net-ssh 4.1.0 → 6.1.0

data/.travis.yml

@@ -7,45 +7,46 @@ addon:
     gateway.netssh
 
 rvm:
-  - 2.0
-  - 2.1
-  - 2.2
-  - 2.3.0
-  - 2.4.0
-  - jruby-9.1.6.0
-  - rbx-3.69
+  - 2.3.8
+  - 2.4.8
+  - 2.5.7
+  - 2.6.5
+  - 2.7.0
+  - jruby-9.2.11.1
+  - rbx-3.107
   - ruby-head
 env:
   NET_SSH_RUN_INTEGRATION_TESTS=1
 
 matrix:
   exclude:
-    - rvm: rbx-3.69
-    - rvm: jruby-9.1.6.0
+    - rvm: rbx-3.107
   include:
-    - rvm: rbx-3.69
+    - rvm: rbx-3.107
       env: NET_SSH_RUN_INTEGRATION_TESTS=
-    - rvm: jruby-9.1.6.0
+    - rvm: jruby-9.2.11.1
       env: JRUBY_OPTS='--client -J-XX:+TieredCompilation -J-XX:TieredStopAtLevel=1 -Xcext.enabled=false -J-Xss2m -Xcompile.invokedynamic=false' NET_SSH_RUN_INTEGRATION_TESTS=
   fast_finish: true
   allow_failures:
-    - rvm: rbx-3.69
-    - rvm: jruby-9.1.6.0
+    - rvm: rbx-3.107
+    - rvm: jruby-9.2.11.1
     - rvm: ruby-head
 
 install:
   - export JRUBY_OPTS='--client -J-XX:+TieredCompilation -J-XX:TieredStopAtLevel=1 -Xcext.enabled=false -J-Xss2m -Xcompile.invokedynamic=false'
-  - sudo pip install ansible
-  - gem install bundler -v "= 1.13.7"
-  - bundle _1.13.7_ install
-  - BUNDLE_GEMFILE=./Gemfile.norbnacl bundle _1.13.7_ install
-  - sudo ansible-galaxy install rvm_io.ruby
+  - sudo pip install ansible urllib3 pyOpenSSL ndg-httpsclient pyasn1
+  - gem install bundler -v "= 1.17"
+  - gem list bundler
+  - bundle _1.17_ install
+  - bundle _1.17_ -v
+  - BUNDLE_GEMFILE=./Gemfile.noed25519 bundle _1.17_ install
+  - sudo ansible-galaxy install rvm.ruby
   - sudo chown -R travis:travis /home/travis/.ansible
   - ansible-playbook ./test/integration/playbook.yml -i "localhost," --become -c local -e 'no_rvm=true' -e 'myuser=travis' -e 'mygroup=travis' -e 'homedir=/home/travis'
 
 script:
   - ssh -V
-  - bundle _1.13.7_ exec rake test
-  - BUNDLE_GEMFILE=./Gemfile.norbnacl bundle _1.13.7_ exec rake test
-  - bundle _1.13.7_ exec rake test_test
-  - bundle _1.13.7_ exec rubocop
+  - bundle _1.17_ exec rake test
+  - BUNDLE_GEMFILE=./Gemfile.noed25519 bundle _1.17_ exec rake test
+  - bundle _1.17_ exec rake test_test
+  - bundle _1.17_ exec rubocop

data/CHANGES.txt

@@ -1,3 +1,114 @@
+=== 6.1.0
+
+  * adapt to ssh's default bahaviors when no username is provided.
+    When Net::SSH.start user is nil and config has no entry
+    we default to Etc.getpwuid.name() instead of Etc.getlogin(). [#749]
+
+=== 6.1.0.rc1
+
+  * Make sha2-{256,512}-etm@openssh.com MAC default again [#761]
+  * Support algorithm subtraction syntax from ssh_config [#751]
+
+=== 6.0.2
+
+  * Fix corrupted hmac issue in etm hmac [#759]
+
+=== 6.0.1
+
+  * Make sha2-{256,512}-etm@openssh.com MAC opt-in as they seems to have issues [#757]
+
+=== 6.0.0
+
+  * Support empty lines and comments in known_hosts [donoghuc, #742]
+  * Add sha2-{256,512}-etm@openssh.com MAC algorithms [graaff, #714]
+
+=== 6.0.0 beta2
+  
+  * Support :certkeys and CertificateFile configuration option  [Anders Carling, #722]
+
+=== 6.0.0 beta1
+
+  * curve25519sha256 support [Florian Wininger ,#690]
+  * disabled insecure algs [Florian Wininger , #709]
+
+=== 5.2.0
+
+=== 5.2.0.rc3
+
+  * Fix check_host_ip read from config
+  * Support ssh-ed25519 in kown hosts
+
+=== 5.2.0.rc2
+
+  * Read check_host_ip from ssh config files
+
+=== 5.2.0.rc1
+
+  * Interpret * and ? in know_hosts file [Romain Tartière, #660]
+  * New :check_host_ip so ip checking can be disabled in known hosts [Romain Tartière, #656]
+
+=== 5.1.0
+
+=== 5.1.0.rc1
+
+  * Support new OpenSSH private key format for rsa - bcrypt for rsa (ed25519 already supported) [#646]
+  * Support IdentityAgent is ssh config [Frank Groeneveld, #645]
+  * Improve Match processing in ssh config [Aleksandrs Ļedovskis, #642]
+  * Ignore signature verification when verify_host_key is never [Piotr Kliczewski, #641]
+  * Alg preference was changed to prefer stronger encryptions  [Tray, #637]
+
+=== 5.0.2
+
+  * fix ctr for jruby [#612]
+
+=== 5.0.1
+
+  * default_keys were not loaded even if no keys or key_data options specified [#607]
+
+=== 5.0.0
+
+ * Breaking change: ed25519 now requires ed25519 gem instead of RbNaCl gem [#563]
+ * Verify_host_key options rename (true, false, :very, :secure depreacted new equivalents are :never, :accept_new_or_local_tunnel :accept_new :always) [Jared Beck, #595]
+
+=== 5.0.0.rc2
+
+ * Add .dll extensions to dlopen on cygwin [#603]
+ * Fix host certificate validation [#601]
+
+=== 5.0.0.rc1
+
+ * Fix larger than 4GB file transfers [#599]
+ * Update HTTP proxy to version 1.1 [Connor Dunn, #597]
+
+=== 5.0.0.beta2
+
+ * Support for sha256 pubkey fingerprint [Tom Maher, #585]
+ * Don't try to load default_keys if key_data option is used [Josh Larson, #589]
+ * Added fingerprint_hash defaulting to SHA256 as fingerprint format, and MD5 can be used as an option [Miklós Fazekas, #591]
+
+=== 5.0.0.beta1
+
+ * Don't leave proxy command as zombie on timeout [DimitriosLisenko, #560]
+ * Use OpenSSL for aes*-ctr for up to 5x throughput improvement [Miklós Fazekas, Harald Sitter, #570]
+ * Optimize slice! usage in CTR for up to 2x throughput improvement [Harald Sitter, #569]
+ * Replace RbNaCl dependency with ed25519 gem [Tony Arcieri ,#563]
+ * Add initial Match support [Kasumi Hanazuki,  #553]
+
+=== 4.2.0.rc2
+
+ * Fix double close bug on auth failure (or ruby 2.2 or earlier) [#538]
+
+=== 4.2.0.rc1
+
+ * Improved logging with proxy command [Dmitriy Ivliev, #530]
+ * Close transport on proxy error [adamruzicka, #526]
+ * Support multiple identity files [Kimura Masayuki, #528]
+ * Move `none` cipher to end of cipher list [Brian Cain, #525]
+ * Deprecate `:paranoid` in favor of `:verify_host_key` [Jared Beck, #524]
+ * Support Multile Include ssh config files [Kasumi Hanazuki, #516]
+ * Support Relative path in ssh confif files [Akinori MUSHA, #510]
+ * add direct-streamlocal@openssh.com support in Forward class [Harald Sitter, #502]
+
 === 4.1.0
 === 4.1.0.rc1
 
@@ -168,7 +279,7 @@
 === 2.9.2-beta
 
 * Remove advertised algorithms that were not working (ssh-rsa-cert-* *ed25519 acm*-gcm@openssh.com) [mfazekas]
-* Unkown algorithms now ignored instead of failed [mfazekas]
+* Unknown algorithms now ignored instead of failed [mfazekas]
 * Configuration change: Asks for password with password auth (up to number_of_password_prompts) [mfazekas]
 * Removed warnings [amatsuda]
 

data/Gemfile

@@ -3,13 +3,7 @@ source 'https://rubygems.org'
 # Specify your gem's dependencies in mygem.gemspec
 gemspec
 
-if !Gem.win_platform? && RUBY_ENGINE == "mri"
-  gem 'byebug', group: [:development, :test]
-end
-
-if (Gem::Version.new(RUBY_VERSION) <=> Gem::Version.new("2.2.6")) < 0
-  gem 'rbnacl', '< 4.0'
-end
+gem 'byebug', group: %i[development test] if !Gem.win_platform? && RUBY_ENGINE == "ruby"
 
 if ENV["CI"]
   gem 'codecov', require: false, group: :test

data/{Gemfile.norbnacl → Gemfile.noed25519}

@@ -1,6 +1,6 @@
 source 'https://rubygems.org'
 
-ENV['NET_SSH_NO_RBNACL'] = 'true'
+ENV['NET_SSH_NO_ED25519'] = 'true'
 # Specify your gem's dependencies in mygem.gemspec
 gemspec
 

data/Manifest

@@ -33,7 +33,6 @@ lib/net/ssh/proxy/errors.rb
 lib/net/ssh/proxy/http.rb
 lib/net/ssh/proxy/socks4.rb
 lib/net/ssh/proxy/socks5.rb
-lib/net/ssh/ruby_compat.rb
 lib/net/ssh/service/forward.rb
 lib/net/ssh/test.rb
 lib/net/ssh/test/channel.rb
@@ -75,10 +74,10 @@ lib/net/ssh/transport/packet_stream.rb
 lib/net/ssh/transport/server_version.rb
 lib/net/ssh/transport/session.rb
 lib/net/ssh/transport/state.rb
-lib/net/ssh/verifiers/lenient.rb
-lib/net/ssh/verifiers/null.rb
-lib/net/ssh/verifiers/secure.rb
-lib/net/ssh/verifiers/strict.rb
+lib/net/ssh/verifiers/accept_new.rb
+lib/net/ssh/verifiers/accept_new_or_local_tunnel.rb
+lib/net/ssh/verifiers/always.rb
+lib/net/ssh/verifiers/never.rb
 lib/net/ssh/version.rb
 net-ssh.gemspec
 setup.rb

data/README.md

@@ -0,0 +1,287 @@
+[![Gem Version](https://badge.fury.io/rb/net-ssh.svg)](https://badge.fury.io/rb/net-ssh)
+[![Join the chat at https://gitter.im/net-ssh/net-ssh](https://badges.gitter.im/net-ssh/net-ssh.svg)](https://gitter.im/net-ssh/net-ssh?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
+[![Build Status](https://travis-ci.org/net-ssh/net-ssh.svg?branch=master)](https://travis-ci.org/net-ssh/net-ssh)
+[![Coverage status](https://codecov.io/gh/net-ssh/net-ssh/branch/master/graph/badge.svg)](https://codecov.io/gh/net-ssh/net-ssh)
+[![Backers on Open Collective](https://opencollective.com/net-ssh/backers/badge.svg)](#backers])
+[![Sponsors on Open Collective](https://opencollective.com/net-ssh/sponsors/badge.svg)](#sponsors)
+
+# Net::SSH 6.x
+
+* Docs: http://net-ssh.github.com/net-ssh
+* Issues: https://github.com/net-ssh/net-ssh/issues
+* Codes: https://github.com/net-ssh/net-ssh
+* Email: net-ssh@solutious.com
+
+*As of v2.6.4, all gem releases are signed. See [INSTALL](#install).*
+
+## DESCRIPTION:
+
+Net::SSH is a pure-Ruby implementation of the SSH2 client protocol.
+It allows you to write programs that invoke and interact with processes on remote servers, via SSH2.
+
+## FEATURES:
+
+* Execute processes on remote servers and capture their output
+* Run multiple processes in parallel over a single SSH connection
+* Support for SSH subsystems
+* Forward local and remote ports via an SSH connection
+
+## Supported Algorithms
+
+Net::SSH 6.0 disables by default the usage of weak algorithms.
+We strongly recommend that you install a servers's version that supports the latest algorithms.
+
+It is possible to return to the previous behavior by adding the option : `append_all_supported_algorithms: true`
+
+Unsecure algoritms will definitely be removed in Net::SSH 7.*.
+
+### Host Keys
+
+| Name                 | Support               | Details  |
+|----------------------|-----------------------|----------|
+| ssh-rsa              | OK                    |          |
+| ssh-ed25519          | OK                    | Require the gem `ed25519` |
+| ecdsa-sha2-nistp521  | OK                    | [using weak elliptic curves](https://safecurves.cr.yp.to/) |
+| ecdsa-sha2-nistp384  | OK                    | [using weak elliptic curves](https://safecurves.cr.yp.to/) |
+| ecdsa-sha2-nistp256  | OK                    | [using weak elliptic curves](https://safecurves.cr.yp.to/) |
+| ssh-dss              | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
+
+### Key Exchange
+
+| Name                                 | Support               | Details  |
+|--------------------------------------|-----------------------|----------|
+| curve25519-sha256                    | OK                    | Require the gem `x25519` |
+| ecdh-sha2-nistp521                   | OK                    | [using weak elliptic curves](https://safecurves.cr.yp.to/) |
+| ecdh-sha2-nistp384                   | OK                    | [using weak elliptic curves](https://safecurves.cr.yp.to/) |
+| ecdh-sha2-nistp256                   | OK                    | [using weak elliptic curves](https://safecurves.cr.yp.to/) |
+| diffie-hellman-group1-sha1           | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
+| diffie-hellman-group14-sha1          | OK                    |          |
+| diffie-hellman-group-exchange-sha1   | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
+| diffie-hellman-group-exchange-sha256 | OK                    |          |
+
+### Encryption algorithms (ciphers)
+
+| Name                                 | Support               | Details  |
+|--------------------------------------|-----------------------|----------|
+| aes256-ctr / aes192-ctr / aes128-ctr | OK                    |          |
+| aes256-cbc / aes192-cbc / aes128-cbc | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
+| rijndael-cbc@lysator.liu.se          | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
+| blowfish-ctr blowfish-cbc            | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
+| cast128-ctr cast128-cbc              | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
+| 3des-ctr 3des-cbc                    | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
+| idea-cbc                             | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
+| none                                 | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
+
+### Message Authentication Code algorithms
+
+| Name                 | Support               | Details  |
+|----------------------|-----------------------|----------|
+| hmac-sha2-512-etm    | OK                    |          |
+| hmac-sha2-256-etm    | OK                    |          |
+| hmac-sha2-512        | OK                    |          |
+| hmac-sha2-256        | OK                    |          |
+| hmac-sha2-512-96     | Deprecated in 6.0     | removed from the specification, will be removed in 7.0 |
+| hmac-sha2-256-96     | Deprecated in 6.0     | removed from the specification, will be removed in 7.0 |
+| hmac-sha1            | OK                    | for backward compatibility      |
+| hmac-sha1-96         | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
+| hmac-ripemd160       | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
+| hmac-md5             | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
+| hmac-md5-96          | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
+| none                 | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
+
+## SYNOPSIS:
+
+In a nutshell:
+
+```ruby
+require 'net/ssh'
+
+Net::SSH.start('host', 'user', password: "password") do |ssh|
+
+# capture all stderr and stdout output from a remote process
+output = ssh.exec!("hostname")
+puts output
+
+# capture only stdout matching a particular pattern
+stdout = ""
+ssh.exec!("ls -l /home/jamis") do |channel, stream, data|
+  stdout << data if stream == :stdout && /foo/.match(data)
+end
+puts stdout
+
+# run multiple processes in parallel to completion
+ssh.exec "sed ..."
+ssh.exec "awk ..."
+ssh.exec "rm -rf ..."
+ssh.loop
+
+# open a new channel and configure a minimal set of callbacks, then run
+# the event loop until the channel finishes (closes)
+channel = ssh.open_channel do |ch|
+  ch.exec "/usr/local/bin/ruby /path/to/file.rb" do |ch, success|
+    raise "could not execute command" unless success
+
+    # "on_data" is called when the process writes something to stdout
+    ch.on_data do |c, data|
+      $stdout.print data
+    end
+
+    # "on_extended_data" is called when the process writes something to stderr
+    ch.on_extended_data do |c, type, data|
+      $stderr.print data
+    end
+
+    ch.on_close { puts "done!" }
+  end
+end
+
+channel.wait
+
+# forward connections on local port 1234 to port 80 of www.capify.org
+ssh.forward.local(1234, "www.capify.org", 80)
+ssh.loop { true }
+end
+```
+
+See Net::SSH for more documentation, and links to further information.
+
+## REQUIREMENTS:
+
+The only requirement you might be missing is the OpenSSL bindings for Ruby with a version greather than `1.0.1`.
+These are built by default on most platforms, but you can verify that they're built and installed on your system by running the following command line:
+
+```sh
+ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'
+```
+
+If that spits out something like `OpenSSL 1.0.1 14 Mar 2012`, then you're set.
+If you get an error, then you'll need to see about rebuilding ruby with OpenSSL support,
+or (if your platform supports it) installing the OpenSSL bindings separately.
+
+## INSTALL:
+
+```sh
+gem install net-ssh # might need sudo privileges
+```
+
+NOTE: If you are running on jruby on windows you need to install `jruby-pageant` manually
+(gemspec doesn't allow for platform specific dependencies at gem installation time).
+
+However, in order to be sure the code you're installing hasn't been tampered with,
+it's recommended that you verify the [signature](http://docs.rubygems.org/read/chapter/21).
+ To do this, you need to add my public key as a trusted certificate (you only need to do this once):
+
+```sh
+# Add the public key as a trusted certificate
+# (You only need to do this once)
+curl -O https://raw.githubusercontent.com/net-ssh/net-ssh/master/net-ssh-public_cert.pem
+gem cert --add net-ssh-public_cert.pem
+```
+
+Then, when install the gem, do so with high security:
+
+```sh
+gem install net-ssh -P HighSecurity
+```
+
+If you don't add the public key, you'll see an error like "Couldn't verify data signature".
+If you're still having trouble let me know and I'll give you a hand.
+
+For ed25519 public key auth support your bundle file should contain `ed25519`, `bcrypt_pbkdf` dependencies.
+
+```sh
+gem install ed25519
+gem install bcrypt_pbkdf
+```
+
+For curve25519-sha256 kex exchange support your bundle file should contain `x25519` dependency.
+
+## RUBY SUPPORT
+
+* See [net-ssh.gemspec](https://github.com/net-ssh/net-ssh/blob/master/net-ssh.gemspec) for current versions ruby requirements
+
+## RUNNING TESTS
+
+If you want to run the tests or use any of the Rake tasks, you'll need Mocha and
+other dependencies listed in Gemfile
+
+Run the test suite from the net-ssh directory with the following command:
+
+```sh
+bundle exec rake test
+```
+
+Run a single test file like this:
+
+```sh
+ruby -Ilib -Itest test/transport/test_server_version.rb
+```
+
+To run integration tests see test/integration/README.txt
+
+### BUILDING GEM
+
+```sh
+rake build
+```
+
+### GEM SIGNING (for maintainers)
+
+If you have the net-ssh private signing key, you will be able to create signed release builds. Make sure the private key path matches the `signing_key` path set in `net-ssh.gemspec` and tell rake to sign the gem by setting the `NET_SSH_BUILDGEM_SIGNED` flag:
+
+```sh
+NET_SSH_BUILDGEM_SIGNED=true rake build
+```
+
+For time to time, the public certificate associated to the private key needs to be renewed. You can do this with the following command:
+
+```sh
+gem cert --build netssh@solutious.com --private-key path/2/net-ssh-private_key.pem
+mv gem-public_cert.pem net-ssh-public_cert.pem
+gem cert --add net-ssh-public_cert.pem
+```
+
+## CREDITS
+
+### Contributors
+
+This project exists thanks to all the people who contribute.
+
+[![contributors](https://opencollective.com/net-ssh/contributors.svg?width=890&button=false)](graphs/contributors)
+
+### Backers
+
+Thank you to all our backers! 🙏 [Become a backer](https://opencollective.com/net-ssh#backer)
+
+[![backers](https://opencollective.com/net-ssh/backers.svg?width=890)](https://opencollective.com/net-ssh#backers)
+
+### Sponsors
+
+Support this project by becoming a sponsor. Your logo will show up here with a link to your website. [Become a sponsor](https://opencollective.com/net-ssh#sponsor)
+
+[![Sponsor](https://opencollective.com/net-ssh/sponsor/0/avatar.svg)](https://opencollective.com/net-ssh/sponsor/0/website)
+
+## LICENSE:
+
+(The MIT License)
+
+Copyright (c) 2008 Jamis Buck
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+'Software'), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.