net-ssh 2.9.2 → 4.0.0

data/lib/net/ssh/authentication/agent.rb

@@ -2,22 +2,182 @@ require 'net/ssh/buffer'
 require 'net/ssh/errors'
 require 'net/ssh/loggable'
 
-module Net; module SSH; module Authentication
-  PLATFORM = File::ALT_SEPARATOR \
-    ? RUBY_PLATFORM =~ /java/ ? :java_win32 : :win32 \
-    : RUBY_PLATFORM =~ /java/ ? :java : :unix
+require 'net/ssh/transport/server_version'
+require 'socket'
+require 'rubygems'
 
-  # A trivial exception class for representing agent-specific errors.
-  class AgentError < Net::SSH::Exception; end
+require 'net/ssh/authentication/pageant' if Gem.win_platform? && RUBY_PLATFORM != "java"
 
+module Net; module SSH; module Authentication
+  # Class for representing agent-specific errors.
+  class AgentError < Net::SSH::Exception; end
   # An exception for indicating that the SSH agent is not available.
   class AgentNotAvailable < AgentError; end
-end; end; end
 
-case Net::SSH::Authentication::PLATFORM
-when :java_win32
-  # Java pageant requires whole different agent.
-  require 'net/ssh/authentication/agent/java_pageant'
-else
-  require 'net/ssh/authentication/agent/socket'
-end
+  # This class implements a simple client for the ssh-agent protocol. It
+  # does not implement any specific protocol, but instead copies the
+  # behavior of the ssh-agent functions in the OpenSSH library (3.8).
+  #
+  # This means that although it behaves like a SSH1 client, it also has
+  # some SSH2 functionality (like signing data).
+  class Agent
+    include Loggable
+
+    # A simple module for extending keys, to allow comments to be specified
+    # for them.
+    module Comment
+      attr_accessor :comment
+    end
+
+    SSH2_AGENT_REQUEST_VERSION    = 1
+    SSH2_AGENT_REQUEST_IDENTITIES = 11
+    SSH2_AGENT_IDENTITIES_ANSWER  = 12
+    SSH2_AGENT_SIGN_REQUEST       = 13
+    SSH2_AGENT_SIGN_RESPONSE      = 14
+    SSH2_AGENT_FAILURE            = 30
+    SSH2_AGENT_VERSION_RESPONSE   = 103
+
+    SSH_COM_AGENT2_FAILURE        = 102
+
+    SSH_AGENT_REQUEST_RSA_IDENTITIES = 1
+    SSH_AGENT_RSA_IDENTITIES_ANSWER1 = 2
+    SSH_AGENT_RSA_IDENTITIES_ANSWER2 = 5
+    SSH_AGENT_FAILURE                = 5
+
+    # The underlying socket being used to communicate with the SSH agent.
+    attr_reader :socket
+
+    # Instantiates a new agent object, connects to a running SSH agent,
+    # negotiates the agent protocol version, and returns the agent object.
+    def self.connect(logger=nil, agent_socket_factory = nil)
+      agent = new(logger)
+      agent.connect!(agent_socket_factory)
+      agent.negotiate!
+      agent
+    end
+
+    # Creates a new Agent object, using the optional logger instance to
+    # report status.
+    def initialize(logger=nil)
+      self.logger = logger
+    end
+
+    # Connect to the agent process using the socket factory and socket name
+    # given by the attribute writers. If the agent on the other end of the
+    # socket reports that it is an SSH2-compatible agent, this will fail
+    # (it only supports the ssh-agent distributed by OpenSSH).
+    def connect!(agent_socket_factory = nil)
+      debug { "connecting to ssh-agent" }
+      @socket =
+        if agent_socket_factory
+          agent_socket_factory.call
+        elsif ENV['SSH_AUTH_SOCK'] && defined?(unix_socket_class)
+          unix_socket_class.open(ENV['SSH_AUTH_SOCK'])
+        elsif Gem.win_platform? && RUBY_ENGINE != "jruby"
+          Pageant::Socket.open
+        else
+          raise AgentNotAvailable, "Agent not configured"
+        end
+    rescue StandardError => e
+      error { "could not connect to ssh-agent: #{e.message}" }
+      raise AgentNotAvailable, $!.message
+    end
+
+    # Attempts to negotiate the SSH agent protocol version. Raises an error
+    # if the version could not be negotiated successfully.
+    def negotiate!
+      # determine what type of agent we're communicating with
+      type, body = send_and_wait(SSH2_AGENT_REQUEST_VERSION, :string, Transport::ServerVersion::PROTO_VERSION)
+
+      raise AgentNotAvailable, "SSH2 agents are not yet supported" if type == SSH2_AGENT_VERSION_RESPONSE
+      if type == SSH2_AGENT_FAILURE
+        debug { "Unexpected response type==#{type}, this will be ignored" }
+      elsif type != SSH_AGENT_RSA_IDENTITIES_ANSWER1 && type != SSH_AGENT_RSA_IDENTITIES_ANSWER2
+        raise AgentNotAvailable, "unknown response from agent: #{type}, #{body.to_s.inspect}"
+      end
+    end
+
+    # Return an array of all identities (public keys) known to the agent.
+    # Each key returned is augmented with a +comment+ property which is set
+    # to the comment returned by the agent for that key.
+    def identities
+      type, body = send_and_wait(SSH2_AGENT_REQUEST_IDENTITIES)
+      raise AgentError, "could not get identity count" if agent_failed(type)
+      raise AgentError, "bad authentication reply: #{type}" if type != SSH2_AGENT_IDENTITIES_ANSWER
+
+      identities = []
+      body.read_long.times do
+        key_str = body.read_string
+        comment_str = body.read_string
+        begin
+          key = Buffer.new(key_str).read_key
+          key.extend(Comment)
+          key.comment = comment_str
+          identities.push key
+        rescue NotImplementedError => e
+          error { "ignoring unimplemented key:#{e.message} #{comment_str}" }
+        end
+      end
+
+      return identities
+    end
+
+    # Closes this socket. This agent reference is no longer able to
+    # query the agent.
+    def close
+      @socket.close
+    end
+
+    # Using the agent and the given public key, sign the given data. The
+    # signature is returned in SSH2 format.
+    def sign(key, data)
+      type, reply = send_and_wait(SSH2_AGENT_SIGN_REQUEST, :string, Buffer.from(:key, key), :string, data, :long, 0)
+
+      raise AgentError, "agent could not sign data with requested identity" if agent_failed(type)
+      raise AgentError, "bad authentication response #{type}" if type != SSH2_AGENT_SIGN_RESPONSE
+
+      return reply.read_string
+    end
+
+    private
+
+    def unix_socket_class
+      UNIXSocket
+    end
+
+    # Send a new packet of the given type, with the associated data.
+    def send_packet(type, *args)
+      buffer = Buffer.from(*args)
+      data = [buffer.length + 1, type.to_i, buffer.to_s].pack("NCA*")
+      debug { "sending agent request #{type} len #{buffer.length}" }
+      @socket.send data, 0
+    end
+
+    # Read the next packet from the agent. This will return a two-part
+    # tuple consisting of the packet type, and the packet's body (which
+    # is returned as a Net::SSH::Buffer).
+    def read_packet
+      buffer = Net::SSH::Buffer.new(@socket.read(4))
+      buffer.append(@socket.read(buffer.read_long))
+      type = buffer.read_byte
+      debug { "received agent packet #{type} len #{buffer.length-4}" }
+      return type, buffer
+    end
+
+    # Send the given packet and return the subsequent reply from the agent.
+    # (See #send_packet and #read_packet).
+    def send_and_wait(type, *args)
+      send_packet(type, *args)
+      read_packet
+    end
+
+    # Returns +true+ if the parameter indicates a "failure" response from
+    # the agent, and +false+ otherwise.
+    def agent_failed(type)
+      type == SSH_AGENT_FAILURE ||
+        type == SSH2_AGENT_FAILURE ||
+        type == SSH_COM_AGENT2_FAILURE
+    end
+  end
+
+end; end; end

data/lib/net/ssh/authentication/ed25519.rb

@@ -0,0 +1,137 @@
+gem 'rbnacl-libsodium', '>= 1.0.10'
+gem 'rbnacl', '>= 3.2.0', '< 4.0'
+gem 'bcrypt_pbkdf', '~> 1.0.0' unless RUBY_PLATFORM == "java"
+
+require 'rbnacl/libsodium'
+require 'rbnacl'
+require 'rbnacl/signatures/ed25519/verify_key'
+require 'rbnacl/signatures/ed25519/signing_key'
+
+require 'rbnacl/hash'
+
+require 'base64'
+
+require 'net/ssh/transport/cipher_factory'
+require 'bcrypt_pbkdf' unless RUBY_PLATFORM == "java"
+
+module Net; module SSH; module Authentication
+module ED25519
+  class SigningKeyFromFile < RbNaCl::Signatures::Ed25519::SigningKey
+    def initialize(pk,sk)
+      @signing_key = sk
+      @verify_key = RbNaCl::Signatures::Ed25519::VerifyKey.new(pk)
+    end
+  end
+
+  class PubKey
+    def initialize(data)
+      @verify_key = RbNaCl::Signatures::Ed25519::VerifyKey.new(data)
+    end
+
+    def self.read_keyblob(buffer)
+      PubKey.new(buffer.read_string)
+    end
+
+    def to_blob
+      Net::SSH::Buffer.from(:mstring,"ssh-ed25519",:string,@verify_key.to_bytes).to_s
+    end
+
+    def ssh_type
+      "ssh-ed25519"
+    end
+
+    def ssh_do_verify(sig,data)
+      @verify_key.verify(sig,data)
+    end
+
+    def to_pem
+      # TODO this is not pem
+      ssh_type + Base64.encode64(@verify_key.to_bytes)
+    end
+
+    def fingerprint
+      @fingerprint ||= OpenSSL::Digest::MD5.hexdigest(to_blob).scan(/../).join(":")
+    end
+  end
+
+  class PrivKey
+    CipherFactory = Net::SSH::Transport::CipherFactory
+
+    MBEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----\n"
+    MEND = "-----END OPENSSH PRIVATE KEY-----\n"
+    MAGIC = "openssh-key-v1"
+
+    def initialize(datafull,password)
+      raise ArgumentError.new("Expected #{MBEGIN} at start of private key") unless datafull.start_with?(MBEGIN)
+      raise ArgumentError.new("Expected #{MEND} at end of private key") unless datafull.end_with?(MEND)
+      datab64 = datafull[MBEGIN.size ... -MEND.size]
+      data = Base64.decode64(datab64)
+      raise ArgumentError.new("Expected #{MAGIC} at start of decoded private key") unless data.start_with?(MAGIC)
+      buffer = Net::SSH::Buffer.new(data[MAGIC.size+1 .. -1])
+
+      ciphername = buffer.read_string
+      raise ArgumentError.new("#{ciphername} in private key is not supported") unless
+        CipherFactory.supported?(ciphername)
+
+      kdfname = buffer.read_string
+      raise ArgumentError.new("Expected #{kdfname} to be or none or bcrypt") unless %w(none bcrypt).include?(kdfname)
+
+      kdfopts = Net::SSH::Buffer.new(buffer.read_string)
+      num_keys = buffer.read_long
+      raise ArgumentError.new("Only 1 key is supported in ssh keys #{num_keys} was in private key") unless num_keys == 1
+      _pubkey = buffer.read_string
+
+      len = buffer.read_long
+
+      keylen, blocksize, ivlen = CipherFactory.get_lengths(ciphername, iv_len: true)
+      raise ArgumentError.new("Private key len:#{len} is not a multiple of #{blocksize}") if
+        ((len < blocksize) || ((blocksize > 0) && (len % blocksize) != 0))
+
+      if kdfname == 'bcrypt'
+        salt = kdfopts.read_string
+        rounds = kdfopts.read_long
+
+        raise "BCryptPbkdf is not implemented for jruby" if RUBY_PLATFORM == "java"
+        key = BCryptPbkdf::key(password, salt, keylen + ivlen, rounds)
+      else
+        key = '\x00' * (keylen + ivlen)
+      end
+
+      cipher = CipherFactory.get(ciphername, key: key[0...keylen], iv:key[keylen...keylen+ivlen], decrypt: true)
+
+      decoded = cipher.update(buffer.remainder_as_buffer.to_s)
+      decoded << cipher.final
+
+      decoded = Net::SSH::Buffer.new(decoded)
+      check1 = decoded.read_long
+      check2 = decoded.read_long
+
+      raise ArgumentError, "Decrypt failed on private key" if (check1 != check2)
+
+      _type_name = decoded.read_string
+      pk = decoded.read_string
+      sk = decoded.read_string
+      _comment = decoded.read_string
+
+      @pk = pk
+      @sign_key = SigningKeyFromFile.new(pk,sk)
+    end
+
+    def public_key
+      PubKey.new(@pk)
+    end
+
+    def ssh_do_sign(data)
+      @sign_key.sign(data)
+    end
+
+    def self.read(data,password)
+      self.new(data,password)
+    end
+
+    def self.read_keyblob(buffer)
+      ED25519::PubKey.read_keyblob(buffer)
+    end
+  end
+end
+end; end; end

data/lib/net/ssh/authentication/ed25519_loader.rb

@@ -0,0 +1,21 @@
+module Net; module SSH; module Authentication
+
+# Loads ED25519 support which requires optinal dependecies like
+# rbnacl-libsodium, rbnacl, bcrypt_pbkdf
+module ED25519Loader
+
+begin
+  require 'net/ssh/authentication/ed25519'
+  LOADED = true
+  ERROR = nil
+rescue LoadError => e
+  ERROR = e
+  LOADED = false
+end
+
+def self.raiseUnlessLoaded(message)
+  raise NotImplementedError, "#{message} -- see #{ERROR}" unless LOADED
+end
+
+end
+end; end; end

data/lib/net/ssh/authentication/key_manager.rb

@@ -98,7 +98,7 @@ module Net
         def each_identity
           prepared_identities = prepare_identities_from_files + prepare_identities_from_data
 
-          user_identities = load_identities(prepared_identities, false)
+          user_identities = load_identities(prepared_identities, false, true)
 
           if agent
             agent.identities.each do |key|
@@ -108,13 +108,13 @@ module Net
               user_identities.delete(corresponding_user_identity) if corresponding_user_identity
 
               if !options[:keys_only] || corresponding_user_identity
-                known_identities[key] = { :from => :agent }
+                known_identities[key] = { from: :agent }
                 yield key
               end
             end
           end
 
-          user_identities = load_identities(user_identities, true)
+          user_identities = load_identities(user_identities, !options[:non_interactive], false)
 
           user_identities.each do |identity|
             key = identity.delete(:public_key)
@@ -139,15 +139,15 @@ module Net
 
           if info[:key].nil? && info[:from] == :file
             begin
-              info[:key] = KeyFactory.load_private_key(info[:file], options[:passphrase], true)
-            rescue Exception, OpenSSL::OpenSSLError => e
+              info[:key] = KeyFactory.load_private_key(info[:file], options[:passphrase], !options[:non_interactive])
+            rescue OpenSSL::OpenSSLError, Exception => e
               raise KeyManagerError, "the given identity is known, but the private key could not be loaded: #{e.class} (#{e.message})"
             end
           end
 
           if info[:key]
             return Net::SSH::Buffer.from(:string, identity.ssh_type,
-              :string, info[:key].ssh_do_sign(data.to_s)).to_s
+              :mstring, info[:key].ssh_do_sign(data.to_s)).to_s
           end
 
           if info[:from] == :agent
@@ -176,7 +176,7 @@ module Net
         # or if the agent is otherwise not available.
         def agent
           return unless use_agent?
-          @agent ||= Agent.connect(logger)
+          @agent ||= Agent.connect(logger, options[:agent_socket_factory])
         rescue AgentNotAvailable
           @use_agent = false
           nil
@@ -187,52 +187,58 @@ module Net
         # Prepares identities from user key_files for loading, preserving their order and sources.
         def prepare_identities_from_files
           key_files.map do |file|
-            public_key_file = file + ".pub"
-            if File.readable?(public_key_file)
-              { :load_from => :pubkey_file, :file => file }
-            elsif File.readable?(file)
-              { :load_from => :privkey_file, :file => file }
+            if readable_file?(file)
+              identity = {}
+              public_key_file = file + ".pub"
+              if readable_file?(public_key_file)
+                identity[:load_from] = :pubkey_file
+                identity[:pubkey_file] = public_key_file
+              else
+                identity[:load_from] = :privkey_file
+              end
+              identity.merge(privkey_file: file)
             end
           end.compact
         end
 
+        def readable_file?(path)
+          File.file?(path) && File.readable?(path)
+        end
+
         # Prepared identities from user key_data, preserving their order and sources.
         def prepare_identities_from_data
           key_data.map do |data|
-            { :load_from => :data, :data => data }
+            { load_from: :data, data: data }
           end
         end
 
-        # Load prepared identities. Private key decryption errors ignored if passphrase was not prompted.
-        def load_identities(identities, ask_passphrase)
+        # Load prepared identities. Private key decryption errors ignored if ignore_decryption_errors
+        def load_identities(identities, ask_passphrase, ignore_decryption_errors)
           identities.map do |identity|
             begin
               case identity[:load_from]
               when :pubkey_file
-                key = KeyFactory.load_public_key(identity[:file] + ".pub")
-                { :public_key => key, :from => :file, :file => identity[:file] }
+                key = KeyFactory.load_public_key(identity[:pubkey_file])
+                { public_key: key, from: :file, file: identity[:privkey_file] }
               when :privkey_file
-                private_key = KeyFactory.load_private_key(identity[:file], options[:passphrase], ask_passphrase)
+                private_key = KeyFactory.load_private_key(identity[:privkey_file], options[:passphrase], ask_passphrase, options[:password_prompt])
                 key = private_key.send(:public_key)
-                { :public_key => key, :from => :file, :file => identity[:file], :key => private_key }
+                { public_key: key, from: :file, file: identity[:privkey_file], key: private_key }
               when :data
-                private_key = KeyFactory.load_data_private_key(identity[:data], options[:passphrase], ask_passphrase)
+                private_key = KeyFactory.load_data_private_key(identity[:data], options[:passphrase], ask_passphrase, "<key in memory>", options[:password_prompt])
                 key = private_key.send(:public_key)
-                { :public_key => key, :from => :key_data, :data => identity[:data], :key => private_key }
+                { public_key: key, from: :key_data, data: identity[:data], key: private_key }
               else
                 identity
               end
 
-            rescue OpenSSL::PKey::RSAError, OpenSSL::PKey::DSAError, OpenSSL::PKey::ECError => e
-              if ask_passphrase
+            rescue OpenSSL::PKey::RSAError, OpenSSL::PKey::DSAError, OpenSSL::PKey::ECError, OpenSSL::PKey::PKeyError, ArgumentError => e
+              if ignore_decryption_errors
+                identity
+              else
                 process_identity_loading_error(identity, e)
                 nil
-              else
-                identity
               end
-            rescue ArgumentError => e
-              process_identity_loading_error(identity, e)
-              nil
             rescue Exception => e
               process_identity_loading_error(identity, e)
               nil
@@ -243,9 +249,9 @@ module Net
         def process_identity_loading_error(identity, e)
           case identity[:load_from]
           when :pubkey_file
-            error { "could not load public key file `#{identity[:file]}': #{e.class} (#{e.message})" }
+            error { "could not load public key file `#{identity[:pubkey_file]}': #{e.class} (#{e.message})" }
           when :privkey_file
-            error { "could not load private key file `#{identity[:file]}': #{e.class} (#{e.message})" }
+            error { "could not load private key file `#{identity[:privkey_file]}': #{e.class} (#{e.message})" }
           else
             raise e
           end

data/lib/net/ssh/authentication/methods/abstract.rb

@@ -22,6 +22,7 @@ module Net; module SSH; module Authentication; module Methods
       @session = session
       @key_manager = options[:key_manager]
       @options = options
+      @prompt = options[:password_prompt]
       self.logger = session.logger
     end
 
@@ -55,6 +56,9 @@ module Net; module SSH; module Authentication; module Methods
       buffer
     end
 
+    private
+
+    attr_reader :prompt
   end
 
 end; end; end; end

data/lib/net/ssh/authentication/methods/keyboard_interactive.rb

@@ -8,8 +8,6 @@ module Net
 
         # Implements the "keyboard-interactive" SSH authentication method.
         class KeyboardInteractive < Abstract
-          include Prompt
-
           USERAUTH_INFO_REQUEST  = 60
           USERAUTH_INFO_RESPONSE = 61
 
@@ -18,12 +16,14 @@ module Net
             debug { "trying keyboard-interactive" }
             send_message(userauth_request(username, next_service, "keyboard-interactive", "", ""))
 
+            prompter = nil
             loop do
               message = session.next_message
 
               case message.type
               when USERAUTH_SUCCESS
                 debug { "keyboard-interactive succeeded" }
+                prompter.success if prompter
                 return true
               when USERAUTH_FAILURE
                 debug { "keyboard-interactive failed" }
@@ -31,24 +31,27 @@ module Net
                 raise Net::SSH::Authentication::DisallowedMethod unless
                   message[:authentications].split(/,/).include? 'keyboard-interactive'
 
-                return false
+                return false unless interactive?
+                password = nil
+                debug { "retrying keyboard-interactive" }
+                send_message(userauth_request(username, next_service, "keyboard-interactive", "", ""))
               when USERAUTH_INFO_REQUEST
                 name = message.read_string
                 instruction = message.read_string
                 debug { "keyboard-interactive info request" }
 
-                unless password
-                  puts(name) unless name.empty?
-                  puts(instruction) unless instruction.empty?
+                if password.nil? && interactive? && prompter.nil?
+                  prompter = prompt.start(type: 'keyboard-interactive', name: name, instruction: instruction)
                 end
 
                 _ = message.read_string # lang_tag
                 responses =[]
-  
+
                 message.read_long.times do
                   text = message.read_string
                   echo = message.read_bool
-                  responses << (password || prompt(text, echo))
+                  password_to_send = password || (prompter && prompter.ask(text, echo))
+                  responses << password_to_send
                 end
 
                 # if the password failed the first time around, don't try
@@ -62,8 +65,12 @@ module Net
               end
             end
           end
-        end
 
+          def interactive?
+            options = session.transport.options || {}
+            !options[:non_interactive]
+          end
+        end
       end
     end
   end

data/lib/net/ssh/authentication/methods/password.rb

@@ -9,11 +9,10 @@ module Net
 
         # Implements the "password" SSH authentication method.
         class Password < Abstract
-          include Prompt
-
           # Attempt to authenticate the given user for the given service. If
           # the password parameter is nil, this will ask for password
           def authenticate(next_service, username, password=nil)
+            clear_prompter!
             retries = 0
             max_retries =  get_max_retries
             return false if !password && max_retries == 0
@@ -37,6 +36,7 @@ module Net
             case message.type
               when USERAUTH_SUCCESS
                 debug { "password succeeded" }
+                @prompter.success if @prompter
                 return true
               when USERAUTH_FAILURE
                 return false
@@ -52,13 +52,26 @@ module Net
 
           NUMBER_OF_PASSWORD_PROMPTS = 3
 
+          def clear_prompter!
+            @prompt_info = nil
+            @prompter = nil
+          end
+
           def ask_password(username)
+            host = session.transport.host
+            prompt_info = {type: 'password', user: username, host: host}
+            if @prompt_info != prompt_info
+              @prompt_info = prompt_info
+              @prompter = prompt.start(prompt_info)
+            end
             echo = false
-            prompt("#{username}@#{session.transport.host}'s password:", echo)
+            @prompter.ask("#{username}@#{host}'s password:", echo)
           end
 
           def get_max_retries
-            (session.transport.options||{})[:number_of_password_prompts] || NUMBER_OF_PASSWORD_PROMPTS
+            options = session.transport.options || {}
+            result = options[:number_of_password_prompts] || NUMBER_OF_PASSWORD_PROMPTS
+            options[:non_interactive] ? 0 : result
           end
         end