net-ssh 2.7.0 → 7.3.0

data/lib/net/ssh/authentication/agent.rb

@@ -2,22 +2,283 @@ require 'net/ssh/buffer'
 require 'net/ssh/errors'
 require 'net/ssh/loggable'
 
-module Net; module SSH; module Authentication
-  PLATFORM = File::ALT_SEPARATOR \
-    ? RUBY_PLATFORM =~ /java/ ? :java_win32 : :win32 \
-    : RUBY_PLATFORM =~ /java/ ? :java : :unix
-
-  # A trivial exception class for representing agent-specific errors.
-  class AgentError < Net::SSH::Exception; end
-
-  # An exception for indicating that the SSH agent is not available.
-  class AgentNotAvailable < AgentError; end
-end; end; end
-
-case Net::SSH::Authentication::PLATFORM
-when :java_win32
-  # Java pageant requires whole different agent.
-  require 'net/ssh/authentication/agent/java_pageant'
-else
-  require 'net/ssh/authentication/agent/socket'
+require 'net/ssh/transport/server_version'
+require 'socket'
+require 'rubygems'
+
+require 'net/ssh/authentication/pageant' if Gem.win_platform? && RUBY_PLATFORM != "java"
+
+module Net
+  module SSH
+    module Authentication
+      # Class for representing agent-specific errors.
+      class AgentError < Net::SSH::Exception; end
+
+      # An exception for indicating that the SSH agent is not available.
+      class AgentNotAvailable < AgentError; end
+
+      # This class implements a simple client for the ssh-agent protocol. It
+      # does not implement any specific protocol, but instead copies the
+      # behavior of the ssh-agent functions in the OpenSSH library (3.8).
+      #
+      # This means that although it behaves like a SSH1 client, it also has
+      # some SSH2 functionality (like signing data).
+      class Agent
+        include Loggable
+
+        # A simple module for extending keys, to allow comments to be specified
+        # for them.
+        module Comment
+          attr_accessor :comment
+        end
+
+        SSH2_AGENT_REQUEST_VERSION       = 1
+        SSH2_AGENT_REQUEST_IDENTITIES    = 11
+        SSH2_AGENT_IDENTITIES_ANSWER     = 12
+        SSH2_AGENT_SIGN_REQUEST          = 13
+        SSH2_AGENT_SIGN_RESPONSE         = 14
+        SSH2_AGENT_ADD_IDENTITY          = 17
+        SSH2_AGENT_REMOVE_IDENTITY       = 18
+        SSH2_AGENT_REMOVE_ALL_IDENTITIES = 19
+        SSH2_AGENT_LOCK                  = 22
+        SSH2_AGENT_UNLOCK                = 23
+        SSH2_AGENT_ADD_ID_CONSTRAINED    = 25
+        SSH2_AGENT_FAILURE               = 30
+        SSH2_AGENT_VERSION_RESPONSE      = 103
+
+        SSH_COM_AGENT2_FAILURE = 102
+
+        SSH_AGENT_REQUEST_RSA_IDENTITIES = 1
+        SSH_AGENT_RSA_IDENTITIES_ANSWER1 = 2
+        SSH_AGENT_RSA_IDENTITIES_ANSWER2 = 5
+        SSH_AGENT_FAILURE                = 5
+        SSH_AGENT_SUCCESS                = 6
+
+        SSH_AGENT_CONSTRAIN_LIFETIME = 1
+        SSH_AGENT_CONSTRAIN_CONFIRM  = 2
+
+        SSH_AGENT_RSA_SHA2_256 = 0x02
+        SSH_AGENT_RSA_SHA2_512 = 0x04
+
+        # The underlying socket being used to communicate with the SSH agent.
+        attr_reader :socket
+
+        # Instantiates a new agent object, connects to a running SSH agent,
+        # negotiates the agent protocol version, and returns the agent object.
+        def self.connect(logger = nil, agent_socket_factory = nil, identity_agent = nil)
+          agent = new(logger)
+          agent.connect!(agent_socket_factory, identity_agent)
+          agent.negotiate!
+          agent
+        end
+
+        # Creates a new Agent object, using the optional logger instance to
+        # report status.
+        def initialize(logger = nil)
+          self.logger = logger
+        end
+
+        # Connect to the agent process using the socket factory and socket name
+        # given by the attribute writers. If the agent on the other end of the
+        # socket reports that it is an SSH2-compatible agent, this will fail
+        # (it only supports the ssh-agent distributed by OpenSSH).
+        def connect!(agent_socket_factory = nil, identity_agent = nil)
+          debug { "connecting to ssh-agent" }
+          @socket =
+            if agent_socket_factory
+              agent_socket_factory.call
+            elsif identity_agent
+              unix_socket_class.open(File.expand_path(identity_agent))
+            elsif ENV['SSH_AUTH_SOCK'] && unix_socket_class
+              unix_socket_class.open(File.expand_path(ENV['SSH_AUTH_SOCK']))
+            elsif Gem.win_platform? && RUBY_ENGINE != "jruby"
+              Pageant::Socket.open
+            else
+              raise AgentNotAvailable, "Agent not configured"
+            end
+        rescue StandardError => e
+          error { "could not connect to ssh-agent: #{e.message}" }
+          raise AgentNotAvailable, $!.message
+        end
+
+        # Attempts to negotiate the SSH agent protocol version. Raises an error
+        # if the version could not be negotiated successfully.
+        def negotiate!
+          # determine what type of agent we're communicating with
+          type, body = send_and_wait(SSH2_AGENT_REQUEST_VERSION, :string, Transport::ServerVersion::PROTO_VERSION)
+
+          raise AgentNotAvailable, "SSH2 agents are not yet supported" if type == SSH2_AGENT_VERSION_RESPONSE
+
+          if type == SSH2_AGENT_FAILURE
+            debug { "Unexpected response type==#{type}, this will be ignored" }
+          elsif type != SSH_AGENT_RSA_IDENTITIES_ANSWER1 && type != SSH_AGENT_RSA_IDENTITIES_ANSWER2
+            raise AgentNotAvailable, "unknown response from agent: #{type}, #{body.to_s.inspect}"
+          end
+        end
+
+        # Return an array of all identities (public keys) known to the agent.
+        # Each key returned is augmented with a +comment+ property which is set
+        # to the comment returned by the agent for that key.
+        def identities
+          type, body = send_and_wait(SSH2_AGENT_REQUEST_IDENTITIES)
+          raise AgentError, "could not get identity count" if agent_failed(type)
+          raise AgentError, "bad authentication reply: #{type}" if type != SSH2_AGENT_IDENTITIES_ANSWER
+
+          identities = []
+          body.read_long.times do
+            key_str = body.read_string
+            comment_str = body.read_string
+            begin
+              key = Buffer.new(key_str).read_key
+              if key.nil?
+                error { "ignoring invalid key: #{comment_str}" }
+                next
+              end
+              key.extend(Comment)
+              key.comment = comment_str
+              identities.push key
+            rescue NotImplementedError => e
+              error { "ignoring unimplemented key:#{e.message} #{comment_str}" }
+            end
+          end
+
+          return identities
+        end
+
+        # Closes this socket. This agent reference is no longer able to
+        # query the agent.
+        def close
+          @socket.close
+        end
+
+        # Using the agent and the given public key, sign the given data. The
+        # signature is returned in SSH2 format.
+        def sign(key, data, flags = 0)
+          type, reply = send_and_wait(SSH2_AGENT_SIGN_REQUEST, :string, Buffer.from(:key, key), :string, data, :long, flags)
+
+          raise AgentError, "agent could not sign data with requested identity" if agent_failed(type)
+          raise AgentError, "bad authentication response #{type}" if type != SSH2_AGENT_SIGN_RESPONSE
+
+          return reply.read_string
+        end
+
+        # Adds the private key with comment to the agent.
+        # If lifetime is given, the key will automatically be removed after lifetime
+        # seconds.
+        # If confirm is true, confirmation will be required for each agent signing
+        # operation.
+        def add_identity(priv_key, comment, lifetime: nil, confirm: false)
+          constraints = Buffer.new
+          if lifetime
+            constraints.write_byte(SSH_AGENT_CONSTRAIN_LIFETIME)
+            constraints.write_long(lifetime)
+          end
+          constraints.write_byte(SSH_AGENT_CONSTRAIN_CONFIRM) if confirm
+
+          req_type = constraints.empty? ? SSH2_AGENT_ADD_IDENTITY : SSH2_AGENT_ADD_ID_CONSTRAINED
+          type, = send_and_wait(req_type, :string, priv_key.ssh_type, :raw, blob_for_add(priv_key),
+                                :string, comment, :raw, constraints)
+          raise AgentError, "could not add identity to agent" if type != SSH_AGENT_SUCCESS
+        end
+
+        # Removes key from the agent.
+        def remove_identity(key)
+          type, = send_and_wait(SSH2_AGENT_REMOVE_IDENTITY, :string, key.to_blob)
+          raise AgentError, "could not remove identity from agent" if type != SSH_AGENT_SUCCESS
+        end
+
+        # Removes all identities from the agent.
+        def remove_all_identities
+          type, = send_and_wait(SSH2_AGENT_REMOVE_ALL_IDENTITIES)
+          raise AgentError, "could not remove all identity from agent" if type != SSH_AGENT_SUCCESS
+        end
+
+        # lock the ssh agent with password
+        def lock(password)
+          type, = send_and_wait(SSH2_AGENT_LOCK, :string, password)
+          raise AgentError, "could not lock agent" if type != SSH_AGENT_SUCCESS
+        end
+
+        # unlock the ssh agent with password
+        def unlock(password)
+          type, = send_and_wait(SSH2_AGENT_UNLOCK, :string, password)
+          raise AgentError, "could not unlock agent" if type != SSH_AGENT_SUCCESS
+        end
+
+        private
+
+        def unix_socket_class
+          defined?(UNIXSocket) && UNIXSocket
+        end
+
+        # Send a new packet of the given type, with the associated data.
+        def send_packet(type, *args)
+          buffer = Buffer.from(*args)
+          data = [buffer.length + 1, type.to_i, buffer.to_s].pack("NCA*")
+          debug { "sending agent request #{type} len #{buffer.length}" }
+          @socket.send data, 0
+        end
+
+        # Read the next packet from the agent. This will return a two-part
+        # tuple consisting of the packet type, and the packet's body (which
+        # is returned as a Net::SSH::Buffer).
+        def read_packet
+          buffer = Net::SSH::Buffer.new(@socket.read(4))
+          buffer.append(@socket.read(buffer.read_long))
+          type = buffer.read_byte
+          debug { "received agent packet #{type} len #{buffer.length - 4}" }
+          return type, buffer
+        end
+
+        # Send the given packet and return the subsequent reply from the agent.
+        # (See #send_packet and #read_packet).
+        def send_and_wait(type, *args)
+          send_packet(type, *args)
+          read_packet
+        end
+
+        # Returns +true+ if the parameter indicates a "failure" response from
+        # the agent, and +false+ otherwise.
+        def agent_failed(type)
+          type == SSH_AGENT_FAILURE ||
+            type == SSH2_AGENT_FAILURE ||
+            type == SSH_COM_AGENT2_FAILURE
+        end
+
+        def blob_for_add(priv_key)
+          # Ideally we'd have something like `to_private_blob` on the various key types, but the
+          # nuances with encoding (e.g. `n` and `e` are reversed for RSA keys) make this impractical.
+          case priv_key.ssh_type
+          when /^ssh-dss$/
+            Net::SSH::Buffer.from(:bignum, priv_key.p, :bignum, priv_key.q, :bignum, priv_key.g,
+                                  :bignum, priv_key.pub_key, :bignum, priv_key.priv_key).to_s
+          when /^ssh-dss-cert-v01@openssh\.com$/
+            Net::SSH::Buffer.from(:string, priv_key.to_blob, :bignum, priv_key.key.priv_key).to_s
+          when /^ecdsa\-sha2\-(\w*)$/
+            curve_name = OpenSSL::PKey::EC::CurveNameAliasInv[priv_key.group.curve_name]
+            Net::SSH::Buffer.from(:string, curve_name, :mstring, priv_key.public_key.to_bn.to_s(2),
+                                  :bignum, priv_key.private_key).to_s
+          when /^ecdsa\-sha2\-(\w*)-cert-v01@openssh\.com$/
+            Net::SSH::Buffer.from(:string, priv_key.to_blob, :bignum, priv_key.key.private_key).to_s
+          when /^ssh-ed25519$/
+            Net::SSH::Buffer.from(:string, priv_key.public_key.verify_key.to_bytes,
+                                  :string, priv_key.sign_key.keypair).to_s
+          when /^ssh-ed25519-cert-v01@openssh\.com$/
+            # Unlike the other certificate types, the public key is included after the certifiate.
+            Net::SSH::Buffer.from(:string, priv_key.to_blob,
+                                  :string, priv_key.key.public_key.verify_key.to_bytes,
+                                  :string, priv_key.key.sign_key.keypair).to_s
+          when /^ssh-rsa$/
+            # `n` and `e` are reversed compared to the ordering in `OpenSSL::PKey::RSA#to_blob`.
+            Net::SSH::Buffer.from(:bignum, priv_key.n, :bignum, priv_key.e, :bignum, priv_key.d,
+                                  :bignum, priv_key.iqmp, :bignum, priv_key.p, :bignum, priv_key.q).to_s
+          when /^ssh-rsa-cert-v01@openssh\.com$/
+            Net::SSH::Buffer.from(:string, priv_key.to_blob, :bignum, priv_key.key.d,
+                                  :bignum, priv_key.key.iqmp, :bignum, priv_key.key.p,
+                                  :bignum, priv_key.key.q).to_s
+          end
+        end
+      end
+    end
+  end
 end

data/lib/net/ssh/authentication/certificate.rb

@@ -0,0 +1,183 @@
+require 'securerandom'
+
+module Net
+  module SSH
+    module Authentication
+      # Class for representing an SSH certificate.
+      #
+      # http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.bin/ssh/PROTOCOL.certkeys?rev=1.10&content-type=text/plain
+      class Certificate
+        attr_accessor :nonce
+        attr_accessor :key
+        attr_accessor :serial
+        attr_accessor :type
+        attr_accessor :key_id
+        attr_accessor :valid_principals
+        attr_accessor :valid_after
+        attr_accessor :valid_before
+        attr_accessor :critical_options
+        attr_accessor :extensions
+        attr_accessor :reserved
+        attr_accessor :signature_key
+        attr_accessor :signature
+
+        # Read a certificate blob associated with a key of the given type.
+        def self.read_certblob(buffer, type)
+          cert = Certificate.new
+          cert.nonce = buffer.read_string
+          cert.key = buffer.read_keyblob(type)
+          cert.serial = buffer.read_int64
+          cert.type = type_symbol(buffer.read_long)
+          cert.key_id = buffer.read_string
+          cert.valid_principals = buffer.read_buffer.read_all(&:read_string)
+          cert.valid_after = Time.at(buffer.read_int64)
+
+          cert.valid_before = if RUBY_PLATFORM == "java"
+                                # 0x20c49ba5e353f7 = 0x7fffffffffffffff/1000, the largest value possible for JRuby
+                                # JRuby Time.at multiplies the arg by 1000, and then stores it in a signed long.
+                                # 0x20c49ba2d52500 = 292278993-01-01 00:00:00 +0000
+                                # JRuby 9.1 does not accept the year 292278994 because of edge cases (https://github.com/JodaOrg/joda-time/issues/190)
+                                Time.at([0x20c49ba2d52500, buffer.read_int64].min)
+                              else
+                                Time.at(buffer.read_int64)
+                              end
+
+          cert.critical_options = read_options(buffer)
+          cert.extensions = read_options(buffer)
+          cert.reserved = buffer.read_string
+          cert.signature_key = buffer.read_buffer.read_key
+          cert.signature = buffer.read_string
+          cert
+        end
+
+        def ssh_type
+          key.ssh_type + "-cert-v01@openssh.com"
+        end
+
+        def ssh_signature_type
+          key.ssh_type
+        end
+
+        # Serializes the certificate (and key).
+        def to_blob
+          Buffer.from(
+            :raw, to_blob_without_signature,
+            :string, signature
+          ).to_s
+        end
+
+        def ssh_do_sign(data, sig_alg = nil)
+          key.ssh_do_sign(data, sig_alg)
+        end
+
+        def ssh_do_verify(sig, data, options = {})
+          key.ssh_do_verify(sig, data, options)
+        end
+
+        def to_pem
+          key.to_pem
+        end
+
+        def fingerprint
+          key.fingerprint
+        end
+
+        # Signs the certificate with key.
+        def sign!(key, sign_nonce = nil)
+          # ssh-keygen uses 32 bytes of nonce.
+          self.nonce = sign_nonce || SecureRandom.random_bytes(32)
+          self.signature_key = key
+          self.signature = Net::SSH::Buffer.from(
+            :string, key.ssh_signature_type,
+            :mstring, key.ssh_do_sign(to_blob_without_signature)
+          ).to_s
+          self
+        end
+
+        def sign(key, sign_nonce = nil)
+          cert = clone
+          cert.sign!(key, sign_nonce)
+        end
+
+        # Checks whether the certificate's signature was signed by signature key.
+        def signature_valid?
+          buffer = Buffer.new(signature)
+          sig_format = buffer.read_string
+          signature_key.ssh_do_verify(buffer.read_string, to_blob_without_signature, host_key: sig_format)
+        end
+
+        def self.read_options(buffer)
+          names = []
+          options = buffer.read_buffer.read_all do |b|
+            name = b.read_string
+            names << name
+            data = b.read_string
+            data = Buffer.new(data).read_string unless data.empty?
+            [name, data]
+          end
+
+          raise ArgumentError, "option/extension names must be in sorted order" if names.sort != names
+
+          Hash[options]
+        end
+        private_class_method :read_options
+
+        def self.type_symbol(type)
+          types = { 1 => :user, 2 => :host }
+          raise ArgumentError("unsupported type: #{type}") unless types.include?(type)
+
+          types.fetch(type)
+        end
+        private_class_method :type_symbol
+
+        private
+
+        def type_value(type)
+          types = { user: 1, host: 2 }
+          raise ArgumentError("unsupported type: #{type}") unless types.include?(type)
+
+          types.fetch(type)
+        end
+
+        def ssh_time(t)
+          # Times in certificates are represented as a uint64.
+          [[t.to_i, 0].max, 2 << 64 - 1].min
+        end
+
+        def to_blob_without_signature
+          Buffer.from(
+            :string, ssh_type,
+            :string, nonce,
+            :raw, key_without_type,
+            :int64, serial,
+            :long, type_value(type),
+            :string, key_id,
+            :string, valid_principals.inject(Buffer.new) { |acc, elem| acc.write_string(elem) }.to_s,
+            :int64, ssh_time(valid_after),
+            :int64, ssh_time(valid_before),
+            :string, options_to_blob(critical_options),
+            :string, options_to_blob(extensions),
+            :string, reserved,
+            :string, signature_key.to_blob
+          ).to_s
+        end
+
+        def key_without_type
+          # key.to_blob gives us e.g. "ssh-rsa,<key>" but we just want "<key>".
+          tmp = Buffer.new(key.to_blob)
+          tmp.read_string # skip the underlying key type
+          tmp.read
+        end
+
+        def options_to_blob(options)
+          options.keys.sort.inject(Buffer.new) do |b, name|
+            b.write_string(name)
+            data = options.fetch(name)
+            data = Buffer.from(:string, data).to_s unless data.empty?
+            b.write_string(data)
+          end.to_s
+        end
+      end
+    end
+  end
+end

data/lib/net/ssh/authentication/constants.rb

@@ -1,18 +1,20 @@
-module Net; module SSH; module Authentication
+module Net
+  module SSH
+    module Authentication
+      # Describes the constants used by the Net::SSH::Authentication components
+      # of the Net::SSH library. Individual authentication method implemenations
+      # may define yet more constants that are specific to their implementation.
+      module Constants
+        USERAUTH_REQUEST          = 50
+        USERAUTH_FAILURE          = 51
+        USERAUTH_SUCCESS          = 52
+        USERAUTH_BANNER           = 53
 
-  # Describes the constants used by the Net::SSH::Authentication components
-  # of the Net::SSH library. Individual authentication method implemenations
-  # may define yet more constants that are specific to their implementation.
-  module Constants
-    USERAUTH_REQUEST          = 50
-    USERAUTH_FAILURE          = 51
-    USERAUTH_SUCCESS          = 52
-    USERAUTH_BANNER           = 53
+        USERAUTH_PASSWD_CHANGEREQ = 60
+        USERAUTH_PK_OK            = 60
 
-    USERAUTH_PASSWD_CHANGEREQ = 60
-    USERAUTH_PK_OK            = 60
-
-    USERAUTH_METHOD_RANGE     = 60..79
+        USERAUTH_METHOD_RANGE     = 60..79
+      end
+    end
   end
-
-end; end; end
+end