net-ssh 1.1.4 → 2.0.0

data/lib/net/ssh/proxy/socks4.rb

@@ -1,19 +1,3 @@
-#--
-# =============================================================================
-# Copyright (c) 2004,2005 Jamis Buck (jamis@37signals.com)
-# All rights reserved.
-#
-# This source file is distributed as part of the Net::SSH Secure Shell Client
-# library for Ruby. This file (and the library as a whole) may be used only as
-# allowed by either the BSD license, or the Ruby license (or, by association
-# with the Ruby license, the GPL). See the "doc" subdirectory of the Net::SSH
-# distribution for the texts of these licenses.
-# -----------------------------------------------------------------------------
-# net-ssh website : http://net-ssh.rubyforge.org
-# project website: http://rubyforge.org/projects/net-ssh
-# =============================================================================
-#++
-
 require 'socket'
 require 'resolv'
 require 'ipaddr'
@@ -23,25 +7,39 @@ module Net
   module SSH
     module Proxy
 
-      # An implementation of a socket factory that returns a socket which
-      # will tunnel the connection through a SOCKS4 proxy. It allows explicit
-      # specification of the user, but if it is not given it will look in the
-      # SOCKS_USER and CONNECT_USER environment variables as well.
+      # An implementation of a SOCKS4 proxy. To use it, instantiate it, then
+      # pass the instantiated object via the :proxy key to Net::SSH.start:
+      #
+      #   require 'net/ssh/proxy/socks4'
+      #
+      #   proxy = Net::SSH::Proxy::SOCKS4.new('proxy.host', proxy_port, :user => 'user')
+      #   Net::SSH.start('host', 'user', :proxy => proxy) do |ssh|
+      #     ...
+      #   end
       class SOCKS4
 
-        SOCKS_VERSION = 4
+        # The SOCKS protocol version used by this class
+        VERSION = 4
+
+        # The packet type for connection requests
+        CONNECT = 1
+
+        # The status code for a successful connection
+        GRANTED = 90
+
+        # The proxy's host name or IP address, as given to the constructor.
+        attr_reader :proxy_host
 
-        SOCKS_CMD_CONNECT    = 1
+        # The proxy's port number.
+        attr_reader :proxy_port
 
-        SOCKS_GRANTED        = 90
-        SOCKS_REJECTED       = 91
-        SOCKS_IDENTD_REJECT  = 92
-        SOCKS_IDENTD_BAD     = 93
+        # The additional options that were given to the proxy's constructor.
+        attr_reader :options
 
         # Create a new proxy connection to the given proxy host and port.
-        # Optionally, a @:user@ option may be given to identify the username
+        # Optionally, a :user key may be given to identify the username
         # with which to authenticate.
-        def initialize( proxy_host, proxy_port=1080, options={} )
+        def initialize(proxy_host, proxy_port=1080, options={})
           @proxy_host = proxy_host
           @proxy_port = proxy_port
           @options = options
@@ -49,32 +47,21 @@ module Net
 
         # Return a new socket connected to the given host and port via the
         # proxy that was requested when the socket factory was instantiated.
-        def open( host, port )
-          sock = TCPSocket.new( @proxy_host, @proxy_port )
-
-          ip_addr = IPAddr.new( Resolv.getaddress( host ) )
+        def open(host, port)
+          socket = TCPSocket.new(proxy_host, proxy_port)
+          ip_addr = IPAddr.new(Resolv.getaddress(host))
           
-          packet = [ SOCKS_VERSION, SOCKS_CMD_CONNECT,
-                     port.to_i, ip_addr.to_i,
-                     proxy_user, 0 ].pack( "CCnNA*C" )
-          sock.send packet, 0
+          packet = [VERSION, CONNECT, port.to_i, ip_addr.to_i, options[:user]].pack("CCnNZ*")
+          socket.send packet, 0
 
-          version, status, port, ip = sock.recv( 8 ).unpack( "CCnN" )
-          if status != SOCKS_GRANTED
-            sock.close
+          version, status, port, ip = socket.recv(8).unpack("CCnN")
+          if status != GRANTED
+            socket.close
             raise ConnectError, "error connecting to proxy (#{status})"
           end
 
-          return sock
-        end
-
-        def proxy_user
-          return @options[ :user ] if @options[ :user ]
-          return ENV['SOCKS_USER'] if ENV['SOCKS_USER']
-          return ENV['CONNECT_USER'] if ENV['CONNECT_USER']
-          return nil
+          return socket
         end
-        private :proxy_user
 
       end
 

data/lib/net/ssh/proxy/socks5.rb

@@ -1,19 +1,3 @@
-#--
-# =============================================================================
-# Copyright (c) 2004,2005 Jamis Buck (jamis@37signals.com)
-# All rights reserved.
-#
-# This source file is distributed as part of the Net::SSH Secure Shell Client
-# library for Ruby. This file (and the library as a whole) may be used only as
-# allowed by either the BSD license, or the Ruby license (or, by association
-# with the Ruby license, the GPL). See the "doc" subdirectory of the Net::SSH
-# distribution for the texts of these licenses.
-# -----------------------------------------------------------------------------
-# net-ssh website : http://net-ssh.rubyforge.org
-# project website: http://rubyforge.org/projects/net-ssh
-# =============================================================================
-#++
-
 require 'socket'
 require 'net/ssh/proxy/errors'
 
@@ -21,41 +5,55 @@ module Net
   module SSH
     module Proxy
 
-      # An implementation of a socket factory that returns a socket which
-      # will tunnel the connection through a SOCKS5 proxy. It allows explicit
-      # specification of the user and password, but if none are given it
-      # will look in the SOCKS_USER/SOCKS_PASSWORD and
-      # CONNECT_USER/CONNECT_PASSWORD environment variables as well.
+      # An implementation of a SOCKS5 proxy. To use it, instantiate it, then
+      # pass the instantiated object via the :proxy key to Net::SSH.start:
+      #
+      #   require 'net/ssh/proxy/socks5'
+      #
+      #   proxy = Net::SSH::Proxy::SOCKS5.new('proxy.host', proxy_port,
+      #     :user => 'user', :password => "password")
+      #   Net::SSH.start('host', 'user', :proxy => proxy) do |ssh|
+      #     ...
+      #   end
       class SOCKS5
+        # The SOCKS protocol version used by this class
+        VERSION = 5
+
+        # The SOCKS authentication type for requests without authentication
+        METHOD_NO_AUTH = 0
+
+        # The SOCKS authentication type for requests via username/password
+        METHOD_PASSWD = 2
+
+        # The SOCKS authentication type for when there are no supported
+        # authentication methods.
+        METHOD_NONE = 0xFF
+
+        # The SOCKS packet type for requesting a proxy connection.
+        CMD_CONNECT = 1
+
+        # The SOCKS address type for connections via IP address.
+        ATYP_IPV4 = 1
 
-        SOCKS_VERSION = 5
+        # The SOCKS address type for connections via domain name.
+        ATYP_DOMAIN = 3
 
-        SOCKS_METHOD_NO_AUTH = 0
-        SOCKS_METHOD_GSSAPI  = 1
-        SOCKS_METHOD_PASSWD  = 2
+        # The SOCKS response code for a successful operation.
+        SUCCESS = 0
 
-        SOCKS_METHOD_NONE    = 0xFF
-        
-        SOCKS_CMD_CONNECT    = 1
+        # The proxy's host name or IP address
+        attr_reader :proxy_host
 
-        SOCKS_ATYP_IPV4      = 1
-        SOCKS_ATYP_DOMAIN    = 3
-        SOCKS_ATYP_IPV6      = 4
+        # The proxy's port number
+        attr_reader :proxy_port
 
-        SOCKS_SUCCESS        = 0
-        SOCKS_FAILURE        = 1
-        SOCKS_NOT_ALLOWED    = 2
-        SOCKS_NETWORK_UNREACHABLE = 3
-        SOCKS_HOST_UNREACHABLE = 4
-        SOCKS_REFUSED        = 5
-        SOCKS_TTL_EXPIRED    = 6
-        SOCKS_CMD_NOT_SUPPORTED = 7
-        SOCKS_ADDR_NOT_SUPPORTED = 8
+        # The map of options given at initialization
+        attr_reader :options
 
         # Create a new proxy connection to the given proxy host and port.
-        # Optionally, @:user@ and @:password@ options may be given to
+        # Optionally, :user and :password options may be given to
         # identify the username and password with which to authenticate.
-        def initialize( proxy_host, proxy_port=1080, options={} )
+        def initialize(proxy_host, proxy_port=1080, options={})
           @proxy_host = proxy_host
           @proxy_port = proxy_port
           @options = options
@@ -63,96 +61,66 @@ module Net
 
         # Return a new socket connected to the given host and port via the
         # proxy that was requested when the socket factory was instantiated.
-        def open( host, port )
-          sock = TCPSocket.new( @proxy_host, @proxy_port )
+        def open(host, port)
+          socket = TCPSocket.new(proxy_host, proxy_port)
 
-          methods = [ SOCKS_METHOD_NO_AUTH ]
-          methods << SOCKS_METHOD_PASSWD if proxy_user
+          methods = [METHOD_NO_AUTH]
+          methods << METHOD_PASSWD if options[:user]
 
-          packet = [ SOCKS_VERSION, methods.size, *methods ].pack( "C*" )
-          sock.send packet, 0
+          packet = [VERSION, methods.size, *methods].pack("C*")
+          socket.send packet, 0
 
-          version, method = sock.recv( 2 ).unpack( "CC" )
-          if version != 5
-            sock.close
-            raise Net::SSH::Proxy::Error,
-              "invalid SOCKS version (#{version})"
+          version, method = socket.recv(2).unpack("CC")
+          if version != VERSION
+            socket.close
+            raise Net::SSH::Proxy::Error, "invalid SOCKS version (#{version})"
           end
 
-          if method == SOCKS_METHOD_NONE
-            sock.close
-            raise Net::SSH::Proxy::Error,
-              "no supported authorization methods"
+          if method == METHOD_NONE
+            socket.close
+            raise Net::SSH::Proxy::Error, "no supported authorization methods"
           end
 
-          case method
-            when SOCKS_METHOD_NO_AUTH
-              # no method-dependent subnegotiation required
-
-            when SOCKS_METHOD_PASSWD
-              negotiate_password( sock )
-          end
+          negotiate_password(socket) if method == METHOD_PASSWD
 
-          packet = [ SOCKS_VERSION, SOCKS_CMD_CONNECT, 0 ].pack( "C*" )
+          packet = [VERSION, CMD_CONNECT, 0].pack("C*")
 
           if host =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/
-            packet << [ SOCKS_ATYP_IPV4, $1.to_i, $2.to_i,
-                        $3.to_i, $4.to_i ].pack( "C*" )
+            packet << [ATYP_IPV4, $1.to_i, $2.to_i, $3.to_i, $4.to_i].pack("C*")
           else
-            packet << [ SOCKS_ATYP_DOMAIN, host.length, host ].pack( "CCA*" )
+            packet << [ATYP_DOMAIN, host.length, host].pack("CCA*")
           end
 
-          packet << [ port ].pack( "n" )
-          sock.send packet, 0
+          packet << [port].pack("n")
+          socket.send packet, 0
 
-          version, reply, = sock.recv( 4 ).unpack( "C*" )
-          len = sock.recv( 1 )[0]
-          sock.recv( len + 2 )
+          version, reply, = socket.recv(4).unpack("C*")
+          len = socket.recv(1)[0]
+          socket.recv(len + 2)
 
-          unless reply == SOCKS_SUCCESS
-            sock.close
+          unless reply == SUCCESS
+            socket.close
             raise ConnectError, "#{reply}"
           end
 
-          return sock
+          return socket
         end
 
-        # Simple username/password negotiation with the SOCKS5 server.
-        def negotiate_password( socket )
-          user = proxy_user
-          passwd = proxy_password
-
-          packet = [ 0x01,
-                     user.length, user,
-                     passwd.length, passwd ].pack( "CCA*CA*" )
+        private
 
-          socket.send packet, 0
+          # Simple username/password negotiation with the SOCKS5 server.
+          def negotiate_password(socket)
+            packet = [0x01, options[:user].length, options[:user],
+              options[:password].length, options[:password]].pack("CCA*CA*")
+            socket.send packet, 0
 
-          version, status = socket.recv( 2 ).unpack( "CC" )
+            version, status = socket.recv(2).unpack("CC")
 
-          if status != SOCKS_SUCCESS
-            socket.close
-            raise UnauthorizedError, "could not authorize user"
+            if status != SUCCESS
+              socket.close
+              raise UnauthorizedError, "could not authorize user"
+            end
           end
-        end
-        private :negotiate_password
-
-        def proxy_user
-          return @options[ :user ] if @options[ :user ]
-          return ENV['SOCKS_USER'] if ENV['SOCKS_USER']
-          return ENV['CONNECT_USER'] if ENV['CONNECT_USER']
-          return nil
-        end
-        private :proxy_user
-
-        def proxy_password
-          return @options[ :password ] if @options[ :password ]
-          return ENV['SOCKS_PASSWORD'] if ENV['SOCKS_PASSWORD']
-          return ENV['CONNECT_PASSWORD'] if ENV['CONNECT_PASSWORD']
-          return ""
-        end
-        private :proxy_password
-
       end
 
     end

data/lib/net/ssh/service/forward.rb

@@ -0,0 +1,267 @@
+require 'net/ssh/loggable'
+
+module Net; module SSH; module Service
+
+  # This class implements various port forwarding services for use by
+  # Net::SSH clients. The Forward class should never need to be instantiated
+  # directly; instead, it should be accessed via the singleton instance
+  # returned by Connection::Session#forward:
+  #
+  #   ssh.forward.local(1234, "www.capify.org", 80)
+  class Forward
+    include Loggable
+
+    # The underlying connection service instance that the port-forwarding
+    # services employ.
+    attr_reader :session
+
+    # A simple class for representing a requested remote forwarded port.
+    Remote = Struct.new(:host, :port) #:nodoc:
+
+    # Instantiates a new Forward service instance atop the given connection
+    # service session. This will register new channel open handlers to handle
+    # the specialized channels that the SSH port forwarding protocols employ.
+    def initialize(session)
+      @session = session
+      self.logger = session.logger
+      @remote_forwarded_ports = {}
+      @local_forwarded_ports = {}
+      @agent_forwarded = false
+
+      session.on_open_channel('forwarded-tcpip', &method(:forwarded_tcpip))
+      session.on_open_channel('auth-agent', &method(:auth_agent_channel))
+      session.on_open_channel('auth-agent@openssh.com', &method(:auth_agent_channel))
+    end
+
+    # Starts listening for connections on the local host, and forwards them
+    # to the specified remote host/port via the SSH connection. This method
+    # accepts either three or four arguments. When four arguments are given,
+    # they are:
+    #
+    # * the local address to bind to
+    # * the local port to listen on
+    # * the remote host to forward connections to
+    # * the port on the remote host to connect to
+    #
+    # If three arguments are given, it is as if the local bind address is
+    # "127.0.0.1", and the rest are applied as above.
+    #
+    #   ssh.forward.local(1234, "www.capify.org", 80)
+    #   ssh.forward.local("0.0.0.0", 1234, "www.capify.org", 80)
+    def local(*args)
+      if args.length < 3 || args.length > 4
+        raise ArgumentError, "expected 3 or 4 parameters, got #{args.length}"
+      end
+
+      bind_address = "127.0.0.1"
+      bind_address = args.shift if args.first.is_a?(String) && args.first =~ /\D/
+
+      local_port = args.shift.to_i
+      remote_host = args.shift
+      remote_port = args.shift.to_i
+
+      socket = TCPServer.new(bind_address, local_port)
+
+      @local_forwarded_ports[[local_port, bind_address]] = socket
+
+      session.listen_to(socket) do |socket|
+        client = socket.accept
+        debug { "received connection on #{bind_address}:#{local_port}" }
+
+        channel = session.open_channel("direct-tcpip", :string, remote_host, :long, remote_port, :string, bind_address, :long, local_port) do |channel|
+          channel.info { "direct channel established" }
+        end
+
+        prepare_client(client, channel, :local)
+  
+        channel.on_open_failed do |ch, code, description|
+          channel.error { "could not establish direct channel: #{description} (#{code})" }
+          channel[:socket].close
+        end
+      end
+    end
+
+    # Terminates an active local forwarded port. If no such forwarded port
+    # exists, this will raise an exception. Otherwise, the forwarded connection
+    # is terminated.
+    #
+    #   ssh.forward.cancel_local(1234)
+    #   ssh.forward.cancel_local(1234, "0.0.0.0")
+    def cancel_local(port, bind_address="127.0.0.1")
+      socket = @local_forwarded_ports.delete([port, bind_address])
+      socket.shutdown rescue nil
+      socket.close rescue nil
+      session.stop_listening_to(socket)
+    end
+
+    # Returns a list of all active locally forwarded ports. The returned value
+    # is an array of arrays, where each element is a two-element tuple
+    # consisting of the local port and bind address corresponding to the
+    # forwarding port.
+    def active_locals
+      @local_forwarded_ports.keys
+    end
+
+    # Requests that all connections on the given remote-port be forwarded via
+    # the local host to the given port/host. The last argument describes the
+    # bind address on the remote host, and defaults to 127.0.0.1.
+    #
+    # This method will return immediately, but the port will not actually be
+    # forwarded immediately. If the remote server is not able to begin the
+    # listener for this request, an exception will be raised asynchronously.
+    #
+    # If you want to know when the connection is active, it will show up in the
+    # #active_remotes list. If you want to block until the port is active, you
+    # could do something like this:
+    #
+    #   ssh.forward.remote(80, "www.google.com", 1234, "0.0.0.0")
+    #   ssh.loop { !ssh.forward.active_remotes.include?([1234, "0.0.0.0"]) }
+    def remote(port, host, remote_port, remote_host="127.0.0.1")
+      session.send_global_request("tcpip-forward", :string, remote_host, :long, remote_port) do |success, response|
+        if success
+          debug { "remote forward from remote #{remote_host}:#{remote_port} to #{host}:#{port} established" }
+          @remote_forwarded_ports[[remote_port, remote_host]] = Remote.new(host, port)
+        else
+          error { "remote forwarding request failed" }
+          raise Net::SSH::Exception, "remote forwarding request failed"
+        end
+      end
+    end
+
+    # an alias, for token backwards compatibility with the 1.x API
+    alias :remote_to :remote
+
+    # Requests that a remote forwarded port be cancelled. The remote forwarded
+    # port on the remote host, bound to the given address on the remote host,
+    # will be terminated, but not immediately. This method returns immediately
+    # after queueing the request to be sent to the server. If for some reason
+    # the port cannot be cancelled, an exception will be raised (asynchronously).
+    #
+    # If you want to know when the connection has been cancelled, it will no
+    # longer be present in the #active_remotes list. If you want to block until
+    # the port is no longer active, you could do something like this:
+    #
+    #   ssh.forward.cancel_remote(1234, "0.0.0.0")
+    #   ssh.loop { ssh.forward.active_remotes.include?([1234, "0.0.0.0"]) }
+    def cancel_remote(port, host="127.0.0.1")
+      session.send_global_request("cancel-tcpip-forward", :string, host, :long, port) do |success, response|
+        if success
+          @remote_forwarded_ports.delete([port, host])
+        else
+          raise Net::SSH::Exception, "could not cancel remote forward request on #{host}:#{port}"
+        end
+      end
+    end
+
+    # Returns all active forwarded remote ports. The returned value is an
+    # array of two-element tuples, where the first element is the port on the
+    # remote host and the second is the bind address.
+    def active_remotes
+      @remote_forwarded_ports.keys
+    end
+
+    # Enables SSH agent forwarding on the given channel. The forwarded agent
+    # will remain active even after the channel closes--the channel is only
+    # used as the transport for enabling the forwarded connection. You should
+    # never need to call this directly--it is called automatically the first
+    # time a session channel is opened, when the connection was created with
+    # :forward_agent set to true:
+    #
+    #    Net::SSH.start("remote.host", "me", :forwrd_agent => true) do |ssh|
+    #      ssh.open_channel do |ch|
+    #        # agent will be automatically forwarded by this point
+    #      end
+    #      ssh.loop
+    #    end
+    def agent(channel)
+      return if @agent_forwarded
+      @agent_forwarded = true
+
+      channel.send_channel_request("auth-agent-req@openssh.com") do |channel, success|
+        if success
+          debug { "authentication agent forwarding is active" }
+        else
+          channel.send_channel_request("auth-agent-req") do |channel, success|
+            if success
+              debug { "authentication agent forwarding is active" }
+            else
+              error { "could not establish forwarding of authentication agent" }
+            end
+          end
+        end
+      end
+    end
+
+    private
+
+      # Perform setup operations that are common to all forwarded channels.
+      # +client+ is a socket, +channel+ is the channel that was just created,
+      # and +type+ is an arbitrary string describing the type of the channel.
+      def prepare_client(client, channel, type)
+        client.extend(Net::SSH::BufferedIo)
+        client.logger = logger
+
+        session.listen_to(client)
+        channel[:socket] = client
+
+        channel.on_data do |ch, data|
+          ch[:socket].enqueue(data)
+        end
+
+        channel.on_close do |ch|
+          debug { "closing #{type} forwarded channel" }
+          ch[:socket].close if !client.closed?
+          session.stop_listening_to(ch[:socket])
+        end
+
+        channel.on_process do |ch|
+          if ch[:socket].closed?
+            ch.info { "#{type} forwarded connection closed" }
+            ch.close
+          elsif ch[:socket].available > 0
+            data = ch[:socket].read_available(8192)
+            ch.debug { "read #{data.length} bytes from client, sending over #{type} forwarded connection" }
+            ch.send_data(data)
+          end
+        end
+      end
+
+      # The callback used when a new "forwarded-tcpip" channel is requested
+      # by the server.  This will open a new socket to the host/port specified
+      # when the forwarded connection was first requested.
+      def forwarded_tcpip(session, channel, packet)
+        connected_address  = packet.read_string
+        connected_port     = packet.read_long
+        originator_address = packet.read_string
+        originator_port    = packet.read_long
+
+        remote = @remote_forwarded_ports[[connected_port, connected_address]]
+
+        if remote.nil?
+          raise Net::SSH::ChannelOpenFailed.new(1, "unknown request from remote forwarded connection on #{connected_address}:#{connected_port}")
+        end
+
+        client = TCPSocket.new(remote.host, remote.port)
+        info { "connected #{connected_address}:#{connected_port} originator #{originator_address}:#{originator_port}" }
+
+        prepare_client(client, channel, :remote)
+      rescue SocketError => err
+        raise Net::SSH::ChannelOpenFailed.new(2, "could not connect to remote host (#{remote.host}:#{remote.port}): #{err.message}")
+      end
+
+      # The callback used when an auth-agent channel is requested by the server.
+      def auth_agent_channel(session, channel, packet)
+        info { "opening auth-agent channel" }
+        channel[:invisible] = true
+
+        begin
+          agent = Authentication::Agent.connect(logger)
+          prepare_client(agent.socket, channel, :agent)
+        rescue Exception => e
+          error { "attempted to connect to agent but failed: #{e.class.name} (#{e.message})" }
+          raise ChannelOpenFailure.new(2, "could not connect to authentication agent")
+        end
+      end
+  end
+
+end; end; end