net-ssh 5.2.0 → 6.0.0.beta1

data/lib/net/ssh/buffer.rb

@@ -323,15 +323,7 @@ module Net
           Net::SSH::Authentication::ED25519Loader.raiseUnlessLoaded("unsupported key type `#{type}'")
           key = Net::SSH::Authentication::ED25519::PubKey.read_keyblob(self)
         when /^ecdsa\-sha2\-(\w*)$/
-          unless defined?(OpenSSL::PKey::EC)
-            raise NotImplementedError, "unsupported key type `#{type}'"
-          else
-            begin
-              key = OpenSSL::PKey::EC.read_keyblob($1, self)
-            rescue OpenSSL::PKey::ECError
-              raise NotImplementedError, "unsupported key type `#{type}'"
-            end
-          end
+          key = OpenSSL::PKey::EC.read_keyblob($1, self)
         else
           raise NotImplementedError, "unsupported key type `#{type}'"
         end

data/lib/net/ssh/config.rb

@@ -33,6 +33,7 @@ module Net
     # * ProxyJump => maps to the :proxy option
     # * PubKeyAuthentication => maps to the :auth_methods option
     # * RekeyLimit => :rekey_limit
+    # * StrictHostKeyChecking => :strict_host_key_checking
     # * User => :user
     # * UserKnownHostsFile => :user_known_hosts_file
     # * NumberOfPasswordPrompts => :number_of_password_prompts
@@ -149,6 +150,13 @@ module Net
                 settings[key] = value unless settings.key?(key)
               end
             end
+
+            # ProxyCommand and ProxyJump override each other so they need to be tracked togeather
+            %w[proxyjump proxycommand].each do |proxy_key|
+              if (proxy_value = settings.delete(proxy_key))
+                settings['proxy'] ||= [proxy_key, proxy_value]
+              end
+            end
           end
 
           globals.merge(settings) do |key, oldval, newval|
@@ -202,6 +210,7 @@ module Net
             identityfile: :keys,
             fingerprinthash: :fingerprint_hash,
             port: :port,
+            stricthostkeychecking: :strict_host_key_checking,
             user: :user,
             userknownhostsfile: :user_known_hosts_file,
             checkhostip: :check_host_ip
@@ -250,15 +259,9 @@ module Net
             end
           when :preferredauthentications
             hash[:auth_methods] = value.split(/,/) # TODO we should place to preferred_auth_methods rather than auth_methods
-          when :proxycommand
-            if value and value !~ /^none$/
-              require 'net/ssh/proxy/command'
-              hash[:proxy] = Net::SSH::Proxy::Command.new(value)
-            end
-          when :proxyjump
-            if value
-              require 'net/ssh/proxy/jump'
-              hash[:proxy] = Net::SSH::Proxy::Jump.new(value)
+          when :proxy
+            if (proxy = setup_proxy(*value))
+              hash[:proxy] = proxy
             end
           when :pubkeyauthentication
             if value
@@ -278,6 +281,19 @@ module Net
           end
         end
 
+        def setup_proxy(type, value)
+          case type
+          when 'proxycommand'
+            if value !~ /^none$/
+              require 'net/ssh/proxy/command'
+              Net::SSH::Proxy::Command.new(value)
+            end
+          when 'proxyjump'
+            require 'net/ssh/proxy/jump'
+            Net::SSH::Proxy::Jump.new(value)
+          end
+        end
+
         # Converts an ssh_config pattern into a regex for matching against
         # host names.
         def pattern2regex(pattern)
@@ -369,6 +385,5 @@ module Net
         end
       end
     end
-
   end
 end

data/lib/net/ssh/connection/channel.rb

@@ -648,10 +648,14 @@ module Net
         def update_local_window_size(size)
           @local_window_size -= size
           if local_window_size < local_maximum_window_size / 2
-            connection.send_message(Buffer.from(:byte, CHANNEL_WINDOW_ADJUST,
-              :long, remote_id, :long, LOCAL_WINDOW_SIZE_INCREMENT))
+            connection.send_message(
+              Buffer.from(:byte, CHANNEL_WINDOW_ADJUST, :long, remote_id, :long, LOCAL_WINDOW_SIZE_INCREMENT)
+            )
             @local_window_size += LOCAL_WINDOW_SIZE_INCREMENT
-            @local_maximum_window_size += LOCAL_WINDOW_SIZE_INCREMENT if @local_maximum_window_size < @local_window_size || @local_maximum_window_size < GOOD_LOCAL_MAXIUMUM_WINDOW_SIZE
+
+            if @local_maximum_window_size < @local_window_size || @local_maximum_window_size < GOOD_LOCAL_MAXIUMUM_WINDOW_SIZE
+              @local_maximum_window_size += LOCAL_WINDOW_SIZE_INCREMENT
+            end
           end
         end
 

data/lib/net/ssh/connection/session.rb

@@ -580,8 +580,10 @@ module Net
           info { "global request received: #{packet[:request_type]} #{packet[:want_reply]}" }
           callback = @on_global_request[packet[:request_type]]
           result = callback ? callback.call(packet[:request_data], packet[:want_reply]) : false
-    
-          raise "expected global request handler for `#{packet[:request_type]}' to return true, false, or :sent, but got #{result.inspect}" if result != :sent && result != true && result != false
+
+          if result != :sent && result != true && result != false
+            raise "expected global request handler for `#{packet[:request_type]}' to return true, false, or :sent, but got #{result.inspect}"
+          end
     
           if packet[:want_reply] && result != :sent
             msg = Buffer.from(:byte, result ? REQUEST_SUCCESS : REQUEST_FAILURE)
@@ -624,7 +626,9 @@ module Net
               failure = [err.code, err.reason]
             else
               channels[local_id] = channel
-              msg = Buffer.from(:byte, CHANNEL_OPEN_CONFIRMATION, :long, channel.remote_id, :long, channel.local_id, :long, channel.local_maximum_window_size, :long, channel.local_maximum_packet_size)
+              msg = Buffer.from(:byte, CHANNEL_OPEN_CONFIRMATION, :long, channel.remote_id, :long,
+                                channel.local_id, :long, channel.local_maximum_window_size, :long,
+                                channel.local_maximum_packet_size)
             end
           else
             failure = [3, "unknown channel type #{channel.type}"]

data/lib/net/ssh/key_factory.rb

@@ -18,14 +18,12 @@ module Net
     class KeyFactory
       # Specifies the mapping of SSH names to OpenSSL key classes.
       MAP = {
-        "dh"  => OpenSSL::PKey::DH,
-        "rsa" => OpenSSL::PKey::RSA,
-        "dsa" => OpenSSL::PKey::DSA
+        'dh'    => OpenSSL::PKey::DH,
+        'rsa'   => OpenSSL::PKey::RSA,
+        'dsa'   => OpenSSL::PKey::DSA,
+        'ecdsa' => OpenSSL::PKey::EC
       }
-      if defined?(OpenSSL::PKey::EC)
-        MAP["ecdsa"] = OpenSSL::PKey::EC
-        MAP["ed25519"] = Net::SSH::Authentication::ED25519::PrivKey if defined? Net::SSH::Authentication::ED25519
-      end
+      MAP["ed25519"] = Net::SSH::Authentication::ED25519::PrivKey if defined? Net::SSH::Authentication::ED25519
 
       class <<self
         # Fetch an OpenSSL key instance by its SSH name. It will be a new,
@@ -207,7 +205,7 @@ module Net
             return OpenSSLDSAKeyType
           elsif data.match(/-----BEGIN RSA PRIVATE KEY-----/)
             return OpenSSLRSAKeyType
-          elsif data.match(/-----BEGIN EC PRIVATE KEY-----/) && defined?(OpenSSL::PKey::EC)
+          elsif data.match(/-----BEGIN EC PRIVATE KEY-----/)
             return OpenSSLECKeyType
           elsif data.match(/-----BEGIN (.+) PRIVATE KEY-----/)
             raise OpenSSL::PKey::PKeyError, "not a supported key type '#{$1}'"

data/lib/net/ssh/known_hosts.rb

@@ -41,14 +41,11 @@ module Net
     # This is used internally by Net::SSH, and will never need to be used directly
     # by consumers of the library.
     class KnownHosts
-      if defined?(OpenSSL::PKey::EC)
-        SUPPORTED_TYPE = %w[ssh-rsa ssh-dss
-                            ecdsa-sha2-nistp256
-                            ecdsa-sha2-nistp384
-                            ecdsa-sha2-nistp521]
-      else
-        SUPPORTED_TYPE = %w[ssh-rsa ssh-dss]
-      end
+      SUPPORTED_TYPE = %w[ssh-rsa ssh-dss
+                          ecdsa-sha2-nistp256
+                          ecdsa-sha2-nistp384
+                          ecdsa-sha2-nistp521]
+
       SUPPORTED_TYPE.push('ssh-ed25519') if Net::SSH::Authentication::ED25519Loader::LOADED
 
       class <<self
@@ -78,7 +75,9 @@ module Net
 
           files += Array(options[:user_known_hosts_file] || %w[~/.ssh/known_hosts ~/.ssh/known_hosts2]) if which == :all || which == :user
 
-          files += Array(options[:global_known_hosts_file] || %w[/etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2]) if which == :all || which == :global
+          if which == :all || which == :global
+            files += Array(options[:global_known_hosts_file] || %w[/etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2])
+          end
 
           return files
         end
@@ -130,27 +129,21 @@ module Net
         host_ip = entries[1]
 
         File.open(source) do |file|
-          scanner = StringScanner.new("")
           file.each_line do |line|
-            scanner.string = line
+            hosts, type, key_content = line.split(' ')
+            next unless hosts || hosts.start_with?('#')
 
-            scanner.skip(/\s*/)
-            next if scanner.match?(/$|#/)
+            hostlist = hosts.split(',')
+
+            next unless SUPPORTED_TYPE.include?(type)
 
-            hostlist = scanner.scan(/\S+/).split(/,/)
             found = hostlist.any? { |pattern| match(host_name, pattern) } || known_host_hash?(hostlist, entries)
             next unless found
 
             found = hostlist.include?(host_ip) if options[:check_host_ip] && entries.size > 1 && hostlist.size > 1
             next unless found
 
-            scanner.skip(/\s*/)
-            type = scanner.scan(/\S+/)
-
-            next unless SUPPORTED_TYPE.include?(type)
-
-            scanner.skip(/\s*/)
-            blob = scanner.rest.unpack("m*").first
+            blob = key_content.unpack("m*").first
             keys << Net::SSH::Buffer.new(blob).read_key
           end
         end
@@ -159,14 +152,18 @@ module Net
       end
 
       def match(host, pattern)
-        # see man 8 sshd for pattern details
-        pattern_regexp = pattern.split('*').map do |x|
-          x.split('?').map do |y|
-            Regexp.escape(y)
-          end.join('.')
-        end.join('[^.]*')
-
-        host =~ Regexp.new("\\A#{pattern_regexp}\\z")
+        if pattern.include?('*') || pattern.include?('?')
+          # see man 8 sshd for pattern details
+          pattern_regexp = pattern.split('*').map do |x|
+            x.split('?').map do |y|
+              Regexp.escape(y)
+            end.join('.')
+          end.join('[^.]*')
+
+          host =~ Regexp.new("\\A#{pattern_regexp}\\z")
+        else
+          host == pattern
+        end
       end
 
       # Indicates whether one of the entries matches an hostname that has been

data/lib/net/ssh/service/forward.rb

@@ -85,7 +85,8 @@ module Net
             client = server.accept
             debug { "received connection on #{socket}" }
 
-            channel = session.open_channel("direct-tcpip", :string, remote_host, :long, remote_port, :string, bind_address, local_port_type, local_port) do |achannel|
+            channel = session.open_channel("direct-tcpip", :string, remote_host, :long,
+                                           remote_port, :string, bind_address, local_port_type, local_port) do |achannel|
               achannel.info { "direct channel established" }
             end
 

data/lib/net/ssh/test.rb

@@ -74,7 +74,7 @@ module Net
       def transport(options={})
         @transport ||= Net::SSH::Transport::Session.new(
           options[:host] || "localhost",
-          options.merge(kex: "test", host_key: "ssh-rsa", verify_host_key: :never, proxy: socket(options))
+          options.merge(kex: "test", host_key: "ssh-rsa", append_all_supported_algorithms: true, verify_host_key: :never, proxy: socket(options))
         )
       end
 
@@ -86,7 +86,8 @@ module Net
       def assert_scripted
         raise "there is no script to be processed" if socket.script.events.empty?
         Net::SSH::Test::Extensions::IO.with_test_extension { yield }
-        assert socket.script.events.empty?, "there should not be any remaining scripted events, but there are still #{socket.script.events.length} pending"
+        assert socket.script.events.empty?, "there should not be any remaining scripted events, but there are still" \
+                                            "#{socket.script.events.length} pending"
       end
     end
 

data/lib/net/ssh/transport/algorithms.rb

@@ -5,13 +5,13 @@ require 'net/ssh/transport/cipher_factory'
 require 'net/ssh/transport/constants'
 require 'net/ssh/transport/hmac'
 require 'net/ssh/transport/kex'
+require 'net/ssh/transport/kex/curve25519_sha256_loader'
 require 'net/ssh/transport/server_version'
 require 'net/ssh/authentication/ed25519_loader'
 
 module Net
   module SSH
     module Transport
-
       # Implements the higher-level logic behind an SSH key-exchange. It handles
       # both the initial exchange, as well as subsequent re-exchanges (as needed).
       # It also encapsulates the negotiation of the algorithms, and provides a
@@ -23,56 +23,72 @@ module Net
         include Loggable
         include Constants
 
-        # Define the default algorithms, in order of preference, supported by
-        # Net::SSH.
-        ALGORITHMS = {
-          host_key: %w[ssh-rsa-cert-v01@openssh.com
+        # Define the default algorithms, in order of preference, supported by Net::SSH.
+        DEFAULT_ALGORITHMS = {
+          host_key: %w[ecdsa-sha2-nistp521-cert-v01@openssh.com
+                       ecdsa-sha2-nistp384-cert-v01@openssh.com
+                       ecdsa-sha2-nistp256-cert-v01@openssh.com
+                       ecdsa-sha2-nistp521
+                       ecdsa-sha2-nistp384
+                       ecdsa-sha2-nistp256
+                       ssh-rsa-cert-v01@openssh.com
                        ssh-rsa-cert-v00@openssh.com
-                       ssh-rsa ssh-dss],
-          kex: %w[diffie-hellman-group-exchange-sha256
-                  diffie-hellman-group-exchange-sha1
-                  diffie-hellman-group14-sha1
+                       ssh-rsa],
+
+          kex: %w[ecdh-sha2-nistp521
+                  ecdh-sha2-nistp384
+                  ecdh-sha2-nistp256
+                  diffie-hellman-group-exchange-sha256
+                  diffie-hellman-group14-sha1],
+
+          encryption: %w[aes256-ctr aes192-ctr aes128-ctr],
+
+          hmac: %w[hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com
+                   hmac-sha2-512 hmac-sha2-256
+                   hmac-sha1]
+        }.freeze
+
+        if Net::SSH::Authentication::ED25519Loader::LOADED
+          DEFAULT_ALGORITHMS[:host_key].unshift(
+            'ssh-ed25519-cert-v01@openssh.com',
+            'ssh-ed25519'
+          )
+        end
+
+        if Net::SSH::Transport::Kex::Curve25519Sha256Loader::LOADED
+          DEFAULT_ALGORITHMS[:kex].unshift(
+            'curve25519-sha256',
+            'curve22519-sha256@libssh.org'
+          )
+        end
+
+        # Define all algorithms, with the deprecated, supported by Net::SSH.
+        ALGORITHMS = {
+          host_key: DEFAULT_ALGORITHMS[:host_key] + %w[ssh-dss],
+
+          kex: DEFAULT_ALGORITHMS[:kex] +
+               %w[diffie-hellman-group-exchange-sha1
                   diffie-hellman-group1-sha1],
-          encryption: %w[aes256-ctr aes192-ctr aes128-ctr
-                         aes256-cbc aes192-cbc aes128-cbc
+
+          encryption: DEFAULT_ALGORITHMS[:encryption] +
+                      %w[aes256-cbc aes192-cbc aes128-cbc
                          rijndael-cbc@lysator.liu.se
                          blowfish-ctr blowfish-cbc
                          cast128-ctr cast128-cbc
                          3des-ctr 3des-cbc
-                         idea-cbc arcfour256 arcfour128 arcfour
+                         idea-cbc
                          none],
 
-          hmac: %w[hmac-sha2-512 hmac-sha2-256
-                   hmac-sha2-512-96 hmac-sha2-256-96
-                   hmac-sha1 hmac-sha1-96
+          hmac: DEFAULT_ALGORITHMS[:hmac] +
+                %w[hmac-sha2-512-96 hmac-sha2-256-96
+                   hmac-sha1-96
                    hmac-ripemd160 hmac-ripemd160@openssh.com
                    hmac-md5 hmac-md5-96
                    none],
 
           compression: %w[none zlib@openssh.com zlib],
           language: %w[]
-        }
-        if defined?(OpenSSL::PKey::EC)
-          ALGORITHMS[:host_key].unshift(
-            "ecdsa-sha2-nistp521-cert-v01@openssh.com",
-            "ecdsa-sha2-nistp384-cert-v01@openssh.com",
-            "ecdsa-sha2-nistp256-cert-v01@openssh.com",
-            "ecdsa-sha2-nistp521",
-            "ecdsa-sha2-nistp384",
-            "ecdsa-sha2-nistp256"
-          )
-          if Net::SSH::Authentication::ED25519Loader::LOADED
-            ALGORITHMS[:host_key].unshift(
-              "ssh-ed25519-cert-v01@openssh.com",
-              "ssh-ed25519"
-            )
-          end
-          ALGORITHMS[:kex].unshift(
-            "ecdh-sha2-nistp521",
-            "ecdh-sha2-nistp384",
-            "ecdh-sha2-nistp256"
-          )
-        end
+        }.freeze
 
         # The underlying transport layer session that supports this object
         attr_reader :session
@@ -140,6 +156,7 @@ module Net
         # Start the algorithm negotation
         def start
           raise ArgumentError, "Cannot call start if it's negotiation started or done" if @pending || @initialized
+
           send_kexinit
         end
 
@@ -197,8 +214,8 @@ module Net
 
         def host_key_format
           case host_key
-          when "ssh-rsa-cert-v01@openssh.com", "ssh-rsa-cert-v00@openssh.com"
-            "ssh-rsa"
+          when /^([a-z0-9-]+)-cert-v\d{2}@openssh.com$/
+            Regexp.last_match[1]
           else
             host_key
           end
@@ -239,7 +256,10 @@ module Net
           options[:compression] = %w[zlib@openssh.com zlib] if options[:compression] == true
 
           ALGORITHMS.each do |algorithm, supported|
-            algorithms[algorithm] = compose_algorithm_list(supported, options[algorithm], options[:append_all_supported_algorithms])
+            algorithms[algorithm] = compose_algorithm_list(
+              supported, options[algorithm] || DEFAULT_ALGORITHMS[algorithm],
+              options[:append_all_supported_algorithms]
+            )
           end
 
           # for convention, make sure our list has the same keys as the server
@@ -356,7 +376,8 @@ module Net
 
           debug do
             "negotiated:\n" +
-              %i[kex host_key encryption_server encryption_client hmac_client hmac_server compression_client compression_server language_client language_server].map do |key|
+              %i[kex host_key encryption_server encryption_client hmac_client hmac_server
+                 compression_client compression_server language_client language_server].map do |key|
                 "* #{key}: #{instance_variable_get("@#{key}")}"
               end.join("\n")
           end
@@ -368,7 +389,11 @@ module Net
         def negotiate(algorithm)
           match = self[algorithm].find { |item| @server_data[algorithm].include?(item) }
 
-          raise Net::SSH::Exception, "could not settle on #{algorithm} algorithm" if match.nil?
+          if match.nil?
+            raise Net::SSH::Exception, "could not settle on #{algorithm} algorithm\n"\
+              "Server #{algorithm} preferences: #{@server_data[algorithm].join(',')}\n"\
+              "Client #{algorithm} preferences: #{self[algorithm].join(',')}"
+          end
 
           return match
         end