net-ssh-net-ssh 2.0.12

Sign up to get free protection for your applications and to get access to all the features.
Files changed (105) hide show
  1. data/CHANGELOG.rdoc +137 -0
  2. data/Manifest +104 -0
  3. data/README.rdoc +110 -0
  4. data/Rakefile +79 -0
  5. data/THANKS.rdoc +16 -0
  6. data/lib/net/ssh.rb +215 -0
  7. data/lib/net/ssh/authentication/agent.rb +176 -0
  8. data/lib/net/ssh/authentication/constants.rb +18 -0
  9. data/lib/net/ssh/authentication/key_manager.rb +193 -0
  10. data/lib/net/ssh/authentication/methods/abstract.rb +60 -0
  11. data/lib/net/ssh/authentication/methods/hostbased.rb +71 -0
  12. data/lib/net/ssh/authentication/methods/keyboard_interactive.rb +66 -0
  13. data/lib/net/ssh/authentication/methods/password.rb +39 -0
  14. data/lib/net/ssh/authentication/methods/publickey.rb +92 -0
  15. data/lib/net/ssh/authentication/pageant.rb +183 -0
  16. data/lib/net/ssh/authentication/session.rb +134 -0
  17. data/lib/net/ssh/buffer.rb +340 -0
  18. data/lib/net/ssh/buffered_io.rb +149 -0
  19. data/lib/net/ssh/config.rb +181 -0
  20. data/lib/net/ssh/connection/channel.rb +625 -0
  21. data/lib/net/ssh/connection/constants.rb +33 -0
  22. data/lib/net/ssh/connection/session.rb +596 -0
  23. data/lib/net/ssh/connection/term.rb +178 -0
  24. data/lib/net/ssh/errors.rb +85 -0
  25. data/lib/net/ssh/key_factory.rb +102 -0
  26. data/lib/net/ssh/known_hosts.rb +129 -0
  27. data/lib/net/ssh/loggable.rb +61 -0
  28. data/lib/net/ssh/packet.rb +102 -0
  29. data/lib/net/ssh/prompt.rb +93 -0
  30. data/lib/net/ssh/proxy/errors.rb +14 -0
  31. data/lib/net/ssh/proxy/http.rb +94 -0
  32. data/lib/net/ssh/proxy/socks4.rb +70 -0
  33. data/lib/net/ssh/proxy/socks5.rb +129 -0
  34. data/lib/net/ssh/ruby_compat.rb +7 -0
  35. data/lib/net/ssh/service/forward.rb +267 -0
  36. data/lib/net/ssh/test.rb +89 -0
  37. data/lib/net/ssh/test/channel.rb +129 -0
  38. data/lib/net/ssh/test/extensions.rb +152 -0
  39. data/lib/net/ssh/test/kex.rb +44 -0
  40. data/lib/net/ssh/test/local_packet.rb +51 -0
  41. data/lib/net/ssh/test/packet.rb +81 -0
  42. data/lib/net/ssh/test/remote_packet.rb +38 -0
  43. data/lib/net/ssh/test/script.rb +157 -0
  44. data/lib/net/ssh/test/socket.rb +59 -0
  45. data/lib/net/ssh/transport/algorithms.rb +384 -0
  46. data/lib/net/ssh/transport/cipher_factory.rb +84 -0
  47. data/lib/net/ssh/transport/constants.rb +30 -0
  48. data/lib/net/ssh/transport/hmac.rb +31 -0
  49. data/lib/net/ssh/transport/hmac/abstract.rb +78 -0
  50. data/lib/net/ssh/transport/hmac/md5.rb +12 -0
  51. data/lib/net/ssh/transport/hmac/md5_96.rb +11 -0
  52. data/lib/net/ssh/transport/hmac/none.rb +15 -0
  53. data/lib/net/ssh/transport/hmac/sha1.rb +13 -0
  54. data/lib/net/ssh/transport/hmac/sha1_96.rb +11 -0
  55. data/lib/net/ssh/transport/identity_cipher.rb +55 -0
  56. data/lib/net/ssh/transport/kex.rb +13 -0
  57. data/lib/net/ssh/transport/kex/diffie_hellman_group1_sha1.rb +208 -0
  58. data/lib/net/ssh/transport/kex/diffie_hellman_group_exchange_sha1.rb +77 -0
  59. data/lib/net/ssh/transport/openssl.rb +128 -0
  60. data/lib/net/ssh/transport/packet_stream.rb +230 -0
  61. data/lib/net/ssh/transport/server_version.rb +69 -0
  62. data/lib/net/ssh/transport/session.rb +276 -0
  63. data/lib/net/ssh/transport/state.rb +206 -0
  64. data/lib/net/ssh/verifiers/lenient.rb +30 -0
  65. data/lib/net/ssh/verifiers/null.rb +12 -0
  66. data/lib/net/ssh/verifiers/strict.rb +53 -0
  67. data/lib/net/ssh/version.rb +62 -0
  68. data/net-ssh.gemspec +128 -0
  69. data/setup.rb +1585 -0
  70. data/test/authentication/methods/common.rb +28 -0
  71. data/test/authentication/methods/test_abstract.rb +51 -0
  72. data/test/authentication/methods/test_hostbased.rb +114 -0
  73. data/test/authentication/methods/test_keyboard_interactive.rb +98 -0
  74. data/test/authentication/methods/test_password.rb +50 -0
  75. data/test/authentication/methods/test_publickey.rb +127 -0
  76. data/test/authentication/test_agent.rb +205 -0
  77. data/test/authentication/test_key_manager.rb +105 -0
  78. data/test/authentication/test_session.rb +93 -0
  79. data/test/common.rb +106 -0
  80. data/test/configs/eqsign +3 -0
  81. data/test/configs/exact_match +8 -0
  82. data/test/configs/wild_cards +14 -0
  83. data/test/connection/test_channel.rb +452 -0
  84. data/test/connection/test_session.rb +488 -0
  85. data/test/test_all.rb +6 -0
  86. data/test/test_buffer.rb +336 -0
  87. data/test/test_buffered_io.rb +63 -0
  88. data/test/test_config.rb +84 -0
  89. data/test/test_key_factory.rb +67 -0
  90. data/test/transport/hmac/test_md5.rb +39 -0
  91. data/test/transport/hmac/test_md5_96.rb +25 -0
  92. data/test/transport/hmac/test_none.rb +34 -0
  93. data/test/transport/hmac/test_sha1.rb +34 -0
  94. data/test/transport/hmac/test_sha1_96.rb +25 -0
  95. data/test/transport/kex/test_diffie_hellman_group1_sha1.rb +146 -0
  96. data/test/transport/kex/test_diffie_hellman_group_exchange_sha1.rb +92 -0
  97. data/test/transport/test_algorithms.rb +302 -0
  98. data/test/transport/test_cipher_factory.rb +171 -0
  99. data/test/transport/test_hmac.rb +34 -0
  100. data/test/transport/test_identity_cipher.rb +40 -0
  101. data/test/transport/test_packet_stream.rb +435 -0
  102. data/test/transport/test_server_version.rb +68 -0
  103. data/test/transport/test_session.rb +315 -0
  104. data/test/transport/test_state.rb +173 -0
  105. metadata +162 -0
@@ -0,0 +1,276 @@
1
+ require 'socket'
2
+ require 'timeout'
3
+
4
+ require 'net/ssh/errors'
5
+ require 'net/ssh/loggable'
6
+ require 'net/ssh/version'
7
+ require 'net/ssh/transport/algorithms'
8
+ require 'net/ssh/transport/constants'
9
+ require 'net/ssh/transport/packet_stream'
10
+ require 'net/ssh/transport/server_version'
11
+ require 'net/ssh/verifiers/null'
12
+ require 'net/ssh/verifiers/strict'
13
+ require 'net/ssh/verifiers/lenient'
14
+
15
+ module Net; module SSH; module Transport
16
+
17
+ # The transport layer represents the lowest level of the SSH protocol, and
18
+ # implements basic message exchanging and protocol initialization. It will
19
+ # never be instantiated directly (unless you really know what you're about),
20
+ # but will instead be created for you automatically when you create a new
21
+ # SSH session via Net::SSH.start.
22
+ class Session
23
+ include Constants, Loggable
24
+
25
+ # The standard port for the SSH protocol.
26
+ DEFAULT_PORT = 22
27
+
28
+ # The host to connect to, as given to the constructor.
29
+ attr_reader :host
30
+
31
+ # The port number to connect to, as given in the options to the constructor.
32
+ # If no port number was given, this will default to DEFAULT_PORT.
33
+ attr_reader :port
34
+
35
+ # The underlying socket object being used to communicate with the remote
36
+ # host.
37
+ attr_reader :socket
38
+
39
+ # The ServerVersion instance that encapsulates the negotiated protocol
40
+ # version.
41
+ attr_reader :server_version
42
+
43
+ # The Algorithms instance used to perform key exchanges.
44
+ attr_reader :algorithms
45
+
46
+ # The host-key verifier object used to verify host keys, to ensure that
47
+ # the connection is not being spoofed.
48
+ attr_reader :host_key_verifier
49
+
50
+ # The hash of options that were given to the object at initialization.
51
+ attr_reader :options
52
+
53
+ # Instantiates a new transport layer abstraction. This will block until
54
+ # the initial key exchange completes, leaving you with a ready-to-use
55
+ # transport session.
56
+ def initialize(host, options={})
57
+ self.logger = options[:logger]
58
+
59
+ @host = host
60
+ @port = options[:port] || DEFAULT_PORT
61
+ @options = options
62
+
63
+ debug { "establishing connection to #{@host}:#{@port}" }
64
+ factory = options[:proxy] || TCPSocket
65
+ @socket = timeout(options[:timeout] || 0) { factory.open(@host, @port) }
66
+ @socket.extend(PacketStream)
67
+ @socket.logger = @logger
68
+
69
+ debug { "connection established" }
70
+
71
+ @queue = []
72
+
73
+ @host_key_verifier = select_host_key_verifier(options[:paranoid])
74
+
75
+ @server_version = ServerVersion.new(socket, logger)
76
+
77
+ @algorithms = Algorithms.new(self, options)
78
+ wait { algorithms.initialized? }
79
+ end
80
+
81
+ # Returns the host (and possibly IP address) in a format compatible with
82
+ # SSH known-host files.
83
+ def host_as_string
84
+ @host_as_string ||= begin
85
+ string = "#{host}"
86
+ string = "[#{string}]:#{port}" if port != DEFAULT_PORT
87
+ if socket.peer_ip != host
88
+ string2 = socket.peer_ip
89
+ string2 = "[#{string2}]:#{port}" if port != DEFAULT_PORT
90
+ string << "," << string2
91
+ end
92
+ string
93
+ end
94
+ end
95
+
96
+ # Returns true if the underlying socket has been closed.
97
+ def closed?
98
+ socket.closed?
99
+ end
100
+
101
+ # Cleans up (see PacketStream#cleanup) and closes the underlying socket.
102
+ def close
103
+ socket.cleanup
104
+ socket.close
105
+ end
106
+
107
+ # Performs a "hard" shutdown of the connection. In general, this should
108
+ # never be done, but it might be necessary (in a rescue clause, for instance,
109
+ # when the connection needs to close but you don't know the status of the
110
+ # underlying protocol's state).
111
+ def shutdown!
112
+ error { "forcing connection closed" }
113
+ socket.close
114
+ end
115
+
116
+ # Returns a new service_request packet for the given service name, ready
117
+ # for sending to the server.
118
+ def service_request(service)
119
+ Net::SSH::Buffer.from(:byte, SERVICE_REQUEST, :string, service)
120
+ end
121
+
122
+ # Requests a rekey operation, and blocks until the operation completes.
123
+ # If a rekey is already pending, this returns immediately, having no
124
+ # effect.
125
+ def rekey!
126
+ if !algorithms.pending?
127
+ algorithms.rekey!
128
+ wait { algorithms.initialized? }
129
+ end
130
+ end
131
+
132
+ # Returns immediately if a rekey is already in process. Otherwise, if a
133
+ # rekey is needed (as indicated by the socket, see PacketStream#if_needs_rekey?)
134
+ # one is performed, causing this method to block until it completes.
135
+ def rekey_as_needed
136
+ return if algorithms.pending?
137
+ socket.if_needs_rekey? { rekey! }
138
+ end
139
+
140
+ # Returns a hash of information about the peer (remote) side of the socket,
141
+ # including :ip, :port, :host, and :canonized (see #host_as_string).
142
+ def peer
143
+ @peer ||= { :ip => socket.peer_ip, :port => @port.to_i, :host => @host, :canonized => host_as_string }
144
+ end
145
+
146
+ # Blocks until a new packet is available to be read, and returns that
147
+ # packet. See #poll_message.
148
+ def next_message
149
+ poll_message(:block)
150
+ end
151
+
152
+ # Tries to read the next packet from the socket. If mode is :nonblock (the
153
+ # default), this will not block and will return nil if there are no packets
154
+ # waiting to be read. Otherwise, this will block until a packet is
155
+ # available. Note that some packet types (DISCONNECT, IGNORE, UNIMPLEMENTED,
156
+ # DEBUG, and KEXINIT) are handled silently by this method, and will never
157
+ # be returned.
158
+ #
159
+ # If a key-exchange is in process and a disallowed packet type is
160
+ # received, it will be enqueued and otherwise ignored. When a key-exchange
161
+ # is not in process, and consume_queue is true, packets will be first
162
+ # read from the queue before the socket is queried.
163
+ def poll_message(mode=:nonblock, consume_queue=true)
164
+ loop do
165
+ if consume_queue && @queue.any? && algorithms.allow?(@queue.first)
166
+ return @queue.shift
167
+ end
168
+
169
+ packet = socket.next_packet(mode)
170
+ return nil if packet.nil?
171
+
172
+ case packet.type
173
+ when DISCONNECT
174
+ raise Net::SSH::Disconnect, "disconnected: #{packet[:description]} (#{packet[:reason_code]})"
175
+
176
+ when IGNORE
177
+ debug { "IGNORE packet recieved: #{packet[:data].inspect}" }
178
+
179
+ when UNIMPLEMENTED
180
+ lwarn { "UNIMPLEMENTED: #{packet[:number]}" }
181
+
182
+ when DEBUG
183
+ send(packet[:always_display] ? :fatal : :debug) { packet[:message] }
184
+
185
+ when KEXINIT
186
+ algorithms.accept_kexinit(packet)
187
+
188
+ else
189
+ return packet if algorithms.allow?(packet)
190
+ push(packet)
191
+ end
192
+ end
193
+ end
194
+
195
+ # Waits (blocks) until the given block returns true. If no block is given,
196
+ # this just waits long enough to see if there are any pending packets. Any
197
+ # packets read are enqueued (see #push).
198
+ def wait
199
+ loop do
200
+ break if block_given? && yield
201
+ message = poll_message(:nonblock, false)
202
+ push(message) if message
203
+ break if !block_given?
204
+ end
205
+ end
206
+
207
+ # Adds the given packet to the packet queue. If the queue is non-empty,
208
+ # #poll_message will return packets from the queue in the order they
209
+ # were received.
210
+ def push(packet)
211
+ @queue.push(packet)
212
+ end
213
+
214
+ # Sends the given message via the packet stream, blocking until the
215
+ # entire message has been sent.
216
+ def send_message(message)
217
+ socket.send_packet(message)
218
+ end
219
+
220
+ # Enqueues the given message, such that it will be sent at the earliest
221
+ # opportunity. This does not block, but returns immediately.
222
+ def enqueue_message(message)
223
+ socket.enqueue_packet(message)
224
+ end
225
+
226
+ # Configure's the packet stream's client state with the given set of
227
+ # options. This is typically used to define the cipher, compression, and
228
+ # hmac algorithms to use when sending packets to the server.
229
+ def configure_client(options={})
230
+ socket.client.set(options)
231
+ end
232
+
233
+ # Configure's the packet stream's server state with the given set of
234
+ # options. This is typically used to define the cipher, compression, and
235
+ # hmac algorithms to use when reading packets from the server.
236
+ def configure_server(options={})
237
+ socket.server.set(options)
238
+ end
239
+
240
+ # Sets a new hint for the packet stream, which the packet stream may use
241
+ # to change its behavior. (See PacketStream#hints).
242
+ def hint(which, value=true)
243
+ socket.hints[which] = value
244
+ end
245
+
246
+ public
247
+
248
+ # this method is primarily for use in tests
249
+ attr_reader :queue #:nodoc:
250
+
251
+ private
252
+
253
+ # Instantiates a new host-key verification class, based on the value of
254
+ # the parameter. When true or nil, the default Lenient verifier is
255
+ # returned. If it is false, the Null verifier is returned, and if it is
256
+ # :very, the Strict verifier is returned. If the argument happens to
257
+ # respond to :verify, it is returned directly. Otherwise, an exception
258
+ # is raised.
259
+ def select_host_key_verifier(paranoid)
260
+ case paranoid
261
+ when true, nil then
262
+ Net::SSH::Verifiers::Lenient.new
263
+ when false then
264
+ Net::SSH::Verifiers::Null.new
265
+ when :very then
266
+ Net::SSH::Verifiers::Strict.new
267
+ else
268
+ if paranoid.respond_to?(:verify)
269
+ paranoid
270
+ else
271
+ raise ArgumentError, "argument to :paranoid is not valid: #{paranoid.inspect}"
272
+ end
273
+ end
274
+ end
275
+ end
276
+ end; end; end
@@ -0,0 +1,206 @@
1
+ require 'zlib'
2
+ require 'net/ssh/transport/cipher_factory'
3
+ require 'net/ssh/transport/hmac'
4
+
5
+ module Net; module SSH; module Transport
6
+
7
+ # Encapsulates state information about one end of an SSH connection. Such
8
+ # state includes the packet sequence number, the algorithms in use, how
9
+ # many packets and blocks have been processed since the last reset, and so
10
+ # forth. This class will never be instantiated directly, but is used as
11
+ # part of the internal state of the PacketStream module.
12
+ class State
13
+ # The socket object that owns this state object.
14
+ attr_reader :socket
15
+
16
+ # The next packet sequence number for this socket endpoint.
17
+ attr_reader :sequence_number
18
+
19
+ # The hmac algorithm in use for this endpoint.
20
+ attr_reader :hmac
21
+
22
+ # The compression algorithm in use for this endpoint.
23
+ attr_reader :compression
24
+
25
+ # The compression level to use when compressing data (or nil, for the default).
26
+ attr_reader :compression_level
27
+
28
+ # The number of packets processed since the last call to #reset!
29
+ attr_reader :packets
30
+
31
+ # The number of data blocks processed since the last call to #reset!
32
+ attr_reader :blocks
33
+
34
+ # The cipher algorithm in use for this socket endpoint.
35
+ attr_reader :cipher
36
+
37
+ # The block size for the cipher
38
+ attr_reader :block_size
39
+
40
+ # The role that this state plays (either :client or :server)
41
+ attr_reader :role
42
+
43
+ # The maximum number of packets that this endpoint wants to process before
44
+ # needing a rekey.
45
+ attr_accessor :max_packets
46
+
47
+ # The maximum number of blocks that this endpoint wants to process before
48
+ # needing a rekey.
49
+ attr_accessor :max_blocks
50
+
51
+ # The user-specified maximum number of bytes that this endpoint ought to
52
+ # process before needing a rekey.
53
+ attr_accessor :rekey_limit
54
+
55
+ # Creates a new state object, belonging to the given socket. Initializes
56
+ # the algorithms to "none".
57
+ def initialize(socket, role)
58
+ @socket = socket
59
+ @role = role
60
+ @sequence_number = @packets = @blocks = 0
61
+ @cipher = CipherFactory.get("none")
62
+ @block_size = 8
63
+ @hmac = HMAC.get("none")
64
+ @compression = nil
65
+ @compressor = @decompressor = nil
66
+ @next_iv = ""
67
+ end
68
+
69
+ # A convenience method for quickly setting multiple values in a single
70
+ # command.
71
+ def set(values)
72
+ values.each do |key, value|
73
+ instance_variable_set("@#{key}", value)
74
+ end
75
+ reset!
76
+ end
77
+
78
+ def update_cipher(data)
79
+ result = cipher.update(data)
80
+ update_next_iv(role == :client ? result : data)
81
+ return result
82
+ end
83
+
84
+ def final_cipher
85
+ result = cipher.final
86
+ update_next_iv(role == :client ? result : "", true)
87
+ return result
88
+ end
89
+
90
+ # Increments the counters. The sequence number is incremented (and remapped
91
+ # so it always fits in a 32-bit integer). The number of packets and blocks
92
+ # are also incremented.
93
+ def increment(packet_length)
94
+ @sequence_number = (@sequence_number + 1) & 0xFFFFFFFF
95
+ @packets += 1
96
+ @blocks += (packet_length + 4) / @block_size
97
+ end
98
+
99
+ # The compressor object to use when compressing data. This takes into account
100
+ # the desired compression level.
101
+ def compressor
102
+ @compressor ||= Zlib::Deflate.new(compression_level || Zlib::DEFAULT_COMPRESSION)
103
+ end
104
+
105
+ # The decompressor object to use when decompressing data.
106
+ def decompressor
107
+ @decompressor ||= Zlib::Inflate.new(nil)
108
+ end
109
+
110
+ # Returns true if data compression/decompression is enabled. This will
111
+ # return true if :standard compression is selected, or if :delayed
112
+ # compression is selected and the :authenticated hint has been received
113
+ # by the socket.
114
+ def compression?
115
+ compression == :standard || (compression == :delayed && socket.hints[:authenticated])
116
+ end
117
+
118
+ # Compresses the data. If no compression is in effect, this will just return
119
+ # the data unmodified, otherwise it uses #compressor to compress the data.
120
+ def compress(data)
121
+ data = data.to_s
122
+ return data unless compression?
123
+ compressor.deflate(data, Zlib::SYNC_FLUSH)
124
+ end
125
+
126
+ # Deompresses the data. If no compression is in effect, this will just return
127
+ # the data unmodified, otherwise it uses #decompressor to decompress the data.
128
+ def decompress(data)
129
+ data = data.to_s
130
+ return data unless compression?
131
+ decompressor.inflate(data)
132
+ end
133
+
134
+ # Resets the counters on the state object, but leaves the sequence_number
135
+ # unchanged. It also sets defaults for and recomputes the max_packets and
136
+ # max_blocks values.
137
+ def reset!
138
+ @packets = @blocks = 0
139
+
140
+ @max_packets ||= 1 << 31
141
+
142
+ @block_size = cipher.name == "RC4" ? 8 : cipher.block_size
143
+
144
+ if max_blocks.nil?
145
+ # cargo-culted from openssh. the idea is that "the 2^(blocksize*2)
146
+ # limit is too expensive for 3DES, blowfish, etc., so enforce a 1GB
147
+ # limit for small blocksizes."
148
+ if @block_size >= 16
149
+ @max_blocks = 1 << (@block_size * 2)
150
+ else
151
+ @max_blocks = (1 << 30) / @block_size
152
+ end
153
+
154
+ # if a limit on the # of bytes has been given, convert that into a
155
+ # minimum number of blocks processed.
156
+
157
+ if rekey_limit
158
+ @max_blocks = [@max_blocks, rekey_limit / @block_size].min
159
+ end
160
+ end
161
+
162
+ cleanup
163
+ end
164
+
165
+ # Closes any the compressor and/or decompressor objects that have been
166
+ # instantiated.
167
+ def cleanup
168
+ if @compressor
169
+ @compressor.finish if !@compressor.finished?
170
+ @compressor.close
171
+ end
172
+
173
+ if @decompressor
174
+ # we call reset here so that we don't get warnings when we try to
175
+ # close the decompressor
176
+ @decompressor.reset
177
+ @decompressor.close
178
+ end
179
+
180
+ @compressor = @decompressor = nil
181
+ end
182
+
183
+ # Returns true if the number of packets processed exceeds the maximum
184
+ # number of packets, or if the number of blocks processed exceeds the
185
+ # maximum number of blocks.
186
+ def needs_rekey?
187
+ max_packets && packets > max_packets ||
188
+ max_blocks && blocks > max_blocks
189
+ end
190
+
191
+ private
192
+
193
+ def update_next_iv(data, reset=false)
194
+ @next_iv << data
195
+ @next_iv = @next_iv[-cipher.iv_len..-1]
196
+
197
+ if reset
198
+ cipher.reset
199
+ cipher.iv = @next_iv
200
+ end
201
+
202
+ return data
203
+ end
204
+ end
205
+
206
+ end; end; end