net-ssh 6.1.0 → 6.3.0.beta1

data/.travis.yml

@@ -1,17 +1,16 @@
 language: ruby
 sudo: true
-dist: trusty
+dist: focal
 
 addon:
   hosts:
     gateway.netssh
 
 rvm:
-  - 2.3.8
-  - 2.4.8
   - 2.5.7
   - 2.6.5
   - 2.7.0
+  - 3.0.0
   - jruby-9.2.11.1
   - rbx-3.107
   - ruby-head
@@ -35,18 +34,18 @@ matrix:
 install:
   - export JRUBY_OPTS='--client -J-XX:+TieredCompilation -J-XX:TieredStopAtLevel=1 -Xcext.enabled=false -J-Xss2m -Xcompile.invokedynamic=false'
   - sudo pip install ansible urllib3 pyOpenSSL ndg-httpsclient pyasn1
-  - gem install bundler -v "= 1.17"
+  - gem install bundler
   - gem list bundler
-  - bundle _1.17_ install
-  - bundle _1.17_ -v
-  - BUNDLE_GEMFILE=./Gemfile.noed25519 bundle _1.17_ install
+  - bundle install
+  - bundle -v
+  - BUNDLE_GEMFILE=./Gemfile.noed25519 bundle install
   - sudo ansible-galaxy install rvm.ruby
   - sudo chown -R travis:travis /home/travis/.ansible
   - ansible-playbook ./test/integration/playbook.yml -i "localhost," --become -c local -e 'no_rvm=true' -e 'myuser=travis' -e 'mygroup=travis' -e 'homedir=/home/travis'
 
 script:
   - ssh -V
-  - bundle _1.17_ exec rake test
-  - BUNDLE_GEMFILE=./Gemfile.noed25519 bundle _1.17_ exec rake test
-  - bundle _1.17_ exec rake test_test
-  - bundle _1.17_ exec rubocop
+  - bundle exec rake test
+  - BUNDLE_GEMFILE=./Gemfile.noed25519 bundle exec rake test
+  - bundle exec rake test_test
+  - bundle exec rubocop

data/CHANGES.txt

@@ -1,6 +1,19 @@
+=== 6.3.0 beta1
+
+  * Support cert based host key auth, fix asterisk in known_hosts [#833]
+  * Support kex dh-group14-sha256  [#795]
+  * Fix StrictHostKeyChecking ssh config parameter translation [#765]
+
+=== 6.2.0 rc1
+
+=== 6.2.0 beta1
+
+  * rsa-sha2-512, rsa-sha2-256 host_key algs [#771]
+  * JRuby aes*-ctr suppport [#767]
+
 === 6.1.0
 
-  * adapt to ssh's default bahaviors when no username is provided.
+  * Adapt to ssh's default behaviors when no username is provided.
     When Net::SSH.start user is nil and config has no entry
     we default to Etc.getpwuid.name() instead of Etc.getlogin(). [#749]
 
@@ -36,7 +49,7 @@
 === 5.2.0.rc3
 
   * Fix check_host_ip read from config
-  * Support ssh-ed25519 in kown hosts
+  * Support ssh-ed25519 in known hosts
 
 === 5.2.0.rc2
 
@@ -59,7 +72,7 @@
 
 === 5.0.2
 
-  * fix ctr for jruby [#612]
+  * Fix ctr for jruby [#612]
 
 === 5.0.1
 

data/Gemfile

@@ -9,3 +9,5 @@ if ENV["CI"]
   gem 'codecov', require: false, group: :test
   gem 'simplecov', require: false, group: :test
 end
+
+gem 'webrick', group: %i[development test] if RUBY_VERSION.split(".")[0].to_i >= 3

data/Gemfile.noed25519

@@ -8,3 +8,5 @@ if ENV["CI"] && !Gem.win_platform?
   gem 'simplecov', require: false, group: :test
   gem 'codecov', require: false, group: :test
 end
+
+gem 'webrick', group: %i[development test] if RUBY_VERSION.split(".")[0].to_i >= 3

data/README.md

@@ -1,13 +1,13 @@
 [![Gem Version](https://badge.fury.io/rb/net-ssh.svg)](https://badge.fury.io/rb/net-ssh)
 [![Join the chat at https://gitter.im/net-ssh/net-ssh](https://badges.gitter.im/net-ssh/net-ssh.svg)](https://gitter.im/net-ssh/net-ssh?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
-[![Build Status](https://travis-ci.org/net-ssh/net-ssh.svg?branch=master)](https://travis-ci.org/net-ssh/net-ssh)
+[![Build status](https://github.com/net-ssh/net-ssh/actions/workflows/ci.yml/badge.svg)](https://github.com/net-ssh/net-ssh/actions/workflows/ci.yml)
 [![Coverage status](https://codecov.io/gh/net-ssh/net-ssh/branch/master/graph/badge.svg)](https://codecov.io/gh/net-ssh/net-ssh)
 [![Backers on Open Collective](https://opencollective.com/net-ssh/backers/badge.svg)](#backers])
 [![Sponsors on Open Collective](https://opencollective.com/net-ssh/sponsors/badge.svg)](#sponsors)
 
 # Net::SSH 6.x
 
-* Docs: http://net-ssh.github.com/net-ssh
+* Docs: http://net-ssh.github.io/net-ssh
 * Issues: https://github.com/net-ssh/net-ssh/issues
 * Codes: https://github.com/net-ssh/net-ssh
 * Email: net-ssh@solutious.com

data/Rakefile

@@ -48,6 +48,7 @@ namespace :cert do
     raw = File.read "net-ssh-public_cert.pem"
     certificate = OpenSSL::X509::Certificate.new raw
     raise Exception, "Not yet expired: #{certificate.not_after}" unless certificate.not_after < Time.now
+
     sh "gem cert --build netssh@solutious.com --days 365*5 --private-key /mnt/gem/net-ssh-private_key.pem"
     sh "mv gem-public_cert.pem net-ssh-public_cert.pem"
     sh "gem cert --add net-ssh-public_cert.pem"

data/lib/net/ssh.rb

@@ -15,7 +15,6 @@ require 'net/ssh/connection/session'
 require 'net/ssh/prompt'
 
 module Net
-
   # Net::SSH is a library for interacting, programmatically, with remote
   # processes via the SSH2 protocol. Sessions are always initiated via
   # Net::SSH.start. From there, a program interacts with the new SSH session
@@ -122,7 +121,7 @@ module Net
     # * :forward_agent => set to true if you want the SSH agent connection to
     #   be forwarded
     # * :known_hosts => a custom object holding known hosts records.
-    #   It must implement #search_for and add in a similiar manner as KnownHosts.
+    #   It must implement #search_for and `add` in a similiar manner as KnownHosts.
     # * :global_known_hosts_file => the location of the global known hosts
     #   file. Set to an array if you want to specify multiple global known
     #   hosts files. Defaults to %w(/etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2).

data/lib/net/ssh/authentication/agent.rb

@@ -13,6 +13,7 @@ module Net
     module Authentication
       # Class for representing agent-specific errors.
       class AgentError < Net::SSH::Exception; end
+
       # An exception for indicating that the SSH agent is not available.
       class AgentNotAvailable < AgentError; end
 
@@ -39,6 +40,8 @@ module Net
         SSH2_AGENT_ADD_IDENTITY          = 17
         SSH2_AGENT_REMOVE_IDENTITY       = 18
         SSH2_AGENT_REMOVE_ALL_IDENTITIES = 19
+        SSH2_AGENT_LOCK                  = 22
+        SSH2_AGENT_UNLOCK                = 23
         SSH2_AGENT_ADD_ID_CONSTRAINED    = 25
         SSH2_AGENT_FAILURE               = 30
         SSH2_AGENT_VERSION_RESPONSE      = 103
@@ -105,6 +108,7 @@ module Net
           type, body = send_and_wait(SSH2_AGENT_REQUEST_VERSION, :string, Transport::ServerVersion::PROTO_VERSION)
 
           raise AgentNotAvailable, "SSH2 agents are not yet supported" if type == SSH2_AGENT_VERSION_RESPONSE
+
           if type == SSH2_AGENT_FAILURE
             debug { "Unexpected response type==#{type}, this will be ignored" }
           elsif type != SSH_AGENT_RSA_IDENTITIES_ANSWER1 && type != SSH_AGENT_RSA_IDENTITIES_ANSWER2
@@ -189,6 +193,18 @@ module Net
           raise AgentError, "could not remove all identity from agent" if type != SSH_AGENT_SUCCESS
         end
 
+        # lock the ssh agent with password
+        def lock(password)
+          type, = send_and_wait(SSH2_AGENT_LOCK, :string, password)
+          raise AgentError, "could not lock agent" if type != SSH_AGENT_SUCCESS
+        end
+
+        # unlock the ssh agent with password
+        def unlock(password)
+          type, = send_and_wait(SSH2_AGENT_UNLOCK, :string, password)
+          raise AgentError, "could not unlock agent" if type != SSH_AGENT_SUCCESS
+        end
+
         private
 
         def unix_socket_class

data/lib/net/ssh/authentication/certificate.rb

@@ -31,12 +31,13 @@ module Net
           cert.key_id = buffer.read_string
           cert.valid_principals = buffer.read_buffer.read_all(&:read_string)
           cert.valid_after = Time.at(buffer.read_int64)
-          
+
           cert.valid_before = if RUBY_PLATFORM == "java"
                                 # 0x20c49ba5e353f7 = 0x7fffffffffffffff/1000, the largest value possible for JRuby
                                 # JRuby Time.at multiplies the arg by 1000, and then stores it in a signed long.
-                                # 0x20c49ba5e353f7 = 292278994-08-17 01:12:55 -0600
-                                Time.at([0x20c49ba5e353f7, buffer.read_int64].min)
+                                # 0x20c49ba2d52500 = 292278993-01-01 00:00:00 +0000
+                                # JRuby 9.1 does not accept the year 292278994 because of edge cases (https://github.com/JodaOrg/joda-time/issues/190)
+                                Time.at([0x20c49ba2d52500, buffer.read_int64].min)
                               else
                                 Time.at(buffer.read_int64)
                               end
@@ -69,8 +70,8 @@ module Net
           key.ssh_do_sign(data)
         end
 
-        def ssh_do_verify(sig, data)
-          key.ssh_do_verify(sig, data)
+        def ssh_do_verify(sig, data, options = {})
+          key.ssh_do_verify(sig, data, options)
         end
 
         def to_pem
@@ -124,6 +125,7 @@ module Net
         def self.type_symbol(type)
           types = { 1 => :user, 2 => :host }
           raise ArgumentError("unsupported type: #{type}") unless types.include?(type)
+
           types.fetch(type)
         end
         private_class_method :type_symbol
@@ -133,6 +135,7 @@ module Net
         def type_value(type)
           types = { user: 1, host: 2 }
           raise ArgumentError("unsupported type: #{type}") unless types.include?(type)
+
           types.fetch(type)
         end
 

data/lib/net/ssh/authentication/constants.rb

@@ -1,7 +1,6 @@
 module Net
   module SSH
     module Authentication
-
       # Describes the constants used by the Net::SSH::Authentication components
       # of the Net::SSH library. Individual authentication method implemenations
       # may define yet more constants that are specific to their implementation.

data/lib/net/ssh/authentication/ed25519.rb

@@ -44,9 +44,11 @@ module Net
             datafull = datafull.strip
             raise ArgumentError.new("Expected #{MBEGIN} at start of private key") unless datafull.start_with?(MBEGIN)
             raise ArgumentError.new("Expected #{MEND} at end of private key") unless datafull.end_with?(MEND)
+
             datab64 = datafull[MBEGIN.size...-MEND.size]
             data = Base64.decode64(datab64)
             raise ArgumentError.new("Expected #{MAGIC} at start of decoded private key") unless data.start_with?(MAGIC)
+
             buffer = Net::SSH::Buffer.new(data[MAGIC.size + 1..-1])
 
             ciphername = buffer.read_string
@@ -59,6 +61,7 @@ module Net
             kdfopts = Net::SSH::Buffer.new(buffer.read_string)
             num_keys = buffer.read_long
             raise ArgumentError.new("Only 1 key is supported in ssh keys #{num_keys} was in private key") unless num_keys == 1
+
             _pubkey = buffer.read_string
 
             len = buffer.read_long
@@ -72,12 +75,13 @@ module Net
               rounds = kdfopts.read_long
 
               raise "BCryptPbkdf is not implemented for jruby" if RUBY_PLATFORM == "java"
+
               key = BCryptPbkdf::key(password, salt, keylen + ivlen, rounds)
             else
               key = '\x00' * (keylen + ivlen)
             end
 
-            cipher = CipherFactory.get(ciphername, key: key[0...keylen], iv:key[keylen...keylen + ivlen], decrypt: true)
+            cipher = CipherFactory.get(ciphername, key: key[0...keylen], iv: key[keylen...keylen + ivlen], decrypt: true)
 
             decoded = cipher.update(buffer.remainder_as_buffer.to_s)
             decoded << cipher.final
@@ -112,7 +116,7 @@ module Net
           end
 
           def to_blob
-            Net::SSH::Buffer.from(:mstring,"ssh-ed25519",:string,@verify_key.to_bytes).to_s
+            Net::SSH::Buffer.from(:mstring,"ssh-ed25519".dup,:string,@verify_key.to_bytes).to_s
           end
 
           def ssh_type
@@ -123,7 +127,7 @@ module Net
             ssh_type
           end
 
-          def ssh_do_verify(sig,data)
+          def ssh_do_verify(sig, data, options = {})
             @verify_key.verify(sig,data)
           end
 

data/lib/net/ssh/authentication/ed25519_loader.rb

@@ -1,11 +1,9 @@
-module Net 
-  module SSH 
+module Net
+  module SSH
     module Authentication
-
       # Loads ED25519 support which requires optinal dependecies like
       # ed25519, bcrypt_pbkdf
       module ED25519Loader
-      
         begin
           require 'net/ssh/authentication/ed25519'
           LOADED = true
@@ -14,20 +12,19 @@ module Net
           ERROR = e
           LOADED = false
         end
-      
+
         def self.raiseUnlessLoaded(message)
           description = ERROR.is_a?(LoadError) ? dependenciesRequiredForED25519 : ''
           description << "#{ERROR.class} : \"#{ERROR.message}\"\n" if ERROR
           raise NotImplementedError, "#{message}\n#{description}" unless LOADED
         end
-      
+
         def self.dependenciesRequiredForED25519
           result = "net-ssh requires the following gems for ed25519 support:\n"
           result << " * ed25519 (>= 1.2, < 2.0)\n"
           result << " * bcrypt_pbkdf (>= 1.0, < 2.0)\n" unless RUBY_PLATFORM == "java"
           result << "See https://github.com/net-ssh/net-ssh/issues/565 for more information\n"
         end
-      
       end
     end
   end

data/lib/net/ssh/authentication/key_manager.rb

@@ -6,7 +6,6 @@ require 'net/ssh/authentication/agent'
 module Net
   module SSH
     module Authentication
-
       # A trivial exception class used to report errors in the key manager.
       class KeyManagerError < Net::SSH::Exception; end
 
@@ -177,6 +176,7 @@ module Net
 
           if info[:from] == :agent
             raise KeyManagerError, "the agent is no longer available" unless agent
+
             return agent.sign(info[:identity], data.to_s)
           end
 
@@ -201,6 +201,7 @@ module Net
         # or if the agent is otherwise not available.
         def agent
           return unless use_agent?
+
           @agent ||= Agent.connect(logger, options[:agent_socket_factory], options[:identity_agent])
         rescue AgentNotAvailable
           @use_agent = false
@@ -248,37 +249,35 @@ module Net
         # Load prepared identities. Private key decryption errors ignored if ignore_decryption_errors
         def load_identities(identities, ask_passphrase, ignore_decryption_errors)
           identities.map do |identity|
-            begin
-              case identity[:load_from]
-              when :pubkey_file
-                key = KeyFactory.load_public_key(identity[:pubkey_file])
-                { public_key: key, from: :file, file: identity[:privkey_file] }
-              when :privkey_file
-                private_key = KeyFactory.load_private_key(
-                  identity[:privkey_file], options[:passphrase], ask_passphrase, options[:password_prompt]
-                )
-                key = private_key.send(:public_key)
-                { public_key: key, from: :file, file: identity[:privkey_file], key: private_key }
-              when :data
-                private_key = KeyFactory.load_data_private_key(
-                  identity[:data], options[:passphrase], ask_passphrase, "<key in memory>", options[:password_prompt]
-                )
-                key = private_key.send(:public_key)
-                { public_key: key, from: :key_data, data: identity[:data], key: private_key }
-              else
-                identity
-              end
-            rescue OpenSSL::PKey::RSAError, OpenSSL::PKey::DSAError, OpenSSL::PKey::ECError, OpenSSL::PKey::PKeyError, ArgumentError => e
-              if ignore_decryption_errors
-                identity
-              else
-                process_identity_loading_error(identity, e)
-                nil
-              end
-            rescue Exception => e
+            case identity[:load_from]
+            when :pubkey_file
+              key = KeyFactory.load_public_key(identity[:pubkey_file])
+              { public_key: key, from: :file, file: identity[:privkey_file] }
+            when :privkey_file
+              private_key = KeyFactory.load_private_key(
+                identity[:privkey_file], options[:passphrase], ask_passphrase, options[:password_prompt]
+              )
+              key = private_key.send(:public_key)
+              { public_key: key, from: :file, file: identity[:privkey_file], key: private_key }
+            when :data
+              private_key = KeyFactory.load_data_private_key(
+                identity[:data], options[:passphrase], ask_passphrase, "<key in memory>", options[:password_prompt]
+              )
+              key = private_key.send(:public_key)
+              { public_key: key, from: :key_data, data: identity[:data], key: private_key }
+            else
+              identity
+            end
+          rescue OpenSSL::PKey::RSAError, OpenSSL::PKey::DSAError, OpenSSL::PKey::ECError, OpenSSL::PKey::PKeyError, ArgumentError => e
+            if ignore_decryption_errors
+              identity
+            else
               process_identity_loading_error(identity, e)
               nil
             end
+          rescue Exception => e
+            process_identity_loading_error(identity, e)
+            nil
           end.compact
         end
 

data/lib/net/ssh/authentication/methods/abstract.rb

@@ -7,7 +7,6 @@ module Net
   module SSH
     module Authentication
       module Methods
-
         # The base class of all user authentication methods. It provides a few
         # bits of common functionality.
         class Abstract

data/lib/net/ssh/authentication/methods/hostbased.rb

@@ -4,7 +4,6 @@ module Net
   module SSH
     module Authentication
       module Methods
-
         # Implements the host-based SSH authentication method.
         class Hostbased < Abstract
           include Constants
@@ -67,7 +66,6 @@ module Net
               Buffer.from(:key, identity).to_s, hostname, client_username).to_s
           end
         end
-
       end
     end
   end

data/lib/net/ssh/authentication/methods/keyboard_interactive.rb

@@ -5,7 +5,6 @@ module Net
   module SSH
     module Authentication
       module Methods
-
         # Implements the "keyboard-interactive" SSH authentication method.
         class KeyboardInteractive < Abstract
           USERAUTH_INFO_REQUEST  = 60
@@ -32,6 +31,7 @@ module Net
                   message[:authentications].split(/,/).include? 'keyboard-interactive'
 
                 return false unless interactive?
+
                 password = nil
                 debug { "retrying keyboard-interactive" }
                 send_message(userauth_request(username, next_service, "keyboard-interactive", "", ""))