net-ssh 4.1.0 → 6.1.0

data/lib/net/ssh/buffered_io.rb

@@ -1,144 +1,145 @@
 require 'net/ssh/buffer'
 require 'net/ssh/loggable'
-require 'net/ssh/ruby_compat'
 
-module Net; module SSH
-
-  # This module is used to extend sockets and other IO objects, to allow
-  # them to be buffered for both read and write. This abstraction makes it
-  # quite easy to write a select-based event loop
-  # (see Net::SSH::Connection::Session#listen_to).
-  #
-  # The general idea is that instead of calling #read directly on an IO that
-  # has been extended with this module, you call #fill (to add pending input
-  # to the internal read buffer), and then #read_available (to read from that
-  # buffer). Likewise, you don't call #write directly, you call #enqueue to
-  # add data to the write buffer, and then #send_pending or #wait_for_pending_sends
-  # to actually send the data across the wire.
-  #
-  # In this way you can easily use the object as an argument to IO.select,
-  # calling #fill when it is available for read, or #send_pending when it is
-  # available for write, and then call #enqueue and #read_available during
-  # the idle times.
-  #
-  #   socket = TCPSocket.new(address, port)
-  #   socket.extend(Net::SSH::BufferedIo)
-  #
-  #   ssh.listen_to(socket)
-  #
-  #   ssh.loop do
-  #     if socket.available > 0
-  #       puts socket.read_available
-  #       socket.enqueue("response\n")
-  #     end
-  #   end
-  #
-  # Note that this module must be used to extend an instance, and should not
-  # be included in a class. If you do want to use it via an include, then you
-  # must make sure to invoke the private #initialize_buffered_io method in
-  # your class' #initialize method:
-  #
-  #   class Foo < IO
-  #     include Net::SSH::BufferedIo
-  #
-  #     def initialize
-  #       initialize_buffered_io
-  #       # ...
-  #     end
-  #   end
-  module BufferedIo
-    include Loggable
-
-    # Called when the #extend is called on an object, with this module as the
-    # argument. It ensures that the modules instance variables are all properly
-    # initialized.
-    def self.extended(object) #:nodoc:
-      # need to use __send__ because #send is overridden in Socket
-      object.__send__(:initialize_buffered_io)
-    end
-
-    # Tries to read up to +n+ bytes of data from the remote end, and appends
-    # the data to the input buffer. It returns the number of bytes read, or 0
-    # if no data was available to be read.
-    def fill(n=8192)
-      input.consume!
-      data = recv(n)
-      debug { "read #{data.length} bytes" }
-      input.append(data)
-      return data.length
-    rescue EOFError => e
-      @input_errors << e
-      return 0
-    end
-
-    # Read up to +length+ bytes from the input buffer. If +length+ is nil,
-    # all available data is read from the buffer. (See #available.)
-    def read_available(length=nil)
-      input.read(length || available)
-    end
-
-    # Returns the number of bytes available to be read from the input buffer.
-    # (See #read_available.)
-    def available
-      input.available
-    end
-
-    # Enqueues data in the output buffer, to be written when #send_pending
-    # is called. Note that the data is _not_ sent immediately by this method!
-    def enqueue(data)
-      output.append(data)
-    end
-
-    # Returns +true+ if there is data waiting in the output buffer, and
-    # +false+ otherwise.
-    def pending_write?
-      output.length > 0
-    end
-
-    # Sends as much of the pending output as possible. Returns +true+ if any
-    # data was sent, and +false+ otherwise.
-    def send_pending
-      if output.length > 0
-        sent = send(output.to_s, 0)
-        debug { "sent #{sent} bytes" }
-        output.consume!(sent)
-        return sent > 0
-      else
-        return false
+module Net 
+  module SSH
+
+    # This module is used to extend sockets and other IO objects, to allow
+    # them to be buffered for both read and write. This abstraction makes it
+    # quite easy to write a select-based event loop
+    # (see Net::SSH::Connection::Session#listen_to).
+    #
+    # The general idea is that instead of calling #read directly on an IO that
+    # has been extended with this module, you call #fill (to add pending input
+    # to the internal read buffer), and then #read_available (to read from that
+    # buffer). Likewise, you don't call #write directly, you call #enqueue to
+    # add data to the write buffer, and then #send_pending or #wait_for_pending_sends
+    # to actually send the data across the wire.
+    #
+    # In this way you can easily use the object as an argument to IO.select,
+    # calling #fill when it is available for read, or #send_pending when it is
+    # available for write, and then call #enqueue and #read_available during
+    # the idle times.
+    #
+    #   socket = TCPSocket.new(address, port)
+    #   socket.extend(Net::SSH::BufferedIo)
+    #
+    #   ssh.listen_to(socket)
+    #
+    #   ssh.loop do
+    #     if socket.available > 0
+    #       puts socket.read_available
+    #       socket.enqueue("response\n")
+    #     end
+    #   end
+    #
+    # Note that this module must be used to extend an instance, and should not
+    # be included in a class. If you do want to use it via an include, then you
+    # must make sure to invoke the private #initialize_buffered_io method in
+    # your class' #initialize method:
+    #
+    #   class Foo < IO
+    #     include Net::SSH::BufferedIo
+    #
+    #     def initialize
+    #       initialize_buffered_io
+    #       # ...
+    #     end
+    #   end
+    module BufferedIo
+      include Loggable
+  
+      # Called when the #extend is called on an object, with this module as the
+      # argument. It ensures that the modules instance variables are all properly
+      # initialized.
+      def self.extended(object) #:nodoc:
+        # need to use __send__ because #send is overridden in Socket
+        object.__send__(:initialize_buffered_io)
       end
-    end
-
-    # Calls #send_pending repeatedly, if necessary, blocking until the output
-    # buffer is empty.
-    def wait_for_pending_sends
-      send_pending
-      while output.length > 0
-        result = Net::SSH::Compat.io_select(nil, [self]) or next
-        next unless result[1].any?
+  
+      # Tries to read up to +n+ bytes of data from the remote end, and appends
+      # the data to the input buffer. It returns the number of bytes read, or 0
+      # if no data was available to be read.
+      def fill(n=8192)
+        input.consume!
+        data = recv(n)
+        debug { "read #{data.length} bytes" }
+        input.append(data)
+        return data.length
+      rescue EOFError => e
+        @input_errors << e
+        return 0
+      end
+  
+      # Read up to +length+ bytes from the input buffer. If +length+ is nil,
+      # all available data is read from the buffer. (See #available.)
+      def read_available(length=nil)
+        input.read(length || available)
+      end
+  
+      # Returns the number of bytes available to be read from the input buffer.
+      # (See #read_available.)
+      def available
+        input.available
+      end
+  
+      # Enqueues data in the output buffer, to be written when #send_pending
+      # is called. Note that the data is _not_ sent immediately by this method!
+      def enqueue(data)
+        output.append(data)
+      end
+  
+      # Returns +true+ if there is data waiting in the output buffer, and
+      # +false+ otherwise.
+      def pending_write?
+        output.length > 0
+      end
+  
+      # Sends as much of the pending output as possible. Returns +true+ if any
+      # data was sent, and +false+ otherwise.
+      def send_pending
+        if output.length > 0
+          sent = send(output.to_s, 0)
+          debug { "sent #{sent} bytes" }
+          output.consume!(sent)
+          return sent > 0
+        else
+          return false
+        end
+      end
+  
+      # Calls #send_pending repeatedly, if necessary, blocking until the output
+      # buffer is empty.
+      def wait_for_pending_sends
         send_pending
+        while output.length > 0
+          result = IO.select(nil, [self]) or next
+          next unless result[1].any?
+          send_pending
+        end
       end
-    end
-
-    public # these methods are primarily for use in tests
-
+  
+      public # these methods are primarily for use in tests
+  
       def write_buffer #:nodoc:
         output.to_s
       end
-
+  
       def read_buffer #:nodoc:
         input.to_s
       end
-
-    private
-
+  
+      private
+  
       #--
       # Can't use attr_reader here (after +private+) without incurring the
       # wrath of "ruby -w". We hates it.
       #++
-
+  
       def input; @input; end
-      def output; @output; end
 
+      def output; @output; end
+  
       # Initializes the intput and output buffers for this object. This method
       # is called automatically when the module is mixed into an object via
       # Object#extend (see Net::SSH::BufferedIo.extended), but must be called
@@ -150,54 +151,53 @@ module Net; module SSH
         @output = Net::SSH::Buffer.new
         @output_errors = []
       end
-  end
-
-
+    end
 
-  # Fixes for two issues by Miklós Fazekas:
-  #
-  #   * if client closes a forwarded connection, but the server is
-  #     reading, net-ssh terminates with IOError socket closed.
-  #   * if client force closes (RST) a forwarded connection, but
-  #     server is reading, net-ssh terminates with [an exception]
-  #
-  # See:
-  #
-  #    http://net-ssh.lighthouseapp.com/projects/36253/tickets/7
-  #    http://github.com/net-ssh/net-ssh/tree/portfwfix
-  #
-  module ForwardedBufferedIo
-    def fill(n=8192)
-      begin
-        super(n)
-      rescue Errno::ECONNRESET => e
-        debug { "connection was reset => shallowing exception:#{e}" }
-        return 0
-      rescue IOError => e
-        if e.message =~ /closed/ then
+    # Fixes for two issues by Miklós Fazekas:
+    #
+    #   * if client closes a forwarded connection, but the server is
+    #     reading, net-ssh terminates with IOError socket closed.
+    #   * if client force closes (RST) a forwarded connection, but
+    #     server is reading, net-ssh terminates with [an exception]
+    #
+    # See:
+    #
+    #    http://net-ssh.lighthouseapp.com/projects/36253/tickets/7
+    #    http://github.com/net-ssh/net-ssh/tree/portfwfix
+    #
+    module ForwardedBufferedIo
+      def fill(n=8192)
+        begin
+          super(n)
+        rescue Errno::ECONNRESET => e
           debug { "connection was reset => shallowing exception:#{e}" }
           return 0
-        else
-          raise
+        rescue IOError => e
+          if e.message =~ /closed/ then
+            debug { "connection was reset => shallowing exception:#{e}" }
+            return 0
+          else
+            raise
+          end
         end
       end
-    end
-
-    def send_pending
-      begin
-        super
-      rescue Errno::ECONNRESET => e
-        debug { "connection was reset => shallowing exception:#{e}" }
-        return 0
-      rescue IOError => e
-        if e.message =~ /closed/ then
+  
+      def send_pending
+        begin
+          super
+        rescue Errno::ECONNRESET => e
           debug { "connection was reset => shallowing exception:#{e}" }
           return 0
-        else
-          raise
+        rescue IOError => e
+          if e.message =~ /closed/ then
+            debug { "connection was reset => shallowing exception:#{e}" }
+            return 0
+          else
+            raise
+          end
         end
       end
     end
-  end
 
-end; end
+  end
+end

data/lib/net/ssh/config.rb

@@ -1,266 +1,300 @@
-module Net; module SSH
+module Net
+  module SSH
 
-  # The Net::SSH::Config class is used to parse OpenSSH configuration files,
-  # and translates that syntax into the configuration syntax that Net::SSH
-  # understands. This lets Net::SSH scripts read their configuration (to
-  # some extent) from OpenSSH configuration files (~/.ssh/config, /etc/ssh_config,
-  # and so forth).
-  #
-  # Only a subset of OpenSSH configuration options are understood:
-  #
-  # * ChallengeResponseAuthentication => maps to the :auth_methods option challenge-response (then coleasced into keyboard-interactive)
-  # * KbdInteractiveAuthentication => maps to the :auth_methods keyboard-interactive
-  # * Ciphers => maps to the :encryption option
-  # * Compression => :compression
-  # * CompressionLevel => :compression_level
-  # * ConnectTimeout => maps to the :timeout option
-  # * ForwardAgent => :forward_agent
-  # * GlobalKnownHostsFile => :global_known_hosts_file
-  # * HostBasedAuthentication => maps to the :auth_methods option
-  # * HostKeyAlgorithms => maps to :host_key option
-  # * HostKeyAlias => :host_key_alias
-  # * HostName => :host_name
-  # * IdentityFile => maps to the :keys option
-  # * IdentitiesOnly => :keys_only
-  # * Macs => maps to the :hmac option
-  # * PasswordAuthentication => maps to the :auth_methods option password
-  # * Port => :port
-  # * PreferredAuthentications => maps to the :auth_methods option
-  # * ProxyCommand => maps to the :proxy option
-  # * ProxyJump => maps to the :proxy option
-  # * PubKeyAuthentication => maps to the :auth_methods option
-  # * RekeyLimit => :rekey_limit
-  # * User => :user
-  # * UserKnownHostsFile => :user_known_hosts_file
-  # * NumberOfPasswordPrompts => :number_of_password_prompts
-  #
-  # Note that you will never need to use this class directly--you can control
-  # whether the OpenSSH configuration files are read by passing the :config
-  # option to Net::SSH.start. (They are, by default.)
-  class Config
-    class << self
-      @@default_files = %w(~/.ssh/config /etc/ssh_config /etc/ssh/ssh_config)
-      # The following defaults follow the openssh client ssh_config defaults.
-      # http://lwn.net/Articles/544640/
-      # "hostbased" is off and "none" is not supported but we allow it since
-      # it's used by some clients to query the server for allowed auth methods
-      @@default_auth_methods = %w(none publickey password keyboard-interactive)
+    # The Net::SSH::Config class is used to parse OpenSSH configuration files,
+    # and translates that syntax into the configuration syntax that Net::SSH
+    # understands. This lets Net::SSH scripts read their configuration (to
+    # some extent) from OpenSSH configuration files (~/.ssh/config, /etc/ssh_config,
+    # and so forth).
+    #
+    # Only a subset of OpenSSH configuration options are understood:
+    #
+    # * ChallengeResponseAuthentication => maps to the :auth_methods option challenge-response (then coleasced into keyboard-interactive)
+    # * KbdInteractiveAuthentication => maps to the :auth_methods keyboard-interactive
+    # * CertificateFile => maps to the :keycerts option
+    # * Ciphers => maps to the :encryption option
+    # * Compression => :compression
+    # * CompressionLevel => :compression_level
+    # * ConnectTimeout => maps to the :timeout option
+    # * ForwardAgent => :forward_agent
+    # * GlobalKnownHostsFile => :global_known_hosts_file
+    # * HostBasedAuthentication => maps to the :auth_methods option
+    # * HostKeyAlgorithms => maps to :host_key option
+    # * HostKeyAlias => :host_key_alias
+    # * HostName => :host_name
+    # * IdentityFile => maps to the :keys option
+    # * IdentityAgent => :identity_agent
+    # * IdentitiesOnly => :keys_only
+    # * CheckHostIP => :check_host_ip
+    # * Macs => maps to the :hmac option
+    # * PasswordAuthentication => maps to the :auth_methods option password
+    # * Port => :port
+    # * PreferredAuthentications => maps to the :auth_methods option
+    # * ProxyCommand => maps to the :proxy option
+    # * ProxyJump => maps to the :proxy option
+    # * PubKeyAuthentication => maps to the :auth_methods option
+    # * RekeyLimit => :rekey_limit
+    # * StrictHostKeyChecking => :strict_host_key_checking
+    # * User => :user
+    # * UserKnownHostsFile => :user_known_hosts_file
+    # * NumberOfPasswordPrompts => :number_of_password_prompts
+    # * FingerprintHash => :fingerprint_hash
+    #
+    # Note that you will never need to use this class directly--you can control
+    # whether the OpenSSH configuration files are read by passing the :config
+    # option to Net::SSH.start. (They are, by default.)
+    class Config
+      class << self
+        @@default_files = %w[~/.ssh/config /etc/ssh_config /etc/ssh/ssh_config]
+        # The following defaults follow the openssh client ssh_config defaults.
+        # http://lwn.net/Articles/544640/
+        # "hostbased" is off and "none" is not supported but we allow it since
+        # it's used by some clients to query the server for allowed auth methods
+        @@default_auth_methods = %w[none publickey password keyboard-interactive]
 
-      # Returns an array of locations of OpenSSH configuration files
-      # to parse by default.
-      def default_files
-        @@default_files
-      end
+        # Returns an array of locations of OpenSSH configuration files
+        # to parse by default.
+        def default_files
+          @@default_files.clone
+        end
 
-      def default_auth_methods
-        @@default_auth_methods
-      end
+        def default_auth_methods
+          @@default_auth_methods.clone
+        end
 
-      # Loads the configuration data for the given +host+ from all of the
-      # given +files+ (defaulting to the list of files returned by
-      # #default_files), translates the resulting hash into the options
-      # recognized by Net::SSH, and returns them.
-      def for(host, files=expandable_default_files)
-        translate(files.inject({}) { |settings, file|
-          load(file, host, settings)
-        })
-      end
+        # Loads the configuration data for the given +host+ from all of the
+        # given +files+ (defaulting to the list of files returned by
+        # #default_files), translates the resulting hash into the options
+        # recognized by Net::SSH, and returns them.
+        def for(host, files=expandable_default_files)
+          translate(files.inject({}) { |settings, file|
+            load(file, host, settings)
+          })
+        end
 
-      # Load the OpenSSH configuration settings in the given +file+ for the
-      # given +host+. If +settings+ is given, the options are merged into
-      # that hash, with existing values taking precedence over newly parsed
-      # ones. Returns a hash containing the OpenSSH options. (See
-      # #translate for how to convert the OpenSSH options into Net::SSH
-      # options.)
-      def load(path, host, settings={})
-        file = File.expand_path(path)
-        base_dir = File.dirname(file)
-        return settings unless File.readable?(file)
+        # Load the OpenSSH configuration settings in the given +file+ for the
+        # given +host+. If +settings+ is given, the options are merged into
+        # that hash, with existing values taking precedence over newly parsed
+        # ones. Returns a hash containing the OpenSSH options. (See
+        # #translate for how to convert the OpenSSH options into Net::SSH
+        # options.)
+        def load(path, host, settings={}, base_dir = nil)
+          file = File.expand_path(path)
+          base_dir ||= File.dirname(file)
+          return settings unless File.readable?(file)
 
-        globals = {}
-        host_matched = false
-        seen_host = false
-        IO.foreach(file) do |line|
-          next if line =~ /^\s*(?:#.*)?$/
+          globals = {}
+          block_matched = false
+          block_seen = false
+          IO.foreach(file) do |line|
+            next if line =~ /^\s*(?:#.*)?$/
 
-          if line =~ /^\s*(\S+)\s*=(.*)$/
-            key, value = $1, $2
-          else
-            key, value = line.strip.split(/\s+/, 2)
-          end
+            if line =~ /^\s*(\S+)\s*=(.*)$/
+              key, value = $1, $2
+            else
+              key, value = line.strip.split(/\s+/, 2)
+            end
 
-          # silently ignore malformed entries
-          next if value.nil?
+            # silently ignore malformed entries
+            next if value.nil?
 
-          key.downcase!
-          value = $1 if value =~ /^"(.*)"$/
+            key.downcase!
+            value = unquote(value)
 
-          value = case value.strip
-            when /^\d+$/ then value.to_i
-            when /^no$/i then false
-            when /^yes$/i then true
-            else value
-            end
+            value = case value.strip
+                    when /^\d+$/ then value.to_i
+                    when /^no$/i then false
+                    when /^yes$/i then true
+                    else value
+                    end
 
-          if key == 'host'
-            # Support "Host host1 host2 hostN".
-            # See http://github.com/net-ssh/net-ssh/issues#issue/6
-            negative_hosts, positive_hosts = value.to_s.split(/\s+/).partition { |h| h.start_with?('!') }
+            if key == 'host'
+              # Support "Host host1 host2 hostN".
+              # See http://github.com/net-ssh/net-ssh/issues#issue/6
+              negative_hosts, positive_hosts = value.to_s.split(/\s+/).partition { |h| h.start_with?('!') }
 
-            # Check for negative patterns first. If the host matches, that overrules any other positive match.
-            # The host substring code is used to strip out the starting "!" so the regexp will be correct.
-            negative_matched = negative_hosts.any? { |h| host =~ pattern2regex(h[1..-1]) }
+              # Check for negative patterns first. If the host matches, that overrules any other positive match.
+              # The host substring code is used to strip out the starting "!" so the regexp will be correct.
+              negative_matched = negative_hosts.any? { |h| host =~ pattern2regex(h[1..-1]) }
 
-            if negative_matched
-              host_matched = false
-            else
-              host_matched = positive_hosts.any? { |h| host =~ pattern2regex(h) }
+              if negative_matched
+                block_matched = false
+              else
+                block_matched = positive_hosts.any? { |h| host =~ pattern2regex(h) }
+              end
+
+              block_seen = true
+              settings[key] = host
+            elsif key == 'match'
+              block_matched = eval_match_conditions(value, host, settings)
+              block_seen = true
+            elsif !block_seen
+              case key
+              when 'identityfile', 'certificatefile'
+                (globals[key] ||= []) << value
+              when 'include'
+                included_file_paths(base_dir, value).each do |file_path|
+                  globals = load(file_path, host, globals, base_dir)
+                end
+              else
+                globals[key] = value unless settings.key?(key)
+              end
+            elsif block_matched
+              case key
+              when 'identityfile', 'certificatefile'
+                (settings[key] ||= []) << value
+              when 'include'
+                included_file_paths(base_dir, value).each do |file_path|
+                  settings = load(file_path, host, settings, base_dir)
+                end
+              else
+                settings[key] = value unless settings.key?(key)
+              end
             end
 
-            seen_host = true
-            settings[key] = host
-          elsif !seen_host
-            case key
-            when 'identityfile'
-              (globals[key] ||= []) << value
-            when 'include'
-              included_file_paths(base_dir, value).each do |file_path|
-                globals = load(file_path, host, globals)
+            # ProxyCommand and ProxyJump override each other so they need to be tracked togeather
+            %w[proxyjump proxycommand].each do |proxy_key|
+              if (proxy_value = settings.delete(proxy_key))
+                settings['proxy'] ||= [proxy_key, proxy_value]
               end
-            else
-              globals[key] = value unless settings.key?(key)
             end
-          elsif host_matched
+          end
+
+          globals.merge(settings) do |key, oldval, newval|
             case key
-            when 'identityfile'
-              (settings[key] ||= []) << value
-            when 'include'
-              included_file_paths(base_dir, value).each do |file_path|
-                settings = load(file_path, host, settings)
-              end
+            when 'identityfile', 'certificatefile'
+              oldval + newval
             else
-              settings[key] = value unless settings.key?(key)
+              newval
             end
           end
         end
 
-        settings = globals.merge(settings) if globals
-
-        return settings
-      end
-
-      # Given a hash of OpenSSH configuration options, converts them into
-      # a hash of Net::SSH options. Unrecognized options are ignored. The
-      # +settings+ hash must have Strings for keys, all downcased, and
-      # the returned hash will have Symbols for keys.
-      def translate(settings)
-        auth_methods = default_auth_methods.clone
-        (auth_methods << 'challenge-response').uniq!
-        ret = settings.inject({auth_methods: auth_methods}) do |hash, (key, value)|
-          translate_config_key(hash, key.to_sym, value, settings)
-          hash
+        # Given a hash of OpenSSH configuration options, converts them into
+        # a hash of Net::SSH options. Unrecognized options are ignored. The
+        # +settings+ hash must have Strings for keys, all downcased, and
+        # the returned hash will have Symbols for keys.
+        def translate(settings)
+          auth_methods = default_auth_methods.clone
+          (auth_methods << 'challenge-response').uniq!
+          ret = settings.each_with_object({ auth_methods: auth_methods }) do |(key, value), hash|
+            translate_config_key(hash, key.to_sym, value, settings)
+          end
+          merge_challenge_response_with_keyboard_interactive(ret)
         end
-        merge_challenge_response_with_keyboard_interactive(ret)
-      end
 
-      # Filters default_files down to the files that are expandable.
-      def expandable_default_files
-        default_files.keep_if do |path|
-          begin
-            File.expand_path(path)
-            true
-          rescue ArgumentError
-            false
+        # Filters default_files down to the files that are expandable.
+        def expandable_default_files
+          default_files.keep_if do |path|
+            begin
+              File.expand_path(path)
+              true
+            rescue ArgumentError
+              false
+            end
           end
         end
-      end
 
-      private
+        private
 
+        TRANSLATE_CONFIG_KEY_RENAME_MAP = {
+          bindaddress: :bind_address,
+          compression: :compression,
+          compressionlevel: :compression_level,
+          certificatefile: :keycerts,
+          connecttimeout: :timeout,
+          forwardagent: :forward_agent,
+          identitiesonly: :keys_only,
+          identityagent: :identity_agent,
+          globalknownhostsfile: :global_known_hosts_file,
+          hostkeyalias: :host_key_alias,
+          identityfile: :keys,
+          fingerprinthash: :fingerprint_hash,
+          port: :port,
+          stricthostkeychecking: :strict_host_key_checking,
+          user: :user,
+          userknownhostsfile: :user_known_hosts_file,
+          checkhostip: :check_host_ip
+        }.freeze
         def translate_config_key(hash, key, value, settings)
-          rename = {
-            bindaddress: :bind_address,
-            compression: :compression,
-            compressionlevel: :compression_level,
-            connecttimeout: :timeout,
-            forwardagent: :forward_agent,
-            identitiesonly: :keys_only,
-            globalknownhostsfile: :global_known_hosts_file,
-            hostkeyalias: :host_key_alias,
-            identityfile: :keys,
-            port: :port,
-            user: :user,
-            userknownhostsfile: :user_known_hosts_file
-          }
           case key
-            when :ciphers
-              hash[:encryption] = value.split(/,/)
-            when :hostbasedauthentication
-              if value
-                (hash[:auth_methods] << "hostbased").uniq!
-              else
-                hash[:auth_methods].delete("hostbased")
-              end
-            when :hostkeyalgorithms
-              hash[:host_key] = value.split(/,/)
-            when :hostname
-              hash[:host_name] = value.gsub(/%h/, settings['host'])
-            when :macs
-              hash[:hmac] = value.split(/,/)
-            when :serveralivecountmax
-              hash[:keepalive_maxcount] = value.to_i if value
-            when :serveraliveinterval
-              if value && value.to_i > 0
-                hash[:keepalive] = true
-                hash[:keepalive_interval] = value.to_i
-              else
-                hash[:keepalive] = false
-              end
-            when :passwordauthentication
-              if value
-                (hash[:auth_methods] << 'password').uniq!
-              else
-                hash[:auth_methods].delete('password')
-              end
-            when :challengeresponseauthentication
-              if value
-                (hash[:auth_methods] << 'challenge-response').uniq!
-              else
-                hash[:auth_methods].delete('challenge-response')
-              end
-            when :kbdinteractiveauthentication
-              if value
-                (hash[:auth_methods] << 'keyboard-interactive').uniq!
-              else
-                hash[:auth_methods].delete('keyboard-interactive')
-              end
-            when :preferredauthentications
-              hash[:auth_methods] = value.split(/,/) # TODO we should place to preferred_auth_methods rather than auth_methods
-            when :proxycommand
-              if value and !(value =~ /^none$/)
-                require 'net/ssh/proxy/command'
-                hash[:proxy] = Net::SSH::Proxy::Command.new(value)
-              end
-            when :proxyjump
-              if value
-                require 'net/ssh/proxy/jump'
-                hash[:proxy] = Net::SSH::Proxy::Jump.new(value)
-              end
-            when :pubkeyauthentication
-              if value
-                (hash[:auth_methods] << 'publickey').uniq!
-              else
-                hash[:auth_methods].delete('publickey')
-              end
-            when :rekeylimit
-              hash[:rekey_limit] = interpret_size(value)
-            when :sendenv
-              multi_send_env = value.to_s.split(/\s+/)
-              hash[:send_env] = multi_send_env.map { |e| Regexp.new pattern2regex(e).source, false }
-            when :numberofpasswordprompts
-              hash[:number_of_password_prompts] = value.to_i
-            when *rename.keys
-              hash[rename[key]] = value
+          when :ciphers
+            hash[:encryption] = value.split(/,/)
+          when :hostbasedauthentication
+            if value
+              (hash[:auth_methods] << "hostbased").uniq!
+            else
+              hash[:auth_methods].delete("hostbased")
+            end
+          when :hostkeyalgorithms
+            hash[:host_key] = value.split(/,/)
+          when :hostname
+            hash[:host_name] = value.gsub(/%h/, settings['host'])
+          when :macs
+            hash[:hmac] = value.split(/,/)
+          when :serveralivecountmax
+            hash[:keepalive_maxcount] = value.to_i if value
+          when :serveraliveinterval
+            if value && value.to_i > 0
+              hash[:keepalive] = true
+              hash[:keepalive_interval] = value.to_i
+            else
+              hash[:keepalive] = false
+            end
+          when :passwordauthentication
+            if value
+              (hash[:auth_methods] << 'password').uniq!
+            else
+              hash[:auth_methods].delete('password')
+            end
+          when :challengeresponseauthentication
+            if value
+              (hash[:auth_methods] << 'challenge-response').uniq!
+            else
+              hash[:auth_methods].delete('challenge-response')
+            end
+          when :kbdinteractiveauthentication
+            if value
+              (hash[:auth_methods] << 'keyboard-interactive').uniq!
+            else
+              hash[:auth_methods].delete('keyboard-interactive')
+            end
+          when :preferredauthentications
+            hash[:auth_methods] = value.split(/,/) # TODO we should place to preferred_auth_methods rather than auth_methods
+          when :proxy
+            if (proxy = setup_proxy(*value))
+              hash[:proxy] = proxy
+            end
+          when :pubkeyauthentication
+            if value
+              (hash[:auth_methods] << 'publickey').uniq!
+            else
+              hash[:auth_methods].delete('publickey')
+            end
+          when :rekeylimit
+            hash[:rekey_limit] = interpret_size(value)
+          when :sendenv
+            multi_send_env = value.to_s.split(/\s+/)
+            hash[:send_env] = multi_send_env.map { |e| Regexp.new pattern2regex(e).source, false }
+          when :setenv
+            hash[:set_env] = Shellwords.split(value.to_s).map { |e| e.split '=', 2 }.to_h
+          when :numberofpasswordprompts
+            hash[:number_of_password_prompts] = value.to_i
+          when *TRANSLATE_CONFIG_KEY_RENAME_MAP.keys
+            hash[TRANSLATE_CONFIG_KEY_RENAME_MAP[key]] = value
+          end
+        end
+
+        def setup_proxy(type, value)
+          case type
+          when 'proxycommand'
+            if value !~ /^none$/
+              require 'net/ssh/proxy/command'
+              Net::SSH::Proxy::Command.new(value)
+            end
+          when 'proxyjump'
+            require 'net/ssh/proxy/jump'
+            Net::SSH::Proxy::Jump.new(value)
           end
         end
 
@@ -303,13 +337,57 @@ module Net; module SSH
           hash
         end
 
-        def included_file_paths(base_dir, config_path)
-          paths = Dir.glob(File.expand_path(config_path)).select { |f| File.file?(f) }
-          paths += Dir.glob(File.join(base_dir, config_path)).select { |f| File.file?(f) }
-          paths.uniq
+        def included_file_paths(base_dir, config_paths)
+          tokenize_config_value(config_paths).flat_map do |path|
+            Dir.glob(File.expand_path(path, base_dir)).select { |f| File.file?(f) }
+          end
+        end
+
+        # Tokenize string into tokens.
+        # A token is a word or a quoted sequence of words, separated by whitespaces.
+        def tokenize_config_value(str)
+          str.scan(/([^"\s]+)?(?:"([^"]+)")?\s*/).map(&:join)
         end
 
+        def eval_match_conditions(condition, host, settings)
+          # Not using `\s` for whitespace matching as canonical
+          # ssh_config parser implementation (OpenSSH) has specific character set.
+          # Ref: https://github.com/openssh/openssh-portable/blob/2581333d564d8697837729b3d07d45738eaf5a54/misc.c#L237-L239
+          conditions = condition.split(/[ \t\r\n]+|(?<!=)=(?!=)/).reject(&:empty?)
+          return true if conditions == ["all"]
+
+          conditions = conditions.each_slice(2)
+          condition_matches = []
+          conditions.each do |(kind,exprs)|
+            exprs = unquote(exprs)
+
+            case kind.downcase
+            when "all"
+              raise "all cannot be mixed with other conditions"
+            when "host"
+              if exprs.start_with?('!')
+                negated = true
+                exprs = exprs[1..-1]
+              else
+                negated = false
+              end
+              condition_met = false
+              exprs.split(",").each do |expr|
+                condition_met = condition_met || host =~ pattern2regex(expr)
+              end
+              condition_matches << (true && negated ^ condition_met)
+              # else
+              # warn "net-ssh: Unsupported expr in Match block: #{kind}"
+            end
+          end
+
+          !condition_matches.empty? && condition_matches.all?
+        end
+
+        def unquote(string)
+          string =~ /^"(.*)"$/ ? Regexp.last_match(1) : string
+        end
+      end
     end
   end
-
-end; end
+end