net-ssh-backports 6.3.0.backports

data/lib/net/ssh/authentication/pageant.rb

@@ -0,0 +1,497 @@
+if RUBY_VERSION < "1.9"
+  require 'dl/import'
+  require 'dl/struct'
+elsif RUBY_VERSION < "2.1"
+  require 'dl/import'
+  require 'dl/types'
+  require 'dl'
+else
+  require 'fiddle'
+  require 'fiddle/types'
+  require 'fiddle/import'
+
+  # For now map DL to Fiddler versus updating all the code below
+  module DL
+    CPtr ||= Fiddle::Pointer
+    if RUBY_PLATFORM != "java"
+      RUBY_FREE ||= Fiddle::RUBY_FREE
+    end
+  end
+end
+
+require 'net/ssh/errors'
+
+module Net
+  module SSH
+    module Authentication
+      # This module encapsulates the implementation of a socket factory that
+      # uses the PuTTY "pageant" utility to obtain information about SSH
+      # identities.
+      #
+      # This code is a slightly modified version of the original implementation
+      # by Guillaume Marçais (guillaume.marcais@free.fr). It is used and
+      # relicensed by permission.
+      module Pageant
+        # From Putty pageant.c
+        AGENT_MAX_MSGLEN = 8192
+        AGENT_COPYDATA_ID = 0x804e50ba
+
+        # The definition of the Windows methods and data structures used in
+        # communicating with the pageant process.
+        module Win # rubocop:disable Metrics/ModuleLength
+          # Compatibility on initialization
+          if RUBY_VERSION < "1.9"
+            extend DL::Importable
+
+            dlload 'user32.dll'
+            dlload 'kernel32.dll'
+            dlload 'advapi32.dll'
+
+            SIZEOF_DWORD = DL.sizeof('L')
+          elsif RUBY_VERSION < "2.1"
+            extend DL::Importer
+            dlload 'user32.dll','kernel32.dll', 'advapi32.dll'
+            include DL::Win32Types
+
+            SIZEOF_DWORD = DL::SIZEOF_LONG
+          else
+            extend Fiddle::Importer
+            dlload 'user32.dll','kernel32.dll', 'advapi32.dll'
+            include Fiddle::Win32Types
+            SIZEOF_DWORD = Fiddle::SIZEOF_LONG
+          end
+
+          if RUBY_ENGINE == "jruby"
+            typealias("HANDLE", "void *") # From winnt.h
+            typealias("PHANDLE", "void *") # From winnt.h
+            typealias("ULONG_PTR", "unsigned long*")
+          end
+          typealias("LPCTSTR", "char *")         # From winnt.h
+          typealias("LPVOID", "void *")          # From winnt.h
+          typealias("LPCVOID", "const void *")   # From windef.h
+          typealias("LRESULT", "long")           # From windef.h
+          typealias("WPARAM", "unsigned int *")  # From windef.h
+          typealias("LPARAM", "long *")          # From windef.h
+          typealias("PDWORD_PTR", "long *")      # From basetsd.h
+          typealias("USHORT", "unsigned short")  # From windef.h
+
+          # From winbase.h, winnt.h
+          INVALID_HANDLE_VALUE = -1
+          NULL = nil
+          PAGE_READWRITE = 0x0004
+          FILE_MAP_WRITE = 2
+          WM_COPYDATA = 74
+
+          SMTO_NORMAL = 0 # From winuser.h
+
+          SUFFIX = if RUBY_ENGINE == "jruby"
+                     "A"
+                   else
+                     ""
+                   end
+
+          # args: lpClassName, lpWindowName
+          extern "HWND FindWindow#{SUFFIX}(LPCTSTR, LPCTSTR)"
+
+          # args: none
+          extern 'DWORD GetCurrentThreadId()'
+
+          # args: hFile, (ignored), flProtect, dwMaximumSizeHigh,
+          #           dwMaximumSizeLow, lpName
+          extern "HANDLE CreateFileMapping#{SUFFIX}(HANDLE, void *, DWORD, " +
+            "DWORD, DWORD, LPCTSTR)"
+
+          # args: hFileMappingObject, dwDesiredAccess, dwFileOffsetHigh,
+          #           dwfileOffsetLow, dwNumberOfBytesToMap
+          extern 'LPVOID MapViewOfFile(HANDLE, DWORD, DWORD, DWORD, DWORD)'
+
+          # args: lpBaseAddress
+          extern 'BOOL UnmapViewOfFile(LPCVOID)'
+
+          # args: hObject
+          extern 'BOOL CloseHandle(HANDLE)'
+
+          # args: hWnd, Msg, wParam, lParam, fuFlags, uTimeout, lpdwResult
+          extern "LRESULT SendMessageTimeout#{SUFFIX}(HWND, UINT, WPARAM, LPARAM, " +
+            "UINT, UINT, PDWORD_PTR)"
+
+          # args: none
+          extern 'DWORD GetLastError()'
+
+          # args: none
+          extern 'HANDLE GetCurrentProcess()'
+
+          # args: hProcessHandle, dwDesiredAccess, (out) phNewTokenHandle
+          extern 'BOOL OpenProcessToken(HANDLE, DWORD, PHANDLE)'
+
+          # args: hTokenHandle, uTokenInformationClass,
+          #           (out) lpTokenInformation, dwTokenInformationLength
+          #           (out) pdwInfoReturnLength
+          extern 'BOOL GetTokenInformation(HANDLE, UINT, LPVOID, DWORD, ' +
+            'PDWORD)'
+
+          # args: (out) lpSecurityDescriptor, dwRevisionLevel
+          extern 'BOOL InitializeSecurityDescriptor(LPVOID, DWORD)'
+
+          # args: (out) lpSecurityDescriptor, lpOwnerSid, bOwnerDefaulted
+          extern 'BOOL SetSecurityDescriptorOwner(LPVOID, LPVOID, BOOL)'
+
+          # args: pSecurityDescriptor
+          extern 'BOOL IsValidSecurityDescriptor(LPVOID)'
+
+          # Constants needed for security attribute retrieval.
+          # Specifies the access mask corresponding to the desired access
+          # rights.
+          TOKEN_QUERY = 0x8
+
+          # The value of TOKEN_USER from the TOKEN_INFORMATION_CLASS enum.
+          TOKEN_USER_INFORMATION_CLASS = 1
+
+          # The initial revision level assigned to the security descriptor.
+          REVISION = 1
+
+          # Structs for security attribute functions.
+          # Holds the retrieved user access token.
+          TOKEN_USER = struct ['void * SID', 'DWORD ATTRIBUTES']
+
+          # Contains the security descriptor, this gets passed to the
+          # function that constructs the shared memory map.
+          SECURITY_ATTRIBUTES = struct ['DWORD nLength',
+                                        'LPVOID lpSecurityDescriptor',
+                                        'BOOL bInheritHandle']
+
+          # The security descriptor holds security information.
+          SECURITY_DESCRIPTOR = struct ['UCHAR Revision', 'UCHAR Sbz1',
+                                        'USHORT Control', 'LPVOID Owner',
+                                        'LPVOID Group', 'LPVOID Sacl',
+                                        'LPVOID Dacl']
+
+          # The COPYDATASTRUCT is used to send WM_COPYDATA messages
+          COPYDATASTRUCT = if RUBY_ENGINE == "jruby"
+                             struct ['ULONG_PTR dwData', 'DWORD cbData', 'LPVOID lpData']
+                           else
+                             struct ['uintptr_t dwData', 'DWORD cbData', 'LPVOID lpData']
+                           end
+
+          # Compatibility for security attribute retrieval.
+          if RUBY_VERSION < "1.9"
+            # Alias functions to > 1.9 capitalization
+            %w[findWindow
+               getCurrentProcess
+               initializeSecurityDescriptor
+               setSecurityDescriptorOwner
+               isValidSecurityDescriptor
+               openProcessToken
+               getTokenInformation
+               getLastError
+               getCurrentThreadId
+               createFileMapping
+               mapViewOfFile
+               sendMessageTimeout
+               unmapViewOfFile
+               closeHandle].each do |name|
+              new_name = name[0].chr.upcase + name[1..name.length]
+              alias_method new_name, name
+              module_function new_name
+            end
+
+            def self.malloc_ptr(size)
+              return DL.malloc(size)
+            end
+
+            def self.get_ptr(data)
+              return data.to_ptr
+            end
+
+            def self.set_ptr_data(ptr, data)
+              ptr[0] = data
+            end
+          elsif RUBY_ENGINE == "jruby"
+            %w[FindWindow CreateFileMapping SendMessageTimeout].each do |name|
+              alias_method name, name + "A"
+              module_function name
+            end
+            # :nodoc:
+            module LibC
+              extend FFI::Library
+              ffi_lib FFI::Library::LIBC
+              attach_function :malloc, [:size_t], :pointer
+              attach_function :free, [:pointer], :void
+            end
+
+            def self.malloc_ptr(size)
+              Fiddle::Pointer.new(LibC.malloc(size), size, LibC.method(:free))
+            end
+
+            def self.get_ptr(ptr)
+              return data.address
+            end
+
+            def self.set_ptr_data(ptr, data)
+              ptr.write_string_length(data, data.size)
+            end
+          else
+            def self.malloc_ptr(size)
+              return DL::CPtr.malloc(size, DL::RUBY_FREE)
+            end
+
+            def self.get_ptr(data)
+              return DL::CPtr.to_ptr data
+            end
+
+            def self.set_ptr_data(ptr, data)
+              DL::CPtr.new(ptr)[0,data.size] = data
+            end
+          end
+
+          def self.get_security_attributes_for_user
+            user = get_current_user
+
+            psd_information = malloc_ptr(Win::SECURITY_DESCRIPTOR.size)
+            raise_error_if_zero(
+              Win.InitializeSecurityDescriptor(psd_information,
+                                               Win::REVISION)
+            )
+            raise_error_if_zero(
+              Win.SetSecurityDescriptorOwner(psd_information, get_sid_ptr(user),
+                                             0)
+            )
+            raise_error_if_zero(
+              Win.IsValidSecurityDescriptor(psd_information)
+            )
+
+            sa = Win::SECURITY_ATTRIBUTES.new(to_struct_ptr(malloc_ptr(Win::SECURITY_ATTRIBUTES.size)))
+            sa.nLength = Win::SECURITY_ATTRIBUTES.size
+            sa.lpSecurityDescriptor = psd_information.to_i
+            sa.bInheritHandle = 1
+
+            return sa
+          end
+
+          if RUBY_ENGINE == "jruby"
+            def self.ptr_to_s(ptr, size)
+              ret = ptr.to_s(size)
+              ret << "\x00" while ret.size < size
+              ret
+            end
+
+            def self.ptr_to_handle(phandle)
+              phandle.ptr
+            end
+
+            def self.ptr_to_dword(ptr)
+              first = ptr.ptr.to_i
+              second = ptr_to_s(ptr,Win::SIZEOF_DWORD).unpack('L')[0]
+              raise "Error" unless first == second
+
+              first
+            end
+
+            def self.to_token_user(ptoken_information)
+              TOKEN_USER.new(ptoken_information.to_ptr)
+            end
+
+            def self.to_struct_ptr(ptr)
+              ptr.to_ptr
+            end
+
+            def self.get_sid(user)
+              ptr_to_s(user.to_ptr.ptr,Win::SIZEOF_DWORD).unpack('L')[0]
+            end
+
+            def self.get_sid_ptr(user)
+              user.to_ptr.ptr
+            end
+          else
+            def self.get_sid(user)
+              user.SID
+            end
+
+            def self.ptr_to_handle(phandle)
+              phandle.ptr.to_i
+            end
+
+            def self.to_struct_ptr(ptr)
+              ptr
+            end
+
+            def self.ptr_to_dword(ptr)
+              ptr.to_s(Win::SIZEOF_DWORD).unpack('L')[0]
+            end
+
+            def self.to_token_user(ptoken_information)
+              TOKEN_USER.new(ptoken_information)
+            end
+
+            def self.get_sid_ptr(user)
+              user.SID
+            end
+          end
+
+          def self.get_current_user
+            token_handle = open_process_token(Win.GetCurrentProcess,
+                                              Win::TOKEN_QUERY)
+            token_user = get_token_information(token_handle,
+                            Win::TOKEN_USER_INFORMATION_CLASS)
+            return token_user
+          end
+
+          def self.open_process_token(process_handle, desired_access)
+            ptoken_handle = malloc_ptr(Win::SIZEOF_DWORD)
+
+            raise_error_if_zero(
+              Win.OpenProcessToken(process_handle, desired_access,
+                                   ptoken_handle)
+            )
+            token_handle = ptr_to_handle(ptoken_handle)
+            return token_handle
+          end
+
+          def self.get_token_information(token_handle,
+                                         token_information_class)
+            # Hold the size of the information to be returned
+            preturn_length = malloc_ptr(Win::SIZEOF_DWORD)
+
+            # Going to throw an INSUFFICIENT_BUFFER_ERROR, but that is ok
+            # here. This is retrieving the size of the information to be
+            # returned.
+            Win.GetTokenInformation(token_handle,
+                                    token_information_class,
+                                    Win::NULL, 0, preturn_length)
+            ptoken_information = malloc_ptr(ptr_to_dword(preturn_length))
+
+            # This call is going to write the requested information to
+            # the memory location referenced by token_information.
+            raise_error_if_zero(
+              Win.GetTokenInformation(token_handle,
+                                      token_information_class,
+                                      ptoken_information,
+                                      ptoken_information.size,
+                                      preturn_length)
+            )
+
+            return to_token_user(ptoken_information)
+          end
+
+          def self.raise_error_if_zero(result)
+            if result == 0
+              raise "Windows error: #{Win.GetLastError}"
+            end
+          end
+
+          # Get a null-terminated string given a string.
+          def self.get_cstr(str)
+            return str + "\000"
+          end
+        end
+
+        # This is the pseudo-socket implementation that mimics the interface of
+        # a socket, translating each request into a Windows messaging call to
+        # the pageant daemon. This allows pageant support to be implemented
+        # simply by replacing the socket factory used by the Agent class.
+        class Socket
+          private_class_method :new
+
+          # The factory method for creating a new Socket instance.
+          def self.open
+            new
+          end
+
+          # Create a new instance that communicates with the running pageant
+          # instance. If no such instance is running, this will cause an error.
+          def initialize
+            @win = Win.FindWindow("Pageant", "Pageant")
+
+            if @win.to_i == 0
+              raise Net::SSH::Exception,
+                "pageant process not running"
+            end
+
+            @input_buffer = Net::SSH::Buffer.new
+            @output_buffer = Net::SSH::Buffer.new
+          end
+
+          # Forwards the data to #send_query, ignoring any arguments after
+          # the first.
+          def send(data, *args)
+            @input_buffer.append(data)
+
+            ret = data.length
+
+            while true
+              return ret if @input_buffer.length < 4
+
+              msg_length = @input_buffer.read_long + 4
+              @input_buffer.reset!
+
+              return ret if @input_buffer.length < msg_length
+
+              msg = @input_buffer.read!(msg_length)
+              @output_buffer.append(send_query(msg))
+            end
+          end
+
+          # Reads +n+ bytes from the cached result of the last query. If +n+
+          # is +nil+, returns all remaining data from the last query.
+          def read(n = nil)
+            @output_buffer.read(n)
+          end
+
+          def close; end
+
+          # Packages the given query string and sends it to the pageant
+          # process via the Windows messaging subsystem. The result is
+          # cached, to be returned piece-wise when #read is called.
+          def send_query(query)
+            res = nil
+            filemap = 0
+            ptr = nil
+            id = Win.malloc_ptr(Win::SIZEOF_DWORD)
+
+            mapname = "PageantRequest%08x" % Win.GetCurrentThreadId()
+            security_attributes = Win.get_ptr Win.get_security_attributes_for_user
+
+            filemap = Win.CreateFileMapping(Win::INVALID_HANDLE_VALUE,
+                                            security_attributes,
+                                            Win::PAGE_READWRITE, 0,
+                                            AGENT_MAX_MSGLEN, mapname)
+
+            if filemap == 0 || filemap == Win::INVALID_HANDLE_VALUE
+              raise Net::SSH::Exception,
+                "Creation of file mapping failed with error: #{Win.GetLastError}"
+            end
+
+            ptr = Win.MapViewOfFile(filemap, Win::FILE_MAP_WRITE, 0, 0,
+                                    0)
+
+            if ptr.nil? || ptr.null?
+              raise Net::SSH::Exception, "Mapping of file failed"
+            end
+
+            Win.set_ptr_data(ptr, query)
+
+            # using struct to achieve proper alignment and field size on 64-bit platform
+            cds = Win::COPYDATASTRUCT.new(Win.malloc_ptr(Win::COPYDATASTRUCT.size))
+            cds.dwData = AGENT_COPYDATA_ID
+            cds.cbData = mapname.size + 1
+            cds.lpData = Win.get_cstr(mapname)
+            succ = Win.SendMessageTimeout(@win, Win::WM_COPYDATA, Win::NULL,
+                                          cds.to_ptr, Win::SMTO_NORMAL, 5000, id)
+
+            if succ > 0
+              retlen = 4 + ptr.to_s(4).unpack("N")[0]
+              res = ptr.to_s(retlen)
+            else
+              raise Net::SSH::Exception, "Message failed with error: #{Win.GetLastError}"
+            end
+
+            return res
+          ensure
+            Win.UnmapViewOfFile(ptr) unless ptr.nil? || ptr.null?
+            Win.CloseHandle(filemap) if filemap != 0
+          end
+        end
+      end
+    end
+  end
+end

data/lib/net/ssh/authentication/pub_key_fingerprint.rb

@@ -0,0 +1,43 @@
+require 'openssl'
+
+module Net
+  module SSH
+    module Authentication
+      # Public key fingerprinting utility module - internal not part of API.
+      # This is included in pubkey classes and called from there. All RSA, DSA, and ECC keys
+      # are supported.
+      #
+      #     require 'net/ssh'
+      #     my_pubkey_text = File.read('/path/to/id_ed25519.pub')
+      #        #=> "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDB2NBh4GJPPUN1kXPMu8b633Xcv55WoKC3OkBjFAbzJ alice@example.com"
+      #     my_pubkey = Net::SSH::KeyFactory.load_data_public_key(my_pubkey_text)
+      #        #=> #<Net::SSH::Authentication::ED25519::PubKey:0x00007fc8e91819b0
+      #     my_pubkey.fingerprint
+      #        #=> "2f:7f:97:21:76:a4:0f:38:c4:fe:d8:b4:6a:39:72:30"
+      #     my_pubkey.fingerprint('SHA256')
+      #        #=> "SHA256:u6mXnY8P1b0FODGp8mckqOB33u8+jvkSCtJbD5Q9klg"
+      module PubKeyFingerprint # :nodoc:
+        # Return the key's fingerprint.  Algorithm may be either +MD5+ (default),
+        # or +SHA256+. For +SHA256+, fingerprints are in the same format
+        # returned by OpenSSH's <tt>`ssh-add -l -E SHA256`</tt>, i.e.,
+        # trailing base64 padding '=' characters are stripped and the
+        # literal string +SHA256:+ is prepended.
+        def fingerprint(algorithm='MD5')
+          @fingerprint ||= {}
+          @fingerprint[algorithm] ||= PubKeyFingerprint.fingerprint(to_blob, algorithm)
+        end
+
+        def self.fingerprint(blob, algorithm='MD5')
+          case algorithm.to_s.upcase
+          when 'MD5'
+            OpenSSL::Digest.hexdigest(algorithm, blob).scan(/../).join(":")
+          when 'SHA256'
+            "SHA256:#{Base64.encode64(OpenSSL::Digest.digest(algorithm, blob)).chomp.gsub(/=+\z/, '')}"
+          else
+            raise OpenSSL::Digest::DigestError, "unsupported ssh key digest #{algorithm}"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/net/ssh/authentication/session.rb

@@ -0,0 +1,163 @@
+require 'net/ssh/loggable'
+require 'net/ssh/transport/constants'
+require 'net/ssh/authentication/constants'
+require 'net/ssh/authentication/key_manager'
+require 'net/ssh/authentication/methods/none'
+require 'net/ssh/authentication/methods/publickey'
+require 'net/ssh/authentication/methods/hostbased'
+require 'net/ssh/authentication/methods/password'
+require 'net/ssh/authentication/methods/keyboard_interactive'
+
+module Net
+  module SSH
+    module Authentication
+      # Raised if the current authentication method is not allowed
+      class DisallowedMethod < Net::SSH::Exception
+      end
+
+      # Represents an authentication session. It manages the authentication of
+      # a user over an established connection (the "transport" object, see
+      # Net::SSH::Transport::Session).
+      #
+      # The use of an authentication session to manage user authentication is
+      # internal to Net::SSH (specifically Net::SSH.start). Consumers of the
+      # Net::SSH library will never need to access this class directly.
+      class Session
+        include Loggable
+        include Constants
+        include Transport::Constants
+
+        # transport layer abstraction
+        attr_reader :transport
+
+        # the list of authentication methods to try
+        attr_reader :auth_methods
+
+        # the list of authentication methods that are allowed
+        attr_reader :allowed_auth_methods
+
+        # a hash of options, given at construction time
+        attr_reader :options
+
+        # Instantiates a new Authentication::Session object over the given
+        # transport layer abstraction.
+        def initialize(transport, options={})
+          self.logger = transport.logger
+          @transport = transport
+
+          @auth_methods = options[:auth_methods] || Net::SSH::Config.default_auth_methods
+          @options = options
+
+          @allowed_auth_methods = @auth_methods
+        end
+
+        # Attempts to authenticate the given user, in preparation for the next
+        # service request. Returns true if an authentication method succeeds in
+        # authenticating the user, and false otherwise.
+        def authenticate(next_service, username, password=nil)
+          debug { "beginning authentication of `#{username}'" }
+
+          transport.send_message(transport.service_request("ssh-userauth"))
+          expect_message(SERVICE_ACCEPT)
+
+          key_manager = KeyManager.new(logger, options)
+          keys.each { |key| key_manager.add(key) } unless keys.empty?
+          keycerts.each { |keycert| key_manager.add_keycert(keycert) } unless keycerts.empty?
+          key_data.each { |key2| key_manager.add_key_data(key2) } unless key_data.empty?
+          default_keys.each { |key| key_manager.add(key) } unless options.key?(:keys) || options.key?(:key_data)
+
+          attempted = []
+
+          @auth_methods.each do |name|
+            next unless @allowed_auth_methods.include?(name)
+
+            attempted << name
+
+            debug { "trying #{name}" }
+            begin
+              auth_class = Methods.const_get(name.split(/\W+/).map { |p| p.capitalize }.join)
+              method = auth_class.new(self, key_manager: key_manager, password_prompt: options[:password_prompt])
+            rescue NameError
+              debug {"Mechanism #{name} was requested, but isn't a known type.  Ignoring it."}
+              next
+            end
+
+            return true if method.authenticate(next_service, username, password)
+          rescue Net::SSH::Authentication::DisallowedMethod
+          end
+
+          error { "all authorization methods failed (tried #{attempted.join(', ')})" }
+          return false
+        ensure
+          key_manager.finish if key_manager
+        end
+
+        # Blocks until a packet is received. It silently handles USERAUTH_BANNER
+        # packets, and will raise an error if any packet is received that is not
+        # valid during user authentication.
+        def next_message
+          loop do
+            packet = transport.next_message
+
+            case packet.type
+            when USERAUTH_BANNER
+              info { packet[:message] }
+            # TODO add a hook for people to retrieve the banner when it is sent
+
+            when USERAUTH_FAILURE
+              @allowed_auth_methods = packet[:authentications].split(/,/)
+              debug { "allowed methods: #{packet[:authentications]}" }
+              return packet
+
+            when USERAUTH_METHOD_RANGE, SERVICE_ACCEPT
+              return packet
+
+            when USERAUTH_SUCCESS
+              transport.hint :authenticated
+              return packet
+
+            else
+              raise Net::SSH::Exception, "unexpected message #{packet.type} (#{packet})"
+            end
+          end
+        end
+
+        # Blocks until a packet is received, and returns it if it is of the given
+        # type. If it is not, an exception is raised.
+        def expect_message(type)
+          message = next_message
+          raise Net::SSH::Exception, "expected #{type}, got #{message.type} (#{message})" unless message.type == type
+
+          message
+        end
+
+        private
+
+        # Returns an array of paths to the key files usually defined
+        # by system default.
+        def default_keys
+          %w[~/.ssh/id_ed25519 ~/.ssh/id_rsa ~/.ssh/id_dsa ~/.ssh/id_ecdsa
+             ~/.ssh2/id_ed25519 ~/.ssh2/id_rsa ~/.ssh2/id_dsa ~/.ssh2/id_ecdsa]
+        end
+
+        # Returns an array of paths to the key files that should be used when
+        # attempting any key-based authentication mechanism.
+        def keys
+          Array(options[:keys])
+        end
+
+        # Returns an array of paths to the keycert files that should be used when
+        # attempting any key-based authentication mechanism.
+        def keycerts
+          Array(options[:keycerts])
+        end
+
+        # Returns an array of the key data that should be used when
+        # attempting any key-based authentication mechanism.
+        def key_data
+          Array(options[:key_data])
+        end
+      end
+    end
+  end
+end