net-ssh 5.2.0 → 6.0.0

data/lib/net/ssh/authentication/ed25519.rb

@@ -26,7 +26,7 @@ module Net
           CipherFactory = Net::SSH::Transport::CipherFactory
 
           MBEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----\n"
-          MEND = "-----END OPENSSH PRIVATE KEY-----\n"
+          MEND = "-----END OPENSSH PRIVATE KEY-----"
           MAGIC = "openssh-key-v1"
 
           class DecryptError < ArgumentError
@@ -41,6 +41,7 @@ module Net
           end
 
           def self.read(datafull, password)
+            datafull = datafull.strip
             raise ArgumentError.new("Expected #{MBEGIN} at start of private key") unless datafull.start_with?(MBEGIN)
             raise ArgumentError.new("Expected #{MEND} at end of private key") unless datafull.end_with?(MEND)
             datab64 = datafull[MBEGIN.size...-MEND.size]

data/lib/net/ssh/authentication/ed25519_loader.rb

@@ -3,7 +3,7 @@ module Net
     module Authentication
 
       # Loads ED25519 support which requires optinal dependecies like
-      # rbnacl, bcrypt_pbkdf
+      # ed25519, bcrypt_pbkdf
       module ED25519Loader
       
         begin

data/lib/net/ssh/authentication/key_manager.rb

@@ -30,6 +30,9 @@ module Net
         # The list of user key data that will be examined
         attr_reader :key_data
 
+        # The list of user key certificate files that will be examined
+        attr_reader :keycert_files
+
         # The map of loaded identities
         attr_reader :known_identities
 
@@ -43,6 +46,7 @@ module Net
           self.logger = logger
           @key_files = []
           @key_data = []
+          @keycert_files = []
           @use_agent = options[:use_agent] != false
           @known_identities = {}
           @agent = nil
@@ -66,6 +70,12 @@ module Net
           self
         end
 
+        # Add the given keycert_file to the list of keycert files that will be used.
+        def add_keycert(keycert_file)
+          keycert_files.push(File.expand_path(keycert_file)).uniq!
+          self
+        end
+
         # Add the given key_file to the list of keys that will be used.
         def add_key_data(key_data_)
           key_data.push(key_data_).uniq!
@@ -108,7 +118,7 @@ module Net
               user_identities.delete(corresponding_user_identity) if corresponding_user_identity
 
               if !options[:keys_only] || corresponding_user_identity
-                known_identities[key] = { from: :agent }
+                known_identities[key] = { from: :agent, identity: key }
                 yield key
               end
             end
@@ -122,6 +132,21 @@ module Net
             yield key
           end
 
+          known_identity_blobs = known_identities.keys.map(&:to_blob)
+          keycert_files.each do |keycert_file|
+            keycert = KeyFactory.load_public_key(keycert_file)
+            next if known_identity_blobs.include?(keycert.to_blob)
+
+            (_, corresponding_identity) = known_identities.detect { |public_key, _|
+              public_key.to_pem == keycert.to_pem
+            }
+
+            if corresponding_identity
+              known_identities[keycert] = corresponding_identity
+              yield keycert
+            end
+          end
+
           self
         end
 
@@ -139,7 +164,7 @@ module Net
 
           if info[:key].nil? && info[:from] == :file
             begin
-              info[:key] = KeyFactory.load_private_key(info[:file], options[:passphrase], !options[:non_interactive])
+              info[:key] = KeyFactory.load_private_key(info[:file], options[:passphrase], !options[:non_interactive], options[:password_prompt])
             rescue OpenSSL::OpenSSLError, Exception => e
               raise KeyManagerError, "the given identity is known, but the private key could not be loaded: #{e.class} (#{e.message})"
             end
@@ -152,7 +177,7 @@ module Net
 
           if info[:from] == :agent
             raise KeyManagerError, "the agent is no longer available" unless agent
-            return agent.sign(identity, data.to_s)
+            return agent.sign(info[:identity], data.to_s)
           end
 
           raise KeyManagerError, "[BUG] can't determine identity origin (#{info.inspect})"
@@ -229,11 +254,15 @@ module Net
                 key = KeyFactory.load_public_key(identity[:pubkey_file])
                 { public_key: key, from: :file, file: identity[:privkey_file] }
               when :privkey_file
-                private_key = KeyFactory.load_private_key(identity[:privkey_file], options[:passphrase], ask_passphrase, options[:password_prompt])
+                private_key = KeyFactory.load_private_key(
+                  identity[:privkey_file], options[:passphrase], ask_passphrase, options[:password_prompt]
+                )
                 key = private_key.send(:public_key)
                 { public_key: key, from: :file, file: identity[:privkey_file], key: private_key }
               when :data
-                private_key = KeyFactory.load_data_private_key(identity[:data], options[:passphrase], ask_passphrase, "<key in memory>", options[:password_prompt])
+                private_key = KeyFactory.load_data_private_key(
+                  identity[:data], options[:passphrase], ask_passphrase, "<key in memory>", options[:password_prompt]
+                )
                 key = private_key.send(:public_key)
                 { public_key: key, from: :key_data, data: identity[:data], key: private_key }
               else

data/lib/net/ssh/authentication/methods/keyboard_interactive.rb

@@ -40,7 +40,9 @@ module Net
                 instruction = message.read_string
                 debug { "keyboard-interactive info request" }
 
-                prompter = prompt.start(type: 'keyboard-interactive', name: name, instruction: instruction) if password.nil? && interactive? && prompter.nil?
+                if password.nil? && interactive? && prompter.nil?
+                  prompter = prompt.start(type: 'keyboard-interactive', name: name, instruction: instruction)
+                end
 
                 _ = message.read_string # lang_tag
                 responses = []

data/lib/net/ssh/authentication/pub_key_fingerprint.rb

@@ -1,4 +1,3 @@
-
 require 'openssl'
 
 module Net

data/lib/net/ssh/authentication/session.rb

@@ -63,6 +63,7 @@ module Net
 
           key_manager = KeyManager.new(logger, options)
           keys.each { |key| key_manager.add(key) } unless keys.empty?
+          keycerts.each { |keycert| key_manager.add_keycert(keycert) } unless keycerts.empty?
           key_data.each { |key2| key_manager.add_key_data(key2) } unless key_data.empty?
           default_keys.each { |key| key_manager.add(key) } unless options.key?(:keys) || options.key?(:key_data)
 
@@ -136,12 +137,8 @@ module Net
         # Returns an array of paths to the key files usually defined
         # by system default.
         def default_keys
-          if defined?(OpenSSL::PKey::EC)
-            %w[~/.ssh/id_ed25519 ~/.ssh/id_rsa ~/.ssh/id_dsa ~/.ssh/id_ecdsa
-               ~/.ssh2/id_ed25519 ~/.ssh2/id_rsa ~/.ssh2/id_dsa ~/.ssh2/id_ecdsa]
-          else
-            %w[~/.ssh/id_dsa ~/.ssh/id_rsa ~/.ssh2/id_dsa ~/.ssh2/id_rsa]
-          end
+          %w[~/.ssh/id_ed25519 ~/.ssh/id_rsa ~/.ssh/id_dsa ~/.ssh/id_ecdsa
+             ~/.ssh2/id_ed25519 ~/.ssh2/id_rsa ~/.ssh2/id_dsa ~/.ssh2/id_ecdsa]
         end
 
         # Returns an array of paths to the key files that should be used when
@@ -150,6 +147,12 @@ module Net
           Array(options[:keys])
         end
 
+        # Returns an array of paths to the keycert files that should be used when
+        # attempting any key-based authentication mechanism.
+        def keycerts
+          Array(options[:keycerts])
+        end
+
         # Returns an array of the key data that should be used when
         # attempting any key-based authentication mechanism.
         def key_data

data/lib/net/ssh/buffer.rb

@@ -1,4 +1,3 @@
-require 'net/ssh/ruby_compat'
 require 'net/ssh/transport/openssl'
 
 require 'net/ssh/authentication/certificate'
@@ -323,15 +322,7 @@ module Net
           Net::SSH::Authentication::ED25519Loader.raiseUnlessLoaded("unsupported key type `#{type}'")
           key = Net::SSH::Authentication::ED25519::PubKey.read_keyblob(self)
         when /^ecdsa\-sha2\-(\w*)$/
-          unless defined?(OpenSSL::PKey::EC)
-            raise NotImplementedError, "unsupported key type `#{type}'"
-          else
-            begin
-              key = OpenSSL::PKey::EC.read_keyblob($1, self)
-            rescue OpenSSL::PKey::ECError
-              raise NotImplementedError, "unsupported key type `#{type}'"
-            end
-          end
+          key = OpenSSL::PKey::EC.read_keyblob($1, self)
         else
           raise NotImplementedError, "unsupported key type `#{type}'"
         end

data/lib/net/ssh/buffered_io.rb

@@ -1,6 +1,5 @@
 require 'net/ssh/buffer'
 require 'net/ssh/loggable'
-require 'net/ssh/ruby_compat'
 
 module Net 
   module SSH

data/lib/net/ssh/config.rb

@@ -11,6 +11,7 @@ module Net
     #
     # * ChallengeResponseAuthentication => maps to the :auth_methods option challenge-response (then coleasced into keyboard-interactive)
     # * KbdInteractiveAuthentication => maps to the :auth_methods keyboard-interactive
+    # * CertificateFile => maps to the :keycerts option
     # * Ciphers => maps to the :encryption option
     # * Compression => :compression
     # * CompressionLevel => :compression_level
@@ -33,6 +34,7 @@ module Net
     # * ProxyJump => maps to the :proxy option
     # * PubKeyAuthentication => maps to the :auth_methods option
     # * RekeyLimit => :rekey_limit
+    # * StrictHostKeyChecking => :strict_host_key_checking
     # * User => :user
     # * UserKnownHostsFile => :user_known_hosts_file
     # * NumberOfPasswordPrompts => :number_of_password_prompts
@@ -128,7 +130,7 @@ module Net
               block_seen = true
             elsif !block_seen
               case key
-              when 'identityfile'
+              when 'identityfile', 'certificatefile'
                 (globals[key] ||= []) << value
               when 'include'
                 included_file_paths(base_dir, value).each do |file_path|
@@ -139,7 +141,7 @@ module Net
               end
             elsif block_matched
               case key
-              when 'identityfile'
+              when 'identityfile', 'certificatefile'
                 (settings[key] ||= []) << value
               when 'include'
                 included_file_paths(base_dir, value).each do |file_path|
@@ -149,11 +151,18 @@ module Net
                 settings[key] = value unless settings.key?(key)
               end
             end
+
+            # ProxyCommand and ProxyJump override each other so they need to be tracked togeather
+            %w[proxyjump proxycommand].each do |proxy_key|
+              if (proxy_value = settings.delete(proxy_key))
+                settings['proxy'] ||= [proxy_key, proxy_value]
+              end
+            end
           end
 
           globals.merge(settings) do |key, oldval, newval|
             case key
-            when 'identityfile'
+            when 'identityfile', 'certificatefile'
               oldval + newval
             else
               newval
@@ -188,24 +197,26 @@ module Net
 
         private
 
+        TRANSLATE_CONFIG_KEY_RENAME_MAP = {
+          bindaddress: :bind_address,
+          compression: :compression,
+          compressionlevel: :compression_level,
+          certificatefile: :keycerts,
+          connecttimeout: :timeout,
+          forwardagent: :forward_agent,
+          identitiesonly: :keys_only,
+          identityagent: :identity_agent,
+          globalknownhostsfile: :global_known_hosts_file,
+          hostkeyalias: :host_key_alias,
+          identityfile: :keys,
+          fingerprinthash: :fingerprint_hash,
+          port: :port,
+          stricthostkeychecking: :strict_host_key_checking,
+          user: :user,
+          userknownhostsfile: :user_known_hosts_file,
+          checkhostip: :check_host_ip
+        }.freeze
         def translate_config_key(hash, key, value, settings)
-          rename = {
-            bindaddress: :bind_address,
-            compression: :compression,
-            compressionlevel: :compression_level,
-            connecttimeout: :timeout,
-            forwardagent: :forward_agent,
-            identitiesonly: :keys_only,
-            identityagent: :identity_agent,
-            globalknownhostsfile: :global_known_hosts_file,
-            hostkeyalias: :host_key_alias,
-            identityfile: :keys,
-            fingerprinthash: :fingerprint_hash,
-            port: :port,
-            user: :user,
-            userknownhostsfile: :user_known_hosts_file,
-            checkhostip: :check_host_ip
-          }
           case key
           when :ciphers
             hash[:encryption] = value.split(/,/)
@@ -250,15 +261,9 @@ module Net
             end
           when :preferredauthentications
             hash[:auth_methods] = value.split(/,/) # TODO we should place to preferred_auth_methods rather than auth_methods
-          when :proxycommand
-            if value and value !~ /^none$/
-              require 'net/ssh/proxy/command'
-              hash[:proxy] = Net::SSH::Proxy::Command.new(value)
-            end
-          when :proxyjump
-            if value
-              require 'net/ssh/proxy/jump'
-              hash[:proxy] = Net::SSH::Proxy::Jump.new(value)
+          when :proxy
+            if (proxy = setup_proxy(*value))
+              hash[:proxy] = proxy
             end
           when :pubkeyauthentication
             if value
@@ -271,10 +276,25 @@ module Net
           when :sendenv
             multi_send_env = value.to_s.split(/\s+/)
             hash[:send_env] = multi_send_env.map { |e| Regexp.new pattern2regex(e).source, false }
+          when :setenv
+            hash[:set_env] = Shellwords.split(value.to_s).map { |e| e.split '=', 2 }.to_h
           when :numberofpasswordprompts
             hash[:number_of_password_prompts] = value.to_i
-          when *rename.keys
-            hash[rename[key]] = value
+          when *TRANSLATE_CONFIG_KEY_RENAME_MAP.keys
+            hash[TRANSLATE_CONFIG_KEY_RENAME_MAP[key]] = value
+          end
+        end
+
+        def setup_proxy(type, value)
+          case type
+          when 'proxycommand'
+            if value !~ /^none$/
+              require 'net/ssh/proxy/command'
+              Net::SSH::Proxy::Command.new(value)
+            end
+          when 'proxyjump'
+            require 'net/ssh/proxy/jump'
+            Net::SSH::Proxy::Jump.new(value)
           end
         end
 
@@ -369,6 +389,5 @@ module Net
         end
       end
     end
-
   end
 end

data/lib/net/ssh/connection/channel.rb

@@ -2,8 +2,8 @@ require 'net/ssh/loggable'
 require 'net/ssh/connection/constants'
 require 'net/ssh/connection/term'
 
-module Net 
-  module SSH 
+module Net
+  module SSH
     module Connection
 
       # The channel abstraction. Multiple "channels" can be multiplexed onto a
@@ -530,6 +530,7 @@ module Net
           @remote_maximum_packet_size = max_packet
           connection.forward.agent(self) if connection.options[:forward_agent] && type == "session"
           forward_local_env(connection.options[:send_env]) if connection.options[:send_env]
+          set_remote_env(connection.options[:set_env]) if connection.options[:set_env]
           @on_confirm_open.call(self) if @on_confirm_open
         end
     
@@ -648,10 +649,14 @@ module Net
         def update_local_window_size(size)
           @local_window_size -= size
           if local_window_size < local_maximum_window_size / 2
-            connection.send_message(Buffer.from(:byte, CHANNEL_WINDOW_ADJUST,
-              :long, remote_id, :long, LOCAL_WINDOW_SIZE_INCREMENT))
+            connection.send_message(
+              Buffer.from(:byte, CHANNEL_WINDOW_ADJUST, :long, remote_id, :long, LOCAL_WINDOW_SIZE_INCREMENT)
+            )
             @local_window_size += LOCAL_WINDOW_SIZE_INCREMENT
-            @local_maximum_window_size += LOCAL_WINDOW_SIZE_INCREMENT if @local_maximum_window_size < @local_window_size || @local_maximum_window_size < GOOD_LOCAL_MAXIUMUM_WINDOW_SIZE
+
+            if @local_maximum_window_size < @local_window_size || @local_maximum_window_size < GOOD_LOCAL_MAXIUMUM_WINDOW_SIZE
+              @local_maximum_window_size += LOCAL_WINDOW_SIZE_INCREMENT
+            end
           end
         end
 
@@ -673,6 +678,13 @@ module Net
             end
           end
         end
+
+        # Set a +Hash+ of environment variables in the remote process' environment.
+        #
+        #   channel.set_remote_env foo: 'bar', baz: 'whale'
+        def set_remote_env(env)
+          env.each { |key, value| self.env(key, value) }
+        end
       end
 
     end

data/lib/net/ssh/connection/event_loop.rb

@@ -1,5 +1,4 @@
 require 'net/ssh/loggable'
-require 'net/ssh/ruby_compat'
 
 module Net 
   module SSH 

data/lib/net/ssh/connection/session.rb

@@ -1,5 +1,4 @@
 require 'net/ssh/loggable'
-require 'net/ssh/ruby_compat'
 require 'net/ssh/connection/channel'
 require 'net/ssh/connection/constants'
 require 'net/ssh/service/forward'
@@ -580,8 +579,10 @@ module Net
           info { "global request received: #{packet[:request_type]} #{packet[:want_reply]}" }
           callback = @on_global_request[packet[:request_type]]
           result = callback ? callback.call(packet[:request_data], packet[:want_reply]) : false
-    
-          raise "expected global request handler for `#{packet[:request_type]}' to return true, false, or :sent, but got #{result.inspect}" if result != :sent && result != true && result != false
+
+          if result != :sent && result != true && result != false
+            raise "expected global request handler for `#{packet[:request_type]}' to return true, false, or :sent, but got #{result.inspect}"
+          end
     
           if packet[:want_reply] && result != :sent
             msg = Buffer.from(:byte, result ? REQUEST_SUCCESS : REQUEST_FAILURE)
@@ -624,7 +625,9 @@ module Net
               failure = [err.code, err.reason]
             else
               channels[local_id] = channel
-              msg = Buffer.from(:byte, CHANNEL_OPEN_CONFIRMATION, :long, channel.remote_id, :long, channel.local_id, :long, channel.local_maximum_window_size, :long, channel.local_maximum_packet_size)
+              msg = Buffer.from(:byte, CHANNEL_OPEN_CONFIRMATION, :long, channel.remote_id, :long,
+                                channel.local_id, :long, channel.local_maximum_window_size, :long,
+                                channel.local_maximum_packet_size)
             end
           else
             failure = [3, "unknown channel type #{channel.type}"]

data/lib/net/ssh/key_factory.rb

@@ -18,14 +18,12 @@ module Net
     class KeyFactory
       # Specifies the mapping of SSH names to OpenSSL key classes.
       MAP = {
-        "dh"  => OpenSSL::PKey::DH,
-        "rsa" => OpenSSL::PKey::RSA,
-        "dsa" => OpenSSL::PKey::DSA
+        'dh'    => OpenSSL::PKey::DH,
+        'rsa'   => OpenSSL::PKey::RSA,
+        'dsa'   => OpenSSL::PKey::DSA,
+        'ecdsa' => OpenSSL::PKey::EC
       }
-      if defined?(OpenSSL::PKey::EC)
-        MAP["ecdsa"] = OpenSSL::PKey::EC
-        MAP["ed25519"] = Net::SSH::Authentication::ED25519::PrivKey if defined? Net::SSH::Authentication::ED25519
-      end
+      MAP["ed25519"] = Net::SSH::Authentication::ED25519::PrivKey if defined? Net::SSH::Authentication::ED25519
 
       class <<self
         # Fetch an OpenSSL key instance by its SSH name. It will be a new,
@@ -207,7 +205,7 @@ module Net
             return OpenSSLDSAKeyType
           elsif data.match(/-----BEGIN RSA PRIVATE KEY-----/)
             return OpenSSLRSAKeyType
-          elsif data.match(/-----BEGIN EC PRIVATE KEY-----/) && defined?(OpenSSL::PKey::EC)
+          elsif data.match(/-----BEGIN EC PRIVATE KEY-----/)
             return OpenSSLECKeyType
           elsif data.match(/-----BEGIN (.+) PRIVATE KEY-----/)
             raise OpenSSL::PKey::PKeyError, "not a supported key type '#{$1}'"