net-ssh 6.0.0 → 7.0.1

data/CHANGES.txt

@@ -1,3 +1,40 @@
+=== 6.3.0 beta1
+
+  * Support cert based host key auth, fix asterisk in known_hosts [#833]
+  * Support kex dh-group14-sha256  [#795]
+  * Fix StrictHostKeyChecking ssh config parameter translation [#765]
+
+=== 6.2.0 rc1
+
+=== 6.2.0 beta1
+
+  * rsa-sha2-512, rsa-sha2-256 host_key algs [#771]
+  * JRuby aes*-ctr suppport [#767]
+
+=== 6.1.0
+
+  * Adapt to ssh's default behaviors when no username is provided.
+    When Net::SSH.start user is nil and config has no entry
+    we default to Etc.getpwuid.name() instead of Etc.getlogin(). [#749]
+
+=== 6.1.0.rc1
+
+  * Make sha2-{256,512}-etm@openssh.com MAC default again [#761]
+  * Support algorithm subtraction syntax from ssh_config [#751]
+
+=== 6.0.2
+
+  * Fix corrupted hmac issue in etm hmac [#759]
+
+=== 6.0.1
+
+  * Make sha2-{256,512}-etm@openssh.com MAC opt-in as they seems to have issues [#757]
+
+=== 6.0.0
+
+  * Support empty lines and comments in known_hosts [donoghuc, #742]
+  * Add sha2-{256,512}-etm@openssh.com MAC algorithms [graaff, #714]
+
 === 6.0.0 beta2
   
   * Support :certkeys and CertificateFile configuration option  [Anders Carling, #722]
@@ -12,7 +49,7 @@
 === 5.2.0.rc3
 
   * Fix check_host_ip read from config
-  * Support ssh-ed25519 in kown hosts
+  * Support ssh-ed25519 in known hosts
 
 === 5.2.0.rc2
 
@@ -35,7 +72,7 @@
 
 === 5.0.2
 
-  * fix ctr for jruby [#612]
+  * Fix ctr for jruby [#612]
 
 === 5.0.1
 

data/Dockerfile

@@ -0,0 +1,27 @@
+ARG RUBY_VERSION=3.1
+FROM ruby:${RUBY_VERSION}
+
+RUN apt update && apt install -y openssh-server sudo netcat \
+  && useradd --create-home --shell '/bin/bash' --comment 'NetSSH' 'net_ssh_1' \
+  && useradd --create-home --shell '/bin/bash' --comment 'NetSSH' 'net_ssh_2' \
+  && echo net_ssh_1:foopwd | chpasswd \
+  && echo net_ssh_2:foo2pwd | chpasswd \
+  && mkdir -p /home/net_ssh_1/.ssh \
+  && mkdir -p /home/net_ssh_2/.ssh \
+  && echo "net_ssh_1 ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers \
+  && echo "net_ssh_2 ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers \
+  && ssh-keygen -f /etc/ssh/users_ca -N ''
+
+ENV INSTALL_PATH="/netssh"
+
+WORKDIR $INSTALL_PATH
+
+COPY Gemfile net-ssh.gemspec $INSTALL_PATH/
+
+COPY lib/net/ssh/version.rb $INSTALL_PATH/lib/net/ssh/version.rb
+
+RUN gem install bundler && bundle install
+
+COPY . $INSTALL_PATH/
+
+CMD service ssh start && rake test && NET_SSH_NO_ED25519=1 rake test

data/Dockerfile.openssl3

@@ -0,0 +1,17 @@
+FROM ubuntu:22.04
+
+ENV INSTALL_PATH="/netssh"
+
+RUN apt update && apt install -y openssl ruby ruby-dev git build-essential
+
+WORKDIR $INSTALL_PATH
+
+COPY Gemfile net-ssh.gemspec $INSTALL_PATH/
+
+COPY lib/net/ssh/version.rb $INSTALL_PATH/lib/net/ssh/version.rb
+
+RUN ls -l && gem install bundler && bundle install
+
+COPY . $INSTALL_PATH/
+
+CMD openssl version && ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION' && rake test

data/Gemfile

@@ -9,3 +9,5 @@ if ENV["CI"]
   gem 'codecov', require: false, group: :test
   gem 'simplecov', require: false, group: :test
 end
+
+gem 'webrick', group: %i[development test] if RUBY_VERSION.split(".")[0].to_i >= 3

data/Gemfile.noed25519

@@ -8,3 +8,5 @@ if ENV["CI"] && !Gem.win_platform?
   gem 'simplecov', require: false, group: :test
   gem 'codecov', require: false, group: :test
 end
+
+gem 'webrick', group: %i[development test] if RUBY_VERSION.split(".")[0].to_i >= 3

data/README.md

@@ -1,13 +1,13 @@
 [![Gem Version](https://badge.fury.io/rb/net-ssh.svg)](https://badge.fury.io/rb/net-ssh)
 [![Join the chat at https://gitter.im/net-ssh/net-ssh](https://badges.gitter.im/net-ssh/net-ssh.svg)](https://gitter.im/net-ssh/net-ssh?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
-[![Build Status](https://travis-ci.org/net-ssh/net-ssh.svg?branch=master)](https://travis-ci.org/net-ssh/net-ssh)
+[![Build status](https://github.com/net-ssh/net-ssh/actions/workflows/ci.yml/badge.svg)](https://github.com/net-ssh/net-ssh/actions/workflows/ci.yml)
 [![Coverage status](https://codecov.io/gh/net-ssh/net-ssh/branch/master/graph/badge.svg)](https://codecov.io/gh/net-ssh/net-ssh)
 [![Backers on Open Collective](https://opencollective.com/net-ssh/backers/badge.svg)](#backers])
 [![Sponsors on Open Collective](https://opencollective.com/net-ssh/sponsors/badge.svg)](#sponsors)
 
 # Net::SSH 6.x
 
-* Docs: http://net-ssh.github.com/net-ssh
+* Docs: http://net-ssh.github.io/net-ssh
 * Issues: https://github.com/net-ssh/net-ssh/issues
 * Codes: https://github.com/net-ssh/net-ssh
 * Email: net-ssh@solutious.com
@@ -33,7 +33,7 @@ We strongly recommend that you install a servers's version that supports the lat
 
 It is possible to return to the previous behavior by adding the option : `append_all_supported_algorithms: true`
 
-Unsecure algoritms will be definively remove in Net::SSH 7.*.
+Unsecure algoritms will definitely be removed in Net::SSH 7.*.
 
 ### Host Keys
 
@@ -63,7 +63,7 @@ Unsecure algoritms will be definively remove in Net::SSH 7.*.
 
 | Name                                 | Support               | Details  |
 |--------------------------------------|-----------------------|----------|
-| aes256-ctr / aes192-ctr / aes128-ctr | OK                    | [using weak elliptic curves](https://safecurves.cr.yp.to/) |
+| aes256-ctr / aes192-ctr / aes128-ctr | OK                    |          |
 | aes256-cbc / aes192-cbc / aes128-cbc | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
 | rijndael-cbc@lysator.liu.se          | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
 | blowfish-ctr blowfish-cbc            | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
@@ -97,6 +97,7 @@ In a nutshell:
 require 'net/ssh'
 
 Net::SSH.start('host', 'user', password: "password") do |ssh|
+
 # capture all stderr and stdout output from a remote process
 output = ssh.exec!("hostname")
 puts output
@@ -104,7 +105,7 @@ puts output
 # capture only stdout matching a particular pattern
 stdout = ""
 ssh.exec!("ls -l /home/jamis") do |channel, stream, data|
-  stdout << data if stream == :stdout
+  stdout << data if stream == :stdout && /foo/.match(data)
 end
 puts stdout
 
@@ -164,7 +165,7 @@ gem install net-ssh # might need sudo privileges
 ```
 
 NOTE: If you are running on jruby on windows you need to install `jruby-pageant` manually
-(gemspec doesn't allow for platform specific dependencies).
+(gemspec doesn't allow for platform specific dependencies at gem installation time).
 
 However, in order to be sure the code you're installing hasn't been tampered with,
 it's recommended that you verify the [signature](http://docs.rubygems.org/read/chapter/21).
@@ -210,13 +211,19 @@ Run the test suite from the net-ssh directory with the following command:
 bundle exec rake test
 ```
 
+NOTE : you can run test on all ruby versions with docker :
+
+```
+docker-compose up --build
+```
+
 Run a single test file like this:
 
 ```sh
 ruby -Ilib -Itest test/transport/test_server_version.rb
 ```
 
-To run integration tests see test/integration/README.txt
+To run integration tests see [here](test/integration/README.md)
 
 ### BUILDING GEM
 

data/Rakefile

@@ -48,6 +48,7 @@ namespace :cert do
     raw = File.read "net-ssh-public_cert.pem"
     certificate = OpenSSL::X509::Certificate.new raw
     raise Exception, "Not yet expired: #{certificate.not_after}" unless certificate.not_after < Time.now
+
     sh "gem cert --build netssh@solutious.com --days 365*5 --private-key /mnt/gem/net-ssh-private_key.pem"
     sh "mv gem-public_cert.pem net-ssh-public_cert.pem"
     sh "gem cert --add net-ssh-public_cert.pem"
@@ -94,6 +95,10 @@ Rake::TestTask.new do |t|
   t.test_files = test_files
 end
 
+# We need to enable the OpenSSL 3.0 legacy providers for our test suite
+require 'openssl'
+ENV['OPENSSL_CONF'] = 'test/openssl3.conf' if OpenSSL::OPENSSL_LIBRARY_VERSION.start_with? "OpenSSL 3"
+
 desc "Run tests of Net::SSH:Test"
 Rake::TestTask.new do |t|
   t.name = "test_test"

data/docker-compose.yml

@@ -0,0 +1,23 @@
+version: '3'
+
+services:
+  ruby-3.1:
+    build:
+      context: .
+      args: 
+        RUBY_VERSION: 3.1
+  ruby-3.0:
+    build:
+      context: .
+      args: 
+        RUBY_VERSION: 3.0
+  ruby-2.7:
+    build:
+      context: .
+      args: 
+        RUBY_VERSION: 2.7
+  ruby-2.6:
+    build:
+      context: .
+      args: 
+        RUBY_VERSION: 2.6

data/lib/net/ssh/authentication/agent.rb

@@ -13,6 +13,7 @@ module Net
     module Authentication
       # Class for representing agent-specific errors.
       class AgentError < Net::SSH::Exception; end
+
       # An exception for indicating that the SSH agent is not available.
       class AgentNotAvailable < AgentError; end
 
@@ -39,6 +40,8 @@ module Net
         SSH2_AGENT_ADD_IDENTITY          = 17
         SSH2_AGENT_REMOVE_IDENTITY       = 18
         SSH2_AGENT_REMOVE_ALL_IDENTITIES = 19
+        SSH2_AGENT_LOCK                  = 22
+        SSH2_AGENT_UNLOCK                = 23
         SSH2_AGENT_ADD_ID_CONSTRAINED    = 25
         SSH2_AGENT_FAILURE               = 30
         SSH2_AGENT_VERSION_RESPONSE      = 103
@@ -62,7 +65,7 @@ module Net
 
         # Instantiates a new agent object, connects to a running SSH agent,
         # negotiates the agent protocol version, and returns the agent object.
-        def self.connect(logger=nil, agent_socket_factory = nil, identity_agent = nil)
+        def self.connect(logger = nil, agent_socket_factory = nil, identity_agent = nil)
           agent = new(logger)
           agent.connect!(agent_socket_factory, identity_agent)
           agent.negotiate!
@@ -71,7 +74,7 @@ module Net
 
         # Creates a new Agent object, using the optional logger instance to
         # report status.
-        def initialize(logger=nil)
+        def initialize(logger = nil)
           self.logger = logger
         end
 
@@ -85,9 +88,9 @@ module Net
             if agent_socket_factory
               agent_socket_factory.call
             elsif identity_agent
-              unix_socket_class.open(identity_agent)
+              unix_socket_class.open(File.expand_path(identity_agent))
             elsif ENV['SSH_AUTH_SOCK'] && unix_socket_class
-              unix_socket_class.open(ENV['SSH_AUTH_SOCK'])
+              unix_socket_class.open(File.expand_path(ENV['SSH_AUTH_SOCK']))
             elsif Gem.win_platform? && RUBY_ENGINE != "jruby"
               Pageant::Socket.open
             else
@@ -105,6 +108,7 @@ module Net
           type, body = send_and_wait(SSH2_AGENT_REQUEST_VERSION, :string, Transport::ServerVersion::PROTO_VERSION)
 
           raise AgentNotAvailable, "SSH2 agents are not yet supported" if type == SSH2_AGENT_VERSION_RESPONSE
+
           if type == SSH2_AGENT_FAILURE
             debug { "Unexpected response type==#{type}, this will be ignored" }
           elsif type != SSH_AGENT_RSA_IDENTITIES_ANSWER1 && type != SSH_AGENT_RSA_IDENTITIES_ANSWER2
@@ -173,7 +177,7 @@ module Net
 
           req_type = constraints.empty? ? SSH2_AGENT_ADD_IDENTITY : SSH2_AGENT_ADD_ID_CONSTRAINED
           type, = send_and_wait(req_type, :string, priv_key.ssh_type, :raw, blob_for_add(priv_key),
-                      :string, comment, :raw, constraints)
+                                :string, comment, :raw, constraints)
           raise AgentError, "could not add identity to agent" if type != SSH_AGENT_SUCCESS
         end
 
@@ -189,6 +193,18 @@ module Net
           raise AgentError, "could not remove all identity from agent" if type != SSH_AGENT_SUCCESS
         end
 
+        # lock the ssh agent with password
+        def lock(password)
+          type, = send_and_wait(SSH2_AGENT_LOCK, :string, password)
+          raise AgentError, "could not lock agent" if type != SSH_AGENT_SUCCESS
+        end
+
+        # unlock the ssh agent with password
+        def unlock(password)
+          type, = send_and_wait(SSH2_AGENT_UNLOCK, :string, password)
+          raise AgentError, "could not unlock agent" if type != SSH_AGENT_SUCCESS
+        end
+
         private
 
         def unix_socket_class
@@ -235,31 +251,31 @@ module Net
           case priv_key.ssh_type
           when /^ssh-dss$/
             Net::SSH::Buffer.from(:bignum, priv_key.p, :bignum, priv_key.q, :bignum, priv_key.g,
-                        :bignum, priv_key.pub_key, :bignum, priv_key.priv_key).to_s
+                                  :bignum, priv_key.pub_key, :bignum, priv_key.priv_key).to_s
           when /^ssh-dss-cert-v01@openssh\.com$/
             Net::SSH::Buffer.from(:string, priv_key.to_blob, :bignum, priv_key.key.priv_key).to_s
           when /^ecdsa\-sha2\-(\w*)$/
             curve_name = OpenSSL::PKey::EC::CurveNameAliasInv[priv_key.group.curve_name]
             Net::SSH::Buffer.from(:string, curve_name, :mstring, priv_key.public_key.to_bn.to_s(2),
-                        :bignum, priv_key.private_key).to_s
+                                  :bignum, priv_key.private_key).to_s
           when /^ecdsa\-sha2\-(\w*)-cert-v01@openssh\.com$/
             Net::SSH::Buffer.from(:string, priv_key.to_blob, :bignum, priv_key.key.private_key).to_s
           when /^ssh-ed25519$/
             Net::SSH::Buffer.from(:string, priv_key.public_key.verify_key.to_bytes,
-                        :string, priv_key.sign_key.keypair).to_s
+                                  :string, priv_key.sign_key.keypair).to_s
           when /^ssh-ed25519-cert-v01@openssh\.com$/
             # Unlike the other certificate types, the public key is included after the certifiate.
             Net::SSH::Buffer.from(:string, priv_key.to_blob,
-                        :string, priv_key.key.public_key.verify_key.to_bytes,
-                        :string, priv_key.key.sign_key.keypair).to_s
+                                  :string, priv_key.key.public_key.verify_key.to_bytes,
+                                  :string, priv_key.key.sign_key.keypair).to_s
           when /^ssh-rsa$/
             # `n` and `e` are reversed compared to the ordering in `OpenSSL::PKey::RSA#to_blob`.
             Net::SSH::Buffer.from(:bignum, priv_key.n, :bignum, priv_key.e, :bignum, priv_key.d,
-                        :bignum, priv_key.iqmp, :bignum, priv_key.p, :bignum, priv_key.q).to_s
+                                  :bignum, priv_key.iqmp, :bignum, priv_key.p, :bignum, priv_key.q).to_s
           when /^ssh-rsa-cert-v01@openssh\.com$/
             Net::SSH::Buffer.from(:string, priv_key.to_blob, :bignum, priv_key.key.d,
-                        :bignum, priv_key.key.iqmp, :bignum, priv_key.key.p,
-                        :bignum, priv_key.key.q).to_s
+                                  :bignum, priv_key.key.iqmp, :bignum, priv_key.key.p,
+                                  :bignum, priv_key.key.q).to_s
           end
         end
       end

data/lib/net/ssh/authentication/certificate.rb

@@ -31,12 +31,13 @@ module Net
           cert.key_id = buffer.read_string
           cert.valid_principals = buffer.read_buffer.read_all(&:read_string)
           cert.valid_after = Time.at(buffer.read_int64)
-          
+
           cert.valid_before = if RUBY_PLATFORM == "java"
                                 # 0x20c49ba5e353f7 = 0x7fffffffffffffff/1000, the largest value possible for JRuby
                                 # JRuby Time.at multiplies the arg by 1000, and then stores it in a signed long.
-                                # 0x20c49ba5e353f7 = 292278994-08-17 01:12:55 -0600
-                                Time.at([0x20c49ba5e353f7, buffer.read_int64].min)
+                                # 0x20c49ba2d52500 = 292278993-01-01 00:00:00 +0000
+                                # JRuby 9.1 does not accept the year 292278994 because of edge cases (https://github.com/JodaOrg/joda-time/issues/190)
+                                Time.at([0x20c49ba2d52500, buffer.read_int64].min)
                               else
                                 Time.at(buffer.read_int64)
                               end
@@ -65,12 +66,12 @@ module Net
           ).to_s
         end
 
-        def ssh_do_sign(data)
-          key.ssh_do_sign(data)
+        def ssh_do_sign(data, sig_alg = nil)
+          key.ssh_do_sign(data, sig_alg)
         end
 
-        def ssh_do_verify(sig, data)
-          key.ssh_do_verify(sig, data)
+        def ssh_do_verify(sig, data, options = {})
+          key.ssh_do_verify(sig, data, options)
         end
 
         def to_pem
@@ -82,7 +83,7 @@ module Net
         end
 
         # Signs the certificate with key.
-        def sign!(key, sign_nonce=nil)
+        def sign!(key, sign_nonce = nil)
           # ssh-keygen uses 32 bytes of nonce.
           self.nonce = sign_nonce || SecureRandom.random_bytes(32)
           self.signature_key = key
@@ -93,7 +94,7 @@ module Net
           self
         end
 
-        def sign(key, sign_nonce=nil)
+        def sign(key, sign_nonce = nil)
           cert = clone
           cert.sign!(key, sign_nonce)
         end
@@ -124,6 +125,7 @@ module Net
         def self.type_symbol(type)
           types = { 1 => :user, 2 => :host }
           raise ArgumentError("unsupported type: #{type}") unless types.include?(type)
+
           types.fetch(type)
         end
         private_class_method :type_symbol
@@ -133,6 +135,7 @@ module Net
         def type_value(type)
           types = { user: 1, host: 2 }
           raise ArgumentError("unsupported type: #{type}") unless types.include?(type)
+
           types.fetch(type)
         end
 

data/lib/net/ssh/authentication/constants.rb

@@ -1,7 +1,6 @@
 module Net
   module SSH
     module Authentication
-
       # Describes the constants used by the Net::SSH::Authentication components
       # of the Net::SSH library. Individual authentication method implemenations
       # may define yet more constants that are specific to their implementation.

data/lib/net/ssh/authentication/ed25519.rb

@@ -14,7 +14,7 @@ module Net
     module Authentication
       module ED25519
         class SigningKeyFromFile < SimpleDelegator
-          def initialize(pk,sk)
+          def initialize(pk, sk)
             key = ::Ed25519::SigningKey.from_keypair(sk)
             raise ArgumentError, "pk does not match sk" unless pk == key.verify_key.to_bytes
 
@@ -44,9 +44,11 @@ module Net
             datafull = datafull.strip
             raise ArgumentError.new("Expected #{MBEGIN} at start of private key") unless datafull.start_with?(MBEGIN)
             raise ArgumentError.new("Expected #{MEND} at end of private key") unless datafull.end_with?(MEND)
+
             datab64 = datafull[MBEGIN.size...-MEND.size]
             data = Base64.decode64(datab64)
             raise ArgumentError.new("Expected #{MAGIC} at start of decoded private key") unless data.start_with?(MAGIC)
+
             buffer = Net::SSH::Buffer.new(data[MAGIC.size + 1..-1])
 
             ciphername = buffer.read_string
@@ -59,6 +61,7 @@ module Net
             kdfopts = Net::SSH::Buffer.new(buffer.read_string)
             num_keys = buffer.read_long
             raise ArgumentError.new("Only 1 key is supported in ssh keys #{num_keys} was in private key") unless num_keys == 1
+
             _pubkey = buffer.read_string
 
             len = buffer.read_long
@@ -72,12 +75,13 @@ module Net
               rounds = kdfopts.read_long
 
               raise "BCryptPbkdf is not implemented for jruby" if RUBY_PLATFORM == "java"
+
               key = BCryptPbkdf::key(password, salt, keylen + ivlen, rounds)
             else
               key = '\x00' * (keylen + ivlen)
             end
 
-            cipher = CipherFactory.get(ciphername, key: key[0...keylen], iv:key[keylen...keylen + ivlen], decrypt: true)
+            cipher = CipherFactory.get(ciphername, key: key[0...keylen], iv: key[keylen...keylen + ivlen], decrypt: true)
 
             decoded = cipher.update(buffer.remainder_as_buffer.to_s)
             decoded << cipher.final
@@ -112,7 +116,7 @@ module Net
           end
 
           def to_blob
-            Net::SSH::Buffer.from(:mstring,"ssh-ed25519",:string,@verify_key.to_bytes).to_s
+            Net::SSH::Buffer.from(:mstring, "ssh-ed25519".dup, :string, @verify_key.to_bytes).to_s
           end
 
           def ssh_type
@@ -123,8 +127,8 @@ module Net
             ssh_type
           end
 
-          def ssh_do_verify(sig,data)
-            @verify_key.verify(sig,data)
+          def ssh_do_verify(sig, data, options = {})
+            @verify_key.verify(sig, data)
           end
 
           def to_pem
@@ -148,7 +152,7 @@ module Net
             _comment = buffer.read_string
 
             @pk = pk
-            @sign_key = SigningKeyFromFile.new(pk,sk)
+            @sign_key = SigningKeyFromFile.new(pk, sk)
           end
 
           def to_blob
@@ -167,7 +171,7 @@ module Net
             PubKey.new(@pk)
           end
 
-          def ssh_do_sign(data)
+          def ssh_do_sign(data, sig_alg = nil)
             @sign_key.sign(data)
           end
 

data/lib/net/ssh/authentication/ed25519_loader.rb

@@ -1,11 +1,9 @@
-module Net 
-  module SSH 
+module Net
+  module SSH
     module Authentication
-
       # Loads ED25519 support which requires optinal dependecies like
       # ed25519, bcrypt_pbkdf
       module ED25519Loader
-      
         begin
           require 'net/ssh/authentication/ed25519'
           LOADED = true
@@ -14,20 +12,19 @@ module Net
           ERROR = e
           LOADED = false
         end
-      
+
         def self.raiseUnlessLoaded(message)
           description = ERROR.is_a?(LoadError) ? dependenciesRequiredForED25519 : ''
           description << "#{ERROR.class} : \"#{ERROR.message}\"\n" if ERROR
           raise NotImplementedError, "#{message}\n#{description}" unless LOADED
         end
-      
+
         def self.dependenciesRequiredForED25519
           result = "net-ssh requires the following gems for ed25519 support:\n"
           result << " * ed25519 (>= 1.2, < 2.0)\n"
           result << " * bcrypt_pbkdf (>= 1.0, < 2.0)\n" unless RUBY_PLATFORM == "java"
           result << "See https://github.com/net-ssh/net-ssh/issues/565 for more information\n"
         end
-      
       end
     end
   end