net-ssh-kerberos 0.1.0 → 0.1.2

data/README.rdoc

@@ -1,6 +1,10 @@
 = net-ssh-kerberos
 
-Adds Kerberos support to Net::SSH
+Adds Kerberos support to Net::SSH.
+
+Windows support uses Microsoft SSPI for Kerberos integration.
+
+Kerberos support for UNIX and OS X coming soon.
 
 == Copyright
 

data/VERSION.yml

@@ -1,4 +1,4 @@
 --- 
 :major: 0
 :minor: 1
-:patch: 0
+:patch: 2

data/lib/net/ssh/authentication/methods/gssapi_with_mic.rb

@@ -10,13 +10,15 @@ module Net
         class GssapiWithMic < Abstract
           include Net::SSH::Kerberos::Constants
           
-	        # OID 1.2.840.113554.1.2.2
-          SUPPORTED_OID = #"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"
-              [ 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x1, 0x2, 0x2 ].pack("C*")
+	        # OID 1.2.840.113554.1.2.2 - Kerberos 5 (RFC 1964)
+          SUPPORTED_OID = "\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"
+                          #[ 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x1, 0x2, 0x2 ].pack("C*")
 
           # Attempts to perform gssapi-with-mic Kerberos authentication
           def authenticate(next_service, username, password=nil)
-            sspi = nil
+            gss_klass = (defined?(Net::SSH::Kerberos::SSPI::Context) ?
+	                           Net::SSH::Kerberos::SSPI::Context : Net::SSH::Kerberos::GSS::Context)
+            gss = nil
             
             # Try to start gssapi-with-mic authentication.
 	          debug { "trying kerberos authentication" }
@@ -43,14 +45,14 @@ module Net
 	          end
 	          
 	          # Try to complete the handshake.
-	          sspi = Net::SSH::Kerberos::SSPI::GSSContext.new
-	          sspi.create username, hostname
+	          gss = gss_klass.new
+	          gss.create username, hostname
 			      debug { "gssapi-with-mic handshaking" }
-	          until sspi.established?
-	            token = sspi.init(token)
+	          until gss.established?
+	            token = gss.init(token)
 	            if token && token.length > 0
 					      send_message Net::SSH::Buffer.from(:byte, USERAUTH_GSSAPI_TOKEN, :string, token)
-	              unless sspi.established?
+	              unless gss.established?
 	                message = session.next_message
 				          case message.type
 				          when USERAUTH_GSSAPI_ERROR
@@ -72,7 +74,7 @@ module Net
 	          
 	          # Attempt the actual authentication.
 			      debug { "gssapi-with-mic authenticating" }
-					  mic = sspi.get_mic Net::SSH::Buffer.from(:string, session_id, :byte, USERAUTH_REQUEST, :string, username, 
+					  mic = gss.get_mic Net::SSH::Buffer.from(:string, session_id, :byte, USERAUTH_REQUEST, :string, username, 
 				                                             :string, next_service, :string, "gssapi-with-mic").to_s
             if mic.nil?
               info { "gssapi-with-mic failed (context#get_mic)" }
@@ -91,7 +93,7 @@ module Net
 	              raise Net::SSH::Exception, "unexpected server response to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
 	          end
           ensure
-			      sspi and sspi.dispose
+			      gss and gss.dispose
           end
 
           private

data/lib/net/ssh/kerberos.rb

@@ -1,7 +1,18 @@
 require 'net/ssh'
 require 'net/ssh/kerberos/constants'
 #require 'net/ssh/kerberos/kex'
-require 'net/ssh/kerberos/sspi'
+if RUBY_PLATFORM.include?('win') && ! RUBY_PLATFORM.include?('dar'); then
+  begin
+    require 'net/ssh/kerberos/sspi'
+  rescue Exception => e
+    if RuntimeError === e and e.message =~ /^LoadLibrary: ([^\s]+)/
+      $stderr.puts "error: While loading Kerberos SSPI: failed to load library: #{$1}"
+    else
+      raise e
+    end
+  end
+end
+require 'net/ssh/kerberos/gss' unless defined?(Net::SSH::Kerberos::SSPI::Context)
 require 'net/ssh/authentication/methods/gssapi_with_mic'
 
 module Net

data/lib/net/ssh/kerberos/gss.rb

@@ -0,0 +1,7 @@
+$stderr.puts "warning: Kerberos support for non-Windows systems is not yet implemented."
+
+require 'net/ssh/kerberos/gss/api'
+require 'net/ssh/kerberos/gss/context'
+
+module Net; module SSH; module Kerberos; module GSS
+end; end; end; end

data/lib/net/ssh/kerberos/gss/api.rb

@@ -0,0 +1,4 @@
+
+module Net; module SSH; module Kerberos; module GSS; class API
+
+end; end; end; end; end

data/lib/net/ssh/kerberos/gss/context.rb

@@ -0,0 +1,7 @@
+require 'net/ssh/kerberos/gss/api'
+
+module Net; module SSH; module Kerberos; module GSS; class Context
+
+  class GeneralError < StandardError; end
+
+end; end; end; end; end

data/lib/net/ssh/kerberos/sspi.rb

@@ -1,54 +1,5 @@
 require 'net/ssh/kerberos/sspi/api'
+require 'net/ssh/kerberos/sspi/context'
 
-module Net; module SSH; module Kerberos
-  module SSPI
-
-    class State
-      attr_accessor :name, :realm, :valid
-      alias :valid? :valid
-    end
-
-    # Acquires credentials for SSPI (GSSAPI) authentication, and determines
-    # the credential's username and realm.
-    def sspi_acquire_credentials(state)
-      #SecPkgCredentials_Names names
-      #char *delimiter, *cp
-
-      state.valid? and return true
-
-      #sspi->from_server_token.BufferType = SECBUFFER_TOKEN | SECBUFFER_READONLY;
-
-      # Acquire credentials
-      sspi_acquire_credentials_handle
-      names = sspi_query_credentials_names
-      state.name, state.realm = *names.user_name.split('@')
-
-      #debug(("  FreeContextBuffer(%x)\n", names.sUserName));
-      #result = SSPIResult.new(API::FreeContextBuffer(names.user.to_p))
-      sspi_free_context_buffer names
-      sspi_free_credentials_handle
-
-      # Sometimes, Microsoft SSPI returns a UPN of the form "user@REALM@",
-      # (Seen under WinXP pro after ksetup to a MIT realm). Deal with that.
-      realm.chop if realm[-1] == '@'
-
-      # Initialise the request flags.
-      #sspi->request_flags = ISC_REQ_MUTUAL_AUTH | 
-      #                       ISC_REQ_INTEGRITY |
-      #                       ISC_REQ_CONFIDENTIALITY | 
-      #                       ISC_REQ_ALLOCATE_MEMORY;
-      #if (ssh->cfg.sspi_fwd_ticket)
-      #  sspi->request_flags |= ISC_REQ_DELEGATE;
-
-      if ! sspi_construct_service_name state
-        state.valid = true
-      #if (!sspi_construct_service_name(ssh, sspi)) {
-        #debug(("  FreeCredentialsHandle(%s)\n", HDL(&sspi->credentials)));
-      else
-        sspi_free_credentials_handle
-      end
-    end 
-  end
-end; end; end
-
-
+module Net; module SSH; module Kerberos; module SSPI
+end; end; end; end

data/lib/net/ssh/kerberos/sspi/api.rb

@@ -1,5 +1,5 @@
 require 'win32/sspi'
-require 'dl'
+require 'dl'
 
 module Win32; module SSPI
 
@@ -77,9 +77,43 @@ module Win32; module SSPI
     CompleteAuthToken = Win32API.new("secur32", "CompleteAuthToken", 'pp', 'L')
     MakeSignature = Win32API.new("secur32", "MakeSignature", 'pLpL', 'L')
     FreeContextBuffer = Win32API.new("secur32", "FreeContextBuffer", 'P', 'L')
+
+  private
+
+    def self.method_missing(symbol, *args)
+      return super unless const_defined? symbol and Win32API === (api = const_get(symbol))
+      result = SSPIResult.new api.call(*args)
+      args = (1..(args.length)).inject([]) { |v,n| v << "a#{n}" }.join ', '
+      class_eval "def self.#{symbol}(#{args}); SSPIResult.new #{symbol}.call(#{args}) end"
+      result
+    end
   end
 
   SecPkgCredentialsNames = Struct.new(:user_name)
+
+  class SecurityHandle
+    def nil?; @struct.unpack('Q').first.zero? end
+    alias :to_str :to_p
+  end
+
+  class TimeStamp
+    def nil?; @struct.unpack('Q').first.zero? end
+    alias :to_str :to_p
+  end
+
+  class SSPIResult
+    def ok?; (value & 0x80000000).zero? end
+
+    def complete?; value.zero? end
+
+    def incomplete?; SEC_I_COMPLETE_NEEDED==value || SEC_I_COMPLETE_AND_CONTINUE==value end
+
+    def failure?; (value & 0x80000000).nonzero? end
+
+    def temporary_failure?
+      value==SEC_E_LOGON_DENIED || value==SEC_E_NO_AUTHENTICATING_AUTHORITY || value==SEC_E_NO_CREDENTIALS
+    end
+  end
   
   class SecPkgInfo
     attr_reader :struct
@@ -94,6 +128,7 @@ module Win32; module SSPI
     end
     
     def to_p; @struct ||= "\0" * 4 end
+    alias :to_str :to_p
   end
 
 	class SecPkgSizes
@@ -109,6 +144,7 @@ module Win32; module SSPI
 	  end
 	  
 	  def to_p; @struct ||= "\0" * 16 end
+    alias :to_str :to_p
 	end
 	
 	# Creates binary representaiton of a SecBufferDesc structure,
@@ -167,6 +203,7 @@ module Win32; module SSPI
 	    end.pack("LLP" * @bufferTokens.size)
 	    @struct ||= [SECBUFFER_VERSION, @bufferTokens.size, @sec_buffers].pack("LLP")    
 	  end
+    alias :to_str :to_p
 	
 	private
 	
@@ -189,94 +226,3 @@ module Win32; module SSPI
 	end
 	
 end; end
-
-module Net; module SSH; module Kerberos; module SSPI; class GSSContext
-
-  class GeneralError < StandardError; end
-
-  include Win32::SSPI
-
-  def create(user, host)
-    dispose if @credentials or @handle
-    @credentials = CredHandle.new
-    ts=TimeStamp.new
-
-    result = SSPIResult.new(API::AcquireCredentialsHandle.call(
-                              nil, "Kerberos", SECPKG_CRED_OUTBOUND, nil, nil,
-                              nil, nil, @credentials.to_p, ts.to_p
-                            ))
-    unless result.ok?
-      @credentials = nil
-      raise GeneralError, "Error acquiring credentials: #{result}"
-    end
-    
-		buff = "\0\0\0\0"
-		result = SSPIResult.new(API::QueryCredentialsAttributes.call(@credentials.to_p, SECPKG_CRED_ATTR_NAMES, buff))
-    if result.ok?
-      names = buff.to_ptr.ptr
-      begin
-        @cred_name = names.to_s.sub /^.*\\/, ''
-        @cred_krb_name = @cred_name.gsub '@', '/';
-        @server_name = Socket.gethostbyname(host)[0]
-        @server_krb_name = "host/" + @server_name
-      ensure
-        API::FreeContextBuffer.call(names)
-      end
-    end
-    cred_names = SecPkgCredentialsNames.new(names)
-  end
-  
-  def init(token=nil)
-    ctx = CtxtHandle.new
-    ts = TimeStamp.new
-    prev = @state[:handle].to_p if @state and @state[:handle]
-    req = ISC_REQ_DELEGATE | ISC_REQ_MUTUAL_AUTH | ISC_REQ_INTEGRITY
-		output = SecurityBuffer.new
-		input = SecurityBuffer.new(token) if token
-		ctxAttr = "\0" * 4
-		result = SSPIResult.new(API::InitializeSecurityContext.call(@credentials.to_p, prev, @server_krb_name,
-					                      req, 0, SECURITY_NATIVE_DREP, input ? input.to_p : nil,
-					                      0, ctx.to_p, output.to_p, ctxAttr, ts.to_p))
-    if SEC_I_COMPLETE_NEEDED == result || SEC_I_COMPLETE_AND_CONTINUE == result
-			result = SSPIResult.new(API::CompleteAuthToken.call(ctx.to_p, output.to_p))
-    end
-    unless result.ok?
-      input.token
-      raise GeneralError, "Error initializing security context: #{result} #{input.inspect}"
-    end
-    @state = { :handle => ctx, :result => result, :token => output.token, :stamp => ts }
-    if result.value == 0
-      @sizes = SecPkgSizes.new
-			result = SSPIResult.new(API::QueryContextAttributes.call(ctx.to_p, SECPKG_ATTR_SIZES, @sizes.to_p))
-			@handle = @state[:handle]
-    end
-    @state[:token]
-  end
-  
-  def established?
-    @handle && (@handle.upper.nonzero? || @handle.lower.nonzero?) && (@state.nil? || @state[:result].value.zero?)
-  end
-  
-  def get_mic(token=nil)
-    buffers = SecurityBuffer.new 2
-    buffers.set_buffer 0, SECBUFFER_DATA, token
-    buffers.set_buffer 1, SECBUFFER_TOKEN, nil, @sizes.max_signature
-    @state[:result] = SSPIResult.new(API::MakeSignature.call(@handle.to_p, 0, buffers.to_p, 0))
-    unless @state[:result].ok?
-      raise GeneralError, "Error creating the signature: #{result}"
-    end
-    return buffers.token(1).dup
-  end
-  
-  def dispose()
-    if @credentials
-      API::FreeCredentialsHandle.call(@credentials.to_p)
-      @credentials = nil
-    end
-    if @handle
-      API::DeleteSecurityContext.call(@handle.to_p)
-      @handle = nil
-    end
-  end 
-
-end; end; end; end; end

data/lib/net/ssh/kerberos/sspi/context.rb

@@ -0,0 +1,87 @@
+require 'net/ssh/kerberos/sspi/api'
+
+module Net; module SSH; module Kerberos; module SSPI; class Context
+
+  class GeneralError < StandardError; end
+
+  include Win32::SSPI
+
+  attr_reader :cred_name, :cred_krb_name, :server_name, :server_krb_name
+
+  def create(user, host)
+    dispose if @credentials or @handle
+    creds = CredHandle.new
+    ts = TimeStamp.new
+
+    result = API::AcquireCredentialsHandle nil, "Kerberos", SECPKG_CRED_OUTBOUND, nil, nil, nil, nil, creds, ts
+    result.ok? or raise GeneralError, "Error acquiring credentials: #{result}"
+    
+		buff = "\0\0\0\0"
+		result = API::QueryCredentialsAttributes creds, SECPKG_CRED_ATTR_NAMES, buff
+    if result.ok?
+      names = buff.to_ptr.ptr
+      begin
+        @cred_name = names.to_s.sub(/^[^\\\/]*[\\\/]/, '')
+        @cred_krb_name = @cred_name.gsub('@', '/');
+        @server_name = Socket.gethostbyname(host)[0]
+        @server_krb_name = "host/" + @server_name
+
+        z = (user.include?('@') ? user.gsub('@','/') : user+'/')
+        unless z.downcase == @cred_krb_name[0,z.length].downcase
+          raise GeneralError, "Credentials mismatch: current is #{@cred_name}, requested is #{user}"
+        end
+        @credentials = creds
+      ensure
+        @credentials or API::FreeCredentialsHandle creds
+        API::FreeContextBuffer names
+      end
+    end
+  end
+
+  def credentials?; ! @credentials.nil? end
+  
+  def init(token=nil)
+    ctx = CtxtHandle.new
+    ts = TimeStamp.new
+    prev = @state[:handle] if @state
+    req = ISC_REQ_DELEGATE | ISC_REQ_MUTUAL_AUTH | ISC_REQ_INTEGRITY
+		output = SecurityBuffer.new
+		input = SecurityBuffer.new(token) if token
+		ctxAttr = "\0" * 4
+		result = API::InitializeSecurityContext @credentials, prev, @server_krb_name, req, 0,
+                                            SECURITY_NATIVE_DREP, input, 0, ctx, output, ctxAttr, ts
+    result = API::CompleteAuthToken ctx, output if result.incomplete?
+    if result.failure?
+      input.token and raise GeneralError, "Error initializing security context: #{result} #{input.inspect}"
+    end
+    @state = { :handle => ctx, :result => result, :token => output.token, :stamp => ts }
+    if result.complete?
+			result = API::QueryContextAttributes ctx, SECPKG_ATTR_SIZES, @sizes=SecPkgSizes.new
+			@handle = @state[:handle]
+    end
+    @state[:token]
+  end
+  
+  def established?
+    ! @handle.nil? && (@state.nil? || @state[:result].value.zero?)
+  end
+  
+  def get_mic(token=nil)
+    buffers = SecurityBuffer.new 2
+    buffers.set_buffer 0, SECBUFFER_DATA, token
+    buffers.set_buffer 1, SECBUFFER_TOKEN, nil, @sizes.max_signature
+    @state[:result] = API::MakeSignature @handle, 0, buffers, 0
+    unless @state[:result].ok?
+      raise GeneralError, "Error creating the signature: #{result}"
+    end
+    return buffers.token(1).dup
+  end
+  
+  def dispose()
+    @credentials and API::FreeCredentialsHandle @credentials
+    @handle and API::DeleteSecurityContext @handle
+  ensure
+    @credentials = @handle = nil
+  end 
+
+end; end; end; end; end

data/test/net_ssh_kerberos_test.rb

@@ -1,7 +1,7 @@
-require 'test_helper'
+require File.join(File.dirname(__FILE__), 'test_helper.rb')
 
 class NetSshKerberosTest < Test::Unit::TestCase
-  def test_something_for_real
-    flunk "hey buddy, you should probably rename this file and start testing for real"
+  def test_net_ssh_integration
+    flunk "write some unit tests for Net::SSH integration"
   end
 end

data/test/sspi_context_test.rb

@@ -0,0 +1,27 @@
+require File.join(File.dirname(__FILE__), 'test_helper.rb')
+
+include Win32::SSPI
+
+class SspiContextTest < Test::Unit::TestCase
+
+if defined? Net::SSH::Kerberos::SSPI::Context
+
+  def setup
+    @gss = Net::SSH::Kerberos::SSPI::Context.new 
+  end
+
+  def teardown
+    @gss.dispose
+  end
+
+  def test_create
+    @gss.create ENV['USER'], Socket.gethostbyname('localhost')[0]
+    assert @gss.credentials?, "Should have acquired credentials"
+  end
+
+else
+  $stderr.puts "Skipping SSPI tests on this platform: Windows SSPI was not loaded."
+end
+
+end
+

data/test/sspi_test.rb

@@ -0,0 +1,70 @@
+require File.join(File.dirname(__FILE__), 'test_helper.rb')
+
+include Win32::SSPI
+
+class SspiTest < Test::Unit::TestCase
+
+if defined? Net::SSH::Kerberos::SSPI::Context
+
+  def test_query_security_package_info
+    pkg_info = SecPkgInfo.new
+    result = API::QuerySecurityPackageInfo "Kerberos", pkg_info
+    assert result.ok?, "QuerySecurityPackageInfo failed: #{result}"
+    assert_equal pkg_info.name, "Kerberos"
+    assert pkg_info.max_token >= 128, "The maximum token size is assumed to be greater than 128 bytes"
+    assert pkg_info.max_token <= 12288, "The maximum token size is assumed to be less than 12288 bytes"
+    result = API::FreeContextBuffer pkg_info
+    assert result.ok?, "FreeContextBuffer failed: #{result}"
+  end
+
+  def test_security_context_initialization
+    creds = SecurityHandle.new
+    ts = TimeStamp.new
+    result = API::AcquireCredentialsHandle nil, "Kerberos", SECPKG_CRED_OUTBOUND, nil, nil, nil, nil, creds, ts
+    unless result.temporary_failure?
+      assert result.ok?, "AcquireCredentialsHandle failed: #{result}"
+      assert ! creds.nil?, "Should acquire a credentials handle"
+      begin
+        buff = "\0\0\0\0"
+        result = API::QueryCredentialsAttributes creds, SECPKG_CRED_ATTR_NAMES, buff
+        assert result.ok?, "QueryCredentialsAttributes failed: #{result}"
+        names = buff.to_ptr.ptr
+        assert ! names.nil?, "Should return the user name."
+        begin
+          ts = TimeStamp.new
+          output = SecurityBuffer.new
+          ctx = CtxtHandle.new
+          ctxAttr = "\0" * 4
+          req = ISC_REQ_DELEGATE | ISC_REQ_MUTUAL_AUTH
+          result = API::InitializeSecurityContext creds, nil, 'host/'+Socket.gethostbyname('localhost')[0], 
+                                                  req, 0, SECURITY_NATIVE_DREP, nil, 0, ctx, output, ctxAttr, ts
+          unless result.temporary_failure?
+            assert result.ok?, "InitializeSecurityContext failed: #{result}"
+            begin
+              assert ! ctx.nil?, "Should initialize a context handle"
+              assert ! output.token.nil?, "Should output a token into the buffer"
+              assert output.bufferSize.nonzero?, "Should output a token into the buffer"
+            ensure
+              result = API::DeleteSecurityContext ctx
+              ctx = nil if result.ok?
+            end
+            assert ctx.nil?, "DeleteSecurityContext failed: #{result}"
+          end
+        ensure
+          result = API::FreeContextBuffer names
+          names = nil if result.ok?
+        end
+        assert names.nil?, "FreeContextBuffer failed: #{result}"
+      ensure
+        result = API::FreeCredentialsHandle creds
+        creds = nil if result.ok?
+      end
+      assert creds.nil?, "FreeCredentialsHandle failed: #{result}"
+    end
+  end
+else
+  $stderr.puts "Skipping SSPI tests on this platform: Windows SSPI was not loaded."
+end
+
+end
+

data/test/test_helper.rb

@@ -3,7 +3,7 @@ require 'test/unit'
 
 $LOAD_PATH.unshift(File.dirname(__FILE__))
 $LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
-require 'net_ssh_kerberos'
+require 'net/ssh/kerberos'
 
 class Test::Unit::TestCase
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: net-ssh-kerberos
 version: !ruby/object:Gem::Version 
-  version: 0.1.0
+  version: 0.1.2
 platform: ruby
 authors: 
 - Joe Khoobyar
@@ -51,12 +51,18 @@ files:
 - lib/net/ssh/authentication/methods/gssapi_with_mic.rb
 - lib/net/ssh/kerberos.rb
 - lib/net/ssh/kerberos/constants.rb
+- lib/net/ssh/kerberos/gss.rb
+- lib/net/ssh/kerberos/gss/api.rb
+- lib/net/ssh/kerberos/gss/context.rb
 - lib/net/ssh/kerberos/kex.rb
 - lib/net/ssh/kerberos/kex/krb5_diffie_hellman_group1_sha1.rb
 - lib/net/ssh/kerberos/kex/krb5_diffie_hellman_group_exchange_sha1.rb
 - lib/net/ssh/kerberos/sspi.rb
 - lib/net/ssh/kerberos/sspi/api.rb
+- lib/net/ssh/kerberos/sspi/context.rb
 - test/net_ssh_kerberos_test.rb
+- test/sspi_context_test.rb
+- test/sspi_test.rb
 - test/test_helper.rb
 has_rdoc: true
 homepage: http://github.com/joekhoobyar/net-ssh-kerberos
@@ -88,4 +94,6 @@ specification_version: 3
 summary: Add Kerberos support to Net::SSH
 test_files: 
 - test/net_ssh_kerberos_test.rb
+- test/sspi_context_test.rb
+- test/sspi_test.rb
 - test/test_helper.rb