net-ssh 5.1.0 → 5.2.0.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: e14e949eb49846743dae609d76bb3ff8e7e26332
-  data.tar.gz: b373032655d4f986f1695d231eafc1d7f3a7fffd
+  metadata.gz: f322b0b79581a7d7b24a917b79ddabc8563b5a5c
+  data.tar.gz: a9e3a2c9cfa281f1b91a335bda58f4b6dcc568fd
 SHA512:
-  metadata.gz: 073c77cec7e4420dec75779906809319fb65f8163a4b99cfd3fbafaa1f1fce1e209ac96cb8ac22c82c182835f1ff7609625492108612f2158c1ba26fffd828a1
-  data.tar.gz: 293eb2965ccb35840c5bc29abc8c5be3ae78ab55461ce7ca42cc21045ed3ef02bcf44356e2bb33ef115e479ef1c11e269e88cd8d6f260a79b6e75273fe869175
+  metadata.gz: fcd0f1c4c2a6833e75509523cf19195cbb2320860f5f20800ce780f785d52093ae24331b27ac3dcfd49d62de341048ed611078f15449f3052830cf7c1630e309
+  data.tar.gz: 3b3fa8989372dbbe9a84fdfdbc22dde5b9ea69fcb206b9e859aa83f6a46b729b117dfe024c49a1fe969a2fedc2dbacbc190d2b5764603efe6780c10f15b31f58

checksums.yaml.gz.sig

@@ -1,3 +1 @@
-*�6+3T�t~
-��k�)��Ȗ0��cq�?�J�k��d�_�@����&%y]ȋt�������V��Z���SdQ%n�4"U�8�ȯ5�ud�9���wO�'"7�׻
-=�BH6¾!n�'Pi���վQB3�U��	�l�M�L~�-���m���M
4��J�~��-�X�π͋�P��e7��s@��#�`>Wٌ���M���G�@$Ke�P�N\kn8x^��\
+4�QQ�t���UPSG*�˩�rMd�"\B���b2�b�n����!�8����)�a,�(k��2$��.cKKS���U@T�~g��	&�0v)��Z�%���/H-�z�˺�{�v�1j�~�_*M/f��J�feѬ*p������M]��&��|ϕO�yA'F��ha�Z������CZe�^�t���X�,eJ%&u_zwn-	;tx�H��,�N�HYs���iL���J�~�1�� 6��\���� A

data/.rubocop.yml

@@ -3,3 +3,6 @@ inherit_from: .rubocop_todo.yml
 AllCops:
   Exclude:
     - 'tryout/**/*'
+
+Style/DoubleNegation:
+  Enabled: false

data/CHANGES.txt

@@ -1,8 +1,15 @@
+=== 5.2.0.rc1
+
+  * Interpret * and ? in know_hosts file [Romain Tartière, #660]
+  * New :check_host_ip so ip checking can be disabled in known hosts [Romain Tartière, #656]
+
+=== 5.1.0
+
 === 5.1.0.rc1
 
   * Support new OpenSSH private key format for rsa - bcrypt for rsa (ed25519 already supported) [#646]
   * Support IdentityAgent is ssh config [Frank Groeneveld, #645]
-  * Improve Match processin in ssh config [Aleksandrs Ļedovskis, #642]
+  * Improve Match processing in ssh config [Aleksandrs Ļedovskis, #642]
   * Ignore signature verification when verify_host_key is never [Piotr Kliczewski, #641]
   * Alg preference was changed to prefer stronger encryptions  [Tray, #637]
 

data/lib/net/ssh.rb

@@ -73,7 +73,7 @@ module Net
       max_win_size send_env use_agent number_of_password_prompts
       append_all_supported_algorithms non_interactive password_prompt
       agent_socket_factory minimum_dh_bits verify_host_key
-      fingerprint_hash
+      fingerprint_hash check_host_ip
     ]
 
     # The standard means of starting a new SSH connection. When used with a
@@ -108,6 +108,8 @@ module Net
     # * :bind_address => the IP address on the connecting machine to use in
     #   establishing connection. (:bind_address is discarded if :proxy
     #   is set.)
+    # * :check_host_ip => Also ckeck IP address when connecting to remote host.
+    #   Defaults to +true+.
     # * :compression => the compression algorithm to use, or +true+ to use
     #   whatever is supported.
     # * :compression_level => the compression level to use when sending data
@@ -290,6 +292,8 @@ module Net
       %i[password passphrase].each do |key|
         options.delete(key) if options.key?(key) && options[key].nil?
       end
+
+      options[:check_host_ip] = true unless options.key?(:check_host_ip)
     end
 
     def self._sanitize_options(options)

data/lib/net/ssh/authentication/ed25519.rb

@@ -29,6 +29,17 @@ module Net
           MEND = "-----END OPENSSH PRIVATE KEY-----\n"
           MAGIC = "openssh-key-v1"
 
+          class DecryptError < ArgumentError
+            def initialize(message, encrypted_key: false)
+              super(message)
+              @encrypted_key = encrypted_key
+            end
+
+            def encrypted_key?
+              return @encrypted_key
+            end
+          end
+
           def self.read(datafull, password)
             raise ArgumentError.new("Expected #{MBEGIN} at start of private key") unless datafull.start_with?(MBEGIN)
             raise ArgumentError.new("Expected #{MEND} at end of private key") unless datafull.end_with?(MEND)
@@ -74,7 +85,7 @@ module Net
             check1 = decoded.read_long
             check2 = decoded.read_long
 
-            raise ArgumentError, "Decrypt failed on private key" if (check1 != check2)
+            raise DecryptError.new("Decrypt failed on private key", encrypted_key: kdfname == 'bcrypt') if (check1 != check2)
 
             type_name = decoded.read_string
             case type_name

data/lib/net/ssh/key_factory.rb

@@ -50,16 +50,17 @@ module Net
         # encrypted (requiring a passphrase to use), the user will be
         # prompted to enter their password unless passphrase works.
         def load_data_private_key(data, passphrase=nil, ask_passphrase=true, filename="", prompt=Prompt.default)
-          key_read, error_classes = classify_key(data, filename)
+          key_type = classify_key(data, filename)
 
-          encrypted_key = data.match(/ENCRYPTED/)
+          encrypted_key = nil
           tries = 0
 
           prompter = nil
           result =
             begin
-              key_read[data, passphrase || 'invalid']
-            rescue *error_classes
+              key_type.read(data, passphrase || 'invalid')
+            rescue *key_type.error_classes => e
+              encrypted_key = !!key_type.encrypted_key?(data, e) if encrypted_key.nil?
               if encrypted_key && ask_passphrase
                 tries += 1
                 if tries <= 3
@@ -106,20 +107,108 @@ module Net
 
         private
 
+        # rubocop:disable Style/Documentation, Lint/DuplicateMethods
+        class KeyType
+          def self.read(key_data, passphrase)
+            raise Exception, "TODO subclasses should implement read"
+          end
+
+          def self.error_classes
+            raise Exception, "TODO subclasses should implement read"
+          end
+
+          def self.encrypted_key?(data, error)
+            raise Exception, "TODO subclasses should implement is_encrypted_key"
+          end
+        end
+
+        class OpenSSHPrivateKeyType < KeyType
+          def self.read(key_data, passphrase)
+            Net::SSH::Authentication::ED25519::OpenSSHPrivateKeyLoader.read(key_data, passphrase)
+          end
+
+          def self.error_classes
+            [Net::SSH::Authentication::ED25519::OpenSSHPrivateKeyLoader::DecryptError]
+          end
+
+          def self.encrypted_key?(key_data, decode_error)
+            decode_error.is_a?(Net::SSH::Authentication::ED25519::OpenSSHPrivateKeyLoader::DecryptError) && decode_error.encrypted_key?
+          end
+        end
+
+        class OpenSSLKeyTypeBase < KeyType
+          def self.open_ssl_class
+            raise Exception, "TODO: subclasses should implement"
+          end
+
+          def self.read(key_data, passphrase)
+            open_ssl_class.new(key_data, passphrase)
+          end
+
+          def self.encrypted_key?(key_data, error)
+            key_data.match(/ENCRYPTED/)
+          end
+        end
+
+        class OpenSSLPKeyType < OpenSSLKeyTypeBase
+          def self.read(key_data, passphrase)
+            open_ssl_class.read(key_data, passphrase)
+          end
+
+          def self.open_ssl_class
+            OpenSSL::PKey
+          end
+
+          def self.error_classes
+            [ArgumentError, OpenSSL::PKey::PKeyError]
+          end
+        end
+
+        class OpenSSLDSAKeyType < OpenSSLKeyTypeBase
+          def self.open_ssl_class
+            OpenSSL::PKey::DSA
+          end
+
+          def self.error_classes
+            [OpenSSL::PKey::DSAError]
+          end
+        end
+
+        class OpenSSLRSAKeyType < OpenSSLKeyTypeBase
+          def self.open_ssl_class
+            OpenSSL::PKey::RSA
+          end
+
+          def self.error_classes
+            [OpenSSL::PKey::RSAError]
+          end
+        end
+
+        class OpenSSLECKeyType < OpenSSLKeyTypeBase
+          def self.open_ssl_class
+            OpenSSL::PKey::EC
+          end
+
+          def self.error_classes
+            [OpenSSL::PKey::ECError]
+          end
+        end
+        # rubocop:enable Style/Documentation, Lint/DuplicateMethods
+
         # Determine whether the file describes an RSA or DSA key, and return how load it
         # appropriately.
         def classify_key(data, filename)
           if data.match(/-----BEGIN OPENSSH PRIVATE KEY-----/)
             Net::SSH::Authentication::ED25519Loader.raiseUnlessLoaded("OpenSSH keys only supported if ED25519 is available")
-            return ->(key_data, passphrase) { Net::SSH::Authentication::ED25519::OpenSSHPrivateKeyLoader.read(key_data, passphrase) }, [ArgumentError]
+            return OpenSSHPrivateKeyType
           elsif OpenSSL::PKey.respond_to?(:read)
-            return ->(key_data, passphrase) { OpenSSL::PKey.read(key_data, passphrase) }, [ArgumentError, OpenSSL::PKey::PKeyError]
+            return OpenSSLPKeyType
           elsif data.match(/-----BEGIN DSA PRIVATE KEY-----/)
-            return ->(key_data, passphrase) { OpenSSL::PKey::DSA.new(key_data, passphrase) }, [OpenSSL::PKey::DSAError]
+            return OpenSSLDSAKeyType
           elsif data.match(/-----BEGIN RSA PRIVATE KEY-----/)
-            return ->(key_data, passphrase) { OpenSSL::PKey::RSA.new(key_data, passphrase) }, [OpenSSL::PKey::RSAError]
+            return OpenSSLRSAKeyType
           elsif data.match(/-----BEGIN EC PRIVATE KEY-----/) && defined?(OpenSSL::PKey::EC)
-            return ->(key_data, passphrase) { OpenSSL::PKey::EC.new(key_data, passphrase) }, [OpenSSL::PKey::ECError]
+            return OpenSSLECKeyType
           elsif data.match(/-----BEGIN (.+) PRIVATE KEY-----/)
             raise OpenSSL::PKey::PKeyError, "not a supported key type '#{$1}'"
           else

data/lib/net/ssh/known_hosts.rb

@@ -53,13 +53,13 @@ module Net
         # Searches all known host files (see KnownHosts.hostfiles) for all keys
         # of the given host. Returns an enumerable of keys found.
         def search_for(host, options={})
-          HostKeys.new(search_in(hostfiles(options), host), host, self, options)
+          HostKeys.new(search_in(hostfiles(options), host, options), host, self, options)
         end
 
         # Search for all known keys for the given host, in every file given in
         # the +files+ array. Returns the list of keys.
-        def search_in(files, host)
-          files.flat_map { |file| KnownHosts.new(file).keys_for(host) }
+        def search_in(files, host, options = {})
+          files.flat_map { |file| KnownHosts.new(file).keys_for(host, options) }
         end
 
         # Looks in the given +options+ hash for the :user_known_hosts_file and
@@ -119,11 +119,13 @@ module Net
       #   "[net.ssh.test]:5555"
       #   "[1,2,3,4]:5555"
       #   "[net.ssh.test]:5555,[1.2.3.4]:5555
-      def keys_for(host)
+      def keys_for(host, options = {})
         keys = []
         return keys unless File.readable?(source)
 
         entries = host.split(/,/)
+        host_name = entries[0]
+        host_ip = entries[1]
 
         File.open(source) do |file|
           scanner = StringScanner.new("")
@@ -134,8 +136,10 @@ module Net
             next if scanner.match?(/$|#/)
 
             hostlist = scanner.scan(/\S+/).split(/,/)
-            found = entries.all? { |entry| hostlist.include?(entry) } ||
-              known_host_hash?(hostlist, entries)
+            found = hostlist.any? { |pattern| match(host_name, pattern) } || known_host_hash?(hostlist, entries)
+            next unless found
+
+            found = hostlist.include?(host_ip) if options[:check_host_ip] && entries.size > 1 && hostlist.size > 1
             next unless found
 
             scanner.skip(/\s*/)
@@ -152,6 +156,17 @@ module Net
         keys
       end
 
+      def match(host, pattern)
+        # see man 8 sshd for pattern details
+        pattern_regexp = pattern.split('*').map do |x|
+          x.split('?').map do |y|
+            Regexp.escape(y)
+          end.join('.')
+        end.join('[^.]*')
+
+        host =~ Regexp.new("\\A#{pattern_regexp}\\z")
+      end
+
       # Indicates whether one of the entries matches an hostname that has been
       # stored as a HMAC-SHA1 hash in the known hosts.
       def known_host_hash?(hostlist, entries)

data/lib/net/ssh/transport/session.rb

@@ -279,7 +279,7 @@ module Net
         # method.
         class CompatibleVerifier
           def initialize(verifier)
-            @verifier
+            @verifier = verifier
           end
 
           def verify(arguments)

data/lib/net/ssh/version.rb

@@ -49,14 +49,14 @@ module Net
       MAJOR = 5
 
       # The minor component of this version of the Net::SSH library
-      MINOR = 1
+      MINOR = 2
 
       # The tiny component of this version of the Net::SSH library
       TINY  = 0
 
       # The prerelease component of this version of the Net::SSH library
       # nil allowed
-      PRE   = nil
+      PRE   = "rc1"
 
       # The current version of the Net::SSH library as a Version instance
       CURRENT = new(*[MAJOR, MINOR, TINY, PRE].compact)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: net-ssh
 version: !ruby/object:Gem::Version
-  version: 5.1.0
+  version: 5.2.0.rc1
 platform: ruby
 authors:
 - Jamis Buck
@@ -32,7 +32,7 @@ cert_chain:
   ZFwoIuXKeDmTTpryd/vI7sdLXDuV6MbWOLGh6gXn9RDDXG1EqEXW0bjovATBMpdH
   9OGohJvAFzcvhDTWPwT6w3PG5B80pqb9j1hEAg==
   -----END CERTIFICATE-----
-date: 2018-12-28 00:00:00.000000000 Z
+date: 2019-03-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bcrypt_pbkdf
@@ -262,9 +262,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 2.2.6
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project: 
 rubygems_version: 2.6.8