RubyGems - net-ssh - Versions diffs - 3.2.0.rc2 → 7.1.0 - Mend

net-ssh 3.2.0.rc2 → 7.1.0

Files changed (204) hide show

checksums.yaml +5 -5
checksums.yaml.gz.sig +2 -2
data/.dockerignore +6 -0
data/.github/config/rubocop_linter_action.yml +4 -0
data/.github/workflows/ci-with-docker.yml +44 -0
data/.github/workflows/ci.yml +87 -0
data/.github/workflows/rubocop.yml +16 -0
data/.gitignore +13 -0
data/.rubocop.yml +22 -0
data/.rubocop_todo.yml +1081 -0
data/CHANGES.txt +228 -7
data/Dockerfile +27 -0
data/Dockerfile.openssl3 +17 -0
data/Gemfile +13 -0
data/Gemfile.noed25519 +12 -0
data/ISSUE_TEMPLATE.md +30 -0
data/Manifest +4 -5
data/README.md +297 -0
data/Rakefile +125 -74
data/SECURITY.md +4 -0
data/appveyor.yml +58 -0
data/docker-compose.yml +23 -0
data/lib/net/ssh/authentication/agent.rb +279 -18
data/lib/net/ssh/authentication/certificate.rb +183 -0
data/lib/net/ssh/authentication/constants.rb +17 -15
data/lib/net/ssh/authentication/ed25519.rb +186 -0
data/lib/net/ssh/authentication/ed25519_loader.rb +31 -0
data/lib/net/ssh/authentication/key_manager.rb +86 -39
data/lib/net/ssh/authentication/methods/abstract.rb +67 -48
data/lib/net/ssh/authentication/methods/hostbased.rb +34 -37
data/lib/net/ssh/authentication/methods/keyboard_interactive.rb +13 -13
data/lib/net/ssh/authentication/methods/none.rb +16 -19
data/lib/net/ssh/authentication/methods/password.rb +27 -17
data/lib/net/ssh/authentication/methods/publickey.rb +96 -55
data/lib/net/ssh/authentication/pageant.rb +471 -367
data/lib/net/ssh/authentication/pub_key_fingerprint.rb +43 -0
data/lib/net/ssh/authentication/session.rb +131 -121
data/lib/net/ssh/buffer.rb +399 -300
data/lib/net/ssh/buffered_io.rb +154 -150
data/lib/net/ssh/config.rb +308 -185
data/lib/net/ssh/connection/channel.rb +635 -613
data/lib/net/ssh/connection/constants.rb +29 -29
data/lib/net/ssh/connection/event_loop.rb +123 -0
data/lib/net/ssh/connection/keepalive.rb +55 -51
data/lib/net/ssh/connection/session.rb +620 -551
data/lib/net/ssh/connection/term.rb +125 -123
data/lib/net/ssh/errors.rb +101 -99
data/lib/net/ssh/key_factory.rb +197 -105
data/lib/net/ssh/known_hosts.rb +214 -127
data/lib/net/ssh/loggable.rb +50 -49
data/lib/net/ssh/packet.rb +83 -79
data/lib/net/ssh/prompt.rb +50 -81
data/lib/net/ssh/proxy/command.rb +105 -90
data/lib/net/ssh/proxy/errors.rb +12 -10
data/lib/net/ssh/proxy/http.rb +82 -79
data/lib/net/ssh/proxy/https.rb +50 -0
data/lib/net/ssh/proxy/jump.rb +54 -0
data/lib/net/ssh/proxy/socks4.rb +2 -6
data/lib/net/ssh/proxy/socks5.rb +14 -17
data/lib/net/ssh/service/forward.rb +370 -317
data/lib/net/ssh/test/channel.rb +145 -136
data/lib/net/ssh/test/extensions.rb +131 -110
data/lib/net/ssh/test/kex.rb +34 -32
data/lib/net/ssh/test/local_packet.rb +46 -44
data/lib/net/ssh/test/packet.rb +89 -70
data/lib/net/ssh/test/remote_packet.rb +32 -30
data/lib/net/ssh/test/script.rb +156 -142
data/lib/net/ssh/test/socket.rb +49 -48
data/lib/net/ssh/test.rb +82 -77
data/lib/net/ssh/transport/algorithms.rb +441 -360
data/lib/net/ssh/transport/cipher_factory.rb +96 -98
data/lib/net/ssh/transport/constants.rb +32 -24
data/lib/net/ssh/transport/ctr.rb +42 -22
data/lib/net/ssh/transport/hmac/abstract.rb +81 -63
data/lib/net/ssh/transport/hmac/md5.rb +0 -2
data/lib/net/ssh/transport/hmac/md5_96.rb +0 -2
data/lib/net/ssh/transport/hmac/none.rb +0 -2
data/lib/net/ssh/transport/hmac/ripemd160.rb +0 -2
data/lib/net/ssh/transport/hmac/sha1.rb +0 -2
data/lib/net/ssh/transport/hmac/sha1_96.rb +0 -2
data/lib/net/ssh/transport/hmac/sha2_256.rb +7 -11
data/lib/net/ssh/transport/hmac/sha2_256_96.rb +4 -8
data/lib/net/ssh/transport/hmac/sha2_256_etm.rb +12 -0
data/lib/net/ssh/transport/hmac/sha2_512.rb +6 -9
data/lib/net/ssh/transport/hmac/sha2_512_96.rb +4 -8
data/lib/net/ssh/transport/hmac/sha2_512_etm.rb +12 -0
data/lib/net/ssh/transport/hmac.rb +14 -12
data/lib/net/ssh/transport/identity_cipher.rb +54 -52
data/lib/net/ssh/transport/kex/abstract.rb +130 -0
data/lib/net/ssh/transport/kex/abstract5656.rb +72 -0
data/lib/net/ssh/transport/kex/curve25519_sha256.rb +39 -0
data/lib/net/ssh/transport/kex/curve25519_sha256_loader.rb +30 -0
data/lib/net/ssh/transport/kex/diffie_hellman_group14_sha1.rb +33 -40
data/lib/net/ssh/transport/kex/diffie_hellman_group14_sha256.rb +11 -0
data/lib/net/ssh/transport/kex/diffie_hellman_group1_sha1.rb +119 -213
data/lib/net/ssh/transport/kex/diffie_hellman_group_exchange_sha1.rb +53 -61
data/lib/net/ssh/transport/kex/diffie_hellman_group_exchange_sha256.rb +5 -9
data/lib/net/ssh/transport/kex/ecdh_sha2_nistp256.rb +36 -90
data/lib/net/ssh/transport/kex/ecdh_sha2_nistp384.rb +18 -10
data/lib/net/ssh/transport/kex/ecdh_sha2_nistp521.rb +18 -10
data/lib/net/ssh/transport/kex.rb +15 -12
data/lib/net/ssh/transport/key_expander.rb +24 -20
data/lib/net/ssh/transport/openssl.rb +161 -124
data/lib/net/ssh/transport/packet_stream.rb +225 -185
data/lib/net/ssh/transport/server_version.rb +55 -56
data/lib/net/ssh/transport/session.rb +306 -255
data/lib/net/ssh/transport/state.rb +178 -176
data/lib/net/ssh/verifiers/accept_new.rb +33 -0
data/lib/net/ssh/verifiers/accept_new_or_local_tunnel.rb +33 -0
data/lib/net/ssh/verifiers/always.rb +58 -0
data/lib/net/ssh/verifiers/never.rb +19 -0
data/lib/net/ssh/version.rb +55 -53
data/lib/net/ssh.rb +110 -47
data/net-ssh-public_cert.pem +18 -18
data/net-ssh.gemspec +36 -205
data/support/ssh_tunnel_bug.rb +5 -5
data.tar.gz.sig +0 -0
metadata +153 -118
metadata.gz.sig +0 -0
data/.travis.yml +0 -18
data/README.rdoc +0 -182
data/lib/net/ssh/authentication/agent/java_pageant.rb +0 -85
data/lib/net/ssh/authentication/agent/socket.rb +0 -178
data/lib/net/ssh/ruby_compat.rb +0 -46
data/lib/net/ssh/verifiers/lenient.rb +0 -30
data/lib/net/ssh/verifiers/null.rb +0 -12
data/lib/net/ssh/verifiers/secure.rb +0 -52
data/lib/net/ssh/verifiers/strict.rb +0 -24
data/setup.rb +0 -1585
data/support/arcfour_check.rb +0 -20
data/test/README.txt +0 -18
data/test/authentication/methods/common.rb +0 -28
data/test/authentication/methods/test_abstract.rb +0 -51
data/test/authentication/methods/test_hostbased.rb +0 -114
data/test/authentication/methods/test_keyboard_interactive.rb +0 -121
data/test/authentication/methods/test_none.rb +0 -41
data/test/authentication/methods/test_password.rb +0 -95
data/test/authentication/methods/test_publickey.rb +0 -148
data/test/authentication/test_agent.rb +0 -232
data/test/authentication/test_key_manager.rb +0 -240
data/test/authentication/test_session.rb +0 -107
data/test/common.rb +0 -125
data/test/configs/auth_off +0 -5
data/test/configs/auth_on +0 -4
data/test/configs/empty +0 -0
data/test/configs/eqsign +0 -3
data/test/configs/exact_match +0 -8
data/test/configs/host_plus +0 -10
data/test/configs/multihost +0 -4
data/test/configs/negative_match +0 -6
data/test/configs/nohost +0 -19
data/test/configs/numeric_host +0 -4
data/test/configs/proxy_remote_user +0 -2
data/test/configs/send_env +0 -2
data/test/configs/substitutes +0 -8
data/test/configs/wild_cards +0 -14
data/test/connection/test_channel.rb +0 -487
data/test/connection/test_session.rb +0 -564
data/test/integration/README.txt +0 -17
data/test/integration/Vagrantfile +0 -12
data/test/integration/common.rb +0 -63
data/test/integration/playbook.yml +0 -56
data/test/integration/test_forward.rb +0 -637
data/test/integration/test_id_rsa_keys.rb +0 -96
data/test/integration/test_proxy.rb +0 -93
data/test/known_hosts/github +0 -1
data/test/known_hosts/github_hash +0 -1
data/test/manual/test_pageant.rb +0 -37
data/test/start/test_connection.rb +0 -53
data/test/start/test_options.rb +0 -57
data/test/start/test_transport.rb +0 -28
data/test/start/test_user_nil.rb +0 -27
data/test/test_all.rb +0 -12
data/test/test_buffer.rb +0 -433
data/test/test_buffered_io.rb +0 -63
data/test/test_config.rb +0 -268
data/test/test_key_factory.rb +0 -191
data/test/test_known_hosts.rb +0 -66
data/test/transport/hmac/test_md5.rb +0 -41
data/test/transport/hmac/test_md5_96.rb +0 -27
data/test/transport/hmac/test_none.rb +0 -34
data/test/transport/hmac/test_ripemd160.rb +0 -36
data/test/transport/hmac/test_sha1.rb +0 -36
data/test/transport/hmac/test_sha1_96.rb +0 -27
data/test/transport/hmac/test_sha2_256.rb +0 -37
data/test/transport/hmac/test_sha2_256_96.rb +0 -27
data/test/transport/hmac/test_sha2_512.rb +0 -37
data/test/transport/hmac/test_sha2_512_96.rb +0 -27
data/test/transport/kex/test_diffie_hellman_group14_sha1.rb +0 -13
data/test/transport/kex/test_diffie_hellman_group1_sha1.rb +0 -150
data/test/transport/kex/test_diffie_hellman_group_exchange_sha1.rb +0 -96
data/test/transport/kex/test_diffie_hellman_group_exchange_sha256.rb +0 -19
data/test/transport/kex/test_ecdh_sha2_nistp256.rb +0 -161
data/test/transport/kex/test_ecdh_sha2_nistp384.rb +0 -38
data/test/transport/kex/test_ecdh_sha2_nistp521.rb +0 -38
data/test/transport/test_algorithms.rb +0 -328
data/test/transport/test_cipher_factory.rb +0 -443
data/test/transport/test_hmac.rb +0 -34
data/test/transport/test_identity_cipher.rb +0 -40
data/test/transport/test_packet_stream.rb +0 -1762
data/test/transport/test_server_version.rb +0 -74
data/test/transport/test_session.rb +0 -331
data/test/transport/test_state.rb +0 -181
data/test/verifiers/test_secure.rb +0 -40

data/lib/net/ssh/key_factory.rb CHANGED Viewed

@@ -1,126 +1,218 @@
 require 'net/ssh/transport/openssl'
 require 'net/ssh/prompt'
-module Net; module SSH
-  # A factory class for returning new Key classes. It is used for obtaining
-  # OpenSSL key instances via their SSH names, and for loading both public and
-  # private keys. It used used primarily by Net::SSH itself, internally, and
-  # will rarely (if ever) be directly used by consumers of the library.
-  #
-  #   klass = Net::SSH::KeyFactory.get("rsa")
-  #   assert klass.is_a?(OpenSSL::PKey::RSA)
-  #
-  #   key = Net::SSH::KeyFactory.load_public_key("~/.ssh/id_dsa.pub")
-  class KeyFactory
-    # Specifies the mapping of SSH names to OpenSSL key classes.
-    MAP = {
-      "dh"  => OpenSSL::PKey::DH,
-      "rsa" => OpenSSL::PKey::RSA,
-      "dsa" => OpenSSL::PKey::DSA,
-    }
-    if defined?(OpenSSL::PKey::EC)
-      MAP["ecdsa"] = OpenSSL::PKey::EC
-    end
+require 'net/ssh/authentication/ed25519_loader'
-    class <<self
-      include Prompt
+module Net
+  module SSH
+    # A factory class for returning new Key classes. It is used for obtaining
+    # OpenSSL key instances via their SSH names, and for loading both public and
+    # private keys. It used used primarily by Net::SSH itself, internally, and
+    # will rarely (if ever) be directly used by consumers of the library.
+    #
+    #   klass = Net::SSH::KeyFactory.get("rsa")
+    #   assert klass.is_a?(OpenSSL::PKey::RSA)
+    #
+    #   key = Net::SSH::KeyFactory.load_public_key("~/.ssh/id_dsa.pub")
+    class KeyFactory
+      # Specifies the mapping of SSH names to OpenSSL key classes.
+      MAP = {
+        'dh' => OpenSSL::PKey::DH,
+        'rsa' => OpenSSL::PKey::RSA,
+        'dsa' => OpenSSL::PKey::DSA,
+        'ecdsa' => OpenSSL::PKey::EC
+      }
+      MAP["ed25519"] = Net::SSH::Authentication::ED25519::PrivKey if defined? Net::SSH::Authentication::ED25519
-      # Fetch an OpenSSL key instance by its SSH name. It will be a new,
-      # empty key of the given type.
-      def get(name)
-        MAP.fetch(name).new
-      end
+      class << self
+        # Fetch an OpenSSL key instance by its SSH name. It will be a new,
+        # empty key of the given type.
+        def get(name)
+          MAP.fetch(name).new
+        end
-      # Loads a private key from a file. It will correctly determine
-      # whether the file describes an RSA or DSA key, and will load it
-      # appropriately. The new key is returned. If the key itself is
-      # encrypted (requiring a passphrase to use), the user will be
-      # prompted to enter their password unless passphrase works.
-      def load_private_key(filename, passphrase=nil, ask_passphrase=true)
-        data = File.read(File.expand_path(filename))
-        load_data_private_key(data, passphrase, ask_passphrase, filename)
-      end
+        # Loads a private key from a file. It will correctly determine
+        # whether the file describes an RSA or DSA key, and will load it
+        # appropriately. The new key is returned. If the key itself is
+        # encrypted (requiring a passphrase to use), the user will be
+        # prompted to enter their password unless passphrase works.
+        def load_private_key(filename, passphrase = nil, ask_passphrase = true, prompt = Prompt.default)
+          data = File.read(File.expand_path(filename))
+          load_data_private_key(data, passphrase, ask_passphrase, filename, prompt)
+        end
-      # Loads a private key. It will correctly determine
-      # whether the file describes an RSA or DSA key, and will load it
-      # appropriately. The new key is returned. If the key itself is
-      # encrypted (requiring a passphrase to use), the user will be
-      # prompted to enter their password unless passphrase works.
-      def load_data_private_key(data, passphrase=nil, ask_passphrase=true, filename="")
-        if OpenSSL::PKey.respond_to?(:read)
-          pkey_read = true
-          error_class = ArgumentError
-        else
-          pkey_read = false
-          if data.match(/-----BEGIN DSA PRIVATE KEY-----/)
-            key_type = OpenSSL::PKey::DSA
-            error_class = OpenSSL::PKey::DSAError
-          elsif data.match(/-----BEGIN RSA PRIVATE KEY-----/)
-            key_type = OpenSSL::PKey::RSA
-            error_class = OpenSSL::PKey::RSAError
-          elsif data.match(/-----BEGIN EC PRIVATE KEY-----/) && defined?(OpenSSL::PKey::EC)
-            key_type = OpenSSL::PKey::EC
-            error_class = OpenSSL::PKey::ECError
-          elsif data.match(/-----BEGIN (.+) PRIVATE KEY-----/)
-            raise OpenSSL::PKey::PKeyError, "not a supported key type '#{$1}'"
-          else
-            raise OpenSSL::PKey::PKeyError, "not a private key (#{filename})"
+        # Loads a private key. It will correctly determine
+        # whether the file describes an RSA or DSA key, and will load it
+        # appropriately. The new key is returned. If the key itself is
+        # encrypted (requiring a passphrase to use), the user will be
+        # prompted to enter their password unless passphrase works.
+        def load_data_private_key(data, passphrase = nil, ask_passphrase = true, filename = "", prompt = Prompt.default)
+          key_type = classify_key(data, filename)
+          encrypted_key = nil
+          tries = 0
+          prompter = nil
+          result =
+            begin
+              key_type.read(data, passphrase || 'invalid')
+            rescue *key_type.error_classes => e
+              encrypted_key = !!key_type.encrypted_key?(data, e) if encrypted_key.nil?
+              if encrypted_key && ask_passphrase
+                tries += 1
+                if tries <= 3
+                  prompter ||= prompt.start(type: 'private_key', filename: filename, sha: Digest::SHA256.digest(data))
+                  passphrase = prompter.ask("Enter passphrase for #{filename}:", false)
+                  retry
+                else
+                  raise
+                end
+              else
+                raise
+              end
+            end
+          prompter.success if prompter
+          result
+        end
+        # Loads a public key from a file. It will correctly determine whether
+        # the file describes an RSA or DSA key, and will load it
+        # appropriately. The new public key is returned.
+        def load_public_key(filename)
+          data = File.read(File.expand_path(filename))
+          load_data_public_key(data, filename)
+        end
+        # Loads a public key. It will correctly determine whether
+        # the file describes an RSA or DSA key, and will load it
+        # appropriately. The new public key is returned.
+        def load_data_public_key(data, filename = "")
+          fields = data.split(/ /)
+          blob = nil
+          begin
+            blob = fields.shift
+          end while !blob.nil? && !/^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp\d+)(-cert-v01@openssh\.com)?$/.match(blob)
+          blob = fields.shift
+          raise Net::SSH::Exception, "public key at #{filename} is not valid" if blob.nil?
+          blob = blob.unpack("m*").first
+          reader = Net::SSH::Buffer.new(blob)
+          reader.read_key or raise OpenSSL::PKey::PKeyError, "not a public key #{filename.inspect}"
+        end
+        private
+        # rubocop:disable Style/Documentation, Lint/DuplicateMethods
+        class KeyType
+          def self.read(key_data, passphrase)
+            raise Exception, "TODO subclasses should implement read"
+          end
+          def self.error_classes
+            raise Exception, "TODO subclasses should implement read"
+          end
+          def self.encrypted_key?(data, error)
+            raise Exception, "TODO subclasses should implement is_encrypted_key"
           end
         end
-        encrypted_key = data.match(/ENCRYPTED/)
-        tries = 0
+        class OpenSSHPrivateKeyType < KeyType
+          def self.read(key_data, passphrase)
+            Net::SSH::Authentication::ED25519::OpenSSHPrivateKeyLoader.read(key_data, passphrase)
+          end
-        begin
-          if pkey_read
-            return OpenSSL::PKey.read(data, passphrase || 'invalid')
-          else
-            return key_type.new(data, passphrase || 'invalid')
-          end
-        rescue error_class
-          if encrypted_key && ask_passphrase
-            tries += 1
-            if tries <= 3
-              passphrase = prompt("Enter passphrase for #{filename}:", false)
-              retry
-            else
-              raise
-            end
-          else
-            raise
+          def self.error_classes
+            [Net::SSH::Authentication::ED25519::OpenSSHPrivateKeyLoader::DecryptError]
+          end
+          def self.encrypted_key?(key_data, decode_error)
+            decode_error.is_a?(Net::SSH::Authentication::ED25519::OpenSSHPrivateKeyLoader::DecryptError) && decode_error.encrypted_key?
           end
         end
-      end
-      # Loads a public key from a file. It will correctly determine whether
-      # the file describes an RSA or DSA key, and will load it
-      # appropriately. The new public key is returned.
-      def load_public_key(filename)
-        data = File.read(File.expand_path(filename))
-        load_data_public_key(data, filename)
-      end
+        class OpenSSLKeyTypeBase < KeyType
+          def self.open_ssl_class
+            raise Exception, "TODO: subclasses should implement"
+          end
-      # Loads a public key. It will correctly determine whether
-      # the file describes an RSA or DSA key, and will load it
-      # appropriately. The new public key is returned.
-      def load_data_public_key(data, filename="")
-        fields = data.split(/ /)
+          def self.read(key_data, passphrase)
+            open_ssl_class.new(key_data, passphrase)
+          end
-        blob = nil
-        begin
-          blob = fields.shift
-        end while !blob.nil? && !/^(ssh-(rsa|dss)|ecdsa-sha2-nistp\d+)$/.match(blob)
-        blob = fields.shift
+          def self.encrypted_key?(key_data, error)
+            key_data.match(/ENCRYPTED/)
+          end
+        end
+        class OpenSSLPKeyType < OpenSSLKeyTypeBase
+          def self.read(key_data, passphrase)
+            open_ssl_class.read(key_data, passphrase)
+          end
+          def self.open_ssl_class
+            OpenSSL::PKey
+          end
-        raise Net::SSH::Exception, "public key at #{filename} is not valid" if blob.nil?
+          def self.error_classes
+            [ArgumentError, OpenSSL::PKey::PKeyError]
+          end
+        end
+        class OpenSSLDSAKeyType < OpenSSLKeyTypeBase
+          def self.open_ssl_class
+            OpenSSL::PKey::DSA
+          end
+          def self.error_classes
+            [OpenSSL::PKey::DSAError]
+          end
+        end
+        class OpenSSLRSAKeyType < OpenSSLKeyTypeBase
+          def self.open_ssl_class
+            OpenSSL::PKey::RSA
+          end
-        blob = blob.unpack("m*").first
-        reader = Net::SSH::Buffer.new(blob)
-        reader.read_key or raise OpenSSL::PKey::PKeyError, "not a public key #{filename.inspect}"
+          def self.error_classes
+            [OpenSSL::PKey::RSAError]
+          end
+        end
+        class OpenSSLECKeyType < OpenSSLKeyTypeBase
+          def self.open_ssl_class
+            OpenSSL::PKey::EC
+          end
+          def self.error_classes
+            [OpenSSL::PKey::ECError]
+          end
+        end
+        # rubocop:enable Style/Documentation, Lint/DuplicateMethods
+        # Determine whether the file describes an RSA or DSA key, and return how load it
+        # appropriately.
+        def classify_key(data, filename)
+          if data.match(/-----BEGIN OPENSSH PRIVATE KEY-----/)
+            Net::SSH::Authentication::ED25519Loader.raiseUnlessLoaded("OpenSSH keys only supported if ED25519 is available")
+            return OpenSSHPrivateKeyType
+          elsif OpenSSL::PKey.respond_to?(:read)
+            return OpenSSLPKeyType
+          elsif data.match(/-----BEGIN DSA PRIVATE KEY-----/)
+            return OpenSSLDSAKeyType
+          elsif data.match(/-----BEGIN RSA PRIVATE KEY-----/)
+            return OpenSSLRSAKeyType
+          elsif data.match(/-----BEGIN EC PRIVATE KEY-----/)
+            return OpenSSLECKeyType
+          elsif data.match(/-----BEGIN (.+) PRIVATE KEY-----/)
+            raise OpenSSL::PKey::PKeyError, "not a supported key type '#{$1}'"
+          else
+            raise OpenSSL::PKey::PKeyError, "not a private key (#{filename})"
+          end
+        end
       end
     end
   end
-end; end
+end