net-ssh 6.1.0 → 7.3.0

data/lib/net/ssh/transport/state.rb

@@ -2,10 +2,9 @@ require 'zlib'
 require 'net/ssh/transport/cipher_factory'
 require 'net/ssh/transport/hmac'
 
-module Net 
-  module SSH 
+module Net
+  module SSH
     module Transport
-
       # Encapsulates state information about one end of an SSH connection. Such
       # state includes the packet sequence number, the algorithms in use, how
       # many packets and blocks have been processed since the last reset, and so
@@ -14,46 +13,46 @@ module Net
       class State
         # The socket object that owns this state object.
         attr_reader :socket
-    
+
         # The next packet sequence number for this socket endpoint.
         attr_reader :sequence_number
-    
+
         # The hmac algorithm in use for this endpoint.
         attr_reader :hmac
-    
+
         # The compression algorithm in use for this endpoint.
         attr_reader :compression
-    
+
         # The compression level to use when compressing data (or nil, for the default).
         attr_reader :compression_level
-    
+
         # The number of packets processed since the last call to #reset!
         attr_reader :packets
-    
+
         # The number of data blocks processed since the last call to #reset!
         attr_reader :blocks
-    
+
         # The cipher algorithm in use for this socket endpoint.
         attr_reader :cipher
-    
+
         # The block size for the cipher
         attr_reader :block_size
-    
+
         # The role that this state plays (either :client or :server)
         attr_reader :role
-    
+
         # The maximum number of packets that this endpoint wants to process before
         # needing a rekey.
         attr_accessor :max_packets
-    
+
         # The maximum number of blocks that this endpoint wants to process before
         # needing a rekey.
         attr_accessor :max_blocks
-    
+
         # The user-specified maximum number of bytes that this endpoint ought to
         # process before needing a rekey.
         attr_accessor :rekey_limit
-    
+
         # Creates a new state object, belonging to the given socket. Initializes
         # the algorithms to "none".
         def initialize(socket, role)
@@ -65,9 +64,9 @@ module Net
           @hmac = HMAC.get("none")
           @compression = nil
           @compressor = @decompressor = nil
-          @next_iv = ""
+          @next_iv = String.new
         end
-    
+
         # A convenience method for quickly setting multiple values in a single
         # command.
         def set(values)
@@ -76,19 +75,19 @@ module Net
           end
           reset!
         end
-    
+
         def update_cipher(data)
           result = cipher.update(data)
           update_next_iv(role == :client ? result : data)
           return result
         end
-    
+
         def final_cipher
           result = cipher.final
           update_next_iv(role == :client ? result : "", true)
           return result
         end
-    
+
         # Increments the counters. The sequence number is incremented (and remapped
         # so it always fits in a 32-bit integer). The number of packets and blocks
         # are also incremented.
@@ -97,18 +96,18 @@ module Net
           @packets += 1
           @blocks += (packet_length + 4) / @block_size
         end
-    
+
         # The compressor object to use when compressing data. This takes into account
         # the desired compression level.
         def compressor
           @compressor ||= Zlib::Deflate.new(compression_level || Zlib::DEFAULT_COMPRESSION)
         end
-    
+
         # The decompressor object to use when decompressing data.
         def decompressor
           @decompressor ||= Zlib::Inflate.new(nil)
         end
-    
+
         # Returns true if data compression/decompression is enabled. This will
         # return true if :standard compression is selected, or if :delayed
         # compression is selected and the :authenticated hint has been received
@@ -116,33 +115,35 @@ module Net
         def compression?
           compression == :standard || (compression == :delayed && socket.hints[:authenticated])
         end
-    
+
         # Compresses the data. If no compression is in effect, this will just return
         # the data unmodified, otherwise it uses #compressor to compress the data.
         def compress(data)
           data = data.to_s
           return data unless compression?
+
           compressor.deflate(data, Zlib::SYNC_FLUSH)
         end
-    
-        # Deompresses the data. If no compression is in effect, this will just return
+
+        # Decompresses the data. If no compression is in effect, this will just return
         # the data unmodified, otherwise it uses #decompressor to decompress the data.
         def decompress(data)
           data = data.to_s
           return data unless compression?
+
           decompressor.inflate(data)
         end
-    
+
         # Resets the counters on the state object, but leaves the sequence_number
         # unchanged. It also sets defaults for and recomputes the max_packets and
         # max_blocks values.
         def reset!
           @packets = @blocks = 0
-    
+
           @max_packets ||= 1 << 31
-    
+
           @block_size = cipher.block_size
-    
+
           if max_blocks.nil?
             # cargo-culted from openssh. the idea is that "the 2^(blocksize*2)
             # limit is too expensive for 3DES, blowfish, etc., so enforce a 1GB
@@ -152,16 +153,16 @@ module Net
             else
               @max_blocks = (1 << 30) / @block_size
             end
-    
+
             # if a limit on the # of bytes has been given, convert that into a
             # minimum number of blocks processed.
-    
+
             @max_blocks = [@max_blocks, rekey_limit / @block_size].min if rekey_limit
           end
-    
+
           cleanup
         end
-    
+
         # Closes any the compressor and/or decompressor objects that have been
         # instantiated.
         def cleanup
@@ -169,17 +170,17 @@ module Net
             @compressor.finish if !@compressor.finished?
             @compressor.close
           end
-    
+
           if @decompressor
             # we call reset here so that we don't get warnings when we try to
             # close the decompressor
             @decompressor.reset
             @decompressor.close
           end
-    
+
           @compressor = @decompressor = nil
         end
-    
+
         # Returns true if the number of packets processed exceeds the maximum
         # number of packets, or if the number of blocks processed exceeds the
         # maximum number of blocks.
@@ -187,22 +188,21 @@ module Net
           max_packets && packets > max_packets ||
           max_blocks && blocks > max_blocks
         end
-    
+
         private
-    
-        def update_next_iv(data, reset=false)
+
+        def update_next_iv(data, reset = false)
           @next_iv << data
           @next_iv = @next_iv[@next_iv.size - cipher.iv_len..-1]
-    
+
           if reset
             cipher.reset
             cipher.iv = @next_iv
           end
-    
+
           return data
         end
       end
-
     end
   end
 end

data/lib/net/ssh/verifiers/accept_new.rb

@@ -5,7 +5,6 @@ require 'net/ssh/verifiers/always'
 module Net
   module SSH
     module Verifiers
-
       # Does a strict host verification, looking the server up in the known
       # host files to see if a key has already been seen for this server. If this
       # server does not appear in any host file, this will silently add the
@@ -29,7 +28,6 @@ module Net
           return true
         end
       end
-
     end
   end
 end

data/lib/net/ssh/verifiers/accept_new_or_local_tunnel.rb

@@ -3,7 +3,6 @@ require 'net/ssh/verifiers/accept_new'
 module Net
   module SSH
     module Verifiers
-
       # Basically the same as the AcceptNew verifier, but does not try to actually
       # verify a connection if the server is the localhost and the port is a
       # nonstandard port number. Those two conditions will typically mean the
@@ -14,6 +13,7 @@ module Net
         # returns true. Otherwise, performs the standard strict verification.
         def verify(arguments)
           return true if tunnelled?(arguments)
+
           super
         end
 
@@ -28,7 +28,6 @@ module Net
           return ip == "127.0.0.1" || ip == "::1"
         end
       end
-
     end
   end
 end

data/lib/net/ssh/verifiers/always.rb

@@ -4,7 +4,6 @@ require 'net/ssh/known_hosts'
 module Net
   module SSH
     module Verifiers
-
       # Does a strict host verification, looking the server up in the known
       # host files to see if a key has already been seen for this server. If this
       # server does not appear in any host file, an exception will be raised
@@ -22,9 +21,13 @@ module Net
 
           # If we found any matches, check to see that the key type and
           # blob also match.
+
           found = host_keys.any? do |key|
-            key.ssh_type == arguments[:key].ssh_type &&
-            key.to_blob  == arguments[:key].to_blob
+            if key.respond_to?(:matches_key?)
+              key.matches_key?(arguments[:key])
+            else
+              key.ssh_type == arguments[:key].ssh_type && key.to_blob == arguments[:key].to_blob
+            end
           end
 
           # If a match was found, return true. Otherwise, raise an exception
@@ -50,7 +53,6 @@ module Net
           raise exception
         end
       end
-
     end
   end
 end

data/lib/net/ssh/verifiers/never.rb

@@ -1,7 +1,6 @@
 module Net
   module SSH
     module Verifiers
-
       # This host key verifier simply allows every key it sees, without
       # any verification. This is simple, but very insecure because it
       # exposes you to MiTM attacks.
@@ -15,7 +14,6 @@ module Net
           true
         end
       end
-
     end
   end
 end

data/lib/net/ssh/version.rb

@@ -46,10 +46,10 @@ module Net
       end
 
       # The major component of this version of the Net::SSH library
-      MAJOR = 6
+      MAJOR = 7
 
       # The minor component of this version of the Net::SSH library
-      MINOR = 1
+      MINOR = 3
 
       # The tiny component of this version of the Net::SSH library
       TINY  = 0

data/lib/net/ssh.rb

@@ -15,7 +15,6 @@ require 'net/ssh/connection/session'
 require 'net/ssh/prompt'
 
 module Net
-
   # Net::SSH is a library for interacting, programmatically, with remote
   # processes via the SSH2 protocol. Sessions are always initiated via
   # Net::SSH.start. From there, a program interacts with the new SSH session
@@ -65,16 +64,16 @@ module Net
     # Net::SSH.start for a description of each option.
     VALID_OPTIONS = %i[
       auth_methods bind_address compression compression_level config
-      encryption forward_agent hmac host_key remote_user
+      encryption forward_agent hmac host_key identity_agent remote_user
       keepalive keepalive_interval keepalive_maxcount kex keys key_data
-      keycerts languages logger paranoid password port proxy
+      keycerts keycert_data languages logger paranoid password port proxy
       rekey_blocks_limit rekey_limit rekey_packet_limit timeout verbose
       known_hosts global_known_hosts_file user_known_hosts_file host_key_alias
       host_name user properties passphrase keys_only max_pkt_size
       max_win_size send_env set_env use_agent number_of_password_prompts
       append_all_supported_algorithms non_interactive password_prompt
       agent_socket_factory minimum_dh_bits verify_host_key
-      fingerprint_hash check_host_ip
+      fingerprint_hash check_host_ip pubkey_algorithms
     ]
 
     # The standard means of starting a new SSH connection. When used with a
@@ -122,7 +121,7 @@ module Net
     # * :forward_agent => set to true if you want the SSH agent connection to
     #   be forwarded
     # * :known_hosts => a custom object holding known hosts records.
-    #   It must implement #search_for and add in a similiar manner as KnownHosts.
+    #   It must implement #search_for and `add` in a similiar manner as KnownHosts.
     # * :global_known_hosts_file => the location of the global known hosts
     #   file. Set to an array if you want to specify multiple global known
     #   hosts files. Defaults to %w(/etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2).
@@ -147,6 +146,8 @@ module Net
     #   and hostbased authentication
     # * :keycerts => an array of file names of key certificates to use
     #    with publickey authentication
+    # * :keycert_data => an array of strings, which each element of the array
+    #   being a key certificate to use with publickey authentication
     # * :key_data => an array of strings, with each element of the array being
     #   a raw private key in PEM format.
     # * :keys_only => set to +true+ to use only private keys from +keys+ and
@@ -171,6 +172,11 @@ module Net
     # * :properties => a hash of key/value pairs to add to the new connection's
     #   properties (see Net::SSH::Connection::Session#properties)
     # * :proxy => a proxy instance (see Proxy) to use when connecting
+    # * :pubkey_algorithms => the public key authentication algorithms to use for
+    #   this connection. Valid values are 'rsa-sha2-256-cert-v01@openssh.com',
+    #   'ssh-rsa-cert-v01@openssh.com', 'rsa-sha2-256', 'ssh-rsa'. Currently, this
+    #   option is only used for RSA public key authentication and ignored for other
+    #   types.
     # * :rekey_blocks_limit => the max number of blocks to process before rekeying
     # * :rekey_limit => the max number of bytes to process before rekeying
     # * :rekey_packet_limit => the max number of packets to process before rekeying
@@ -188,6 +194,7 @@ module Net
     #   Defaults to %w(~/.ssh/known_hosts ~/.ssh/known_hosts2).
     # * :use_agent => Set false to disable the use of ssh-agent. Defaults to
     #   true
+    # * :identity_agent => the path to the ssh-agent's UNIX socket
     # * :verbose => how verbose to be (Logger verbosity constants, Logger::DEBUG
     #   is very verbose, Logger::FATAL is all but silent). Logger::FATAL is the
     #   default. The symbols :debug, :info, :warn, :error, and :fatal are also
@@ -215,7 +222,7 @@ module Net
     # * :fingerprint_hash => 'MD5' or 'SHA256', defaults to 'SHA256'
     # If +user+ parameter is nil it defaults to USER from ssh_config, or
     # local username
-    def self.start(host, user=nil, options={}, &block)
+    def self.start(host, user = nil, options = {}, &block)
       invalid_options = options.keys - VALID_OPTIONS
       if invalid_options.any?
         raise ArgumentError, "invalid option(s): #{invalid_options.join(', ')}"
@@ -302,9 +309,9 @@ module Net
     end
 
     def self._sanitize_options(options)
-      invalid_option_values = [nil,[nil]]
+      invalid_option_values = [nil, [nil]]
       unless (options.values & invalid_option_values).empty?
-        nil_options = options.select { |_k,v| invalid_option_values.include?(v) }.map(&:first)
+        nil_options = options.select { |_k, v| invalid_option_values.include?(v) }.map(&:first)
         Kernel.warn "#{caller_locations(2, 1)[0]}: Passing nil, or [nil] to Net::SSH.start is deprecated for keys: #{nil_options.join(', ')}"
       end
     end

data/net-ssh-public_cert.pem

@@ -1,20 +1,21 @@
 -----BEGIN CERTIFICATE-----
-MIIDQDCCAiigAwIBAgIBATANBgkqhkiG9w0BAQsFADAlMSMwIQYDVQQDDBpuZXRz
-c2gvREM9c29sdXRpb3VzL0RDPWNvbTAeFw0yMDA0MTEwNTQyMTZaFw0yMTA0MTEw
-NTQyMTZaMCUxIzAhBgNVBAMMGm5ldHNzaC9EQz1zb2x1dGlvdXMvREM9Y29tMIIB
-IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxieE22fR/qmdPKUHyYTyUx2g
-wskLwrCkxay+Tvc97ZZUOwf85LDDDPqhQaTWLvRwnIOMgQE2nBPzwalVclK6a+pW
-x/18KDeZY15vm3Qn5p42b0wi9hUxOqPm3J2hdCLCcgtENgdX21nVzejn39WVqFJO
-lntgSDNW5+kCS8QaRsmIbzj17GKKkrsw39kiQw7FhWfJFeTjddzoZiWwc59KA/Bx
-fBbmDnsMLAtAtauMOxORrbx3EOY7sHku/kSrMg3FXFay7jc6BkbbUij+MjJ/k82l
-4o8o0YO4BAnya90xgEmgOG0LCCxRhuXQFnMDuDjK2XnUe0h4/6NCn94C+z9GsQID
-AQABo3sweTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIEsDAdBgNVHQ4EFgQUBfKiwO2e
-M4NEiRrVG793qEPLYyMwHwYDVR0RBBgwFoEUbmV0c3NoQHNvbHV0aW91cy5jb20w
-HwYDVR0SBBgwFoEUbmV0c3NoQHNvbHV0aW91cy5jb20wDQYJKoZIhvcNAQELBQAD
-ggEBAJTylLYXo5AybI+tLq79+OXQ8/nbGZ7iydU1uTHQud1JZQ1MRV5dRDjeBmCT
-lRxaEZT4NopEzuHO0sm3nVpSYtQwTaQyVKmnllNI3kc0f4H6i7dpPd7eUAQ3/O2I
-eWjDJlzu0zwqTa+N6vzS8Y3ypDSGgb1gJKzluOv7viVUAthmuuJws7XQq/qMMaNw
-3163oCKuJvMW1w8kdUMQqvlLJkVKaxz9K64r2+a04Ok1cKloTB3OSowfAYFoRlqP
-voajiJNS75Pw/2j13WnPB4Q6w7dHSb57E/VluBpVKmcQZN0dGdAkEIVty3v7kw9g
-y++VpCpWM/PstIFv4ApZMf501UY=
+MIIDeDCCAmCgAwIBAgIBATANBgkqhkiG9w0BAQsFADBBMQ8wDQYDVQQDDAZuZXRz
+c2gxGTAXBgoJkiaJk/IsZAEZFglzb2x1dGlvdXMxEzARBgoJkiaJk/IsZAEZFgNj
+b20wHhcNMjQwNDAxMDk1NjIxWhcNMjUwNDAxMDk1NjIxWjBBMQ8wDQYDVQQDDAZu
+ZXRzc2gxGTAXBgoJkiaJk/IsZAEZFglzb2x1dGlvdXMxEzARBgoJkiaJk/IsZAEZ
+FgNjb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGJ4TbZ9H+qZ08
+pQfJhPJTHaDCyQvCsKTFrL5O9z3tllQ7B/zksMMM+qFBpNYu9HCcg4yBATacE/PB
+qVVyUrpr6lbH/XwoN5ljXm+bdCfmnjZvTCL2FTE6o+bcnaF0IsJyC0Q2B1fbWdXN
+6Off1ZWoUk6We2BIM1bn6QJLxBpGyYhvOPXsYoqSuzDf2SJDDsWFZ8kV5ON13Ohm
+JbBzn0oD8HF8FuYOewwsC0C1q4w7E5GtvHcQ5juweS7+RKsyDcVcVrLuNzoGRttS
+KP4yMn+TzaXijyjRg7gECfJr3TGASaA4bQsILFGG5dAWcwO4OMrZedR7SHj/o0Kf
+3gL7P0axAgMBAAGjezB5MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdDgQW
+BBQF8qLA7Z4zg0SJGtUbv3eoQ8tjIzAfBgNVHREEGDAWgRRuZXRzc2hAc29sdXRp
+b3VzLmNvbTAfBgNVHRIEGDAWgRRuZXRzc2hAc29sdXRpb3VzLmNvbTANBgkqhkiG
+9w0BAQsFAAOCAQEAfY2WbsBKwRtBep4l+Y2/84H1BKH9UVOsFxqQzYkvM2LFDyup
+UkjYf8nPSjg3mquhaiA5KSoSVUPpNDfQo+UvY3+mlxRs96ttWiUGwz27fy82rx1B
+ZnfKjsWOntemNON6asOD0mtv0xsNBfOB2VNIKW/uqHsiPpa0OaVy5uENhX+5OFan
+2P1Uy+WcMiv38RlRkn4cdEIZUFupDgKFsguYlaJy473/wsae4exUgc5bvi3Splob
+1uE/LmB/qWBVSNW8e9KDtJynhDDZBlpESyQHFQCZj6UapzxlnC46LaDncPoAtJPc
+MlWxJ8mKghIcyXc5y4cSyGypNG5BralqnvQUyg==
 -----END CERTIFICATE-----

data/net-ssh.gemspec

@@ -15,7 +15,7 @@ Gem::Specification.new do |spec|
   spec.description   = %q{Net::SSH: a pure-Ruby implementation of the SSH2 client protocol. It allows you to write programs that invoke and interact with processes on remote servers, via SSH2.}
   spec.homepage      = "https://github.com/net-ssh/net-ssh"
   spec.license       = "MIT"
-  spec.required_ruby_version = Gem::Requirement.new(">= 2.3")
+  spec.required_ruby_version = Gem::Requirement.new(">= 2.6")
   spec.metadata = {
     "changelog_uri" => "https://github.com/net-ssh/net-ssh/blob/master/CHANGES.txt"
   }
@@ -36,9 +36,12 @@ Gem::Specification.new do |spec|
     spec.add_development_dependency('x25519') unless RUBY_PLATFORM == 'java'
   end
 
+  spec.add_development_dependency('rbnacl', '~> 7.1') unless ENV['NET_SSH_NO_RBNACL']
+
+  spec.add_development_dependency "base64"
   spec.add_development_dependency "bundler", ">= 1.17"
-  spec.add_development_dependency "minitest", "~> 5.10"
-  spec.add_development_dependency "mocha", "~> 1.11.2"
+  spec.add_development_dependency "minitest", "~> 5.19"
+  spec.add_development_dependency "mocha", "~> 2.1.0"
   spec.add_development_dependency "rake", "~> 12.0"
-  spec.add_development_dependency "rubocop", "~> 0.74.0"
+  spec.add_development_dependency "rubocop", "~> 1.28.0"
 end

data/support/ssh_tunnel_bug.rb

@@ -15,12 +15,12 @@
 #       visible_hostname netsshtest
 #     * Start squid squid -N -d 1 -D
 # * Run this script
-# * Configure browser proxy to use localhost with LOCAL_PORT. 
+# * Configure browser proxy to use localhost with LOCAL_PORT.
 # * Load any page, wait for it to load fully. If the page loads
 #   correctly, move on. If not, something needs to be corrected.
 # * Refresh the page several times. This should cause this
 #   script to failed with the error: "closed stream". You may
-#   need to try a few times. 
+#   need to try a few times.
 #
 
 require 'highline/import'
@@ -37,7 +37,7 @@ pass = ask("Password: ") { |q| q.echo = "*" }
 puts "Configure your browser proxy to localhost:#{LOCAL_PORT}"
 
 begin
-  session = Net::SSH.start(host, user, password: pass)  
+  session = Net::SSH.start(host, user, password: pass)
   session.forward.local(LOCAL_PORT, host, PROXY_PORT)
   session.loop {true}
 rescue StandardError => e