RubyGems - net-ssh - Versions diffs - 3.2.0.rc2 → 7.1.0 - Mend

net-ssh 3.2.0.rc2 → 7.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (204) hide show

checksums.yaml +5 -5
checksums.yaml.gz.sig +2 -2
data/.dockerignore +6 -0
data/.github/config/rubocop_linter_action.yml +4 -0
data/.github/workflows/ci-with-docker.yml +44 -0
data/.github/workflows/ci.yml +87 -0
data/.github/workflows/rubocop.yml +16 -0
data/.gitignore +13 -0
data/.rubocop.yml +22 -0
data/.rubocop_todo.yml +1081 -0
data/CHANGES.txt +228 -7
data/Dockerfile +27 -0
data/Dockerfile.openssl3 +17 -0
data/Gemfile +13 -0
data/Gemfile.noed25519 +12 -0
data/ISSUE_TEMPLATE.md +30 -0
data/Manifest +4 -5
data/README.md +297 -0
data/Rakefile +125 -74
data/SECURITY.md +4 -0
data/appveyor.yml +58 -0
data/docker-compose.yml +23 -0
data/lib/net/ssh/authentication/agent.rb +279 -18
data/lib/net/ssh/authentication/certificate.rb +183 -0
data/lib/net/ssh/authentication/constants.rb +17 -15
data/lib/net/ssh/authentication/ed25519.rb +186 -0
data/lib/net/ssh/authentication/ed25519_loader.rb +31 -0
data/lib/net/ssh/authentication/key_manager.rb +86 -39
data/lib/net/ssh/authentication/methods/abstract.rb +67 -48
data/lib/net/ssh/authentication/methods/hostbased.rb +34 -37
data/lib/net/ssh/authentication/methods/keyboard_interactive.rb +13 -13
data/lib/net/ssh/authentication/methods/none.rb +16 -19
data/lib/net/ssh/authentication/methods/password.rb +27 -17
data/lib/net/ssh/authentication/methods/publickey.rb +96 -55
data/lib/net/ssh/authentication/pageant.rb +471 -367
data/lib/net/ssh/authentication/pub_key_fingerprint.rb +43 -0
data/lib/net/ssh/authentication/session.rb +131 -121
data/lib/net/ssh/buffer.rb +399 -300
data/lib/net/ssh/buffered_io.rb +154 -150
data/lib/net/ssh/config.rb +308 -185
data/lib/net/ssh/connection/channel.rb +635 -613
data/lib/net/ssh/connection/constants.rb +29 -29
data/lib/net/ssh/connection/event_loop.rb +123 -0
data/lib/net/ssh/connection/keepalive.rb +55 -51
data/lib/net/ssh/connection/session.rb +620 -551
data/lib/net/ssh/connection/term.rb +125 -123
data/lib/net/ssh/errors.rb +101 -99
data/lib/net/ssh/key_factory.rb +197 -105
data/lib/net/ssh/known_hosts.rb +214 -127
data/lib/net/ssh/loggable.rb +50 -49
data/lib/net/ssh/packet.rb +83 -79
data/lib/net/ssh/prompt.rb +50 -81
data/lib/net/ssh/proxy/command.rb +105 -90
data/lib/net/ssh/proxy/errors.rb +12 -10
data/lib/net/ssh/proxy/http.rb +82 -79
data/lib/net/ssh/proxy/https.rb +50 -0
data/lib/net/ssh/proxy/jump.rb +54 -0
data/lib/net/ssh/proxy/socks4.rb +2 -6
data/lib/net/ssh/proxy/socks5.rb +14 -17
data/lib/net/ssh/service/forward.rb +370 -317
data/lib/net/ssh/test/channel.rb +145 -136
data/lib/net/ssh/test/extensions.rb +131 -110
data/lib/net/ssh/test/kex.rb +34 -32
data/lib/net/ssh/test/local_packet.rb +46 -44
data/lib/net/ssh/test/packet.rb +89 -70
data/lib/net/ssh/test/remote_packet.rb +32 -30
data/lib/net/ssh/test/script.rb +156 -142
data/lib/net/ssh/test/socket.rb +49 -48
data/lib/net/ssh/test.rb +82 -77
data/lib/net/ssh/transport/algorithms.rb +441 -360
data/lib/net/ssh/transport/cipher_factory.rb +96 -98
data/lib/net/ssh/transport/constants.rb +32 -24
data/lib/net/ssh/transport/ctr.rb +42 -22
data/lib/net/ssh/transport/hmac/abstract.rb +81 -63
data/lib/net/ssh/transport/hmac/md5.rb +0 -2
data/lib/net/ssh/transport/hmac/md5_96.rb +0 -2
data/lib/net/ssh/transport/hmac/none.rb +0 -2
data/lib/net/ssh/transport/hmac/ripemd160.rb +0 -2
data/lib/net/ssh/transport/hmac/sha1.rb +0 -2
data/lib/net/ssh/transport/hmac/sha1_96.rb +0 -2
data/lib/net/ssh/transport/hmac/sha2_256.rb +7 -11
data/lib/net/ssh/transport/hmac/sha2_256_96.rb +4 -8
data/lib/net/ssh/transport/hmac/sha2_256_etm.rb +12 -0
data/lib/net/ssh/transport/hmac/sha2_512.rb +6 -9
data/lib/net/ssh/transport/hmac/sha2_512_96.rb +4 -8
data/lib/net/ssh/transport/hmac/sha2_512_etm.rb +12 -0
data/lib/net/ssh/transport/hmac.rb +14 -12
data/lib/net/ssh/transport/identity_cipher.rb +54 -52
data/lib/net/ssh/transport/kex/abstract.rb +130 -0
data/lib/net/ssh/transport/kex/abstract5656.rb +72 -0
data/lib/net/ssh/transport/kex/curve25519_sha256.rb +39 -0
data/lib/net/ssh/transport/kex/curve25519_sha256_loader.rb +30 -0
data/lib/net/ssh/transport/kex/diffie_hellman_group14_sha1.rb +33 -40
data/lib/net/ssh/transport/kex/diffie_hellman_group14_sha256.rb +11 -0
data/lib/net/ssh/transport/kex/diffie_hellman_group1_sha1.rb +119 -213
data/lib/net/ssh/transport/kex/diffie_hellman_group_exchange_sha1.rb +53 -61
data/lib/net/ssh/transport/kex/diffie_hellman_group_exchange_sha256.rb +5 -9
data/lib/net/ssh/transport/kex/ecdh_sha2_nistp256.rb +36 -90
data/lib/net/ssh/transport/kex/ecdh_sha2_nistp384.rb +18 -10
data/lib/net/ssh/transport/kex/ecdh_sha2_nistp521.rb +18 -10
data/lib/net/ssh/transport/kex.rb +15 -12
data/lib/net/ssh/transport/key_expander.rb +24 -20
data/lib/net/ssh/transport/openssl.rb +161 -124
data/lib/net/ssh/transport/packet_stream.rb +225 -185
data/lib/net/ssh/transport/server_version.rb +55 -56
data/lib/net/ssh/transport/session.rb +306 -255
data/lib/net/ssh/transport/state.rb +178 -176
data/lib/net/ssh/verifiers/accept_new.rb +33 -0
data/lib/net/ssh/verifiers/accept_new_or_local_tunnel.rb +33 -0
data/lib/net/ssh/verifiers/always.rb +58 -0
data/lib/net/ssh/verifiers/never.rb +19 -0
data/lib/net/ssh/version.rb +55 -53
data/lib/net/ssh.rb +110 -47
data/net-ssh-public_cert.pem +18 -18
data/net-ssh.gemspec +36 -205
data/support/ssh_tunnel_bug.rb +5 -5
data.tar.gz.sig +0 -0
metadata +153 -118
metadata.gz.sig +0 -0
data/.travis.yml +0 -18
data/README.rdoc +0 -182
data/lib/net/ssh/authentication/agent/java_pageant.rb +0 -85
data/lib/net/ssh/authentication/agent/socket.rb +0 -178
data/lib/net/ssh/ruby_compat.rb +0 -46
data/lib/net/ssh/verifiers/lenient.rb +0 -30
data/lib/net/ssh/verifiers/null.rb +0 -12
data/lib/net/ssh/verifiers/secure.rb +0 -52
data/lib/net/ssh/verifiers/strict.rb +0 -24
data/setup.rb +0 -1585
data/support/arcfour_check.rb +0 -20
data/test/README.txt +0 -18
data/test/authentication/methods/common.rb +0 -28
data/test/authentication/methods/test_abstract.rb +0 -51
data/test/authentication/methods/test_hostbased.rb +0 -114
data/test/authentication/methods/test_keyboard_interactive.rb +0 -121
data/test/authentication/methods/test_none.rb +0 -41
data/test/authentication/methods/test_password.rb +0 -95
data/test/authentication/methods/test_publickey.rb +0 -148
data/test/authentication/test_agent.rb +0 -232
data/test/authentication/test_key_manager.rb +0 -240
data/test/authentication/test_session.rb +0 -107
data/test/common.rb +0 -125
data/test/configs/auth_off +0 -5
data/test/configs/auth_on +0 -4
data/test/configs/empty +0 -0
data/test/configs/eqsign +0 -3
data/test/configs/exact_match +0 -8
data/test/configs/host_plus +0 -10
data/test/configs/multihost +0 -4
data/test/configs/negative_match +0 -6
data/test/configs/nohost +0 -19
data/test/configs/numeric_host +0 -4
data/test/configs/proxy_remote_user +0 -2
data/test/configs/send_env +0 -2
data/test/configs/substitutes +0 -8
data/test/configs/wild_cards +0 -14
data/test/connection/test_channel.rb +0 -487
data/test/connection/test_session.rb +0 -564
data/test/integration/README.txt +0 -17
data/test/integration/Vagrantfile +0 -12
data/test/integration/common.rb +0 -63
data/test/integration/playbook.yml +0 -56
data/test/integration/test_forward.rb +0 -637
data/test/integration/test_id_rsa_keys.rb +0 -96
data/test/integration/test_proxy.rb +0 -93
data/test/known_hosts/github +0 -1
data/test/known_hosts/github_hash +0 -1
data/test/manual/test_pageant.rb +0 -37
data/test/start/test_connection.rb +0 -53
data/test/start/test_options.rb +0 -57
data/test/start/test_transport.rb +0 -28
data/test/start/test_user_nil.rb +0 -27
data/test/test_all.rb +0 -12
data/test/test_buffer.rb +0 -433
data/test/test_buffered_io.rb +0 -63
data/test/test_config.rb +0 -268
data/test/test_key_factory.rb +0 -191
data/test/test_known_hosts.rb +0 -66
data/test/transport/hmac/test_md5.rb +0 -41
data/test/transport/hmac/test_md5_96.rb +0 -27
data/test/transport/hmac/test_none.rb +0 -34
data/test/transport/hmac/test_ripemd160.rb +0 -36
data/test/transport/hmac/test_sha1.rb +0 -36
data/test/transport/hmac/test_sha1_96.rb +0 -27
data/test/transport/hmac/test_sha2_256.rb +0 -37
data/test/transport/hmac/test_sha2_256_96.rb +0 -27
data/test/transport/hmac/test_sha2_512.rb +0 -37
data/test/transport/hmac/test_sha2_512_96.rb +0 -27
data/test/transport/kex/test_diffie_hellman_group14_sha1.rb +0 -13
data/test/transport/kex/test_diffie_hellman_group1_sha1.rb +0 -150
data/test/transport/kex/test_diffie_hellman_group_exchange_sha1.rb +0 -96
data/test/transport/kex/test_diffie_hellman_group_exchange_sha256.rb +0 -19
data/test/transport/kex/test_ecdh_sha2_nistp256.rb +0 -161
data/test/transport/kex/test_ecdh_sha2_nistp384.rb +0 -38
data/test/transport/kex/test_ecdh_sha2_nistp521.rb +0 -38
data/test/transport/test_algorithms.rb +0 -328
data/test/transport/test_cipher_factory.rb +0 -443
data/test/transport/test_hmac.rb +0 -34
data/test/transport/test_identity_cipher.rb +0 -40
data/test/transport/test_packet_stream.rb +0 -1762
data/test/transport/test_server_version.rb +0 -74
data/test/transport/test_session.rb +0 -331
data/test/transport/test_state.rb +0 -181
data/test/verifiers/test_secure.rb +0 -40

data/lib/net/ssh/key_factory.rb CHANGED Viewed

@@ -1,126 +1,218 @@
 require 'net/ssh/transport/openssl'
 require 'net/ssh/prompt'
-module Net; module SSH
-  # A factory class for returning new Key classes. It is used for obtaining
-  # OpenSSL key instances via their SSH names, and for loading both public and
-  # private keys. It used used primarily by Net::SSH itself, internally, and
-  # will rarely (if ever) be directly used by consumers of the library.
-  #
-  #   klass = Net::SSH::KeyFactory.get("rsa")
-  #   assert klass.is_a?(OpenSSL::PKey::RSA)
-  #
-  #   key = Net::SSH::KeyFactory.load_public_key("~/.ssh/id_dsa.pub")
-  class KeyFactory
-    # Specifies the mapping of SSH names to OpenSSL key classes.
-    MAP = {
-      "dh"  => OpenSSL::PKey::DH,
-      "rsa" => OpenSSL::PKey::RSA,
-      "dsa" => OpenSSL::PKey::DSA,
-    }
-    if defined?(OpenSSL::PKey::EC)
-      MAP["ecdsa"] = OpenSSL::PKey::EC
-    end
+require 'net/ssh/authentication/ed25519_loader'
-    class <<self
-      include Prompt
+module Net
+  module SSH
+    # A factory class for returning new Key classes. It is used for obtaining
+    # OpenSSL key instances via their SSH names, and for loading both public and
+    # private keys. It used used primarily by Net::SSH itself, internally, and
+    # will rarely (if ever) be directly used by consumers of the library.
+    #
+    #   klass = Net::SSH::KeyFactory.get("rsa")
+    #   assert klass.is_a?(OpenSSL::PKey::RSA)
+    #
+    #   key = Net::SSH::KeyFactory.load_public_key("~/.ssh/id_dsa.pub")
+    class KeyFactory
+      # Specifies the mapping of SSH names to OpenSSL key classes.
+      MAP = {
+        'dh' => OpenSSL::PKey::DH,
+        'rsa' => OpenSSL::PKey::RSA,
+        'dsa' => OpenSSL::PKey::DSA,
+        'ecdsa' => OpenSSL::PKey::EC
+      }
+      MAP["ed25519"] = Net::SSH::Authentication::ED25519::PrivKey if defined? Net::SSH::Authentication::ED25519
-      # Fetch an OpenSSL key instance by its SSH name. It will be a new,
-      # empty key of the given type.
-      def get(name)
-        MAP.fetch(name).new
-      end
+      class << self
+        # Fetch an OpenSSL key instance by its SSH name. It will be a new,
+        # empty key of the given type.
+        def get(name)
+          MAP.fetch(name).new
+        end
-      # Loads a private key from a file. It will correctly determine
-      # whether the file describes an RSA or DSA key, and will load it
-      # appropriately. The new key is returned. If the key itself is
-      # encrypted (requiring a passphrase to use), the user will be
-      # prompted to enter their password unless passphrase works.
-      def load_private_key(filename, passphrase=nil, ask_passphrase=true)
-        data = File.read(File.expand_path(filename))
-        load_data_private_key(data, passphrase, ask_passphrase, filename)
-      end
+        # Loads a private key from a file. It will correctly determine
+        # whether the file describes an RSA or DSA key, and will load it
+        # appropriately. The new key is returned. If the key itself is
+        # encrypted (requiring a passphrase to use), the user will be
+        # prompted to enter their password unless passphrase works.
+        def load_private_key(filename, passphrase = nil, ask_passphrase = true, prompt = Prompt.default)
+          data = File.read(File.expand_path(filename))
+          load_data_private_key(data, passphrase, ask_passphrase, filename, prompt)
+        end
-      # Loads a private key. It will correctly determine
-      # whether the file describes an RSA or DSA key, and will load it
-      # appropriately. The new key is returned. If the key itself is
-      # encrypted (requiring a passphrase to use), the user will be
-      # prompted to enter their password unless passphrase works.
-      def load_data_private_key(data, passphrase=nil, ask_passphrase=true, filename="")
-        if OpenSSL::PKey.respond_to?(:read)
-          pkey_read = true
-          error_class = ArgumentError
-        else
-          pkey_read = false
-          if data.match(/-----BEGIN DSA PRIVATE KEY-----/)
-            key_type = OpenSSL::PKey::DSA
-            error_class = OpenSSL::PKey::DSAError
-          elsif data.match(/-----BEGIN RSA PRIVATE KEY-----/)
-            key_type = OpenSSL::PKey::RSA
-            error_class = OpenSSL::PKey::RSAError
-          elsif data.match(/-----BEGIN EC PRIVATE KEY-----/) && defined?(OpenSSL::PKey::EC)
-            key_type = OpenSSL::PKey::EC
-            error_class = OpenSSL::PKey::ECError
-          elsif data.match(/-----BEGIN (.+) PRIVATE KEY-----/)
-            raise OpenSSL::PKey::PKeyError, "not a supported key type '#{$1}'"
-          else
-            raise OpenSSL::PKey::PKeyError, "not a private key (#{filename})"
+        # Loads a private key. It will correctly determine
+        # whether the file describes an RSA or DSA key, and will load it
+        # appropriately. The new key is returned. If the key itself is
+        # encrypted (requiring a passphrase to use), the user will be
+        # prompted to enter their password unless passphrase works.
+        def load_data_private_key(data, passphrase = nil, ask_passphrase = true, filename = "", prompt = Prompt.default)
+          key_type = classify_key(data, filename)
+          encrypted_key = nil
+          tries = 0
+          prompter = nil
+          result =
+            begin
+              key_type.read(data, passphrase || 'invalid')
+            rescue *key_type.error_classes => e
+              encrypted_key = !!key_type.encrypted_key?(data, e) if encrypted_key.nil?
+              if encrypted_key && ask_passphrase
+                tries += 1
+                if tries <= 3
+                  prompter ||= prompt.start(type: 'private_key', filename: filename, sha: Digest::SHA256.digest(data))
+                  passphrase = prompter.ask("Enter passphrase for #{filename}:", false)
+                  retry
+                else
+                  raise
+                end
+              else
+                raise
+              end
+            end
+          prompter.success if prompter
+          result
+        end
+        # Loads a public key from a file. It will correctly determine whether
+        # the file describes an RSA or DSA key, and will load it
+        # appropriately. The new public key is returned.
+        def load_public_key(filename)
+          data = File.read(File.expand_path(filename))
+          load_data_public_key(data, filename)
+        end
+        # Loads a public key. It will correctly determine whether
+        # the file describes an RSA or DSA key, and will load it
+        # appropriately. The new public key is returned.
+        def load_data_public_key(data, filename = "")
+          fields = data.split(/ /)
+          blob = nil
+          begin
+            blob = fields.shift
+          end while !blob.nil? && !/^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp\d+)(-cert-v01@openssh\.com)?$/.match(blob)
+          blob = fields.shift
+          raise Net::SSH::Exception, "public key at #{filename} is not valid" if blob.nil?
+          blob = blob.unpack("m*").first
+          reader = Net::SSH::Buffer.new(blob)
+          reader.read_key or raise OpenSSL::PKey::PKeyError, "not a public key #{filename.inspect}"
+        end
+        private
+        # rubocop:disable Style/Documentation, Lint/DuplicateMethods
+        class KeyType
+          def self.read(key_data, passphrase)
+            raise Exception, "TODO subclasses should implement read"
+          end
+          def self.error_classes
+            raise Exception, "TODO subclasses should implement read"
+          end
+          def self.encrypted_key?(data, error)
+            raise Exception, "TODO subclasses should implement is_encrypted_key"
           end
         end
-        encrypted_key = data.match(/ENCRYPTED/)
-        tries = 0
+        class OpenSSHPrivateKeyType < KeyType
+          def self.read(key_data, passphrase)
+            Net::SSH::Authentication::ED25519::OpenSSHPrivateKeyLoader.read(key_data, passphrase)
+          end
-        begin
-          if pkey_read
-            return OpenSSL::PKey.read(data, passphrase || 'invalid')
-          else
-            return key_type.new(data, passphrase || 'invalid')
-          end
-        rescue error_class
-          if encrypted_key && ask_passphrase
-            tries += 1
-            if tries <= 3
-              passphrase = prompt("Enter passphrase for #{filename}:", false)
-              retry
-            else
-              raise
-            end
-          else
-            raise
+          def self.error_classes
+            [Net::SSH::Authentication::ED25519::OpenSSHPrivateKeyLoader::DecryptError]
+          end
+          def self.encrypted_key?(key_data, decode_error)
+            decode_error.is_a?(Net::SSH::Authentication::ED25519::OpenSSHPrivateKeyLoader::DecryptError) && decode_error.encrypted_key?
           end
         end
-      end
-      # Loads a public key from a file. It will correctly determine whether
-      # the file describes an RSA or DSA key, and will load it
-      # appropriately. The new public key is returned.
-      def load_public_key(filename)
-        data = File.read(File.expand_path(filename))
-        load_data_public_key(data, filename)
-      end
+        class OpenSSLKeyTypeBase < KeyType
+          def self.open_ssl_class
+            raise Exception, "TODO: subclasses should implement"
+          end
-      # Loads a public key. It will correctly determine whether
-      # the file describes an RSA or DSA key, and will load it
-      # appropriately. The new public key is returned.
-      def load_data_public_key(data, filename="")
-        fields = data.split(/ /)
+          def self.read(key_data, passphrase)
+            open_ssl_class.new(key_data, passphrase)
+          end
-        blob = nil
-        begin
-          blob = fields.shift
-        end while !blob.nil? && !/^(ssh-(rsa|dss)|ecdsa-sha2-nistp\d+)$/.match(blob)
-        blob = fields.shift
+          def self.encrypted_key?(key_data, error)
+            key_data.match(/ENCRYPTED/)
+          end
+        end
+        class OpenSSLPKeyType < OpenSSLKeyTypeBase
+          def self.read(key_data, passphrase)
+            open_ssl_class.read(key_data, passphrase)
+          end
+          def self.open_ssl_class
+            OpenSSL::PKey
+          end
-        raise Net::SSH::Exception, "public key at #{filename} is not valid" if blob.nil?
+          def self.error_classes
+            [ArgumentError, OpenSSL::PKey::PKeyError]
+          end
+        end
+        class OpenSSLDSAKeyType < OpenSSLKeyTypeBase
+          def self.open_ssl_class
+            OpenSSL::PKey::DSA
+          end
+          def self.error_classes
+            [OpenSSL::PKey::DSAError]
+          end
+        end
+        class OpenSSLRSAKeyType < OpenSSLKeyTypeBase
+          def self.open_ssl_class
+            OpenSSL::PKey::RSA
+          end
-        blob = blob.unpack("m*").first
-        reader = Net::SSH::Buffer.new(blob)
-        reader.read_key or raise OpenSSL::PKey::PKeyError, "not a public key #{filename.inspect}"
+          def self.error_classes
+            [OpenSSL::PKey::RSAError]
+          end
+        end
+        class OpenSSLECKeyType < OpenSSLKeyTypeBase
+          def self.open_ssl_class
+            OpenSSL::PKey::EC
+          end
+          def self.error_classes
+            [OpenSSL::PKey::ECError]
+          end
+        end
+        # rubocop:enable Style/Documentation, Lint/DuplicateMethods
+        # Determine whether the file describes an RSA or DSA key, and return how load it
+        # appropriately.
+        def classify_key(data, filename)
+          if data.match(/-----BEGIN OPENSSH PRIVATE KEY-----/)
+            Net::SSH::Authentication::ED25519Loader.raiseUnlessLoaded("OpenSSH keys only supported if ED25519 is available")
+            return OpenSSHPrivateKeyType
+          elsif OpenSSL::PKey.respond_to?(:read)
+            return OpenSSLPKeyType
+          elsif data.match(/-----BEGIN DSA PRIVATE KEY-----/)
+            return OpenSSLDSAKeyType
+          elsif data.match(/-----BEGIN RSA PRIVATE KEY-----/)
+            return OpenSSLRSAKeyType
+          elsif data.match(/-----BEGIN EC PRIVATE KEY-----/)
+            return OpenSSLECKeyType
+          elsif data.match(/-----BEGIN (.+) PRIVATE KEY-----/)
+            raise OpenSSL::PKey::PKeyError, "not a supported key type '#{$1}'"
+          else
+            raise OpenSSL::PKey::PKeyError, "not a private key (#{filename})"
+          end
+        end
       end
     end
   end
-end; end
+end