net-ssh 4.1.0 → 6.1.0

data/Rakefile

@@ -1,4 +1,3 @@
-# coding: UTF-8
 #
 # Also in your terminal environment run:
 #   $ export LANG=en_US.UTF-8
@@ -12,7 +11,6 @@ require "bundler/gem_tasks"
 
 require "rdoc/task"
 
-
 desc "When releasing make sure NET_SSH_BUILDGEM_SIGNED is set"
 task :check_NET_SSH_BUILDGEM_SIGNED do
   raise "NET_SSH_BUILDGEM_SIGNED should be set to release" unless ENV['NET_SSH_BUILDGEM_SIGNED']
@@ -21,9 +19,8 @@ end
 Rake::Task[:release].enhance [:check_NET_SSH_BUILDGEM_SIGNED]
 Rake::Task[:release].prerequisites.unshift(:check_NET_SSH_BUILDGEM_SIGNED)
 
-
 task default: ["build"]
-CLEAN.include [ 'pkg', 'rdoc' ]
+CLEAN.include ['pkg', 'rdoc']
 name = "net-ssh"
 
 require_relative "lib/net/ssh/version"
@@ -34,38 +31,52 @@ RDoc::Task.new do |rdoc|
   rdoc.rdoc_dir = "rdoc"
   rdoc.title = "#{name} #{version}"
   rdoc.generator = 'hanna' # gem install hanna-nouveau
-  rdoc.main = 'README.rdoc'
+  rdoc.main = 'README.md'
   rdoc.rdoc_files.include("README*")
   rdoc.rdoc_files.include("bin/*.rb")
   rdoc.rdoc_files.include("lib/**/*.rb")
   extra_files.each { |file|
-    rdoc.rdoc_files.include(file) if File.exists?(file)
+    rdoc.rdoc_files.include(file) if File.exist?(file)
   }
 end
 
-namespace :rdoc do
-desc "Update gh-pages branch"
-task :publish do
-  # copy/checkout
-  rm_rf "/tmp/net-ssh-rdoc"
-  rm_rf "/tmp/net-ssh-gh-pages"
-  cp_r "./rdoc", "/tmp/net-ssh-rdoc"
-  mkdir "/tmp/net-ssh-gh-pages"
-  Dir.chdir "/tmp/net-ssh-gh-pages" do
-    sh "git clone --branch gh-pages --single-branch https://github.com/net-ssh/net-ssh"
-    rm_rf "/tmp/net-ssh-gh-pages/net-ssh/*"
-  end
-  # update
-  sh "cp -rf ./rdoc/* /tmp/net-ssh-gh-pages/net-ssh/"
-  Dir.chdir "/tmp/net-ssh-gh-pages/net-ssh" do
-    sh "git add -A ."
-    sh "git commit -m \"Update docs\""
-  end
-  # publish
-  Dir.chdir "/tmp/net-ssh-gh-pages/net-ssh" do
-    sh "git push origin gh-pages"
+namespace :cert do
+  desc "Update public cert from private - only run if public is expired"
+  task :update_public_when_expired do
+    require 'openssl'
+    require 'time'
+    raw = File.read "net-ssh-public_cert.pem"
+    certificate = OpenSSL::X509::Certificate.new raw
+    raise Exception, "Not yet expired: #{certificate.not_after}" unless certificate.not_after < Time.now
+    sh "gem cert --build netssh@solutious.com --days 365*5 --private-key /mnt/gem/net-ssh-private_key.pem"
+    sh "mv gem-public_cert.pem net-ssh-public_cert.pem"
+    sh "gem cert --add net-ssh-public_cert.pem"
   end
 end
+
+namespace :rdoc do
+  desc "Update gh-pages branch"
+  task :publish do
+    # copy/checkout
+    rm_rf "/tmp/net-ssh-rdoc"
+    rm_rf "/tmp/net-ssh-gh-pages"
+    cp_r "./rdoc", "/tmp/net-ssh-rdoc"
+    mkdir "/tmp/net-ssh-gh-pages"
+    Dir.chdir "/tmp/net-ssh-gh-pages" do
+      sh "git clone --branch gh-pages --single-branch https://github.com/net-ssh/net-ssh"
+      rm_rf "/tmp/net-ssh-gh-pages/net-ssh/*"
+    end
+    # update
+    sh "cp -rf ./rdoc/* /tmp/net-ssh-gh-pages/net-ssh/"
+    Dir.chdir "/tmp/net-ssh-gh-pages/net-ssh" do
+      sh "git add -A ."
+      sh "git commit -m \"Update docs\""
+    end
+    # publish
+    Dir.chdir "/tmp/net-ssh-gh-pages/net-ssh" do
+      sh "git push origin gh-pages"
+    end
+  end
 end
 
 require 'rake/testtask'
@@ -80,7 +91,7 @@ Rake::TestTask.new do |t|
   test_files -= FileList['test/manual/test_*.rb']
   test_files -= FileList['test/test_pageant.rb']
   test_files -= FileList['test/test/**/test_*.rb']
-  t.test_files =  test_files
+  t.test_files = test_files
 end
 
 desc "Run tests of Net::SSH:Test"
@@ -89,5 +100,5 @@ Rake::TestTask.new do |t|
   # we need to run test/test separatedly as it hacks io + other modules
   t.libs = ["lib", "test"]
   test_files = FileList['test/test/**/test_*.rb']
-  t.test_files =  test_files
+  t.test_files = test_files
 end

data/appveyor.yml

@@ -5,9 +5,15 @@ skip_tags: true
 environment:
   matrix:
     - ruby_version: "jruby-9.1.2.0"
+    - ruby_version: "26-x64"
+    - ruby_version: "25-x64"
+    - ruby_version: "24-x64"
     - ruby_version: "23"
     - ruby_version: "23-x64"
-    - ruby_version: "22-x64"
+
+matrix:
+  allow_failures:
+    - ruby_version: "jruby-9.1.2.0"
 
 #init:
 #  - ps: iex ((new-object net.webclient).DownloadString('https://raw.githubusercontent.com/appveyor/ci/master/scripts/enable-rdp.ps1'))
@@ -25,9 +31,9 @@ install:
   - if "%ruby_version%" == "jruby-9.1.2.0" ( cinst jruby --version 9.1.2.0 -i --allow-empty-checksums )
   - if "%ruby_version%" == "jruby-9.1.2.0" ( SET "PATH=C:\jruby-9.1.2.0\bin\;%PATH%" )
   - ruby --version
-  - gem install bundler --no-document -v 1.13.5
-  - SET BUNDLE_GEMFILE=Gemfile.norbnacl
-  - bundle _1.13.5_ install --retry=3
+  - gem install bundler --no-document --user-install -v 1.17
+  - SET BUNDLE_GEMFILE=Gemfile.noed25519
+  - bundle install --retry=3
   - cinst freesshd
   - cinst putty --allow-empty-checksums
   - ps: |
@@ -45,8 +51,8 @@ install:
           }
 
 test_script:
-  - SET BUNDLE_GEMFILE=Gemfile.norbnacl
+  - SET BUNDLE_GEMFILE=Gemfile.noed25519
   - SET NET_SSH_RUN_WIN_INTEGRATION_TESTS=YES
-  - bundle _1.13.5_ exec rake test
+  - bundle exec rake test
 
 build: off

data/lib/net/ssh.rb

@@ -4,6 +4,7 @@ ENV['HOME'] ||= ENV['HOMEPATH'] ? "#{ENV['HOMEDRIVE']}#{ENV['HOMEPATH']}" : Dir.
 
 require 'logger'
 require 'etc'
+require 'shellwords'
 
 require 'net/ssh/config'
 require 'net/ssh/errors'
@@ -62,17 +63,18 @@ module Net
   module SSH
     # This is the set of options that Net::SSH.start recognizes. See
     # Net::SSH.start for a description of each option.
-    VALID_OPTIONS = [
-      :auth_methods, :bind_address, :compression, :compression_level, :config,
-      :encryption, :forward_agent, :hmac, :host_key, :remote_user,
-      :keepalive, :keepalive_interval, :keepalive_maxcount, :kex, :keys, :key_data,
-      :languages, :logger, :paranoid, :password, :port, :proxy,
-      :rekey_blocks_limit,:rekey_limit, :rekey_packet_limit, :timeout, :verbose,
-      :known_hosts, :global_known_hosts_file, :user_known_hosts_file, :host_key_alias,
-      :host_name, :user, :properties, :passphrase, :keys_only, :max_pkt_size,
-      :max_win_size, :send_env, :use_agent, :number_of_password_prompts,
-      :append_supported_algorithms, :non_interactive, :password_prompt, :agent_socket_factory,
-      :minimum_dh_bits
+    VALID_OPTIONS = %i[
+      auth_methods bind_address compression compression_level config
+      encryption forward_agent hmac host_key remote_user
+      keepalive keepalive_interval keepalive_maxcount kex keys key_data
+      keycerts languages logger paranoid password port proxy
+      rekey_blocks_limit rekey_limit rekey_packet_limit timeout verbose
+      known_hosts global_known_hosts_file user_known_hosts_file host_key_alias
+      host_name user properties passphrase keys_only max_pkt_size
+      max_win_size send_env set_env use_agent number_of_password_prompts
+      append_all_supported_algorithms non_interactive password_prompt
+      agent_socket_factory minimum_dh_bits verify_host_key
+      fingerprint_hash check_host_ip
     ]
 
     # The standard means of starting a new SSH connection. When used with a
@@ -107,6 +109,8 @@ module Net
     # * :bind_address => the IP address on the connecting machine to use in
     #   establishing connection. (:bind_address is discarded if :proxy
     #   is set.)
+    # * :check_host_ip => Also ckeck IP address when connecting to remote host.
+    #   Defaults to +true+.
     # * :compression => the compression algorithm to use, or +true+ to use
     #   whatever is supported.
     # * :compression_level => the compression level to use when sending data
@@ -141,6 +145,8 @@ module Net
     # * :kex => the key exchange algorithm (or algorithms) to use
     # * :keys => an array of file names of private keys to use for publickey
     #   and hostbased authentication
+    # * :keycerts => an array of file names of key certificates to use
+    #    with publickey authentication
     # * :key_data => an array of strings, with each element of the array being
     #   a raw private key in PEM format.
     # * :keys_only => set to +true+ to use only private keys from +keys+ and
@@ -157,12 +163,7 @@ module Net
     #   authentication failure vs password prompt. Non-interactive applications
     #   should set it to true to prefer failing a password/etc auth methods vs.
     #   asking for password.
-    # * :paranoid => either false, true, :very, or :secure specifying how
-    #   strict host-key verification should be (in increasing order here).
-    #   You can also provide an own Object which responds to +verify+. The argument
-    #   given to +verify+ is a hash consisting of the +:key+, the +:key_blob+,
-    #   the +:fingerprint+ and the +:session+. Returning true accepts the host key,
-    #   returning false declines it and closes the connection.
+    # * :paranoid => deprecated alias for :verify_host_key
     # * :passphrase => the passphrase to use when loading a private key (default
     #   is +nil+, for no passphrase)
     # * :password => the password to use to login
@@ -175,6 +176,8 @@ module Net
     # * :rekey_packet_limit => the max number of packets to process before rekeying
     # * :send_env => an array of local environment variable names to export to the
     #   remote environment. Names may be given as String or Regexp.
+    # * :set_env => a hash of environment variable names and values to set to the
+    #   remote environment. Override the ones if specified in +send_env+.
     # * :timeout => how long to wait for the initial connection to be made
     # * :user => the user name to log in as; this overrides the +user+
     #   parameter, and is primarily only useful when provided via an SSH
@@ -197,8 +200,19 @@ module Net
     # * :password_prompt => a custom prompt object with ask method. See Net::SSH::Prompt
     #
     # * :agent_socket_factory => enables the user to pass a lambda/block that will serve as the socket factory
-    #    Net::SSH::start(user,host,agent_socket_factory: ->{ UNIXSocket.open('/foo/bar') })
+    #    Net::SSH.start(host,user,agent_socket_factory: ->{ UNIXSocket.open('/foo/bar') })
     #    example: ->{ UNIXSocket.open('/foo/bar')}
+    # * :verify_host_key => specify how strict host-key verification should be.
+    #   In order of increasing strictness:
+    #   * :never (very insecure) ::Net::SSH::Verifiers::Never
+    #   * :accept_new_or_local_tunnel (insecure) ::Net::SSH::Verifiers::AcceptNewOrLocalTunnel
+    #   * :accept_new (insecure) ::Net::SSH::Verifiers::AcceptNew
+    #   * :always (secure) ::Net::SSH::Verifiers::Always
+    #   You can also provide an own Object which responds to +verify+. The argument
+    #   given to +verify+ is a hash consisting of the +:key+, the +:key_blob+,
+    #   the +:fingerprint+ and the +:session+. Returning true accepts the host key,
+    #   returning false declines it and closes the connection.
+    # * :fingerprint_hash => 'MD5' or 'SHA256', defaults to 'SHA256'
     # If +user+ parameter is nil it defaults to USER from ssh_config, or
     # local username
     def self.start(host, user=nil, options={}, &block)
@@ -214,26 +228,30 @@ module Net
       options = configuration_for(host, options.fetch(:config, true)).merge(options)
       host = options.fetch(:host_name, host)
 
+      options[:check_host_ip] = true unless options.key?(:check_host_ip)
+
       if options[:non_interactive]
         options[:number_of_password_prompts] = 0
       end
 
+      _support_deprecated_option_paranoid(options)
+
       if options[:verbose]
         options[:logger].level = case options[:verbose]
-          when Integer then options[:verbose]
-          when :debug then Logger::DEBUG
-          when :info  then Logger::INFO
-          when :warn  then Logger::WARN
-          when :error then Logger::ERROR
-          when :fatal then Logger::FATAL
-          else raise ArgumentError, "can't convert #{options[:verbose].inspect} to any of the Logger level constants"
-        end
+                                 when Integer then options[:verbose]
+                                 when :debug then Logger::DEBUG
+                                 when :info  then Logger::INFO
+                                 when :warn  then Logger::WARN
+                                 when :error then Logger::ERROR
+                                 when :fatal then Logger::FATAL
+                                 else raise ArgumentError, "can't convert #{options[:verbose].inspect} to any of the Logger level constants"
+                                 end
       end
 
       transport = Transport::Session.new(host, options)
       auth = Authentication::Session.new(transport, options)
 
-      user = options.fetch(:user, user) || Etc.getlogin
+      user = options.fetch(:user, user) || Etc.getpwuid.name
       if auth.authenticate("ssh-connection", user, options[:password])
         connection = Connection::Session.new(transport, options)
         if block_given?
@@ -262,10 +280,10 @@ module Net
     # See Net::SSH::Config for the full description of all supported options.
     def self.configuration_for(host, use_ssh_config)
       files = case use_ssh_config
-        when true then Net::SSH::Config.expandable_default_files
-        when false, nil then return {}
-        else Array(use_ssh_config)
-        end
+              when true then Net::SSH::Config.expandable_default_files
+              when false, nil then return {}
+              else Array(use_ssh_config)
+              end
 
       Net::SSH::Config.for(host, files)
     end
@@ -278,7 +296,7 @@ module Net
 
       options[:password_prompt] ||= Prompt.default(options)
 
-      [:password, :passphrase].each do |key|
+      %i[password passphrase].each do |key|
         options.delete(key) if options.key?(key) && options[key].nil?
       end
     end
@@ -291,5 +309,23 @@ module Net
       end
     end
     private_class_method :_sanitize_options
+
+    def self._support_deprecated_option_paranoid(options)
+      if options.key?(:paranoid)
+        Kernel.warn(
+          ":paranoid is deprecated, please use :verify_host_key. Supported " \
+          "values are exactly the same, only the name of the option has changed."
+        )
+        if options.key?(:verify_host_key)
+          Kernel.warn(
+            "Both :paranoid and :verify_host_key were specified. " \
+            ":verify_host_key takes precedence, :paranoid will be ignored."
+          )
+        else
+          options[:verify_host_key] = options.delete(:paranoid)
+        end
+      end
+    end
+    private_class_method :_support_deprecated_option_paranoid
   end
 end

data/lib/net/ssh/authentication/agent.rb

@@ -8,249 +8,261 @@ require 'rubygems'
 
 require 'net/ssh/authentication/pageant' if Gem.win_platform? && RUBY_PLATFORM != "java"
 
-module Net; module SSH; module Authentication
-  # Class for representing agent-specific errors.
-  class AgentError < Net::SSH::Exception; end
-  # An exception for indicating that the SSH agent is not available.
-  class AgentNotAvailable < AgentError; end
-
-  # This class implements a simple client for the ssh-agent protocol. It
-  # does not implement any specific protocol, but instead copies the
-  # behavior of the ssh-agent functions in the OpenSSH library (3.8).
-  #
-  # This means that although it behaves like a SSH1 client, it also has
-  # some SSH2 functionality (like signing data).
-  class Agent
-    include Loggable
-
-    # A simple module for extending keys, to allow comments to be specified
-    # for them.
-    module Comment
-      attr_accessor :comment
-    end
-
-    SSH2_AGENT_REQUEST_VERSION       = 1
-    SSH2_AGENT_REQUEST_IDENTITIES    = 11
-    SSH2_AGENT_IDENTITIES_ANSWER     = 12
-    SSH2_AGENT_SIGN_REQUEST          = 13
-    SSH2_AGENT_SIGN_RESPONSE         = 14
-    SSH2_AGENT_ADD_IDENTITY          = 17
-    SSH2_AGENT_REMOVE_IDENTITY       = 18
-    SSH2_AGENT_REMOVE_ALL_IDENTITIES = 19
-    SSH2_AGENT_ADD_ID_CONSTRAINED    = 25
-    SSH2_AGENT_FAILURE               = 30
-    SSH2_AGENT_VERSION_RESPONSE      = 103
-
-    SSH_COM_AGENT2_FAILURE = 102
-
-    SSH_AGENT_REQUEST_RSA_IDENTITIES = 1
-    SSH_AGENT_RSA_IDENTITIES_ANSWER1 = 2
-    SSH_AGENT_RSA_IDENTITIES_ANSWER2 = 5
-    SSH_AGENT_FAILURE                = 5
-    SSH_AGENT_SUCCESS                = 6
-
-    SSH_AGENT_CONSTRAIN_LIFETIME = 1
-    SSH_AGENT_CONSTRAIN_CONFIRM  = 2
-
-    # The underlying socket being used to communicate with the SSH agent.
-    attr_reader :socket
-
-    # Instantiates a new agent object, connects to a running SSH agent,
-    # negotiates the agent protocol version, and returns the agent object.
-    def self.connect(logger=nil, agent_socket_factory = nil)
-      agent = new(logger)
-      agent.connect!(agent_socket_factory)
-      agent.negotiate!
-      agent
-    end
-
-    # Creates a new Agent object, using the optional logger instance to
-    # report status.
-    def initialize(logger=nil)
-      self.logger = logger
-    end
+module Net
+  module SSH
+    module Authentication
+      # Class for representing agent-specific errors.
+      class AgentError < Net::SSH::Exception; end
+      # An exception for indicating that the SSH agent is not available.
+      class AgentNotAvailable < AgentError; end
+
+      # This class implements a simple client for the ssh-agent protocol. It
+      # does not implement any specific protocol, but instead copies the
+      # behavior of the ssh-agent functions in the OpenSSH library (3.8).
+      #
+      # This means that although it behaves like a SSH1 client, it also has
+      # some SSH2 functionality (like signing data).
+      class Agent
+        include Loggable
+
+        # A simple module for extending keys, to allow comments to be specified
+        # for them.
+        module Comment
+          attr_accessor :comment
+        end
 
-    # Connect to the agent process using the socket factory and socket name
-    # given by the attribute writers. If the agent on the other end of the
-    # socket reports that it is an SSH2-compatible agent, this will fail
-    # (it only supports the ssh-agent distributed by OpenSSH).
-    def connect!(agent_socket_factory = nil)
-      debug { "connecting to ssh-agent" }
-      @socket =
-        if agent_socket_factory
-          agent_socket_factory.call
-        elsif ENV['SSH_AUTH_SOCK'] && unix_socket_class
-          unix_socket_class.open(ENV['SSH_AUTH_SOCK'])
-        elsif Gem.win_platform? && RUBY_ENGINE != "jruby"
-          Pageant::Socket.open
-        else
-          raise AgentNotAvailable, "Agent not configured"
+        SSH2_AGENT_REQUEST_VERSION       = 1
+        SSH2_AGENT_REQUEST_IDENTITIES    = 11
+        SSH2_AGENT_IDENTITIES_ANSWER     = 12
+        SSH2_AGENT_SIGN_REQUEST          = 13
+        SSH2_AGENT_SIGN_RESPONSE         = 14
+        SSH2_AGENT_ADD_IDENTITY          = 17
+        SSH2_AGENT_REMOVE_IDENTITY       = 18
+        SSH2_AGENT_REMOVE_ALL_IDENTITIES = 19
+        SSH2_AGENT_ADD_ID_CONSTRAINED    = 25
+        SSH2_AGENT_FAILURE               = 30
+        SSH2_AGENT_VERSION_RESPONSE      = 103
+
+        SSH_COM_AGENT2_FAILURE = 102
+
+        SSH_AGENT_REQUEST_RSA_IDENTITIES = 1
+        SSH_AGENT_RSA_IDENTITIES_ANSWER1 = 2
+        SSH_AGENT_RSA_IDENTITIES_ANSWER2 = 5
+        SSH_AGENT_FAILURE                = 5
+        SSH_AGENT_SUCCESS                = 6
+
+        SSH_AGENT_CONSTRAIN_LIFETIME = 1
+        SSH_AGENT_CONSTRAIN_CONFIRM  = 2
+
+        SSH_AGENT_RSA_SHA2_256 = 0x02
+        SSH_AGENT_RSA_SHA2_512 = 0x04
+
+        # The underlying socket being used to communicate with the SSH agent.
+        attr_reader :socket
+
+        # Instantiates a new agent object, connects to a running SSH agent,
+        # negotiates the agent protocol version, and returns the agent object.
+        def self.connect(logger=nil, agent_socket_factory = nil, identity_agent = nil)
+          agent = new(logger)
+          agent.connect!(agent_socket_factory, identity_agent)
+          agent.negotiate!
+          agent
         end
-    rescue StandardError => e
-      error { "could not connect to ssh-agent: #{e.message}" }
-      raise AgentNotAvailable, $!.message
-    end
 
-    # Attempts to negotiate the SSH agent protocol version. Raises an error
-    # if the version could not be negotiated successfully.
-    def negotiate!
-      # determine what type of agent we're communicating with
-      type, body = send_and_wait(SSH2_AGENT_REQUEST_VERSION, :string, Transport::ServerVersion::PROTO_VERSION)
-
-      raise AgentNotAvailable, "SSH2 agents are not yet supported" if type == SSH2_AGENT_VERSION_RESPONSE
-      if type == SSH2_AGENT_FAILURE
-        debug { "Unexpected response type==#{type}, this will be ignored" }
-      elsif type != SSH_AGENT_RSA_IDENTITIES_ANSWER1 && type != SSH_AGENT_RSA_IDENTITIES_ANSWER2
-        raise AgentNotAvailable, "unknown response from agent: #{type}, #{body.to_s.inspect}"
-      end
-    end
+        # Creates a new Agent object, using the optional logger instance to
+        # report status.
+        def initialize(logger=nil)
+          self.logger = logger
+        end
 
-    # Return an array of all identities (public keys) known to the agent.
-    # Each key returned is augmented with a +comment+ property which is set
-    # to the comment returned by the agent for that key.
-    def identities
-      type, body = send_and_wait(SSH2_AGENT_REQUEST_IDENTITIES)
-      raise AgentError, "could not get identity count" if agent_failed(type)
-      raise AgentError, "bad authentication reply: #{type}" if type != SSH2_AGENT_IDENTITIES_ANSWER
-
-      identities = []
-      body.read_long.times do
-        key_str = body.read_string
-        comment_str = body.read_string
-        begin
-          key = Buffer.new(key_str).read_key
-          key.extend(Comment)
-          key.comment = comment_str
-          identities.push key
-        rescue NotImplementedError => e
-          error { "ignoring unimplemented key:#{e.message} #{comment_str}" }
+        # Connect to the agent process using the socket factory and socket name
+        # given by the attribute writers. If the agent on the other end of the
+        # socket reports that it is an SSH2-compatible agent, this will fail
+        # (it only supports the ssh-agent distributed by OpenSSH).
+        def connect!(agent_socket_factory = nil, identity_agent = nil)
+          debug { "connecting to ssh-agent" }
+          @socket =
+            if agent_socket_factory
+              agent_socket_factory.call
+            elsif identity_agent
+              unix_socket_class.open(identity_agent)
+            elsif ENV['SSH_AUTH_SOCK'] && unix_socket_class
+              unix_socket_class.open(ENV['SSH_AUTH_SOCK'])
+            elsif Gem.win_platform? && RUBY_ENGINE != "jruby"
+              Pageant::Socket.open
+            else
+              raise AgentNotAvailable, "Agent not configured"
+            end
+        rescue StandardError => e
+          error { "could not connect to ssh-agent: #{e.message}" }
+          raise AgentNotAvailable, $!.message
         end
-      end
 
-      return identities
-    end
+        # Attempts to negotiate the SSH agent protocol version. Raises an error
+        # if the version could not be negotiated successfully.
+        def negotiate!
+          # determine what type of agent we're communicating with
+          type, body = send_and_wait(SSH2_AGENT_REQUEST_VERSION, :string, Transport::ServerVersion::PROTO_VERSION)
+
+          raise AgentNotAvailable, "SSH2 agents are not yet supported" if type == SSH2_AGENT_VERSION_RESPONSE
+          if type == SSH2_AGENT_FAILURE
+            debug { "Unexpected response type==#{type}, this will be ignored" }
+          elsif type != SSH_AGENT_RSA_IDENTITIES_ANSWER1 && type != SSH_AGENT_RSA_IDENTITIES_ANSWER2
+            raise AgentNotAvailable, "unknown response from agent: #{type}, #{body.to_s.inspect}"
+          end
+        end
 
-    # Closes this socket. This agent reference is no longer able to
-    # query the agent.
-    def close
-      @socket.close
-    end
+        # Return an array of all identities (public keys) known to the agent.
+        # Each key returned is augmented with a +comment+ property which is set
+        # to the comment returned by the agent for that key.
+        def identities
+          type, body = send_and_wait(SSH2_AGENT_REQUEST_IDENTITIES)
+          raise AgentError, "could not get identity count" if agent_failed(type)
+          raise AgentError, "bad authentication reply: #{type}" if type != SSH2_AGENT_IDENTITIES_ANSWER
+
+          identities = []
+          body.read_long.times do
+            key_str = body.read_string
+            comment_str = body.read_string
+            begin
+              key = Buffer.new(key_str).read_key
+              if key.nil?
+                error { "ignoring invalid key: #{comment_str}" }
+                next
+              end
+              key.extend(Comment)
+              key.comment = comment_str
+              identities.push key
+            rescue NotImplementedError => e
+              error { "ignoring unimplemented key:#{e.message} #{comment_str}" }
+            end
+          end
+
+          return identities
+        end
 
-    # Using the agent and the given public key, sign the given data. The
-    # signature is returned in SSH2 format.
-    def sign(key, data)
-      type, reply = send_and_wait(SSH2_AGENT_SIGN_REQUEST, :string, Buffer.from(:key, key), :string, data, :long, 0)
+        # Closes this socket. This agent reference is no longer able to
+        # query the agent.
+        def close
+          @socket.close
+        end
 
-      raise AgentError, "agent could not sign data with requested identity" if agent_failed(type)
-      raise AgentError, "bad authentication response #{type}" if type != SSH2_AGENT_SIGN_RESPONSE
+        # Using the agent and the given public key, sign the given data. The
+        # signature is returned in SSH2 format.
+        def sign(key, data, flags = 0)
+          type, reply = send_and_wait(SSH2_AGENT_SIGN_REQUEST, :string, Buffer.from(:key, key), :string, data, :long, flags)
 
-      return reply.read_string
-    end
+          raise AgentError, "agent could not sign data with requested identity" if agent_failed(type)
+          raise AgentError, "bad authentication response #{type}" if type != SSH2_AGENT_SIGN_RESPONSE
 
-    # Adds the private key with comment to the agent.
-    # If lifetime is given, the key will automatically be removed after lifetime
-    # seconds.
-    # If confirm is true, confirmation will be required for each agent signing
-    # operation.
-    def add_identity(priv_key, comment, lifetime: nil, confirm: false)
-      constraints = Buffer.new
-      if lifetime
-        constraints.write_byte(SSH_AGENT_CONSTRAIN_LIFETIME)
-        constraints.write_long(lifetime)
-      end
-      constraints.write_byte(SSH_AGENT_CONSTRAIN_CONFIRM) if confirm
+          return reply.read_string
+        end
 
-      req_type = constraints.empty? ? SSH2_AGENT_ADD_IDENTITY : SSH2_AGENT_ADD_ID_CONSTRAINED
-      type, = send_and_wait(req_type, :string, priv_key.ssh_type, :raw, blob_for_add(priv_key),
-                            :string, comment, :raw, constraints)
-      raise AgentError, "could not add identity to agent" if type != SSH_AGENT_SUCCESS
-    end
+        # Adds the private key with comment to the agent.
+        # If lifetime is given, the key will automatically be removed after lifetime
+        # seconds.
+        # If confirm is true, confirmation will be required for each agent signing
+        # operation.
+        def add_identity(priv_key, comment, lifetime: nil, confirm: false)
+          constraints = Buffer.new
+          if lifetime
+            constraints.write_byte(SSH_AGENT_CONSTRAIN_LIFETIME)
+            constraints.write_long(lifetime)
+          end
+          constraints.write_byte(SSH_AGENT_CONSTRAIN_CONFIRM) if confirm
+
+          req_type = constraints.empty? ? SSH2_AGENT_ADD_IDENTITY : SSH2_AGENT_ADD_ID_CONSTRAINED
+          type, = send_and_wait(req_type, :string, priv_key.ssh_type, :raw, blob_for_add(priv_key),
+                      :string, comment, :raw, constraints)
+          raise AgentError, "could not add identity to agent" if type != SSH_AGENT_SUCCESS
+        end
 
-    # Removes key from the agent.
-    def remove_identity(key)
-      type, = send_and_wait(SSH2_AGENT_REMOVE_IDENTITY, :string, key.to_blob)
-      raise AgentError, "could not remove identity from agent" if type != SSH_AGENT_SUCCESS
-    end
+        # Removes key from the agent.
+        def remove_identity(key)
+          type, = send_and_wait(SSH2_AGENT_REMOVE_IDENTITY, :string, key.to_blob)
+          raise AgentError, "could not remove identity from agent" if type != SSH_AGENT_SUCCESS
+        end
 
-    # Removes all identities from the agent.
-    def remove_all_identities
-      type, = send_and_wait(SSH2_AGENT_REMOVE_ALL_IDENTITIES)
-      raise AgentError, "could not remove all identity from agent" if type != SSH_AGENT_SUCCESS
-    end
+        # Removes all identities from the agent.
+        def remove_all_identities
+          type, = send_and_wait(SSH2_AGENT_REMOVE_ALL_IDENTITIES)
+          raise AgentError, "could not remove all identity from agent" if type != SSH_AGENT_SUCCESS
+        end
 
-    private
+        private
 
-    def unix_socket_class
-      defined?(UNIXSocket) && UNIXSocket
-    end
+        def unix_socket_class
+          defined?(UNIXSocket) && UNIXSocket
+        end
 
-    # Send a new packet of the given type, with the associated data.
-    def send_packet(type, *args)
-      buffer = Buffer.from(*args)
-      data = [buffer.length + 1, type.to_i, buffer.to_s].pack("NCA*")
-      debug { "sending agent request #{type} len #{buffer.length}" }
-      @socket.send data, 0
-    end
+        # Send a new packet of the given type, with the associated data.
+        def send_packet(type, *args)
+          buffer = Buffer.from(*args)
+          data = [buffer.length + 1, type.to_i, buffer.to_s].pack("NCA*")
+          debug { "sending agent request #{type} len #{buffer.length}" }
+          @socket.send data, 0
+        end
 
-    # Read the next packet from the agent. This will return a two-part
-    # tuple consisting of the packet type, and the packet's body (which
-    # is returned as a Net::SSH::Buffer).
-    def read_packet
-      buffer = Net::SSH::Buffer.new(@socket.read(4))
-      buffer.append(@socket.read(buffer.read_long))
-      type = buffer.read_byte
-      debug { "received agent packet #{type} len #{buffer.length-4}" }
-      return type, buffer
-    end
+        # Read the next packet from the agent. This will return a two-part
+        # tuple consisting of the packet type, and the packet's body (which
+        # is returned as a Net::SSH::Buffer).
+        def read_packet
+          buffer = Net::SSH::Buffer.new(@socket.read(4))
+          buffer.append(@socket.read(buffer.read_long))
+          type = buffer.read_byte
+          debug { "received agent packet #{type} len #{buffer.length - 4}" }
+          return type, buffer
+        end
 
-    # Send the given packet and return the subsequent reply from the agent.
-    # (See #send_packet and #read_packet).
-    def send_and_wait(type, *args)
-      send_packet(type, *args)
-      read_packet
-    end
+        # Send the given packet and return the subsequent reply from the agent.
+        # (See #send_packet and #read_packet).
+        def send_and_wait(type, *args)
+          send_packet(type, *args)
+          read_packet
+        end
 
-    # Returns +true+ if the parameter indicates a "failure" response from
-    # the agent, and +false+ otherwise.
-    def agent_failed(type)
-      type == SSH_AGENT_FAILURE ||
-        type == SSH2_AGENT_FAILURE ||
-        type == SSH_COM_AGENT2_FAILURE
-    end
+        # Returns +true+ if the parameter indicates a "failure" response from
+        # the agent, and +false+ otherwise.
+        def agent_failed(type)
+          type == SSH_AGENT_FAILURE ||
+            type == SSH2_AGENT_FAILURE ||
+            type == SSH_COM_AGENT2_FAILURE
+        end
 
-    def blob_for_add(priv_key)
-      # Ideally we'd have something like `to_private_blob` on the various key types, but the
-      # nuances with encoding (e.g. `n` and `e` are reversed for RSA keys) make this impractical.
-      case priv_key.ssh_type
-      when /^ssh-dss$/
-        Net::SSH::Buffer.from(:bignum, priv_key.p, :bignum, priv_key.q, :bignum, priv_key.g,
-                              :bignum, priv_key.pub_key, :bignum, priv_key.priv_key).to_s
-      when /^ssh-dss-cert-v01@openssh\.com$/
-        Net::SSH::Buffer.from(:string, priv_key.to_blob, :bignum, priv_key.key.priv_key).to_s
-      when /^ecdsa\-sha2\-(\w*)$/
-        curve_name = OpenSSL::PKey::EC::CurveNameAliasInv[priv_key.group.curve_name]
-        Net::SSH::Buffer.from(:string, curve_name, :mstring, priv_key.public_key.to_bn.to_s(2),
-                              :bignum, priv_key.private_key).to_s
-      when /^ecdsa\-sha2\-(\w*)-cert-v01@openssh\.com$/
-        Net::SSH::Buffer.from(:string, priv_key.to_blob, :bignum, priv_key.key.private_key).to_s
-      when /^ssh-ed25519$/
-        Net::SSH::Buffer.from(:string, priv_key.public_key.verify_key.to_bytes,
-                              :string, priv_key.sign_key.keypair_bytes).to_s
-      when /^ssh-ed25519-cert-v01@openssh\.com$/
-        # Unlike the other certificate types, the public key is included after the certifiate.
-        Net::SSH::Buffer.from(:string, priv_key.to_blob,
-                              :string, priv_key.key.public_key.verify_key.to_bytes,
-                              :string, priv_key.key.sign_key.keypair_bytes).to_s
-      when /^ssh-rsa$/
-        # `n` and `e` are reversed compared to the ordering in `OpenSSL::PKey::RSA#to_blob`.
-        Net::SSH::Buffer.from(:bignum, priv_key.n, :bignum, priv_key.e, :bignum, priv_key.d,
-                              :bignum, priv_key.iqmp, :bignum, priv_key.p, :bignum, priv_key.q).to_s
-      when /^ssh-rsa-cert-v01@openssh\.com$/
-        Net::SSH::Buffer.from(:string, priv_key.to_blob, :bignum, priv_key.key.d,
-                              :bignum, priv_key.key.iqmp, :bignum, priv_key.key.p,
-                              :bignum, priv_key.key.q).to_s
+        def blob_for_add(priv_key)
+          # Ideally we'd have something like `to_private_blob` on the various key types, but the
+          # nuances with encoding (e.g. `n` and `e` are reversed for RSA keys) make this impractical.
+          case priv_key.ssh_type
+          when /^ssh-dss$/
+            Net::SSH::Buffer.from(:bignum, priv_key.p, :bignum, priv_key.q, :bignum, priv_key.g,
+                        :bignum, priv_key.pub_key, :bignum, priv_key.priv_key).to_s
+          when /^ssh-dss-cert-v01@openssh\.com$/
+            Net::SSH::Buffer.from(:string, priv_key.to_blob, :bignum, priv_key.key.priv_key).to_s
+          when /^ecdsa\-sha2\-(\w*)$/
+            curve_name = OpenSSL::PKey::EC::CurveNameAliasInv[priv_key.group.curve_name]
+            Net::SSH::Buffer.from(:string, curve_name, :mstring, priv_key.public_key.to_bn.to_s(2),
+                        :bignum, priv_key.private_key).to_s
+          when /^ecdsa\-sha2\-(\w*)-cert-v01@openssh\.com$/
+            Net::SSH::Buffer.from(:string, priv_key.to_blob, :bignum, priv_key.key.private_key).to_s
+          when /^ssh-ed25519$/
+            Net::SSH::Buffer.from(:string, priv_key.public_key.verify_key.to_bytes,
+                        :string, priv_key.sign_key.keypair).to_s
+          when /^ssh-ed25519-cert-v01@openssh\.com$/
+            # Unlike the other certificate types, the public key is included after the certifiate.
+            Net::SSH::Buffer.from(:string, priv_key.to_blob,
+                        :string, priv_key.key.public_key.verify_key.to_bytes,
+                        :string, priv_key.key.sign_key.keypair).to_s
+          when /^ssh-rsa$/
+            # `n` and `e` are reversed compared to the ordering in `OpenSSL::PKey::RSA#to_blob`.
+            Net::SSH::Buffer.from(:bignum, priv_key.n, :bignum, priv_key.e, :bignum, priv_key.d,
+                        :bignum, priv_key.iqmp, :bignum, priv_key.p, :bignum, priv_key.q).to_s
+          when /^ssh-rsa-cert-v01@openssh\.com$/
+            Net::SSH::Buffer.from(:string, priv_key.to_blob, :bignum, priv_key.key.d,
+                        :bignum, priv_key.key.iqmp, :bignum, priv_key.key.p,
+                        :bignum, priv_key.key.q).to_s
+          end
+        end
       end
     end
   end
-
-end; end; end
+end