net-ssh 5.2.0 → 7.0.1

data/lib/net/ssh/authentication/session.rb

@@ -11,7 +11,6 @@ require 'net/ssh/authentication/methods/keyboard_interactive'
 module Net
   module SSH
     module Authentication
-
       # Raised if the current authentication method is not allowed
       class DisallowedMethod < Net::SSH::Exception
       end
@@ -42,7 +41,7 @@ module Net
 
         # Instantiates a new Authentication::Session object over the given
         # transport layer abstraction.
-        def initialize(transport, options={})
+        def initialize(transport, options = {})
           self.logger = transport.logger
           @transport = transport
 
@@ -55,7 +54,7 @@ module Net
         # Attempts to authenticate the given user, in preparation for the next
         # service request. Returns true if an authentication method succeeds in
         # authenticating the user, and false otherwise.
-        def authenticate(next_service, username, password=nil)
+        def authenticate(next_service, username, password = nil)
           debug { "beginning authentication of `#{username}'" }
 
           transport.send_message(transport.service_request("ssh-userauth"))
@@ -63,28 +62,30 @@ module Net
 
           key_manager = KeyManager.new(logger, options)
           keys.each { |key| key_manager.add(key) } unless keys.empty?
+          keycerts.each { |keycert| key_manager.add_keycert(keycert) } unless keycerts.empty?
           key_data.each { |key2| key_manager.add_key_data(key2) } unless key_data.empty?
           default_keys.each { |key| key_manager.add(key) } unless options.key?(:keys) || options.key?(:key_data)
 
           attempted = []
 
           @auth_methods.each do |name|
+            next unless @allowed_auth_methods.include?(name)
+
+            attempted << name
+
+            debug { "trying #{name}" }
             begin
-              next unless @allowed_auth_methods.include?(name)
-              attempted << name
-
-              debug { "trying #{name}" }
-              begin
-                auth_class = Methods.const_get(name.split(/\W+/).map { |p| p.capitalize }.join)
-                method = auth_class.new(self, key_manager: key_manager, password_prompt: options[:password_prompt])
-              rescue NameError
-                debug {"Mechanism #{name} was requested, but isn't a known type.  Ignoring it."}
-                next
-              end
-
-              return true if method.authenticate(next_service, username, password)
-            rescue Net::SSH::Authentication::DisallowedMethod
+              auth_class = Methods.const_get(name.split(/\W+/).map { |p| p.capitalize }.join)
+              method = auth_class.new(self,
+                                      key_manager: key_manager, password_prompt: options[:password_prompt],
+                                      pubkey_algorithms: options[:pubkey_algorithms] || nil)
+            rescue NameError
+              debug {"Mechanism #{name} was requested, but isn't a known type.  Ignoring it."}
+              next
             end
+
+            return true if method.authenticate(next_service, username, password)
+          rescue Net::SSH::Authentication::DisallowedMethod
           end
 
           error { "all authorization methods failed (tried #{attempted.join(', ')})" }
@@ -128,6 +129,7 @@ module Net
         def expect_message(type)
           message = next_message
           raise Net::SSH::Exception, "expected #{type}, got #{message.type} (#{message})" unless message.type == type
+
           message
         end
 
@@ -136,12 +138,8 @@ module Net
         # Returns an array of paths to the key files usually defined
         # by system default.
         def default_keys
-          if defined?(OpenSSL::PKey::EC)
-            %w[~/.ssh/id_ed25519 ~/.ssh/id_rsa ~/.ssh/id_dsa ~/.ssh/id_ecdsa
-               ~/.ssh2/id_ed25519 ~/.ssh2/id_rsa ~/.ssh2/id_dsa ~/.ssh2/id_ecdsa]
-          else
-            %w[~/.ssh/id_dsa ~/.ssh/id_rsa ~/.ssh2/id_dsa ~/.ssh2/id_rsa]
-          end
+          %w[~/.ssh/id_ed25519 ~/.ssh/id_rsa ~/.ssh/id_dsa ~/.ssh/id_ecdsa
+             ~/.ssh2/id_ed25519 ~/.ssh2/id_rsa ~/.ssh2/id_dsa ~/.ssh2/id_ecdsa]
         end
 
         # Returns an array of paths to the key files that should be used when
@@ -150,6 +148,12 @@ module Net
           Array(options[:keys])
         end
 
+        # Returns an array of paths to the keycert files that should be used when
+        # attempting any key-based authentication mechanism.
+        def keycerts
+          Array(options[:keycerts])
+        end
+
         # Returns an array of the key data that should be used when
         # attempting any key-based authentication mechanism.
         def key_data

data/lib/net/ssh/buffer.rb

@@ -1,4 +1,3 @@
-require 'net/ssh/ruby_compat'
 require 'net/ssh/transport/openssl'
 
 require 'net/ssh/authentication/certificate'
@@ -6,7 +5,6 @@ require 'net/ssh/authentication/ed25519_loader'
 
 module Net
   module SSH
-
     # Net::SSH::Buffer is a flexible class for building and parsing binary
     # data packets. It provides a stream-like interface for sequentially
     # reading data items from the buffer, as well as a useful helper method
@@ -72,7 +70,7 @@ module Net
 
       # Creates a new buffer, initialized to the given content. The position
       # is initialized to the beginning of the buffer.
-      def initialize(content="")
+      def initialize(content = String.new)
         @content = content.to_s
         @position = 0
       end
@@ -119,7 +117,7 @@ module Net
       # Resets the buffer, making it empty. Also, resets the read position to
       # 0.
       def clear!
-        @content = ""
+        @content = String.new
         @position = 0
       end
 
@@ -130,12 +128,12 @@ module Net
       # would otherwise tend to grow without bound.
       #
       # Returns the buffer object itself.
-      def consume!(n=position)
+      def consume!(n = position)
         if n >= length
           # optimize for a fairly common case
           clear!
         elsif n > 0
-          @content = @content[n..-1] || ""
+          @content = @content[n..-1] || String.new
           @position -= n
           @position = 0 if @position < 0
         end
@@ -173,7 +171,7 @@ module Net
       # Reads and returns the next +count+ bytes from the buffer, starting from
       # the read position. If +count+ is +nil+, this will return all remaining
       # text in the buffer. This method will increment the pointer.
-      def read(count=nil)
+      def read(count = nil)
         count ||= length
         count = length - @position if @position + count > length
         @position += count
@@ -182,7 +180,7 @@ module Net
 
       # Reads (as #read) and returns the given number of bytes from the buffer,
       # and then consumes (as #consume!) all data up to the new read position.
-      def read!(count=nil)
+      def read!(count = nil)
         data = read(count)
         consume!
         data
@@ -238,6 +236,7 @@ module Net
       def read_bignum
         data = read_string
         return unless data
+
         OpenSSL::BN.new(data, 2)
       end
 
@@ -284,6 +283,8 @@ module Net
             key.iqmp = iqmp
           end
           key
+        when /^ecdsa\-sha2\-(\w*)$/
+          OpenSSL::PKey::EC.read_keyblob($1, self)
         else
           raise Exception, "Cannot decode private key of type #{type}"
         end
@@ -296,42 +297,47 @@ module Net
         when /^(.*)-cert-v01@openssh\.com$/
           key = Net::SSH::Authentication::Certificate.read_certblob(self, $1)
         when /^ssh-dss$/
-          key = OpenSSL::PKey::DSA.new
-          if key.respond_to?(:set_pqg)
-            key.set_pqg(read_bignum, read_bignum, read_bignum)
-          else
-            key.p = read_bignum
-            key.q = read_bignum
-            key.g = read_bignum
-          end
-          if key.respond_to?(:set_key)
-            key.set_key(read_bignum, nil)
-          else
-            key.pub_key = read_bignum
-          end
+          p = read_bignum
+          q = read_bignum
+          g = read_bignum
+          pub_key = read_bignum
+
+          asn1 = OpenSSL::ASN1::Sequence.new(
+            [
+              OpenSSL::ASN1::Sequence.new(
+                [
+                  OpenSSL::ASN1::ObjectId.new('DSA'),
+                  OpenSSL::ASN1::Sequence.new(
+                    [
+                      OpenSSL::ASN1::Integer.new(p),
+                      OpenSSL::ASN1::Integer.new(q),
+                      OpenSSL::ASN1::Integer.new(g)
+                    ]
+                  )
+                ]
+              ),
+              OpenSSL::ASN1::BitString.new(OpenSSL::ASN1::Integer.new(pub_key).to_der)
+            ]
+          )
+
+          key = OpenSSL::PKey::DSA.new(asn1.to_der)
         when /^ssh-rsa$/
-          key = OpenSSL::PKey::RSA.new
-          if key.respond_to?(:set_key)
-            e = read_bignum
-            n = read_bignum
-            key.set_key(n, e, nil)
-          else
-            key.e = read_bignum
-            key.n = read_bignum
-          end
+          e = read_bignum
+          n = read_bignum
+
+          asn1 = OpenSSL::ASN1::Sequence(
+            [
+              OpenSSL::ASN1::Integer(n),
+              OpenSSL::ASN1::Integer(e)
+            ]
+          )
+
+          key = OpenSSL::PKey::RSA.new(asn1.to_der)
         when /^ssh-ed25519$/
           Net::SSH::Authentication::ED25519Loader.raiseUnlessLoaded("unsupported key type `#{type}'")
           key = Net::SSH::Authentication::ED25519::PubKey.read_keyblob(self)
         when /^ecdsa\-sha2\-(\w*)$/
-          unless defined?(OpenSSL::PKey::EC)
-            raise NotImplementedError, "unsupported key type `#{type}'"
-          else
-            begin
-              key = OpenSSL::PKey::EC.read_keyblob($1, self)
-            rescue OpenSSL::PKey::ECError
-              raise NotImplementedError, "unsupported key type `#{type}'"
-            end
-          end
+          key = OpenSSL::PKey::EC.read_keyblob($1, self)
         else
           raise NotImplementedError, "unsupported key type `#{type}'"
         end
@@ -355,7 +361,12 @@ module Net
       # Optimized version of write where the caller gives up ownership of string
       # to the method. This way we can mutate the string.
       def write_moved(string)
-        @content << string.force_encoding('BINARY')
+        @content <<
+          if string.frozen?
+            string.dup.force_encoding('BINARY')
+          else
+            string.force_encoding('BINARY')
+          end
         self
       end
 

data/lib/net/ssh/buffered_io.rb

@@ -1,10 +1,8 @@
 require 'net/ssh/buffer'
 require 'net/ssh/loggable'
-require 'net/ssh/ruby_compat'
 
-module Net 
+module Net
   module SSH
-
     # This module is used to extend sockets and other IO objects, to allow
     # them to be buffered for both read and write. This abstraction makes it
     # quite easy to write a select-based event loop
@@ -49,19 +47,19 @@ module Net
     #   end
     module BufferedIo
       include Loggable
-  
+
       # Called when the #extend is called on an object, with this module as the
       # argument. It ensures that the modules instance variables are all properly
       # initialized.
-      def self.extended(object) #:nodoc:
+      def self.extended(object) # :nodoc:
         # need to use __send__ because #send is overridden in Socket
         object.__send__(:initialize_buffered_io)
       end
-  
+
       # Tries to read up to +n+ bytes of data from the remote end, and appends
       # the data to the input buffer. It returns the number of bytes read, or 0
       # if no data was available to be read.
-      def fill(n=8192)
+      def fill(n = 8192)
         input.consume!
         data = recv(n)
         debug { "read #{data.length} bytes" }
@@ -71,31 +69,31 @@ module Net
         @input_errors << e
         return 0
       end
-  
+
       # Read up to +length+ bytes from the input buffer. If +length+ is nil,
       # all available data is read from the buffer. (See #available.)
-      def read_available(length=nil)
+      def read_available(length = nil)
         input.read(length || available)
       end
-  
+
       # Returns the number of bytes available to be read from the input buffer.
       # (See #read_available.)
       def available
         input.available
       end
-  
+
       # Enqueues data in the output buffer, to be written when #send_pending
       # is called. Note that the data is _not_ sent immediately by this method!
       def enqueue(data)
         output.append(data)
       end
-  
+
       # Returns +true+ if there is data waiting in the output buffer, and
       # +false+ otherwise.
       def pending_write?
         output.length > 0
       end
-  
+
       # Sends as much of the pending output as possible. Returns +true+ if any
       # data was sent, and +false+ otherwise.
       def send_pending
@@ -108,7 +106,7 @@ module Net
           return false
         end
       end
-  
+
       # Calls #send_pending repeatedly, if necessary, blocking until the output
       # buffer is empty.
       def wait_for_pending_sends
@@ -116,31 +114,32 @@ module Net
         while output.length > 0
           result = IO.select(nil, [self]) or next
           next unless result[1].any?
+
           send_pending
         end
       end
-  
+
       public # these methods are primarily for use in tests
-  
-      def write_buffer #:nodoc:
+
+      def write_buffer # :nodoc:
         output.to_s
       end
-  
-      def read_buffer #:nodoc:
+
+      def read_buffer # :nodoc:
         input.to_s
       end
-  
+
       private
-  
+
       #--
       # Can't use attr_reader here (after +private+) without incurring the
       # wrath of "ruby -w". We hates it.
       #++
-  
+
       def input; @input; end
 
       def output; @output; end
-  
+
       # Initializes the intput and output buffers for this object. This method
       # is called automatically when the module is mixed into an object via
       # Object#extend (see Net::SSH::BufferedIo.extended), but must be called
@@ -167,7 +166,7 @@ module Net
     #    http://github.com/net-ssh/net-ssh/tree/portfwfix
     #
     module ForwardedBufferedIo
-      def fill(n=8192)
+      def fill(n = 8192)
         begin
           super(n)
         rescue Errno::ECONNRESET => e
@@ -182,7 +181,7 @@ module Net
           end
         end
       end
-  
+
       def send_pending
         begin
           super
@@ -199,6 +198,5 @@ module Net
         end
       end
     end
-
   end
 end

data/lib/net/ssh/config.rb

@@ -1,6 +1,5 @@
 module Net
   module SSH
-
     # The Net::SSH::Config class is used to parse OpenSSH configuration files,
     # and translates that syntax into the configuration syntax that Net::SSH
     # understands. This lets Net::SSH scripts read their configuration (to
@@ -11,6 +10,7 @@ module Net
     #
     # * ChallengeResponseAuthentication => maps to the :auth_methods option challenge-response (then coleasced into keyboard-interactive)
     # * KbdInteractiveAuthentication => maps to the :auth_methods keyboard-interactive
+    # * CertificateFile => maps to the :keycerts option
     # * Ciphers => maps to the :encryption option
     # * Compression => :compression
     # * CompressionLevel => :compression_level
@@ -33,6 +33,7 @@ module Net
     # * ProxyJump => maps to the :proxy option
     # * PubKeyAuthentication => maps to the :auth_methods option
     # * RekeyLimit => :rekey_limit
+    # * StrictHostKeyChecking => :verify_host_key
     # * User => :user
     # * UserKnownHostsFile => :user_known_hosts_file
     # * NumberOfPasswordPrompts => :number_of_password_prompts
@@ -64,7 +65,7 @@ module Net
         # given +files+ (defaulting to the list of files returned by
         # #default_files), translates the resulting hash into the options
         # recognized by Net::SSH, and returns them.
-        def for(host, files=expandable_default_files)
+        def for(host, files = expandable_default_files)
           translate(files.inject({}) { |settings, file|
             load(file, host, settings)
           })
@@ -76,7 +77,7 @@ module Net
         # ones. Returns a hash containing the OpenSSH options. (See
         # #translate for how to convert the OpenSSH options into Net::SSH
         # options.)
-        def load(path, host, settings={}, base_dir = nil)
+        def load(path, host, settings = {}, base_dir = nil)
           file = File.expand_path(path)
           base_dir ||= File.dirname(file)
           return settings unless File.readable?(file)
@@ -128,7 +129,7 @@ module Net
               block_seen = true
             elsif !block_seen
               case key
-              when 'identityfile'
+              when 'identityfile', 'certificatefile'
                 (globals[key] ||= []) << value
               when 'include'
                 included_file_paths(base_dir, value).each do |file_path|
@@ -139,7 +140,7 @@ module Net
               end
             elsif block_matched
               case key
-              when 'identityfile'
+              when 'identityfile', 'certificatefile'
                 (settings[key] ||= []) << value
               when 'include'
                 included_file_paths(base_dir, value).each do |file_path|
@@ -149,11 +150,18 @@ module Net
                 settings[key] = value unless settings.key?(key)
               end
             end
+
+            # ProxyCommand and ProxyJump override each other so they need to be tracked togeather
+            %w[proxyjump proxycommand].each do |proxy_key|
+              if (proxy_value = settings.delete(proxy_key))
+                settings['proxy'] ||= [proxy_key, proxy_value]
+              end
+            end
           end
 
           globals.merge(settings) do |key, oldval, newval|
             case key
-            when 'identityfile'
+            when 'identityfile', 'certificatefile'
               oldval + newval
             else
               newval
@@ -177,36 +185,57 @@ module Net
         # Filters default_files down to the files that are expandable.
         def expandable_default_files
           default_files.keep_if do |path|
-            begin
-              File.expand_path(path)
-              true
-            rescue ArgumentError
-              false
-            end
+            File.expand_path(path)
+            true
+          rescue ArgumentError
+            false
           end
         end
 
         private
 
+        def translate_verify_host_key(value)
+          case value
+          when false
+            :never
+          when true
+            :always
+          when 'accept-new'
+            :accept_new
+          end
+        end
+
+        def translate_keepalive(hash, value)
+          if value && value.to_i > 0
+            hash[:keepalive] = true
+            hash[:keepalive_interval] = value.to_i
+          else
+            hash[:keepalive] = false
+          end
+        end
+
+        TRANSLATE_CONFIG_KEY_RENAME_MAP = {
+          bindaddress: :bind_address,
+          compression: :compression,
+          compressionlevel: :compression_level,
+          certificatefile: :keycerts,
+          connecttimeout: :timeout,
+          forwardagent: :forward_agent,
+          identitiesonly: :keys_only,
+          identityagent: :identity_agent,
+          globalknownhostsfile: :global_known_hosts_file,
+          hostkeyalias: :host_key_alias,
+          identityfile: :keys,
+          fingerprinthash: :fingerprint_hash,
+          port: :port,
+          user: :user,
+          userknownhostsfile: :user_known_hosts_file,
+          checkhostip: :check_host_ip
+        }.freeze
         def translate_config_key(hash, key, value, settings)
-          rename = {
-            bindaddress: :bind_address,
-            compression: :compression,
-            compressionlevel: :compression_level,
-            connecttimeout: :timeout,
-            forwardagent: :forward_agent,
-            identitiesonly: :keys_only,
-            identityagent: :identity_agent,
-            globalknownhostsfile: :global_known_hosts_file,
-            hostkeyalias: :host_key_alias,
-            identityfile: :keys,
-            fingerprinthash: :fingerprint_hash,
-            port: :port,
-            user: :user,
-            userknownhostsfile: :user_known_hosts_file,
-            checkhostip: :check_host_ip
-          }
           case key
+          when :stricthostkeychecking
+            hash[:verify_host_key] = translate_verify_host_key(value)
           when :ciphers
             hash[:encryption] = value.split(/,/)
           when :hostbasedauthentication
@@ -224,12 +253,7 @@ module Net
           when :serveralivecountmax
             hash[:keepalive_maxcount] = value.to_i if value
           when :serveraliveinterval
-            if value && value.to_i > 0
-              hash[:keepalive] = true
-              hash[:keepalive_interval] = value.to_i
-            else
-              hash[:keepalive] = false
-            end
+            translate_keepalive(hash, value)
           when :passwordauthentication
             if value
               (hash[:auth_methods] << 'password').uniq!
@@ -250,15 +274,9 @@ module Net
             end
           when :preferredauthentications
             hash[:auth_methods] = value.split(/,/) # TODO we should place to preferred_auth_methods rather than auth_methods
-          when :proxycommand
-            if value and value !~ /^none$/
-              require 'net/ssh/proxy/command'
-              hash[:proxy] = Net::SSH::Proxy::Command.new(value)
-            end
-          when :proxyjump
-            if value
-              require 'net/ssh/proxy/jump'
-              hash[:proxy] = Net::SSH::Proxy::Jump.new(value)
+          when :proxy
+            if (proxy = setup_proxy(*value))
+              hash[:proxy] = proxy
             end
           when :pubkeyauthentication
             if value
@@ -271,10 +289,25 @@ module Net
           when :sendenv
             multi_send_env = value.to_s.split(/\s+/)
             hash[:send_env] = multi_send_env.map { |e| Regexp.new pattern2regex(e).source, false }
+          when :setenv
+            hash[:set_env] = Shellwords.split(value.to_s).map { |e| e.split '=', 2 }.to_h
           when :numberofpasswordprompts
             hash[:number_of_password_prompts] = value.to_i
-          when *rename.keys
-            hash[rename[key]] = value
+          when *TRANSLATE_CONFIG_KEY_RENAME_MAP.keys
+            hash[TRANSLATE_CONFIG_KEY_RENAME_MAP[key]] = value
+          end
+        end
+
+        def setup_proxy(type, value)
+          case type
+          when 'proxycommand'
+            if value !~ /^none$/
+              require 'net/ssh/proxy/command'
+              Net::SSH::Proxy::Command.new(value)
+            end
+          when 'proxyjump'
+            require 'net/ssh/proxy/jump'
+            Net::SSH::Proxy::Jump.new(value)
           end
         end
 
@@ -282,9 +315,9 @@ module Net
         # host names.
         def pattern2regex(pattern)
           tail = pattern
-          prefix = ""
+          prefix = String.new
           while !tail.empty? do
-            head,sep,tail = tail.partition(/[\*\?]/)
+            head, sep, tail = tail.partition(/[\*\?]/)
             prefix = prefix + Regexp.quote(head)
             case sep
             when '*'
@@ -338,7 +371,7 @@ module Net
 
           conditions = conditions.each_slice(2)
           condition_matches = []
-          conditions.each do |(kind,exprs)|
+          conditions.each do |(kind, exprs)|
             exprs = unquote(exprs)
 
             case kind.downcase
@@ -369,6 +402,5 @@ module Net
         end
       end
     end
-
   end
 end