net-ssh-kerberos 0.1.0

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2009 Joe Khoobyar
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,7 @@
+= net-ssh-kerberos
+
+Adds Kerberos support to Net::SSH
+
+== Copyright
+
+Copyright (c) 2009 Joe Khoobyar. See LICENSE for details.

data/Rakefile

@@ -0,0 +1,62 @@
+require 'rubygems'
+require 'rake'
+
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gem|
+    gem.name = "net-ssh-kerberos"
+    gem.summary = %Q{Add Kerberos support to Net::SSH}
+    gem.description = <<-EOTEXT
+Adds support for Microsoft Kerberos (SSPI) with the Net:SSH gem.
+EOTEXT
+    gem.email = "joe@ankhcraft.com"
+    gem.homepage = "http://github.com/joekhoobyar/net-ssh-kerberos"
+    gem.authors = ["Joe Khoobyar"]
+    gem.rubyforge_project = 'net-ssh-krb'
+    gem.add_runtime_dependency(%q<net-ssh>, [">= 2.0"])
+    gem.add_runtime_dependency(%q<rubysspi>, [">= 1.3"])
+
+    # gem is a Gem::Specification... see http://www.rubygems.org/read/chapter/20 for additional settings
+  end
+rescue LoadError
+  puts "Jeweler not available. Install it with: sudo gem install technicalpickles-jeweler -s http://gems.github.com"
+end
+
+require 'rake/testtask'
+Rake::TestTask.new(:test) do |test|
+  test.libs << 'lib' << 'test'
+  test.pattern = 'test/**/*_test.rb'
+  test.verbose = true
+end
+
+begin
+  require 'rcov/rcovtask'
+  Rcov::RcovTask.new do |test|
+    test.libs << 'test'
+    test.pattern = 'test/**/*_test.rb'
+    test.verbose = true
+  end
+rescue LoadError
+  task :rcov do
+    abort "RCov is not available. In order to run rcov, you must: sudo gem install spicycode-rcov"
+  end
+end
+
+
+task :default => :test
+
+require 'rake/rdoctask'
+Rake::RDocTask.new do |rdoc|
+  if File.exist?('VERSION.yml')
+    config = YAML.load(File.read('VERSION.yml'))
+    version = "#{config[:major]}.#{config[:minor]}.#{config[:patch]}"
+  else
+    version = ""
+  end
+
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title = "Net-ssh-kerberos #{version}"
+  rdoc.rdoc_files.include('README*')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+

data/VERSION.yml

@@ -0,0 +1,4 @@
+--- 
+:major: 0
+:minor: 1
+:patch: 0

data/lib/net/ssh/authentication/methods/gssapi_with_mic.rb

@@ -0,0 +1,109 @@
+require 'net/ssh/authentication/methods/abstract'
+require 'net/ssh/kerberos/constants'
+
+module Net
+  module SSH
+    module Authentication
+      module Methods
+
+        # Implements the Kerberos 5 SSH authentication method.
+        class GssapiWithMic < Abstract
+          include Net::SSH::Kerberos::Constants
+          
+	        # OID 1.2.840.113554.1.2.2
+          SUPPORTED_OID = #"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"
+              [ 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x1, 0x2, 0x2 ].pack("C*")
+
+          # Attempts to perform gssapi-with-mic Kerberos authentication
+          def authenticate(next_service, username, password=nil)
+            sspi = nil
+            
+            # Try to start gssapi-with-mic authentication.
+	          debug { "trying kerberos authentication" }
+	          req = userauth_request(username, next_service, "gssapi-with-mic")
+	          req.write_long 1
+	          req.write_string SUPPORTED_OID
+	          send_message req
+	          message = session.next_message
+	          case message.type
+	            when USERAUTH_GSSAPI_RESPONSE
+	              debug { "gssapi-with-mic proceeding" }
+	            when USERAUTH_FAILURE
+	              info { "gssapi-with-mic failed (USERAUTH_FAILURE)" }
+	              return false
+	            else
+	              raise Net::SSH::Exception, "unexpected server response to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
+	          end
+	          
+	          # Try to match the OID.
+	          oid = message.read_string
+	          if oid != SUPPORTED_OID
+              info { "gssapi-with-mic failed (USERAUTH_GSSAPI_RESPONSE)" }
+              return false
+	          end
+	          
+	          # Try to complete the handshake.
+	          sspi = Net::SSH::Kerberos::SSPI::GSSContext.new
+	          sspi.create username, hostname
+			      debug { "gssapi-with-mic handshaking" }
+	          until sspi.established?
+	            token = sspi.init(token)
+	            if token && token.length > 0
+					      send_message Net::SSH::Buffer.from(:byte, USERAUTH_GSSAPI_TOKEN, :string, token)
+	              unless sspi.established?
+	                message = session.next_message
+				          case message.type
+				          when USERAUTH_GSSAPI_ERROR
+			              message = session.next_message
+			              message.get_long
+			              message.get_long
+				            info { "gssapi-with-mic error (USERAUTH_GSSAPI_ERROR) (#{message.read_string})" }
+				          when USERAUTH_GSSAPI_ERRTOK
+			              message = session.next_message
+				            info { "gssapi-with-mic error (USERAUTH_GSSAPI_ERRTOK) (#{message.read_string})" }
+				          when USERAUTH_FAILURE
+				            info { "gssapi-with-mic failed (USERAUTH_FAILURE)" }
+				            return false
+				          end
+	                token = message.read_string
+	              end
+	            end
+	          end
+	          
+	          # Attempt the actual authentication.
+			      debug { "gssapi-with-mic authenticating" }
+					  mic = sspi.get_mic Net::SSH::Buffer.from(:string, session_id, :byte, USERAUTH_REQUEST, :string, username, 
+				                                             :string, next_service, :string, "gssapi-with-mic").to_s
+            if mic.nil?
+              info { "gssapi-with-mic failed (context#get_mic)" }
+              return false
+            end
+			      send_message Net::SSH::Buffer.from(:byte, USERAUTH_GSSAPI_MIC, :string, mic)
+            message = session.next_message
+	          case message.type
+	            when USERAUTH_SUCCESS
+	              info { "gssapi-with-mic success" }
+	              return true
+	            when USERAUTH_FAILURE
+	              info { "gssapi-with-mic partial failure (USERAUTH_FAILURE)" }
+	              return false
+	            else
+	              raise Net::SSH::Exception, "unexpected server response to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
+	          end
+          ensure
+			      sspi and sspi.dispose
+          end
+
+          private
+
+            # Returns the hostname as reported by the underlying socket.
+            def hostname
+              session.transport.host
+            end
+
+        end
+
+      end
+    end
+  end
+end

data/lib/net/ssh/kerberos.rb

@@ -0,0 +1,12 @@
+require 'net/ssh'
+require 'net/ssh/kerberos/constants'
+#require 'net/ssh/kerberos/kex'
+require 'net/ssh/kerberos/sspi'
+require 'net/ssh/authentication/methods/gssapi_with_mic'
+
+module Net
+  module SSH
+    module Kerberos
+    end
+  end
+end

data/lib/net/ssh/kerberos/constants.rb

@@ -0,0 +1,30 @@
+module Net; module SSH; module Kerberos
+  module Constants
+
+
+    #--
+    # GSSAPI Key exchange method specific messages
+    #++
+
+    KEXGSS_INIT                       = 30
+    KEXGSS_CONTINUE                   = 31
+    KEXGSS_COMPLETE                   = 32
+    KEXGSS_HOSTKEY                    = 33
+    KEXGSS_ERROR                      = 34
+    KEXGSS_GROUPREQ                   = 40
+    KEXGSS_GROUP                      = 41
+
+    #--
+    # GSSAPI User authentication method specific messages
+    #++
+
+    USERAUTH_GSSAPI_RESPONSE          = 60
+    USERAUTH_GSSAPI_TOKEN             = 61
+    USERAUTH_GSSAPI_EXCHANGE_COMPLETE = 63
+    USERAUTH_GSSAPI_ERROR             = 64
+    USERAUTH_GSSAPI_ERRTOK            = 65
+    USERAUTH_GSSAPI_MIC               = 66
+
+  end
+end; end; end
+

data/lib/net/ssh/kerberos/kex.rb

@@ -0,0 +1,17 @@
+require 'net/ssh/kerberos/kex/krb5_diffie_hellman_group1_sha1'
+require 'net/ssh/kerberos/kex/krb5_diffie_hellman_group_exchange_sha1'
+
+module Net; module SSH; module Kerberos
+  module Kex
+    
+    GSS_MAP = {
+      'gss-group1-sha1-toWM5Slw5Ew8Mqkay+al2g==' => KRB5DiffieHellmanGroup1SHA1,
+      'gss-gex-sha1-toWM5Slw5Ew8Mqkay+al2g==' => KRB5DiffieHellmanGroupExchangeSHA1
+    }
+
+    Net::SSH::Transport::Kex::MAP.update GSS_MAP
+    Net::SSH::Transport::ALGORITHMS[:kex] << GSS_MAP.keys
+
+  end
+end; end; end
+

data/lib/net/ssh/kerberos/kex/krb5_diffie_hellman_group1_sha1.rb

@@ -0,0 +1,9 @@
+module Net; module SSH; module Kerberos; module Kex
+    
+  class KRB5DiffieHellmanGroup1SHA1 < Net::SSH::Transport::Kex::DiffieHellmanGroup1SHA1
+    
+  end
+    
+
+end; end; end; end
+

data/lib/net/ssh/kerberos/kex/krb5_diffie_hellman_group_exchange_sha1.rb

@@ -0,0 +1,9 @@
+module Net; module SSH; module Kerberos; module Kex
+    
+  class KRB5DiffieHellmanGroupExchangeSHA1 < Net::SSH::Transport::Kex::DiffieHellmanGroupExchangeSHA1
+    
+  end
+    
+
+end; end; end; end
+

data/lib/net/ssh/kerberos/sspi.rb

@@ -0,0 +1,54 @@
+require 'net/ssh/kerberos/sspi/api'
+
+module Net; module SSH; module Kerberos
+  module SSPI
+
+    class State
+      attr_accessor :name, :realm, :valid
+      alias :valid? :valid
+    end
+
+    # Acquires credentials for SSPI (GSSAPI) authentication, and determines
+    # the credential's username and realm.
+    def sspi_acquire_credentials(state)
+      #SecPkgCredentials_Names names
+      #char *delimiter, *cp
+
+      state.valid? and return true
+
+      #sspi->from_server_token.BufferType = SECBUFFER_TOKEN | SECBUFFER_READONLY;
+
+      # Acquire credentials
+      sspi_acquire_credentials_handle
+      names = sspi_query_credentials_names
+      state.name, state.realm = *names.user_name.split('@')
+
+      #debug(("  FreeContextBuffer(%x)\n", names.sUserName));
+      #result = SSPIResult.new(API::FreeContextBuffer(names.user.to_p))
+      sspi_free_context_buffer names
+      sspi_free_credentials_handle
+
+      # Sometimes, Microsoft SSPI returns a UPN of the form "user@REALM@",
+      # (Seen under WinXP pro after ksetup to a MIT realm). Deal with that.
+      realm.chop if realm[-1] == '@'
+
+      # Initialise the request flags.
+      #sspi->request_flags = ISC_REQ_MUTUAL_AUTH | 
+      #                       ISC_REQ_INTEGRITY |
+      #                       ISC_REQ_CONFIDENTIALITY | 
+      #                       ISC_REQ_ALLOCATE_MEMORY;
+      #if (ssh->cfg.sspi_fwd_ticket)
+      #  sspi->request_flags |= ISC_REQ_DELEGATE;
+
+      if ! sspi_construct_service_name state
+        state.valid = true
+      #if (!sspi_construct_service_name(ssh, sspi)) {
+        #debug(("  FreeCredentialsHandle(%s)\n", HDL(&sspi->credentials)));
+      else
+        sspi_free_credentials_handle
+      end
+    end 
+  end
+end; end; end
+
+

data/lib/net/ssh/kerberos/sspi/api.rb

@@ -0,0 +1,282 @@
+require 'win32/sspi'
+require 'dl'
+
+module Win32; module SSPI
+
+  SECPKG_CRED_ATTR_NAMES = 1
+
+  ISC_REQ_DELEGATE                = 0x00000001
+  ISC_REQ_MUTUAL_AUTH             = 0x00000002
+  ISC_REQ_INTEGRITY               = 0x00010000
+
+  SECPKG_ATTR_AUTHORITY = 6
+  SECPKG_ATTR_CONNECTION_INFO = 90
+  SECPKG_ATTR_ISSUER_LIST = 80
+  SECPKG_ATTR_ISSUER_LIST_EX = 89
+  SECPKG_ATTR_KEY_INFO = 5
+  SECPKG_ATTR_LIFESPAN = 2
+  SECPKG_ATTR_LOCAL_CERT_CONTEXT = 84
+  SECPKG_ATTR_LOCAL_CRED = 82
+  SECPKG_ATTR_NAMES = 1
+  SECPKG_ATTR_PROTO_INFO = 7
+  SECPKG_ATTR_REMOTE_CERT_CONTEXT = 83
+  SECPKG_ATTR_REMOTE_CRED = 81
+  SECPKG_ATTR_SIZES = 0
+  SECPKG_ATTR_STREAM_SIZES = 4
+  
+  # Buffer types
+  SECBUFFER_EMPTY = 0
+  SECBUFFER_DATA = 1
+  SECBUFFER_TOKEN = 2
+  SECBUFFER_PKG_PARAMS = 3
+  SECBUFFER_MISSING = 4
+  SECBUFFER_EXTRA = 5
+  SECBUFFER_STREAM_TRAILER = 6
+  SECBUFFER_STREAM_HEADER = 7
+  SECBUFFER_PADDING = 9
+  SECBUFFER_STREAM = 10
+  SECBUFFER_MECHLIST = 11
+  SECBUFFER_MECHLIST_SIGNATURE = 12
+  SECBUFFER_TARGET = 13
+  SECBUFFER_CHANNEL_BINDINGS = 14
+  SECBUFFER_CHANGE_PASS_RESPONSE = 15
+  SECBUFFER_TARGET_HOST = 16
+  SECBUFFER_READONLY = 0x80000000
+  SECBUFFER_READONLY_WITH_CHECKSUM = 0x10000000
+  SECBUFFER_ATTRMASK = 0xf0000000
+  
+  # Good results
+  SEC_E_OK = 0x00000000
+  SEC_I_RENEGOTIATE = 590625;
+  SEC_I_COMPLETE_AND_CONTINUE = 590612;
+  SEC_I_COMPLETE_NEEDED = 590611;
+  SEC_I_CONTINUE_NEEDED = 590610;
+  SEC_I_INCOMPLETE_CREDENTIALS = 590624;
+
+  # These are generally returned by InitializeSecurityContext
+  SEC_E_INSUFFICIENT_MEMORY = 0x80090300
+  SEC_E_INTERNAL_ERROR = 0x80090304
+  SEC_E_INVALID_HANDLE = 0x80090301
+  SEC_E_INVALID_TOKEN = 0x80090308
+  SEC_E_LOGON_DENIED = 0x8009030C
+  SEC_E_NO_AUTHENTICATING_AUTHORITY = 0x80090311
+  SEC_E_NO_CREDENTIALS = 0x8009030E
+  SEC_E_TARGET_UNKNOWN = 0x80090303
+  SEC_E_UNSUPPORTED_FUNCTION = 0x80090302
+  SEC_E_WRONG_PRINCIPAL = 0x80090322
+
+  # These are generally returned by AcquireCredentialsHandle
+  SEC_E_NOT_OWNER = 0x80090306
+  SEC_E_SECPKG_NOT_FOUND = 0x80090305
+  SEC_E_UNKNOWN_CREDENTIALS = 0x8009030D
+
+  module API
+    QuerySecurityPackageInfo = Win32API.new("secur32", "QuerySecurityPackageInfoA", 'pp', 'L')
+    QueryCredentialsAttributes = Win32API.new("secur32", "QueryCredentialsAttributesA", 'pLp', 'L')
+    QueryContextAttributes = Win32API.new("secur32", "QueryContextAttributesA", 'pLp', 'L')
+    CompleteAuthToken = Win32API.new("secur32", "CompleteAuthToken", 'pp', 'L')
+    MakeSignature = Win32API.new("secur32", "MakeSignature", 'pLpL', 'L')
+    FreeContextBuffer = Win32API.new("secur32", "FreeContextBuffer", 'P', 'L')
+  end
+
+  SecPkgCredentialsNames = Struct.new(:user_name)
+  
+  class SecPkgInfo
+    attr_reader :struct
+    
+    def capabilities; unpacked[0] end
+    def max_token; unpacked[2] end
+    def name; unpacked[3] end
+    def comment; unpacked[4] end 
+    
+    def unpacked;
+      @unpacked ||= @struct.to_ptr.ptr.to_a("LLL", 3) + (@struct.to_ptr.ptr + 12).to_a("SS", 2)
+    end
+    
+    def to_p; @struct ||= "\0" * 4 end
+  end
+
+	class SecPkgSizes
+	  attr_reader :struct
+	  
+	  def max_token; unpacked[0] end
+	  def max_signature; unpacked[1] end
+	  def block_size; unpacked[2] end 
+	  def security_trailer; unpacked[3] end
+	  
+	  def unpacked;
+	    @unpacked ||= @struct.unpack("LLLL")
+	  end
+	  
+	  def to_p; @struct ||= "\0" * 16 end
+	end
+	
+	# Creates binary representaiton of a SecBufferDesc structure,
+	# including the SecBuffer contained inside.
+	class SecurityBuffer
+	
+	  def initialize(buffers=nil)
+	    case buffers
+	    when String
+		    @bufferTokens = [ buffers.dup ]
+		    @bufferSizes = [ buffers.length ]
+		    @bufferTypes = [ SECBUFFER_TOKEN ]
+		  when Fixnum
+		    @bufferTokens = [ "\0" * TOKENBUFSIZE ] * buffers
+		    @bufferSizes = [ TOKENBUFSIZE ] * buffers
+		    @bufferTypes = [ SECBUFFER_TOKEN ] * buffers
+		  when NilClass
+		    @bufferTokens = [ "\0" * TOKENBUFSIZE ]
+		    @bufferSizes = [ TOKENBUFSIZE ]
+		    @bufferTypes = [ SECBUFFER_TOKEN ]
+	    else
+	      raise ArgumentError
+		  end
+	  end
+	  
+	  def bufferSize(n=0)
+	    unpack
+	    @bufferSizes[n]
+	  end
+	  
+	  def bufferType(n=0)
+	    unpack
+	    @bufferTypes[n]
+	  end
+	  
+	  def token(n=0)
+	    unpack
+	    @bufferTokens[n]
+	  end
+	  
+	  def set_buffer(n=0, type=SECBUFFER_TOKEN, token=nil, size=nil)
+	    @bufferTypes[n] = type
+	    @bufferSizes[n] = size || (token.nil? ? 0 : token.length)
+	    @bufferTokens[n] = (token.nil? && size && size > 0) ? "\0" * (size+1) : token
+	  end
+	  
+	  def to_p
+	    # Assumption is that when to_p is called we are going to get a packed structure. Therefore,
+	    # set @unpacked back to nil so we know to unpack when accessors are next accessed.
+	    @unpacked = nil
+	    # Assignment of inner structure to variable is very important here. Without it,
+	    # will not be able to unpack changes to the structure. Alternative, nested unpacks,
+	    # does not work (i.e. @struct.unpack("LLP12")[2].unpack("LLP12") results in "no associated pointer")
+	    @sec_buffers ||= @bufferTokens.inject([]) do |v,t|
+	      v.push @bufferSizes[v.size / 3], @bufferTypes[v.size / 3], t
+	    end.pack("LLP" * @bufferTokens.size)
+	    @struct ||= [SECBUFFER_VERSION, @bufferTokens.size, @sec_buffers].pack("LLP")    
+	  end
+	
+	private
+	
+	  # Unpacks the SecurityBufferDesc structure into member variables. We
+	  # only want to do this once per struct, so the struct is deleted
+	  # after unpacking. 
+	  def unpack
+	    if ! @unpacked && @sec_buffers && @struct
+	      d = @sec_buffers.unpack("LLL" * @bufferTokens.size)
+	      k = ''; 0.upto(@bufferTokens.size - 1) do |n| k << "LLP#{d[n * 3]}" end
+	      d = @sec_buffers.unpack(k)
+	      0.upto(@bufferTokens.size - 1) do |n| @bufferSizes[n] = d[n * 3] end
+	      0.upto(@bufferTokens.size - 1) do |n| @bufferTypes[n] = d[n * 3 + 1] end
+	      0.upto(@bufferTokens.size - 1) do |n| @bufferTokens[n] = d[n * 3 + 2] end
+	      @struct = nil
+	      @sec_buffers = nil
+	      @unpacked = true
+	    end
+	  end
+	end
+	
+end; end
+
+module Net; module SSH; module Kerberos; module SSPI; class GSSContext
+
+  class GeneralError < StandardError; end
+
+  include Win32::SSPI
+
+  def create(user, host)
+    dispose if @credentials or @handle
+    @credentials = CredHandle.new
+    ts=TimeStamp.new
+
+    result = SSPIResult.new(API::AcquireCredentialsHandle.call(
+                              nil, "Kerberos", SECPKG_CRED_OUTBOUND, nil, nil,
+                              nil, nil, @credentials.to_p, ts.to_p
+                            ))
+    unless result.ok?
+      @credentials = nil
+      raise GeneralError, "Error acquiring credentials: #{result}"
+    end
+    
+		buff = "\0\0\0\0"
+		result = SSPIResult.new(API::QueryCredentialsAttributes.call(@credentials.to_p, SECPKG_CRED_ATTR_NAMES, buff))
+    if result.ok?
+      names = buff.to_ptr.ptr
+      begin
+        @cred_name = names.to_s.sub /^.*\\/, ''
+        @cred_krb_name = @cred_name.gsub '@', '/';
+        @server_name = Socket.gethostbyname(host)[0]
+        @server_krb_name = "host/" + @server_name
+      ensure
+        API::FreeContextBuffer.call(names)
+      end
+    end
+    cred_names = SecPkgCredentialsNames.new(names)
+  end
+  
+  def init(token=nil)
+    ctx = CtxtHandle.new
+    ts = TimeStamp.new
+    prev = @state[:handle].to_p if @state and @state[:handle]
+    req = ISC_REQ_DELEGATE | ISC_REQ_MUTUAL_AUTH | ISC_REQ_INTEGRITY
+		output = SecurityBuffer.new
+		input = SecurityBuffer.new(token) if token
+		ctxAttr = "\0" * 4
+		result = SSPIResult.new(API::InitializeSecurityContext.call(@credentials.to_p, prev, @server_krb_name,
+					                      req, 0, SECURITY_NATIVE_DREP, input ? input.to_p : nil,
+					                      0, ctx.to_p, output.to_p, ctxAttr, ts.to_p))
+    if SEC_I_COMPLETE_NEEDED == result || SEC_I_COMPLETE_AND_CONTINUE == result
+			result = SSPIResult.new(API::CompleteAuthToken.call(ctx.to_p, output.to_p))
+    end
+    unless result.ok?
+      input.token
+      raise GeneralError, "Error initializing security context: #{result} #{input.inspect}"
+    end
+    @state = { :handle => ctx, :result => result, :token => output.token, :stamp => ts }
+    if result.value == 0
+      @sizes = SecPkgSizes.new
+			result = SSPIResult.new(API::QueryContextAttributes.call(ctx.to_p, SECPKG_ATTR_SIZES, @sizes.to_p))
+			@handle = @state[:handle]
+    end
+    @state[:token]
+  end
+  
+  def established?
+    @handle && (@handle.upper.nonzero? || @handle.lower.nonzero?) && (@state.nil? || @state[:result].value.zero?)
+  end
+  
+  def get_mic(token=nil)
+    buffers = SecurityBuffer.new 2
+    buffers.set_buffer 0, SECBUFFER_DATA, token
+    buffers.set_buffer 1, SECBUFFER_TOKEN, nil, @sizes.max_signature
+    @state[:result] = SSPIResult.new(API::MakeSignature.call(@handle.to_p, 0, buffers.to_p, 0))
+    unless @state[:result].ok?
+      raise GeneralError, "Error creating the signature: #{result}"
+    end
+    return buffers.token(1).dup
+  end
+  
+  def dispose()
+    if @credentials
+      API::FreeCredentialsHandle.call(@credentials.to_p)
+      @credentials = nil
+    end
+    if @handle
+      API::DeleteSecurityContext.call(@handle.to_p)
+      @handle = nil
+    end
+  end 
+
+end; end; end; end; end

data/test/net_ssh_kerberos_test.rb

@@ -0,0 +1,7 @@
+require 'test_helper'
+
+class NetSshKerberosTest < Test::Unit::TestCase
+  def test_something_for_real
+    flunk "hey buddy, you should probably rename this file and start testing for real"
+  end
+end

data/test/test_helper.rb

@@ -0,0 +1,9 @@
+require 'rubygems'
+require 'test/unit'
+
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+require 'net_ssh_kerberos'
+
+class Test::Unit::TestCase
+end

metadata

@@ -0,0 +1,91 @@
+--- !ruby/object:Gem::Specification 
+name: net-ssh-kerberos
+version: !ruby/object:Gem::Version 
+  version: 0.1.0
+platform: ruby
+authors: 
+- Joe Khoobyar
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2009-10-13 00:00:00 -04:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: net-ssh
+  type: :runtime
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: "2.0"
+    version: 
+- !ruby/object:Gem::Dependency 
+  name: rubysspi
+  type: :runtime
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: "1.3"
+    version: 
+description: |
+  Adds support for Microsoft Kerberos (SSPI) with the Net:SSH gem.
+
+email: joe@ankhcraft.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- LICENSE
+- README.rdoc
+files: 
+- LICENSE
+- README.rdoc
+- Rakefile
+- VERSION.yml
+- lib/net/ssh/authentication/methods/gssapi_with_mic.rb
+- lib/net/ssh/kerberos.rb
+- lib/net/ssh/kerberos/constants.rb
+- lib/net/ssh/kerberos/kex.rb
+- lib/net/ssh/kerberos/kex/krb5_diffie_hellman_group1_sha1.rb
+- lib/net/ssh/kerberos/kex/krb5_diffie_hellman_group_exchange_sha1.rb
+- lib/net/ssh/kerberos/sspi.rb
+- lib/net/ssh/kerberos/sspi/api.rb
+- test/net_ssh_kerberos_test.rb
+- test/test_helper.rb
+has_rdoc: true
+homepage: http://github.com/joekhoobyar/net-ssh-kerberos
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --charset=UTF-8
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: net-ssh-krb
+rubygems_version: 1.3.4
+signing_key: 
+specification_version: 3
+summary: Add Kerberos support to Net::SSH
+test_files: 
+- test/net_ssh_kerberos_test.rb
+- test/test_helper.rb