net-ssh 5.0.2 → 6.1.0

data/lib/net/ssh/buffer.rb

@@ -1,4 +1,3 @@
-require 'net/ssh/ruby_compat'
 require 'net/ssh/transport/openssl'
 
 require 'net/ssh/authentication/certificate'
@@ -249,6 +248,46 @@ module Net
         return (type ? read_keyblob(type) : nil)
       end
 
+      def read_private_keyblob(type)
+        case type
+        when /^ssh-rsa$/
+          key = OpenSSL::PKey::RSA.new
+          n = read_bignum
+          e = read_bignum
+          d = read_bignum
+          iqmp = read_bignum
+          p = read_bignum
+          q = read_bignum
+          _unkown1 = read_bignum
+          _unkown2 = read_bignum
+          dmp1 = d % (p - 1)
+          dmq1 = d % (q - 1)
+          if key.respond_to?(:set_key)
+            key.set_key(n, e, d)
+          else
+            key.e = e
+            key.n = n
+            key.d = d
+          end
+          if key.respond_to?(:set_factors)
+            key.set_factors(p, q)
+          else
+            key.p = p
+            key.q = q
+          end
+          if key.respond_to?(:set_crt_params)
+            key.set_crt_params(dmp1, dmq1, iqmp)
+          else
+            key.dmp1 = dmp1
+            key.dmq1 = dmq1
+            key.iqmp = iqmp
+          end
+          key
+        else
+          raise Exception, "Cannot decode private key of type #{type}"
+        end
+      end
+
       # Read a keyblob of the given type from the buffer, and return it as
       # a key. Only RSA, DSA, and ECDSA keys are supported.
       def read_keyblob(type)
@@ -283,15 +322,7 @@ module Net
           Net::SSH::Authentication::ED25519Loader.raiseUnlessLoaded("unsupported key type `#{type}'")
           key = Net::SSH::Authentication::ED25519::PubKey.read_keyblob(self)
         when /^ecdsa\-sha2\-(\w*)$/
-          unless defined?(OpenSSL::PKey::EC)
-            raise NotImplementedError, "unsupported key type `#{type}'"
-          else
-            begin
-              key = OpenSSL::PKey::EC.read_keyblob($1, self)
-            rescue OpenSSL::PKey::ECError
-              raise NotImplementedError, "unsupported key type `#{type}'"
-            end
-          end
+          key = OpenSSL::PKey::EC.read_keyblob($1, self)
         else
           raise NotImplementedError, "unsupported key type `#{type}'"
         end

data/lib/net/ssh/buffered_io.rb

@@ -1,6 +1,5 @@
 require 'net/ssh/buffer'
 require 'net/ssh/loggable'
-require 'net/ssh/ruby_compat'
 
 module Net 
   module SSH

data/lib/net/ssh/config.rb

@@ -11,6 +11,7 @@ module Net
     #
     # * ChallengeResponseAuthentication => maps to the :auth_methods option challenge-response (then coleasced into keyboard-interactive)
     # * KbdInteractiveAuthentication => maps to the :auth_methods keyboard-interactive
+    # * CertificateFile => maps to the :keycerts option
     # * Ciphers => maps to the :encryption option
     # * Compression => :compression
     # * CompressionLevel => :compression_level
@@ -22,7 +23,9 @@ module Net
     # * HostKeyAlias => :host_key_alias
     # * HostName => :host_name
     # * IdentityFile => maps to the :keys option
+    # * IdentityAgent => :identity_agent
     # * IdentitiesOnly => :keys_only
+    # * CheckHostIP => :check_host_ip
     # * Macs => maps to the :hmac option
     # * PasswordAuthentication => maps to the :auth_methods option password
     # * Port => :port
@@ -31,6 +34,7 @@ module Net
     # * ProxyJump => maps to the :proxy option
     # * PubKeyAuthentication => maps to the :auth_methods option
     # * RekeyLimit => :rekey_limit
+    # * StrictHostKeyChecking => :strict_host_key_checking
     # * User => :user
     # * UserKnownHostsFile => :user_known_hosts_file
     # * NumberOfPasswordPrompts => :number_of_password_prompts
@@ -95,7 +99,7 @@ module Net
             next if value.nil?
 
             key.downcase!
-            value = $1 if value =~ /^"(.*)"$/
+            value = unquote(value)
 
             value = case value.strip
                     when /^\d+$/ then value.to_i
@@ -126,7 +130,7 @@ module Net
               block_seen = true
             elsif !block_seen
               case key
-              when 'identityfile'
+              when 'identityfile', 'certificatefile'
                 (globals[key] ||= []) << value
               when 'include'
                 included_file_paths(base_dir, value).each do |file_path|
@@ -137,7 +141,7 @@ module Net
               end
             elsif block_matched
               case key
-              when 'identityfile'
+              when 'identityfile', 'certificatefile'
                 (settings[key] ||= []) << value
               when 'include'
                 included_file_paths(base_dir, value).each do |file_path|
@@ -147,11 +151,18 @@ module Net
                 settings[key] = value unless settings.key?(key)
               end
             end
+
+            # ProxyCommand and ProxyJump override each other so they need to be tracked togeather
+            %w[proxyjump proxycommand].each do |proxy_key|
+              if (proxy_value = settings.delete(proxy_key))
+                settings['proxy'] ||= [proxy_key, proxy_value]
+              end
+            end
           end
 
           globals.merge(settings) do |key, oldval, newval|
             case key
-            when 'identityfile'
+            when 'identityfile', 'certificatefile'
               oldval + newval
             else
               newval
@@ -186,22 +197,26 @@ module Net
 
         private
 
+        TRANSLATE_CONFIG_KEY_RENAME_MAP = {
+          bindaddress: :bind_address,
+          compression: :compression,
+          compressionlevel: :compression_level,
+          certificatefile: :keycerts,
+          connecttimeout: :timeout,
+          forwardagent: :forward_agent,
+          identitiesonly: :keys_only,
+          identityagent: :identity_agent,
+          globalknownhostsfile: :global_known_hosts_file,
+          hostkeyalias: :host_key_alias,
+          identityfile: :keys,
+          fingerprinthash: :fingerprint_hash,
+          port: :port,
+          stricthostkeychecking: :strict_host_key_checking,
+          user: :user,
+          userknownhostsfile: :user_known_hosts_file,
+          checkhostip: :check_host_ip
+        }.freeze
         def translate_config_key(hash, key, value, settings)
-          rename = {
-            bindaddress: :bind_address,
-            compression: :compression,
-            compressionlevel: :compression_level,
-            connecttimeout: :timeout,
-            forwardagent: :forward_agent,
-            identitiesonly: :keys_only,
-            globalknownhostsfile: :global_known_hosts_file,
-            hostkeyalias: :host_key_alias,
-            identityfile: :keys,
-            fingerprinthash: :fingerprint_hash,
-            port: :port,
-            user: :user,
-            userknownhostsfile: :user_known_hosts_file
-          }
           case key
           when :ciphers
             hash[:encryption] = value.split(/,/)
@@ -246,15 +261,9 @@ module Net
             end
           when :preferredauthentications
             hash[:auth_methods] = value.split(/,/) # TODO we should place to preferred_auth_methods rather than auth_methods
-          when :proxycommand
-            if value and value !~ /^none$/
-              require 'net/ssh/proxy/command'
-              hash[:proxy] = Net::SSH::Proxy::Command.new(value)
-            end
-          when :proxyjump
-            if value
-              require 'net/ssh/proxy/jump'
-              hash[:proxy] = Net::SSH::Proxy::Jump.new(value)
+          when :proxy
+            if (proxy = setup_proxy(*value))
+              hash[:proxy] = proxy
             end
           when :pubkeyauthentication
             if value
@@ -267,10 +276,25 @@ module Net
           when :sendenv
             multi_send_env = value.to_s.split(/\s+/)
             hash[:send_env] = multi_send_env.map { |e| Regexp.new pattern2regex(e).source, false }
+          when :setenv
+            hash[:set_env] = Shellwords.split(value.to_s).map { |e| e.split '=', 2 }.to_h
           when :numberofpasswordprompts
             hash[:number_of_password_prompts] = value.to_i
-          when *rename.keys
-            hash[rename[key]] = value
+          when *TRANSLATE_CONFIG_KEY_RENAME_MAP.keys
+            hash[TRANSLATE_CONFIG_KEY_RENAME_MAP[key]] = value
+          end
+        end
+
+        def setup_proxy(type, value)
+          case type
+          when 'proxycommand'
+            if value !~ /^none$/
+              require 'net/ssh/proxy/command'
+              Net::SSH::Proxy::Command.new(value)
+            end
+          when 'proxyjump'
+            require 'net/ssh/proxy/jump'
+            Net::SSH::Proxy::Jump.new(value)
           end
         end
 
@@ -326,12 +350,17 @@ module Net
         end
 
         def eval_match_conditions(condition, host, settings)
-          conditions = condition.split(/\s+/)
+          # Not using `\s` for whitespace matching as canonical
+          # ssh_config parser implementation (OpenSSH) has specific character set.
+          # Ref: https://github.com/openssh/openssh-portable/blob/2581333d564d8697837729b3d07d45738eaf5a54/misc.c#L237-L239
+          conditions = condition.split(/[ \t\r\n]+|(?<!=)=(?!=)/).reject(&:empty?)
           return true if conditions == ["all"]
 
           conditions = conditions.each_slice(2)
-          matching = true
+          condition_matches = []
           conditions.each do |(kind,exprs)|
+            exprs = unquote(exprs)
+
             case kind.downcase
             when "all"
               raise "all cannot be mixed with other conditions"
@@ -346,15 +375,19 @@ module Net
               exprs.split(",").each do |expr|
                 condition_met = condition_met || host =~ pattern2regex(expr)
               end
-              matching = matching && negated ^ condition_met
+              condition_matches << (true && negated ^ condition_met)
               # else
               # warn "net-ssh: Unsupported expr in Match block: #{kind}"
             end
           end
-          matching
+
+          !condition_matches.empty? && condition_matches.all?
+        end
+
+        def unquote(string)
+          string =~ /^"(.*)"$/ ? Regexp.last_match(1) : string
         end
       end
     end
-
   end
 end

data/lib/net/ssh/connection/channel.rb

@@ -2,8 +2,8 @@ require 'net/ssh/loggable'
 require 'net/ssh/connection/constants'
 require 'net/ssh/connection/term'
 
-module Net 
-  module SSH 
+module Net
+  module SSH
     module Connection
 
       # The channel abstraction. Multiple "channels" can be multiplexed onto a
@@ -530,6 +530,7 @@ module Net
           @remote_maximum_packet_size = max_packet
           connection.forward.agent(self) if connection.options[:forward_agent] && type == "session"
           forward_local_env(connection.options[:send_env]) if connection.options[:send_env]
+          set_remote_env(connection.options[:set_env]) if connection.options[:set_env]
           @on_confirm_open.call(self) if @on_confirm_open
         end
     
@@ -648,10 +649,14 @@ module Net
         def update_local_window_size(size)
           @local_window_size -= size
           if local_window_size < local_maximum_window_size / 2
-            connection.send_message(Buffer.from(:byte, CHANNEL_WINDOW_ADJUST,
-              :long, remote_id, :long, LOCAL_WINDOW_SIZE_INCREMENT))
+            connection.send_message(
+              Buffer.from(:byte, CHANNEL_WINDOW_ADJUST, :long, remote_id, :long, LOCAL_WINDOW_SIZE_INCREMENT)
+            )
             @local_window_size += LOCAL_WINDOW_SIZE_INCREMENT
-            @local_maximum_window_size += LOCAL_WINDOW_SIZE_INCREMENT if @local_maximum_window_size < @local_window_size || @local_maximum_window_size < GOOD_LOCAL_MAXIUMUM_WINDOW_SIZE
+
+            if @local_maximum_window_size < @local_window_size || @local_maximum_window_size < GOOD_LOCAL_MAXIUMUM_WINDOW_SIZE
+              @local_maximum_window_size += LOCAL_WINDOW_SIZE_INCREMENT
+            end
           end
         end
 
@@ -673,6 +678,13 @@ module Net
             end
           end
         end
+
+        # Set a +Hash+ of environment variables in the remote process' environment.
+        #
+        #   channel.set_remote_env foo: 'bar', baz: 'whale'
+        def set_remote_env(env)
+          env.each { |key, value| self.env(key, value) }
+        end
       end
 
     end

data/lib/net/ssh/connection/event_loop.rb

@@ -1,5 +1,4 @@
 require 'net/ssh/loggable'
-require 'net/ssh/ruby_compat'
 
 module Net 
   module SSH 

data/lib/net/ssh/connection/session.rb

@@ -1,5 +1,4 @@
 require 'net/ssh/loggable'
-require 'net/ssh/ruby_compat'
 require 'net/ssh/connection/channel'
 require 'net/ssh/connection/constants'
 require 'net/ssh/service/forward'
@@ -580,8 +579,10 @@ module Net
           info { "global request received: #{packet[:request_type]} #{packet[:want_reply]}" }
           callback = @on_global_request[packet[:request_type]]
           result = callback ? callback.call(packet[:request_data], packet[:want_reply]) : false
-    
-          raise "expected global request handler for `#{packet[:request_type]}' to return true, false, or :sent, but got #{result.inspect}" if result != :sent && result != true && result != false
+
+          if result != :sent && result != true && result != false
+            raise "expected global request handler for `#{packet[:request_type]}' to return true, false, or :sent, but got #{result.inspect}"
+          end
     
           if packet[:want_reply] && result != :sent
             msg = Buffer.from(:byte, result ? REQUEST_SUCCESS : REQUEST_FAILURE)
@@ -624,7 +625,9 @@ module Net
               failure = [err.code, err.reason]
             else
               channels[local_id] = channel
-              msg = Buffer.from(:byte, CHANNEL_OPEN_CONFIRMATION, :long, channel.remote_id, :long, channel.local_id, :long, channel.local_maximum_window_size, :long, channel.local_maximum_packet_size)
+              msg = Buffer.from(:byte, CHANNEL_OPEN_CONFIRMATION, :long, channel.remote_id, :long,
+                                channel.local_id, :long, channel.local_maximum_window_size, :long,
+                                channel.local_maximum_packet_size)
             end
           else
             failure = [3, "unknown channel type #{channel.type}"]

data/lib/net/ssh/key_factory.rb

@@ -18,14 +18,12 @@ module Net
     class KeyFactory
       # Specifies the mapping of SSH names to OpenSSL key classes.
       MAP = {
-        "dh"  => OpenSSL::PKey::DH,
-        "rsa" => OpenSSL::PKey::RSA,
-        "dsa" => OpenSSL::PKey::DSA
+        'dh'    => OpenSSL::PKey::DH,
+        'rsa'   => OpenSSL::PKey::RSA,
+        'dsa'   => OpenSSL::PKey::DSA,
+        'ecdsa' => OpenSSL::PKey::EC
       }
-      if defined?(OpenSSL::PKey::EC)
-        MAP["ecdsa"] = OpenSSL::PKey::EC
-        MAP["ed25519"] = Net::SSH::Authentication::ED25519::PrivKey if defined? Net::SSH::Authentication::ED25519
-      end
+      MAP["ed25519"] = Net::SSH::Authentication::ED25519::PrivKey if defined? Net::SSH::Authentication::ED25519
 
       class <<self
         # Fetch an OpenSSL key instance by its SSH name. It will be a new,
@@ -50,16 +48,17 @@ module Net
         # encrypted (requiring a passphrase to use), the user will be
         # prompted to enter their password unless passphrase works.
         def load_data_private_key(data, passphrase=nil, ask_passphrase=true, filename="", prompt=Prompt.default)
-          key_read, error_classes = classify_key(data, filename)
+          key_type = classify_key(data, filename)
 
-          encrypted_key = data.match(/ENCRYPTED/)
+          encrypted_key = nil
           tries = 0
 
           prompter = nil
           result =
             begin
-              key_read[data, passphrase || 'invalid']
-            rescue *error_classes
+              key_type.read(data, passphrase || 'invalid')
+            rescue *key_type.error_classes => e
+              encrypted_key = !!key_type.encrypted_key?(data, e) if encrypted_key.nil?
               if encrypted_key && ask_passphrase
                 tries += 1
                 if tries <= 3
@@ -106,20 +105,108 @@ module Net
 
         private
 
+        # rubocop:disable Style/Documentation, Lint/DuplicateMethods
+        class KeyType
+          def self.read(key_data, passphrase)
+            raise Exception, "TODO subclasses should implement read"
+          end
+
+          def self.error_classes
+            raise Exception, "TODO subclasses should implement read"
+          end
+
+          def self.encrypted_key?(data, error)
+            raise Exception, "TODO subclasses should implement is_encrypted_key"
+          end
+        end
+
+        class OpenSSHPrivateKeyType < KeyType
+          def self.read(key_data, passphrase)
+            Net::SSH::Authentication::ED25519::OpenSSHPrivateKeyLoader.read(key_data, passphrase)
+          end
+
+          def self.error_classes
+            [Net::SSH::Authentication::ED25519::OpenSSHPrivateKeyLoader::DecryptError]
+          end
+
+          def self.encrypted_key?(key_data, decode_error)
+            decode_error.is_a?(Net::SSH::Authentication::ED25519::OpenSSHPrivateKeyLoader::DecryptError) && decode_error.encrypted_key?
+          end
+        end
+
+        class OpenSSLKeyTypeBase < KeyType
+          def self.open_ssl_class
+            raise Exception, "TODO: subclasses should implement"
+          end
+
+          def self.read(key_data, passphrase)
+            open_ssl_class.new(key_data, passphrase)
+          end
+
+          def self.encrypted_key?(key_data, error)
+            key_data.match(/ENCRYPTED/)
+          end
+        end
+
+        class OpenSSLPKeyType < OpenSSLKeyTypeBase
+          def self.read(key_data, passphrase)
+            open_ssl_class.read(key_data, passphrase)
+          end
+
+          def self.open_ssl_class
+            OpenSSL::PKey
+          end
+
+          def self.error_classes
+            [ArgumentError, OpenSSL::PKey::PKeyError]
+          end
+        end
+
+        class OpenSSLDSAKeyType < OpenSSLKeyTypeBase
+          def self.open_ssl_class
+            OpenSSL::PKey::DSA
+          end
+
+          def self.error_classes
+            [OpenSSL::PKey::DSAError]
+          end
+        end
+
+        class OpenSSLRSAKeyType < OpenSSLKeyTypeBase
+          def self.open_ssl_class
+            OpenSSL::PKey::RSA
+          end
+
+          def self.error_classes
+            [OpenSSL::PKey::RSAError]
+          end
+        end
+
+        class OpenSSLECKeyType < OpenSSLKeyTypeBase
+          def self.open_ssl_class
+            OpenSSL::PKey::EC
+          end
+
+          def self.error_classes
+            [OpenSSL::PKey::ECError]
+          end
+        end
+        # rubocop:enable Style/Documentation, Lint/DuplicateMethods
+
         # Determine whether the file describes an RSA or DSA key, and return how load it
         # appropriately.
         def classify_key(data, filename)
           if data.match(/-----BEGIN OPENSSH PRIVATE KEY-----/)
             Net::SSH::Authentication::ED25519Loader.raiseUnlessLoaded("OpenSSH keys only supported if ED25519 is available")
-            return ->(key_data, passphrase) { Net::SSH::Authentication::ED25519::PrivKey.read(key_data, passphrase) }, [ArgumentError]
+            return OpenSSHPrivateKeyType
           elsif OpenSSL::PKey.respond_to?(:read)
-            return ->(key_data, passphrase) { OpenSSL::PKey.read(key_data, passphrase) }, [ArgumentError, OpenSSL::PKey::PKeyError]
+            return OpenSSLPKeyType
           elsif data.match(/-----BEGIN DSA PRIVATE KEY-----/)
-            return ->(key_data, passphrase) { OpenSSL::PKey::DSA.new(key_data, passphrase) }, [OpenSSL::PKey::DSAError]
+            return OpenSSLDSAKeyType
           elsif data.match(/-----BEGIN RSA PRIVATE KEY-----/)
-            return ->(key_data, passphrase) { OpenSSL::PKey::RSA.new(key_data, passphrase) }, [OpenSSL::PKey::RSAError]
-          elsif data.match(/-----BEGIN EC PRIVATE KEY-----/) && defined?(OpenSSL::PKey::EC)
-            return ->(key_data, passphrase) { OpenSSL::PKey::EC.new(key_data, passphrase) }, [OpenSSL::PKey::ECError]
+            return OpenSSLRSAKeyType
+          elsif data.match(/-----BEGIN EC PRIVATE KEY-----/)
+            return OpenSSLECKeyType
           elsif data.match(/-----BEGIN (.+) PRIVATE KEY-----/)
             raise OpenSSL::PKey::PKeyError, "not a supported key type '#{$1}'"
           else