net-ssh 5.0.2 → 7.0.1

data/lib/net/ssh/known_hosts.rb

@@ -1,10 +1,69 @@
 require 'strscan'
 require 'openssl'
 require 'base64'
+require 'delegate'
 require 'net/ssh/buffer'
+require 'net/ssh/authentication/ed25519_loader'
 
 module Net
   module SSH
+    module HostKeyEntries
+      # regular public key entry
+      class PubKey < Delegator
+        def initialize(key, comment: nil) # rubocop:disable Lint/MissingSuper
+          @key = key
+          @comment = comment
+        end
+
+        def ssh_type
+          @key.ssh_type
+        end
+
+        def ssh_types
+          [ssh_type]
+        end
+
+        def to_blob
+          @key.to_blob
+        end
+
+        def __getobj__
+          Kernel.warn("Calling Net::SSH::Buffer methods on HostKeyEntries PubKey is deprecated")
+          @key
+        end
+
+        def matches_key?(server_key)
+          @key.ssh_type == server_key.ssh_type && @key.to_blob == server_key.to_blob
+        end
+      end
+
+      # @cert-authority entry
+      class CertAuthority
+        def ssh_types
+          %w[
+            ecdsa-sha2-nistp256-cert-v01@openssh.com
+            ecdsa-sha2-nistp384-cert-v01@openssh.com
+            ecdsa-sha2-nistp521-cert-v01@openssh.com
+            ssh-ed25519-cert-v01@openssh.com
+            ssh-rsa-cert-v01@openssh.com
+            ssh-rsa-cert-v00@openssh.com
+          ]
+        end
+
+        def initialize(key, comment: nil)
+          @key = key
+          @comment = comment
+        end
+
+        def matches_key?(server_key)
+          if ssh_types.include?(server_key.ssh_type)
+            server_key.signature_valid? && (server_key.signature_key.to_blob == @key.to_blob)
+          else
+            false
+          end
+        end
+      end
+    end
 
     # Represents the result of a search in known hosts
     # see search_for
@@ -40,26 +99,24 @@ module Net
     # This is used internally by Net::SSH, and will never need to be used directly
     # by consumers of the library.
     class KnownHosts
-      if defined?(OpenSSL::PKey::EC)
-        SUPPORTED_TYPE = %w[ssh-rsa ssh-dss
-                            ecdsa-sha2-nistp256
-                            ecdsa-sha2-nistp384
-                            ecdsa-sha2-nistp521]
-      else
-        SUPPORTED_TYPE = %w[ssh-rsa ssh-dss]
-      end
+      SUPPORTED_TYPE = %w[ssh-rsa ssh-dss
+                          ecdsa-sha2-nistp256
+                          ecdsa-sha2-nistp384
+                          ecdsa-sha2-nistp521]
+
+      SUPPORTED_TYPE.push('ssh-ed25519') if Net::SSH::Authentication::ED25519Loader::LOADED
 
-      class <<self
+      class << self
         # Searches all known host files (see KnownHosts.hostfiles) for all keys
         # of the given host. Returns an enumerable of keys found.
-        def search_for(host, options={})
-          HostKeys.new(search_in(hostfiles(options), host), host, self, options)
+        def search_for(host, options = {})
+          HostKeys.new(search_in(hostfiles(options), host, options), host, self, options)
         end
 
         # Search for all known keys for the given host, in every file given in
         # the +files+ array. Returns the list of keys.
-        def search_in(files, host)
-          files.flat_map { |file| KnownHosts.new(file).keys_for(host) }
+        def search_in(files, host, options = {})
+          files.flat_map { |file| KnownHosts.new(file).keys_for(host, options) }
         end
 
         # Looks in the given +options+ hash for the :user_known_hosts_file and
@@ -71,12 +128,14 @@ module Net
         #
         # If you only want the user known host files, you can pass :user as
         # the second option.
-        def hostfiles(options, which=:all)
+        def hostfiles(options, which = :all)
           files = []
 
           files += Array(options[:user_known_hosts_file] || %w[~/.ssh/known_hosts ~/.ssh/known_hosts2]) if which == :all || which == :user
 
-          files += Array(options[:global_known_hosts_file] || %w[/etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2]) if which == :all || which == :global
+          if which == :all || which == :global
+            files += Array(options[:global_known_hosts_file] || %w[/etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2])
+          end
 
           return files
         end
@@ -84,14 +143,12 @@ module Net
         # Looks in all user known host files (see KnownHosts.hostfiles) and tries to
         # add an entry for the given host and key to the first file it is able
         # to.
-        def add(host, key, options={})
+        def add(host, key, options = {})
           hostfiles(options, :user).each do |file|
-            begin
-              KnownHosts.new(file).add(host, key)
-              return
-            rescue SystemCallError
-              # try the next hostfile
-            end
+            KnownHosts.new(file).add(host, key)
+            return
+          rescue SystemCallError
+            # try the next hostfile
           end
         end
       end
@@ -119,39 +176,66 @@ module Net
       #   "[net.ssh.test]:5555"
       #   "[1,2,3,4]:5555"
       #   "[net.ssh.test]:5555,[1.2.3.4]:5555
-      def keys_for(host)
+      def keys_for(host, options = {})
         keys = []
         return keys unless File.readable?(source)
 
         entries = host.split(/,/)
+        host_name = entries[0]
+        host_ip = entries[1]
 
         File.open(source) do |file|
-          scanner = StringScanner.new("")
           file.each_line do |line|
-            scanner.string = line
+            if line.start_with?('@')
+              marker, hosts, type, key_content, comment = line.split(' ')
+            else
+              marker = nil
+              hosts, type, key_content, comment = line.split(' ')
+            end
+
+            # Skip empty line or one that is commented
+            next if hosts.nil? || hosts.start_with?('#')
 
-            scanner.skip(/\s*/)
-            next if scanner.match?(/$|#/)
+            hostlist = hosts.split(',')
 
-            hostlist = scanner.scan(/\S+/).split(/,/)
-            found = entries.all? { |entry| hostlist.include?(entry) } ||
-              known_host_hash?(hostlist, entries)
+            next unless SUPPORTED_TYPE.include?(type)
+
+            found = hostlist.any? { |pattern| match(host_name, pattern) } || known_host_hash?(hostlist, entries)
             next unless found
 
-            scanner.skip(/\s*/)
-            type = scanner.scan(/\S+/)
+            found = hostlist.include?(host_ip) if options[:check_host_ip] && entries.size > 1 && hostlist.size > 1
+            next unless found
 
-            next unless SUPPORTED_TYPE.include?(type)
+            blob = key_content.unpack("m*").first
+            raw_key = Net::SSH::Buffer.new(blob).read_key
 
-            scanner.skip(/\s*/)
-            blob = scanner.rest.unpack("m*").first
-            keys << Net::SSH::Buffer.new(blob).read_key
+            keys <<
+              if marker == "@cert-authority"
+                HostKeyEntries::CertAuthority.new(raw_key, comment: comment)
+              else
+                HostKeyEntries::PubKey.new(raw_key, comment: comment)
+              end
           end
         end
 
         keys
       end
 
+      def match(host, pattern)
+        if pattern.include?('*') || pattern.include?('?')
+          # see man 8 sshd for pattern details
+          pattern_regexp = pattern.split('*', -1).map do |x|
+            x.split('?', -1).map do |y|
+              Regexp.escape(y)
+            end.join('.')
+          end.join('.*')
+
+          host =~ Regexp.new("\\A#{pattern_regexp}\\z")
+        else
+          host == pattern
+        end
+      end
+
       # Indicates whether one of the entries matches an hostname that has been
       # stored as a HMAC-SHA1 hash in the known hosts.
       def known_host_hash?(hostlist, entries)

data/lib/net/ssh/loggable.rb

@@ -1,6 +1,5 @@
-module Net 
+module Net
   module SSH
-
     # A simple module to make logging easier to deal with. It assumes that the
     # logger instance (if not nil) quacks like a Logger object (in Ruby's
     # standard library). Although used primarily internally by Net::SSH, it
@@ -19,45 +18,45 @@ module Net
       # The logger instance that will be used to log messages. If nil, nothing
       # will be logged.
       attr_accessor :logger
-  
+
       # Displays the result of yielding if the log level is Logger::DEBUG or
       # greater.
       def debug
         logger.add(Logger::DEBUG, nil, facility) { yield } if logger && logger.debug?
       end
-  
+
       # Displays the result of yielding if the log level is Logger::INFO or
       # greater.
       def info
         logger.add(Logger::INFO, nil, facility) { yield } if logger && logger.info?
       end
-  
+
       # Displays the result of yielding if the log level is Logger::WARN or
       # greater. (Called lwarn to avoid shadowing with Kernel#warn.)
       def lwarn
         logger.add(Logger::WARN, nil, facility) { yield } if logger && logger.warn?
       end
-  
+
       # Displays the result of yielding if the log level is Logger:ERROR or
       # greater.
       def error
         logger.add(Logger::ERROR, nil, facility) { yield } if logger && logger.error?
       end
-  
+
       # Displays the result of yielding if the log level is Logger::FATAL or
       # greater.
       def fatal
         logger.add(Logger::FATAL, nil, facility) { yield } if logger && logger.fatal?
       end
-  
+
       private
-  
+
       # Sets the "facility" value, used for reporting where a log message
       # originates. It defaults to the name of class with the object_id
       # appended.
       def facility
-        @facility ||= self.class.name.gsub(/::/, ".").gsub(/([a-z])([A-Z])/, "\\1_\\2").downcase + "[%x]" % object_id
+        @facility ||= self.class.to_s.gsub(/::/, ".").gsub(/([a-z])([A-Z])/, "\\1_\\2").downcase + "[%x]" % object_id
       end
     end
   end
-end
+end

data/lib/net/ssh/packet.rb

@@ -5,7 +5,6 @@ require 'net/ssh/connection/constants'
 
 module Net
   module SSH
-
     # A specialization of Buffer that knows the format of certain common
     # packet types. It auto-parses those packet types, and allows them to
     # be accessed via the #[] accessor.
@@ -85,6 +84,7 @@ module Net
       def [](name)
         name = name.to_sym
         raise ArgumentError, "no such element #{name}" unless @named_elements.key?(name)
+
         @named_elements[name]
       end
 

data/lib/net/ssh/prompt.rb

@@ -1,8 +1,7 @@
 require 'io/console'
 
-module Net 
+module Net
   module SSH
-
     # Default prompt implementation, called for asking password from user.
     # It will never be instantiated directly, but will instead be created for
     # you automatically.
@@ -13,8 +12,8 @@ module Net
     #
     #   prompter = options[:password_prompt].start({type:'password'})
     #   while !ok && max_retries < 3
-    #     user = prompter.ask("user: ", {}, true)
-    #     password = prompter.ask("password: ", {}, false)
+    #     user = prompter.ask("user: ", true)
+    #     password = prompter.ask("password: ", false)
     #     ok = send(user, password)
     #     prompter.sucess if ok
     #   end
@@ -24,9 +23,9 @@ module Net
       def self.default(options = {})
         @default ||= new(options)
       end
-  
+
       def initialize(options = {}); end
-  
+
       # default prompt object implementation. More sophisticated implemenetations
       # might implement caching.
       class Prompter
@@ -36,22 +35,22 @@ module Net
             $stdout.puts(info[:instruction]) unless info[:instruction].empty?
           end
         end
-  
+
         # ask input from user, a prompter might ask for multiple inputs
         # (like user and password) in a single session.
-        def ask(prompt, echo=true)
+        def ask(prompt, echo = true)
           $stdout.print(prompt)
           $stdout.flush
           ret = $stdin.noecho(&:gets).chomp
           $stdout.print("\n")
           ret
         end
-  
+
         # success method will be called when the password was accepted
         # It's a good time to save password asked to a cache.
         def success; end
       end
-  
+
       # start password session. Multiple questions might be asked multiple times
       # on the returned object. Info hash tries to uniquely identify the password
       # session, so caching implementations can save passwords properly.
@@ -59,6 +58,5 @@ module Net
         Prompter.new(info)
       end
     end
-
   end
 end

data/lib/net/ssh/proxy/command.rb

@@ -1,12 +1,10 @@
 require 'socket'
 require 'rubygems'
 require 'net/ssh/proxy/errors'
-require 'net/ssh/ruby_compat'
 
 module Net
   module SSH
     module Proxy
-
       # An implementation of a command proxy. To use it, instantiate it,
       # then pass the instantiated object via the :proxy key to
       # Net::SSH.start:
@@ -106,6 +104,7 @@ module Net
                 if IO.select([self], nil, [self], timeout_in_seconds) == nil
                   raise "Unexpected spurious read wakeup"
                 end
+
                 retry
               end
               result

data/lib/net/ssh/proxy/errors.rb

@@ -1,9 +1,8 @@
 require 'net/ssh/errors'
 
-module Net 
-  module SSH 
+module Net
+  module SSH
     module Proxy
-
       # A general exception class for all Proxy errors.
       class Error < Net::SSH::Exception; end
 
@@ -12,7 +11,6 @@ module Net
 
       # Used when the server doesn't recognize the user's credentials.
       class UnauthorizedError < Error; end
-
     end
   end
 end

data/lib/net/ssh/proxy/http.rb

@@ -1,10 +1,9 @@
 require 'socket'
 require 'net/ssh/proxy/errors'
 
-module Net 
-  module SSH 
+module Net
+  module SSH
     module Proxy
-
       # An implementation of an HTTP proxy. To use it, instantiate it, then
       # pass the instantiated object via the :proxy key to Net::SSH.start:
       #
@@ -26,14 +25,14 @@ module Net
       class HTTP
         # The hostname or IP address of the HTTP proxy.
         attr_reader :proxy_host
-    
+
         # The port number of the proxy.
         attr_reader :proxy_port
-    
+
         # The map of additional options that were given to the object at
         # initialization.
         attr_reader :options
-    
+
         # Create a new socket factory that tunnels via the given host and
         # port. The +options+ parameter is a hash of additional settings that
         # can be used to tweak this proxy connection. Specifically, the following
@@ -41,52 +40,52 @@ module Net
         #
         # * :user => the user name to use when authenticating to the proxy
         # * :password => the password to use when authenticating
-        def initialize(proxy_host, proxy_port=80, options={})
+        def initialize(proxy_host, proxy_port = 80, options = {})
           @proxy_host = proxy_host
           @proxy_port = proxy_port
           @options = options
         end
-    
+
         # Return a new socket connected to the given host and port via the
         # proxy that was requested when the socket factory was instantiated.
         def open(host, port, connection_options)
           socket = establish_connection(connection_options[:timeout])
           socket.write "CONNECT #{host}:#{port} HTTP/1.1\r\n"
           socket.write "Host: #{host}:#{port}\r\n"
-    
+
           if options[:user]
             credentials = ["#{options[:user]}:#{options[:password]}"].pack("m*").gsub(/\s/, "")
             socket.write "Proxy-Authorization: Basic #{credentials}\r\n"
           end
-    
+
           socket.write "\r\n"
-    
+
           resp = parse_response(socket)
-    
+
           return socket if resp[:code] == 200
-    
+
           socket.close
           raise ConnectError, resp.inspect
         end
-    
+
         protected
-    
+
         def establish_connection(connect_timeout)
           Socket.tcp(proxy_host, proxy_port, nil, nil,
                      connect_timeout: connect_timeout)
         end
-    
+
         def parse_response(socket)
           version, code, reason = socket.gets.chomp.split(/ /, 3)
           headers = {}
-    
+
           while (line = socket.gets) && (line.chomp! != "")
             name, value = line.split(/:/, 2)
             headers[name.strip] = value.strip
           end
-    
+
           body = socket.read(headers["Content-Length"].to_i) if headers["Content-Length"]
-    
+
           return { version: version,
                    code: code.to_i,
                    reason: reason,
@@ -94,7 +93,6 @@ module Net
                    body: body }
         end
       end
-
     end
   end
 end

data/lib/net/ssh/proxy/https.rb

@@ -3,10 +3,9 @@ require 'openssl'
 require 'net/ssh/proxy/errors'
 require 'net/ssh/proxy/http'
 
-module Net 
-  module SSH 
+module Net
+  module SSH
     module Proxy
-
       # A specialization of the HTTP proxy which encrypts the whole connection
       # using OpenSSL. This has the advantage that proxy authentication
       # information is not sent in plaintext.
@@ -17,27 +16,27 @@ module Net
         # taken by Net::SSH::Proxy::HTTP it supports:
         #
         # * :ssl_context => the SSL configuration to use for the connection
-        def initialize(proxy_host, proxy_port=80, options={})
+        def initialize(proxy_host, proxy_port = 80, options = {})
           @ssl_context = options.delete(:ssl_context) ||
                            OpenSSL::SSL::SSLContext.new
           super(proxy_host, proxy_port, options)
         end
-    
+
         protected
-    
+
         # Shim to make OpenSSL::SSL::SSLSocket behave like a regular TCPSocket
         # for all intents and purposes of Net::SSH::BufferedIo
         module SSLSocketCompatibility
-          def self.extended(object) #:nodoc:
+          def self.extended(object) # :nodoc:
             object.define_singleton_method(:recv, object.method(:sysread))
             object.sync_close = true
           end
-    
+
           def send(data, _opts)
             syswrite(data)
           end
         end
-    
+
         def establish_connection(connect_timeout)
           plain_socket = super(connect_timeout)
           OpenSSL::SSL::SSLSocket.new(plain_socket, @ssl_context).tap do |socket|
@@ -46,7 +45,6 @@ module Net
           end
         end
       end
-
     end
   end
 end

data/lib/net/ssh/proxy/jump.rb

@@ -1,10 +1,9 @@
 require 'uri'
 require 'net/ssh/proxy/command'
 
-module Net 
-  module SSH 
+module Net
+  module SSH
     module Proxy
-
       # An implementation of a jump proxy. To use it, instantiate it,
       # then pass the instantiated object via the :proxy key to
       # Net::SSH.start:
@@ -18,39 +17,38 @@ module Net
       class Jump < Command
         # The jump proxies
         attr_reader :jump_proxies
-    
+
         # Create a new socket factory that tunnels via multiple jump proxes as
         # [user@]host[:port].
         def initialize(jump_proxies)
           @jump_proxies = jump_proxies
         end
-    
+
         # Return a new socket connected to the given host and port via the jump
         # proxy that was requested when the socket factory was instantiated.
         def open(host, port, connection_options = nil)
           build_proxy_command_equivalent(connection_options)
           super
         end
-    
+
         # We cannot build the ProxyCommand template until we know if the :config
         # option was specified during `Net::SSH.start`.
         def build_proxy_command_equivalent(connection_options = nil)
           first_jump, extra_jumps = jump_proxies.split(",", 2)
           config = connection_options && connection_options[:config]
           uri = URI.parse("ssh://#{first_jump}")
-    
-          template = "ssh"
+
+          template = "ssh".dup
           template << " -l #{uri.user}"    if uri.user
           template << " -p #{uri.port}"    if uri.port
           template << " -J #{extra_jumps}" if extra_jumps
           template << " -F #{config}" if config != true && config
           template << " -W %h:%p "
           template << uri.host
-    
+
           @command_line_template = template
         end
       end
-
     end
   end
 end

data/lib/net/ssh/proxy/socks4.rb

@@ -6,7 +6,6 @@ require 'net/ssh/proxy/errors'
 module Net
   module SSH
     module Proxy
-
       # An implementation of a SOCKS4 proxy. To use it, instantiate it, then
       # pass the instantiated object via the :proxy key to Net::SSH.start:
       #
@@ -38,7 +37,7 @@ module Net
         # Create a new proxy connection to the given proxy host and port.
         # Optionally, a :user key may be given to identify the username
         # with which to authenticate.
-        def initialize(proxy_host, proxy_port=1080, options={})
+        def initialize(proxy_host, proxy_port = 1080, options = {})
           @proxy_host = proxy_host
           @proxy_port = proxy_port
           @options = options
@@ -50,7 +49,7 @@ module Net
           socket = Socket.tcp(proxy_host, proxy_port, nil, nil,
                               connect_timeout: connection_options[:timeout])
           ip_addr = IPAddr.new(Resolv.getaddress(host))
-          
+
           packet = [VERSION, CONNECT, port.to_i, ip_addr.to_i, options[:user]].pack("CCnNZ*")
           socket.send packet, 0
 
@@ -63,7 +62,6 @@ module Net
           return socket
         end
       end
-
     end
   end
 end