0
  64. data/lib/net/ssh/transport/algorithms.rb +502 -0
  65. data/lib/net/ssh/transport/cipher_factory.rb +103 -0
  66. data/lib/net/ssh/transport/constants.rb +40 -0
  67. data/lib/net/ssh/transport/ctr.rb +115 -0
  68. data/lib/net/ssh/transport/hmac/abstract.rb +97 -0
  69. data/lib/net/ssh/transport/hmac/md5.rb +10 -0
  70. data/lib/net/ssh/transport/hmac/md5_96.rb +9 -0
  71. data/lib/net/ssh/transport/hmac/none.rb +13 -0
  72. data/lib/net/ssh/transport/hmac/ripemd160.rb +11 -0
  73. data/lib/net/ssh/transport/hmac/sha1.rb +11 -0
  74. data/lib/net/ssh/transport/hmac/sha1_96.rb +9 -0
  75. data/lib/net/ssh/transport/hmac/sha2_256.rb +11 -0
  76. data/lib/net/ssh/transport/hmac/sha2_256_96.rb +9 -0
  77. data/lib/net/ssh/transport/hmac/sha2_256_etm.rb +12 -0
  78. data/lib/net/ssh/transport/hmac/sha2_512.rb +11 -0
  79. data/lib/net/ssh/transport/hmac/sha2_512_96.rb +9 -0
  80. data/lib/net/ssh/transport/hmac/sha2_512_etm.rb +12 -0
  81. data/lib/net/ssh/transport/hmac.rb +47 -0
  82. data/lib/net/ssh/transport/identity_cipher.rb +57 -0
  83. data/lib/net/ssh/transport/kex/abstract.rb +130 -0
  84. data/lib/net/ssh/transport/kex/abstract5656.rb +72 -0
  85. data/lib/net/ssh/transport/kex/curve25519_sha256.rb +39 -0
  86. data/lib/net/ssh/transport/kex/curve25519_sha256_loader.rb +30 -0
  87. data/lib/net/ssh/transport/kex/diffie_hellman_group14_sha1.rb +37 -0
  88. data/lib/net/ssh/transport/kex/diffie_hellman_group14_sha256.rb +11 -0
  89. data/lib/net/ssh/transport/kex/diffie_hellman_group1_sha1.rb +122 -0
  90. data/lib/net/ssh/transport/kex/diffie_hellman_group_exchange_sha1.rb +72 -0
  91. data/lib/net/ssh/transport/kex/diffie_hellman_group_exchange_sha256.rb +11 -0
  92. data/lib/net/ssh/transport/kex/ecdh_sha2_nistp256.rb +39 -0
  93. data/lib/net/ssh/transport/kex/ecdh_sha2_nistp384.rb +21 -0
  94. data/lib/net/ssh/transport/kex/ecdh_sha2_nistp521.rb +21 -0
  95. data/lib/net/ssh/transport/kex.rb +31 -0
  96. data/lib/net/ssh/transport/key_expander.rb +30 -0
  97. data/lib/net/ssh/transport/openssl.rb +253 -0
  98. data/lib/net/ssh/transport/packet_stream.rb +280 -0
  99. data/lib/net/ssh/transport/server_version.rb +77 -0
  100. data/lib/net/ssh/transport/session.rb +354 -0
  101. data/lib/net/ssh/transport/state.rb +208 -0
  102. data/lib/net/ssh/verifiers/accept_new.rb +33 -0
  103. data/lib/net/ssh/verifiers/accept_new_or_local_tunnel.rb +33 -0
  104. data/lib/net/ssh/verifiers/always.rb +58 -0
  105. data/lib/net/ssh/verifiers/never.rb +19 -0
  106. data/lib/net/ssh/version.rb +68 -0
  107. data/lib/net/ssh.rb +330 -0
  108. data/net-ssh-public_cert.pem +20 -0
  109. data/net-ssh.gemspec +44 -0
  110. data/support/ssh_tunnel_bug.rb +65 -0
  111. metadata +271 -0
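--- a/data/THANKS.txt
+++ b/data/THANKS.txt
@@ -0,0 +1,110 @@
+Net::SSH was originally written by Jamis Buck <jamis@37signals.com>. It
+is currently maintained by Delano Mandelbaum <delano@solutious.com>. In
+addition, the following individuals are gratefully acknowledged for their
+contributions:
+
+GOTOU Yuuzou <gotoyuzo@notwork.org>
+* help and code related to OpenSSL
+
+Guillaume Marçais <guillaume.marcais@free.fr>
+* support for communicating with the the PuTTY "pageant" process
+
+Daniel Berger <djberg96@yahoo.com>
+* help getting unit tests in earlier Net::SSH versions to pass in Windows
+* initial version of Net::SSH::Config provided inspiration and encouragement
+
+Chris Andrews <chris@nodnol.org> and Lee Jensen <lee@outerim.com>
+* support for ssh agent forwarding
+
+Hiroshi Nakamura
+* fixed errors with JRuby tests
+
+bobveznat
+therealjessesanford
+liggitt
+jarredholman
+yugui
+SFEley
+bobtfish
+carlhoerberg
+deric
+mirakui
+ecki
+Dave Sieh
+metametaclass
+fnordfish
+krishicks
+noric
+GabKlein
+Josh Kalderimis
+voxik
+Olipro
+jansegre
+priteau
+jordimassaguerpla
+Kenichi Kamiya
+Andreas Wolff
+mhuffnagle
+ohrite
+iltempo
+nagachika
+Nobuhiro IMAI
+arturaz
+dubspeed
+Andy Brody
+Marco Sandrini
+Ryosuke Yamazaki
+muffl0n
+pcn
+musybite
+Mark Imbriaco
+Joel Watson
+Woon Jung
+Edmund Haselwanter
+robbebob
+Daniel Pittman
+Markus Roberts
+Gavin Brock
+Rich Lane
+Lee Marlow
+xbaldauf
+Delano Mandelbaum
+Miklós Fazekas
+Andy Lo-A-Foe
+Jason Weathered
+Hans de Graaff
+Travis Reeder
+Akinori MUSHA
+Alex Peuchert
+Daniel Azuma
+Will Bryant
+Gerald Talton
+ckoehler
+Karl Varga
+Denis Bernard
+Steven Hazel
+Alex Holems
+Andrew Babkin
+Bob Cotton
+Yanko Ivanov
+Angel N. Sciortino
+arilerner@mac.com
+David Dollar
+Timo Gatsonides
+Matthew Todd
+Brian Candler
+Francis Sullivan
+James Rosen
+Mike Timm
+guns
+devrandom
+kachick
+Pablo Merino
+thedarkone
+czarneckid
+jbarnette
+watsonian
+Grant Hutchins
+Michael Schubert
+mtrudel
+Aurélien Derouineau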
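--- a/data/appveyor.yml
+++ b/data/appveyor.yml
@@ -0,0 +1,58 @@
+version: '{build}'
+
+skip_tags: true
+
+environment:
+matrix:
+- ruby_version: "jruby-9.1.2.0"
+- ruby_version: "26-x64"
+- ruby_version: "25-x64"
+- ruby_version: "24-x64"
+- ruby_version: "23"
+- ruby_version: "23-x64"
+
+matrix:
+allow_failures:
+- ruby_version: "jruby-9.1.2.0"
+
+#init:
+# - ps: iex ((new-object net.webclient).DownloadString('https://raw.githubusercontent.com/appveyor/ci/master/scripts/enable-rdp.ps1'))
+
+#on_finish:
+# - ps: $blockRdp = $true; iex ((new-object net.webclient).DownloadString('https://raw.githubusercontent.com/appveyor/ci/master/scripts/enable-rdp.ps1'))
+
+
+platform:
+- x86
+
+install:
+- SET PATH=C:\Ruby%ruby_version%\bin;%PATH%
+- if "%ruby_version%" == "jruby-9.1.2.0" ( cinst javaruntime -i )
+- if "%ruby_version%" == "jruby-9.1.2.0" ( cinst jruby --version 9.1.2.0 -i --allow-empty-checksums )
+- if "%ruby_version%" == "jruby-9.1.2.0" ( SET "PATH=C:\jruby-9.1.2.0\bin\;%PATH%" )
+- ruby --version
+- gem install bundler --no-document --user-install -v 1.17
+- SET BUNDLE_GEMFILE=Gemfile.noed25519
+- bundle install --retry=3
+- cinst freesshd
+- cinst putty --allow-empty-checksums
+- ps: |
+if ($env:Processor_Architecture -eq "x86")
+{
+dir 'C:\Program Files\'
+dir 'C:\Program Files\freeSSHd'
+cp 'test\win_integration\FreeSSHDService.ini' 'C:\Program Files\freeSSHd\FreeSSHDService.ini'
+& 'C:\Program Files\freeSSHd\FreeSSHDService.exe'
+} else {
+dir 'C:\Program Files (x86)\'
+dir 'C:\Program Files (x86)\freeSSHd'
+cp 'test\win_integration\FreeSSHDService32.ini' 'C:\Program Files (x86)\freeSSHd\FreeSSHDService.ini'
+& 'C:\Program Files (x86)\freeSSHd\FreeSSHDService.exe'
+}
+
+test_script:
+- SET BUNDLE_GEMFILE=Gemfile.noed25519
+- SET NET_SSH_RUN_WIN_INTEGRATION_TESTS=YES
+- bundle exec rake test
+
+build: off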
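Review bot: `cinst putty --allow-empty-checksums` and the `cinst jruby --version 9.1.2.0 -i --allow-empty-checksums` line in the install step disable Chocolatey's package checksum verification, so the binaries the integration tests run against are accepted without any integrity check; `cinst freesshd` two lines earlier is also unpinned. Prefer dropping `--allow-empty-checksums`, pinning each package to a version, and supplying a checksum where the package lacks one, or document why a checksum cannot be used for these packages. The commented-out `init`/`on_finish` lines download and `iex` a script straight from a branch URL; if they are ever re-enabled, that should be pinned to a commit rather than `master`.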
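--- a/data/lib/net/ssh/authentication/agent.rb
+++ b/data/lib/net/ssh/authentication/agent.rb
@@ -0,0 +1,284 @@
+require 'net/ssh/buffer'
+require 'net/ssh/errors'
+require 'net/ssh/loggable'
+
+require 'net/ssh/transport/server_version'
+require 'socket'
+require 'rubygems'
+
+require 'net/ssh/authentication/pageant' if Gem.win_platform? && RUBY_PLATFORM != "java"
+
+module Net
+module SSH
+module Authentication
+# Class for representing agent-specific errors.
+class AgentError < Net::SSH::Exception; end
+
+# An exception for indicating that the SSH agent is not available.
+class AgentNotAvailable < AgentError; end
+
+# This class implements a simple client for the ssh-agent protocol. It
+# does not implement any specific protocol, but instead copies the
+# behavior of the ssh-agent functions in the OpenSSH library (3.8).
+#
+# This means that although it behaves like a SSH1 client, it also has
+# some SSH2 functionality (like signing data).
+class Agent
+include Loggable
+
+# A simple module for extending keys, to allow comments to be specified
+# for them.
+module Comment
+attr_accessor :comment
+end
+
+SSH2_AGENT_REQUEST_VERSION = 1
+SSH2_AGENT_REQUEST_IDENTITIES = 11
+SSH2_AGENT_IDENTITIES_ANSWER = 12
+SSH2_AGENT_SIGN_REQUEST = 13
+SSH2_AGENT_SIGN_RESPONSE = 14
+SSH2_AGENT_ADD_IDENTITY = 17
+SSH2_AGENT_REMOVE_IDENTITY = 18
+SSH2_AGENT_REMOVE_ALL_IDENTITIES = 19
+SSH2_AGENT_LOCK = 22
+SSH2_AGENT_UNLOCK = 23
+SSH2_AGENT_ADD_ID_CONSTRAINED = 25
+SSH2_AGENT_FAILURE = 30
+SSH2_AGENT_VERSION_RESPONSE = 103
+
+SSH_COM_AGENT2_FAILURE = 102
+
+SSH_AGENT_REQUEST_RSA_IDENTITIES = 1
+SSH_AGENT_RSA_IDENTITIES_ANSWER1 = 2
+SSH_AGENT_RSA_IDENTITIES_ANSWER2 = 5
+SSH_AGENT_FAILURE = 5
+SSH_AGENT_SUCCESS = 6
+
+SSH_AGENT_CONSTRAIN_LIFETIME = 1
+SSH_AGENT_CONSTRAIN_CONFIRM = 2
+
+SSH_AGENT_RSA_SHA2_256 = 0x02
+SSH_AGENT_RSA_SHA2_512 = 0x04
+
+# The underlying socket being used to communicate with the SSH agent.
+attr_reader :socket
+
+# Instantiates a new agent object, connects to a running SSH agent,
+# negotiates the agent protocol version, and returns the agent object.
+def self.connect(logger=nil, agent_socket_factory = nil, identity_agent = nil)
+agent = new(logger)
+agent.connect!(agent_socket_factory, identity_agent)
+agent.negotiate!
+agent
+end
+
+# Creates a new Agent object, using the optional logger instance to
+# report status.
+def initialize(logger=nil)
+self.logger = logger
+end
+
+# Connect to the agent process using the socket factory and socket name
+# given by the attribute writers. If the agent on the other end of the
+# socket reports that it is an SSH2-compatible agent, this will fail
+# (it only supports the ssh-agent distributed by OpenSSH).
+def connect!(agent_socket_factory = nil, identity_agent = nil)
+debug { "connecting to ssh-agent" }
+@socket =
+if agent_socket_factory
+agent_socket_factory.call
+elsif identity_agent
+unix_socket_class.open(identity_agent)
+elsif ENV['SSH_AUTH_SOCK'] && unix_socket_class
+unix_socket_class.open(ENV['SSH_AUTH_SOCK'])
+elsif Gem.win_platform? && RUBY_ENGINE != "jruby"
+Pageant::Socket.open
+else
+raise AgentNotAvailable, "Agent not configured"
+end
+rescue StandardError => e
+error { "could not connect to ssh-agent: #{e.message}" }
+raise AgentNotAvailable, $!.message
+end
+
+# Attempts to negotiate the SSH agent protocol version. Raises an error
+# if the version could not be negotiated successfully.
+def negotiate!
+# determine what type of agent we're communicating with
+type, body = send_and_wait(SSH2_AGENT_REQUEST_VERSION, :string, Transport::ServerVersion::PROTO_VERSION)
+
+raise AgentNotAvailable, "SSH2 agents are not yet supported" if type == SSH2_AGENT_VERSION_RESPONSE
+
+if type == SSH2_AGENT_FAILURE
+debug { "Unexpected response type==#{type}, this will be ignored" }
+elsif type != SSH_AGENT_RSA_IDENTITIES_ANSWER1 && type != SSH_AGENT_RSA_IDENTITIES_ANSWER2
+raise AgentNotAvailable, "unknown response from agent: #{type}, #{body.to_s.inspect}"
+end
+end
+
+# Return an array of all identities (public keys) known to the agent.
+# Each key returned is augmented with a +comment+ property which is set
+# to the comment returned by the agent for that key.
+def identities
+type, body = send_and_wait(SSH2_AGENT_REQUEST_IDENTITIES)
+raise AgentError, "could not get identity count" if agent_failed(type)
+raise AgentError, "bad authentication reply: #{type}" if type != SSH2_AGENT_IDENTITIES_ANSWER
+
+identities = []
+body.read_long.times do
+key_str = body.read_string
+comment_str = body.read_string
+begin
+key = Buffer.new(key_str).read_key
+if key.nil?
+error { "ignoring invalid key: #{comment_str}" }
+next
+end
+key.extend(Comment)
+key.comment = comment_str
+identities.push key
+rescue NotImplementedError => e
+error { "ignoring unimplemented key:#{e.message} #{comment_str}" }
+end
+end
+
+return identities
+end
+
+# Closes this socket. This agent reference is no longer able to
+# query the agent.
+def close
+@socket.close
+end
+
+# Using the agent and the given public key, sign the given data. The
+# signature is returned in SSH2 format.
+def sign(key, data, flags = 0)
+type, reply = send_and_wait(SSH2_AGENT_SIGN_REQUEST, :string, Buffer.from(:key, key), :string, data, :long, flags)
+
+raise AgentError, "agent could not sign data with requested identity" if agent_failed(type)
+raise AgentError, "bad authentication response #{type}" if type != SSH2_AGENT_SIGN_RESPONSE
+
+return reply.read_string
+end
+
+# Adds the private key with comment to the agent.
+# If lifetime is given, the key will automatically be removed after lifetime
+# seconds.
+# If confirm is true, confirmation will be required for each agent signing
+# operation.
+def add_identity(priv_key, comment, lifetime: nil, confirm: false)
+constraints = Buffer.new
+if lifetime
+constraints.write_byte(SSH_AGENT_CONSTRAIN_LIFETIME)
+constraints.write_long(lifetime)
+end
+constraints.write_byte(SSH_AGENT_CONSTRAIN_CONFIRM) if confirm
+
+req_type = constraints.empty? ? SSH2_AGENT_ADD_IDENTITY : SSH2_AGENT_ADD_ID_CONSTRAINED
+type, = send_and_wait(req_type, :string, priv_key.ssh_type, :raw, blob_for_add(priv_key),
+:string, comment, :raw, constraints)
+raise AgentError, "could not add identity to agent" if type != SSH_AGENT_SUCCESS
+end
+
+# Removes key from the agent.
+def remove_identity(key)
+type, = send_and_wait(SSH2_AGENT_REMOVE_IDENTITY, :string, key.to_blob)
+raise AgentError, "could not remove identity from agent" if type != SSH_AGENT_SUCCESS
+end
+
+# Removes all identities from the agent.
+def remove_all_identities
+type, = send_and_wait(SSH2_AGENT_REMOVE_ALL_IDENTITIES)
+raise AgentError, "could not remove all identity from agent" if type != SSH_AGENT_SUCCESS
+end
+
+# lock the ssh agent with password
+def lock(password)
+type, = send_and_wait(SSH2_AGENT_LOCK, :string, password)
+raise AgentError, "could not lock agent" if type != SSH_AGENT_SUCCESS
+end
+
+# unlock the ssh agent with password
+def unlock(password)
+type, = send_and_wait(SSH2_AGENT_UNLOCK, :string, password)
+raise AgentError, "could not unlock agent" if type != SSH_AGENT_SUCCESS
+end
+
+private
+
+def unix_socket_class
+defined?(UNIXSocket) && UNIXSocket
+end
+
+# Send a new packet of the given type, with the associated data.
+def send_packet(type, *args)
+buffer = Buffer.from(*args)
+data = [buffer.length + 1, type.to_i, buffer.to_s].pack("NCA*")
+debug { "sending agent request #{type} len #{buffer.length}" }
+@socket.send data, 0
+end
+
+# Read the next packet from the agent. This will return a two-part
+# tuple consisting of the packet type, and the packet's body (which
+# is returned as a Net::SSH::Buffer).
+def read_packet
+buffer = Net::SSH::Buffer.new(@socket.read(4))
+buffer.append(@socket.read(buffer.read_long))
+type = buffer.read_byte
+debug { "received agent packet #{type} len #{buffer.length - 4}" }
+return type, buffer
+end
+
+# Send the given packet and return the subsequent reply from the agent.
+# (See #send_packet and #read_packet).
+def send_and_wait(type, *args)
+send_packet(type, *args)
+read_packet
+end
+
+# Returns +true+ if the parameter indicates a "failure" response from
+# the agent, and +false+ otherwise.
+def agent_failed(type)
+type == SSH_AGENT_FAILURE ||
+type == SSH2_AGENT_FAILURE ||
+type == SSH_COM_AGENT2_FAILURE
+end
+
+def blob_for_add(priv_key)
+# Ideally we'd have something like `to_private_blob` on the various key types, but the
+# nuances with encoding (e.g. `n` and `e` are reversed for RSA keys) make this impractical.
+case priv_key.ssh_type
+when /^ssh-dss$/
+Net::SSH::Buffer.from(:bignum, priv_key.p, :bignum, priv_key.q, :bignum, priv_key.g,
+:bignum, priv_key.pub_key, :bignum, priv_key.priv_key).to_s
+when /^ssh-dss-cert-v01@openssh\.com$/
+Net::SSH::Buffer.from(:string, priv_key.to_blob, :bignum, priv_key.key.priv_key).to_s
+when /^ecdsa\-sha2\-(\w*)$/
+curve_name = OpenSSL::PKey::EC::CurveNameAliasInv[priv_key.group.curve_name]
+Net::SSH::Buffer.from(:string, curve_name, :mstring, priv_key.public_key.to_bn.to_s(2),
+:bignum, priv_key.private_key).to_s
+when /^ecdsa\-sha2\-(\w*)-cert-v01@openssh\.com$/
+Net::SSH::Buffer.from(:string, priv_key.to_blob, :bignum, priv_key.key.private_key).to_s
+when /^ssh-ed25519$/
+Net::SSH::Buffer.from(:string, priv_key.public_key.verify_key.to_bytes,
+:string, priv_key.sign_key.keypair).to_s
+when /^ssh-ed25519-cert-v01@openssh\.com$/
+# Unlike the other certificate types, the public key is included after the certifiate.
+Net::SSH::Buffer.from(:string, priv_key.to_blob,
+:string, priv_key.key.public_key.verify_key.to_bytes,
+:string, priv_key.key.sign_key.keypair).to_s
+when /^ssh-rsa$/
+# `n` and `e` are reversed compared to the ordering in `OpenSSL::PKey::RSA#to_blob`.
+Net::SSH::Buffer.from(:bignum, priv_key.n, :bignum, priv_key.e, :bignum, priv_key.d,
+:bignum, priv_key.iqmp, :bignum, priv_key.p, :bignum, priv_key.q).to_s
+when /^ssh-rsa-cert-v01@openssh\.com$/
+Net::SSH::Buffer.from(:string, priv_key.to_blob, :bignum, priv_key.key.d,
+:bignum, priv_key.key.iqmp, :bignum, priv_key.key.p,
+:bignum, priv_key.key.q).to_s
+end
+end
+end
+end
+end
+end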
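Review bot: `read_packet` trusts the agent's 4-byte length prefix without any bound and never checks that `@socket.read(4)` actually returned a header, so a peer on `SSH_AUTH_SOCK` (which on a shared host or under agent forwarding is not necessarily the user's own agent) can make the client allocate an arbitrarily large reply or fail with an opaque `NoMethodError` on EOF instead of an `AgentError`. OpenSSH bounds agent messages at 256 KiB; a similar class constant here (the name below is a placeholder to be defined alongside the other `SSH*` constants) and an explicit EOF check turn both cases into a clear `AgentError` that callers already rescue. The `connect!` rescue could likewise use `e.message` rather than `$!.message`, since `e` is already bound.
```ruby
def read_packet
  header = @socket.read(4)
  raise AgentError, "agent closed the connection" if header.nil? || header.bytesize < 4
  buffer = Net::SSH::Buffer.new(header)
  length = buffer.read_long
  raise AgentError, "agent reply too large: #{length}" if length > MAX_AGENT_REPLY_LENGTH
  buffer.append(@socket.read(length))
  type = buffer.read_byte
  # … unchanged: debug log and return …
end
```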
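--- a/data/lib/net/ssh/authentication/certificate.rb
+++ b/data/lib/net/ssh/authentication/certificate.rb
@@ -0,0 +1,183 @@
+require 'securerandom'
+
+module Net
+module SSH
+module Authentication
+# Class for representing an SSH certificate.
+#
+# http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.bin/ssh/PROTOCOL.certkeys?rev=1.10&content-type=text/plain
+class Certificate
+attr_accessor :nonce
+attr_accessor :key
+attr_accessor :serial
+attr_accessor :type
+attr_accessor :key_id
+attr_accessor :valid_principals
+attr_accessor :valid_after
+attr_accessor :valid_before
+attr_accessor :critical_options
+attr_accessor :extensions
+attr_accessor :reserved
+attr_accessor :signature_key
+attr_accessor :signature
+
+# Read a certificate blob associated with a key of the given type.
+def self.read_certblob(buffer, type)
+cert = Certificate.new
+cert.nonce = buffer.read_string
+cert.key = buffer.read_keyblob(type)
+cert.serial = buffer.read_int64
+cert.type = type_symbol(buffer.read_long)
+cert.key_id = buffer.read_string
+cert.valid_principals = buffer.read_buffer.read_all(&:read_string)
+cert.valid_after = Time.at(buffer.read_int64)
+
+cert.valid_before = if RUBY_PLATFORM == "java"
+# 0x20c49ba5e353f7 = 0x7fffffffffffffff/1000, the largest value possible for JRuby
+# JRuby Time.at multiplies the arg by 1000, and then stores it in a signed long.
+# 0x20c49ba2d52500 = 292278993-01-01 00:00:00 +0000
+# JRuby 9.1 does not accept the year 292278994 because of edge cases (https://github.com/JodaOrg/joda-time/issues/190)
+Time.at([0x20c49ba2d52500, buffer.read_int64].min)
+else
+Time.at(buffer.read_int64)
+end
+
+cert.critical_options = read_options(buffer)
+cert.extensions = read_options(buffer)
+cert.reserved = buffer.read_string
+cert.signature_key = buffer.read_buffer.read_key
+cert.signature = buffer.read_string
+cert
+end
+
+def ssh_type
+key.ssh_type + "-cert-v01@openssh.com"
+end
+
+def ssh_signature_type
+key.ssh_type
+end
+
+# Serializes the certificate (and key).
+def to_blob
+Buffer.from(
+:raw, to_blob_without_signature,
+:string, signature
+).to_s
+end
+
+def ssh_do_sign(data)
+key.ssh_do_sign(data)
+end
+
+def ssh_do_verify(sig, data, options = {})
+key.ssh_do_verify(sig, data, options)
+end
+
+def to_pem
+key.to_pem
+end
+
+def fingerprint
+key.fingerprint
+end
+
+# Signs the certificate with key.
+def sign!(key, sign_nonce=nil)
+# ssh-keygen uses 32 bytes of nonce.
+self.nonce = sign_nonce || SecureRandom.random_bytes(32)
+self.signature_key = key
+self.signature = Net::SSH::Buffer.from(
+:string, key.ssh_signature_type,
+:mstring, key.ssh_do_sign(to_blob_without_signature)
+).to_s
+self
+end
+
+def sign(key, sign_nonce=nil)
+cert = clone
+cert.sign!(key, sign_nonce)
+end
+
+# Checks whether the certificate's signature was signed by signature key.
+def signature_valid?
+buffer = Buffer.new(signature)
+buffer.read_string # skip signature format
+signature_key.ssh_do_verify(buffer.read_string, to_blob_without_signature)
+end
+
+def self.read_options(buffer)
+names = []
+options = buffer.read_buffer.read_all do |b|
+name = b.read_string
+names << name
+data = b.read_string
+data = Buffer.new(data).read_string unless data.empty?
+[name, data]
+end
+
+raise ArgumentError, "option/extension names must be in sorted order" if names.sort != names
+
+Hash[options]
+end
+private_class_method :read_options
+
+def self.type_symbol(type)
+types = { 1 => :user, 2 => :host }
+raise ArgumentError("unsupported type: #{type}") unless types.include?(type)
+
+types.fetch(type)
+end
+private_class_method :type_symbol
+
+private
+
+def type_value(type)
+types = { user: 1, host: 2 }
+raise ArgumentError("unsupported type: #{type}") unless types.include?(type)
+
+types.fetch(type)
+end
+
+def ssh_time(t)
+# Times in certificates are represented as a uint64.
+[[t.to_i, 0].max, 2 << 64 - 1].min
+end
+
+def to_blob_without_signature
+Buffer.from(
+:string, ssh_type,
+:string, nonce,
+:raw, key_without_type,
+:int64, serial,
+:long, type_value(type),
+:string, key_id,
+:string, valid_principals.inject(Buffer.new) { |acc, elem| acc.write_string(elem) }.to_s,
+:int64, ssh_time(valid_after),
+:int64, ssh_time(valid_before),
+:string, options_to_blob(critical_options),
+:string, options_to_blob(extensions),
+:string, reserved,
+:string, signature_key.to_blob
+).to_s
+end
+
+def key_without_type
+# key.to_blob gives us e.g. "ssh-rsa,<key>" but we just want "<key>".
+tmp = Buffer.new(key.to_blob)
+tmp.read_string # skip the underlying key type
+tmp.read
+end
+
+def options_to_blob(options)
+options.keys.sort.inject(Buffer.new) do |b, name|
+b.write_string(name)
+data = options.fetch(name)
+data = Buffer.from(:string, data).to_s unless data.empty?
+b.write_string(data)
+end.to_s
+end
+end
+end
+end
+end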
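Review bot: `raise ArgumentError("unsupported type: #{type}")` in `type_symbol` (and the identical line in `type_value`) calls a non-existent method named `ArgumentError`, so a certificate blob carrying an unknown type value fails with `NoMethodError` rather than the intended `ArgumentError` that parsers of untrusted certificates would rescue; both lines should read `raise ArgumentError, "unsupported type: #{type}" unless types.include?(type)`. In `ssh_time`, `2 << 64 - 1` parses as `2 << 63`, i.e. 2**64, which is one above the uint64 maximum the comment describes; the intended clamp is `[[t.to_i, 0].max, (1 << 64) - 1].min`. `signature_valid?` also discards the signature-format string it reads, so the algorithm the signer declared is never compared against `signature_key`'s type before verification; whether that matters depends on how each key's `ssh_do_verify` treats the default hash, which is outside this hunk.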
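--- a/data/lib/net/ssh/authentication/constants.rb
+++ b/data/lib/net/ssh/authentication/constants.rb
@@ -0,0 +1,20 @@
+module Net
+module SSH
+module Authentication
+# Describes the constants used by the Net::SSH::Authentication components
+# of the Net::SSH library. Individual authentication method implemenations
+# may define yet more constants that are specific to their implementation.
+module Constants
+USERAUTH_REQUEST = 50
+USERAUTH_FAILURE = 51
+USERAUTH_SUCCESS = 52
+USERAUTH_BANNER = 53
+
+USERAUTH_PASSWD_CHANGEREQ = 60
+USERAUTH_PK_OK = 60
+
+USERAUTH_METHOD_RANGE = 60..79
+end
+end
+end
+end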
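Review bot: `USERAUTH_PASSWD_CHANGEREQ = 60` and `USERAUTH_PK_OK = 60` share a value with no explanation, which reads like a copy-paste mistake to anyone who does not know that message numbers 60–79 are reused per authentication method and only meaningful in the context of the method currently in progress. A comment above the pair, such as `# Message numbers 60..79 are method-specific (see USERAUTH_METHOD_RANGE); their meaning depends on which authentication method is in flight, so different methods may legitimately reuse the same number.`, would prevent a future "fix" that renumbers one of them. The module comment also misspells "implementations".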