net-ssh-krb 0.3.0

data/.gitignore

@@ -0,0 +1,9 @@
+*.sw?
+.buildpath
+.project
+.DS_Store
+coverage
+doc
+rdoc
+pkg
+Capfile

data/Gemfile

@@ -0,0 +1,5 @@
+source 'http://rubygems.org'
+
+gemspec
+
+gem 'gssapi'

data/Gemfile.lock

@@ -0,0 +1,31 @@
+PATH
+  remote: .
+  specs:
+    net-ssh-krb (0.2.7)
+      gssapi (~> 1.1.2)
+      net-ssh (>= 2.0)
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    diff-lcs (1.2.2)
+    ffi (1.6.0)
+    gssapi (1.1.2)
+      ffi (>= 1.0.1)
+    net-ssh (2.6.6)
+    rspec (2.13.0)
+      rspec-core (~> 2.13.0)
+      rspec-expectations (~> 2.13.0)
+      rspec-mocks (~> 2.13.0)
+    rspec-core (2.13.1)
+    rspec-expectations (2.13.0)
+      diff-lcs (>= 1.1.3, < 2.0)
+    rspec-mocks (2.13.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  gssapi
+  net-ssh-krb!
+  rspec

data/LICENSE

@@ -0,0 +1,339 @@
+		    GNU GENERAL PUBLIC LICENSE
+		       Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+			    Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.  This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it.  (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.)  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+  To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have.  You must make sure that they, too, receive or can get the
+source code.  And you must show them these terms so they know their
+rights.
+
+  We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+  Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software.  If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+  Finally, any free program is threatened constantly by software
+patents.  We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary.  To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+		    GNU GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License.  The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language.  (Hereinafter, translation is included without limitation in
+the term "modification".)  Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+  1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+  2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any
+    part thereof, to be licensed as a whole at no charge to all third
+    parties under the terms of this License.
+
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a
+    notice that there is no warranty (or else, saying that you provide
+    a warranty) and that users may redistribute the program under
+    these conditions, and telling the user how to view a copy of this
+    License.  (Exception: if the Program itself is interactive but
+    does not normally print such an announcement, your work based on
+    the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections
+    1 and 2 above on a medium customarily used for software interchange; or,
+
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your
+    cost of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+
+    c) Accompany it with the information you received as to the offer
+    to distribute corresponding source code.  (This alternative is
+    allowed only for noncommercial distribution and only if you
+    received the program in object code or executable form with such
+    an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it.  For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.  However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License.  Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+  5. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Program or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+  6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+  7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+  9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation.  If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+  10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission.  For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this.  Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+			    NO WARRANTY
+
+  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+		     END OF TERMS AND CONDITIONS
+
+	    How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License along
+    with this program; if not, write to the Free Software Foundation, Inc.,
+    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+    Gnomovision version 69, Copyright (C) year name of author
+    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+  `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+  <signature of Ty Coon>, 1 April 1989
+  Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs.  If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.

data/README.md

@@ -0,0 +1,30 @@
+# net-ssh-kerberos
+
+Add Kerberos (password-less) authentication capabilities to Net::SSH, without the need for modifying Net::SSH source code.
+
+This is a great way to help get Capistrano to be accepted in mid-to-large size enterprises with strict security rules.
+
+No more getting locked out of the network because you mis-typed your password - even if your company prohibits
+public key or host-based authentication.  If your organization uses Kerberos (many mid-to-large size corporations do),
+you can use this package to get password-less authentication without breaking your company's security guidelines.
+
+## How to use with Capistrano
+
+Add the following lines to the top of your Capfile (the relevant :auth_method is "gssapi-with-mic")
+
+```
+  require 'net/ssh/kerberos'
+  set :ssh_options, { :auth_methods => %w(gssapi-with-mic publickey hostbased password keyboard-interactive) }
+```
+
+## Contributors
+
+- Joe Khoobyar    http://github.com/joekhoobyar
+- Joshua Ballanco http://github.com/jballanc
+- Liu Lantao      http://github.com/Lax
+- Chris Beer	  http://github.com/cbeer
+- Linda Julien    http://github.com/ljulien
+
+## Copyright
+
+Copyright (c) 2009-2011 Joe Khoobyar. See LICENSE for details.

data/Rakefile

@@ -0,0 +1,2 @@
+require 'rubygems'
+require "bundler/gem_tasks"

data/example/gss.rb

@@ -0,0 +1,91 @@
+require 'socket'
+require 'rubygems'
+gem 'net-ssh'
+$:.unshift File.join(File.dirname(__FILE__), '..', 'lib')
+require 'net/ssh'
+require 'net/ssh/errors'
+require 'net/ssh/kerberos'
+
+unless Net::SSH::Kerberos::Drivers.available.include? 'GSS'
+  $stderr.puts "No drivers supporting GSSAPI could be loaded."
+  exit 1
+end
+
+include Net::SSH::Kerberos::Drivers::GSS
+include Net::SSH::Kerberos::Constants
+
+result = API.gss_acquire_cred nil, 60, nil, GSS_C_INITIATE, nil, nil, 0
+if result.ok?
+  creds = API._args_[4]
+  $stderr.puts "gss_acquire_cred: (#{result}) => #{creds.to_i}"
+  begin
+    result = API.gss_inquire_cred creds, nil, 0, 0, nil
+    if result.ok?
+      name, oids = API._args_[1], API._args_[4]
+      $stderr.puts "gss_inquire_cred: (#{result}) #{oids.inspect}"
+      begin
+        result = API.gss_display_name name, buffer=API::GssBuffer.malloc, nil
+        if result.ok?
+          oid = API._args_[2]
+          $stderr.puts "gss_display_name: (#{result}) #{buffer} #{oid.inspect}"
+          result = API.gss_release_buffer buffer
+          $stderr.puts "gss_release_buffer: (#{result})"
+        else
+          $stderr.puts "gss_display_name failed : (#{result})"
+        end
+      ensure
+        result = API.gss_release_oid_set oids
+        $stderr.puts "gss_release_oid_set: (#{result})"
+        result = API.gss_release_name name
+        $stderr.puts "gss_release_name: (#{result})"
+      end
+    else
+      $stderr.puts "gss_inquire_cred failed: (#{result})"
+    end
+
+
+    target_name = 'host@'+Socket.gethostbyname(`hostname || echo "localhost"`.strip)[0]
+    buffer = API::GssBuffer.malloc
+    buffer.value = target_name
+    buffer.length = target_name.length
+    API.gss_import_name buffer, GSS_C_NT_HOSTBASED_SERVICE, nil
+    if result.ok?
+      target = API._args_[2]
+      $stderr.puts "gss_import_name: (#{result}) #{target.to_i}"
+      begin
+        result = API.gss_display_name target, buffer, nil
+        if result.ok?
+          oid = API._args_[2]
+          $stderr.puts "gss_display_name: (#{result}) #{buffer} #{oid.inspect}"
+          result = API.gss_release_buffer buffer
+          $stderr.puts "gss_release_buffer: (#{result})"
+        else
+          $stderr.puts "gss_display_name failed : (#{result})"
+        end
+        result = API.gss_init_sec_context creds, GSS_C_NO_CONTEXT, target, GSS_C_KRB5,
+                                          GSS_C_DELEG_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG, 60,
+                                          GSS_C_NO_CHANNEL_BINDINGS, GSS_C_NO_BUFFER, nil, buffer, 0, 0
+        if result.ok?
+          context, actual_mech = API._args_[1], API._args_[8]
+          $stderr.puts "gss_init_sec_context: (#{result}) token.length=#{buffer.length}, #{actual_mech.inspect}"
+          result = API.gss_release_buffer buffer
+          $stderr.puts "gss_release_buffer: (#{result})"
+          result = API.gss_delete_sec_context context, nil
+          $stderr.puts "gss_delete_sec_context: (#{result})"
+        else
+          $stderr.puts "gss_init_sec_context failed : (#{result})"
+        end
+      ensure
+        result = API.gss_release_name target
+        $stderr.puts "gss_release_name: (#{result})"
+      end
+    else
+      $stderr.puts "gss_import_name failed: (#{result})"
+    end
+  ensure
+    result = API.gss_release_cred creds
+    $stderr.puts "gss_release_cred: (#{result})"
+  end
+else
+  $stderr.puts "gss_acquire_cred failed: (#{result})"
+end

data/example/sspi.rb

@@ -0,0 +1,67 @@
+#$DEBUG = 1
+
+require 'socket'
+require 'rubygems'
+gem 'net-ssh'
+$:.unshift File.join(File.dirname(__FILE__), '..', 'lib')
+require 'net/ssh'
+require 'net/ssh/errors'
+require 'net/ssh/kerberos'
+
+unless Net::SSH::Kerberos::Drivers.available.include? 'SSPI'
+  $stderr.puts "No drivers supporting SSPI could be loaded."
+  exit 1
+end
+
+include Net::SSH::Kerberos::Drivers::SSPI
+include Net::SSH::Kerberos::Constants
+
+result = API.querySecurityPackageInfo "Kerberos", nil
+if result.ok?
+  pkg_info = API._args_[1]
+  $stderr.puts "querySecurityPackageInfo: (#{result}) #{pkg_info.comment} (max_token=#{pkg_info.max_token})"
+  @max_token = pkg_info.max_token
+  result = API.freeContextBuffer pkg_info.to_ptr
+  $stderr.puts "freeContextBuffer: (#{result})"
+else
+  $stderr.puts "querySecurityPackageInfo: (#{result})"
+end
+
+result = API.acquireCredentialsHandle nil, "Kerberos", SECPKG_CRED_OUTBOUND, nil, nil, nil, nil,
+                                      creds=API::SecHandle.malloc, ts=API::TimeStamp.malloc
+if result.ok?
+  $stderr.puts "acquireCredentialsHandle: (#{result})"
+  begin
+    result = API.queryCredentialsAttributes creds, SECPKG_ATTR_NAMES, nil
+    if result.ok?
+      names = API._args_[2]
+      $stderr.puts "queryCredentialsAttributes: (#{result}) #{names.to_s}"
+      result = API.freeContextBuffer names
+      $stderr.puts "freeContextBuffer: (#{result})"
+
+      output = API::SecBufferDesc.create @max_token
+      if $DEBUG
+        $stderr.puts "SecBufferDesc.create: #{output.inspect} => #{output.buffer(0).inspect} => #{output.buffer(0).data.inspect}"
+      end
+      result = API.initializeSecurityContext creds, nil, 'host/'+Socket.gethostbyname('localhost')[0], 
+                                             ISC_REQ_DELEGATE | ISC_REQ_MUTUAL_AUTH | ISC_REQ_INTEGRITY, 0, SECURITY_NATIVE_DREP,
+                                             nil, 0, ctx=API::SecHandle.malloc, output, 0, ts=API::TimeStamp.malloc
+      if result.ok?
+        $stderr.puts "initializeSecurityContext: (#{result}) ctx=#{! ctx.nil?} token.length=#{output.buffer(0).length}"
+        result = API.deleteSecurityContext ctx
+        $stderr.puts "deleteSecurityContext: (#{result})"
+      else
+        $stderr.puts "initializeSecurityContext: (#{result})"
+      end
+    else
+      $stderr.puts "queryCredentialsAttributes: (#{result})"
+    end
+  ensure
+    result = API.freeCredentialsHandle creds
+    $stderr.puts "freeCredentialsHandle : (#{result})"
+  end
+else
+  $stderr.puts "acquireCredentialsHandle: (#{result})"
+end
+
+

data/lib/net/ssh/authentication/methods/gssapi_with_mic.rb

@@ -0,0 +1,107 @@
+require 'net/ssh/authentication/methods/abstract'
+require 'net/ssh/kerberos/constants'
+require 'gssapi'
+
+module Net
+  module SSH
+    module Authentication
+      module Methods
+
+        # Implements the Kerberos 5 SSH authentication method.
+        class GssapiWithMic < Abstract
+          include Net::SSH::Kerberos::Constants
+          
+          # Attempts to perform gssapi-with-mic Kerberos authentication
+          def authenticate(next_service, username, password=nil)
+              gss = nil
+            
+            # Try to start gssapi-with-mic authentication.
+	          debug { "trying kerberos authentication" }
+	          req = userauth_request(username, next_service, "gssapi-with-mic")
+	          req.write_long(1)
+	          req.write_string(supported_oid = 6.chr + GSS_KRB5_MECH.length.chr + GSS_KRB5_MECH)
+	          send_message req
+	          message = session.next_message
+	          case message.type
+	            when USERAUTH_GSSAPI_RESPONSE
+	              debug { "gssapi-with-mic proceeding" }
+	            when USERAUTH_FAILURE
+	              info { "gssapi-with-mic failed (USERAUTH_FAILURE)" }
+	              return false
+	            else
+	              raise Net::SSH::Exception, "unexpected server response to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
+	          end
+	          
+	          # Try to match the OID.
+	          oid = message.read_string
+	          if oid != supported_oid
+              info { "gssapi-with-mic failed (USERAUTH_GSSAPI_RESPONSE)" }
+              return false
+	          end
+	          
+	          # Try to complete the handshake.
+	          gss = GSSAPI::Simple.new hostname
+
+              established = false
+			      debug { "gssapi-with-mic handshaking" }
+	          until established
+	            # :delegate => true always forwards tickets.  This may or may not be a good idea, and should really be a user-specified option.
+	            token = gss.init_context(token, :delegate => true)
+	            break if token === true
+	            if token && token.length > 0
+					      send_message Net::SSH::Buffer.from(:byte, USERAUTH_GSSAPI_TOKEN, :string, token)
+	            
+	                message = session.next_message
+				          case message.type
+				          when USERAUTH_GSSAPI_ERROR
+			              message = session.next_message
+			              message.get_long
+			              message.get_long
+				            info { "gssapi-with-mic error (USERAUTH_GSSAPI_ERROR) (#{message.read_string})" }
+				          when USERAUTH_GSSAPI_ERRTOK
+			              message = session.next_message
+				            info { "gssapi-with-mic error (USERAUTH_GSSAPI_ERRTOK) (#{message.read_string})" }
+				          when USERAUTH_FAILURE
+				            info { "gssapi-with-mic failed (USERAUTH_FAILURE)" }
+				            return false
+				          end
+	                token = message.read_string
+	              
+	            end
+	          end
+	          
+	          # Attempt the actual authentication.
+			      debug { "gssapi-with-mic authenticating" }
+					  mic = gss.get_mic Net::SSH::Buffer.from(:string, session_id, :byte, USERAUTH_REQUEST, :string, username, 
+				                                             :string, next_service, :string, "gssapi-with-mic").to_s
+            if mic.nil?
+              info { "gssapi-with-mic failed (context#get_mic)" }
+              return false
+            end
+			      send_message Net::SSH::Buffer.from(:byte, USERAUTH_GSSAPI_MIC, :string, mic)
+            message = session.next_message
+	          case message.type
+	            when USERAUTH_SUCCESS
+	              info { "gssapi-with-mic success" }
+	              return true
+	            when USERAUTH_FAILURE
+	              info { "gssapi-with-mic partial failure (USERAUTH_FAILURE)" }
+	              return false
+	            else
+	              raise Net::SSH::Exception, "unexpected server response to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
+	          end
+          end
+
+          private
+
+            # Returns the hostname as reported by the underlying socket.
+            def hostname
+              session.transport.host
+            end
+
+        end
+
+      end
+    end
+  end
+end

data/lib/net/ssh/kerberos.rb

@@ -0,0 +1,7 @@
+require 'net/ssh'
+require 'net/ssh/errors'
+
+module Net; module SSH; module Kerberos
+end; end; end
+
+require 'net/ssh/authentication/methods/gssapi_with_mic'

data/lib/net/ssh/kerberos/constants.rb

@@ -0,0 +1,26 @@
+module Net; module SSH; module Kerberos
+  module Constants
+
+    # GSSAPI Key exchange method specific messages
+    KEXGSS_INIT                       = 30
+    KEXGSS_CONTINUE                   = 31
+    KEXGSS_COMPLETE                   = 32
+    KEXGSS_HOSTKEY                    = 33
+    KEXGSS_ERROR                      = 34
+    KEXGSS_GROUPREQ                   = 40
+    KEXGSS_GROUP                      = 41
+
+    # GSSAPI User authentication method specific messages
+    USERAUTH_GSSAPI_RESPONSE          = 60
+    USERAUTH_GSSAPI_TOKEN             = 61
+    USERAUTH_GSSAPI_EXCHANGE_COMPLETE = 63
+    USERAUTH_GSSAPI_ERROR             = 64
+    USERAUTH_GSSAPI_ERRTOK            = 65
+    USERAUTH_GSSAPI_MIC               = 66
+    
+    # GSSAPI constant OID(s)
+	  GSS_KRB5_MECH = "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"
+	  GSS_KRB5_MECH_USER2USER = "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x03"
+  end
+end; end; end
+

data/net-ssh-kerberos.gemspec

@@ -0,0 +1,23 @@
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = %q{net-ssh-krb}
+  s.version = "0.3.0"
+  s.authors = ["Joe Khoobyar", "Chris Beer"]
+  s.description = %q{Extends Net::SSH by adding Kerberos authentication capability for password-less logins on multiple platforms.
+}
+  s.email = %q{joe@ankhcraft.com cabeer@stanford.edu}
+  s.extra_rdoc_files = [
+    "LICENSE",
+    "README.md"
+  ]
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.homepage = %q{http://github.com/cbeer/net-ssh-kerberos}
+  s.summary = %q{Add Kerberos support to Net::SSH}
+
+  s.add_dependency 'net-ssh', '>= 2.0'
+  s.add_dependency 'gssapi', '~> 1.1.2'
+  s.add_development_dependency 'rspec'
+end
+

data/spec/integration_spec.rb

@@ -0,0 +1,7 @@
+require 'spec_helper'
+require 'net/ssh'
+describe "run commands on a kerberized server" do
+  it "it should work" do
+    Net::SSH.start(ENV['KERBEROS_TEST_HOST'], ENV['USER'], :auth_methods => ["gssapi-with-mic", "publickey"]).exec!("whoami").strip.should == ENV['USER']
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,17 @@
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+
+require 'bundler/setup'
+require 'rspec'
+require 'rspec/autorun'
+
+ruby_engine = defined?(RUBY_ENGINE) ? RUBY_ENGINE : "ruby"
+if ENV['COVERAGE'] and RUBY_VERSION =~ /^1.9/ and ruby_engine != "jruby"
+  require 'simplecov'
+  SimpleCov.start
+end
+
+require 'net/ssh/kerberos'
+
+RSpec.configure do |config|
+end

metadata

@@ -0,0 +1,116 @@
+--- !ruby/object:Gem::Specification
+name: net-ssh-krb
+version: !ruby/object:Gem::Version
+  version: 0.3.0
+  prerelease: 
+platform: ruby
+authors:
+- Joe Khoobyar
+- Chris Beer
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-04-01 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: net-ssh
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: gssapi
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.1.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.1.2
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: ! 'Extends Net::SSH by adding Kerberos authentication capability for
+  password-less logins on multiple platforms.
+
+'
+email: joe@ankhcraft.com cabeer@stanford.edu
+executables: []
+extensions: []
+extra_rdoc_files:
+- LICENSE
+- README.md
+files:
+- .gitignore
+- Gemfile
+- Gemfile.lock
+- LICENSE
+- README.md
+- Rakefile
+- example/Capfile
+- example/gss.rb
+- example/sspi.rb
+- lib/net/ssh/authentication/methods/gssapi_with_mic.rb
+- lib/net/ssh/kerberos.rb
+- lib/net/ssh/kerberos/constants.rb
+- net-ssh-kerberos.gemspec
+- spec/integration_spec.rb
+- spec/spec_helper.rb
+homepage: http://github.com/cbeer/net-ssh-kerberos
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.23
+signing_key: 
+specification_version: 3
+summary: Add Kerberos support to Net::SSH
+test_files:
+- spec/integration_spec.rb
+- spec/spec_helper.rb
+has_rdoc: