net-ssh 4.1.0 → 6.1.0

data/lib/net/ssh/key_factory.rb

@@ -3,130 +3,217 @@ require 'net/ssh/prompt'
 
 require 'net/ssh/authentication/ed25519_loader'
 
-module Net; module SSH
-
-  # A factory class for returning new Key classes. It is used for obtaining
-  # OpenSSL key instances via their SSH names, and for loading both public and
-  # private keys. It used used primarily by Net::SSH itself, internally, and
-  # will rarely (if ever) be directly used by consumers of the library.
-  #
-  #   klass = Net::SSH::KeyFactory.get("rsa")
-  #   assert klass.is_a?(OpenSSL::PKey::RSA)
-  #
-  #   key = Net::SSH::KeyFactory.load_public_key("~/.ssh/id_dsa.pub")
-  class KeyFactory
-    # Specifies the mapping of SSH names to OpenSSL key classes.
-    MAP = {
-      "dh"  => OpenSSL::PKey::DH,
-      "rsa" => OpenSSL::PKey::RSA,
-      "dsa" => OpenSSL::PKey::DSA,
-    }
-    if defined?(OpenSSL::PKey::EC)
-      MAP["ecdsa"] = OpenSSL::PKey::EC
+module Net
+  module SSH
+
+    # A factory class for returning new Key classes. It is used for obtaining
+    # OpenSSL key instances via their SSH names, and for loading both public and
+    # private keys. It used used primarily by Net::SSH itself, internally, and
+    # will rarely (if ever) be directly used by consumers of the library.
+    #
+    #   klass = Net::SSH::KeyFactory.get("rsa")
+    #   assert klass.is_a?(OpenSSL::PKey::RSA)
+    #
+    #   key = Net::SSH::KeyFactory.load_public_key("~/.ssh/id_dsa.pub")
+    class KeyFactory
+      # Specifies the mapping of SSH names to OpenSSL key classes.
+      MAP = {
+        'dh'    => OpenSSL::PKey::DH,
+        'rsa'   => OpenSSL::PKey::RSA,
+        'dsa'   => OpenSSL::PKey::DSA,
+        'ecdsa' => OpenSSL::PKey::EC
+      }
       MAP["ed25519"] = Net::SSH::Authentication::ED25519::PrivKey if defined? Net::SSH::Authentication::ED25519
-    end
-
-    class <<self
-      # Fetch an OpenSSL key instance by its SSH name. It will be a new,
-      # empty key of the given type.
-      def get(name)
-        MAP.fetch(name).new
-      end
-
-      # Loads a private key from a file. It will correctly determine
-      # whether the file describes an RSA or DSA key, and will load it
-      # appropriately. The new key is returned. If the key itself is
-      # encrypted (requiring a passphrase to use), the user will be
-      # prompted to enter their password unless passphrase works.
-      def load_private_key(filename, passphrase=nil, ask_passphrase=true, prompt=Prompt.default)
-        data = File.read(File.expand_path(filename))
-        load_data_private_key(data, passphrase, ask_passphrase, filename, prompt)
-      end
 
-      # Loads a private key. It will correctly determine
-      # whether the file describes an RSA or DSA key, and will load it
-      # appropriately. The new key is returned. If the key itself is
-      # encrypted (requiring a passphrase to use), the user will be
-      # prompted to enter their password unless passphrase works.
-      def load_data_private_key(data, passphrase=nil, ask_passphrase=true, filename="", prompt=Prompt.default)
-        key_read, error_classes = classify_key(data, filename)
+      class <<self
+        # Fetch an OpenSSL key instance by its SSH name. It will be a new,
+        # empty key of the given type.
+        def get(name)
+          MAP.fetch(name).new
+        end
 
-        encrypted_key = data.match(/ENCRYPTED/)
-        tries = 0
+        # Loads a private key from a file. It will correctly determine
+        # whether the file describes an RSA or DSA key, and will load it
+        # appropriately. The new key is returned. If the key itself is
+        # encrypted (requiring a passphrase to use), the user will be
+        # prompted to enter their password unless passphrase works.
+        def load_private_key(filename, passphrase=nil, ask_passphrase=true, prompt=Prompt.default)
+          data = File.read(File.expand_path(filename))
+          load_data_private_key(data, passphrase, ask_passphrase, filename, prompt)
+        end
 
-        prompter = nil
-        result =
-          begin
-            key_read[data, passphrase || 'invalid']
-          rescue *error_classes
-            if encrypted_key && ask_passphrase
-              tries += 1
-              if tries <= 3
-                prompter ||= prompt.start(type: 'private_key', filename: filename, sha: Digest::SHA256.digest(data))
-                passphrase = prompter.ask("Enter passphrase for #{filename}:", false)
-                retry
+        # Loads a private key. It will correctly determine
+        # whether the file describes an RSA or DSA key, and will load it
+        # appropriately. The new key is returned. If the key itself is
+        # encrypted (requiring a passphrase to use), the user will be
+        # prompted to enter their password unless passphrase works.
+        def load_data_private_key(data, passphrase=nil, ask_passphrase=true, filename="", prompt=Prompt.default)
+          key_type = classify_key(data, filename)
+
+          encrypted_key = nil
+          tries = 0
+
+          prompter = nil
+          result =
+            begin
+              key_type.read(data, passphrase || 'invalid')
+            rescue *key_type.error_classes => e
+              encrypted_key = !!key_type.encrypted_key?(data, e) if encrypted_key.nil?
+              if encrypted_key && ask_passphrase
+                tries += 1
+                if tries <= 3
+                  prompter ||= prompt.start(type: 'private_key', filename: filename, sha: Digest::SHA256.digest(data))
+                  passphrase = prompter.ask("Enter passphrase for #{filename}:", false)
+                  retry
+                else
+                  raise
+                end
               else
                 raise
               end
-            else
-              raise
             end
-          end
-        prompter.success if prompter
-        result
-      end
+          prompter.success if prompter
+          result
+        end
 
-      # Loads a public key from a file. It will correctly determine whether
-      # the file describes an RSA or DSA key, and will load it
-      # appropriately. The new public key is returned.
-      def load_public_key(filename)
-        data = File.read(File.expand_path(filename))
-        load_data_public_key(data, filename)
-      end
+        # Loads a public key from a file. It will correctly determine whether
+        # the file describes an RSA or DSA key, and will load it
+        # appropriately. The new public key is returned.
+        def load_public_key(filename)
+          data = File.read(File.expand_path(filename))
+          load_data_public_key(data, filename)
+        end
 
-      # Loads a public key. It will correctly determine whether
-      # the file describes an RSA or DSA key, and will load it
-      # appropriately. The new public key is returned.
-      def load_data_public_key(data, filename="")
-        fields = data.split(/ /)
+        # Loads a public key. It will correctly determine whether
+        # the file describes an RSA or DSA key, and will load it
+        # appropriately. The new public key is returned.
+        def load_data_public_key(data, filename="")
+          fields = data.split(/ /)
 
-        blob = nil
-        begin
+          blob = nil
+          begin
+            blob = fields.shift
+          end while !blob.nil? && !/^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp\d+)(-cert-v01@openssh\.com)?$/.match(blob)
           blob = fields.shift
-        end while !blob.nil? && !/^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp\d+)(-cert-v01@openssh\.com)?$/.match(blob)
-        blob = fields.shift
 
-        raise Net::SSH::Exception, "public key at #{filename} is not valid" if blob.nil?
+          raise Net::SSH::Exception, "public key at #{filename} is not valid" if blob.nil?
 
-        blob = blob.unpack("m*").first
-        reader = Net::SSH::Buffer.new(blob)
-        reader.read_key or raise OpenSSL::PKey::PKeyError, "not a public key #{filename.inspect}"
-      end
+          blob = blob.unpack("m*").first
+          reader = Net::SSH::Buffer.new(blob)
+          reader.read_key or raise OpenSSL::PKey::PKeyError, "not a public key #{filename.inspect}"
+        end
+
+        private
+
+        # rubocop:disable Style/Documentation, Lint/DuplicateMethods
+        class KeyType
+          def self.read(key_data, passphrase)
+            raise Exception, "TODO subclasses should implement read"
+          end
+
+          def self.error_classes
+            raise Exception, "TODO subclasses should implement read"
+          end
+
+          def self.encrypted_key?(data, error)
+            raise Exception, "TODO subclasses should implement is_encrypted_key"
+          end
+        end
+
+        class OpenSSHPrivateKeyType < KeyType
+          def self.read(key_data, passphrase)
+            Net::SSH::Authentication::ED25519::OpenSSHPrivateKeyLoader.read(key_data, passphrase)
+          end
+
+          def self.error_classes
+            [Net::SSH::Authentication::ED25519::OpenSSHPrivateKeyLoader::DecryptError]
+          end
+
+          def self.encrypted_key?(key_data, decode_error)
+            decode_error.is_a?(Net::SSH::Authentication::ED25519::OpenSSHPrivateKeyLoader::DecryptError) && decode_error.encrypted_key?
+          end
+        end
 
-      private
-
-      # Determine whether the file describes an RSA or DSA key, and return how load it
-      # appropriately.
-      def classify_key(data, filename)
-        if data.match(/-----BEGIN OPENSSH PRIVATE KEY-----/)
-          Net::SSH::Authentication::ED25519Loader.raiseUnlessLoaded("OpenSSH keys only supported if ED25519 is available")
-          return ->(key_data, passphrase) { Net::SSH::Authentication::ED25519::PrivKey.read(key_data, passphrase) }, [ArgumentError]
-        elsif OpenSSL::PKey.respond_to?(:read)
-          return ->(key_data, passphrase) { OpenSSL::PKey.read(key_data, passphrase) }, [ArgumentError, OpenSSL::PKey::PKeyError]
-        elsif data.match(/-----BEGIN DSA PRIVATE KEY-----/)
-          return ->(key_data, passphrase) { OpenSSL::PKey::DSA.new(key_data, passphrase) }, [OpenSSL::PKey::DSAError]
-        elsif data.match(/-----BEGIN RSA PRIVATE KEY-----/)
-          return ->(key_data, passphrase) { OpenSSL::PKey::RSA.new(key_data, passphrase) }, [OpenSSL::PKey::RSAError]
-        elsif data.match(/-----BEGIN EC PRIVATE KEY-----/) && defined?(OpenSSL::PKey::EC)
-          return ->(key_data, passphrase) { OpenSSL::PKey::EC.new(key_data, passphrase) }, [OpenSSL::PKey::ECError]
-        elsif data.match(/-----BEGIN (.+) PRIVATE KEY-----/)
-          raise OpenSSL::PKey::PKeyError, "not a supported key type '#{$1}'"
-        else
-          raise OpenSSL::PKey::PKeyError, "not a private key (#{filename})"
+        class OpenSSLKeyTypeBase < KeyType
+          def self.open_ssl_class
+            raise Exception, "TODO: subclasses should implement"
+          end
+
+          def self.read(key_data, passphrase)
+            open_ssl_class.new(key_data, passphrase)
+          end
+
+          def self.encrypted_key?(key_data, error)
+            key_data.match(/ENCRYPTED/)
+          end
+        end
+
+        class OpenSSLPKeyType < OpenSSLKeyTypeBase
+          def self.read(key_data, passphrase)
+            open_ssl_class.read(key_data, passphrase)
+          end
+
+          def self.open_ssl_class
+            OpenSSL::PKey
+          end
+
+          def self.error_classes
+            [ArgumentError, OpenSSL::PKey::PKeyError]
+          end
+        end
+
+        class OpenSSLDSAKeyType < OpenSSLKeyTypeBase
+          def self.open_ssl_class
+            OpenSSL::PKey::DSA
+          end
+
+          def self.error_classes
+            [OpenSSL::PKey::DSAError]
+          end
+        end
+
+        class OpenSSLRSAKeyType < OpenSSLKeyTypeBase
+          def self.open_ssl_class
+            OpenSSL::PKey::RSA
+          end
+
+          def self.error_classes
+            [OpenSSL::PKey::RSAError]
+          end
+        end
+
+        class OpenSSLECKeyType < OpenSSLKeyTypeBase
+          def self.open_ssl_class
+            OpenSSL::PKey::EC
+          end
+
+          def self.error_classes
+            [OpenSSL::PKey::ECError]
+          end
+        end
+        # rubocop:enable Style/Documentation, Lint/DuplicateMethods
+
+        # Determine whether the file describes an RSA or DSA key, and return how load it
+        # appropriately.
+        def classify_key(data, filename)
+          if data.match(/-----BEGIN OPENSSH PRIVATE KEY-----/)
+            Net::SSH::Authentication::ED25519Loader.raiseUnlessLoaded("OpenSSH keys only supported if ED25519 is available")
+            return OpenSSHPrivateKeyType
+          elsif OpenSSL::PKey.respond_to?(:read)
+            return OpenSSLPKeyType
+          elsif data.match(/-----BEGIN DSA PRIVATE KEY-----/)
+            return OpenSSLDSAKeyType
+          elsif data.match(/-----BEGIN RSA PRIVATE KEY-----/)
+            return OpenSSLRSAKeyType
+          elsif data.match(/-----BEGIN EC PRIVATE KEY-----/)
+            return OpenSSLECKeyType
+          elsif data.match(/-----BEGIN (.+) PRIVATE KEY-----/)
+            raise OpenSSL::PKey::PKeyError, "not a supported key type '#{$1}'"
+          else
+            raise OpenSSL::PKey::PKeyError, "not a private key (#{filename})"
+          end
         end
       end
     end
-
   end
-
-end; end
+end

data/lib/net/ssh/known_hosts.rb

@@ -2,186 +2,195 @@ require 'strscan'
 require 'openssl'
 require 'base64'
 require 'net/ssh/buffer'
+require 'net/ssh/authentication/ed25519_loader'
+
+module Net
+  module SSH
+
+    # Represents the result of a search in known hosts
+    # see search_for
+    class HostKeys
+      include Enumerable
+      attr_reader :host
+
+      def initialize(host_keys, host, known_hosts, options = {})
+        @host_keys = host_keys
+        @host = host
+        @known_hosts = known_hosts
+        @options = options
+      end
 
-module Net; module SSH
-
-  # Represents the result of a search in known hosts
-  # see search_for
-  class HostKeys
-    include Enumerable
-    attr_reader :host
-
-    def initialize(host_keys, host, known_hosts, options = {})
-       @host_keys = host_keys
-       @host = host
-       @known_hosts = known_hosts
-       @options = options
-    end
+      def add_host_key(key)
+        @known_hosts.add(@host, key, @options)
+        @host_keys.push(key)
+      end
 
-    def add_host_key(key)
-       @known_hosts.add(@host, key, @options)
-       @host_keys.push(key)
-    end
+      def each(&block)
+        @host_keys.each(&block)
+      end
 
-    def each(&block)
-       @host_keys.each(&block)
+      def empty?
+        @host_keys.empty?
+      end
     end
 
-    def empty?
-      @host_keys.empty?
-    end
-  end
-
-  # Searches an OpenSSH-style known-host file for a given host, and returns all
-  # matching keys. This is used to implement host-key verification, as well as
-  # to determine what key a user prefers to use for a given host.
-  #
-  # This is used internally by Net::SSH, and will never need to be used directly
-  # by consumers of the library.
-  class KnownHosts
-
-    if defined?(OpenSSL::PKey::EC)
-      SUPPORTED_TYPE = %w(ssh-rsa ssh-dss
+    # Searches an OpenSSH-style known-host file for a given host, and returns all
+    # matching keys. This is used to implement host-key verification, as well as
+    # to determine what key a user prefers to use for a given host.
+    #
+    # This is used internally by Net::SSH, and will never need to be used directly
+    # by consumers of the library.
+    class KnownHosts
+      SUPPORTED_TYPE = %w[ssh-rsa ssh-dss
                           ecdsa-sha2-nistp256
                           ecdsa-sha2-nistp384
-                          ecdsa-sha2-nistp521)
-    else
-      SUPPORTED_TYPE = %w(ssh-rsa ssh-dss)
-    end
-
+                          ecdsa-sha2-nistp521]
 
-    class <<self
+      SUPPORTED_TYPE.push('ssh-ed25519') if Net::SSH::Authentication::ED25519Loader::LOADED
 
-      # Searches all known host files (see KnownHosts.hostfiles) for all keys
-      # of the given host. Returns an enumerable of keys found.
-      def search_for(host, options={})
-        HostKeys.new(search_in(hostfiles(options), host), host, self, options)
-      end
+      class <<self
+        # Searches all known host files (see KnownHosts.hostfiles) for all keys
+        # of the given host. Returns an enumerable of keys found.
+        def search_for(host, options={})
+          HostKeys.new(search_in(hostfiles(options), host, options), host, self, options)
+        end
 
-      # Search for all known keys for the given host, in every file given in
-      # the +files+ array. Returns the list of keys.
-      def search_in(files, host)
-        files.map { |file| KnownHosts.new(file).keys_for(host) }.flatten
-      end
+        # Search for all known keys for the given host, in every file given in
+        # the +files+ array. Returns the list of keys.
+        def search_in(files, host, options = {})
+          files.flat_map { |file| KnownHosts.new(file).keys_for(host, options) }
+        end
 
-      # Looks in the given +options+ hash for the :user_known_hosts_file and
-      # :global_known_hosts_file keys, and returns an array of all known
-      # hosts files. If the :user_known_hosts_file key is not set, the
-      # default is returned (~/.ssh/known_hosts and ~/.ssh/known_hosts2). If
-      # :global_known_hosts_file is not set, the default is used
-      # (/etc/ssh/ssh_known_hosts and /etc/ssh/ssh_known_hosts2).
-      #
-      # If you only want the user known host files, you can pass :user as
-      # the second option.
-      def hostfiles(options, which=:all)
-        files = []
+        # Looks in the given +options+ hash for the :user_known_hosts_file and
+        # :global_known_hosts_file keys, and returns an array of all known
+        # hosts files. If the :user_known_hosts_file key is not set, the
+        # default is returned (~/.ssh/known_hosts and ~/.ssh/known_hosts2). If
+        # :global_known_hosts_file is not set, the default is used
+        # (/etc/ssh/ssh_known_hosts and /etc/ssh/ssh_known_hosts2).
+        #
+        # If you only want the user known host files, you can pass :user as
+        # the second option.
+        def hostfiles(options, which=:all)
+          files = []
+
+          files += Array(options[:user_known_hosts_file] || %w[~/.ssh/known_hosts ~/.ssh/known_hosts2]) if which == :all || which == :user
+
+          if which == :all || which == :global
+            files += Array(options[:global_known_hosts_file] || %w[/etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2])
+          end
 
-        if which == :all || which == :user
-          files += Array(options[:user_known_hosts_file] || %w(~/.ssh/known_hosts ~/.ssh/known_hosts2))
+          return files
         end
 
-        if which == :all || which == :global
-          files += Array(options[:global_known_hosts_file] || %w(/etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2))
+        # Looks in all user known host files (see KnownHosts.hostfiles) and tries to
+        # add an entry for the given host and key to the first file it is able
+        # to.
+        def add(host, key, options={})
+          hostfiles(options, :user).each do |file|
+            begin
+              KnownHosts.new(file).add(host, key)
+              return
+            rescue SystemCallError
+              # try the next hostfile
+            end
+          end
         end
+      end
+
+      # The host-key file name that this KnownHosts instance will use to search
+      # for keys.
+      attr_reader :source
 
-        return files
+      # Instantiate a new KnownHosts instance that will search the given known-hosts
+      # file. The path is expanded file File.expand_path.
+      def initialize(source)
+        @source = File.expand_path(source)
       end
 
-      # Looks in all user known host files (see KnownHosts.hostfiles) and tries to
-      # add an entry for the given host and key to the first file it is able
-      # to.
-      def add(host, key, options={})
-        hostfiles(options, :user).each do |file|
-          begin
-            KnownHosts.new(file).add(host, key)
-            return
-          rescue SystemCallError
-            # try the next hostfile
+      # Returns an array of all keys that are known to be associatd with the
+      # given host. The +host+ parameter is either the domain name or ip address
+      # of the host, or both (comma-separated). Additionally, if a non-standard
+      # port is being used, it may be specified by putting the host (or ip, or
+      # both) in square brackets, and appending the port outside the brackets
+      # after a colon. Possible formats for +host+, then, are;
+      #
+      #   "net.ssh.test"
+      #   "1.2.3.4"
+      #   "net.ssh.test,1.2.3.4"
+      #   "[net.ssh.test]:5555"
+      #   "[1,2,3,4]:5555"
+      #   "[net.ssh.test]:5555,[1.2.3.4]:5555
+      def keys_for(host, options = {})
+        keys = []
+        return keys unless File.readable?(source)
+
+        entries = host.split(/,/)
+        host_name = entries[0]
+        host_ip = entries[1]
+
+        File.open(source) do |file|
+          file.each_line do |line|
+            hosts, type, key_content = line.split(' ')
+            # Skip empty line or one that is commented
+            next if hosts.nil? || hosts.start_with?('#')
+
+            hostlist = hosts.split(',')
+
+            next unless SUPPORTED_TYPE.include?(type)
+
+            found = hostlist.any? { |pattern| match(host_name, pattern) } || known_host_hash?(hostlist, entries)
+            next unless found
+
+            found = hostlist.include?(host_ip) if options[:check_host_ip] && entries.size > 1 && hostlist.size > 1
+            next unless found
+
+            blob = key_content.unpack("m*").first
+            keys << Net::SSH::Buffer.new(blob).read_key
           end
         end
-      end
-    end
-
-    # The host-key file name that this KnownHosts instance will use to search
-    # for keys.
-    attr_reader :source
 
-    # Instantiate a new KnownHosts instance that will search the given known-hosts
-    # file. The path is expanded file File.expand_path.
-    def initialize(source)
-      @source = File.expand_path(source)
-    end
+        keys
+      end
 
-    # Returns an array of all keys that are known to be associatd with the
-    # given host. The +host+ parameter is either the domain name or ip address
-    # of the host, or both (comma-separated). Additionally, if a non-standard
-    # port is being used, it may be specified by putting the host (or ip, or
-    # both) in square brackets, and appending the port outside the brackets
-    # after a colon. Possible formats for +host+, then, are;
-    #
-    #   "net.ssh.test"
-    #   "1.2.3.4"
-    #   "net.ssh.test,1.2.3.4"
-    #   "[net.ssh.test]:5555"
-    #   "[1,2,3,4]:5555"
-    #   "[net.ssh.test]:5555,[1.2.3.4]:5555
-    def keys_for(host)
-      keys = []
-      return keys unless File.readable?(source)
-
-      entries = host.split(/,/)
-
-      File.open(source) do |file|
-        scanner = StringScanner.new("")
-        file.each_line do |line|
-          scanner.string = line
-
-          scanner.skip(/\s*/)
-          next if scanner.match?(/$|#/)
-
-          hostlist = scanner.scan(/\S+/).split(/,/)
-          found = entries.all? { |entry| hostlist.include?(entry) } ||
-            known_host_hash?(hostlist, entries, scanner)
-          next unless found
-
-          scanner.skip(/\s*/)
-          type = scanner.scan(/\S+/)
-
-          next unless SUPPORTED_TYPE.include?(type)
-
-          scanner.skip(/\s*/)
-          blob = scanner.rest.unpack("m*").first
-          keys << Net::SSH::Buffer.new(blob).read_key
+      def match(host, pattern)
+        if pattern.include?('*') || pattern.include?('?')
+          # see man 8 sshd for pattern details
+          pattern_regexp = pattern.split('*').map do |x|
+            x.split('?').map do |y|
+              Regexp.escape(y)
+            end.join('.')
+          end.join('[^.]*')
+
+          host =~ Regexp.new("\\A#{pattern_regexp}\\z")
+        else
+          host == pattern
         end
       end
 
-      keys
-    end
-
-    # Indicates whether one of the entries matches an hostname that has been
-    # stored as a HMAC-SHA1 hash in the known hosts.
-    def known_host_hash?(hostlist, entries, scanner)
-      if hostlist.size == 1 && hostlist.first =~ /\A\|1(\|.+){2}\z/
-        chunks = hostlist.first.split(/\|/)
-        salt = Base64.decode64(chunks[2])
-        digest = OpenSSL::Digest.new('sha1')
-        entries.each do |entry|
-          hmac = OpenSSL::HMAC.digest(digest, salt, entry)
-          return true if Base64.encode64(hmac).chomp == chunks[3]
+      # Indicates whether one of the entries matches an hostname that has been
+      # stored as a HMAC-SHA1 hash in the known hosts.
+      def known_host_hash?(hostlist, entries)
+        if hostlist.size == 1 && hostlist.first =~ /\A\|1(\|.+){2}\z/
+          chunks = hostlist.first.split(/\|/)
+          salt = Base64.decode64(chunks[2])
+          digest = OpenSSL::Digest.new('sha1')
+          entries.each do |entry|
+            hmac = OpenSSL::HMAC.digest(digest, salt, entry)
+            return true if Base64.encode64(hmac).chomp == chunks[3]
+          end
         end
+        false
       end
-      false
-    end
 
-    # Tries to append an entry to the current source file for the given host
-    # and key. If it is unable to (because the file is not writable, for
-    # instance), an exception will be raised.
-    def add(host, key)
-      File.open(source, "a") do |file|
-        blob = [Net::SSH::Buffer.from(:key, key).to_s].pack("m*").gsub(/\s/, "")
-        file.puts "#{host} #{key.ssh_type} #{blob}"
+      # Tries to append an entry to the current source file for the given host
+      # and key. If it is unable to (because the file is not writable, for
+      # instance), an exception will be raised.
+      def add(host, key)
+        File.open(source, "a") do |file|
+          blob = [Net::SSH::Buffer.from(:key, key).to_s].pack("m*").gsub(/\s/, "")
+          file.puts "#{host} #{key.ssh_type} #{blob}"
+        end
       end
     end
-
   end
-end; end
+end