net-ssh 3.2.0.rc2 → 7.1.0

data/lib/net/ssh/authentication/methods/abstract.rb

@@ -3,58 +3,77 @@ require 'net/ssh/errors'
 require 'net/ssh/loggable'
 require 'net/ssh/authentication/constants'
 
-module Net; module SSH; module Authentication; module Methods
-
-  # The base class of all user authentication methods. It provides a few
-  # bits of common functionality.
-  class Abstract
-    include Constants, Loggable
-
-    # The authentication session object
-    attr_reader :session
-
-    # The key manager object. Not all authentication methods will require
-    # this.
-    attr_reader :key_manager
-
-    # Instantiates a new authentication method.
-    def initialize(session, options={})
-      @session = session
-      @key_manager = options[:key_manager]
-      @options = options
-      self.logger = session.logger
-    end
+module Net
+  module SSH
+    module Authentication
+      module Methods
+        # The base class of all user authentication methods. It provides a few
+        # bits of common functionality.
+        class Abstract
+          include Loggable
+          include Constants
 
-    # Returns the session-id, as generated during the first key exchange of
-    # an SSH connection.
-    def session_id
-      session.transport.algorithms.session_id
-    end
+          # The authentication session object
+          attr_reader :session
 
-    # Sends a message via the underlying transport layer abstraction. This
-    # will block until the message is completely sent.
-    def send_message(msg)
-      session.transport.send_message(msg)
-    end
+          # The key manager object. Not all authentication methods will require
+          # this.
+          attr_reader :key_manager
+
+          # So far only affects algorithms used for rsa keys, but can be
+          # extended to other keys, e.g after reading of
+          # PubkeyAcceptedAlgorithms option from ssh_config file is implemented.
+          attr_reader :pubkey_algorithms
+
+          # Instantiates a new authentication method.
+          def initialize(session, options = {})
+            @session = session
+            @key_manager = options[:key_manager]
+            @options = options
+            @prompt = options[:password_prompt]
+            @pubkey_algorithms = options[:pubkey_algorithms] \
+              || %w[rsa-sha2-256-cert-v01@openssh.com
+                    ssh-rsa-cert-v01@openssh.com
+                    rsa-sha2-256
+                    ssh-rsa]
+            self.logger = session.logger
+          end
+
+          # Returns the session-id, as generated during the first key exchange of
+          # an SSH connection.
+          def session_id
+            session.transport.algorithms.session_id
+          end
+
+          # Sends a message via the underlying transport layer abstraction. This
+          # will block until the message is completely sent.
+          def send_message(msg)
+            session.transport.send_message(msg)
+          end
 
-    # Creates a new USERAUTH_REQUEST packet. The extra arguments on the end
-    # must be either boolean values or strings, and are tacked onto the end
-    # of the packet. The new packet is returned, ready for sending.
-    def userauth_request(username, next_service, auth_method, *others)
-      buffer = Net::SSH::Buffer.from(:byte, USERAUTH_REQUEST,
-        :string, username, :string, next_service, :string, auth_method)
-
-      others.each do |value|
-        case value
-        when true, false then buffer.write_bool(value)
-        when String      then buffer.write_string(value)
-        else raise ArgumentError, "don't know how to write #{value.inspect}"
+          # Creates a new USERAUTH_REQUEST packet. The extra arguments on the end
+          # must be either boolean values or strings, and are tacked onto the end
+          # of the packet. The new packet is returned, ready for sending.
+          def userauth_request(username, next_service, auth_method, *others)
+            buffer = Net::SSH::Buffer.from(:byte, USERAUTH_REQUEST,
+                                           :string, username, :string, next_service, :string, auth_method)
+
+            others.each do |value|
+              case value
+              when true, false then buffer.write_bool(value)
+              when String      then buffer.write_string(value)
+              else raise ArgumentError, "don't know how to write #{value.inspect}"
+              end
+            end
+
+            buffer
+          end
+
+          private
+
+          attr_reader :prompt
         end
       end
-
-      buffer
     end
-
   end
-
-end; end; end; end
+end

data/lib/net/ssh/authentication/methods/hostbased.rb

@@ -4,19 +4,18 @@ module Net
   module SSH
     module Authentication
       module Methods
-
         # Implements the host-based SSH authentication method.
         class Hostbased < Abstract
           include Constants
 
           # Attempts to perform host-based authorization of the user by trying
           # all known keys.
-          def authenticate(next_service, username, password=nil)
+          def authenticate(next_service, username, password = nil)
             return false unless key_manager
 
             key_manager.each_identity do |identity|
               return true if authenticate_with(identity, next_service,
-                username, key_manager)
+                                               username, key_manager)
             end
 
             return false
@@ -24,51 +23,49 @@ module Net
 
           private
 
-            # Returns the hostname as reported by the underlying socket.
-            def hostname
-              session.transport.socket.client_name
-            end
-
-            # Attempts to perform host-based authentication of the user, using
-            # the given host identity (key).
-            def authenticate_with(identity, next_service, username, key_manager)
-              debug { "trying hostbased (#{identity.fingerprint})" }
-              client_username = ENV['USER'] || username
+          # Returns the hostname as reported by the underlying socket.
+          def hostname
+            session.transport.socket.client_name
+          end
 
-              req = build_request(identity, next_service, username, "#{hostname}.", client_username)
-              sig_data = Buffer.from(:string, session_id, :raw, req)
+          # Attempts to perform host-based authentication of the user, using
+          # the given host identity (key).
+          def authenticate_with(identity, next_service, username, key_manager)
+            debug { "trying hostbased (#{identity.fingerprint})" }
+            client_username = ENV['USER'] || username
 
-              sig = key_manager.sign(identity, sig_data.to_s)
+            req = build_request(identity, next_service, username, "#{hostname}.", client_username)
+            sig_data = Buffer.from(:string, session_id, :raw, req)
 
-              message = Buffer.from(:raw, req, :string, sig)
+            sig = key_manager.sign(identity, sig_data.to_s)
 
-              send_message(message)
-              message = session.next_message
+            message = Buffer.from(:raw, req, :string, sig)
 
-              case message.type
-                when USERAUTH_SUCCESS
-                  info { "hostbased succeeded (#{identity.fingerprint})" }
-                  return true
-                when USERAUTH_FAILURE
-                  info { "hostbased failed (#{identity.fingerprint})" }
+            send_message(message)
+            message = session.next_message
 
-                  raise Net::SSH::Authentication::DisallowedMethod unless
-                    message[:authentications].split(/,/).include? 'hostbased'
+            case message.type
+            when USERAUTH_SUCCESS
+              info { "hostbased succeeded (#{identity.fingerprint})" }
+              return true
+            when USERAUTH_FAILURE
+              info { "hostbased failed (#{identity.fingerprint})" }
 
-                  return false
-                else
-                  raise Net::SSH::Exception, "unexpected server response to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
-              end
-            end
+              raise Net::SSH::Authentication::DisallowedMethod unless
+                message[:authentications].split(/,/).include? 'hostbased'
 
-            # Build the "core" hostbased request string.
-            def build_request(identity, next_service, username, hostname, client_username)
-              userauth_request(username, next_service, "hostbased", identity.ssh_type,
-                Buffer.from(:key, identity).to_s, hostname, client_username).to_s
+              return false
+            else
+              raise Net::SSH::Exception, "unexpected server response to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
             end
+          end
 
+          # Build the "core" hostbased request string.
+          def build_request(identity, next_service, username, hostname, client_username)
+            userauth_request(username, next_service, "hostbased", identity.ssh_type,
+                             Buffer.from(:key, identity).to_s, hostname, client_username).to_s
+          end
         end
-
       end
     end
   end

data/lib/net/ssh/authentication/methods/keyboard_interactive.rb

@@ -5,25 +5,24 @@ module Net
   module SSH
     module Authentication
       module Methods
-
         # Implements the "keyboard-interactive" SSH authentication method.
         class KeyboardInteractive < Abstract
-          include Prompt
-
           USERAUTH_INFO_REQUEST  = 60
           USERAUTH_INFO_RESPONSE = 61
 
           # Attempt to authenticate the given user for the given service.
-          def authenticate(next_service, username, password=nil)
+          def authenticate(next_service, username, password = nil)
             debug { "trying keyboard-interactive" }
             send_message(userauth_request(username, next_service, "keyboard-interactive", "", ""))
 
+            prompter = nil
             loop do
               message = session.next_message
 
               case message.type
               when USERAUTH_SUCCESS
                 debug { "keyboard-interactive succeeded" }
+                prompter.success if prompter
                 return true
               when USERAUTH_FAILURE
                 debug { "keyboard-interactive failed" }
@@ -31,26 +30,27 @@ module Net
                 raise Net::SSH::Authentication::DisallowedMethod unless
                   message[:authentications].split(/,/).include? 'keyboard-interactive'
 
-                return false
+                return false unless interactive?
+
+                password = nil
+                debug { "retrying keyboard-interactive" }
+                send_message(userauth_request(username, next_service, "keyboard-interactive", "", ""))
               when USERAUTH_INFO_REQUEST
                 name = message.read_string
                 instruction = message.read_string
                 debug { "keyboard-interactive info request" }
 
-                unless password
-                  if interactive?
-                    puts(name) unless name.empty?
-                    puts(instruction) unless instruction.empty?
-                  end
+                if password.nil? && interactive? && prompter.nil?
+                  prompter = prompt.start(type: 'keyboard-interactive', name: name, instruction: instruction)
                 end
 
                 _ = message.read_string # lang_tag
-                responses =[]
-  
+                responses = []
+
                 message.read_long.times do
                   text = message.read_string
                   echo = message.read_bool
-                  password_to_send = password || (interactive? ? prompt(text, echo) : nil)
+                  password_to_send = password || (prompter && prompter.ask(text, echo))
                   responses << password_to_send
                 end
 

data/lib/net/ssh/authentication/methods/none.rb

@@ -5,32 +5,29 @@ module Net
   module SSH
     module Authentication
       module Methods
-
         # Implements the "none" SSH authentication method.
         class None < Abstract
           # Attempt to authenticate as "none"
-          def authenticate(next_service, user="", password="")
-            send_message(userauth_request(user, next_service, "none")) 
+          def authenticate(next_service, user = "", password = "")
+            send_message(userauth_request(user, next_service, "none"))
             message = session.next_message
-            
+
             case message.type
-              when USERAUTH_SUCCESS
-                debug { "none succeeded" }
-                return true
-              when USERAUTH_FAILURE
-                debug { "none failed" }
-              
-                raise Net::SSH::Authentication::DisallowedMethod unless
-                  message[:authentications].split(/,/).include? 'none'
-              
-                return false
-              else
-                raise Net::SSH::Exception, "unexpected reply to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
-            end   
-            
+            when USERAUTH_SUCCESS
+              debug { "none succeeded" }
+              return true
+            when USERAUTH_FAILURE
+              debug { "none failed" }
+
+              raise Net::SSH::Authentication::DisallowedMethod unless
+                message[:authentications].split(/,/).include? 'none'
+
+              return false
+            else
+              raise Net::SSH::Exception, "unexpected reply to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
+            end
           end
         end
-
       end
     end
   end

data/lib/net/ssh/authentication/methods/password.rb

@@ -6,16 +6,14 @@ module Net
   module SSH
     module Authentication
       module Methods
-
         # Implements the "password" SSH authentication method.
         class Password < Abstract
-          include Prompt
-
           # Attempt to authenticate the given user for the given service. If
           # the password parameter is nil, this will ask for password
-          def authenticate(next_service, username, password=nil)
+          def authenticate(next_service, username, password = nil)
+            clear_prompter!
             retries = 0
-            max_retries =  get_max_retries
+            max_retries = get_max_retries
             return false if !password && max_retries == 0
 
             begin
@@ -30,21 +28,23 @@ module Net
 
                 raise Net::SSH::Authentication::DisallowedMethod unless
                   message[:authentications].split(/,/).include? 'password'
+
                 password = nil
               end
             end until (message.type != USERAUTH_FAILURE || retries >= max_retries)
 
             case message.type
-              when USERAUTH_SUCCESS
-                debug { "password succeeded" }
-                return true
-              when USERAUTH_FAILURE
-                return false
-              when USERAUTH_PASSWD_CHANGEREQ
-                debug { "password change request received, failing" }
-                return false
-              else
-                raise Net::SSH::Exception, "unexpected reply to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
+            when USERAUTH_SUCCESS
+              debug { "password succeeded" }
+              @prompter.success if @prompter
+              return true
+            when USERAUTH_FAILURE
+              return false
+            when USERAUTH_PASSWD_CHANGEREQ
+              debug { "password change request received, failing" }
+              return false
+            else
+              raise Net::SSH::Exception, "unexpected reply to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
             end
           end
 
@@ -52,9 +52,20 @@ module Net
 
           NUMBER_OF_PASSWORD_PROMPTS = 3
 
+          def clear_prompter!
+            @prompt_info = nil
+            @prompter = nil
+          end
+
           def ask_password(username)
+            host = session.transport.host
+            prompt_info = { type: 'password', user: username, host: host }
+            if @prompt_info != prompt_info
+              @prompt_info = prompt_info
+              @prompter = prompt.start(prompt_info)
+            end
             echo = false
-            prompt("#{username}@#{session.transport.host}'s password:", echo)
+            @prompter.ask("#{username}@#{host}'s password:", echo)
           end
 
           def get_max_retries
@@ -63,7 +74,6 @@ module Net
             options[:non_interactive] ? 0 : result
           end
         end
-
       end
     end
   end

data/lib/net/ssh/authentication/methods/publickey.rb

@@ -6,14 +6,13 @@ module Net
   module SSH
     module Authentication
       module Methods
-
         # Implements the "publickey" SSH authentication method.
         class Publickey < Abstract
           # Attempts to perform public-key authentication for the given
           # username, trying each identity known to the key manager. If any of
           # them succeed, returns +true+, otherwise returns +false+. This
           # requires the presence of a key manager.
-          def authenticate(next_service, username, password=nil)
+          def authenticate(next_service, username, password = nil)
             return false unless key_manager
 
             key_manager.each_identity do |identity|
@@ -25,71 +24,113 @@ module Net
 
           private
 
-            # Builds a packet that contains the request formatted for sending
-            # a public-key request to the server.
-            def build_request(pub_key, username, next_service, has_sig)
-              blob = Net::SSH::Buffer.new
-              blob.write_key pub_key
+          # Builds a packet that contains the request formatted for sending
+          # a public-key request to the server.
+          def build_request(pub_key, username, next_service, alg, has_sig)
+            blob = Net::SSH::Buffer.new
+            blob.write_key pub_key
 
-              userauth_request(username, next_service, "publickey", has_sig,
-                pub_key.ssh_type, blob.to_s)
-            end
+            userauth_request(username, next_service, "publickey", has_sig,
+                             alg, blob.to_s)
+          end
 
-            # Builds and sends a request formatted for a public-key
-            # authentication request.
-            def send_request(pub_key, username, next_service, signature=nil)
-              msg = build_request(pub_key, username, next_service, !signature.nil?)
-              msg.write_string(signature) if signature
-              send_message(msg)
-            end
+          # Builds and sends a request formatted for a public-key
+          # authentication request.
+          def send_request(pub_key, username, next_service, alg, signature = nil)
+            msg = build_request(pub_key, username, next_service, alg,
+                                !signature.nil?)
+            msg.write_string(signature) if signature
+            send_message(msg)
+          end
+
+          def authenticate_with_alg(identity, next_service, username, alg, sig_alg = nil)
+            debug { "trying publickey (#{identity.fingerprint})" }
+            send_request(identity, username, next_service, alg)
 
-            # Attempts to perform public-key authentication for the given
-            # username, with the given identity (public key). Returns +true+ if
-            # successful, or +false+ otherwise.
-            def authenticate_with(identity, next_service, username)
-              debug { "trying publickey (#{identity.fingerprint})" }
-              send_request(identity, username, next_service)
+            message = session.next_message
 
+            case message.type
+            when USERAUTH_PK_OK
+              buffer = build_request(identity, username, next_service, alg,
+                                     true)
+              sig_data = Net::SSH::Buffer.new
+              sig_data.write_string(session_id)
+              sig_data.append(buffer.to_s)
+
+              sig_blob = key_manager.sign(identity, sig_data, sig_alg)
+
+              send_request(identity, username, next_service, alg, sig_blob.to_s)
               message = session.next_message
 
               case message.type
-                when USERAUTH_PK_OK
-                  buffer = build_request(identity, username, next_service, true)
-                  sig_data = Net::SSH::Buffer.new
-                  sig_data.write_string(session_id)
-                  sig_data.append(buffer.to_s)
-
-                  sig_blob = key_manager.sign(identity, sig_data)
-
-                  send_request(identity, username, next_service, sig_blob.to_s)
-                  message = session.next_message
-
-                  case message.type
-                    when USERAUTH_SUCCESS
-                      debug { "publickey succeeded (#{identity.fingerprint})" }
-                      return true
-                    when USERAUTH_FAILURE
-                      debug { "publickey failed (#{identity.fingerprint})" }
-
-                      raise Net::SSH::Authentication::DisallowedMethod unless
-                        message[:authentications].split(/,/).include? 'publickey'
-
-                      return false
-                    else
-                      raise Net::SSH::Exception,
-                        "unexpected server response to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
-                  end
+              when USERAUTH_SUCCESS
+                debug { "publickey succeeded (#{identity.fingerprint})" }
+                return true
+              when USERAUTH_FAILURE
+                debug { "publickey failed (#{identity.fingerprint})" }
+
+                raise Net::SSH::Authentication::DisallowedMethod unless
+                  message[:authentications].split(/,/).include? 'publickey'
+
+                return false
+              else
+                raise Net::SSH::Exception,
+                      "unexpected server response to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
+              end
 
-                when USERAUTH_FAILURE
-                  return false
+            when USERAUTH_FAILURE
+              return false
+            when USERAUTH_SUCCESS
+              return true
 
-                else
-                  raise Net::SSH::Exception, "unexpected reply to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
-              end
+            else
+              raise Net::SSH::Exception, "unexpected reply to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
             end
+          end
 
+          # Attempts to perform public-key authentication for the given
+          # username, with the given identity (public key). Returns +true+ if
+          # successful, or +false+ otherwise.
+          def authenticate_with(identity, next_service, username)
+            type = identity.ssh_type
+            if type == "ssh-rsa"
+              pubkey_algorithms.each do |pk_alg|
+                case pk_alg
+                when "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"
+                  if authenticate_with_alg(identity, next_service, username, pk_alg, pk_alg)
+                    # success
+                    return true
+                  end
+                end
+              end
+            elsif type == "ssh-rsa-cert-v01@openssh.com"
+              pubkey_algorithms.each do |pk_alg|
+                case pk_alg
+                when "rsa-sha2-512-cert-v01@openssh.com"
+                  if authenticate_with_alg(identity, next_service, username, pk_alg, "rsa-sha2-512")
+                    # success
+                    return true
+                  end
+                when "rsa-sha2-256-cert-v01@openssh.com"
+                  if authenticate_with_alg(identity, next_service, username, pk_alg, "rsa-sha2-256")
+                    # success
+                    return true
+                  end
+                when "ssh-rsa-cert-v01@openssh.com"
+                  if authenticate_with_alg(identity, next_service, username, pk_alg)
+                    # success
+                    return true
+                  end
+                end
+              end
+            elsif authenticate_with_alg(identity, next_service, username, type)
+              # success
+              return true
+            end
+            # failure
+            return false
+          end
         end
-
       end
     end
   end