net-ssh 4.1.0 → 6.1.0

data/lib/net/ssh/authentication/ed25519_loader.rb

@@ -1,31 +1,34 @@
-module Net; module SSH; module Authentication
-
-# Loads ED25519 support which requires optinal dependecies like
-# rbnacl, bcrypt_pbkdf
-module ED25519Loader
-
-begin
-  require 'net/ssh/authentication/ed25519'
-  LOADED = true
-  ERROR = nil
-rescue LoadError => e
-  ERROR = e
-  LOADED = false
-end
-
-def self.raiseUnlessLoaded(message)
-  description = ERROR.is_a?(LoadError) ? dependenciesRequiredForED25519 : ''
-  description << "#{ERROR.class} : \"#{ERROR.message}\"\n" if ERROR
-  raise NotImplementedError, "#{message}\n#{description}" unless LOADED
-end
-
-def self.dependenciesRequiredForED25519
-  result = "net-ssh requires the following gems for ed25519 support:\n"
-  result << " * rbnacl (>= 3.2, < 5.0)\n"
-  result << " * rbnacl-libsodium, if your system doesn't have libsodium installed.\n"
-  result << " * bcrypt_pbkdf (>= 1.0, < 2.0)\n" unless RUBY_PLATFORM == "java"
-  result << "See https://github.com/net-ssh/net-ssh/issues/478 for more information\n"
-end
+module Net 
+  module SSH 
+    module Authentication
 
+      # Loads ED25519 support which requires optinal dependecies like
+      # ed25519, bcrypt_pbkdf
+      module ED25519Loader
+      
+        begin
+          require 'net/ssh/authentication/ed25519'
+          LOADED = true
+          ERROR = nil
+        rescue LoadError => e
+          ERROR = e
+          LOADED = false
+        end
+      
+        def self.raiseUnlessLoaded(message)
+          description = ERROR.is_a?(LoadError) ? dependenciesRequiredForED25519 : ''
+          description << "#{ERROR.class} : \"#{ERROR.message}\"\n" if ERROR
+          raise NotImplementedError, "#{message}\n#{description}" unless LOADED
+        end
+      
+        def self.dependenciesRequiredForED25519
+          result = "net-ssh requires the following gems for ed25519 support:\n"
+          result << " * ed25519 (>= 1.2, < 2.0)\n"
+          result << " * bcrypt_pbkdf (>= 1.0, < 2.0)\n" unless RUBY_PLATFORM == "java"
+          result << "See https://github.com/net-ssh/net-ssh/issues/565 for more information\n"
+        end
+      
+      end
+    end
+  end
 end
-end; end; end

data/lib/net/ssh/authentication/key_manager.rb

@@ -30,6 +30,9 @@ module Net
         # The list of user key data that will be examined
         attr_reader :key_data
 
+        # The list of user key certificate files that will be examined
+        attr_reader :keycert_files
+
         # The map of loaded identities
         attr_reader :known_identities
 
@@ -43,7 +46,8 @@ module Net
           self.logger = logger
           @key_files = []
           @key_data = []
-          @use_agent = !(options[:use_agent] == false)
+          @keycert_files = []
+          @use_agent = options[:use_agent] != false
           @known_identities = {}
           @agent = nil
           @options = options
@@ -66,6 +70,12 @@ module Net
           self
         end
 
+        # Add the given keycert_file to the list of keycert files that will be used.
+        def add_keycert(keycert_file)
+          keycert_files.push(File.expand_path(keycert_file)).uniq!
+          self
+        end
+
         # Add the given key_file to the list of keys that will be used.
         def add_key_data(key_data_)
           key_data.push(key_data_).uniq!
@@ -108,7 +118,7 @@ module Net
               user_identities.delete(corresponding_user_identity) if corresponding_user_identity
 
               if !options[:keys_only] || corresponding_user_identity
-                known_identities[key] = { from: :agent }
+                known_identities[key] = { from: :agent, identity: key }
                 yield key
               end
             end
@@ -122,6 +132,21 @@ module Net
             yield key
           end
 
+          known_identity_blobs = known_identities.keys.map(&:to_blob)
+          keycert_files.each do |keycert_file|
+            keycert = KeyFactory.load_public_key(keycert_file)
+            next if known_identity_blobs.include?(keycert.to_blob)
+
+            (_, corresponding_identity) = known_identities.detect { |public_key, _|
+              public_key.to_pem == keycert.to_pem
+            }
+
+            if corresponding_identity
+              known_identities[keycert] = corresponding_identity
+              yield keycert
+            end
+          end
+
           self
         end
 
@@ -139,7 +164,7 @@ module Net
 
           if info[:key].nil? && info[:from] == :file
             begin
-              info[:key] = KeyFactory.load_private_key(info[:file], options[:passphrase], !options[:non_interactive])
+              info[:key] = KeyFactory.load_private_key(info[:file], options[:passphrase], !options[:non_interactive], options[:password_prompt])
             rescue OpenSSL::OpenSSLError, Exception => e
               raise KeyManagerError, "the given identity is known, but the private key could not be loaded: #{e.class} (#{e.message})"
             end
@@ -152,7 +177,7 @@ module Net
 
           if info[:from] == :agent
             raise KeyManagerError, "the agent is no longer available" unless agent
-            return agent.sign(identity, data.to_s)
+            return agent.sign(info[:identity], data.to_s)
           end
 
           raise KeyManagerError, "[BUG] can't determine identity origin (#{info.inspect})"
@@ -176,12 +201,16 @@ module Net
         # or if the agent is otherwise not available.
         def agent
           return unless use_agent?
-          @agent ||= Agent.connect(logger, options[:agent_socket_factory])
+          @agent ||= Agent.connect(logger, options[:agent_socket_factory], options[:identity_agent])
         rescue AgentNotAvailable
           @use_agent = false
           nil
         end
 
+        def no_keys?
+          key_files.empty? && key_data.empty?
+        end
+
         private
 
         # Prepares identities from user key_files for loading, preserving their order and sources.
@@ -225,17 +254,20 @@ module Net
                 key = KeyFactory.load_public_key(identity[:pubkey_file])
                 { public_key: key, from: :file, file: identity[:privkey_file] }
               when :privkey_file
-                private_key = KeyFactory.load_private_key(identity[:privkey_file], options[:passphrase], ask_passphrase, options[:password_prompt])
+                private_key = KeyFactory.load_private_key(
+                  identity[:privkey_file], options[:passphrase], ask_passphrase, options[:password_prompt]
+                )
                 key = private_key.send(:public_key)
                 { public_key: key, from: :file, file: identity[:privkey_file], key: private_key }
               when :data
-                private_key = KeyFactory.load_data_private_key(identity[:data], options[:passphrase], ask_passphrase, "<key in memory>", options[:password_prompt])
+                private_key = KeyFactory.load_data_private_key(
+                  identity[:data], options[:passphrase], ask_passphrase, "<key in memory>", options[:password_prompt]
+                )
                 key = private_key.send(:public_key)
                 { public_key: key, from: :key_data, data: identity[:data], key: private_key }
               else
                 identity
               end
-
             rescue OpenSSL::PKey::RSAError, OpenSSL::PKey::DSAError, OpenSSL::PKey::ECError, OpenSSL::PKey::PKeyError, ArgumentError => e
               if ignore_decryption_errors
                 identity
@@ -260,7 +292,6 @@ module Net
             raise e
           end
         end
-
       end
     end
   end

data/lib/net/ssh/authentication/methods/abstract.rb

@@ -3,62 +3,68 @@ require 'net/ssh/errors'
 require 'net/ssh/loggable'
 require 'net/ssh/authentication/constants'
 
-module Net; module SSH; module Authentication; module Methods
+module Net
+  module SSH
+    module Authentication
+      module Methods
 
-  # The base class of all user authentication methods. It provides a few
-  # bits of common functionality.
-  class Abstract
-    include Constants, Loggable
+        # The base class of all user authentication methods. It provides a few
+        # bits of common functionality.
+        class Abstract
+          include Loggable
+          include Constants
 
-    # The authentication session object
-    attr_reader :session
+          # The authentication session object
+          attr_reader :session
 
-    # The key manager object. Not all authentication methods will require
-    # this.
-    attr_reader :key_manager
+          # The key manager object. Not all authentication methods will require
+          # this.
+          attr_reader :key_manager
 
-    # Instantiates a new authentication method.
-    def initialize(session, options={})
-      @session = session
-      @key_manager = options[:key_manager]
-      @options = options
-      @prompt = options[:password_prompt]
-      self.logger = session.logger
-    end
+          # Instantiates a new authentication method.
+          def initialize(session, options={})
+            @session = session
+            @key_manager = options[:key_manager]
+            @options = options
+            @prompt = options[:password_prompt]
+            self.logger = session.logger
+          end
 
-    # Returns the session-id, as generated during the first key exchange of
-    # an SSH connection.
-    def session_id
-      session.transport.algorithms.session_id
-    end
+          # Returns the session-id, as generated during the first key exchange of
+          # an SSH connection.
+          def session_id
+            session.transport.algorithms.session_id
+          end
 
-    # Sends a message via the underlying transport layer abstraction. This
-    # will block until the message is completely sent.
-    def send_message(msg)
-      session.transport.send_message(msg)
-    end
+          # Sends a message via the underlying transport layer abstraction. This
+          # will block until the message is completely sent.
+          def send_message(msg)
+            session.transport.send_message(msg)
+          end
 
-    # Creates a new USERAUTH_REQUEST packet. The extra arguments on the end
-    # must be either boolean values or strings, and are tacked onto the end
-    # of the packet. The new packet is returned, ready for sending.
-    def userauth_request(username, next_service, auth_method, *others)
-      buffer = Net::SSH::Buffer.from(:byte, USERAUTH_REQUEST,
-        :string, username, :string, next_service, :string, auth_method)
+          # Creates a new USERAUTH_REQUEST packet. The extra arguments on the end
+          # must be either boolean values or strings, and are tacked onto the end
+          # of the packet. The new packet is returned, ready for sending.
+          def userauth_request(username, next_service, auth_method, *others)
+            buffer = Net::SSH::Buffer.from(:byte, USERAUTH_REQUEST,
+              :string, username, :string, next_service, :string, auth_method)
 
-      others.each do |value|
-        case value
-        when true, false then buffer.write_bool(value)
-        when String      then buffer.write_string(value)
-        else raise ArgumentError, "don't know how to write #{value.inspect}"
-        end
-      end
+            others.each do |value|
+              case value
+              when true, false then buffer.write_bool(value)
+              when String      then buffer.write_string(value)
+              else raise ArgumentError, "don't know how to write #{value.inspect}"
+              end
+            end
 
-      buffer
-    end
+            buffer
+          end
 
-    private
+          private
 
-    attr_reader :prompt
+          attr_reader :prompt
+        end
+      end
+    end
   end
-
-end; end; end; end
+end

data/lib/net/ssh/authentication/methods/hostbased.rb

@@ -24,49 +24,48 @@ module Net
 
           private
 
-            # Returns the hostname as reported by the underlying socket.
-            def hostname
-              session.transport.socket.client_name
-            end
-
-            # Attempts to perform host-based authentication of the user, using
-            # the given host identity (key).
-            def authenticate_with(identity, next_service, username, key_manager)
-              debug { "trying hostbased (#{identity.fingerprint})" }
-              client_username = ENV['USER'] || username
+          # Returns the hostname as reported by the underlying socket.
+          def hostname
+            session.transport.socket.client_name
+          end
 
-              req = build_request(identity, next_service, username, "#{hostname}.", client_username)
-              sig_data = Buffer.from(:string, session_id, :raw, req)
+          # Attempts to perform host-based authentication of the user, using
+          # the given host identity (key).
+          def authenticate_with(identity, next_service, username, key_manager)
+            debug { "trying hostbased (#{identity.fingerprint})" }
+            client_username = ENV['USER'] || username
 
-              sig = key_manager.sign(identity, sig_data.to_s)
+            req = build_request(identity, next_service, username, "#{hostname}.", client_username)
+            sig_data = Buffer.from(:string, session_id, :raw, req)
 
-              message = Buffer.from(:raw, req, :string, sig)
+            sig = key_manager.sign(identity, sig_data.to_s)
 
-              send_message(message)
-              message = session.next_message
+            message = Buffer.from(:raw, req, :string, sig)
 
-              case message.type
-                when USERAUTH_SUCCESS
-                  info { "hostbased succeeded (#{identity.fingerprint})" }
-                  return true
-                when USERAUTH_FAILURE
-                  info { "hostbased failed (#{identity.fingerprint})" }
+            send_message(message)
+            message = session.next_message
 
-                  raise Net::SSH::Authentication::DisallowedMethod unless
-                    message[:authentications].split(/,/).include? 'hostbased'
+            case message.type
+            when USERAUTH_SUCCESS
+              info { "hostbased succeeded (#{identity.fingerprint})" }
+              return true
+            when USERAUTH_FAILURE
+              info { "hostbased failed (#{identity.fingerprint})" }
 
-                  return false
-                else
-                  raise Net::SSH::Exception, "unexpected server response to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
-              end
-            end
+              raise Net::SSH::Authentication::DisallowedMethod unless
+                message[:authentications].split(/,/).include? 'hostbased'
 
-            # Build the "core" hostbased request string.
-            def build_request(identity, next_service, username, hostname, client_username)
-              userauth_request(username, next_service, "hostbased", identity.ssh_type,
-                Buffer.from(:key, identity).to_s, hostname, client_username).to_s
+              return false
+            else
+              raise Net::SSH::Exception, "unexpected server response to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
             end
+          end
 
+          # Build the "core" hostbased request string.
+          def build_request(identity, next_service, username, hostname, client_username)
+            userauth_request(username, next_service, "hostbased", identity.ssh_type,
+              Buffer.from(:key, identity).to_s, hostname, client_username).to_s
+          end
         end
 
       end

data/lib/net/ssh/authentication/methods/keyboard_interactive.rb

@@ -45,7 +45,7 @@ module Net
                 end
 
                 _ = message.read_string # lang_tag
-                responses =[]
+                responses = []
 
                 message.read_long.times do
                   text = message.read_string

data/lib/net/ssh/authentication/methods/none.rb

@@ -14,18 +14,18 @@ module Net
             message = session.next_message
             
             case message.type
-              when USERAUTH_SUCCESS
-                debug { "none succeeded" }
-                return true
-              when USERAUTH_FAILURE
-                debug { "none failed" }
+            when USERAUTH_SUCCESS
+              debug { "none succeeded" }
+              return true
+            when USERAUTH_FAILURE
+              debug { "none failed" }
               
-                raise Net::SSH::Authentication::DisallowedMethod unless
-                  message[:authentications].split(/,/).include? 'none'
+              raise Net::SSH::Authentication::DisallowedMethod unless
+                message[:authentications].split(/,/).include? 'none'
               
-                return false
-              else
-                raise Net::SSH::Exception, "unexpected reply to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
+              return false
+            else
+              raise Net::SSH::Exception, "unexpected reply to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
             end   
             
           end

data/lib/net/ssh/authentication/methods/password.rb

@@ -14,7 +14,7 @@ module Net
           def authenticate(next_service, username, password=nil)
             clear_prompter!
             retries = 0
-            max_retries =  get_max_retries
+            max_retries = get_max_retries
             return false if !password && max_retries == 0
 
             begin
@@ -34,17 +34,17 @@ module Net
             end until (message.type != USERAUTH_FAILURE || retries >= max_retries)
 
             case message.type
-              when USERAUTH_SUCCESS
-                debug { "password succeeded" }
-                @prompter.success if @prompter
-                return true
-              when USERAUTH_FAILURE
-                return false
-              when USERAUTH_PASSWD_CHANGEREQ
-                debug { "password change request received, failing" }
-                return false
-              else
-                raise Net::SSH::Exception, "unexpected reply to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
+            when USERAUTH_SUCCESS
+              debug { "password succeeded" }
+              @prompter.success if @prompter
+              return true
+            when USERAUTH_FAILURE
+              return false
+            when USERAUTH_PASSWD_CHANGEREQ
+              debug { "password change request received, failing" }
+              return false
+            else
+              raise Net::SSH::Exception, "unexpected reply to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
             end
           end
 
@@ -59,7 +59,7 @@ module Net
 
           def ask_password(username)
             host = session.transport.host
-            prompt_info = {type: 'password', user: username, host: host}
+            prompt_info = { type: 'password', user: username, host: host }
             if @prompt_info != prompt_info
               @prompt_info = prompt_info
               @prompter = prompt.start(prompt_info)