RubyGems - net-ssh - Versions diffs - 3.2.0 → 7.2.0.rc1 - Mend

net-ssh 3.2.0 → 7.2.0.rc1

Files changed (210) hide show

checksums.yaml +5 -5
checksums.yaml.gz.sig +0 -0
data/.dockerignore +6 -0
data/.github/FUNDING.yml +1 -0
data/.github/config/rubocop_linter_action.yml +4 -0
data/.github/workflows/ci-with-docker.yml +44 -0
data/.github/workflows/ci.yml +93 -0
data/.github/workflows/rubocop.yml +16 -0
data/.gitignore +13 -0
data/.rubocop.yml +22 -0
data/.rubocop_todo.yml +1081 -0
data/CHANGES.txt +237 -7
data/DEVELOPMENT.md +23 -0
data/Dockerfile +27 -0
data/Dockerfile.openssl3 +17 -0
data/Gemfile +13 -0
data/Gemfile.noed25519 +12 -0
data/Gemfile.norbnacl +12 -0
data/ISSUE_TEMPLATE.md +30 -0
data/Manifest +4 -5
data/README.md +298 -0
data/Rakefile +125 -74
data/SECURITY.md +4 -0
data/appveyor.yml +58 -0
data/docker-compose.yml +23 -0
data/lib/net/ssh/authentication/agent.rb +279 -18
data/lib/net/ssh/authentication/certificate.rb +183 -0
data/lib/net/ssh/authentication/constants.rb +17 -15
data/lib/net/ssh/authentication/ed25519.rb +186 -0
data/lib/net/ssh/authentication/ed25519_loader.rb +31 -0
data/lib/net/ssh/authentication/key_manager.rb +86 -39
data/lib/net/ssh/authentication/methods/abstract.rb +67 -48
data/lib/net/ssh/authentication/methods/hostbased.rb +34 -37
data/lib/net/ssh/authentication/methods/keyboard_interactive.rb +13 -13
data/lib/net/ssh/authentication/methods/none.rb +16 -19
data/lib/net/ssh/authentication/methods/password.rb +27 -17
data/lib/net/ssh/authentication/methods/publickey.rb +96 -55
data/lib/net/ssh/authentication/pageant.rb +471 -367
data/lib/net/ssh/authentication/pub_key_fingerprint.rb +43 -0
data/lib/net/ssh/authentication/session.rb +131 -121
data/lib/net/ssh/buffer.rb +399 -300
data/lib/net/ssh/buffered_io.rb +154 -150
data/lib/net/ssh/config.rb +308 -185
data/lib/net/ssh/connection/channel.rb +635 -613
data/lib/net/ssh/connection/constants.rb +29 -29
data/lib/net/ssh/connection/event_loop.rb +123 -0
data/lib/net/ssh/connection/keepalive.rb +55 -51
data/lib/net/ssh/connection/session.rb +620 -551
data/lib/net/ssh/connection/term.rb +125 -123
data/lib/net/ssh/errors.rb +101 -99
data/lib/net/ssh/key_factory.rb +197 -105
data/lib/net/ssh/known_hosts.rb +214 -127
data/lib/net/ssh/loggable.rb +50 -49
data/lib/net/ssh/packet.rb +83 -79
data/lib/net/ssh/prompt.rb +50 -81
data/lib/net/ssh/proxy/command.rb +105 -90
data/lib/net/ssh/proxy/errors.rb +12 -10
data/lib/net/ssh/proxy/http.rb +82 -79
data/lib/net/ssh/proxy/https.rb +50 -0
data/lib/net/ssh/proxy/jump.rb +54 -0
data/lib/net/ssh/proxy/socks4.rb +2 -6
data/lib/net/ssh/proxy/socks5.rb +14 -17
data/lib/net/ssh/service/forward.rb +370 -317
data/lib/net/ssh/test/channel.rb +145 -136
data/lib/net/ssh/test/extensions.rb +131 -110
data/lib/net/ssh/test/kex.rb +34 -32
data/lib/net/ssh/test/local_packet.rb +46 -44
data/lib/net/ssh/test/packet.rb +89 -70
data/lib/net/ssh/test/remote_packet.rb +32 -30
data/lib/net/ssh/test/script.rb +156 -142
data/lib/net/ssh/test/socket.rb +49 -48
data/lib/net/ssh/test.rb +82 -77
data/lib/net/ssh/transport/algorithms.rb +462 -359
data/lib/net/ssh/transport/chacha20_poly1305_cipher.rb +117 -0
data/lib/net/ssh/transport/chacha20_poly1305_cipher_loader.rb +17 -0
data/lib/net/ssh/transport/cipher_factory.rb +122 -99
data/lib/net/ssh/transport/constants.rb +32 -24
data/lib/net/ssh/transport/ctr.rb +42 -22
data/lib/net/ssh/transport/hmac/abstract.rb +81 -63
data/lib/net/ssh/transport/hmac/md5.rb +0 -2
data/lib/net/ssh/transport/hmac/md5_96.rb +0 -2
data/lib/net/ssh/transport/hmac/none.rb +0 -2
data/lib/net/ssh/transport/hmac/ripemd160.rb +0 -2
data/lib/net/ssh/transport/hmac/sha1.rb +0 -2
data/lib/net/ssh/transport/hmac/sha1_96.rb +0 -2
data/lib/net/ssh/transport/hmac/sha2_256.rb +7 -11
data/lib/net/ssh/transport/hmac/sha2_256_96.rb +4 -8
data/lib/net/ssh/transport/hmac/sha2_256_etm.rb +12 -0
data/lib/net/ssh/transport/hmac/sha2_512.rb +6 -9
data/lib/net/ssh/transport/hmac/sha2_512_96.rb +4 -8
data/lib/net/ssh/transport/hmac/sha2_512_etm.rb +12 -0
data/lib/net/ssh/transport/hmac.rb +14 -12
data/lib/net/ssh/transport/identity_cipher.rb +54 -44
data/lib/net/ssh/transport/kex/abstract.rb +130 -0
data/lib/net/ssh/transport/kex/abstract5656.rb +72 -0
data/lib/net/ssh/transport/kex/curve25519_sha256.rb +39 -0
data/lib/net/ssh/transport/kex/curve25519_sha256_loader.rb +30 -0
data/lib/net/ssh/transport/kex/diffie_hellman_group14_sha1.rb +33 -40
data/lib/net/ssh/transport/kex/diffie_hellman_group14_sha256.rb +11 -0
data/lib/net/ssh/transport/kex/diffie_hellman_group1_sha1.rb +119 -213
data/lib/net/ssh/transport/kex/diffie_hellman_group_exchange_sha1.rb +53 -61
data/lib/net/ssh/transport/kex/diffie_hellman_group_exchange_sha256.rb +5 -9
data/lib/net/ssh/transport/kex/ecdh_sha2_nistp256.rb +36 -90
data/lib/net/ssh/transport/kex/ecdh_sha2_nistp384.rb +18 -10
data/lib/net/ssh/transport/kex/ecdh_sha2_nistp521.rb +18 -10
data/lib/net/ssh/transport/kex.rb +15 -12
data/lib/net/ssh/transport/key_expander.rb +24 -20
data/lib/net/ssh/transport/openssl.rb +161 -124
data/lib/net/ssh/transport/openssl_cipher_extensions.rb +8 -0
data/lib/net/ssh/transport/packet_stream.rb +246 -185
data/lib/net/ssh/transport/server_version.rb +55 -56
data/lib/net/ssh/transport/session.rb +306 -255
data/lib/net/ssh/transport/state.rb +178 -176
data/lib/net/ssh/verifiers/accept_new.rb +33 -0
data/lib/net/ssh/verifiers/accept_new_or_local_tunnel.rb +33 -0
data/lib/net/ssh/verifiers/always.rb +58 -0
data/lib/net/ssh/verifiers/never.rb +19 -0
data/lib/net/ssh/version.rb +55 -53
data/lib/net/ssh.rb +111 -47
data/net-ssh-public_cert.pem +18 -18
data/net-ssh.gemspec +38 -205
data/support/ssh_tunnel_bug.rb +5 -5
data.tar.gz.sig +0 -0
metadata +173 -118
metadata.gz.sig +0 -0
data/.travis.yml +0 -18
data/README.rdoc +0 -182
data/lib/net/ssh/authentication/agent/java_pageant.rb +0 -85
data/lib/net/ssh/authentication/agent/socket.rb +0 -178
data/lib/net/ssh/ruby_compat.rb +0 -46
data/lib/net/ssh/verifiers/lenient.rb +0 -30
data/lib/net/ssh/verifiers/null.rb +0 -12
data/lib/net/ssh/verifiers/secure.rb +0 -52
data/lib/net/ssh/verifiers/strict.rb +0 -24
data/setup.rb +0 -1585
data/support/arcfour_check.rb +0 -20
data/test/README.txt +0 -18
data/test/authentication/methods/common.rb +0 -28
data/test/authentication/methods/test_abstract.rb +0 -51
data/test/authentication/methods/test_hostbased.rb +0 -114
data/test/authentication/methods/test_keyboard_interactive.rb +0 -121
data/test/authentication/methods/test_none.rb +0 -41
data/test/authentication/methods/test_password.rb +0 -95
data/test/authentication/methods/test_publickey.rb +0 -148
data/test/authentication/test_agent.rb +0 -232
data/test/authentication/test_key_manager.rb +0 -240
data/test/authentication/test_session.rb +0 -107
data/test/common.rb +0 -125
data/test/configs/auth_off +0 -5
data/test/configs/auth_on +0 -4
data/test/configs/empty +0 -0
data/test/configs/eqsign +0 -3
data/test/configs/exact_match +0 -8
data/test/configs/host_plus +0 -10
data/test/configs/multihost +0 -4
data/test/configs/negative_match +0 -6
data/test/configs/nohost +0 -19
data/test/configs/numeric_host +0 -4
data/test/configs/proxy_remote_user +0 -2
data/test/configs/send_env +0 -2
data/test/configs/substitutes +0 -8
data/test/configs/wild_cards +0 -14
data/test/connection/test_channel.rb +0 -487
data/test/connection/test_session.rb +0 -564
data/test/integration/README.txt +0 -17
data/test/integration/Vagrantfile +0 -12
data/test/integration/common.rb +0 -63
data/test/integration/playbook.yml +0 -56
data/test/integration/test_forward.rb +0 -637
data/test/integration/test_id_rsa_keys.rb +0 -96
data/test/integration/test_proxy.rb +0 -93
data/test/known_hosts/github +0 -1
data/test/known_hosts/github_hash +0 -1
data/test/manual/test_pageant.rb +0 -37
data/test/start/test_connection.rb +0 -53
data/test/start/test_options.rb +0 -57
data/test/start/test_transport.rb +0 -28
data/test/start/test_user_nil.rb +0 -27
data/test/test_all.rb +0 -12
data/test/test_buffer.rb +0 -433
data/test/test_buffered_io.rb +0 -63
data/test/test_config.rb +0 -268
data/test/test_key_factory.rb +0 -191
data/test/test_known_hosts.rb +0 -66
data/test/transport/hmac/test_md5.rb +0 -41
data/test/transport/hmac/test_md5_96.rb +0 -27
data/test/transport/hmac/test_none.rb +0 -34
data/test/transport/hmac/test_ripemd160.rb +0 -36
data/test/transport/hmac/test_sha1.rb +0 -36
data/test/transport/hmac/test_sha1_96.rb +0 -27
data/test/transport/hmac/test_sha2_256.rb +0 -37
data/test/transport/hmac/test_sha2_256_96.rb +0 -27
data/test/transport/hmac/test_sha2_512.rb +0 -37
data/test/transport/hmac/test_sha2_512_96.rb +0 -27
data/test/transport/kex/test_diffie_hellman_group14_sha1.rb +0 -13
data/test/transport/kex/test_diffie_hellman_group1_sha1.rb +0 -150
data/test/transport/kex/test_diffie_hellman_group_exchange_sha1.rb +0 -96
data/test/transport/kex/test_diffie_hellman_group_exchange_sha256.rb +0 -19
data/test/transport/kex/test_ecdh_sha2_nistp256.rb +0 -161
data/test/transport/kex/test_ecdh_sha2_nistp384.rb +0 -38
data/test/transport/kex/test_ecdh_sha2_nistp521.rb +0 -38
data/test/transport/test_algorithms.rb +0 -328
data/test/transport/test_cipher_factory.rb +0 -443
data/test/transport/test_hmac.rb +0 -34
data/test/transport/test_identity_cipher.rb +0 -40
data/test/transport/test_packet_stream.rb +0 -1762
data/test/transport/test_server_version.rb +0 -74
data/test/transport/test_session.rb +0 -331
data/test/transport/test_state.rb +0 -181
data/test/verifiers/test_secure.rb +0 -40

data/lib/net/ssh/authentication/pub_key_fingerprint.rb ADDED Viewed

@@ -0,0 +1,43 @@
+require 'openssl'
+module Net
+  module SSH
+    module Authentication
+      # Public key fingerprinting utility module - internal not part of API.
+      # This is included in pubkey classes and called from there. All RSA, DSA, and ECC keys
+      # are supported.
+      #
+      #     require 'net/ssh'
+      #     my_pubkey_text = File.read('/path/to/id_ed25519.pub')
+      #        #=> "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDB2NBh4GJPPUN1kXPMu8b633Xcv55WoKC3OkBjFAbzJ alice@example.com"
+      #     my_pubkey = Net::SSH::KeyFactory.load_data_public_key(my_pubkey_text)
+      #        #=> #<Net::SSH::Authentication::ED25519::PubKey:0x00007fc8e91819b0
+      #     my_pubkey.fingerprint
+      #        #=> "2f:7f:97:21:76:a4:0f:38:c4:fe:d8:b4:6a:39:72:30"
+      #     my_pubkey.fingerprint('SHA256')
+      #        #=> "SHA256:u6mXnY8P1b0FODGp8mckqOB33u8+jvkSCtJbD5Q9klg"
+      module PubKeyFingerprint # :nodoc:
+        # Return the key's fingerprint.  Algorithm may be either +MD5+ (default),
+        # or +SHA256+. For +SHA256+, fingerprints are in the same format
+        # returned by OpenSSH's <tt>`ssh-add -l -E SHA256`</tt>, i.e.,
+        # trailing base64 padding '=' characters are stripped and the
+        # literal string +SHA256:+ is prepended.
+        def fingerprint(algorithm = 'MD5')
+          @fingerprint ||= {}
+          @fingerprint[algorithm] ||= PubKeyFingerprint.fingerprint(to_blob, algorithm)
+        end
+        def self.fingerprint(blob, algorithm = 'MD5')
+          case algorithm.to_s.upcase
+          when 'MD5'
+            OpenSSL::Digest.hexdigest(algorithm, blob).scan(/../).join(":")
+          when 'SHA256'
+            "SHA256:#{Base64.encode64(OpenSSL::Digest.digest(algorithm, blob)).chomp.gsub(/=+\z/, '')}"
+          else
+            raise OpenSSL::Digest::DigestError, "unsupported ssh key digest #{algorithm}"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/net/ssh/authentication/session.rb CHANGED Viewed

@@ -8,148 +8,158 @@ require 'net/ssh/authentication/methods/hostbased'
 require 'net/ssh/authentication/methods/password'
 require 'net/ssh/authentication/methods/keyboard_interactive'
-module Net; module SSH; module Authentication
-  # Raised if the current authentication method is not allowed
-  class DisallowedMethod < Net::SSH::Exception
-  end
-  # Represents an authentication session. It manages the authentication of
-  # a user over an established connection (the "transport" object, see
-  # Net::SSH::Transport::Session).
-  #
-  # The use of an authentication session to manage user authentication is
-  # internal to Net::SSH (specifically Net::SSH.start). Consumers of the
-  # Net::SSH library will never need to access this class directly.
-  class Session
-    include Transport::Constants, Constants, Loggable
-    # transport layer abstraction
-    attr_reader :transport
-    # the list of authentication methods to try
-    attr_reader :auth_methods
-    # the list of authentication methods that are allowed
-    attr_reader :allowed_auth_methods
-    # a hash of options, given at construction time
-    attr_reader :options
+module Net
+  module SSH
+    module Authentication
+      # Raised if the current authentication method is not allowed
+      class DisallowedMethod < Net::SSH::Exception
+      end
-    # Instantiates a new Authentication::Session object over the given
-    # transport layer abstraction.
-    def initialize(transport, options={})
-      self.logger = transport.logger
-      @transport = transport
+      # Represents an authentication session. It manages the authentication of
+      # a user over an established connection (the "transport" object, see
+      # Net::SSH::Transport::Session).
+      #
+      # The use of an authentication session to manage user authentication is
+      # internal to Net::SSH (specifically Net::SSH.start). Consumers of the
+      # Net::SSH library will never need to access this class directly.
+      class Session
+        include Loggable
+        include Constants
+        include Transport::Constants
-      @auth_methods = options[:auth_methods] || Net::SSH::Config.default_auth_methods
-      @options = options
+        # transport layer abstraction
+        attr_reader :transport
-      @allowed_auth_methods = @auth_methods
-    end
+        # the list of authentication methods to try
+        attr_reader :auth_methods
-    # Attempts to authenticate the given user, in preparation for the next
-    # service request. Returns true if an authentication method succeeds in
-    # authenticating the user, and false otherwise.
-    def authenticate(next_service, username, password=nil)
-      debug { "beginning authentication of `#{username}'" }
+        # the list of authentication methods that are allowed
+        attr_reader :allowed_auth_methods
-      transport.send_message(transport.service_request("ssh-userauth"))
-      expect_message(SERVICE_ACCEPT)
+        # a hash of options, given at construction time
+        attr_reader :options
-      key_manager = KeyManager.new(logger, options)
-      keys.each { |key| key_manager.add(key) } unless keys.empty?
-      key_data.each { |key2| key_manager.add_key_data(key2) } unless key_data.empty?
+        # Instantiates a new Authentication::Session object over the given
+        # transport layer abstraction.
+        def initialize(transport, options = {})
+          self.logger = transport.logger
+          @transport = transport
-      attempted = []
+          @auth_methods = options[:auth_methods] || Net::SSH::Config.default_auth_methods
+          @options = options
-      @auth_methods.each do |name|
-        begin
-          next unless @allowed_auth_methods.include?(name)
-          attempted << name
+          @allowed_auth_methods = @auth_methods
+        end
-          debug { "trying #{name}" }
-          begin
-            method = Methods.const_get(name.split(/\W+/).map { |p| p.capitalize }.join).new(self, :key_manager => key_manager)
-          rescue NameError
-            debug{"Mechanism #{name} was requested, but isn't a known type.  Ignoring it."}
-            next
+        # Attempts to authenticate the given user, in preparation for the next
+        # service request. Returns true if an authentication method succeeds in
+        # authenticating the user, and false otherwise.
+        def authenticate(next_service, username, password = nil)
+          debug { "beginning authentication of `#{username}'" }
+          transport.send_message(transport.service_request("ssh-userauth"))
+          expect_message(SERVICE_ACCEPT)
+          key_manager = KeyManager.new(logger, options)
+          keys.each { |key| key_manager.add(key) } unless keys.empty?
+          keycerts.each { |keycert| key_manager.add_keycert(keycert) } unless keycerts.empty?
+          key_data.each { |key2| key_manager.add_key_data(key2) } unless key_data.empty?
+          default_keys.each { |key| key_manager.add(key) } unless options.key?(:keys) || options.key?(:key_data)
+          attempted = []
+          @auth_methods.each do |name|
+            next unless @allowed_auth_methods.include?(name)
+            attempted << name
+            debug { "trying #{name}" }
+            begin
+              auth_class = Methods.const_get(name.split(/\W+/).map { |p| p.capitalize }.join)
+              method = auth_class.new(self,
+                                      key_manager: key_manager, password_prompt: options[:password_prompt],
+                                      pubkey_algorithms: options[:pubkey_algorithms] || nil)
+            rescue NameError
+              debug {"Mechanism #{name} was requested, but isn't a known type.  Ignoring it."}
+              next
+            end
+            return true if method.authenticate(next_service, username, password)
+          rescue Net::SSH::Authentication::DisallowedMethod
           end
-          return true if method.authenticate(next_service, username, password)
-        rescue Net::SSH::Authentication::DisallowedMethod
+          error { "all authorization methods failed (tried #{attempted.join(', ')})" }
+          return false
+        ensure
+          key_manager.finish if key_manager
         end
-      end
-      error { "all authorization methods failed (tried #{attempted.join(', ')})" }
-      return false
-    ensure
-      key_manager.finish if key_manager
-    end
-    # Blocks until a packet is received. It silently handles USERAUTH_BANNER
-    # packets, and will raise an error if any packet is received that is not
-    # valid during user authentication.
-    def next_message
-      loop do
-        packet = transport.next_message
-        case packet.type
-        when USERAUTH_BANNER
-          info { packet[:message] }
-          # TODO add a hook for people to retrieve the banner when it is sent
-        when USERAUTH_FAILURE
-          @allowed_auth_methods = packet[:authentications].split(/,/)
-          debug { "allowed methods: #{packet[:authentications]}" }
-          return packet
-        when USERAUTH_METHOD_RANGE, SERVICE_ACCEPT
-          return packet
+        # Blocks until a packet is received. It silently handles USERAUTH_BANNER
+        # packets, and will raise an error if any packet is received that is not
+        # valid during user authentication.
+        def next_message
+          loop do
+            packet = transport.next_message
+            case packet.type
+            when USERAUTH_BANNER
+              info { packet[:message] }
+            # TODO add a hook for people to retrieve the banner when it is sent
+            when USERAUTH_FAILURE
+              @allowed_auth_methods = packet[:authentications].split(/,/)
+              debug { "allowed methods: #{packet[:authentications]}" }
+              return packet
+            when USERAUTH_METHOD_RANGE, SERVICE_ACCEPT
+              return packet
+            when USERAUTH_SUCCESS
+              transport.hint :authenticated
+              return packet
+            else
+              raise Net::SSH::Exception, "unexpected message #{packet.type} (#{packet})"
+            end
+          end
+        end
-        when USERAUTH_SUCCESS
-          transport.hint :authenticated
-          return packet
+        # Blocks until a packet is received, and returns it if it is of the given
+        # type. If it is not, an exception is raised.
+        def expect_message(type)
+          message = next_message
+          raise Net::SSH::Exception, "expected #{type}, got #{message.type} (#{message})" unless message.type == type
-        else
-          raise Net::SSH::Exception, "unexpected message #{packet.type} (#{packet})"
+          message
         end
-      end
-    end
-    # Blocks until a packet is received, and returns it if it is of the given
-    # type. If it is not, an exception is raised.
-    def expect_message(type)
-      message = next_message
-      unless message.type == type
-        raise Net::SSH::Exception, "expected #{type}, got #{message.type} (#{message})"
-      end
-      message
-    end
+        private
-    private
+        # Returns an array of paths to the key files usually defined
+        # by system default.
+        def default_keys
+          %w[~/.ssh/id_ed25519 ~/.ssh/id_rsa ~/.ssh/id_dsa ~/.ssh/id_ecdsa
+             ~/.ssh2/id_ed25519 ~/.ssh2/id_rsa ~/.ssh2/id_dsa ~/.ssh2/id_ecdsa]
+        end
-      # Returns an array of paths to the key files usually defined
-      # by system default.
-      def default_keys
-        if defined?(OpenSSL::PKey::EC)
-          %w(~/.ssh/id_ed25519 ~/.ssh/id_rsa ~/.ssh/id_dsa ~/.ssh/id_ecdsa
-             ~/.ssh2/id_ed25519 ~/.ssh2/id_rsa ~/.ssh2/id_dsa ~/.ssh2/id_ecdsa)
-        else
-          %w(~/.ssh/id_dsa ~/.ssh/id_rsa ~/.ssh2/id_dsa ~/.ssh2/id_rsa)
+        # Returns an array of paths to the key files that should be used when
+        # attempting any key-based authentication mechanism.
+        def keys
+          Array(options[:keys])
         end
-      end
-      # Returns an array of paths to the key files that should be used when
-      # attempting any key-based authentication mechanism.
-      def keys
-        Array(options[:keys] || default_keys)
-      end
+        # Returns an array of paths to the keycert files that should be used when
+        # attempting any key-based authentication mechanism.
+        def keycerts
+          Array(options[:keycerts])
+        end
-      # Returns an array of the key data that should be used when
-      # attempting any key-based authentication mechanism.
-      def key_data
-        Array(options[:key_data])
+        # Returns an array of the key data that should be used when
+        # attempting any key-based authentication mechanism.
+        def key_data
+          Array(options[:key_data])
+        end
       end
+    end
   end
-end; end; end
+end