net-ssh-kerberos 0.1.2 → 0.1.3

data/LICENSE

@@ -1,20 +1,339 @@
-Copyright (c) 2009 Joe Khoobyar
-
-Permission is hereby granted, free of charge, to any person obtaining
-a copy of this software and associated documentation files (the
-"Software"), to deal in the Software without restriction, including
-without limitation the rights to use, copy, modify, merge, publish,
-distribute, sublicense, and/or sell copies of the Software, and to
-permit persons to whom the Software is furnished to do so, subject to
-the following conditions:
-
-The above copyright notice and this permission notice shall be
-included in all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+		    GNU GENERAL PUBLIC LICENSE
+		       Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+			    Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.  This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it.  (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.)  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+  To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have.  You must make sure that they, too, receive or can get the
+source code.  And you must show them these terms so they know their
+rights.
+
+  We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+  Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software.  If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+  Finally, any free program is threatened constantly by software
+patents.  We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary.  To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+		    GNU GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License.  The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language.  (Hereinafter, translation is included without limitation in
+the term "modification".)  Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+  1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+  2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any
+    part thereof, to be licensed as a whole at no charge to all third
+    parties under the terms of this License.
+
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a
+    notice that there is no warranty (or else, saying that you provide
+    a warranty) and that users may redistribute the program under
+    these conditions, and telling the user how to view a copy of this
+    License.  (Exception: if the Program itself is interactive but
+    does not normally print such an announcement, your work based on
+    the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections
+    1 and 2 above on a medium customarily used for software interchange; or,
+
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your
+    cost of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+
+    c) Accompany it with the information you received as to the offer
+    to distribute corresponding source code.  (This alternative is
+    allowed only for noncommercial distribution and only if you
+    received the program in object code or executable form with such
+    an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it.  For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.  However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License.  Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+  5. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Program or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+  6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+  7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+  9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation.  If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+  10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission.  For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this.  Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+			    NO WARRANTY
+
+  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+		     END OF TERMS AND CONDITIONS
+
+	    How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License along
+    with this program; if not, write to the Free Software Foundation, Inc.,
+    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+    Gnomovision version 69, Copyright (C) year name of author
+    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+  `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+  <signature of Ty Coon>, 1 April 1989
+  Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs.  If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.

data/README.rdoc

@@ -1,10 +1,27 @@
 = net-ssh-kerberos
 
-Adds Kerberos support to Net::SSH.
+Add Kerberos (password-less) authentication capabilities to Net::SSH, without the need for modifying Net::SSH source code.
 
-Windows support uses Microsoft SSPI for Kerberos integration.
+This is a great way to help get Capistrano to be accepted in mid-to-large size enterprises with strict security rules.
 
-Kerberos support for UNIX and OS X coming soon.
+No more getting locked out of the network because you mis-typed your password - even if your company prohibits
+public key or host-based authentication.  If your organization uses Kerberos (many mid-to-large size corporations do),
+you can use this package to get password-less authentication without breaking your company's security guidelines.
+
+== How to use with Capistrano
+
+Add the following lines to the top of your Capfile (the relevant :auth_method is "gssapi-with-mic")
+
+  require 'net/ssh/kerberos'
+  set :ssh_options, { :auth_methods => %w(gssapi-with-mic publickey hostbased password keyboard-interactive) }
+
+
+== Supported Platforms
+
+- UNIX systems use the GSSAPI for Kerberos 5 integration. (tested on RedHat Linux)
+- Windows systems use Microsoft SSPI for Kerberos 5 integration. (tested on Windows XP)
+- Supports enterprise-level Kerberos-based security (tested with Centrify DC)
+- Cross-forest authentication is supported, including mixed environment (tested with Centrify DC in a mixed Windows/Linux environment)
 
 == Copyright
 

data/VERSION.yml

@@ -1,4 +1,4 @@
 --- 
 :major: 0
 :minor: 1
-:patch: 2
+:patch: 3

data/lib/net/ssh/authentication/methods/gssapi_with_mic.rb

@@ -12,7 +12,6 @@ module Net
           
 	        # OID 1.2.840.113554.1.2.2 - Kerberos 5 (RFC 1964)
           SUPPORTED_OID = "\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"
-                          #[ 0x6, 0x9, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x1, 0x2, 0x2 ].pack("C*")
 
           # Attempts to perform gssapi-with-mic Kerberos authentication
           def authenticate(next_service, username, password=nil)

data/lib/net/ssh/kerberos.rb

@@ -1,6 +1,7 @@
 require 'net/ssh'
 require 'net/ssh/kerberos/constants'
 #require 'net/ssh/kerberos/kex'
+
 if RUBY_PLATFORM.include?('win') && ! RUBY_PLATFORM.include?('dar'); then
   begin
     require 'net/ssh/kerberos/sspi'
@@ -12,7 +13,7 @@ if RUBY_PLATFORM.include?('win') && ! RUBY_PLATFORM.include?('dar'); then
     end
   end
 end
-require 'net/ssh/kerberos/gss' unless defined?(Net::SSH::Kerberos::SSPI::Context)
+require 'net/ssh/kerberos/gss'
 require 'net/ssh/authentication/methods/gssapi_with_mic'
 
 module Net

data/lib/net/ssh/kerberos/common/context.rb

@@ -0,0 +1,71 @@
+module Net; module SSH; module Kerberos; module Common; class Context
+
+  class GeneralError < StandardError; end
+
+  class State < Struct.new(:handle, :result, :token, :timestamp)
+    def complete?; result.complete? end
+  end
+
+  attr_reader :cred_name, :cred_krb_name, :server_name, :server_krb_name
+
+  def initialize
+    raise "Don't create this class directly - use a subclass" if self.class == Context
+  end
+
+  def create(user, host)
+    dispose if @credentials or @target or @handle
+
+    creds, name = acquire_current_credentials
+    begin
+      @cred_name = name.to_s.sub(/^[^\\\/]*[\\\/]/, '')
+      @cred_krb_name = @cred_name.gsub('@', '/');
+
+      z = (user.include?('@') ? user.gsub('@','/') : user+'/')
+      unless z.downcase == @cred_krb_name[0,z.length].downcase
+        raise GeneralError, "Credentials mismatch: current is #{@cred_name}, requested is #{user}"
+      end
+      @credentials = creds
+    ensure
+      if @credentials.nil?
+        release_credentials creds
+        @cred_name = @cred_krb_name = nil
+      end
+    end
+
+    @server_name = Socket.gethostbyname(host)[0]
+    @target, @server_krb_name = import_server_name host
+
+    true
+  end
+
+  def credentials?; ! @credentials.nil? end
+  
+  def established?; ! @handle.nil? && (@state.nil? || @state.complete?) end
+  
+  def init(token=nil); raise NotImplementedError, "subclasses must implement this method" end
+  
+  def get_mic(token=nil); raise NotImplementedError, "subclasses must implement this method" end
+  
+  def dispose
+    @handle and delete_context @handle
+    @credentials and release_credentials @credentials
+    @target and release_server_name @target
+  ensure
+    @credentials = @cred_name = @cred_krb_name = nil
+    @target = @server_name = @server_krb_name = nil
+    @handle = @state = nil
+  end 
+
+private
+
+  def acquire_current_credentials; raise NotImplementedError, "subclasses must implement this method" end
+
+  def release_credentials(creds); raise NotImplementedError, "subclasses must implement this method" end
+
+  def import_server_name(host); raise NotImplementedError, "subclasses must implement this method" end
+
+  def release_server_name(target); raise NotImplementedError, "subclasses must implement this method" end
+
+  def delete_context(handle); raise NotImplementedError, "subclasses must implement this method" end
+
+end; end; end; end; end

data/lib/net/ssh/kerberos/constants.rb

@@ -24,7 +24,7 @@ module Net; module SSH; module Kerberos
     USERAUTH_GSSAPI_ERROR             = 64
     USERAUTH_GSSAPI_ERRTOK            = 65
     USERAUTH_GSSAPI_MIC               = 66
-
+    
   end
 end; end; end
 

data/lib/net/ssh/kerberos/gss.rb

@@ -1,7 +1,9 @@
-$stderr.puts "warning: Kerberos support for non-Windows systems is not yet implemented."
+if ! defined? Net::SSH::Kerberos::SSPI::Context
+  $stderr.puts "warning: Kerberos support using GSSAPI is not fully tested."
+end
 
-require 'net/ssh/kerberos/gss/api'
-require 'net/ssh/kerberos/gss/context'
-
-module Net; module SSH; module Kerberos; module GSS
-end; end; end; end
+require 'net/ssh/kerberos/gss/api'
+require 'net/ssh/kerberos/gss/context'
+
+module Net; module SSH; module Kerberos; module GSS
+end; end; end; end

data/lib/net/ssh/kerberos/gss/api.rb

@@ -1,4 +1,163 @@
+require 'dl/import'
+require 'dl/struct'
 
-module Net; module SSH; module Kerberos; module GSS; class API
+module Net; module SSH; module Kerberos; module GSS;
 
-end; end; end; end; end
+  module API
+
+    extend DL::Importable
+
+    def self.struct2(fields, &block)
+      t = struct fields
+      return t unless block_given?
+      t.instance_variable_set :@methods, Module.new(&block)
+      class << t
+        alias :new_struct :new
+        def new(ptr)
+          mem = new_struct(ptr)
+          mem.extend @methods
+          mem
+        end
+      end
+      t
+    end
+
+    if RUBY_PLATFORM =~ /cygwin/
+      dlload('cyggss-1.dll')
+    else
+      dlload('libgssapi_krb5.so')
+    end 
+
+    typealias 'OM_uint32', 'unsigned int'
+    typealias 'size_t', 'unsigned int'
+
+    GssBuffer = struct [ "size_t length", "char *value" ]
+    typealias 'gss_buffer_desc', 'GssBuffer'
+    typealias 'gss_buffer_t', 'gss_buffer_desc *'
+    GssOID = struct2 [ "OM_uint32 length", "char *elements" ] do
+      def to_hex
+        s = elements.to_s
+        s.unpack("H2" * s.length).join ' '
+      end
+    end
+    typealias 'gss_OID_desc', 'GssOID'
+    typealias 'gss_OID', 'gss_OID_desc *'
+    GssOIDSet = struct [ "size_t count", "gss_OID elements" ]
+    typealias 'gss_OID_set_desc', 'GssOIDSet'
+    typealias 'gss_OID_set', 'gss_OID_set_desc *'
+
+    typealias 'gss_ctx_id_t', 'void *'
+    typealias 'gss_cred_id_t', 'void *'
+    typealias 'gss_name_t', 'void *'
+    typealias 'gss_qop_t', 'OM_uint32'
+    typealias 'gss_cred_usage_t', 'int'
+
+    GssNameRef = struct [ "gss_name_t handle" ]
+    GssContextRef = struct [ "gss_ctx_id_t handle" ]
+    GssCredRef = struct [ "gss_cred_id_t handle" ]
+    OM_uint32Ref = struct [ "OM_uint32 value" ]
+    GssCredUsageRef = struct [ "int value" ]
+
+    GssOIDRef = struct2 [ "GssOID *ptr" ] do
+      def oid
+        @oid = GssOID.new(ptr) if (@oid.nil? or @oid.to_ptr != ptr) and ! ptr.nil?
+        @oid
+      end
+    end
+
+    GssOIDSetRef = struct2 [ "GssOIDSet *ptr" ] do
+      def oidset
+        @oidset = GssOIDSet.new(ptr) if (@oidset.nil? or @oidset.to_ptr != ptr) and ! ptr.nil?
+        @oidset
+      end
+    end
+
+    class GssResult < Struct.new(:major, :minor, :status, :calling_error, :routine_error)
+      def initialize(result, minor=nil)
+        self.major = (result >> 16) & 0x0000ffff
+        self.minor = minor.value if minor.respond_to? :value
+        self.status = result & 0x0000ffff
+        self.calling_error = (major >> 8) & 0x00ff
+        self.routine_error = major & 0x00ff
+      end
+
+      def ok?; major.zero? end
+
+      def complete?; status.zero? end
+
+      def incomplete?; false end
+
+      def failure?; major.nonzero? end
+
+      def temporary_failure?
+        routine_error==GSS_S_CREDENTIALS_EXPIRED ||
+          routine_error==GSS_S_CONTEXT_EXPIRED ||
+          routine_error==GSS_S_UNAVAILABLE
+      end
+
+      def to_s; "%#4.4x%4.4x [%#8.8x]" % [major, status, minor] end
+    end
+
+    extern "OM_uint32 gss_acquire_cred (OM_uint32 *, gss_name_t, OM_uint32, gss_OID_set, gss_cred_usage_t, gss_cred_id_t *, gss_OID_set *, OM_uint32 *)"
+    extern "OM_uint32 gss_inquire_cred (OM_uint32 *, gss_cred_id_t, gss_name_t *, OM_uint32 *, gss_cred_usage_t *, gss_OID_set *)"
+    extern "OM_uint32 gss_release_cred (OM_uint32 *, gss_cred_id_t *)"
+    extern "OM_uint32 gss_import_name (OM_uint32 *, gss_buffer_t, gss_OID, gss_name_t *)"
+    extern "OM_uint32 gss_release_name (OM_uint32 *, gss_name_t *)"
+    extern "OM_uint32 gss_display_name (OM_uint32 *, gss_name_t, gss_buffer_t, gss_OID *)"
+    extern "OM_uint32 gss_release_buffer (OM_uint32 *, gss_buffer_t)"
+    extern "OM_uint32 gss_release_oid_set (OM_uint32 *, gss_OID_set *)"
+    extern "OM_uint32 gss_init_sec_context (OM_uint32 *, gss_cred_id_t, gss_ctx_id_t *, gss_name_t, gss_OID, OM_uint32, OM_uint32, void *, gss_buffer_t, gss_OID *, gss_buffer_t, OM_uint32 *, OM_uint32 *)"
+    extern "OM_uint32 gss_delete_sec_context (OM_uint32 *, gss_ctx_id_t *, gss_buffer_t)"
+    extern "OM_uint32 gss_get_mic(OM_uint32 *, gss_ctx_id_t, gss_qop_t, gss_buffer_t, gss_buffer_t)"
+
+    if @LIBS.empty? and ! defined? Net::SSH::Kerberos::SSPI::Context
+      $stderr.puts "error: Failed to a find a supported GSS implementation on this platform (#{RUBY_PLATFORM})"
+    end
+  end
+
+  GSS_C_INITIATE = 1
+
+  GSS_C_DELEG_FLAG      = 1
+  GSS_C_MUTUAL_FLAG     = 2
+  GSS_C_REPLAY_FLAG     = 4
+  GSS_C_SEQUENCE_FLAG   = 8
+  GSS_C_CONF_FLAG       = 16
+  GSS_C_INTEG_FLAG      = 32
+  GSS_C_ANON_FLAG       = 64
+  GSS_C_PROT_READY_FLAG = 128
+  GSS_C_TRANS_FLAG      = 256
+
+  GSS_C_NO_NAME         = nil
+  GSS_C_NO_BUFFER       = nil
+  GSS_C_NO_OID          = nil
+  GSS_C_NO_OID_SET      = nil
+  GSS_C_NO_CONTEXT      = nil
+  GSS_C_NO_CREDENTIAL   = nil
+  GSS_C_NO_CHANNEL_BINDINGS = nil
+  GSS_C_QOP_DEFAULT     = 0
+
+  GSS_S_COMPLETE        = 0
+  GSS_S_CONTINUE_NEEDED = 1
+  GSS_S_DUPLICATE_TOKEN = 2
+  GSS_S_OLD_TOKEN       = 4
+  GSS_S_UNSEQ_TOKEN     = 8
+  GSS_S_GAP_TOKEN       = 16
+
+  #--
+  # GSSAPI / Kerberos 5  OID(s)
+  #++
+  GSS_C_NT_PRINCIPAL = "\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x01"
+  GSS_C_NT_MACHINE_UID_NAME = "\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x02"
+  GSS_C_NT_STRING_UID_NAME = "\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x03"
+  GSS_C_NT_HOSTBASED_SERVICE = "\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x04"
+  GSS_C_NT_ANONYMOUS = "\x2b\x06\01\x05\x06\x03"
+  GSS_C_NT_EXPORT_NAME = "\x2b\x06\01\x05\x06\x04"
+  GSS_KRB5_MECH = "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"
+  GSS_KRB5_MECH_USER2USER = "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x03"
+
+  #--
+  # GSSAPI / Kerberos 5  Deprecated / Proprietary OID(s)
+  #++
+  GSS_C_NT_HOSTBASED_SERVICE_X = "\x2b\x06\x01\x05\x06\x02"
+
+end; end; end; end

data/lib/net/ssh/kerberos/gss/context.rb

@@ -1,7 +1,115 @@
+require 'net/ssh/kerberos/common/context'
 require 'net/ssh/kerberos/gss/api'
 
-module Net; module SSH; module Kerberos; module GSS; class Context
+module Net; module SSH; module Kerberos; module GSS; class Context < Common::Context
 
-  class GeneralError < StandardError; end
+  GssResult = API::GssResult
+
+  def init(token=nil)
+    minor_status = API::OM_uint32Ref.malloc
+
+    mech = API::GssOID.malloc
+    mech.elements = GSS_KRB5_MECH
+    mech.length = GSS_KRB5_MECH.length
+    actual_mech = API::GssOIDRef.malloc
+    buffer = API::GssBuffer.malloc
+    if token.nil?
+      input = GSS_C_NO_BUFFER
+    else
+      input = API::GssBuffer.malloc
+      input.value = token.to_ptr
+      input.length = token.length
+    end
+    if @state.nil? or @state.handle.nil?
+      context = API::GssContextRef.malloc
+      context.handle = GSS_C_NO_CONTEXT
+    else
+      context = @state.handle
+    end
+    result = GssResult.new API.gss_init_sec_context(minor_status, @credentials, context, @target.handle, mech,
+                                                    GSS_C_DELEG_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG, 60,
+                                                    GSS_C_NO_CHANNEL_BINDINGS, input, actual_mech, buffer, nil, nil), minor_status
+    result.failure? and raise GeneralError, "Error initializing security context: #{result.major} #{input.length}"
+    begin
+      @state = State.new(context, result, (buffer.value && buffer.value.to_s(buffer.length).dup), nil)
+      @handle = @state.handle if result.complete?
+      return @state.token
+    ensure
+      API.gss_release_buffer(minor_status, buffer) unless buffer.value.nil?
+    end
+  end
+  
+  def get_mic(token=nil)
+    minor_status = API::OM_uint32Ref.malloc
+    input = API::GssBuffer.malloc
+    input.value = token.to_ptr
+    input.length = token.length
+    output = API::GssBuffer.malloc
+    @state.result = GssResult.new API.gss_get_mic(minor_status, @handle.handle, GSS_C_QOP_DEFAULT, input, output), minor_status
+    unless @state.result.complete? and output
+      raise GeneralError, "Error creating the signature: #{@state.result}"
+    end
+    begin return output.value.to_s(output.length).dup
+    ensure API.gss_release_buffer minor_status, output
+    end
+  end
+
+protected
+
+  def state; @state end
+  
+private
+  
+  def acquire_current_credentials
+    minor_status = API::OM_uint32Ref.malloc
+    creds = API::GssCredRef.malloc
+    result = GssResult.new API.gss_acquire_cred(minor_status, nil, 60, nil, GSS_C_INITIATE, creds, nil, nil), minor_status
+    result.ok? or raise GeneralError, "Error acquiring credentials: #{result}"
+    begin
+      name = API::GssNameRef.malloc
+      result = GssResult.new API.gss_inquire_cred(minor_status, creds.handle, name, nil, nil, nil), minor_status
+      result.ok? or raise GeneralError, "Error inquiring credentials: #{result}"
+      begin
+        buffer = API::GssBuffer.malloc
+        result = GssResult.new API.gss_display_name(minor_status, name.handle, buffer, nil), minor_status
+        result.ok? or raise GeneralError, "Error getting display name: #{result}"
+        begin return [creds, buffer.value.to_s.dup]
+        ensure API.gss_release_buffer API::OM_uint32Ref.malloc, buffer
+        end
+      ensure
+        API.gss_release_name API::OM_uint32Ref.malloc, name
+      end
+    ensure
+      API.gss_release_cred API::OM_uint32Ref.malloc, creds
+    end
+  end
+
+  def release_credentials(creds)
+    creds.nil? or API.gss_release_cred API::OM_uint32Ref.malloc, creds
+  end
+
+  def import_server_name(host)
+    host = 'host@' + host
+    minor_status = API::OM_uint32Ref.malloc
+    buffer = API::GssBuffer.malloc
+    buffer.value = host.to_ptr
+    buffer.length = host.length
+    mech = API::GssOID.malloc
+    mech.elements = GSS_C_NT_HOSTBASED_SERVICE
+    mech.length = GSS_C_NT_HOSTBASED_SERVICE.length
+    target = API::GssNameRef.malloc
+    result = GssResult.new API.gss_import_name(minor_status, buffer, mech, target), minor_status
+    result.failure? and raise GeneralError, "Error importing name: #{result} #{input.inspect}"
+
+    [target, host]
+  end
+
+  def release_server_name(target)
+    target.nil? or API.gss_release_name API::OM_uint32Ref.malloc, target
+  end
+
+  def delete_context(handle)
+    handle.nil? or API.gss_delete_sec_context API::OM_uint32Ref.malloc, handle, nil
+  end
 
 end; end; end; end; end

data/lib/net/ssh/kerberos/sspi/context.rb

@@ -1,44 +1,9 @@
+require 'net/ssh/kerberos/common/context'
 require 'net/ssh/kerberos/sspi/api'
 
-module Net; module SSH; module Kerberos; module SSPI; class Context
-
-  class GeneralError < StandardError; end
+module Net; module SSH; module Kerberos; module SSPI; class Context < Common::Context
 
   include Win32::SSPI
-
-  attr_reader :cred_name, :cred_krb_name, :server_name, :server_krb_name
-
-  def create(user, host)
-    dispose if @credentials or @handle
-    creds = CredHandle.new
-    ts = TimeStamp.new
-
-    result = API::AcquireCredentialsHandle nil, "Kerberos", SECPKG_CRED_OUTBOUND, nil, nil, nil, nil, creds, ts
-    result.ok? or raise GeneralError, "Error acquiring credentials: #{result}"
-    
-		buff = "\0\0\0\0"
-		result = API::QueryCredentialsAttributes creds, SECPKG_CRED_ATTR_NAMES, buff
-    if result.ok?
-      names = buff.to_ptr.ptr
-      begin
-        @cred_name = names.to_s.sub(/^[^\\\/]*[\\\/]/, '')
-        @cred_krb_name = @cred_name.gsub('@', '/');
-        @server_name = Socket.gethostbyname(host)[0]
-        @server_krb_name = "host/" + @server_name
-
-        z = (user.include?('@') ? user.gsub('@','/') : user+'/')
-        unless z.downcase == @cred_krb_name[0,z.length].downcase
-          raise GeneralError, "Credentials mismatch: current is #{@cred_name}, requested is #{user}"
-        end
-        @credentials = creds
-      ensure
-        @credentials or API::FreeCredentialsHandle creds
-        API::FreeContextBuffer names
-      end
-    end
-  end
-
-  def credentials?; ! @credentials.nil? end
   
   def init(token=nil)
     ctx = CtxtHandle.new
@@ -54,34 +19,58 @@ module Net; module SSH; module Kerberos; module SSPI; class Context
     if result.failure?
       input.token and raise GeneralError, "Error initializing security context: #{result} #{input.inspect}"
     end
-    @state = { :handle => ctx, :result => result, :token => output.token, :stamp => ts }
+    @state = State.new(ctx, result, output.token, ts)
     if result.complete?
 			result = API::QueryContextAttributes ctx, SECPKG_ATTR_SIZES, @sizes=SecPkgSizes.new
-			@handle = @state[:handle]
+			@handle = @state.handle
     end
-    @state[:token]
-  end
-  
-  def established?
-    ! @handle.nil? && (@state.nil? || @state[:result].value.zero?)
+    @state.token
   end
   
   def get_mic(token=nil)
     buffers = SecurityBuffer.new 2
     buffers.set_buffer 0, SECBUFFER_DATA, token
     buffers.set_buffer 1, SECBUFFER_TOKEN, nil, @sizes.max_signature
-    @state[:result] = API::MakeSignature @handle, 0, buffers, 0
-    unless @state[:result].ok?
+    @state.result = API::MakeSignature @handle, 0, buffers, 0
+    unless @state.result.complete? and (token = buffers.token(1))
       raise GeneralError, "Error creating the signature: #{result}"
     end
-    return buffers.token(1).dup
+
+    begin return token.dup
+    ensure API::FreeContextBuffer token
+    end
   end
   
-  def dispose()
-    @credentials and API::FreeCredentialsHandle @credentials
-    @handle and API::DeleteSecurityContext @handle
-  ensure
-    @credentials = @handle = nil
-  end 
+private
+  
+  def acquire_current_credentials
+    result = API::AcquireCredentialsHandle nil, "Kerberos", SECPKG_CRED_OUTBOUND, nil, nil, nil, nil,
+                                           creds=CredHandle.new, ts=TimeStamp.new
+    result.ok? or raise GeneralError, "Error acquiring credentials: #{result}"
+    
+		buff = "\0\0\0\0"
+		result = API::QueryCredentialsAttributes creds, SECPKG_CRED_ATTR_NAMES, buff
+    if result.ok?
+      name = buff.to_ptr.ptr
+      begin return [creds, name.to_s.dup]
+      ensure API::FreeContextBuffer name
+      end
+    end
+  end
+
+  def release_credentials(creds)
+    creds.nil? or API::FreeCredentialsHandle creds
+  end
+
+  def import_server_name(host)
+    ['host/'+host, 'host/'+host]
+  end
+
+  def release_server_name(target)
+  end
+
+  def delete_context(handle)
+    handle.nil? or API::DeleteSecurityContext handle
+  end
 
 end; end; end; end; end

data/test/gss_context_test.rb

@@ -0,0 +1,35 @@
+require File.join(File.dirname(__FILE__), 'test_helper.rb')
+
+class GssContextTest < Test::Unit::TestCase
+
+if defined? Net::SSH::Kerberos::GSS::Context
+
+  def setup
+    @gss = Net::SSH::Kerberos::GSS::Context.new 
+  end
+
+  def teardown
+    @gss.dispose
+  end
+
+  def test_create
+    @gss.create ENV['USER'], Socket.gethostbyname(`hostname || echo "localhost"`.strip)[0]
+    assert @gss.credentials?, "Should have acquired credentials"
+  end
+
+  def test_init
+    test_create
+    @gss.init nil
+    state = @gss.send(:state)
+    assert ! state.handle.nil?, "Should have provided an initial context"
+    assert ! state.handle.handle.nil?, "Should have provided an initial context"
+    assert ! state.token.nil?, "Should have built an initial token"
+    assert state.token.length.nonzero?, "Should have built an initial token"
+  end
+
+else
+  $stderr.puts "Skipping GSS tests on this platform: no supported GSSAPI library was loaded."
+end
+
+end
+

data/test/gss_test.rb

@@ -0,0 +1,97 @@
+require File.join(File.dirname(__FILE__), 'test_helper.rb')
+
+class GssTest < Test::Unit::TestCase
+
+  include Net::SSH::Kerberos::GSS
+
+  def test_acquire_cred
+    creds = API::GssCredRef.malloc
+    result = call_and_assert :gss_acquire_cred, nil, 60, nil, GSS_C_INITIATE, creds, nil, nil
+    assert_not_equal 0, creds.handle.to_i, "Should acquire default credentials"
+    begin
+      name = API::GssNameRef.malloc
+      lifetime = API::OM_uint32Ref.malloc
+      usage = API::GssCredUsageRef.malloc
+      oids = API::GssOIDSetRef.malloc
+      result = call_and_assert :gss_inquire_cred, creds.handle, name, nil, usage, oids
+      assert_not_equal 0, name.handle.to_i, "Should provide the internal name"
+      assert_not_equal 0, oids.oidset.count, "Should provide the supported oids"
+      begin
+        buffer = API::GssBuffer.malloc
+        oid = API::GssOIDRef.malloc
+        assert_equal GSS_C_INITIATE, usage.value, "Usage should specify GSS_C_INITIATE"
+        result = call_and_assert :gss_display_name, name.handle, buffer, oid
+        assert_not_equal 0, buffer.value.to_i, "Should provide the display name"
+        begin
+          assert_not_equal 0, oid.ptr.to_i, "Should provide the supported oid"
+          #$stderr.puts "credentials: #{creds.handle.to_i} #{buffer.value} (OID: #{oid.oid.length}, #{oid.oid.to_hex})"
+        ensure
+          result = API.gss_release_buffer API::OM_uint32Ref.malloc, buffer
+        end
+      ensure
+        minor_status = API::OM_uint32Ref.malloc
+        API.gss_release_name minor_status, name
+        API.gss_release_oid_set minor_status, oids
+        assert_equal 0, name.handle.to_i, "Should release the internal name"
+        assert_equal 0, oids.ptr.to_i, "Should release the supported oids"
+      end
+    ensure
+      minor_status = API::OM_uint32Ref.malloc
+      API.gss_release_cred minor_status, creds
+    end
+  end
+  
+  def test_init_sec_context
+    target_name = 'host@'+Socket.gethostbyname(`hostname || echo "localhost"`.strip)[0]
+    buffer = API::GssBuffer.malloc
+    buffer.value = target_name
+    buffer.length = target_name.length
+    mech = API::GssOID.malloc
+    mech.elements = GSS_C_NT_HOSTBASED_SERVICE
+    mech.length = GSS_C_NT_HOSTBASED_SERVICE.length
+    target_name = API::GssNameRef.malloc
+    result = call_and_assert :gss_import_name, buffer, mech, target_name
+    assert_not_equal target_name.handle, GSS_C_NO_NAME, "Should import the name"
+
+    buffer = API::GssBuffer.malloc
+    result = call_and_assert :gss_display_name, target_name.handle, buffer, nil
+    assert_not_equal 0, buffer.value.to_i, "Should provide the display name"
+    #$stderr.puts "target: #{buffer.value} (OID: #{mech.length}, #{mech.to_hex})"
+    call_and_assert :gss_release_buffer, buffer
+
+    mech.elements = GSS_KRB5_MECH
+    mech.length = GSS_KRB5_MECH.length
+    actual_mech = API::GssOIDRef.malloc
+    context = API::GssContextRef.malloc
+    context.handle = GSS_C_NO_CONTEXT
+    buffer.value = nil
+    buffer.length = 0
+    result = call_and_assert :gss_init_sec_context, GSS_C_NO_CREDENTIAL, context, target_name.handle, mech,
+                              GSS_C_DELEG_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG, 60,
+                              GSS_C_NO_CHANNEL_BINDINGS, GSS_C_NO_BUFFER, actual_mech, buffer, nil, nil
+    assert_not_equal 0, context.handle.to_i, "Should initialize the security context"
+    begin
+      assert_equal GSS_S_CONTINUE_NEEDED, result, "Should need continued initialization of the security context"
+      assert buffer.length > 0, "Should output a token to send to the server"
+      #$stderr.puts "context: (#{buffer.length}) (OID: #{actual_mech.oid.length}, #{actual_mech.oid.to_hex})"
+      call_and_assert :gss_release_buffer, buffer
+    ensure
+      minor_status = API::OM_uint32Ref.malloc
+      API.gss_delete_sec_context minor_status, context, nil
+      if buffer.value.nil?
+        assert_equal 0, context.handle.to_i, "Should delete the security context"
+      end
+    end
+  end
+
+private
+  
+  def call_and_assert(sym, *args)
+    minor_status = API::OM_uint32Ref.malloc
+    result = API.send sym, minor_status, *args
+    assert_equal 0, (result & 0xffff0000), "#{sym} failed: 0x#{result.to_s(16)}"
+    assert_equal 0, minor_status.value, "#{sym} failed: minor status 0x#{minor_status.value.to_s(16)}"
+    result
+  end
+end
+

data/test/sspi_context_test.rb

@@ -1,7 +1,5 @@
 require File.join(File.dirname(__FILE__), 'test_helper.rb')
 
-include Win32::SSPI
-
 class SspiContextTest < Test::Unit::TestCase
 
 if defined? Net::SSH::Kerberos::SSPI::Context
@@ -21,6 +19,8 @@ if defined? Net::SSH::Kerberos::SSPI::Context
 
 else
   $stderr.puts "Skipping SSPI tests on this platform: Windows SSPI was not loaded."
+
+  def test_nothing; assert true end
 end
 
 end

data/test/sspi_test.rb

@@ -1,11 +1,11 @@
 require File.join(File.dirname(__FILE__), 'test_helper.rb')
 
-include Win32::SSPI
-
 class SspiTest < Test::Unit::TestCase
 
 if defined? Net::SSH::Kerberos::SSPI::Context
 
+include Win32::SSPI
+
   def test_query_security_package_info
     pkg_info = SecPkgInfo.new
     result = API::QuerySecurityPackageInfo "Kerberos", pkg_info
@@ -64,6 +64,8 @@ if defined? Net::SSH::Kerberos::SSPI::Context
   end
 else
   $stderr.puts "Skipping SSPI tests on this platform: Windows SSPI was not loaded."
+
+  def test_nothing; assert true end
 end
 
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification 
 name: net-ssh-kerberos
 version: !ruby/object:Gem::Version 
-  version: 0.1.2
+  version: 0.1.3
 platform: ruby
 authors: 
 - Joe Khoobyar
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2009-10-13 00:00:00 -04:00
+date: 2009-10-16 00:00:00 -04:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -50,6 +50,7 @@ files:
 - VERSION.yml
 - lib/net/ssh/authentication/methods/gssapi_with_mic.rb
 - lib/net/ssh/kerberos.rb
+- lib/net/ssh/kerberos/common/context.rb
 - lib/net/ssh/kerberos/constants.rb
 - lib/net/ssh/kerberos/gss.rb
 - lib/net/ssh/kerberos/gss/api.rb
@@ -60,6 +61,8 @@ files:
 - lib/net/ssh/kerberos/sspi.rb
 - lib/net/ssh/kerberos/sspi/api.rb
 - lib/net/ssh/kerberos/sspi/context.rb
+- test/gss_context_test.rb
+- test/gss_test.rb
 - test/net_ssh_kerberos_test.rb
 - test/sspi_context_test.rb
 - test/sspi_test.rb
@@ -93,6 +96,8 @@ signing_key:
 specification_version: 3
 summary: Add Kerberos support to Net::SSH
 test_files: 
+- test/gss_context_test.rb
+- test/gss_test.rb
 - test/net_ssh_kerberos_test.rb
 - test/sspi_context_test.rb
 - test/sspi_test.rb