net-ssh 5.2.0 → 6.0.0

data/lib/net/ssh/known_hosts.rb

@@ -41,14 +41,11 @@ module Net
     # This is used internally by Net::SSH, and will never need to be used directly
     # by consumers of the library.
     class KnownHosts
-      if defined?(OpenSSL::PKey::EC)
-        SUPPORTED_TYPE = %w[ssh-rsa ssh-dss
-                            ecdsa-sha2-nistp256
-                            ecdsa-sha2-nistp384
-                            ecdsa-sha2-nistp521]
-      else
-        SUPPORTED_TYPE = %w[ssh-rsa ssh-dss]
-      end
+      SUPPORTED_TYPE = %w[ssh-rsa ssh-dss
+                          ecdsa-sha2-nistp256
+                          ecdsa-sha2-nistp384
+                          ecdsa-sha2-nistp521]
+
       SUPPORTED_TYPE.push('ssh-ed25519') if Net::SSH::Authentication::ED25519Loader::LOADED
 
       class <<self
@@ -78,7 +75,9 @@ module Net
 
           files += Array(options[:user_known_hosts_file] || %w[~/.ssh/known_hosts ~/.ssh/known_hosts2]) if which == :all || which == :user
 
-          files += Array(options[:global_known_hosts_file] || %w[/etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2]) if which == :all || which == :global
+          if which == :all || which == :global
+            files += Array(options[:global_known_hosts_file] || %w[/etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2])
+          end
 
           return files
         end
@@ -130,27 +129,22 @@ module Net
         host_ip = entries[1]
 
         File.open(source) do |file|
-          scanner = StringScanner.new("")
           file.each_line do |line|
-            scanner.string = line
+            hosts, type, key_content = line.split(' ')
+            # Skip empty line or one that is commented
+            next if hosts.nil? || hosts.start_with?('#')
 
-            scanner.skip(/\s*/)
-            next if scanner.match?(/$|#/)
+            hostlist = hosts.split(',')
+
+            next unless SUPPORTED_TYPE.include?(type)
 
-            hostlist = scanner.scan(/\S+/).split(/,/)
             found = hostlist.any? { |pattern| match(host_name, pattern) } || known_host_hash?(hostlist, entries)
             next unless found
 
             found = hostlist.include?(host_ip) if options[:check_host_ip] && entries.size > 1 && hostlist.size > 1
             next unless found
 
-            scanner.skip(/\s*/)
-            type = scanner.scan(/\S+/)
-
-            next unless SUPPORTED_TYPE.include?(type)
-
-            scanner.skip(/\s*/)
-            blob = scanner.rest.unpack("m*").first
+            blob = key_content.unpack("m*").first
             keys << Net::SSH::Buffer.new(blob).read_key
           end
         end
@@ -159,14 +153,18 @@ module Net
       end
 
       def match(host, pattern)
-        # see man 8 sshd for pattern details
-        pattern_regexp = pattern.split('*').map do |x|
-          x.split('?').map do |y|
-            Regexp.escape(y)
-          end.join('.')
-        end.join('[^.]*')
-
-        host =~ Regexp.new("\\A#{pattern_regexp}\\z")
+        if pattern.include?('*') || pattern.include?('?')
+          # see man 8 sshd for pattern details
+          pattern_regexp = pattern.split('*').map do |x|
+            x.split('?').map do |y|
+              Regexp.escape(y)
+            end.join('.')
+          end.join('[^.]*')
+
+          host =~ Regexp.new("\\A#{pattern_regexp}\\z")
+        else
+          host == pattern
+        end
       end
 
       # Indicates whether one of the entries matches an hostname that has been

data/lib/net/ssh/loggable.rb

@@ -56,8 +56,8 @@ module Net
       # originates. It defaults to the name of class with the object_id
       # appended.
       def facility
-        @facility ||= self.class.name.gsub(/::/, ".").gsub(/([a-z])([A-Z])/, "\\1_\\2").downcase + "[%x]" % object_id
+        @facility ||= self.class.to_s.gsub(/::/, ".").gsub(/([a-z])([A-Z])/, "\\1_\\2").downcase + "[%x]" % object_id
       end
     end
   end
-end
+end

data/lib/net/ssh/proxy/command.rb

@@ -1,7 +1,6 @@
 require 'socket'
 require 'rubygems'
 require 'net/ssh/proxy/errors'
-require 'net/ssh/ruby_compat'
 
 module Net
   module SSH

data/lib/net/ssh/proxy/socks5.rb

@@ -1,5 +1,4 @@
 require 'socket'
-require 'net/ssh/ruby_compat'
 require 'net/ssh/proxy/errors'
 
 module Net

data/lib/net/ssh/service/forward.rb

@@ -85,7 +85,8 @@ module Net
             client = server.accept
             debug { "received connection on #{socket}" }
 
-            channel = session.open_channel("direct-tcpip", :string, remote_host, :long, remote_port, :string, bind_address, local_port_type, local_port) do |achannel|
+            channel = session.open_channel("direct-tcpip", :string, remote_host, :long,
+                                           remote_port, :string, bind_address, local_port_type, local_port) do |achannel|
               achannel.info { "direct channel established" }
             end
 

data/lib/net/ssh/test.rb

@@ -74,7 +74,7 @@ module Net
       def transport(options={})
         @transport ||= Net::SSH::Transport::Session.new(
           options[:host] || "localhost",
-          options.merge(kex: "test", host_key: "ssh-rsa", verify_host_key: :never, proxy: socket(options))
+          options.merge(kex: "test", host_key: "ssh-rsa", append_all_supported_algorithms: true, verify_host_key: :never, proxy: socket(options))
         )
       end
 
@@ -86,7 +86,8 @@ module Net
       def assert_scripted
         raise "there is no script to be processed" if socket.script.events.empty?
         Net::SSH::Test::Extensions::IO.with_test_extension { yield }
-        assert socket.script.events.empty?, "there should not be any remaining scripted events, but there are still #{socket.script.events.length} pending"
+        assert socket.script.events.empty?, "there should not be any remaining scripted events, but there are still" \
+                                            "#{socket.script.events.length} pending"
       end
     end
 

data/lib/net/ssh/transport/algorithms.rb

@@ -5,13 +5,13 @@ require 'net/ssh/transport/cipher_factory'
 require 'net/ssh/transport/constants'
 require 'net/ssh/transport/hmac'
 require 'net/ssh/transport/kex'
+require 'net/ssh/transport/kex/curve25519_sha256_loader'
 require 'net/ssh/transport/server_version'
 require 'net/ssh/authentication/ed25519_loader'
 
 module Net
   module SSH
     module Transport
-
       # Implements the higher-level logic behind an SSH key-exchange. It handles
       # both the initial exchange, as well as subsequent re-exchanges (as needed).
       # It also encapsulates the negotiation of the algorithms, and provides a
@@ -23,56 +23,72 @@ module Net
         include Loggable
         include Constants
 
-        # Define the default algorithms, in order of preference, supported by
-        # Net::SSH.
-        ALGORITHMS = {
-          host_key: %w[ssh-rsa-cert-v01@openssh.com
+        # Define the default algorithms, in order of preference, supported by Net::SSH.
+        DEFAULT_ALGORITHMS = {
+          host_key: %w[ecdsa-sha2-nistp521-cert-v01@openssh.com
+                       ecdsa-sha2-nistp384-cert-v01@openssh.com
+                       ecdsa-sha2-nistp256-cert-v01@openssh.com
+                       ecdsa-sha2-nistp521
+                       ecdsa-sha2-nistp384
+                       ecdsa-sha2-nistp256
+                       ssh-rsa-cert-v01@openssh.com
                        ssh-rsa-cert-v00@openssh.com
-                       ssh-rsa ssh-dss],
-          kex: %w[diffie-hellman-group-exchange-sha256
-                  diffie-hellman-group-exchange-sha1
-                  diffie-hellman-group14-sha1
+                       ssh-rsa],
+
+          kex: %w[ecdh-sha2-nistp521
+                  ecdh-sha2-nistp384
+                  ecdh-sha2-nistp256
+                  diffie-hellman-group-exchange-sha256
+                  diffie-hellman-group14-sha1],
+
+          encryption: %w[aes256-ctr aes192-ctr aes128-ctr],
+
+          hmac: %w[hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com
+                   hmac-sha2-512 hmac-sha2-256
+                   hmac-sha1]
+        }.freeze
+
+        if Net::SSH::Authentication::ED25519Loader::LOADED
+          DEFAULT_ALGORITHMS[:host_key].unshift(
+            'ssh-ed25519-cert-v01@openssh.com',
+            'ssh-ed25519'
+          )
+        end
+
+        if Net::SSH::Transport::Kex::Curve25519Sha256Loader::LOADED
+          DEFAULT_ALGORITHMS[:kex].unshift(
+            'curve25519-sha256',
+            'curve25519-sha256@libssh.org'
+          )
+        end
+
+        # Define all algorithms, with the deprecated, supported by Net::SSH.
+        ALGORITHMS = {
+          host_key: DEFAULT_ALGORITHMS[:host_key] + %w[ssh-dss],
+
+          kex: DEFAULT_ALGORITHMS[:kex] +
+               %w[diffie-hellman-group-exchange-sha1
                   diffie-hellman-group1-sha1],
-          encryption: %w[aes256-ctr aes192-ctr aes128-ctr
-                         aes256-cbc aes192-cbc aes128-cbc
+
+          encryption: DEFAULT_ALGORITHMS[:encryption] +
+                      %w[aes256-cbc aes192-cbc aes128-cbc
                          rijndael-cbc@lysator.liu.se
                          blowfish-ctr blowfish-cbc
                          cast128-ctr cast128-cbc
                          3des-ctr 3des-cbc
-                         idea-cbc arcfour256 arcfour128 arcfour
+                         idea-cbc
                          none],
 
-          hmac: %w[hmac-sha2-512 hmac-sha2-256
-                   hmac-sha2-512-96 hmac-sha2-256-96
-                   hmac-sha1 hmac-sha1-96
+          hmac: DEFAULT_ALGORITHMS[:hmac] +
+                %w[hmac-sha2-512-96 hmac-sha2-256-96
+                   hmac-sha1-96
                    hmac-ripemd160 hmac-ripemd160@openssh.com
                    hmac-md5 hmac-md5-96
                    none],
 
           compression: %w[none zlib@openssh.com zlib],
           language: %w[]
-        }
-        if defined?(OpenSSL::PKey::EC)
-          ALGORITHMS[:host_key].unshift(
-            "ecdsa-sha2-nistp521-cert-v01@openssh.com",
-            "ecdsa-sha2-nistp384-cert-v01@openssh.com",
-            "ecdsa-sha2-nistp256-cert-v01@openssh.com",
-            "ecdsa-sha2-nistp521",
-            "ecdsa-sha2-nistp384",
-            "ecdsa-sha2-nistp256"
-          )
-          if Net::SSH::Authentication::ED25519Loader::LOADED
-            ALGORITHMS[:host_key].unshift(
-              "ssh-ed25519-cert-v01@openssh.com",
-              "ssh-ed25519"
-            )
-          end
-          ALGORITHMS[:kex].unshift(
-            "ecdh-sha2-nistp521",
-            "ecdh-sha2-nistp384",
-            "ecdh-sha2-nistp256"
-          )
-        end
+        }.freeze
 
         # The underlying transport layer session that supports this object
         attr_reader :session
@@ -140,6 +156,7 @@ module Net
         # Start the algorithm negotation
         def start
           raise ArgumentError, "Cannot call start if it's negotiation started or done" if @pending || @initialized
+
           send_kexinit
         end
 
@@ -197,8 +214,8 @@ module Net
 
         def host_key_format
           case host_key
-          when "ssh-rsa-cert-v01@openssh.com", "ssh-rsa-cert-v00@openssh.com"
-            "ssh-rsa"
+          when /^([a-z0-9-]+)-cert-v\d{2}@openssh.com$/
+            Regexp.last_match[1]
           else
             host_key
           end
@@ -239,7 +256,10 @@ module Net
           options[:compression] = %w[zlib@openssh.com zlib] if options[:compression] == true
 
           ALGORITHMS.each do |algorithm, supported|
-            algorithms[algorithm] = compose_algorithm_list(supported, options[algorithm], options[:append_all_supported_algorithms])
+            algorithms[algorithm] = compose_algorithm_list(
+              supported, options[algorithm] || DEFAULT_ALGORITHMS[algorithm],
+              options[:append_all_supported_algorithms]
+            )
           end
 
           # for convention, make sure our list has the same keys as the server
@@ -356,7 +376,8 @@ module Net
 
           debug do
             "negotiated:\n" +
-              %i[kex host_key encryption_server encryption_client hmac_client hmac_server compression_client compression_server language_client language_server].map do |key|
+              %i[kex host_key encryption_server encryption_client hmac_client hmac_server
+                 compression_client compression_server language_client language_server].map do |key|
                 "* #{key}: #{instance_variable_get("@#{key}")}"
               end.join("\n")
           end
@@ -368,7 +389,11 @@ module Net
         def negotiate(algorithm)
           match = self[algorithm].find { |item| @server_data[algorithm].include?(item) }
 
-          raise Net::SSH::Exception, "could not settle on #{algorithm} algorithm" if match.nil?
+          if match.nil?
+            raise Net::SSH::Exception, "could not settle on #{algorithm} algorithm\n"\
+              "Server #{algorithm} preferences: #{@server_data[algorithm].join(',')}\n"\
+              "Client #{algorithm} preferences: #{self[algorithm].join(',')}"
+          end
 
           return match
         end

data/lib/net/ssh/transport/cipher_factory.rb

@@ -19,30 +19,17 @@ module Net
           "idea-cbc"                    => "idea-cbc",
           "cast128-cbc"                 => "cast-cbc",
           "rijndael-cbc@lysator.liu.se" => "aes-256-cbc",
-          "arcfour128"                  => "rc4",
-          "arcfour256"                  => "rc4",
-          "arcfour512"                  => "rc4",
-          "arcfour"                     => "rc4",
-    
           "3des-ctr"                    => "des-ede3",
           "blowfish-ctr"                => "bf-ecb",
-    
-          "aes256-ctr"                  => ::OpenSSL::Cipher.ciphers.include?("aes-256-ctr") ? "aes-256-ctr" : "aes-256-ecb",
-          "aes192-ctr"                  => ::OpenSSL::Cipher.ciphers.include?("aes-192-ctr") ? "aes-192-ctr" : "aes-192-ecb",
-          "aes128-ctr"                  => ::OpenSSL::Cipher.ciphers.include?("aes-128-ctr") ? "aes-128-ctr" : "aes-128-ecb",
-          "cast128-ctr"                 => "cast5-ecb",
-    
-          "none"                        => "none"
-        }
-    
-        # Ruby's OpenSSL bindings always return a key length of 16 for RC4 ciphers
-        # resulting in the error: OpenSSL::CipherError: key length too short.
-        # The following ciphers will override this key length.
-        KEY_LEN_OVERRIDE = {
-          "arcfour256"                  => 32,
-          "arcfour512"                  => 64
+
+          'aes256-ctr'                  => 'aes-256-ctr',
+          'aes192-ctr'                  => 'aes-192-ctr',
+          'aes128-ctr'                  => 'aes-128-ctr',
+          'cast128-ctr'                 => 'cast5-ecb',
+
+          'none'                        => 'none'
         }
-    
+
         # Returns true if the underlying OpenSSL library supports the given cipher,
         # and false otherwise.
         def self.supported?(name)
@@ -72,12 +59,11 @@ module Net
               cipher = Net::SSH::Transport::OpenSSLAESCTR.new(cipher)
             end
           end
-          cipher.iv = Net::SSH::Transport::KeyExpander.expand_key(cipher.iv_len, options[:iv], options) if ossl_name != "rc4"
+          cipher.iv = Net::SSH::Transport::KeyExpander.expand_key(cipher.iv_len, options[:iv], options)
     
-          key_len = KEY_LEN_OVERRIDE[name] || cipher.key_len
+          key_len = cipher.key_len
           cipher.key_len = key_len
           cipher.key = Net::SSH::Transport::KeyExpander.expand_key(key_len, options[:key], options)
-          cipher.update(" " * 1536) if (ossl_name == "rc4" && name != "arcfour")
     
           return cipher
         end
@@ -94,13 +80,11 @@ module Net
             result << 0 if options[:iv_len]
           else
             cipher = OpenSSL::Cipher.new(ossl_name)
-            key_len = KEY_LEN_OVERRIDE[name] || cipher.key_len
+            key_len = cipher.key_len
             cipher.key_len = key_len
     
             block_size =
               case ossl_name
-              when "rc4"
-                8
               when /\-ctr/
                 Net::SSH::Transport::OpenSSLAESCTR.block_size
               else

data/lib/net/ssh/transport/constants.rb

@@ -2,11 +2,10 @@ module Net
   module SSH 
     module Transport
       module Constants
-    
         #--
         # Transport layer generic messages
         #++
-    
+
         DISCONNECT                = 1
         IGNORE                    = 2
         UNIMPLEMENTED             = 3
@@ -17,19 +16,24 @@ module Net
         #--
         # Algorithm negotiation messages
         #++
-    
+
         KEXINIT                   = 20
         NEWKEYS                   = 21
-    
+
         #--
         # Key exchange method specific messages
         #++
-    
+
         KEXDH_INIT                = 30
         KEXDH_REPLY               = 31
-    
+
         KEXECDH_INIT              = 30
         KEXECDH_REPLY             = 31
+
+        KEXDH_GEX_GROUP           = 31
+        KEXDH_GEX_INIT            = 32
+        KEXDH_GEX_REPLY           = 33
+        KEXDH_GEX_REQUEST         = 34
       end
     end
   end

data/lib/net/ssh/transport/ctr.rb

@@ -88,14 +88,8 @@ module Net::SSH::Transport
         end
 
         def final
-          unless @remaining.empty?
-            s = xor!(@remaining, _update(@counter))
-          else
-            s = ""
-          end
-
+          s = @remaining.empty? ? '' : xor!(@remaining, _update(@counter))
           @remaining = ""
-
           s
         end