net-ssh 4.1.0 → 6.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +5 -5
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/.gitignore +5 -0
- data/.rubocop.yml +8 -2
- data/.rubocop_todo.yml +405 -552
- data/.travis.yml +23 -22
- data/CHANGES.txt +112 -1
- data/Gemfile +1 -7
- data/{Gemfile.norbnacl → Gemfile.noed25519} +1 -1
- data/Manifest +4 -5
- data/README.md +287 -0
- data/Rakefile +40 -29
- data/appveyor.yml +12 -6
- data/lib/net/ssh.rb +68 -32
- data/lib/net/ssh/authentication/agent.rb +234 -222
- data/lib/net/ssh/authentication/certificate.rb +175 -164
- data/lib/net/ssh/authentication/constants.rb +17 -14
- data/lib/net/ssh/authentication/ed25519.rb +162 -141
- data/lib/net/ssh/authentication/ed25519_loader.rb +32 -29
- data/lib/net/ssh/authentication/key_manager.rb +40 -9
- data/lib/net/ssh/authentication/methods/abstract.rb +53 -47
- data/lib/net/ssh/authentication/methods/hostbased.rb +32 -33
- data/lib/net/ssh/authentication/methods/keyboard_interactive.rb +1 -1
- data/lib/net/ssh/authentication/methods/none.rb +10 -10
- data/lib/net/ssh/authentication/methods/password.rb +13 -13
- data/lib/net/ssh/authentication/methods/publickey.rb +56 -55
- data/lib/net/ssh/authentication/pageant.rb +468 -465
- data/lib/net/ssh/authentication/pub_key_fingerprint.rb +43 -0
- data/lib/net/ssh/authentication/session.rb +130 -122
- data/lib/net/ssh/buffer.rb +345 -312
- data/lib/net/ssh/buffered_io.rb +163 -163
- data/lib/net/ssh/config.rb +316 -238
- data/lib/net/ssh/connection/channel.rb +670 -650
- data/lib/net/ssh/connection/constants.rb +30 -26
- data/lib/net/ssh/connection/event_loop.rb +108 -105
- data/lib/net/ssh/connection/keepalive.rb +54 -50
- data/lib/net/ssh/connection/session.rb +682 -671
- data/lib/net/ssh/connection/term.rb +180 -176
- data/lib/net/ssh/errors.rb +101 -99
- data/lib/net/ssh/key_factory.rb +195 -108
- data/lib/net/ssh/known_hosts.rb +161 -152
- data/lib/net/ssh/loggable.rb +57 -55
- data/lib/net/ssh/packet.rb +82 -78
- data/lib/net/ssh/prompt.rb +55 -53
- data/lib/net/ssh/proxy/command.rb +104 -89
- data/lib/net/ssh/proxy/errors.rb +12 -8
- data/lib/net/ssh/proxy/http.rb +93 -91
- data/lib/net/ssh/proxy/https.rb +42 -39
- data/lib/net/ssh/proxy/jump.rb +50 -47
- data/lib/net/ssh/proxy/socks4.rb +0 -2
- data/lib/net/ssh/proxy/socks5.rb +11 -12
- data/lib/net/ssh/service/forward.rb +370 -317
- data/lib/net/ssh/test.rb +83 -77
- data/lib/net/ssh/test/channel.rb +146 -142
- data/lib/net/ssh/test/extensions.rb +150 -146
- data/lib/net/ssh/test/kex.rb +35 -31
- data/lib/net/ssh/test/local_packet.rb +48 -44
- data/lib/net/ssh/test/packet.rb +87 -84
- data/lib/net/ssh/test/remote_packet.rb +35 -31
- data/lib/net/ssh/test/script.rb +173 -171
- data/lib/net/ssh/test/socket.rb +59 -55
- data/lib/net/ssh/transport/algorithms.rb +430 -364
- data/lib/net/ssh/transport/cipher_factory.rb +95 -91
- data/lib/net/ssh/transport/constants.rb +33 -25
- data/lib/net/ssh/transport/ctr.rb +33 -11
- data/lib/net/ssh/transport/hmac.rb +15 -13
- data/lib/net/ssh/transport/hmac/abstract.rb +82 -63
- data/lib/net/ssh/transport/hmac/sha2_256.rb +7 -11
- data/lib/net/ssh/transport/hmac/sha2_256_96.rb +4 -8
- data/lib/net/ssh/transport/hmac/sha2_256_etm.rb +12 -0
- data/lib/net/ssh/transport/hmac/sha2_512.rb +6 -9
- data/lib/net/ssh/transport/hmac/sha2_512_96.rb +4 -8
- data/lib/net/ssh/transport/hmac/sha2_512_etm.rb +12 -0
- data/lib/net/ssh/transport/identity_cipher.rb +55 -51
- data/lib/net/ssh/transport/kex.rb +14 -13
- data/lib/net/ssh/transport/kex/abstract.rb +123 -0
- data/lib/net/ssh/transport/kex/abstract5656.rb +72 -0
- data/lib/net/ssh/transport/kex/curve25519_sha256.rb +38 -0
- data/lib/net/ssh/transport/kex/curve25519_sha256_loader.rb +30 -0
- data/lib/net/ssh/transport/kex/diffie_hellman_group14_sha1.rb +33 -40
- data/lib/net/ssh/transport/kex/diffie_hellman_group1_sha1.rb +112 -217
- data/lib/net/ssh/transport/kex/diffie_hellman_group_exchange_sha1.rb +53 -62
- data/lib/net/ssh/transport/kex/diffie_hellman_group_exchange_sha256.rb +5 -9
- data/lib/net/ssh/transport/kex/ecdh_sha2_nistp256.rb +36 -90
- data/lib/net/ssh/transport/kex/ecdh_sha2_nistp384.rb +18 -10
- data/lib/net/ssh/transport/kex/ecdh_sha2_nistp521.rb +18 -10
- data/lib/net/ssh/transport/key_expander.rb +29 -25
- data/lib/net/ssh/transport/openssl.rb +116 -116
- data/lib/net/ssh/transport/packet_stream.rb +223 -190
- data/lib/net/ssh/transport/server_version.rb +64 -66
- data/lib/net/ssh/transport/session.rb +306 -257
- data/lib/net/ssh/transport/state.rb +198 -196
- data/lib/net/ssh/verifiers/accept_new.rb +35 -0
- data/lib/net/ssh/verifiers/accept_new_or_local_tunnel.rb +34 -0
- data/lib/net/ssh/verifiers/always.rb +56 -0
- data/lib/net/ssh/verifiers/never.rb +21 -0
- data/lib/net/ssh/version.rb +55 -53
- data/net-ssh-public_cert.pem +18 -19
- data/net-ssh.gemspec +12 -11
- data/support/ssh_tunnel_bug.rb +2 -2
- metadata +86 -75
- metadata.gz.sig +0 -0
- data/Gemfile.norbnacl.lock +0 -41
- data/README.rdoc +0 -169
- data/lib/net/ssh/ruby_compat.rb +0 -24
- data/lib/net/ssh/verifiers/lenient.rb +0 -30
- data/lib/net/ssh/verifiers/null.rb +0 -12
- data/lib/net/ssh/verifiers/secure.rb +0 -52
- data/lib/net/ssh/verifiers/strict.rb +0 -24
- data/support/arcfour_check.rb +0 -20
@@ -1,373 +1,426 @@
|
|
1
|
-
# -*- coding: utf-8 -*-
|
2
1
|
require 'net/ssh/loggable'
|
3
2
|
|
4
|
-
module Net
|
5
|
-
|
6
|
-
|
7
|
-
|
8
|
-
|
9
|
-
|
10
|
-
|
11
|
-
|
12
|
-
|
13
|
-
|
14
|
-
|
15
|
-
|
16
|
-
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
29
|
-
|
30
|
-
|
31
|
-
|
32
|
-
|
33
|
-
|
34
|
-
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
-
|
39
|
-
# accepts either three or four arguments. When four arguments are given,
|
40
|
-
# they are:
|
41
|
-
#
|
42
|
-
# * the local address to bind to
|
43
|
-
# * the local port to listen on
|
44
|
-
# * the remote host to forward connections to
|
45
|
-
# * the port on the remote host to connect to
|
46
|
-
#
|
47
|
-
# If three arguments are given, it is as if the local bind address is
|
48
|
-
# "127.0.0.1", and the rest are applied as above.
|
49
|
-
#
|
50
|
-
# To request an ephemeral port on the remote server, provide 0 (zero) for
|
51
|
-
# the port number. In all cases, this method will return the port that
|
52
|
-
# has been assigned.
|
53
|
-
#
|
54
|
-
# ssh.forward.local(1234, "www.capify.org", 80)
|
55
|
-
# assigned_port = ssh.forward.local("0.0.0.0", 0, "www.capify.org", 80)
|
56
|
-
def local(*args)
|
57
|
-
if args.length < 3 || args.length > 4
|
58
|
-
raise ArgumentError, "expected 3 or 4 parameters, got #{args.length}"
|
59
|
-
end
|
3
|
+
module Net
|
4
|
+
module SSH
|
5
|
+
module Service
|
6
|
+
|
7
|
+
# This class implements various port forwarding services for use by
|
8
|
+
# Net::SSH clients. The Forward class should never need to be instantiated
|
9
|
+
# directly; instead, it should be accessed via the singleton instance
|
10
|
+
# returned by Connection::Session#forward:
|
11
|
+
#
|
12
|
+
# ssh.forward.local(1234, "www.capify.org", 80)
|
13
|
+
class Forward
|
14
|
+
include Loggable
|
15
|
+
|
16
|
+
# The underlying connection service instance that the port-forwarding
|
17
|
+
# services employ.
|
18
|
+
attr_reader :session
|
19
|
+
|
20
|
+
# A simple class for representing a requested remote forwarded port.
|
21
|
+
Remote = Struct.new(:host, :port) #:nodoc:
|
22
|
+
|
23
|
+
# Instantiates a new Forward service instance atop the given connection
|
24
|
+
# service session. This will register new channel open handlers to handle
|
25
|
+
# the specialized channels that the SSH port forwarding protocols employ.
|
26
|
+
def initialize(session)
|
27
|
+
@session = session
|
28
|
+
self.logger = session.logger
|
29
|
+
@remote_forwarded_ports = {}
|
30
|
+
@local_forwarded_ports = {}
|
31
|
+
@agent_forwarded = false
|
32
|
+
@local_forwarded_sockets = {}
|
33
|
+
|
34
|
+
session.on_open_channel('forwarded-tcpip', &method(:forwarded_tcpip))
|
35
|
+
session.on_open_channel('auth-agent', &method(:auth_agent_channel))
|
36
|
+
session.on_open_channel('auth-agent@openssh.com', &method(:auth_agent_channel))
|
37
|
+
end
|
60
38
|
|
61
|
-
|
39
|
+
# Starts listening for connections on the local host, and forwards them
|
40
|
+
# to the specified remote host/port via the SSH connection. This method
|
41
|
+
# accepts either three or four arguments. When four arguments are given,
|
42
|
+
# they are:
|
43
|
+
#
|
44
|
+
# * the local address to bind to
|
45
|
+
# * the local port to listen on
|
46
|
+
# * the remote host to forward connections to
|
47
|
+
# * the port on the remote host to connect to
|
48
|
+
#
|
49
|
+
# If three arguments are given, it is as if the local bind address is
|
50
|
+
# "127.0.0.1", and the rest are applied as above.
|
51
|
+
#
|
52
|
+
# To request an ephemeral port on the remote server, provide 0 (zero) for
|
53
|
+
# the port number. In all cases, this method will return the port that
|
54
|
+
# has been assigned.
|
55
|
+
#
|
56
|
+
# ssh.forward.local(1234, "www.capify.org", 80)
|
57
|
+
# assigned_port = ssh.forward.local("0.0.0.0", 0, "www.capify.org", 80)
|
58
|
+
def local(*args)
|
59
|
+
if args.length < 3 || args.length > 4
|
60
|
+
raise ArgumentError, "expected 3 or 4 parameters, got #{args.length}"
|
61
|
+
end
|
62
62
|
|
63
|
-
socket = begin
|
64
|
-
if defined?(UNIXServer) and args.first.class == UNIXServer
|
65
|
-
local_port_type = :string
|
66
|
-
args.shift
|
67
|
-
else
|
68
|
-
bind_address = "127.0.0.1"
|
69
|
-
bind_address = args.shift if args.first.is_a?(String) && args.first =~ /\D/
|
70
|
-
local_port = args.shift.to_i
|
71
63
|
local_port_type = :long
|
72
|
-
TCPServer.new(bind_address, local_port)
|
73
|
-
end
|
74
|
-
end
|
75
64
|
|
76
|
-
|
77
|
-
|
78
|
-
|
65
|
+
socket = begin
|
66
|
+
if defined?(UNIXServer) and args.first.class == UNIXServer
|
67
|
+
local_port_type = :string
|
68
|
+
args.shift
|
69
|
+
else
|
70
|
+
bind_address = "127.0.0.1"
|
71
|
+
bind_address = args.shift if args.first.is_a?(String) && args.first =~ /\D/
|
72
|
+
local_port = args.shift.to_i
|
73
|
+
local_port_type = :long
|
74
|
+
TCPServer.new(bind_address, local_port)
|
75
|
+
end
|
76
|
+
end
|
79
77
|
|
80
|
-
|
78
|
+
local_port = socket.addr[1] if local_port == 0 # ephemeral port was requested
|
79
|
+
remote_host = args.shift
|
80
|
+
remote_port = args.shift.to_i
|
81
81
|
|
82
|
-
|
83
|
-
client = server.accept
|
84
|
-
debug { "received connection on #{socket}" }
|
82
|
+
@local_forwarded_ports[[local_port, bind_address]] = socket
|
85
83
|
|
86
|
-
|
87
|
-
|
88
|
-
|
84
|
+
session.listen_to(socket) do |server|
|
85
|
+
client = server.accept
|
86
|
+
debug { "received connection on #{socket}" }
|
87
|
+
|
88
|
+
channel = session.open_channel("direct-tcpip", :string, remote_host, :long,
|
89
|
+
remote_port, :string, bind_address, local_port_type, local_port) do |achannel|
|
90
|
+
achannel.info { "direct channel established" }
|
91
|
+
end
|
89
92
|
|
90
|
-
|
93
|
+
prepare_client(client, channel, :local)
|
91
94
|
|
92
|
-
|
93
|
-
|
94
|
-
|
95
|
-
|
95
|
+
channel.on_open_failed do |ch, code, description|
|
96
|
+
channel.error { "could not establish direct channel: #{description} (#{code})" }
|
97
|
+
session.stop_listening_to(channel[:socket])
|
98
|
+
channel[:socket].close
|
99
|
+
end
|
100
|
+
end
|
101
|
+
|
102
|
+
local_port
|
96
103
|
end
|
97
|
-
end
|
98
104
|
|
99
|
-
|
100
|
-
|
105
|
+
# Terminates an active local forwarded port.
|
106
|
+
#
|
107
|
+
# ssh.forward.cancel_local(1234)
|
108
|
+
# ssh.forward.cancel_local(1234, "0.0.0.0")
|
109
|
+
def cancel_local(port, bind_address="127.0.0.1")
|
110
|
+
socket = @local_forwarded_ports.delete([port, bind_address])
|
111
|
+
socket.shutdown rescue nil
|
112
|
+
socket.close rescue nil
|
113
|
+
session.stop_listening_to(socket)
|
114
|
+
end
|
101
115
|
|
102
|
-
|
103
|
-
|
104
|
-
|
105
|
-
|
106
|
-
|
107
|
-
|
108
|
-
|
109
|
-
socket = @local_forwarded_ports.delete([port, bind_address])
|
110
|
-
socket.shutdown rescue nil
|
111
|
-
socket.close rescue nil
|
112
|
-
session.stop_listening_to(socket)
|
113
|
-
end
|
116
|
+
# Returns a list of all active locally forwarded ports. The returned value
|
117
|
+
# is an array of arrays, where each element is a two-element tuple
|
118
|
+
# consisting of the local port and bind address corresponding to the
|
119
|
+
# forwarding port.
|
120
|
+
def active_locals
|
121
|
+
@local_forwarded_ports.keys
|
122
|
+
end
|
114
123
|
|
115
|
-
|
116
|
-
|
117
|
-
|
118
|
-
|
119
|
-
|
120
|
-
|
121
|
-
|
124
|
+
# Starts listening for connections on the local host, and forwards them
|
125
|
+
# to the specified remote socket via the SSH connection. This will
|
126
|
+
# (re)create the local socket file. The remote server needs to have the
|
127
|
+
# socket file already available.
|
128
|
+
#
|
129
|
+
# ssh.forward.local_socket('/tmp/local.sock', '/tmp/remote.sock')
|
130
|
+
def local_socket(local_socket_path, remote_socket_path)
|
131
|
+
File.delete(local_socket_path) if File.exist?(local_socket_path)
|
132
|
+
socket = Socket.unix_server_socket(local_socket_path)
|
133
|
+
|
134
|
+
@local_forwarded_sockets[local_socket_path] = socket
|
135
|
+
|
136
|
+
session.listen_to(socket) do |server|
|
137
|
+
client = server.accept[0]
|
138
|
+
debug { "received connection on #{socket}" }
|
139
|
+
|
140
|
+
channel = session.open_channel("direct-streamlocal@openssh.com",
|
141
|
+
:string, remote_socket_path,
|
142
|
+
:string, nil,
|
143
|
+
:long, 0) do |achannel|
|
144
|
+
achannel.info { "direct channel established" }
|
145
|
+
end
|
146
|
+
|
147
|
+
prepare_client(client, channel, :local)
|
122
148
|
|
123
|
-
|
124
|
-
|
125
|
-
|
126
|
-
|
127
|
-
|
128
|
-
# forwarded immediately. If the remote server is not able to begin the
|
129
|
-
# listener for this request, an exception will be raised asynchronously.
|
130
|
-
#
|
131
|
-
# To request an ephemeral port on the remote server, provide 0 (zero) for
|
132
|
-
# the port number. The assigned port will show up in the # #active_remotes
|
133
|
-
# list.
|
134
|
-
#
|
135
|
-
# remote_host is interpreted by the server per RFC 4254, which has these
|
136
|
-
# special values:
|
137
|
-
#
|
138
|
-
# - "" means that connections are to be accepted on all protocol
|
139
|
-
# families supported by the SSH implementation.
|
140
|
-
# - "0.0.0.0" means to listen on all IPv4 addresses.
|
141
|
-
# - "::" means to listen on all IPv6 addresses.
|
142
|
-
# - "localhost" means to listen on all protocol families supported by
|
143
|
-
# the SSH implementation on loopback addresses only ([RFC3330] and
|
144
|
-
# [RFC3513]).
|
145
|
-
# - "127.0.0.1" and "::1" indicate listening on the loopback
|
146
|
-
# interfaces for IPv4 and IPv6, respectively.
|
147
|
-
#
|
148
|
-
# You may pass a block that will be called when the the port forward
|
149
|
-
# request receives a response. This block will be passed the remote_port
|
150
|
-
# that was actually bound to, or nil if the binding failed. If the block
|
151
|
-
# returns :no_exception, the "failed binding" exception will not be thrown.
|
152
|
-
#
|
153
|
-
# If you want to block until the port is active, you could do something
|
154
|
-
# like this:
|
155
|
-
#
|
156
|
-
# got_remote_port = nil
|
157
|
-
# remote(port, host, remote_port, remote_host) do |actual_remote_port|
|
158
|
-
# got_remote_port = actual_remote_port || :error
|
159
|
-
# :no_exception # will yield the exception on my own thread
|
160
|
-
# end
|
161
|
-
# session.loop { !got_remote_port }
|
162
|
-
# if got_remote_port == :error
|
163
|
-
# raise Net::SSH::Exception, "remote forwarding request failed"
|
164
|
-
# end
|
165
|
-
#
|
166
|
-
def remote(port, host, remote_port, remote_host="127.0.0.1")
|
167
|
-
session.send_global_request("tcpip-forward", :string, remote_host, :long, remote_port) do |success, response|
|
168
|
-
if success
|
169
|
-
remote_port = response.read_long if remote_port == 0
|
170
|
-
debug { "remote forward from remote #{remote_host}:#{remote_port} to #{host}:#{port} established" }
|
171
|
-
@remote_forwarded_ports[[remote_port, remote_host]] = Remote.new(host, port)
|
172
|
-
yield remote_port, remote_host if block_given?
|
173
|
-
else
|
174
|
-
instruction = if block_given?
|
175
|
-
yield :error
|
149
|
+
channel.on_open_failed do |ch, code, description|
|
150
|
+
channel.error { "could not establish direct channel: #{description} (#{code})" }
|
151
|
+
session.stop_listening_to(channel[:socket])
|
152
|
+
channel[:socket].close
|
153
|
+
end
|
176
154
|
end
|
177
|
-
|
178
|
-
|
179
|
-
|
155
|
+
|
156
|
+
local_socket_path
|
157
|
+
end
|
158
|
+
|
159
|
+
# Terminates an active local forwarded socket.
|
160
|
+
#
|
161
|
+
# ssh.forward.cancel_local_socket('/tmp/foo.sock')
|
162
|
+
def cancel_local_socket(local_socket_path)
|
163
|
+
socket = @local_forwarded_sockets.delete(local_socket_path)
|
164
|
+
socket.shutdown rescue nil
|
165
|
+
socket.close rescue nil
|
166
|
+
session.stop_listening_to(socket)
|
167
|
+
end
|
168
|
+
|
169
|
+
# Returns a list of all active locally forwarded sockets. The returned value
|
170
|
+
# is an array of Unix domain socket file paths.
|
171
|
+
def active_local_sockets
|
172
|
+
@local_forwarded_sockets.keys
|
173
|
+
end
|
174
|
+
|
175
|
+
# Requests that all connections on the given remote-port be forwarded via
|
176
|
+
# the local host to the given port/host. The last argument describes the
|
177
|
+
# bind address on the remote host, and defaults to 127.0.0.1.
|
178
|
+
#
|
179
|
+
# This method will return immediately, but the port will not actually be
|
180
|
+
# forwarded immediately. If the remote server is not able to begin the
|
181
|
+
# listener for this request, an exception will be raised asynchronously.
|
182
|
+
#
|
183
|
+
# To request an ephemeral port on the remote server, provide 0 (zero) for
|
184
|
+
# the port number. The assigned port will show up in the # #active_remotes
|
185
|
+
# list.
|
186
|
+
#
|
187
|
+
# remote_host is interpreted by the server per RFC 4254, which has these
|
188
|
+
# special values:
|
189
|
+
#
|
190
|
+
# - "" means that connections are to be accepted on all protocol
|
191
|
+
# families supported by the SSH implementation.
|
192
|
+
# - "0.0.0.0" means to listen on all IPv4 addresses.
|
193
|
+
# - "::" means to listen on all IPv6 addresses.
|
194
|
+
# - "localhost" means to listen on all protocol families supported by
|
195
|
+
# the SSH implementation on loopback addresses only ([RFC3330] and
|
196
|
+
# [RFC3513]).
|
197
|
+
# - "127.0.0.1" and "::1" indicate listening on the loopback
|
198
|
+
# interfaces for IPv4 and IPv6, respectively.
|
199
|
+
#
|
200
|
+
# You may pass a block that will be called when the the port forward
|
201
|
+
# request receives a response. This block will be passed the remote_port
|
202
|
+
# that was actually bound to, or nil if the binding failed. If the block
|
203
|
+
# returns :no_exception, the "failed binding" exception will not be thrown.
|
204
|
+
#
|
205
|
+
# If you want to block until the port is active, you could do something
|
206
|
+
# like this:
|
207
|
+
#
|
208
|
+
# got_remote_port = nil
|
209
|
+
# remote(port, host, remote_port, remote_host) do |actual_remote_port|
|
210
|
+
# got_remote_port = actual_remote_port || :error
|
211
|
+
# :no_exception # will yield the exception on my own thread
|
212
|
+
# end
|
213
|
+
# session.loop { !got_remote_port }
|
214
|
+
# if got_remote_port == :error
|
215
|
+
# raise Net::SSH::Exception, "remote forwarding request failed"
|
216
|
+
# end
|
217
|
+
#
|
218
|
+
def remote(port, host, remote_port, remote_host="127.0.0.1")
|
219
|
+
session.send_global_request("tcpip-forward", :string, remote_host, :long, remote_port) do |success, response|
|
220
|
+
if success
|
221
|
+
remote_port = response.read_long if remote_port == 0
|
222
|
+
debug { "remote forward from remote #{remote_host}:#{remote_port} to #{host}:#{port} established" }
|
223
|
+
@remote_forwarded_ports[[remote_port, remote_host]] = Remote.new(host, port)
|
224
|
+
yield remote_port, remote_host if block_given?
|
225
|
+
else
|
226
|
+
instruction = if block_given?
|
227
|
+
yield :error
|
228
|
+
end
|
229
|
+
unless instruction == :no_exception
|
230
|
+
error { "remote forwarding request failed" }
|
231
|
+
raise Net::SSH::Exception, "remote forwarding request failed"
|
232
|
+
end
|
233
|
+
end
|
180
234
|
end
|
181
235
|
end
|
182
|
-
end
|
183
|
-
end
|
184
236
|
|
185
|
-
|
186
|
-
|
187
|
-
|
188
|
-
|
189
|
-
|
190
|
-
|
191
|
-
|
192
|
-
|
193
|
-
|
194
|
-
|
195
|
-
|
196
|
-
|
197
|
-
|
198
|
-
|
199
|
-
|
200
|
-
|
201
|
-
|
202
|
-
|
203
|
-
|
204
|
-
|
205
|
-
|
237
|
+
# an alias, for token backwards compatibility with the 1.x API
|
238
|
+
alias :remote_to :remote
|
239
|
+
|
240
|
+
# Requests that a remote forwarded port be cancelled. The remote forwarded
|
241
|
+
# port on the remote host, bound to the given address on the remote host,
|
242
|
+
# will be terminated, but not immediately. This method returns immediately
|
243
|
+
# after queueing the request to be sent to the server. If for some reason
|
244
|
+
# the port cannot be cancelled, an exception will be raised (asynchronously).
|
245
|
+
#
|
246
|
+
# If you want to know when the connection has been cancelled, it will no
|
247
|
+
# longer be present in the #active_remotes list. If you want to block until
|
248
|
+
# the port is no longer active, you could do something like this:
|
249
|
+
#
|
250
|
+
# ssh.forward.cancel_remote(1234, "0.0.0.0")
|
251
|
+
# ssh.loop { ssh.forward.active_remotes.include?([1234, "0.0.0.0"]) }
|
252
|
+
def cancel_remote(port, host="127.0.0.1")
|
253
|
+
session.send_global_request("cancel-tcpip-forward", :string, host, :long, port) do |success, response|
|
254
|
+
if success
|
255
|
+
@remote_forwarded_ports.delete([port, host])
|
256
|
+
else
|
257
|
+
raise Net::SSH::Exception, "could not cancel remote forward request on #{host}:#{port}"
|
258
|
+
end
|
259
|
+
end
|
206
260
|
end
|
207
|
-
end
|
208
|
-
end
|
209
261
|
|
210
|
-
|
211
|
-
|
212
|
-
|
213
|
-
|
214
|
-
|
215
|
-
|
262
|
+
# Returns all active forwarded remote ports. The returned value is an
|
263
|
+
# array of two-element tuples, where the first element is the port on the
|
264
|
+
# remote host and the second is the bind address.
|
265
|
+
def active_remotes
|
266
|
+
@remote_forwarded_ports.keys
|
267
|
+
end
|
216
268
|
|
217
|
-
|
218
|
-
|
219
|
-
|
220
|
-
|
221
|
-
|
222
|
-
|
223
|
-
|
224
|
-
|
225
|
-
end
|
269
|
+
# Returns all active remote forwarded ports and where they forward to. The
|
270
|
+
# returned value is a hash from [<forwarding port on the local host>, <local forwarding address>]
|
271
|
+
# to [<port on the remote host>, <remote bind address>].
|
272
|
+
def active_remote_destinations
|
273
|
+
@remote_forwarded_ports.each_with_object({}) do |(remote, local), result|
|
274
|
+
result[[local.port, local.host]] = remote
|
275
|
+
end
|
276
|
+
end
|
226
277
|
|
227
|
-
|
228
|
-
|
229
|
-
|
230
|
-
|
231
|
-
|
232
|
-
|
233
|
-
|
234
|
-
|
235
|
-
|
236
|
-
|
237
|
-
|
238
|
-
|
239
|
-
|
240
|
-
|
241
|
-
|
242
|
-
|
243
|
-
|
244
|
-
|
245
|
-
|
246
|
-
debug { "authentication agent forwarding is active" }
|
247
|
-
else
|
248
|
-
achannel.send_channel_request("auth-agent-req") do |a2channel, success2|
|
249
|
-
if success2
|
278
|
+
# Enables SSH agent forwarding on the given channel. The forwarded agent
|
279
|
+
# will remain active even after the channel closes--the channel is only
|
280
|
+
# used as the transport for enabling the forwarded connection. You should
|
281
|
+
# never need to call this directly--it is called automatically the first
|
282
|
+
# time a session channel is opened, when the connection was created with
|
283
|
+
# :forward_agent set to true:
|
284
|
+
#
|
285
|
+
# Net::SSH.start("remote.host", "me", :forward_agent => true) do |ssh|
|
286
|
+
# ssh.open_channel do |ch|
|
287
|
+
# # agent will be automatically forwarded by this point
|
288
|
+
# end
|
289
|
+
# ssh.loop
|
290
|
+
# end
|
291
|
+
def agent(channel)
|
292
|
+
return if @agent_forwarded
|
293
|
+
@agent_forwarded = true
|
294
|
+
|
295
|
+
channel.send_channel_request("auth-agent-req@openssh.com") do |achannel, success|
|
296
|
+
if success
|
250
297
|
debug { "authentication agent forwarding is active" }
|
251
298
|
else
|
252
|
-
|
299
|
+
achannel.send_channel_request("auth-agent-req") do |a2channel, success2|
|
300
|
+
if success2
|
301
|
+
debug { "authentication agent forwarding is active" }
|
302
|
+
else
|
303
|
+
error { "could not establish forwarding of authentication agent" }
|
304
|
+
end
|
305
|
+
end
|
253
306
|
end
|
254
307
|
end
|
255
308
|
end
|
256
|
-
end
|
257
|
-
end
|
258
309
|
|
259
|
-
|
310
|
+
private
|
260
311
|
|
261
|
-
|
262
|
-
|
263
|
-
|
264
|
-
|
265
|
-
|
266
|
-
|
267
|
-
|
312
|
+
# Perform setup operations that are common to all forwarded channels.
|
313
|
+
# +client+ is a socket, +channel+ is the channel that was just created,
|
314
|
+
# and +type+ is an arbitrary string describing the type of the channel.
|
315
|
+
def prepare_client(client, channel, type)
|
316
|
+
client.extend(Net::SSH::BufferedIo)
|
317
|
+
client.extend(Net::SSH::ForwardedBufferedIo)
|
318
|
+
client.logger = logger
|
268
319
|
|
269
|
-
|
270
|
-
|
320
|
+
session.listen_to(client)
|
321
|
+
channel[:socket] = client
|
271
322
|
|
272
|
-
|
273
|
-
|
274
|
-
|
275
|
-
|
323
|
+
channel.on_data do |ch, data|
|
324
|
+
debug { "data:#{data.length} on #{type} forwarded channel" }
|
325
|
+
ch[:socket].enqueue(data)
|
326
|
+
end
|
276
327
|
|
277
|
-
|
278
|
-
|
279
|
-
|
280
|
-
|
281
|
-
|
282
|
-
|
283
|
-
|
328
|
+
channel.on_eof do |ch|
|
329
|
+
debug { "eof #{type} on #{type} forwarded channel" }
|
330
|
+
begin
|
331
|
+
ch[:socket].send_pending
|
332
|
+
ch[:socket].shutdown Socket::SHUT_WR
|
333
|
+
rescue IOError => e
|
334
|
+
if e.message =~ /closed/ then
|
335
|
+
debug { "epipe in on_eof => shallowing exception:#{e}" }
|
336
|
+
else
|
337
|
+
raise
|
338
|
+
end
|
339
|
+
rescue Errno::EPIPE => e
|
284
340
|
debug { "epipe in on_eof => shallowing exception:#{e}" }
|
285
|
-
|
286
|
-
|
341
|
+
rescue Errno::ENOTCONN => e
|
342
|
+
debug { "enotconn in on_eof => shallowing exception:#{e}" }
|
287
343
|
end
|
288
|
-
rescue Errno::EPIPE => e
|
289
|
-
debug { "epipe in on_eof => shallowing exception:#{e}" }
|
290
|
-
rescue Errno::ENOTCONN => e
|
291
|
-
debug { "enotconn in on_eof => shallowing exception:#{e}" }
|
292
344
|
end
|
293
|
-
end
|
294
345
|
|
295
|
-
|
296
|
-
|
297
|
-
|
298
|
-
|
299
|
-
|
346
|
+
channel.on_close do |ch|
|
347
|
+
debug { "closing #{type} forwarded channel" }
|
348
|
+
ch[:socket].close if !client.closed?
|
349
|
+
session.stop_listening_to(ch[:socket])
|
350
|
+
end
|
300
351
|
|
301
|
-
|
302
|
-
|
303
|
-
|
304
|
-
|
305
|
-
|
306
|
-
|
307
|
-
|
308
|
-
|
352
|
+
channel.on_process do |ch|
|
353
|
+
if ch[:socket].closed?
|
354
|
+
ch.info { "#{type} forwarded connection closed" }
|
355
|
+
ch.close
|
356
|
+
elsif ch[:socket].available > 0
|
357
|
+
data = ch[:socket].read_available(8192)
|
358
|
+
ch.debug { "read #{data.length} bytes from client, sending over #{type} forwarded connection" }
|
359
|
+
ch.send_data(data)
|
360
|
+
end
|
309
361
|
end
|
310
362
|
end
|
311
|
-
end
|
312
363
|
|
313
|
-
|
314
|
-
|
315
|
-
|
364
|
+
# not a real socket, so use a simpler behaviour
|
365
|
+
def prepare_simple_client(client, channel, type)
|
366
|
+
channel[:socket] = client
|
316
367
|
|
317
|
-
|
318
|
-
|
319
|
-
|
320
|
-
|
368
|
+
channel.on_data do |ch, data|
|
369
|
+
ch.debug { "data:#{data.length} on #{type} forwarded channel" }
|
370
|
+
ch[:socket].send(data)
|
371
|
+
end
|
321
372
|
|
322
|
-
|
323
|
-
|
324
|
-
|
325
|
-
|
326
|
-
|
373
|
+
channel.on_process do |ch|
|
374
|
+
data = ch[:socket].read(8192)
|
375
|
+
if data
|
376
|
+
ch.debug { "read #{data.length} bytes from client, sending over #{type} forwarded connection" }
|
377
|
+
ch.send_data(data)
|
378
|
+
end
|
327
379
|
end
|
328
380
|
end
|
329
|
-
end
|
330
381
|
|
331
|
-
|
332
|
-
|
333
|
-
|
334
|
-
|
335
|
-
|
336
|
-
|
337
|
-
|
338
|
-
|
382
|
+
# The callback used when a new "forwarded-tcpip" channel is requested
|
383
|
+
# by the server. This will open a new socket to the host/port specified
|
384
|
+
# when the forwarded connection was first requested.
|
385
|
+
def forwarded_tcpip(session, channel, packet)
|
386
|
+
connected_address = packet.read_string
|
387
|
+
connected_port = packet.read_long
|
388
|
+
originator_address = packet.read_string
|
389
|
+
originator_port = packet.read_long
|
339
390
|
|
340
|
-
|
391
|
+
remote = @remote_forwarded_ports[[connected_port, connected_address]]
|
341
392
|
|
342
|
-
|
343
|
-
|
344
|
-
|
393
|
+
if remote.nil?
|
394
|
+
raise Net::SSH::ChannelOpenFailed.new(1, "unknown request from remote forwarded connection on #{connected_address}:#{connected_port}")
|
395
|
+
end
|
345
396
|
|
346
|
-
|
347
|
-
|
397
|
+
client = TCPSocket.new(remote.host, remote.port)
|
398
|
+
info { "connected #{connected_address}:#{connected_port} originator #{originator_address}:#{originator_port}" }
|
348
399
|
|
349
|
-
|
350
|
-
|
351
|
-
|
352
|
-
|
400
|
+
prepare_client(client, channel, :remote)
|
401
|
+
rescue SocketError => err
|
402
|
+
raise Net::SSH::ChannelOpenFailed.new(2, "could not connect to remote host (#{remote.host}:#{remote.port}): #{err.message}")
|
403
|
+
end
|
404
|
+
|
405
|
+
# The callback used when an auth-agent channel is requested by the server.
|
406
|
+
def auth_agent_channel(session, channel, packet)
|
407
|
+
info { "opening auth-agent channel" }
|
408
|
+
channel[:invisible] = true
|
353
409
|
|
354
|
-
|
355
|
-
|
356
|
-
|
357
|
-
|
358
|
-
|
359
|
-
|
360
|
-
|
361
|
-
|
362
|
-
|
363
|
-
|
364
|
-
prepare_simple_client(agent.socket, channel, :agent)
|
410
|
+
begin
|
411
|
+
agent = Authentication::Agent.connect(logger, session.options[:agent_socket_factory])
|
412
|
+
if (agent.socket.is_a? ::IO)
|
413
|
+
prepare_client(agent.socket, channel, :agent)
|
414
|
+
else
|
415
|
+
prepare_simple_client(agent.socket, channel, :agent)
|
416
|
+
end
|
417
|
+
rescue Exception => e
|
418
|
+
error { "attempted to connect to agent but failed: #{e.class.name} (#{e.message})" }
|
419
|
+
raise Net::SSH::ChannelOpenFailed.new(2, "could not connect to authentication agent")
|
365
420
|
end
|
366
|
-
rescue Exception => e
|
367
|
-
error { "attempted to connect to agent but failed: #{e.class.name} (#{e.message})" }
|
368
|
-
raise Net::SSH::ChannelOpenFailed.new(2, "could not connect to authentication agent")
|
369
421
|
end
|
370
422
|
end
|
371
|
-
end
|
372
423
|
|
373
|
-
end
|
424
|
+
end
|
425
|
+
end
|
426
|
+
end
|