net-ssh 5.0.2 → 6.1.0

data/lib/net/ssh.rb

@@ -4,6 +4,7 @@ ENV['HOME'] ||= ENV['HOMEPATH'] ? "#{ENV['HOMEDRIVE']}#{ENV['HOMEPATH']}" : Dir.
 
 require 'logger'
 require 'etc'
+require 'shellwords'
 
 require 'net/ssh/config'
 require 'net/ssh/errors'
@@ -66,14 +67,14 @@ module Net
       auth_methods bind_address compression compression_level config
       encryption forward_agent hmac host_key remote_user
       keepalive keepalive_interval keepalive_maxcount kex keys key_data
-      languages logger paranoid password port proxy
+      keycerts languages logger paranoid password port proxy
       rekey_blocks_limit rekey_limit rekey_packet_limit timeout verbose
       known_hosts global_known_hosts_file user_known_hosts_file host_key_alias
       host_name user properties passphrase keys_only max_pkt_size
-      max_win_size send_env use_agent number_of_password_prompts
+      max_win_size send_env set_env use_agent number_of_password_prompts
       append_all_supported_algorithms non_interactive password_prompt
       agent_socket_factory minimum_dh_bits verify_host_key
-      fingerprint_hash
+      fingerprint_hash check_host_ip
     ]
 
     # The standard means of starting a new SSH connection. When used with a
@@ -108,6 +109,8 @@ module Net
     # * :bind_address => the IP address on the connecting machine to use in
     #   establishing connection. (:bind_address is discarded if :proxy
     #   is set.)
+    # * :check_host_ip => Also ckeck IP address when connecting to remote host.
+    #   Defaults to +true+.
     # * :compression => the compression algorithm to use, or +true+ to use
     #   whatever is supported.
     # * :compression_level => the compression level to use when sending data
@@ -142,6 +145,8 @@ module Net
     # * :kex => the key exchange algorithm (or algorithms) to use
     # * :keys => an array of file names of private keys to use for publickey
     #   and hostbased authentication
+    # * :keycerts => an array of file names of key certificates to use
+    #    with publickey authentication
     # * :key_data => an array of strings, with each element of the array being
     #   a raw private key in PEM format.
     # * :keys_only => set to +true+ to use only private keys from +keys+ and
@@ -171,6 +176,8 @@ module Net
     # * :rekey_packet_limit => the max number of packets to process before rekeying
     # * :send_env => an array of local environment variable names to export to the
     #   remote environment. Names may be given as String or Regexp.
+    # * :set_env => a hash of environment variable names and values to set to the
+    #   remote environment. Override the ones if specified in +send_env+.
     # * :timeout => how long to wait for the initial connection to be made
     # * :user => the user name to log in as; this overrides the +user+
     #   parameter, and is primarily only useful when provided via an SSH
@@ -221,6 +228,8 @@ module Net
       options = configuration_for(host, options.fetch(:config, true)).merge(options)
       host = options.fetch(:host_name, host)
 
+      options[:check_host_ip] = true unless options.key?(:check_host_ip)
+
       if options[:non_interactive]
         options[:number_of_password_prompts] = 0
       end
@@ -242,7 +251,7 @@ module Net
       transport = Transport::Session.new(host, options)
       auth = Authentication::Session.new(transport, options)
 
-      user = options.fetch(:user, user) || Etc.getlogin
+      user = options.fetch(:user, user) || Etc.getpwuid.name
       if auth.authenticate("ssh-connection", user, options[:password])
         connection = Connection::Session.new(transport, options)
         if block_given?

data/lib/net/ssh/authentication/agent.rb

@@ -62,9 +62,9 @@ module Net
 
         # Instantiates a new agent object, connects to a running SSH agent,
         # negotiates the agent protocol version, and returns the agent object.
-        def self.connect(logger=nil, agent_socket_factory = nil)
+        def self.connect(logger=nil, agent_socket_factory = nil, identity_agent = nil)
           agent = new(logger)
-          agent.connect!(agent_socket_factory)
+          agent.connect!(agent_socket_factory, identity_agent)
           agent.negotiate!
           agent
         end
@@ -79,11 +79,13 @@ module Net
         # given by the attribute writers. If the agent on the other end of the
         # socket reports that it is an SSH2-compatible agent, this will fail
         # (it only supports the ssh-agent distributed by OpenSSH).
-        def connect!(agent_socket_factory = nil)
+        def connect!(agent_socket_factory = nil, identity_agent = nil)
           debug { "connecting to ssh-agent" }
           @socket =
             if agent_socket_factory
               agent_socket_factory.call
+            elsif identity_agent
+              unix_socket_class.open(identity_agent)
             elsif ENV['SSH_AUTH_SOCK'] && unix_socket_class
               unix_socket_class.open(ENV['SSH_AUTH_SOCK'])
             elsif Gem.win_platform? && RUBY_ENGINE != "jruby"
@@ -124,6 +126,10 @@ module Net
             comment_str = body.read_string
             begin
               key = Buffer.new(key_str).read_key
+              if key.nil?
+                error { "ignoring invalid key: #{comment_str}" }
+                next
+              end
               key.extend(Comment)
               key.comment = comment_str
               identities.push key

data/lib/net/ssh/authentication/certificate.rb

@@ -31,7 +31,16 @@ module Net
           cert.key_id = buffer.read_string
           cert.valid_principals = buffer.read_buffer.read_all(&:read_string)
           cert.valid_after = Time.at(buffer.read_int64)
-          cert.valid_before = Time.at(buffer.read_int64)
+          
+          cert.valid_before = if RUBY_PLATFORM == "java"
+                                # 0x20c49ba5e353f7 = 0x7fffffffffffffff/1000, the largest value possible for JRuby
+                                # JRuby Time.at multiplies the arg by 1000, and then stores it in a signed long.
+                                # 0x20c49ba5e353f7 = 292278994-08-17 01:12:55 -0600
+                                Time.at([0x20c49ba5e353f7, buffer.read_int64].min)
+                              else
+                                Time.at(buffer.read_int64)
+                              end
+
           cert.critical_options = read_options(buffer)
           cert.extensions = read_options(buffer)
           cert.reserved = buffer.read_string

data/lib/net/ssh/authentication/ed25519.rb

@@ -22,51 +22,26 @@ module Net
           end
         end
 
-        class PubKey
-          include Net::SSH::Authentication::PubKeyFingerprint
-
-          attr_reader :verify_key
-
-          def initialize(data)
-            @verify_key = ::Ed25519::VerifyKey.new(data)
-          end
-
-          def self.read_keyblob(buffer)
-            PubKey.new(buffer.read_string)
-          end
-
-          def to_blob
-            Net::SSH::Buffer.from(:mstring,"ssh-ed25519",:string,@verify_key.to_bytes).to_s
-          end
-
-          def ssh_type
-            "ssh-ed25519"
-          end
-
-          def ssh_signature_type
-            ssh_type
-          end
-
-          def ssh_do_verify(sig,data)
-            @verify_key.verify(sig,data)
-          end
-
-          def to_pem
-            # TODO this is not pem
-            ssh_type + Base64.encode64(@verify_key.to_bytes)
-          end
-        end
-
-        class PrivKey
+        class OpenSSHPrivateKeyLoader
           CipherFactory = Net::SSH::Transport::CipherFactory
 
           MBEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----\n"
-          MEND = "-----END OPENSSH PRIVATE KEY-----\n"
+          MEND = "-----END OPENSSH PRIVATE KEY-----"
           MAGIC = "openssh-key-v1"
 
-          attr_reader :sign_key
+          class DecryptError < ArgumentError
+            def initialize(message, encrypted_key: false)
+              super(message)
+              @encrypted_key = encrypted_key
+            end
 
-          def initialize(datafull,password)
+            def encrypted_key?
+              return @encrypted_key
+            end
+          end
+
+          def self.read(datafull, password)
+            datafull = datafull.strip
             raise ArgumentError.new("Expected #{MBEGIN} at start of private key") unless datafull.start_with?(MBEGIN)
             raise ArgumentError.new("Expected #{MEND} at end of private key") unless datafull.end_with?(MEND)
             datab64 = datafull[MBEGIN.size...-MEND.size]
@@ -111,12 +86,66 @@ module Net
             check1 = decoded.read_long
             check2 = decoded.read_long
 
-            raise ArgumentError, "Decrypt failed on private key" if (check1 != check2)
+            raise DecryptError.new("Decrypt failed on private key", encrypted_key: kdfname == 'bcrypt') if (check1 != check2)
+
+            type_name = decoded.read_string
+            case type_name
+            when "ssh-ed25519"
+              PrivKey.new(decoded)
+            else
+              decoded.read_private_keyblob(type_name)
+            end
+          end
+        end
+
+        class PubKey
+          include Net::SSH::Authentication::PubKeyFingerprint
+
+          attr_reader :verify_key
+
+          def initialize(data)
+            @verify_key = ::Ed25519::VerifyKey.new(data)
+          end
+
+          def self.read_keyblob(buffer)
+            PubKey.new(buffer.read_string)
+          end
+
+          def to_blob
+            Net::SSH::Buffer.from(:mstring,"ssh-ed25519",:string,@verify_key.to_bytes).to_s
+          end
+
+          def ssh_type
+            "ssh-ed25519"
+          end
+
+          def ssh_signature_type
+            ssh_type
+          end
+
+          def ssh_do_verify(sig,data)
+            @verify_key.verify(sig,data)
+          end
+
+          def to_pem
+            # TODO this is not pem
+            ssh_type + Base64.encode64(@verify_key.to_bytes)
+          end
+        end
+
+        class PrivKey
+          CipherFactory = Net::SSH::Transport::CipherFactory
+
+          MBEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----\n"
+          MEND = "-----END OPENSSH PRIVATE KEY-----\n"
+          MAGIC = "openssh-key-v1"
+
+          attr_reader :sign_key
 
-            _type_name = decoded.read_string
-            pk = decoded.read_string
-            sk = decoded.read_string
-            _comment = decoded.read_string
+          def initialize(buffer)
+            pk = buffer.read_string
+            sk = buffer.read_string
+            _comment = buffer.read_string
 
             @pk = pk
             @sign_key = SigningKeyFromFile.new(pk,sk)
@@ -142,8 +171,8 @@ module Net
             @sign_key.sign(data)
           end
 
-          def self.read(data,password)
-            self.new(data,password)
+          def self.read(data, password)
+            OpenSSHPrivateKeyLoader.read(data, password)
           end
         end
       end

data/lib/net/ssh/authentication/ed25519_loader.rb

@@ -3,7 +3,7 @@ module Net
     module Authentication
 
       # Loads ED25519 support which requires optinal dependecies like
-      # rbnacl, bcrypt_pbkdf
+      # ed25519, bcrypt_pbkdf
       module ED25519Loader
       
         begin

data/lib/net/ssh/authentication/key_manager.rb

@@ -30,6 +30,9 @@ module Net
         # The list of user key data that will be examined
         attr_reader :key_data
 
+        # The list of user key certificate files that will be examined
+        attr_reader :keycert_files
+
         # The map of loaded identities
         attr_reader :known_identities
 
@@ -43,6 +46,7 @@ module Net
           self.logger = logger
           @key_files = []
           @key_data = []
+          @keycert_files = []
           @use_agent = options[:use_agent] != false
           @known_identities = {}
           @agent = nil
@@ -66,6 +70,12 @@ module Net
           self
         end
 
+        # Add the given keycert_file to the list of keycert files that will be used.
+        def add_keycert(keycert_file)
+          keycert_files.push(File.expand_path(keycert_file)).uniq!
+          self
+        end
+
         # Add the given key_file to the list of keys that will be used.
         def add_key_data(key_data_)
           key_data.push(key_data_).uniq!
@@ -108,7 +118,7 @@ module Net
               user_identities.delete(corresponding_user_identity) if corresponding_user_identity
 
               if !options[:keys_only] || corresponding_user_identity
-                known_identities[key] = { from: :agent }
+                known_identities[key] = { from: :agent, identity: key }
                 yield key
               end
             end
@@ -122,6 +132,21 @@ module Net
             yield key
           end
 
+          known_identity_blobs = known_identities.keys.map(&:to_blob)
+          keycert_files.each do |keycert_file|
+            keycert = KeyFactory.load_public_key(keycert_file)
+            next if known_identity_blobs.include?(keycert.to_blob)
+
+            (_, corresponding_identity) = known_identities.detect { |public_key, _|
+              public_key.to_pem == keycert.to_pem
+            }
+
+            if corresponding_identity
+              known_identities[keycert] = corresponding_identity
+              yield keycert
+            end
+          end
+
           self
         end
 
@@ -139,7 +164,7 @@ module Net
 
           if info[:key].nil? && info[:from] == :file
             begin
-              info[:key] = KeyFactory.load_private_key(info[:file], options[:passphrase], !options[:non_interactive])
+              info[:key] = KeyFactory.load_private_key(info[:file], options[:passphrase], !options[:non_interactive], options[:password_prompt])
             rescue OpenSSL::OpenSSLError, Exception => e
               raise KeyManagerError, "the given identity is known, but the private key could not be loaded: #{e.class} (#{e.message})"
             end
@@ -152,7 +177,7 @@ module Net
 
           if info[:from] == :agent
             raise KeyManagerError, "the agent is no longer available" unless agent
-            return agent.sign(identity, data.to_s)
+            return agent.sign(info[:identity], data.to_s)
           end
 
           raise KeyManagerError, "[BUG] can't determine identity origin (#{info.inspect})"
@@ -176,7 +201,7 @@ module Net
         # or if the agent is otherwise not available.
         def agent
           return unless use_agent?
-          @agent ||= Agent.connect(logger, options[:agent_socket_factory])
+          @agent ||= Agent.connect(logger, options[:agent_socket_factory], options[:identity_agent])
         rescue AgentNotAvailable
           @use_agent = false
           nil
@@ -229,11 +254,15 @@ module Net
                 key = KeyFactory.load_public_key(identity[:pubkey_file])
                 { public_key: key, from: :file, file: identity[:privkey_file] }
               when :privkey_file
-                private_key = KeyFactory.load_private_key(identity[:privkey_file], options[:passphrase], ask_passphrase, options[:password_prompt])
+                private_key = KeyFactory.load_private_key(
+                  identity[:privkey_file], options[:passphrase], ask_passphrase, options[:password_prompt]
+                )
                 key = private_key.send(:public_key)
                 { public_key: key, from: :file, file: identity[:privkey_file], key: private_key }
               when :data
-                private_key = KeyFactory.load_data_private_key(identity[:data], options[:passphrase], ask_passphrase, "<key in memory>", options[:password_prompt])
+                private_key = KeyFactory.load_data_private_key(
+                  identity[:data], options[:passphrase], ask_passphrase, "<key in memory>", options[:password_prompt]
+                )
                 key = private_key.send(:public_key)
                 { public_key: key, from: :key_data, data: identity[:data], key: private_key }
               else

data/lib/net/ssh/authentication/methods/keyboard_interactive.rb

@@ -40,7 +40,9 @@ module Net
                 instruction = message.read_string
                 debug { "keyboard-interactive info request" }
 
-                prompter = prompt.start(type: 'keyboard-interactive', name: name, instruction: instruction) if password.nil? && interactive? && prompter.nil?
+                if password.nil? && interactive? && prompter.nil?
+                  prompter = prompt.start(type: 'keyboard-interactive', name: name, instruction: instruction)
+                end
 
                 _ = message.read_string # lang_tag
                 responses = []

data/lib/net/ssh/authentication/methods/publickey.rb

@@ -82,6 +82,8 @@ module Net
 
             when USERAUTH_FAILURE
               return false
+            when USERAUTH_SUCCESS
+              return true
 
             else
               raise Net::SSH::Exception, "unexpected reply to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"

data/lib/net/ssh/authentication/pub_key_fingerprint.rb

@@ -1,4 +1,3 @@
-
 require 'openssl'
 
 module Net

data/lib/net/ssh/authentication/session.rb

@@ -63,6 +63,7 @@ module Net
 
           key_manager = KeyManager.new(logger, options)
           keys.each { |key| key_manager.add(key) } unless keys.empty?
+          keycerts.each { |keycert| key_manager.add_keycert(keycert) } unless keycerts.empty?
           key_data.each { |key2| key_manager.add_key_data(key2) } unless key_data.empty?
           default_keys.each { |key| key_manager.add(key) } unless options.key?(:keys) || options.key?(:key_data)
 
@@ -136,12 +137,8 @@ module Net
         # Returns an array of paths to the key files usually defined
         # by system default.
         def default_keys
-          if defined?(OpenSSL::PKey::EC)
-            %w[~/.ssh/id_ed25519 ~/.ssh/id_rsa ~/.ssh/id_dsa ~/.ssh/id_ecdsa
-               ~/.ssh2/id_ed25519 ~/.ssh2/id_rsa ~/.ssh2/id_dsa ~/.ssh2/id_ecdsa]
-          else
-            %w[~/.ssh/id_dsa ~/.ssh/id_rsa ~/.ssh2/id_dsa ~/.ssh2/id_rsa]
-          end
+          %w[~/.ssh/id_ed25519 ~/.ssh/id_rsa ~/.ssh/id_dsa ~/.ssh/id_ecdsa
+             ~/.ssh2/id_ed25519 ~/.ssh2/id_rsa ~/.ssh2/id_dsa ~/.ssh2/id_ecdsa]
         end
 
         # Returns an array of paths to the key files that should be used when
@@ -150,6 +147,12 @@ module Net
           Array(options[:keys])
         end
 
+        # Returns an array of paths to the keycert files that should be used when
+        # attempting any key-based authentication mechanism.
+        def keycerts
+          Array(options[:keycerts])
+        end
+
         # Returns an array of the key data that should be used when
         # attempting any key-based authentication mechanism.
         def key_data