net-ssh 5.0.2 → 7.0.1

data/lib/net/ssh/authentication/session.rb

@@ -11,7 +11,6 @@ require 'net/ssh/authentication/methods/keyboard_interactive'
 module Net
   module SSH
     module Authentication
-
       # Raised if the current authentication method is not allowed
       class DisallowedMethod < Net::SSH::Exception
       end
@@ -42,7 +41,7 @@ module Net
 
         # Instantiates a new Authentication::Session object over the given
         # transport layer abstraction.
-        def initialize(transport, options={})
+        def initialize(transport, options = {})
           self.logger = transport.logger
           @transport = transport
 
@@ -55,7 +54,7 @@ module Net
         # Attempts to authenticate the given user, in preparation for the next
         # service request. Returns true if an authentication method succeeds in
         # authenticating the user, and false otherwise.
-        def authenticate(next_service, username, password=nil)
+        def authenticate(next_service, username, password = nil)
           debug { "beginning authentication of `#{username}'" }
 
           transport.send_message(transport.service_request("ssh-userauth"))
@@ -63,28 +62,30 @@ module Net
 
           key_manager = KeyManager.new(logger, options)
           keys.each { |key| key_manager.add(key) } unless keys.empty?
+          keycerts.each { |keycert| key_manager.add_keycert(keycert) } unless keycerts.empty?
           key_data.each { |key2| key_manager.add_key_data(key2) } unless key_data.empty?
           default_keys.each { |key| key_manager.add(key) } unless options.key?(:keys) || options.key?(:key_data)
 
           attempted = []
 
           @auth_methods.each do |name|
+            next unless @allowed_auth_methods.include?(name)
+
+            attempted << name
+
+            debug { "trying #{name}" }
             begin
-              next unless @allowed_auth_methods.include?(name)
-              attempted << name
-
-              debug { "trying #{name}" }
-              begin
-                auth_class = Methods.const_get(name.split(/\W+/).map { |p| p.capitalize }.join)
-                method = auth_class.new(self, key_manager: key_manager, password_prompt: options[:password_prompt])
-              rescue NameError
-                debug {"Mechanism #{name} was requested, but isn't a known type.  Ignoring it."}
-                next
-              end
-
-              return true if method.authenticate(next_service, username, password)
-            rescue Net::SSH::Authentication::DisallowedMethod
+              auth_class = Methods.const_get(name.split(/\W+/).map { |p| p.capitalize }.join)
+              method = auth_class.new(self,
+                                      key_manager: key_manager, password_prompt: options[:password_prompt],
+                                      pubkey_algorithms: options[:pubkey_algorithms] || nil)
+            rescue NameError
+              debug {"Mechanism #{name} was requested, but isn't a known type.  Ignoring it."}
+              next
             end
+
+            return true if method.authenticate(next_service, username, password)
+          rescue Net::SSH::Authentication::DisallowedMethod
           end
 
           error { "all authorization methods failed (tried #{attempted.join(', ')})" }
@@ -128,6 +129,7 @@ module Net
         def expect_message(type)
           message = next_message
           raise Net::SSH::Exception, "expected #{type}, got #{message.type} (#{message})" unless message.type == type
+
           message
         end
 
@@ -136,12 +138,8 @@ module Net
         # Returns an array of paths to the key files usually defined
         # by system default.
         def default_keys
-          if defined?(OpenSSL::PKey::EC)
-            %w[~/.ssh/id_ed25519 ~/.ssh/id_rsa ~/.ssh/id_dsa ~/.ssh/id_ecdsa
-               ~/.ssh2/id_ed25519 ~/.ssh2/id_rsa ~/.ssh2/id_dsa ~/.ssh2/id_ecdsa]
-          else
-            %w[~/.ssh/id_dsa ~/.ssh/id_rsa ~/.ssh2/id_dsa ~/.ssh2/id_rsa]
-          end
+          %w[~/.ssh/id_ed25519 ~/.ssh/id_rsa ~/.ssh/id_dsa ~/.ssh/id_ecdsa
+             ~/.ssh2/id_ed25519 ~/.ssh2/id_rsa ~/.ssh2/id_dsa ~/.ssh2/id_ecdsa]
         end
 
         # Returns an array of paths to the key files that should be used when
@@ -150,6 +148,12 @@ module Net
           Array(options[:keys])
         end
 
+        # Returns an array of paths to the keycert files that should be used when
+        # attempting any key-based authentication mechanism.
+        def keycerts
+          Array(options[:keycerts])
+        end
+
         # Returns an array of the key data that should be used when
         # attempting any key-based authentication mechanism.
         def key_data

data/lib/net/ssh/buffer.rb

@@ -1,4 +1,3 @@
-require 'net/ssh/ruby_compat'
 require 'net/ssh/transport/openssl'
 
 require 'net/ssh/authentication/certificate'
@@ -6,7 +5,6 @@ require 'net/ssh/authentication/ed25519_loader'
 
 module Net
   module SSH
-
     # Net::SSH::Buffer is a flexible class for building and parsing binary
     # data packets. It provides a stream-like interface for sequentially
     # reading data items from the buffer, as well as a useful helper method
@@ -72,7 +70,7 @@ module Net
 
       # Creates a new buffer, initialized to the given content. The position
       # is initialized to the beginning of the buffer.
-      def initialize(content="")
+      def initialize(content = String.new)
         @content = content.to_s
         @position = 0
       end
@@ -119,7 +117,7 @@ module Net
       # Resets the buffer, making it empty. Also, resets the read position to
       # 0.
       def clear!
-        @content = ""
+        @content = String.new
         @position = 0
       end
 
@@ -130,12 +128,12 @@ module Net
       # would otherwise tend to grow without bound.
       #
       # Returns the buffer object itself.
-      def consume!(n=position)
+      def consume!(n = position)
         if n >= length
           # optimize for a fairly common case
           clear!
         elsif n > 0
-          @content = @content[n..-1] || ""
+          @content = @content[n..-1] || String.new
           @position -= n
           @position = 0 if @position < 0
         end
@@ -173,7 +171,7 @@ module Net
       # Reads and returns the next +count+ bytes from the buffer, starting from
       # the read position. If +count+ is +nil+, this will return all remaining
       # text in the buffer. This method will increment the pointer.
-      def read(count=nil)
+      def read(count = nil)
         count ||= length
         count = length - @position if @position + count > length
         @position += count
@@ -182,7 +180,7 @@ module Net
 
       # Reads (as #read) and returns the given number of bytes from the buffer,
       # and then consumes (as #consume!) all data up to the new read position.
-      def read!(count=nil)
+      def read!(count = nil)
         data = read(count)
         consume!
         data
@@ -238,6 +236,7 @@ module Net
       def read_bignum
         data = read_string
         return unless data
+
         OpenSSL::BN.new(data, 2)
       end
 
@@ -249,6 +248,48 @@ module Net
         return (type ? read_keyblob(type) : nil)
       end
 
+      def read_private_keyblob(type)
+        case type
+        when /^ssh-rsa$/
+          key = OpenSSL::PKey::RSA.new
+          n = read_bignum
+          e = read_bignum
+          d = read_bignum
+          iqmp = read_bignum
+          p = read_bignum
+          q = read_bignum
+          _unkown1 = read_bignum
+          _unkown2 = read_bignum
+          dmp1 = d % (p - 1)
+          dmq1 = d % (q - 1)
+          if key.respond_to?(:set_key)
+            key.set_key(n, e, d)
+          else
+            key.e = e
+            key.n = n
+            key.d = d
+          end
+          if key.respond_to?(:set_factors)
+            key.set_factors(p, q)
+          else
+            key.p = p
+            key.q = q
+          end
+          if key.respond_to?(:set_crt_params)
+            key.set_crt_params(dmp1, dmq1, iqmp)
+          else
+            key.dmp1 = dmp1
+            key.dmq1 = dmq1
+            key.iqmp = iqmp
+          end
+          key
+        when /^ecdsa\-sha2\-(\w*)$/
+          OpenSSL::PKey::EC.read_keyblob($1, self)
+        else
+          raise Exception, "Cannot decode private key of type #{type}"
+        end
+      end
+
       # Read a keyblob of the given type from the buffer, and return it as
       # a key. Only RSA, DSA, and ECDSA keys are supported.
       def read_keyblob(type)
@@ -256,42 +297,47 @@ module Net
         when /^(.*)-cert-v01@openssh\.com$/
           key = Net::SSH::Authentication::Certificate.read_certblob(self, $1)
         when /^ssh-dss$/
-          key = OpenSSL::PKey::DSA.new
-          if key.respond_to?(:set_pqg)
-            key.set_pqg(read_bignum, read_bignum, read_bignum)
-          else
-            key.p = read_bignum
-            key.q = read_bignum
-            key.g = read_bignum
-          end
-          if key.respond_to?(:set_key)
-            key.set_key(read_bignum, nil)
-          else
-            key.pub_key = read_bignum
-          end
+          p = read_bignum
+          q = read_bignum
+          g = read_bignum
+          pub_key = read_bignum
+
+          asn1 = OpenSSL::ASN1::Sequence.new(
+            [
+              OpenSSL::ASN1::Sequence.new(
+                [
+                  OpenSSL::ASN1::ObjectId.new('DSA'),
+                  OpenSSL::ASN1::Sequence.new(
+                    [
+                      OpenSSL::ASN1::Integer.new(p),
+                      OpenSSL::ASN1::Integer.new(q),
+                      OpenSSL::ASN1::Integer.new(g)
+                    ]
+                  )
+                ]
+              ),
+              OpenSSL::ASN1::BitString.new(OpenSSL::ASN1::Integer.new(pub_key).to_der)
+            ]
+          )
+
+          key = OpenSSL::PKey::DSA.new(asn1.to_der)
         when /^ssh-rsa$/
-          key = OpenSSL::PKey::RSA.new
-          if key.respond_to?(:set_key)
-            e = read_bignum
-            n = read_bignum
-            key.set_key(n, e, nil)
-          else
-            key.e = read_bignum
-            key.n = read_bignum
-          end
+          e = read_bignum
+          n = read_bignum
+
+          asn1 = OpenSSL::ASN1::Sequence(
+            [
+              OpenSSL::ASN1::Integer(n),
+              OpenSSL::ASN1::Integer(e)
+            ]
+          )
+
+          key = OpenSSL::PKey::RSA.new(asn1.to_der)
         when /^ssh-ed25519$/
           Net::SSH::Authentication::ED25519Loader.raiseUnlessLoaded("unsupported key type `#{type}'")
           key = Net::SSH::Authentication::ED25519::PubKey.read_keyblob(self)
         when /^ecdsa\-sha2\-(\w*)$/
-          unless defined?(OpenSSL::PKey::EC)
-            raise NotImplementedError, "unsupported key type `#{type}'"
-          else
-            begin
-              key = OpenSSL::PKey::EC.read_keyblob($1, self)
-            rescue OpenSSL::PKey::ECError
-              raise NotImplementedError, "unsupported key type `#{type}'"
-            end
-          end
+          key = OpenSSL::PKey::EC.read_keyblob($1, self)
         else
           raise NotImplementedError, "unsupported key type `#{type}'"
         end
@@ -315,7 +361,12 @@ module Net
       # Optimized version of write where the caller gives up ownership of string
       # to the method. This way we can mutate the string.
       def write_moved(string)
-        @content << string.force_encoding('BINARY')
+        @content <<
+          if string.frozen?
+            string.dup.force_encoding('BINARY')
+          else
+            string.force_encoding('BINARY')
+          end
         self
       end
 

data/lib/net/ssh/buffered_io.rb

@@ -1,10 +1,8 @@
 require 'net/ssh/buffer'
 require 'net/ssh/loggable'
-require 'net/ssh/ruby_compat'
 
-module Net 
+module Net
   module SSH
-
     # This module is used to extend sockets and other IO objects, to allow
     # them to be buffered for both read and write. This abstraction makes it
     # quite easy to write a select-based event loop
@@ -49,19 +47,19 @@ module Net
     #   end
     module BufferedIo
       include Loggable
-  
+
       # Called when the #extend is called on an object, with this module as the
       # argument. It ensures that the modules instance variables are all properly
       # initialized.
-      def self.extended(object) #:nodoc:
+      def self.extended(object) # :nodoc:
         # need to use __send__ because #send is overridden in Socket
         object.__send__(:initialize_buffered_io)
       end
-  
+
       # Tries to read up to +n+ bytes of data from the remote end, and appends
       # the data to the input buffer. It returns the number of bytes read, or 0
       # if no data was available to be read.
-      def fill(n=8192)
+      def fill(n = 8192)
         input.consume!
         data = recv(n)
         debug { "read #{data.length} bytes" }
@@ -71,31 +69,31 @@ module Net
         @input_errors << e
         return 0
       end
-  
+
       # Read up to +length+ bytes from the input buffer. If +length+ is nil,
       # all available data is read from the buffer. (See #available.)
-      def read_available(length=nil)
+      def read_available(length = nil)
         input.read(length || available)
       end
-  
+
       # Returns the number of bytes available to be read from the input buffer.
       # (See #read_available.)
       def available
         input.available
       end
-  
+
       # Enqueues data in the output buffer, to be written when #send_pending
       # is called. Note that the data is _not_ sent immediately by this method!
       def enqueue(data)
         output.append(data)
       end
-  
+
       # Returns +true+ if there is data waiting in the output buffer, and
       # +false+ otherwise.
       def pending_write?
         output.length > 0
       end
-  
+
       # Sends as much of the pending output as possible. Returns +true+ if any
       # data was sent, and +false+ otherwise.
       def send_pending
@@ -108,7 +106,7 @@ module Net
           return false
         end
       end
-  
+
       # Calls #send_pending repeatedly, if necessary, blocking until the output
       # buffer is empty.
       def wait_for_pending_sends
@@ -116,31 +114,32 @@ module Net
         while output.length > 0
           result = IO.select(nil, [self]) or next
           next unless result[1].any?
+
           send_pending
         end
       end
-  
+
       public # these methods are primarily for use in tests
-  
-      def write_buffer #:nodoc:
+
+      def write_buffer # :nodoc:
         output.to_s
       end
-  
-      def read_buffer #:nodoc:
+
+      def read_buffer # :nodoc:
         input.to_s
       end
-  
+
       private
-  
+
       #--
       # Can't use attr_reader here (after +private+) without incurring the
       # wrath of "ruby -w". We hates it.
       #++
-  
+
       def input; @input; end
 
       def output; @output; end
-  
+
       # Initializes the intput and output buffers for this object. This method
       # is called automatically when the module is mixed into an object via
       # Object#extend (see Net::SSH::BufferedIo.extended), but must be called
@@ -167,7 +166,7 @@ module Net
     #    http://github.com/net-ssh/net-ssh/tree/portfwfix
     #
     module ForwardedBufferedIo
-      def fill(n=8192)
+      def fill(n = 8192)
         begin
           super(n)
         rescue Errno::ECONNRESET => e
@@ -182,7 +181,7 @@ module Net
           end
         end
       end
-  
+
       def send_pending
         begin
           super
@@ -199,6 +198,5 @@ module Net
         end
       end
     end
-
   end
 end