net-ssh-krb 0.3.0

@@ -0,0 +1,9 @@
1
+ *.sw?
2
+ .buildpath
3
+ .project
4
+ .DS_Store
5
+ coverage
6
+ doc
7
+ rdoc
8
+ pkg
9
+ Capfile
data/Gemfile ADDED
@@ -0,0 +1,5 @@
1
+ source 'http://rubygems.org'
2
+
3
+ gemspec
4
+
5
+ gem 'gssapi'
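Review bot: `source 'http://rubygems.org'` fetches gems over plain HTTP, so the dependency set (including the gssapi binding this gem's authentication relies on) can be altered in transit; use `source 'https://rubygems.org'`. The explicit `gem 'gssapi'` line is also redundant with the `gemspec` line, since the gemspec already declares `gssapi '~> 1.1.2'`, and an unpinned duplicate can resolve to a different version than the one the gemspec pins.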
@@ -0,0 +1,31 @@
1
+ PATH
2
+ remote: .
3
+ specs:
4
+ net-ssh-krb (0.2.7)
5
+ gssapi (~> 1.1.2)
6
+ net-ssh (>= 2.0)
7
+
8
+ GEM
9
+ remote: http://rubygems.org/
10
+ specs:
11
+ diff-lcs (1.2.2)
12
+ ffi (1.6.0)
13
+ gssapi (1.1.2)
14
+ ffi (>= 1.0.1)
15
+ net-ssh (2.6.6)
16
+ rspec (2.13.0)
17
+ rspec-core (~> 2.13.0)
18
+ rspec-expectations (~> 2.13.0)
19
+ rspec-mocks (~> 2.13.0)
20
+ rspec-core (2.13.1)
21
+ rspec-expectations (2.13.0)
22
+ diff-lcs (>= 1.1.3, < 2.0)
23
+ rspec-mocks (2.13.0)
24
+
25
+ PLATFORMS
26
+ ruby
27
+
28
+ DEPENDENCIES
29
+ gssapi
30
+ net-ssh-krb!
31
+ rspec
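Review bot: the lockfile is stale relative to the gemspec in this same change: the PATH section records `net-ssh-krb (0.2.7)` while the gemspec sets `s.version = "0.3.0"`, so `bundle install` will rewrite it on first use; regenerate and commit it with the release. The `remote: http://rubygems.org/` entry has the same plain-HTTP problem as the Gemfile and should become `https://rubygems.org/`.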
data/LICENSE ADDED
@@ -0,0 +1,339 @@
1
+ GNU GENERAL PUBLIC LICENSE
2
+ Version 2, June 1991
3
+
4
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
5
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
6
+ Everyone is permitted to copy and distribute verbatim copies
7
+ of this license document, but changing it is not allowed.
8
+
9
+ Preamble
10
+
11
+ The licenses for most software are designed to take away your
12
+ freedom to share and change it. By contrast, the GNU General Public
13
+ License is intended to guarantee your freedom to share and change free
14
+ software--to make sure the software is free for all its users. This
15
+ General Public License applies to most of the Free Software
16
+ Foundation's software and to any other program whose authors commit to
17
+ using it. (Some other Free Software Foundation software is covered by
18
+ the GNU Lesser General Public License instead.) You can apply it to
19
+ your programs, too.
20
+
21
+ When we speak of free software, we are referring to freedom, not
22
+ price. Our General Public Licenses are designed to make sure that you
23
+ have the freedom to distribute copies of free software (and charge for
24
+ this service if you wish), that you receive source code or can get it
25
+ if you want it, that you can change the software or use pieces of it
26
+ in new free programs; and that you know you can do these things.
27
+
28
+ To protect your rights, we need to make restrictions that forbid
29
+ anyone to deny you these rights or to ask you to surrender the rights.
30
+ These restrictions translate to certain responsibilities for you if you
31
+ distribute copies of the software, or if you modify it.
32
+
33
+ For example, if you distribute copies of such a program, whether
34
+ gratis or for a fee, you must give the recipients all the rights that
35
+ you have. You must make sure that they, too, receive or can get the
36
+ source code. And you must show them these terms so they know their
37
+ rights.
38
+
39
+ We protect your rights with two steps: (1) copyright the software, and
40
+ (2) offer you this license which gives you legal permission to copy,
41
+ distribute and/or modify the software.
42
+
43
+ Also, for each author's protection and ours, we want to make certain
44
+ that everyone understands that there is no warranty for this free
45
+ software. If the software is modified by someone else and passed on, we
46
+ want its recipients to know that what they have is not the original, so
47
+ that any problems introduced by others will not reflect on the original
48
+ authors' reputations.
49
+
50
+ Finally, any free program is threatened constantly by software
51
+ patents. We wish to avoid the danger that redistributors of a free
52
+ program will individually obtain patent licenses, in effect making the
53
+ program proprietary. To prevent this, we have made it clear that any
54
+ patent must be licensed for everyone's free use or not licensed at all.
55
+
56
+ The precise terms and conditions for copying, distribution and
57
+ modification follow.
58
+
59
+ GNU GENERAL PUBLIC LICENSE
60
+ TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
61
+
62
+ 0. This License applies to any program or other work which contains
63
+ a notice placed by the copyright holder saying it may be distributed
64
+ under the terms of this General Public License. The "Program", below,
65
+ refers to any such program or work, and a "work based on the Program"
66
+ means either the Program or any derivative work under copyright law:
67
+ that is to say, a work containing the Program or a portion of it,
68
+ either verbatim or with modifications and/or translated into another
69
+ language. (Hereinafter, translation is included without limitation in
70
+ the term "modification".) Each licensee is addressed as "you".
71
+
72
+ Activities other than copying, distribution and modification are not
73
+ covered by this License; they are outside its scope. The act of
74
+ running the Program is not restricted, and the output from the Program
75
+ is covered only if its contents constitute a work based on the
76
+ Program (independent of having been made by running the Program).
77
+ Whether that is true depends on what the Program does.
78
+
79
+ 1. You may copy and distribute verbatim copies of the Program's
80
+ source code as you receive it, in any medium, provided that you
81
+ conspicuously and appropriately publish on each copy an appropriate
82
+ copyright notice and disclaimer of warranty; keep intact all the
83
+ notices that refer to this License and to the absence of any warranty;
84
+ and give any other recipients of the Program a copy of this License
85
+ along with the Program.
86
+
87
+ You may charge a fee for the physical act of transferring a copy, and
88
+ you may at your option offer warranty protection in exchange for a fee.
89
+
90
+ 2. You may modify your copy or copies of the Program or any portion
91
+ of it, thus forming a work based on the Program, and copy and
92
+ distribute such modifications or work under the terms of Section 1
93
+ above, provided that you also meet all of these conditions:
94
+
95
+ a) You must cause the modified files to carry prominent notices
96
+ stating that you changed the files and the date of any change.
97
+
98
+ b) You must cause any work that you distribute or publish, that in
99
+ whole or in part contains or is derived from the Program or any
100
+ part thereof, to be licensed as a whole at no charge to all third
101
+ parties under the terms of this License.
102
+
103
+ c) If the modified program normally reads commands interactively
104
+ when run, you must cause it, when started running for such
105
+ interactive use in the most ordinary way, to print or display an
106
+ announcement including an appropriate copyright notice and a
107
+ notice that there is no warranty (or else, saying that you provide
108
+ a warranty) and that users may redistribute the program under
109
+ these conditions, and telling the user how to view a copy of this
110
+ License. (Exception: if the Program itself is interactive but
111
+ does not normally print such an announcement, your work based on
112
+ the Program is not required to print an announcement.)
113
+
114
+ These requirements apply to the modified work as a whole. If
115
+ identifiable sections of that work are not derived from the Program,
116
+ and can be reasonably considered independent and separate works in
117
+ themselves, then this License, and its terms, do not apply to those
118
+ sections when you distribute them as separate works. But when you
119
+ distribute the same sections as part of a whole which is a work based
120
+ on the Program, the distribution of the whole must be on the terms of
121
+ this License, whose permissions for other licensees extend to the
122
+ entire whole, and thus to each and every part regardless of who wrote it.
123
+
124
+ Thus, it is not the intent of this section to claim rights or contest
125
+ your rights to work written entirely by you; rather, the intent is to
126
+ exercise the right to control the distribution of derivative or
127
+ collective works based on the Program.
128
+
129
+ In addition, mere aggregation of another work not based on the Program
130
+ with the Program (or with a work based on the Program) on a volume of
131
+ a storage or distribution medium does not bring the other work under
132
+ the scope of this License.
133
+
134
+ 3. You may copy and distribute the Program (or a work based on it,
135
+ under Section 2) in object code or executable form under the terms of
136
+ Sections 1 and 2 above provided that you also do one of the following:
137
+
138
+ a) Accompany it with the complete corresponding machine-readable
139
+ source code, which must be distributed under the terms of Sections
140
+ 1 and 2 above on a medium customarily used for software interchange; or,
141
+
142
+ b) Accompany it with a written offer, valid for at least three
143
+ years, to give any third party, for a charge no more than your
144
+ cost of physically performing source distribution, a complete
145
+ machine-readable copy of the corresponding source code, to be
146
+ distributed under the terms of Sections 1 and 2 above on a medium
147
+ customarily used for software interchange; or,
148
+
149
+ c) Accompany it with the information you received as to the offer
150
+ to distribute corresponding source code. (This alternative is
151
+ allowed only for noncommercial distribution and only if you
152
+ received the program in object code or executable form with such
153
+ an offer, in accord with Subsection b above.)
154
+
155
+ The source code for a work means the preferred form of the work for
156
+ making modifications to it. For an executable work, complete source
157
+ code means all the source code for all modules it contains, plus any
158
+ associated interface definition files, plus the scripts used to
159
+ control compilation and installation of the executable. However, as a
160
+ special exception, the source code distributed need not include
161
+ anything that is normally distributed (in either source or binary
162
+ form) with the major components (compiler, kernel, and so on) of the
163
+ operating system on which the executable runs, unless that component
164
+ itself accompanies the executable.
165
+
166
+ If distribution of executable or object code is made by offering
167
+ access to copy from a designated place, then offering equivalent
168
+ access to copy the source code from the same place counts as
169
+ distribution of the source code, even though third parties are not
170
+ compelled to copy the source along with the object code.
171
+
172
+ 4. You may not copy, modify, sublicense, or distribute the Program
173
+ except as expressly provided under this License. Any attempt
174
+ otherwise to copy, modify, sublicense or distribute the Program is
175
+ void, and will automatically terminate your rights under this License.
176
+ However, parties who have received copies, or rights, from you under
177
+ this License will not have their licenses terminated so long as such
178
+ parties remain in full compliance.
179
+
180
+ 5. You are not required to accept this License, since you have not
181
+ signed it. However, nothing else grants you permission to modify or
182
+ distribute the Program or its derivative works. These actions are
183
+ prohibited by law if you do not accept this License. Therefore, by
184
+ modifying or distributing the Program (or any work based on the
185
+ Program), you indicate your acceptance of this License to do so, and
186
+ all its terms and conditions for copying, distributing or modifying
187
+ the Program or works based on it.
188
+
189
+ 6. Each time you redistribute the Program (or any work based on the
190
+ Program), the recipient automatically receives a license from the
191
+ original licensor to copy, distribute or modify the Program subject to
192
+ these terms and conditions. You may not impose any further
193
+ restrictions on the recipients' exercise of the rights granted herein.
194
+ You are not responsible for enforcing compliance by third parties to
195
+ this License.
196
+
197
+ 7. If, as a consequence of a court judgment or allegation of patent
198
+ infringement or for any other reason (not limited to patent issues),
199
+ conditions are imposed on you (whether by court order, agreement or
200
+ otherwise) that contradict the conditions of this License, they do not
201
+ excuse you from the conditions of this License. If you cannot
202
+ distribute so as to satisfy simultaneously your obligations under this
203
+ License and any other pertinent obligations, then as a consequence you
204
+ may not distribute the Program at all. For example, if a patent
205
+ license would not permit royalty-free redistribution of the Program by
206
+ all those who receive copies directly or indirectly through you, then
207
+ the only way you could satisfy both it and this License would be to
208
+ refrain entirely from distribution of the Program.
209
+
210
+ If any portion of this section is held invalid or unenforceable under
211
+ any particular circumstance, the balance of the section is intended to
212
+ apply and the section as a whole is intended to apply in other
213
+ circumstances.
214
+
215
+ It is not the purpose of this section to induce you to infringe any
216
+ patents or other property right claims or to contest validity of any
217
+ such claims; this section has the sole purpose of protecting the
218
+ integrity of the free software distribution system, which is
219
+ implemented by public license practices. Many people have made
220
+ generous contributions to the wide range of software distributed
221
+ through that system in reliance on consistent application of that
222
+ system; it is up to the author/donor to decide if he or she is willing
223
+ to distribute software through any other system and a licensee cannot
224
+ impose that choice.
225
+
226
+ This section is intended to make thoroughly clear what is believed to
227
+ be a consequence of the rest of this License.
228
+
229
+ 8. If the distribution and/or use of the Program is restricted in
230
+ certain countries either by patents or by copyrighted interfaces, the
231
+ original copyright holder who places the Program under this License
232
+ may add an explicit geographical distribution limitation excluding
233
+ those countries, so that distribution is permitted only in or among
234
+ countries not thus excluded. In such case, this License incorporates
235
+ the limitation as if written in the body of this License.
236
+
237
+ 9. The Free Software Foundation may publish revised and/or new versions
238
+ of the General Public License from time to time. Such new versions will
239
+ be similar in spirit to the present version, but may differ in detail to
240
+ address new problems or concerns.
241
+
242
+ Each version is given a distinguishing version number. If the Program
243
+ specifies a version number of this License which applies to it and "any
244
+ later version", you have the option of following the terms and conditions
245
+ either of that version or of any later version published by the Free
246
+ Software Foundation. If the Program does not specify a version number of
247
+ this License, you may choose any version ever published by the Free Software
248
+ Foundation.
249
+
250
+ 10. If you wish to incorporate parts of the Program into other free
251
+ programs whose distribution conditions are different, write to the author
252
+ to ask for permission. For software which is copyrighted by the Free
253
+ Software Foundation, write to the Free Software Foundation; we sometimes
254
+ make exceptions for this. Our decision will be guided by the two goals
255
+ of preserving the free status of all derivatives of our free software and
256
+ of promoting the sharing and reuse of software generally.
257
+
258
+ NO WARRANTY
259
+
260
+ 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
261
+ FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
262
+ OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
263
+ PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
264
+ OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
265
+ MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
266
+ TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
267
+ PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
268
+ REPAIR OR CORRECTION.
269
+
270
+ 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
271
+ WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
272
+ REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
273
+ INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
274
+ OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
275
+ TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
276
+ YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
277
+ PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
278
+ POSSIBILITY OF SUCH DAMAGES.
279
+
280
+ END OF TERMS AND CONDITIONS
281
+
282
+ How to Apply These Terms to Your New Programs
283
+
284
+ If you develop a new program, and you want it to be of the greatest
285
+ possible use to the public, the best way to achieve this is to make it
286
+ free software which everyone can redistribute and change under these terms.
287
+
288
+ To do so, attach the following notices to the program. It is safest
289
+ to attach them to the start of each source file to most effectively
290
+ convey the exclusion of warranty; and each file should have at least
291
+ the "copyright" line and a pointer to where the full notice is found.
292
+
293
+ <one line to give the program's name and a brief idea of what it does.>
294
+ Copyright (C) <year> <name of author>
295
+
296
+ This program is free software; you can redistribute it and/or modify
297
+ it under the terms of the GNU General Public License as published by
298
+ the Free Software Foundation; either version 2 of the License, or
299
+ (at your option) any later version.
300
+
301
+ This program is distributed in the hope that it will be useful,
302
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
303
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
304
+ GNU General Public License for more details.
305
+
306
+ You should have received a copy of the GNU General Public License along
307
+ with this program; if not, write to the Free Software Foundation, Inc.,
308
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
309
+
310
+ Also add information on how to contact you by electronic and paper mail.
311
+
312
+ If the program is interactive, make it output a short notice like this
313
+ when it starts in an interactive mode:
314
+
315
+ Gnomovision version 69, Copyright (C) year name of author
316
+ Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
317
+ This is free software, and you are welcome to redistribute it
318
+ under certain conditions; type `show c' for details.
319
+
320
+ The hypothetical commands `show w' and `show c' should show the appropriate
321
+ parts of the General Public License. Of course, the commands you use may
322
+ be called something other than `show w' and `show c'; they could even be
323
+ mouse-clicks or menu items--whatever suits your program.
324
+
325
+ You should also get your employer (if you work as a programmer) or your
326
+ school, if any, to sign a "copyright disclaimer" for the program, if
327
+ necessary. Here is a sample; alter the names:
328
+
329
+ Yoyodyne, Inc., hereby disclaims all copyright interest in the program
330
+ `Gnomovision' (which makes passes at compilers) written by James Hacker.
331
+
332
+ <signature of Ty Coon>, 1 April 1989
333
+ Ty Coon, President of Vice
334
+
335
+ This General Public License does not permit incorporating your program into
336
+ proprietary programs. If your program is a subroutine library, you may
337
+ consider it more useful to permit linking proprietary applications with the
338
+ library. If this is what you want to do, use the GNU Lesser General
339
+ Public License instead of this License.
@@ -0,0 +1,30 @@
1
+ # net-ssh-kerberos
2
+
3
+ Add Kerberos (password-less) authentication capabilities to Net::SSH, without the need for modifying Net::SSH source code.
4
+
5
+ This is a great way to help get Capistrano to be accepted in mid-to-large size enterprises with strict security rules.
6
+
7
+ No more getting locked out of the network because you mis-typed your password - even if your company prohibits
8
+ public key or host-based authentication. If your organization uses Kerberos (many mid-to-large size corporations do),
9
+ you can use this package to get password-less authentication without breaking your company's security guidelines.
10
+
11
+ ## How to use with Capistrano
12
+
13
+ Add the following lines to the top of your Capfile (the relevant :auth_method is "gssapi-with-mic")
14
+
15
+ ```
16
+ require 'net/ssh/kerberos'
17
+ set :ssh_options, { :auth_methods => %w(gssapi-with-mic publickey hostbased password keyboard-interactive) }
18
+ ```
19
+
20
+ ## Contributors
21
+
22
+ - Joe Khoobyar http://github.com/joekhoobyar
23
+ - Joshua Ballanco http://github.com/jballanc
24
+ - Liu Lantao http://github.com/Lax
25
+ - Chris Beer http://github.com/cbeer
26
+ - Linda Julien http://github.com/ljulien
27
+
28
+ ## Copyright
29
+
30
+ Copyright (c) 2009-2011 Joe Khoobyar. See LICENSE for details.
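Review bot: the README does not document that this gem always requests Kerberos credential delegation (the `:delegate => true` call in `gssapi_with_mic.rb`, which its own comment says should be user-configurable), so users enabling `gssapi-with-mic` as suggested here will forward their tickets to every host they connect to without knowing it; add a sentence stating that behaviour and how to disable it once an option exists. The heading also says `net-ssh-kerberos` while the gem published here is `net-ssh-krb`; stating both names avoids confusion at install time.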
@@ -0,0 +1,2 @@
1
+ require 'rubygems'
2
+ require "bundler/gem_tasks"
@@ -0,0 +1,91 @@
1
+ require 'socket'
2
+ require 'rubygems'
3
+ gem 'net-ssh'
4
+ $:.unshift File.join(File.dirname(__FILE__), '..', 'lib')
5
+ require 'net/ssh'
6
+ require 'net/ssh/errors'
7
+ require 'net/ssh/kerberos'
8
+
9
+ unless Net::SSH::Kerberos::Drivers.available.include? 'GSS'
10
+ $stderr.puts "No drivers supporting GSSAPI could be loaded."
11
+ exit 1
12
+ end
13
+
14
+ include Net::SSH::Kerberos::Drivers::GSS
15
+ include Net::SSH::Kerberos::Constants
16
+
17
+ result = API.gss_acquire_cred nil, 60, nil, GSS_C_INITIATE, nil, nil, 0
18
+ if result.ok?
19
+ creds = API._args_[4]
20
+ $stderr.puts "gss_acquire_cred: (#{result}) => #{creds.to_i}"
21
+ begin
22
+ result = API.gss_inquire_cred creds, nil, 0, 0, nil
23
+ if result.ok?
24
+ name, oids = API._args_[1], API._args_[4]
25
+ $stderr.puts "gss_inquire_cred: (#{result}) #{oids.inspect}"
26
+ begin
27
+ result = API.gss_display_name name, buffer=API::GssBuffer.malloc, nil
28
+ if result.ok?
29
+ oid = API._args_[2]
30
+ $stderr.puts "gss_display_name: (#{result}) #{buffer} #{oid.inspect}"
31
+ result = API.gss_release_buffer buffer
32
+ $stderr.puts "gss_release_buffer: (#{result})"
33
+ else
34
+ $stderr.puts "gss_display_name failed : (#{result})"
35
+ end
36
+ ensure
37
+ result = API.gss_release_oid_set oids
38
+ $stderr.puts "gss_release_oid_set: (#{result})"
39
+ result = API.gss_release_name name
40
+ $stderr.puts "gss_release_name: (#{result})"
41
+ end
42
+ else
43
+ $stderr.puts "gss_inquire_cred failed: (#{result})"
44
+ end
45
+
46
+
47
+ target_name = 'host@'+Socket.gethostbyname(`hostname || echo "localhost"`.strip)[0]
48
+ buffer = API::GssBuffer.malloc
49
+ buffer.value = target_name
50
+ buffer.length = target_name.length
51
+ API.gss_import_name buffer, GSS_C_NT_HOSTBASED_SERVICE, nil
52
+ if result.ok?
53
+ target = API._args_[2]
54
+ $stderr.puts "gss_import_name: (#{result}) #{target.to_i}"
55
+ begin
56
+ result = API.gss_display_name target, buffer, nil
57
+ if result.ok?
58
+ oid = API._args_[2]
59
+ $stderr.puts "gss_display_name: (#{result}) #{buffer} #{oid.inspect}"
60
+ result = API.gss_release_buffer buffer
61
+ $stderr.puts "gss_release_buffer: (#{result})"
62
+ else
63
+ $stderr.puts "gss_display_name failed : (#{result})"
64
+ end
65
+ result = API.gss_init_sec_context creds, GSS_C_NO_CONTEXT, target, GSS_C_KRB5,
66
+ GSS_C_DELEG_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG, 60,
67
+ GSS_C_NO_CHANNEL_BINDINGS, GSS_C_NO_BUFFER, nil, buffer, 0, 0
68
+ if result.ok?
69
+ context, actual_mech = API._args_[1], API._args_[8]
70
+ $stderr.puts "gss_init_sec_context: (#{result}) token.length=#{buffer.length}, #{actual_mech.inspect}"
71
+ result = API.gss_release_buffer buffer
72
+ $stderr.puts "gss_release_buffer: (#{result})"
73
+ result = API.gss_delete_sec_context context, nil
74
+ $stderr.puts "gss_delete_sec_context: (#{result})"
75
+ else
76
+ $stderr.puts "gss_init_sec_context failed : (#{result})"
77
+ end
78
+ ensure
79
+ result = API.gss_release_name target
80
+ $stderr.puts "gss_release_name: (#{result})"
81
+ end
82
+ else
83
+ $stderr.puts "gss_import_name failed: (#{result})"
84
+ end
85
+ ensure
86
+ result = API.gss_release_cred creds
87
+ $stderr.puts "gss_release_cred: (#{result})"
88
+ end
89
+ else
90
+ $stderr.puts "gss_acquire_cred failed: (#{result})"
91
+ end
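Review bot: the `gss_import_name` call is not assigned to `result`, so the following `if result.ok?` tests the return value of the preceding `gss_release_name` (or `gss_inquire_cred` failure) rather than the import; change it to `result = API.gss_import_name buffer, GSS_C_NT_HOSTBASED_SERVICE, nil`. The target name is also built by shelling out to `hostname` with backticks; `Socket.gethostname` gives the same value without spawning a shell.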
@@ -0,0 +1,67 @@
1
+ #$DEBUG = 1
2
+
3
+ require 'socket'
4
+ require 'rubygems'
5
+ gem 'net-ssh'
6
+ $:.unshift File.join(File.dirname(__FILE__), '..', 'lib')
7
+ require 'net/ssh'
8
+ require 'net/ssh/errors'
9
+ require 'net/ssh/kerberos'
10
+
11
+ unless Net::SSH::Kerberos::Drivers.available.include? 'SSPI'
12
+ $stderr.puts "No drivers supporting SSPI could be loaded."
13
+ exit 1
14
+ end
15
+
16
+ include Net::SSH::Kerberos::Drivers::SSPI
17
+ include Net::SSH::Kerberos::Constants
18
+
19
+ result = API.querySecurityPackageInfo "Kerberos", nil
20
+ if result.ok?
21
+ pkg_info = API._args_[1]
22
+ $stderr.puts "querySecurityPackageInfo: (#{result}) #{pkg_info.comment} (max_token=#{pkg_info.max_token})"
23
+ @max_token = pkg_info.max_token
24
+ result = API.freeContextBuffer pkg_info.to_ptr
25
+ $stderr.puts "freeContextBuffer: (#{result})"
26
+ else
27
+ $stderr.puts "querySecurityPackageInfo: (#{result})"
28
+ end
29
+
30
+ result = API.acquireCredentialsHandle nil, "Kerberos", SECPKG_CRED_OUTBOUND, nil, nil, nil, nil,
31
+ creds=API::SecHandle.malloc, ts=API::TimeStamp.malloc
32
+ if result.ok?
33
+ $stderr.puts "acquireCredentialsHandle: (#{result})"
34
+ begin
35
+ result = API.queryCredentialsAttributes creds, SECPKG_ATTR_NAMES, nil
36
+ if result.ok?
37
+ names = API._args_[2]
38
+ $stderr.puts "queryCredentialsAttributes: (#{result}) #{names.to_s}"
39
+ result = API.freeContextBuffer names
40
+ $stderr.puts "freeContextBuffer: (#{result})"
41
+
42
+ output = API::SecBufferDesc.create @max_token
43
+ if $DEBUG
44
+ $stderr.puts "SecBufferDesc.create: #{output.inspect} => #{output.buffer(0).inspect} => #{output.buffer(0).data.inspect}"
45
+ end
46
+ result = API.initializeSecurityContext creds, nil, 'host/'+Socket.gethostbyname('localhost')[0],
47
+ ISC_REQ_DELEGATE | ISC_REQ_MUTUAL_AUTH | ISC_REQ_INTEGRITY, 0, SECURITY_NATIVE_DREP,
48
+ nil, 0, ctx=API::SecHandle.malloc, output, 0, ts=API::TimeStamp.malloc
49
+ if result.ok?
50
+ $stderr.puts "initializeSecurityContext: (#{result}) ctx=#{! ctx.nil?} token.length=#{output.buffer(0).length}"
51
+ result = API.deleteSecurityContext ctx
52
+ $stderr.puts "deleteSecurityContext: (#{result})"
53
+ else
54
+ $stderr.puts "initializeSecurityContext: (#{result})"
55
+ end
56
+ else
57
+ $stderr.puts "queryCredentialsAttributes: (#{result})"
58
+ end
59
+ ensure
60
+ result = API.freeCredentialsHandle creds
61
+ $stderr.puts "freeCredentialsHandle : (#{result})"
62
+ end
63
+ else
64
+ $stderr.puts "acquireCredentialsHandle: (#{result})"
65
+ end
66
+
67
+
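Review bot: `@max_token` is only set in the success branch of `querySecurityPackageInfo`, so on failure the script continues and calls `API::SecBufferDesc.create @max_token` with `nil`; either `exit 1` in the else branch or skip the context initialisation when `@max_token` is unset. The `ts=API::TimeStamp.malloc` assignment in `acquireCredentialsHandle` is then shadowed by a second `ts=API::TimeStamp.malloc` in `initializeSecurityContext`; one timestamp object, or two distinct names, would make the intent clearer.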
@@ -0,0 +1,107 @@
1
+ require 'net/ssh/authentication/methods/abstract'
2
+ require 'net/ssh/kerberos/constants'
3
+ require 'gssapi'
4
+
5
+ module Net
6
+ module SSH
7
+ module Authentication
8
+ module Methods
9
+
10
+ # Implements the Kerberos 5 SSH authentication method.
11
+ class GssapiWithMic < Abstract
12
+ include Net::SSH::Kerberos::Constants
13
+
14
+ # Attempts to perform gssapi-with-mic Kerberos authentication
15
+ def authenticate(next_service, username, password=nil)
16
+ gss = nil
17
+
18
+ # Try to start gssapi-with-mic authentication.
19
+ debug { "trying kerberos authentication" }
20
+ req = userauth_request(username, next_service, "gssapi-with-mic")
21
+ req.write_long(1)
22
+ req.write_string(supported_oid = 6.chr + GSS_KRB5_MECH.length.chr + GSS_KRB5_MECH)
23
+ send_message req
24
+ message = session.next_message
25
+ case message.type
26
+ when USERAUTH_GSSAPI_RESPONSE
27
+ debug { "gssapi-with-mic proceeding" }
28
+ when USERAUTH_FAILURE
29
+ info { "gssapi-with-mic failed (USERAUTH_FAILURE)" }
30
+ return false
31
+ else
32
+ raise Net::SSH::Exception, "unexpected server response to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
33
+ end
34
+
35
+ # Try to match the OID.
36
+ oid = message.read_string
37
+ if oid != supported_oid
38
+ info { "gssapi-with-mic failed (USERAUTH_GSSAPI_RESPONSE)" }
39
+ return false
40
+ end
41
+
42
+ # Try to complete the handshake.
43
+ gss = GSSAPI::Simple.new hostname
44
+
45
+ established = false
46
+ debug { "gssapi-with-mic handshaking" }
47
+ until established
48
+ # :delegate => true always forwards tickets. This may or may not be a good idea, and should really be a user-specified option.
49
+ token = gss.init_context(token, :delegate => true)
50
+ break if token === true
51
+ if token && token.length > 0
52
+ send_message Net::SSH::Buffer.from(:byte, USERAUTH_GSSAPI_TOKEN, :string, token)
53
+
54
+ message = session.next_message
55
+ case message.type
56
+ when USERAUTH_GSSAPI_ERROR
57
+ message = session.next_message
58
+ message.get_long
59
+ message.get_long
60
+ info { "gssapi-with-mic error (USERAUTH_GSSAPI_ERROR) (#{message.read_string})" }
61
+ when USERAUTH_GSSAPI_ERRTOK
62
+ message = session.next_message
63
+ info { "gssapi-with-mic error (USERAUTH_GSSAPI_ERRTOK) (#{message.read_string})" }
64
+ when USERAUTH_FAILURE
65
+ info { "gssapi-with-mic failed (USERAUTH_FAILURE)" }
66
+ return false
67
+ end
68
+ token = message.read_string
69
+
70
+ end
71
+ end
72
+
73
+ # Attempt the actual authentication.
74
+ debug { "gssapi-with-mic authenticating" }
75
+ mic = gss.get_mic Net::SSH::Buffer.from(:string, session_id, :byte, USERAUTH_REQUEST, :string, username,
76
+ :string, next_service, :string, "gssapi-with-mic").to_s
77
+ if mic.nil?
78
+ info { "gssapi-with-mic failed (context#get_mic)" }
79
+ return false
80
+ end
81
+ send_message Net::SSH::Buffer.from(:byte, USERAUTH_GSSAPI_MIC, :string, mic)
82
+ message = session.next_message
83
+ case message.type
84
+ when USERAUTH_SUCCESS
85
+ info { "gssapi-with-mic success" }
86
+ return true
87
+ when USERAUTH_FAILURE
88
+ info { "gssapi-with-mic partial failure (USERAUTH_FAILURE)" }
89
+ return false
90
+ else
91
+ raise Net::SSH::Exception, "unexpected server response to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
92
+ end
93
+ end
94
+
95
+ private
96
+
97
+ # Returns the hostname as reported by the underlying socket.
98
+ def hostname
99
+ session.transport.host
100
+ end
101
+
102
+ end
103
+
104
+ end
105
+ end
106
+ end
107
+ end
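Review bot: `gss.init_context(token, :delegate => true)` unconditionally asks for credential delegation, as the comment above it already concedes; this forwards the user's TGT to every server authenticated against, including one that has been compromised or spoofed, so delegation should be an explicit option (for example read from the session options) that defaults to `false`. In the token loop, the `USERAUTH_GSSAPI_ERROR` and `USERAUTH_GSSAPI_ERRTOK` branches only log and then fall through to `token = message.read_string` and another `init_context` round; they should `return false` like the `USERAUTH_FAILURE` branch, and `established` is never assigned, so the `until established` condition is dead and the loop ends only via `break`. The `message.get_long` calls are also inconsistent with the `read_string`/`read_long` accessors used elsewhere in this file.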
@@ -0,0 +1,7 @@
1
+ require 'net/ssh'
2
+ require 'net/ssh/errors'
3
+
4
+ module Net; module SSH; module Kerberos
5
+ end; end; end
6
+
7
+ require 'net/ssh/authentication/methods/gssapi_with_mic'
@@ -0,0 +1,26 @@
1
+ module Net; module SSH; module Kerberos
2
+ module Constants
3
+
4
+ # GSSAPI Key exchange method specific messages
5
+ KEXGSS_INIT = 30
6
+ KEXGSS_CONTINUE = 31
7
+ KEXGSS_COMPLETE = 32
8
+ KEXGSS_HOSTKEY = 33
9
+ KEXGSS_ERROR = 34
10
+ KEXGSS_GROUPREQ = 40
11
+ KEXGSS_GROUP = 41
12
+
13
+ # GSSAPI User authentication method specific messages
14
+ USERAUTH_GSSAPI_RESPONSE = 60
15
+ USERAUTH_GSSAPI_TOKEN = 61
16
+ USERAUTH_GSSAPI_EXCHANGE_COMPLETE = 63
17
+ USERAUTH_GSSAPI_ERROR = 64
18
+ USERAUTH_GSSAPI_ERRTOK = 65
19
+ USERAUTH_GSSAPI_MIC = 66
20
+
21
+ # GSSAPI constant OID(s)
22
+ GSS_KRB5_MECH = "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"
23
+ GSS_KRB5_MECH_USER2USER = "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x03"
24
+ end
25
+ end; end; end
26
+
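Review bot: `GSS_KRB5_MECH` and `GSS_KRB5_MECH_USER2USER` are DER-encoded OID bytes written as `\x..` escapes in a file with no encoding magic comment, so the literals are tagged with the source encoding (UTF-8 on Ruby 2.x) while holding bytes that are not valid UTF-8; append `.force_encoding('BINARY')` (or `.b`) so comparisons against bytes from the wire and the gssapi gem behave, and say in the comment that these are the DER bodies of 1.2.840.113554.1.2.2 and 1.2.840.113554.1.2.2.3. The message numbers match RFC 4462 (30-34 and 40-41 for KEXGSS, 60, 61 and 63-66 for USERAUTH_GSSAPI_*, with 62 deliberately unassigned), but they are scoped to `Net::SSH::Kerberos::Constants` while the method file uses them unqualified, so that class must `include` this module. Stray blank line 26 at end of file.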
@@ -0,0 +1,23 @@
1
+ # -*- encoding: utf-8 -*-
2
+
3
+ Gem::Specification.new do |s|
4
+ s.name = %q{net-ssh-krb}
5
+ s.version = "0.3.0"
6
+ s.authors = ["Joe Khoobyar", "Chris Beer"]
7
+ s.description = %q{Extends Net::SSH by adding Kerberos authentication capability for password-less logins on multiple platforms.
8
+ }
9
+ s.email = %q{joe@ankhcraft.com cabeer@stanford.edu}
10
+ s.extra_rdoc_files = [
11
+ "LICENSE",
12
+ "README.md"
13
+ ]
14
+ s.files = `git ls-files`.split("\n")
15
+ s.test_files = `git ls-files -- {test,spec,features}/*`.split("\n")
16
+ s.homepage = %q{http://github.com/cbeer/net-ssh-kerberos}
17
+ s.summary = %q{Add Kerberos support to Net::SSH}
18
+
19
+ s.add_dependency 'net-ssh', '>= 2.0'
20
+ s.add_dependency 'gssapi', '~> 1.1.2'
21
+ s.add_development_dependency 'rspec'
22
+ end
23
+
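Review bot: `s.email` is a single string holding two addresses (`%q{joe@ankhcraft.com cabeer@stanford.edu}`), which RubyGems publishes verbatim; make it an array. The gemspec lists LICENSE under `extra_rdoc_files` but never sets `s.license`, so the generated metadata carries `licenses: []`; set it so consumers can audit the licence. The multi-line `%q{...}` description embeds a trailing newline (lines 7-8), and `s.files`/`s.test_files` shell out to `git ls-files`, which breaks any install that evaluates the gemspec outside a git checkout (a `gemspec` line in a Gemfile does this); a static list or a guard is safer.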
@@ -0,0 +1,7 @@
1
+ require 'spec_helper'
2
+ require 'net/ssh'
3
+ describe "run commands on a kerberized server" do
4
+ it "it should work" do
5
+ Net::SSH.start(ENV['KERBEROS_TEST_HOST'], ENV['USER'], :auth_methods => ["gssapi-with-mic", "publickey"]).exec!("whoami").strip.should == ENV['USER']
6
+ end
7
+ end
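Review bot: `:auth_methods => ["gssapi-with-mic", "publickey"]` lets the spec pass when GSSAPI fails and Net::SSH silently falls back to a public key, so the integration test does not actually prove Kerberos authentication; use `["gssapi-with-mic"]` alone. `Net::SSH.start` is called without a block, so the connection is never closed; use the block form. With `KERBEROS_TEST_HOST` unset the call becomes `Net::SSH.start(nil, ...)` and fails with an unhelpful error; skip or mark the example `pending` when the variable is missing. The description `it "it should work"` reads as "it it should work".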
@@ -0,0 +1,17 @@
1
+ $LOAD_PATH.unshift(File.dirname(__FILE__))
2
+ $LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
3
+
4
+ require 'bundler/setup'
5
+ require 'rspec'
6
+ require 'rspec/autorun'
7
+
8
+ ruby_engine = defined?(RUBY_ENGINE) ? RUBY_ENGINE : "ruby"
9
+ if ENV['COVERAGE'] and RUBY_VERSION =~ /^1.9/ and ruby_engine != "jruby"
10
+ require 'simplecov'
11
+ SimpleCov.start
12
+ end
13
+
14
+ require 'net/ssh/kerberos'
15
+
16
+ RSpec.configure do |config|
17
+ end
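Review bot: the coverage guard `RUBY_VERSION =~ /^1.9/` excludes Ruby 2.0 and later, where SimpleCov works, and the unescaped `.` matches more than intended; compare with `RUBY_VERSION >= '1.9'` instead. `require 'rspec/autorun'` is unnecessary under the `rspec` runner, the empty `RSpec.configure` block can go, and the `$LOAD_PATH` entries built from `File.dirname(__FILE__)` are better wrapped in `File.expand_path` so they are absolute regardless of the working directory.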
metadata ADDED
@@ -0,0 +1,116 @@
1
+ --- !ruby/object:Gem::Specification
2
+ name: net-ssh-krb
3
+ version: !ruby/object:Gem::Version
4
+ version: 0.3.0
5
+ prerelease:
6
+ platform: ruby
7
+ authors:
8
+ - Joe Khoobyar
9
+ - Chris Beer
10
+ autorequire:
11
+ bindir: bin
12
+ cert_chain: []
13
+ date: 2013-04-01 00:00:00.000000000 Z
14
+ dependencies:
15
+ - !ruby/object:Gem::Dependency
16
+ name: net-ssh
17
+ requirement: !ruby/object:Gem::Requirement
18
+ none: false
19
+ requirements:
20
+ - - ! '>='
21
+ - !ruby/object:Gem::Version
22
+ version: '2.0'
23
+ type: :runtime
24
+ prerelease: false
25
+ version_requirements: !ruby/object:Gem::Requirement
26
+ none: false
27
+ requirements:
28
+ - - ! '>='
29
+ - !ruby/object:Gem::Version
30
+ version: '2.0'
31
+ - !ruby/object:Gem::Dependency
32
+ name: gssapi
33
+ requirement: !ruby/object:Gem::Requirement
34
+ none: false
35
+ requirements:
36
+ - - ~>
37
+ - !ruby/object:Gem::Version
38
+ version: 1.1.2
39
+ type: :runtime
40
+ prerelease: false
41
+ version_requirements: !ruby/object:Gem::Requirement
42
+ none: false
43
+ requirements:
44
+ - - ~>
45
+ - !ruby/object:Gem::Version
46
+ version: 1.1.2
47
+ - !ruby/object:Gem::Dependency
48
+ name: rspec
49
+ requirement: !ruby/object:Gem::Requirement
50
+ none: false
51
+ requirements:
52
+ - - ! '>='
53
+ - !ruby/object:Gem::Version
54
+ version: '0'
55
+ type: :development
56
+ prerelease: false
57
+ version_requirements: !ruby/object:Gem::Requirement
58
+ none: false
59
+ requirements:
60
+ - - ! '>='
61
+ - !ruby/object:Gem::Version
62
+ version: '0'
63
+ description: ! 'Extends Net::SSH by adding Kerberos authentication capability for
64
+ password-less logins on multiple platforms.
65
+
66
+ '
67
+ email: joe@ankhcraft.com cabeer@stanford.edu
68
+ executables: []
69
+ extensions: []
70
+ extra_rdoc_files:
71
+ - LICENSE
72
+ - README.md
73
+ files:
74
+ - .gitignore
75
+ - Gemfile
76
+ - Gemfile.lock
77
+ - LICENSE
78
+ - README.md
79
+ - Rakefile
80
+ - example/Capfile
81
+ - example/gss.rb
82
+ - example/sspi.rb
83
+ - lib/net/ssh/authentication/methods/gssapi_with_mic.rb
84
+ - lib/net/ssh/kerberos.rb
85
+ - lib/net/ssh/kerberos/constants.rb
86
+ - net-ssh-kerberos.gemspec
87
+ - spec/integration_spec.rb
88
+ - spec/spec_helper.rb
89
+ homepage: http://github.com/cbeer/net-ssh-kerberos
90
+ licenses: []
91
+ post_install_message:
92
+ rdoc_options: []
93
+ require_paths:
94
+ - lib
95
+ required_ruby_version: !ruby/object:Gem::Requirement
96
+ none: false
97
+ requirements:
98
+ - - ! '>='
99
+ - !ruby/object:Gem::Version
100
+ version: '0'
101
+ required_rubygems_version: !ruby/object:Gem::Requirement
102
+ none: false
103
+ requirements:
104
+ - - ! '>='
105
+ - !ruby/object:Gem::Version
106
+ version: '0'
107
+ requirements: []
108
+ rubyforge_project:
109
+ rubygems_version: 1.8.23
110
+ signing_key:
111
+ specification_version: 3
112
+ summary: Add Kerberos support to Net::SSH
113
+ test_files:
114
+ - spec/integration_spec.rb
115
+ - spec/spec_helper.rb
116
+ has_rdoc:
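Review bot: `licenses: []` (line 90) and the empty `signing_key:` with `cert_chain: []` (lines 110 and 12) are generated from the gemspec, so this metadata records a gem with no declared licence and no signature even though a LICENSE file ships in `files`; the fix belongs in the gemspec (`s.license`, and optionally `s.signing_key` and `s.cert_chain` so installs run with `--trust-policy` can verify the package). The `description` also carries the trailing blank line from the `%q{}` literal (lines 63-66).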