net-ssh 0.5.0

data/lib/net/ssh/transport/version-negotiator.rb

@@ -0,0 +1,73 @@
+#--
+# =============================================================================
+# Copyright (c) 2004, Jamis Buck (jgb3@email.byu.edu)
+# All rights reserved.
+#
+# This source file is distributed as part of the Net::SSH Secure Shell Client
+# library for Ruby. This file (and the library as a whole) may be used only as
+# allowed by either the BSD license, or the Ruby license (or, by association
+# with the Ruby license, the GPL). See the "doc" subdirectory of the Net::SSH
+# distribution for the texts of these licenses.
+# -----------------------------------------------------------------------------
+# net-ssh website : http://net-ssh.rubyforge.org
+# project website: http://rubyforge.org/projects/net-ssh
+# =============================================================================
+#++
+
+require 'net/ssh/errors'
+
+module Net
+  module SSH
+    module Transport
+
+      # Manages the negotiation of the version strings between client and
+      # server.
+      class VersionNegotiator
+
+        # For processing the version header. The version reported by the server
+        # must match this pattern.
+        VERSION_LINE = /^SSH-/
+
+        # Only versions matching this pattern are supported by Net::SSH.
+        REQUIRED_VERSION_PATTERN = /^SSH-(1.99|2.0)-/
+
+        # An array of lines returned by the server prior to reporting the
+        # version.
+        attr_reader :header_lines
+
+        # Creates a new VersionNegotiator object that logs to the given logger
+        # instance.
+        def initialize( logger )
+          @logger = logger
+        end
+
+        # Negotiate version information over the given socket. This will
+        # return the version reported by the server.
+        def negotiate( socket, version )
+          server_version = ""
+          @header_lines = []
+
+          loop do
+            server_version = socket.readline
+            break if server_version.nil? || VERSION_LINE.match( server_version )
+            @header_lines << server_version
+          end
+
+          if !REQUIRED_VERSION_PATTERN.match( server_version )
+            raise Net::SSH::Exception,
+              "incompatible ssh version #{server_version.inspect}"
+          end
+
+          if @logger.debug?
+            @logger.debug "remote server is #{server_version.chomp.inspect}"
+          end
+          socket.print "#{version}\r\n"
+
+          return server_version.chomp
+        end
+
+      end
+
+    end
+  end
+end

data/lib/net/ssh/userauth/agent.rb

@@ -0,0 +1,218 @@
+#--
+# =============================================================================
+# Copyright (c) 2004, Jamis Buck (jgb3@email.byu.edu)
+# All rights reserved.
+#
+# This source file is distributed as part of the Net::SSH Secure Shell Client
+# library for Ruby. This file (and the library as a whole) may be used only as
+# allowed by either the BSD license, or the Ruby license (or, by association
+# with the Ruby license, the GPL). See the "doc" subdirectory of the Net::SSH
+# distribution for the texts of these licenses.
+# -----------------------------------------------------------------------------
+# net-ssh website : http://net-ssh.rubyforge.org
+# project website: http://rubyforge.org/projects/net-ssh
+# =============================================================================
+#++
+
+require 'net/ssh/errors'
+require 'net/ssh/transport/session'
+
+module Net
+  module SSH
+    module UserAuth
+
+      # A trivial exception class for representing agent-specific errors.
+      class AgentError < Net::SSH::Exception; end
+
+      # This class implements a simple client for the ssh-agent protocol. It
+      # does not implement any specific protocol, but instead copies the
+      # behavior of the ssh-agent functions in the OpenSSH library (3.8).
+      #
+      # This means that although it behaves like a SSH1 client, it also has
+      # some SSH2 functionality (like signing data).
+      #
+      # Also, this class relies on there being a UNIXSocket that the active
+      # ssh-agent is listening on. It expects that socket to exist at the
+      # location described by the SSH_AUTH_SOCK environment variable. Because
+      # of the dependency on UNIXSocket, the agent is not available under
+      # Windows, and I have no immediate plans to implement support for
+      # PuTTy's "pageant" utility.
+      class Agent
+        SSH2_AGENT_REQUEST_VERSION    = 1
+        SSH2_AGENT_REQUEST_IDENTITIES = 11
+        SSH2_AGENT_IDENTITIES_ANSWER  = 12
+        SSH2_AGENT_SIGN_REQUEST       = 13
+        SSH2_AGENT_SIGN_RESPONSE      = 14
+        SSH2_AGENT_FAILURE            = 30
+        SSH2_AGENT_VERSION_RESPONSE   = 103
+
+        SSH_COM_AGENT2_FAILURE        = 102
+
+        SSH_AGENT_REQUEST_RSA_IDENTITIES = 1
+        SSH_AGENT_RSA_IDENTITIES_ANSWER  = 2
+        SSH_AGENT_FAILURE                = 5
+
+        # The socket factory used to connect to the agent process. It must
+        # respond to #open, and accept a single parameter (the name of the
+        # socket to open).
+        attr_writer :socket_factory
+
+        # The name of the socket to open.
+        attr_writer :socket_name
+
+        # The version of the SSH protocol version to report.
+        attr_writer :version
+
+        # The buffer factory to use to obtain buffer instances.
+        attr_writer :buffers
+
+        # The key factory to use to obtain key instances.
+        attr_writer :keys
+
+        # Connect to the agent process using the socket factory and socket name
+        # given by the attribute writers. If the agent on the other end of the
+        # socket reports that it is an SSH2-compatible agent, this will fail
+        # (it only supports the ssh-agent distributed by OpenSSH).
+        def connect!
+          @socket = @socket_factory.open( @socket_name )
+
+          # determine what type of agent we're communicating with
+          buffer = @buffers.writer
+          buffer.write_string Net::SSH::Transport::Session.version
+          type, body = send_with_reply SSH2_AGENT_REQUEST_VERSION, buffer
+
+          if type == SSH2_AGENT_VERSION_RESPONSE
+            raise NotImplementedError, "SSH2 agents are not yet supported"
+          elsif type != SSH_AGENT_RSA_IDENTITIES_ANSWER
+            raise AgentError,
+              "unknown response from agent: #{type}, #{body.to_s.inspect}"
+          end
+        end
+
+        # Return an array of all identities (public keys) known to the agent.
+        # Each key returned is augmented with a +comment+ property which is set
+        # to the comment returned by the agent for that key.
+        def identities
+          case @version
+            when 1
+              code1 = SSH_AGENT_REQUEST_RSA_IDENTITIES
+              code2 = SSH_AGENT_RSA_IDENTITIES_ANSWER
+            when 2
+              code1 = SSH2_AGENT_REQUEST_IDENTITIES
+              code2 = SSH2_AGENT_IDENTITIES_ANSWER
+            else
+              raise NotImplementedError, "SSH version #{@version}"
+          end
+
+          type, body = send_with_reply code1
+          raise AgentError,
+            "could not get identity count" if agent_failed( type )
+          raise AgentError, "bad authentication reply: #{type}" if type != code2
+
+          identities = []
+          body.read_long.times do
+            case @version
+              when 1
+                key = @keys.get( "rsa" )
+                bits = body.read_long
+                key.e = body.read_bignum
+                key.n = body.read_bignum
+              when 2
+                blob = @buffers.reader( body.read_string )
+                key = blob.read_key
+            end
+
+            unless key.respond_to?( :comment= )
+              key.instance_eval <<-EVAL
+                def comment=(cmt)
+                  @comment = cmt
+                end
+              EVAL
+            end
+
+            unless key.respond_to?( :comment )
+              key.instance_eval <<-EVAL
+                def comment
+                  @comment
+                end
+              EVAL
+            end
+
+            key.comment = body.read_string
+            identities.push key
+          end
+
+          return identities
+        end
+
+        # Closes this socket. This agent reference is no longer able to
+        # query the agent.
+        def close
+          @socket.close
+        end
+
+        # Using the agent and the given public key, sign the given data. The
+        # signature is returned in SSH2 format.
+        def sign( key, data )
+          blob = @buffers.writer
+          blob.write_key key
+
+          packet_data = @buffers.writer
+          packet_data.write_string blob.to_s
+          packet_data.write_string data.to_s
+          packet_data.write_long 0
+
+          type, reply = send_with_reply SSH2_AGENT_SIGN_REQUEST, packet_data
+          if agent_failed( type )
+            raise AgentError,
+              "agent could not sign data with requested identity"
+          elsif type != SSH2_AGENT_SIGN_RESPONSE
+            raise AgentError, "bad authentication response #{type}"
+          end
+
+          return reply.read_string
+        end
+
+        # Send a new packet of the given type, with the associated data.
+        def send_packet( type, data=nil )
+          buffer = @buffers.writer
+          buffer.write_long( ( data ? data.length : 0 ) + 1 )
+          buffer.write_byte type.to_i
+          buffer.write data.to_s if data
+          @socket.send buffer.to_s, 0
+        end
+        private :send_packet
+
+        # Read the next packet from the agent. This will return a two-part
+        # tuple consisting of the packet type, and the packet's body (which
+        # is returned as a Net::SSH::Util::ReaderBuffer).
+        def read_packet
+          length = @socket.read( 4 ).unpack( "N" ).first - 1
+          type = @socket.read( 1 ).unpack( "C" ).first
+          reader = @buffers.reader( @socket.read( length ) )
+          return type, reader
+        end
+        private :read_packet
+
+        # Send the given packet and return the subsequent reply from the agent.
+        # (See #send_packet and #read_packet).
+        def send_with_reply( type, data=nil )
+          send_packet type, data
+          read_packet
+        end
+        private :send_with_reply
+
+        # Returns +true+ if the parameter indicates a "failure" response from
+        # the agent, and +false+ otherwise.
+        def agent_failed( type )
+          type == SSH_AGENT_FAILURE ||
+          type == SSH2_AGENT_FAILURE ||
+          type == SSH_COM_AGENT2_FAILURE
+        end
+        private :agent_failed
+
+      end
+
+    end
+  end
+end

data/lib/net/ssh/userauth/constants.rb

@@ -0,0 +1,35 @@
+#--
+# =============================================================================
+# Copyright (c) 2004, Jamis Buck (jgb3@email.byu.edu)
+# All rights reserved.
+#
+# This source file is distributed as part of the Net::SSH Secure Shell Client
+# library for Ruby. This file (and the library as a whole) may be used only as
+# allowed by either the BSD license, or the Ruby license (or, by association
+# with the Ruby license, the GPL). See the "doc" subdirectory of the Net::SSH
+# distribution for the texts of these licenses.
+# -----------------------------------------------------------------------------
+# net-ssh website : http://net-ssh.rubyforge.org
+# project website: http://rubyforge.org/projects/net-ssh
+# =============================================================================
+#++
+
+module Net
+  module SSH
+    module UserAuth
+
+      module Constants
+
+        USERAUTH_REQUEST          = 50
+        USERAUTH_FAILURE          = 51
+        USERAUTH_SUCCESS          = 52
+        USERAUTH_BANNER           = 53
+
+        USERAUTH_PASSWD_CHANGEREQ = 60
+        USERAUTH_PK_OK            = 60
+
+      end
+
+    end
+  end
+end

data/lib/net/ssh/userauth/driver.rb

@@ -0,0 +1,176 @@
+#--
+# =============================================================================
+# Copyright (c) 2004, Jamis Buck (jgb3@email.byu.edu)
+# All rights reserved.
+#
+# This source file is distributed as part of the Net::SSH Secure Shell Client
+# library for Ruby. This file (and the library as a whole) may be used only as
+# allowed by either the BSD license, or the Ruby license (or, by association
+# with the Ruby license, the GPL). See the "doc" subdirectory of the Net::SSH
+# distribution for the texts of these licenses.
+# -----------------------------------------------------------------------------
+# net-ssh website : http://net-ssh.rubyforge.org
+# project website: http://rubyforge.org/projects/net-ssh
+# =============================================================================
+#++
+
+require 'net/ssh/errors'
+require 'net/ssh/userauth/constants'
+require 'net/ssh/transport/constants'
+require 'ostruct'
+
+module Net
+  module SSH
+    module UserAuth
+
+      # A wrapper around the transport layer that represents the functionality
+      # of user authentication.
+      class Driver
+
+        include Net::SSH::UserAuth::Constants
+        include Net::SSH::Transport::Constants
+
+        # The UserKeyManager instance used by the auth service.
+        attr_writer :key_manager
+
+        # The SSH (transport) session to use for communication.
+        attr_writer :session
+
+        # The array of auth-method names (as strings), giving the order in
+        # which each auth-method will be tried.
+        attr_reader :order
+
+        # Create a new user-auth service on top of the given session.
+        def initialize( log, buffers, methods, order )
+          @log = log
+          @buffers = buffers
+          @methods = methods
+          @on_banner = proc { |msg,lang| puts msg }
+          @order = order.dup
+        end
+
+        # Causes the set of on-disk key files to be used to be set to the
+        # given array. Any key files that were specified previously are
+        # lost.
+        def set_key_files( files )
+          @key_manager.clear!
+          files.each { |file| @key_manager << file }
+        end
+
+        # Causes the set of on-disk host key files to be used to be set to the
+        # given array. Any host key files that were specified previously are
+        # lost.
+        def set_host_key_files( files )
+          @key_manager.clear_host!
+          files.each { |file| @key_manager.add_host_key file }
+        end
+
+        # Changes the set of authentication methods to try to the given array.
+        # Methods are tried in the order in which they are listed in the
+        # array.
+        def set_auth_method_order( *methods )
+          @order = methods.flatten
+        end
+
+        # Specify the callback to use when the server sends a banner message
+        # at login time.
+        def on_banner( &block )
+          @on_banner = block
+        end
+
+        # Sends the message by delegating to the session's #send_message
+        # method. (This is a convenience method for the authentication
+        # implementations.)
+        def send_message( message )
+          @session.send_message message
+        end
+
+        # Wraps the Net::SSH::Transport::Session#wait_for_message method,
+        # doing special checking for authentication-related messages.
+        def wait_for_message
+          loop do
+            type, buffer = @session.wait_for_message
+
+            case type
+              when USERAUTH_BANNER
+                message = buffer.read_string
+                language = buffer.read_string
+
+                if @log.debug?
+                  @log.debug "got USERAUTH_BANNER (#{message}:#{language})"
+                end
+
+                @on_banner.call( message, language )
+
+              when USERAUTH_FAILURE
+                authentications = buffer.read_string
+                partial_success = buffer.read_bool
+                return OpenStruct.new( :message_type    => type,
+                                       :authentications => authentications,
+                                       :partial_success => partial_success )
+
+              when USERAUTH_SUCCESS
+                return OpenStruct.new( :message_type => type )
+
+              when SERVICE_ACCEPT
+                return OpenStruct.new( :message_type => type,
+                                       :service_name => buffer.read_string )
+              
+              # authmethod-specific codes
+              when 60..79
+                return OpenStruct.new( :message_type => type,
+                                       :buffer       => buffer )
+
+              else
+                raise Net::SSH::Exception,
+                      "unexpected message type '#{type}' (#{buffer.to_s})"
+            end
+          end
+        end
+
+        # Processes the authentication of the given username. The
+        # 'next_service' parameter should be set to the SSH service that will
+        # be requested once the authentication succeeds (usually
+        # 'ssh-connection').
+        #
+        # This will return +true+ if the user is accepted by the server, and
+        # +false+ otherwise.
+        def authenticate( next_service, username, password=nil )
+          msg = @buffers.writer
+          msg.write_byte SERVICE_REQUEST
+          msg.write_string "ssh-userauth"
+          send_message msg
+
+          message = wait_for_message
+          unless message.message_type == SERVICE_ACCEPT
+            raise Net::SSH::Exception,
+              "expected SERVICE_ACCEPT, got #{message.inspect}"
+          end
+
+          data = { :password => password,
+                   :key_manager => @key_manager }
+
+          @order.each do |auth_method|
+            @log.debug "trying #{auth_method.inspect}" if @log.debug?
+
+            impl = @methods[ auth_method.downcase.gsub(/-/,"_").intern ]
+            if impl.nil?
+              raise NotImplementedError,
+                "`#{auth_method}' authentication is not implemented"
+            end
+
+            return true if impl.authenticate( next_service, username, data )
+          end
+
+          @log.debug "all authorization methods failed" if @log.debug?
+          return false
+
+        ensure
+          @key_manager.finish
+        end
+
+      end
+
+    end
+  end
+end