net-ssh 6.1.0 → 7.0.1

data/lib/net/ssh/authentication/methods/hostbased.rb

@@ -4,19 +4,18 @@ module Net
   module SSH
     module Authentication
       module Methods
-
         # Implements the host-based SSH authentication method.
         class Hostbased < Abstract
           include Constants
 
           # Attempts to perform host-based authorization of the user by trying
           # all known keys.
-          def authenticate(next_service, username, password=nil)
+          def authenticate(next_service, username, password = nil)
             return false unless key_manager
 
             key_manager.each_identity do |identity|
               return true if authenticate_with(identity, next_service,
-                username, key_manager)
+                                               username, key_manager)
             end
 
             return false
@@ -64,10 +63,9 @@ module Net
           # Build the "core" hostbased request string.
           def build_request(identity, next_service, username, hostname, client_username)
             userauth_request(username, next_service, "hostbased", identity.ssh_type,
-              Buffer.from(:key, identity).to_s, hostname, client_username).to_s
+                             Buffer.from(:key, identity).to_s, hostname, client_username).to_s
           end
         end
-
       end
     end
   end

data/lib/net/ssh/authentication/methods/keyboard_interactive.rb

@@ -5,14 +5,13 @@ module Net
   module SSH
     module Authentication
       module Methods
-
         # Implements the "keyboard-interactive" SSH authentication method.
         class KeyboardInteractive < Abstract
           USERAUTH_INFO_REQUEST  = 60
           USERAUTH_INFO_RESPONSE = 61
 
           # Attempt to authenticate the given user for the given service.
-          def authenticate(next_service, username, password=nil)
+          def authenticate(next_service, username, password = nil)
             debug { "trying keyboard-interactive" }
             send_message(userauth_request(username, next_service, "keyboard-interactive", "", ""))
 
@@ -32,6 +31,7 @@ module Net
                   message[:authentications].split(/,/).include? 'keyboard-interactive'
 
                 return false unless interactive?
+
                 password = nil
                 debug { "retrying keyboard-interactive" }
                 send_message(userauth_request(username, next_service, "keyboard-interactive", "", ""))

data/lib/net/ssh/authentication/methods/none.rb

@@ -5,32 +5,29 @@ module Net
   module SSH
     module Authentication
       module Methods
-
         # Implements the "none" SSH authentication method.
         class None < Abstract
           # Attempt to authenticate as "none"
-          def authenticate(next_service, user="", password="")
-            send_message(userauth_request(user, next_service, "none")) 
+          def authenticate(next_service, user = "", password = "")
+            send_message(userauth_request(user, next_service, "none"))
             message = session.next_message
-            
+
             case message.type
             when USERAUTH_SUCCESS
               debug { "none succeeded" }
               return true
             when USERAUTH_FAILURE
               debug { "none failed" }
-              
+
               raise Net::SSH::Authentication::DisallowedMethod unless
                 message[:authentications].split(/,/).include? 'none'
-              
+
               return false
             else
               raise Net::SSH::Exception, "unexpected reply to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
-            end   
-            
+            end
           end
         end
-
       end
     end
   end

data/lib/net/ssh/authentication/methods/password.rb

@@ -6,12 +6,11 @@ module Net
   module SSH
     module Authentication
       module Methods
-
         # Implements the "password" SSH authentication method.
         class Password < Abstract
           # Attempt to authenticate the given user for the given service. If
           # the password parameter is nil, this will ask for password
-          def authenticate(next_service, username, password=nil)
+          def authenticate(next_service, username, password = nil)
             clear_prompter!
             retries = 0
             max_retries = get_max_retries
@@ -29,6 +28,7 @@ module Net
 
                 raise Net::SSH::Authentication::DisallowedMethod unless
                   message[:authentications].split(/,/).include? 'password'
+
                 password = nil
               end
             end until (message.type != USERAUTH_FAILURE || retries >= max_retries)
@@ -74,7 +74,6 @@ module Net
             options[:non_interactive] ? 0 : result
           end
         end
-
       end
     end
   end

data/lib/net/ssh/authentication/methods/publickey.rb

@@ -6,14 +6,13 @@ module Net
   module SSH
     module Authentication
       module Methods
-
         # Implements the "publickey" SSH authentication method.
         class Publickey < Abstract
           # Attempts to perform public-key authentication for the given
           # username, trying each identity known to the key manager. If any of
           # them succeed, returns +true+, otherwise returns +false+. This
           # requires the presence of a key manager.
-          def authenticate(next_service, username, password=nil)
+          def authenticate(next_service, username, password = nil)
             return false unless key_manager
 
             key_manager.each_identity do |identity|
@@ -27,41 +26,40 @@ module Net
 
           # Builds a packet that contains the request formatted for sending
           # a public-key request to the server.
-          def build_request(pub_key, username, next_service, has_sig)
+          def build_request(pub_key, username, next_service, alg, has_sig)
             blob = Net::SSH::Buffer.new
             blob.write_key pub_key
 
             userauth_request(username, next_service, "publickey", has_sig,
-              pub_key.ssh_type, blob.to_s)
+                             alg, blob.to_s)
           end
 
           # Builds and sends a request formatted for a public-key
           # authentication request.
-          def send_request(pub_key, username, next_service, signature=nil)
-            msg = build_request(pub_key, username, next_service, !signature.nil?)
+          def send_request(pub_key, username, next_service, alg, signature = nil)
+            msg = build_request(pub_key, username, next_service, alg,
+                                !signature.nil?)
             msg.write_string(signature) if signature
             send_message(msg)
           end
 
-          # Attempts to perform public-key authentication for the given
-          # username, with the given identity (public key). Returns +true+ if
-          # successful, or +false+ otherwise.
-          def authenticate_with(identity, next_service, username)
+          def authenticate_with_alg(identity, next_service, username, alg, sig_alg = nil)
             debug { "trying publickey (#{identity.fingerprint})" }
-            send_request(identity, username, next_service)
+            send_request(identity, username, next_service, alg)
 
             message = session.next_message
 
             case message.type
             when USERAUTH_PK_OK
-              buffer = build_request(identity, username, next_service, true)
+              buffer = build_request(identity, username, next_service, alg,
+                                     true)
               sig_data = Net::SSH::Buffer.new
               sig_data.write_string(session_id)
               sig_data.append(buffer.to_s)
 
-              sig_blob = key_manager.sign(identity, sig_data)
+              sig_blob = key_manager.sign(identity, sig_data, sig_alg)
 
-              send_request(identity, username, next_service, sig_blob.to_s)
+              send_request(identity, username, next_service, alg, sig_blob.to_s)
               message = session.next_message
 
               case message.type
@@ -77,7 +75,7 @@ module Net
                 return false
               else
                 raise Net::SSH::Exception,
-                  "unexpected server response to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
+                      "unexpected server response to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
               end
 
             when USERAUTH_FAILURE
@@ -89,8 +87,50 @@ module Net
               raise Net::SSH::Exception, "unexpected reply to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
             end
           end
-        end
 
+          # Attempts to perform public-key authentication for the given
+          # username, with the given identity (public key). Returns +true+ if
+          # successful, or +false+ otherwise.
+          def authenticate_with(identity, next_service, username)
+            type = identity.ssh_type
+            if type == "ssh-rsa"
+              pubkey_algorithms.each do |pk_alg|
+                case pk_alg
+                when "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"
+                  if authenticate_with_alg(identity, next_service, username, pk_alg, pk_alg)
+                    # success
+                    return true
+                  end
+                end
+              end
+            elsif type == "ssh-rsa-cert-v01@openssh.com"
+              pubkey_algorithms.each do |pk_alg|
+                case pk_alg
+                when "rsa-sha2-512-cert-v01@openssh.com"
+                  if authenticate_with_alg(identity, next_service, username, pk_alg, "rsa-sha2-512")
+                    # success
+                    return true
+                  end
+                when "rsa-sha2-256-cert-v01@openssh.com"
+                  if authenticate_with_alg(identity, next_service, username, pk_alg, "rsa-sha2-256")
+                    # success
+                    return true
+                  end
+                when "ssh-rsa-cert-v01@openssh.com"
+                  if authenticate_with_alg(identity, next_service, username, pk_alg)
+                    # success
+                    return true
+                  end
+                end
+              end
+            elsif authenticate_with_alg(identity, next_service, username, type)
+              # success
+              return true
+            end
+            # failure
+            return false
+          end
+        end
       end
     end
   end