net-ssh 2.7.0 → 7.3.0

data/CHANGES.txt

@@ -1,3 +1,390 @@
+=== 7.3.0 rc0
+
+ * aes(128|256)gcm [#946]
+
+=== 7.2.2
+
+  * ruby 3.3.0: base64 fix
+
+=== 7.2.1 rc1
+
+  * feat: allow load of certkey from string [#926]
+  * fix: fix for  Socket#recv returning nil on ruby 3.3.0 [#928]
+
+=== 7.2.0
+
+  * Add debugging information for algorithm of pubkey in use [#918]
+
+=== 7.2.0 rc1
+
+  * Allow IdentityAgent as option to Net::SSH.start [#912]
+
+=== 7.2.0 beta1
+
+  * Support `chacha20-poly1305@opnessh.com` cypher if `RbNaCl` gem is installed [#908]
+
+=== 7.1.0
+
+  * Accept pubkey_algorithms option when starting a new connection [#891]
+
+=== 7.1.0 beta1
+
+  * Don't use the deprecated set_XXX methods on RSA keys. [#875]
+  * Raise error when BCryptPbkdf fails [#876]
+
+=== 7.0.1
+
+  * Drop leftover debug statement [#866]
+
+=== 7.0.0
+
+  * BREAKING: Drop support for Ruby 2.5
+  * Fix decoding of ecdsa-sha2-nistp256 private keys [#657, #854]
+  * Fix missing require [#855]
+  * Support `~` in the path to the SSH agent's unix socket [#850]
+  * Add support for RSA client authentication with SHA-2 [a45f54]
+  * openssl: DSA: don't hardcode expected signature size, see ruby/openssl#483 [23a15c]
+  * Internal housekeeping (rubocop, codecov, remove travis, adding/improving tests)
+
+=== 6.3.0 beta1
+
+  * Support cert based host key auth, fix asterisk in known_hosts [#833]
+  * Support kex dh-group14-sha256  [#795]
+  * Fix StrictHostKeyChecking ssh config parameter translation [#765]
+
+=== 6.2.0 rc1
+
+=== 6.2.0 beta1
+
+  * rsa-sha2-512, rsa-sha2-256 host_key algs [#771]
+  * JRuby aes*-ctr suppport [#767]
+
+=== 6.1.0
+
+  * Adapt to ssh's default behaviors when no username is provided.
+    When Net::SSH.start user is nil and config has no entry
+    we default to Etc.getpwuid.name() instead of Etc.getlogin(). [#749]
+
+=== 6.1.0.rc1
+
+  * Make sha2-{256,512}-etm@openssh.com MAC default again [#761]
+  * Support algorithm subtraction syntax from ssh_config [#751]
+
+=== 6.0.2
+
+  * Fix corrupted hmac issue in etm hmac [#759]
+
+=== 6.0.1
+
+  * Make sha2-{256,512}-etm@openssh.com MAC opt-in as they seems to have issues [#757]
+
+=== 6.0.0
+
+  * Support empty lines and comments in known_hosts [donoghuc, #742]
+  * Add sha2-{256,512}-etm@openssh.com MAC algorithms [graaff, #714]
+
+=== 6.0.0 beta2
+  
+  * Support :certkeys and CertificateFile configuration option  [Anders Carling, #722]
+
+=== 6.0.0 beta1
+
+  * curve25519sha256 support [Florian Wininger ,#690]
+  * disabled insecure algs [Florian Wininger , #709]
+
+=== 5.2.0
+
+=== 5.2.0.rc3
+
+  * Fix check_host_ip read from config
+  * Support ssh-ed25519 in known hosts
+
+=== 5.2.0.rc2
+
+  * Read check_host_ip from ssh config files
+
+=== 5.2.0.rc1
+
+  * Interpret * and ? in know_hosts file [Romain Tartière, #660]
+  * New :check_host_ip so ip checking can be disabled in known hosts [Romain Tartière, #656]
+
+=== 5.1.0
+
+=== 5.1.0.rc1
+
+  * Support new OpenSSH private key format for rsa - bcrypt for rsa (ed25519 already supported) [#646]
+  * Support IdentityAgent is ssh config [Frank Groeneveld, #645]
+  * Improve Match processing in ssh config [Aleksandrs Ļedovskis, #642]
+  * Ignore signature verification when verify_host_key is never [Piotr Kliczewski, #641]
+  * Alg preference was changed to prefer stronger encryptions  [Tray, #637]
+
+=== 5.0.2
+
+  * Fix ctr for jruby [#612]
+
+=== 5.0.1
+
+  * default_keys were not loaded even if no keys or key_data options specified [#607]
+
+=== 5.0.0
+
+ * Breaking change: ed25519 now requires ed25519 gem instead of RbNaCl gem [#563]
+ * Verify_host_key options rename (true, false, :very, :secure depreacted new equivalents are :never, :accept_new_or_local_tunnel :accept_new :always) [Jared Beck, #595]
+
+=== 5.0.0.rc2
+
+ * Add .dll extensions to dlopen on cygwin [#603]
+ * Fix host certificate validation [#601]
+
+=== 5.0.0.rc1
+
+ * Fix larger than 4GB file transfers [#599]
+ * Update HTTP proxy to version 1.1 [Connor Dunn, #597]
+
+=== 5.0.0.beta2
+
+ * Support for sha256 pubkey fingerprint [Tom Maher, #585]
+ * Don't try to load default_keys if key_data option is used [Josh Larson, #589]
+ * Added fingerprint_hash defaulting to SHA256 as fingerprint format, and MD5 can be used as an option [Miklós Fazekas, #591]
+
+=== 5.0.0.beta1
+
+ * Don't leave proxy command as zombie on timeout [DimitriosLisenko, #560]
+ * Use OpenSSL for aes*-ctr for up to 5x throughput improvement [Miklós Fazekas, Harald Sitter, #570]
+ * Optimize slice! usage in CTR for up to 2x throughput improvement [Harald Sitter, #569]
+ * Replace RbNaCl dependency with ed25519 gem [Tony Arcieri ,#563]
+ * Add initial Match support [Kasumi Hanazuki,  #553]
+
+=== 4.2.0.rc2
+
+ * Fix double close bug on auth failure (or ruby 2.2 or earlier) [#538]
+
+=== 4.2.0.rc1
+
+ * Improved logging with proxy command [Dmitriy Ivliev, #530]
+ * Close transport on proxy error [adamruzicka, #526]
+ * Support multiple identity files [Kimura Masayuki, #528]
+ * Move `none` cipher to end of cipher list [Brian Cain, #525]
+ * Deprecate `:paranoid` in favor of `:verify_host_key` [Jared Beck, #524]
+ * Support Multile Include ssh config files [Kasumi Hanazuki, #516]
+ * Support Relative path in ssh confif files [Akinori MUSHA, #510]
+ * add direct-streamlocal@openssh.com support in Forward class [Harald Sitter, #502]
+
+=== 4.1.0
+=== 4.1.0.rc1
+
+ * ProxyJump support [Ryan McGeary, #500]
+ * Fix agent detection on Windows [Christian Koehler, #495]
+
+=== 4.1.0.beta1
+
+ * Fix nil error when libsodium is not there [chapmajs ,#488]
+ * SSH certificate support for client auth [David Bartley, #485]
+
+=== 4.0.1
+=== 4.0.1.rc2
+
+ * ENV["HOME"] might be empty so filter non expandable paths [Matt Casper, #351]
+
+=== 4.0.1.rc1
+
+ * support of rbnacl 4.0 and better error message [#479]
+ * support include in config files [Kimura Masayuki, #475]
+ * fixed issue with ruby 2.2 or older on windows [#472]
+
+=== 4.0.0
+=== 4.0.0.rc3
+
+ * parse `+` character in config files [Christoph Lupprich, #470, #314]
+
+=== 4.0.0.rc2
+
+ * Fixed OpenSSL 2.0/Ruby 2.4.0 warnings [Miklós Fazekas, #468]
+ * Added ssh-ed25519 to KnownHosts:SUPPORTED_TYPE [detatka-kuzlatka-otevrete, Miklós Fazekas, #459]
+ * Allow nil for :passhrase and passing in nil option is now a depreaction warning [Miklós Fazekas, #465]
+
+=== 4.0.0.rc1
+
+ * Allow :password to be nil for capistrano v2 compatibility [Will Bryant, #357]
+ * In next_packet if prefer consuming buffer before filling it again if we have enough data [Miklós Fazekas, #454]
+
+=== 4.0.0.beta4
+
+ * Added exitstatus method to exec's return [Miklós Fazekas, #452]
+ * Don't raise from exec if server closes transport just after channel close [Miklós Fazekas, #450]
+ * Removed java_pageant, as jruby should be using regular pagent impl [Miklós Fazekas, ]
+ * Use SSH_AUTH_SOCK if possible on windows (cygwin) [Miklós Fazekas, Martin Dürst, #365, #361]
+ * HTTPS proxy support [Marcus Ilgner, #432]
+ * Supports ruby 2.4.0.dev new exception type from OpenSSL::PKey.read
+
+=== 4.0.0.beta3
+
+ * Fix Net::SSH::Disconnect exceptions when channels are closed cleanly [Miklos Fazekas, #421, #422]
+
+=== 4.0.0.beta2
+
+ * Fix raiseUnlessLoaded undefined ERROR issue [Miklos Fazekas, #418]
+
+=== 4.0.0.beta1
+
+* Fix pageant [elconas, #235]
+* Relaxed rbnacl,rbnacl-selenium contstraints ang give better errors about them [Miklos Fazekas, #398]
+* Fix UTF-8 encoding issues [Ethan J. Brown, #407]
+
+=== 4.0.0.alpha4
+
+* Experimental event loop abstraction [Miklos Fazekas]
+* RbNacl dependency is optional [Miklos Fazekas]
+* agent_socket_factory option [Alon Goldboim]
+* client sends KEXINIT, it doesn't have to wait for server [Miklos Fazekas]
+* better error message when option is nil [Kane Morgan]
+* prompting can be customized [Miklos Fazekas]
+
+=== 4.0.0.alpha3
+
+* added max_select_wait_time [Eugene Kenny]
+
+=== 4.0.0.alpha2
+
+* when transport closes we're cleaning up channels [Miklos Fazekas]
+
+=== 4.0.0.alpha1
+
+* ed25519 key support [Miklos Fazekas]
+* removed camellia [Miklos Fazekas]
+
+=== 3.1.0
+=== 3.1.0.rc1
+
+* fix Secure#verify [Jean Boussier]
+* use the smallest of don't spend longer time than keepalive if it's configured [Eugene Kenny]
+
+=== 3.1.0.beta3
+
+* forward/on_open_failed should stop listning closed socket otherwise it locks #269 [Miklos Fazekas,Scott McGillivray]
+* fix incorrect pattern handling in config files #310 [Miklos Fazekas]
+
+=== 3.1.0.beta2
+
+* trying to execute something on a not yet opend channel throws nicer messag [Miklos Fazekas]
+* calling close on a not opened channel marks the channel for close [Miklos Fazekas]
+* read keepalive configuration from ssh config files [Miklos Fazekas]
+* send client version on hadshake before waiting for server to reduce handshake time [Miklos Fazekas]
+* allow custom Net::SSH::KnownHosts implementations [Jean Boussier]
+* memoize known host so we only search it once per session [Jean Boussier, Miklos Fazekas]
+
+=== 3.0.2
+=== 3.0.2.rc1
+
+* fixed rare WaitWritable error with proxy commands [Miklos Fazkas, Andre Meij]]
+* if Net::SSH.start user is nil and config has no entry we default to Etc.getlogin
+* Bugfix: CHANNEL_CLOSE was sent before draining ouput buffer #280 [Christopher F. Auston]
+
+=== 3.0.1
+=== 3.0.1.rc1
+
+* Breaking change from 2.* series: exec! without block now returns empty string instread of nil if command has no output [https://github.com/net-ssh/net-ssh/pull/273]
+* Support remote_user as %r in proxy commands [Dominic Scheirlinck]
+* Raise Net::SSH::ConnectionTimeout from connection timeout [Carl Hoerberg]
+
+=== 3.0.0.rc1
+
+* SemVer: Major version change because of dropping of ruby 1.9
+
+=== 2.10.1.rc2
+
+* Win: Use fiddle on ruby 2.1 too [Charlie Savage]
+
+=== 2.10.1.rc1
+
+* Added ruby 2.0 requirement to gemspec [Alex Schultz]
+
+=== 2.10.0
+
+=== 2.10.0-beta2
+
+* Fix :passphrase option with :non_interactive [Jeremy Stanley]
+* Use Socket.tcp with connect_timeout instead of Timeout::timeout [Carl Hörberg]
+* Support for hostname hashes [Jef Mathiot]
+* Ruby 1.9.3 is no longer supported but should moslty work expect for stuff like connect_timeout
+
+=== 2.10.0-beta1
+
+* Fix could not parse PKey error. [Andrey Voronkov]
+* Workaround for threading issue in MRI + singleton method declaration [Matt Brictson]
+* Configuration change: we no longer append all supported algorithms, this is so you can exclude insecure algorithms. If you want to use the old behaviour specify append_all_supported_algorithms => true [voidus, mfazekas]
+* New configuration option: :non_interactive => true in case you prefer an authmethod to fail rather than prompt. [mfazekas]
+* Configuration change: password will now ask for password up to the :number_of_password_prompts times. If you want the
+2.9.1 behaviour of never asking password please set number_of_password_prompts to 0.
+
+=== 2.9.4-beta1
+
+* Use sysread and syswrite on Windows instead of read_nonblock and write [marc-etienne]
+* Windows/peagant: use fiddle on ruby 2.2+/windows [Charlie Savage]
+* Check if ssh key is a file [kiela]
+
+=== 2.9.3
+
+=== 2.9.2-rc3
+
+* Remove advertised algorithms that were not working (curve25519-sha256@libssh.org) [mfazekas]
+
+=== 2.9.2-rc2
+
+* number_of_password_prompts is now accepted as ssh option, by setting it 0 net-ssh will not ask for password for password auth as with previous versions [mfazekas]
+
+=== 2.9.2-rc1
+
+* Documentation fixes and refactoring to keepalive [detiber, mfazekas]
+
+=== 2.9.2-beta
+
+* Remove advertised algorithms that were not working (ssh-rsa-cert-* *ed25519 acm*-gcm@openssh.com) [mfazekas]
+* Unknown algorithms now ignored instead of failed [mfazekas]
+* Configuration change: Asks for password with password auth (up to number_of_password_prompts) [mfazekas]
+* Removed warnings [amatsuda]
+
+=== 2.9.1 / 13 May 2014
+
+* Fix for unknown response from agent on Windows with 64-bit PuTTY [chrahunt]
+* Support negative patterns in host lookup from the SSH config file [nirvdrum]
+
+
+=== 2.9.0 / 30 Apr 2014
+
+* New ciphers [chr4]
+  * Added host keys: ssh-rsa-cert-v01@openssh.com ssh-rsa-cert-v00@openssh.com ssh-ed25519-cert-v01@openssh.com ssh-ed25519
+  * Added HMACs: hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com umac-128-etm@openssh.com
+  * Added Kex: aes256-gcm@openssh.com aes128-gcm@openssh.com curve25519-sha256@libssh.org
+  * Added private key support for id_ed25519
+* IdentiesOnly will not disable ssh_agent - fixes #148 and new fix for #137 [mfazekas]
+* Ignore errors during ssh agent negotiation [simonswine, jasiek]
+* Added an optional "options" argument to test socket open method [jefmathiot]
+* Added gem signing (again) with new cert [delano]
+
+
+=== 2.8.1 / 19 Feb 2014
+
+* Correct location of global known_hosts files [mfischer-zd]
+* Fix for password authentication [blackpond, zachlipton, delano]
+
+
+=== 2.8.0 / 01 Feb 2014
+
+* Handle ssh-rsa and ssh-dss certificate files [bobveznat]
+* Correctly interpret /etc/ssh_config Authentication settings based on openssh /etc/ssh_config system defaults [therealjessesanford, liggitt]
+* Fixed pageant support for Windows [jarredholman]
+* Support %r in ProxyCommand configuration in ssh_config files as defined in OpenSSH [yugui]
+* Don't use ssh-agent if :keys_only is true [SFEley]
+* Fix the bug in keys with comments [bobtfish]
+* Add a failing tests for options in pub keys [bobtfish]
+* Assert that the return value from ssh block is returned [carlhoerberg]
+* Don't close the connection it's already closed [carlhoerberg]
+* Ensure the connection closes even on exception [carlhoerberg]
+* Make the authentication error message more useful [deric]
+* Fix "ConnectionError" typo in lib/net/ssh/proxy/socks5.rb [mirakui]
+* Allow KeyManager to recover from incompatible agents [ecki, delano]
+* Fix for "Authentication Method determination can pick up a class from the root namespace" [dave.sieh]
 
 
 === 2.7.0 / 11 Sep 2013

data/DEVELOPMENT.md

@@ -0,0 +1,23 @@
+### Development notes
+
+## Building/running ssh server in debug mode
+
+clone the openssh server from `https://github.com/openssh/openssh-portable`
+
+```sh
+brew install openssl
+/usr/local/Cellar/openssl@3/3.1.0/bin/openssl
+
+autoreconf
+./configure --with-ssl-dir=/usr/local/Cellar/openssl@3/3.1.0/ --with-audit=debug --enable-debug CPPFLAGS="-DDEBUG -DPACKET_DEBUG" CFLAGS="-g -O0"
+make
+```
+
+To run server in debug mode:
+```sh
+echo '#' > /tmp/sshd_config
+ssh-keygen -t rsa -f /tmp/ssh_host_rsa_key
+# /Users/boga/Work/OSS/NetSSH/openssh-portable/sshd -p 2222 -D -d -d -d -e -f /tmp/sshd_config
+/Users/boga/Work/OSS/NetSSH/openssh-portable/sshd -p 2222 -D -d -d -d -e -f /tmp/sshd_config -h /tmp/ssh_host_rsa_key
+
+```

data/Dockerfile

@@ -0,0 +1,29 @@
+ARG RUBY_VERSION=3.1
+FROM ruby:${RUBY_VERSION}
+
+ARG BUNDLERV=
+
+RUN apt update && apt install -y openssh-server sudo netcat-openbsd \
+  && useradd --create-home --shell '/bin/bash' --comment 'NetSSH' 'net_ssh_1' \
+  && useradd --create-home --shell '/bin/bash' --comment 'NetSSH' 'net_ssh_2' \
+  && echo net_ssh_1:foopwd | chpasswd \
+  && echo net_ssh_2:foo2pwd | chpasswd \
+  && mkdir -p /home/net_ssh_1/.ssh \
+  && mkdir -p /home/net_ssh_2/.ssh \
+  && echo "net_ssh_1 ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers \
+  && echo "net_ssh_2 ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers \
+  && ssh-keygen -f /etc/ssh/users_ca -N ''
+
+ENV INSTALL_PATH="/netssh"
+
+WORKDIR $INSTALL_PATH
+
+COPY Gemfile net-ssh.gemspec $INSTALL_PATH/
+
+COPY lib/net/ssh/version.rb $INSTALL_PATH/lib/net/ssh/version.rb
+
+RUN gem install bundler ${BUNDLERV}  && bundle install
+
+COPY . $INSTALL_PATH/
+
+CMD service ssh start && rake test && NET_SSH_NO_ED25519=1 rake test

data/Dockerfile.openssl3

@@ -0,0 +1,17 @@
+FROM ubuntu:22.04
+
+ENV INSTALL_PATH="/netssh"
+
+RUN apt update && apt install -y openssl ruby ruby-dev git build-essential
+
+WORKDIR $INSTALL_PATH
+
+COPY Gemfile net-ssh.gemspec $INSTALL_PATH/
+
+COPY lib/net/ssh/version.rb $INSTALL_PATH/lib/net/ssh/version.rb
+
+RUN ls -l && gem install bundler && bundle install
+
+COPY . $INSTALL_PATH/
+
+CMD openssl version && ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION' && rake test

data/Gemfile

@@ -0,0 +1,13 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in mygem.gemspec
+gemspec
+
+gem 'byebug', group: %i[development test] if !Gem.win_platform? && RUBY_ENGINE == "ruby"
+
+if ENV["CI"]
+  gem 'codecov', require: false, group: :test
+  gem 'simplecov', require: false, group: :test
+end
+
+gem 'webrick', group: %i[development test] if RUBY_VERSION.split(".")[0].to_i >= 3

data/Gemfile.noed25519

@@ -0,0 +1,12 @@
+source 'https://rubygems.org'
+
+ENV['NET_SSH_NO_ED25519'] = 'true'
+# Specify your gem's dependencies in mygem.gemspec
+gemspec
+
+if ENV["CI"] && !Gem.win_platform?
+  gem 'simplecov', require: false, group: :test
+  gem 'codecov', require: false, group: :test
+end
+
+gem 'webrick', group: %i[development test] if RUBY_VERSION.split(".")[0].to_i >= 3

data/Gemfile.norbnacl

@@ -0,0 +1,12 @@
+source 'https://rubygems.org'
+
+ENV['NET_SSH_NO_RBNACL'] = 'true'
+# Specify your gem's dependencies in mygem.gemspec
+gemspec
+
+if ENV["CI"] && !Gem.win_platform?
+  gem 'simplecov', require: false, group: :test
+  gem 'codecov', require: false, group: :test
+end
+
+gem 'webrick', group: %i[development test] if RUBY_VERSION.split(".")[0].to_i >= 3

data/ISSUE_TEMPLATE.md

@@ -0,0 +1,30 @@
+### Expected behavior
+
+Tell us what should happen
+
+### Actual behavior
+
+Tell us what happens instead.
+
+### System configuration
+
+- net-ssh version
+- Ruby version
+
+### Example App
+
+Please provide an example script that reproduces the problem. This will save maintainers time so they can spend it fixing your issues instead of trying to build a reproduction case from sparse instructions.
+
+You can use this as stating point:
+
+```ruby
+gem 'net-ssh', '= 4.0.0.beta3'
+require 'net/ssh'
+puts Net::SSH::Version::CURRENT
+
+@host = 'localhost'
+@user = ENV['USER']
+Net::SSH.start(@host, @user) do |ssh|
+  puts ssh.exec!('echo "hello"')
+end
+```

data/Manifest

@@ -33,7 +33,6 @@ lib/net/ssh/proxy/errors.rb
 lib/net/ssh/proxy/http.rb
 lib/net/ssh/proxy/socks4.rb
 lib/net/ssh/proxy/socks5.rb
-lib/net/ssh/ruby_compat.rb
 lib/net/ssh/service/forward.rb
 lib/net/ssh/test.rb
 lib/net/ssh/test/channel.rb
@@ -75,10 +74,10 @@ lib/net/ssh/transport/packet_stream.rb
 lib/net/ssh/transport/server_version.rb
 lib/net/ssh/transport/session.rb
 lib/net/ssh/transport/state.rb
-lib/net/ssh/verifiers/lenient.rb
-lib/net/ssh/verifiers/null.rb
-lib/net/ssh/verifiers/secure.rb
-lib/net/ssh/verifiers/strict.rb
+lib/net/ssh/verifiers/accept_new.rb
+lib/net/ssh/verifiers/accept_new_or_local_tunnel.rb
+lib/net/ssh/verifiers/always.rb
+lib/net/ssh/verifiers/never.rb
 lib/net/ssh/version.rb
 net-ssh.gemspec
 setup.rb