net-ssh 6.1.0 → 7.3.0

data/CHANGES.txt

@@ -1,6 +1,67 @@
+=== 7.3.0 rc0
+
+ * aes(128|256)gcm [#946]
+
+=== 7.2.2
+
+  * ruby 3.3.0: base64 fix
+
+=== 7.2.1 rc1
+
+  * feat: allow load of certkey from string [#926]
+  * fix: fix for  Socket#recv returning nil on ruby 3.3.0 [#928]
+
+=== 7.2.0
+
+  * Add debugging information for algorithm of pubkey in use [#918]
+
+=== 7.2.0 rc1
+
+  * Allow IdentityAgent as option to Net::SSH.start [#912]
+
+=== 7.2.0 beta1
+
+  * Support `chacha20-poly1305@opnessh.com` cypher if `RbNaCl` gem is installed [#908]
+
+=== 7.1.0
+
+  * Accept pubkey_algorithms option when starting a new connection [#891]
+
+=== 7.1.0 beta1
+
+  * Don't use the deprecated set_XXX methods on RSA keys. [#875]
+  * Raise error when BCryptPbkdf fails [#876]
+
+=== 7.0.1
+
+  * Drop leftover debug statement [#866]
+
+=== 7.0.0
+
+  * BREAKING: Drop support for Ruby 2.5
+  * Fix decoding of ecdsa-sha2-nistp256 private keys [#657, #854]
+  * Fix missing require [#855]
+  * Support `~` in the path to the SSH agent's unix socket [#850]
+  * Add support for RSA client authentication with SHA-2 [a45f54]
+  * openssl: DSA: don't hardcode expected signature size, see ruby/openssl#483 [23a15c]
+  * Internal housekeeping (rubocop, codecov, remove travis, adding/improving tests)
+
+=== 6.3.0 beta1
+
+  * Support cert based host key auth, fix asterisk in known_hosts [#833]
+  * Support kex dh-group14-sha256  [#795]
+  * Fix StrictHostKeyChecking ssh config parameter translation [#765]
+
+=== 6.2.0 rc1
+
+=== 6.2.0 beta1
+
+  * rsa-sha2-512, rsa-sha2-256 host_key algs [#771]
+  * JRuby aes*-ctr suppport [#767]
+
 === 6.1.0
 
-  * adapt to ssh's default bahaviors when no username is provided.
+  * Adapt to ssh's default behaviors when no username is provided.
     When Net::SSH.start user is nil and config has no entry
     we default to Etc.getpwuid.name() instead of Etc.getlogin(). [#749]
 
@@ -36,7 +97,7 @@
 === 5.2.0.rc3
 
   * Fix check_host_ip read from config
-  * Support ssh-ed25519 in kown hosts
+  * Support ssh-ed25519 in known hosts
 
 === 5.2.0.rc2
 
@@ -59,7 +120,7 @@
 
 === 5.0.2
 
-  * fix ctr for jruby [#612]
+  * Fix ctr for jruby [#612]
 
 === 5.0.1
 

data/DEVELOPMENT.md

@@ -0,0 +1,23 @@
+### Development notes
+
+## Building/running ssh server in debug mode
+
+clone the openssh server from `https://github.com/openssh/openssh-portable`
+
+```sh
+brew install openssl
+/usr/local/Cellar/openssl@3/3.1.0/bin/openssl
+
+autoreconf
+./configure --with-ssl-dir=/usr/local/Cellar/openssl@3/3.1.0/ --with-audit=debug --enable-debug CPPFLAGS="-DDEBUG -DPACKET_DEBUG" CFLAGS="-g -O0"
+make
+```
+
+To run server in debug mode:
+```sh
+echo '#' > /tmp/sshd_config
+ssh-keygen -t rsa -f /tmp/ssh_host_rsa_key
+# /Users/boga/Work/OSS/NetSSH/openssh-portable/sshd -p 2222 -D -d -d -d -e -f /tmp/sshd_config
+/Users/boga/Work/OSS/NetSSH/openssh-portable/sshd -p 2222 -D -d -d -d -e -f /tmp/sshd_config -h /tmp/ssh_host_rsa_key
+
+```

data/Dockerfile

@@ -0,0 +1,29 @@
+ARG RUBY_VERSION=3.1
+FROM ruby:${RUBY_VERSION}
+
+ARG BUNDLERV=
+
+RUN apt update && apt install -y openssh-server sudo netcat-openbsd \
+  && useradd --create-home --shell '/bin/bash' --comment 'NetSSH' 'net_ssh_1' \
+  && useradd --create-home --shell '/bin/bash' --comment 'NetSSH' 'net_ssh_2' \
+  && echo net_ssh_1:foopwd | chpasswd \
+  && echo net_ssh_2:foo2pwd | chpasswd \
+  && mkdir -p /home/net_ssh_1/.ssh \
+  && mkdir -p /home/net_ssh_2/.ssh \
+  && echo "net_ssh_1 ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers \
+  && echo "net_ssh_2 ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers \
+  && ssh-keygen -f /etc/ssh/users_ca -N ''
+
+ENV INSTALL_PATH="/netssh"
+
+WORKDIR $INSTALL_PATH
+
+COPY Gemfile net-ssh.gemspec $INSTALL_PATH/
+
+COPY lib/net/ssh/version.rb $INSTALL_PATH/lib/net/ssh/version.rb
+
+RUN gem install bundler ${BUNDLERV}  && bundle install
+
+COPY . $INSTALL_PATH/
+
+CMD service ssh start && rake test && NET_SSH_NO_ED25519=1 rake test

data/Dockerfile.openssl3

@@ -0,0 +1,17 @@
+FROM ubuntu:22.04
+
+ENV INSTALL_PATH="/netssh"
+
+RUN apt update && apt install -y openssl ruby ruby-dev git build-essential
+
+WORKDIR $INSTALL_PATH
+
+COPY Gemfile net-ssh.gemspec $INSTALL_PATH/
+
+COPY lib/net/ssh/version.rb $INSTALL_PATH/lib/net/ssh/version.rb
+
+RUN ls -l && gem install bundler && bundle install
+
+COPY . $INSTALL_PATH/
+
+CMD openssl version && ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION' && rake test

data/Gemfile

@@ -9,3 +9,5 @@ if ENV["CI"]
   gem 'codecov', require: false, group: :test
   gem 'simplecov', require: false, group: :test
 end
+
+gem 'webrick', group: %i[development test] if RUBY_VERSION.split(".")[0].to_i >= 3

data/Gemfile.noed25519

@@ -8,3 +8,5 @@ if ENV["CI"] && !Gem.win_platform?
   gem 'simplecov', require: false, group: :test
   gem 'codecov', require: false, group: :test
 end
+
+gem 'webrick', group: %i[development test] if RUBY_VERSION.split(".")[0].to_i >= 3

data/Gemfile.norbnacl

@@ -0,0 +1,12 @@
+source 'https://rubygems.org'
+
+ENV['NET_SSH_NO_RBNACL'] = 'true'
+# Specify your gem's dependencies in mygem.gemspec
+gemspec
+
+if ENV["CI"] && !Gem.win_platform?
+  gem 'simplecov', require: false, group: :test
+  gem 'codecov', require: false, group: :test
+end
+
+gem 'webrick', group: %i[development test] if RUBY_VERSION.split(".")[0].to_i >= 3

data/README.md

@@ -1,13 +1,13 @@
 [![Gem Version](https://badge.fury.io/rb/net-ssh.svg)](https://badge.fury.io/rb/net-ssh)
 [![Join the chat at https://gitter.im/net-ssh/net-ssh](https://badges.gitter.im/net-ssh/net-ssh.svg)](https://gitter.im/net-ssh/net-ssh?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=badge)
-[![Build Status](https://travis-ci.org/net-ssh/net-ssh.svg?branch=master)](https://travis-ci.org/net-ssh/net-ssh)
+[![Build status](https://github.com/net-ssh/net-ssh/actions/workflows/ci.yml/badge.svg)](https://github.com/net-ssh/net-ssh/actions/workflows/ci.yml)
 [![Coverage status](https://codecov.io/gh/net-ssh/net-ssh/branch/master/graph/badge.svg)](https://codecov.io/gh/net-ssh/net-ssh)
 [![Backers on Open Collective](https://opencollective.com/net-ssh/backers/badge.svg)](#backers])
 [![Sponsors on Open Collective](https://opencollective.com/net-ssh/sponsors/badge.svg)](#sponsors)
 
-# Net::SSH 6.x
+# Net::SSH 7.x
 
-* Docs: http://net-ssh.github.com/net-ssh
+* Docs: http://net-ssh.github.io/net-ssh
 * Issues: https://github.com/net-ssh/net-ssh/issues
 * Codes: https://github.com/net-ssh/net-ssh
 * Email: net-ssh@solutious.com
@@ -33,7 +33,7 @@ We strongly recommend that you install a servers's version that supports the lat
 
 It is possible to return to the previous behavior by adding the option : `append_all_supported_algorithms: true`
 
-Unsecure algoritms will definitely be removed in Net::SSH 7.*.
+Unsecure algoritms will definitely be removed in Net::SSH 8.*.
 
 ### Host Keys
 
@@ -44,7 +44,7 @@ Unsecure algoritms will definitely be removed in Net::SSH 7.*.
 | ecdsa-sha2-nistp521  | OK                    | [using weak elliptic curves](https://safecurves.cr.yp.to/) |
 | ecdsa-sha2-nistp384  | OK                    | [using weak elliptic curves](https://safecurves.cr.yp.to/) |
 | ecdsa-sha2-nistp256  | OK                    | [using weak elliptic curves](https://safecurves.cr.yp.to/) |
-| ssh-dss              | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
+| ssh-dss              | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
 
 ### Key Exchange
 
@@ -54,9 +54,9 @@ Unsecure algoritms will definitely be removed in Net::SSH 7.*.
 | ecdh-sha2-nistp521                   | OK                    | [using weak elliptic curves](https://safecurves.cr.yp.to/) |
 | ecdh-sha2-nistp384                   | OK                    | [using weak elliptic curves](https://safecurves.cr.yp.to/) |
 | ecdh-sha2-nistp256                   | OK                    | [using weak elliptic curves](https://safecurves.cr.yp.to/) |
-| diffie-hellman-group1-sha1           | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
+| diffie-hellman-group1-sha1           | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
 | diffie-hellman-group14-sha1          | OK                    |          |
-| diffie-hellman-group-exchange-sha1   | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
+| diffie-hellman-group-exchange-sha1   | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
 | diffie-hellman-group-exchange-sha256 | OK                    |          |
 
 ### Encryption algorithms (ciphers)
@@ -64,13 +64,14 @@ Unsecure algoritms will definitely be removed in Net::SSH 7.*.
 | Name                                 | Support               | Details  |
 |--------------------------------------|-----------------------|----------|
 | aes256-ctr / aes192-ctr / aes128-ctr | OK                    |          |
-| aes256-cbc / aes192-cbc / aes128-cbc | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
-| rijndael-cbc@lysator.liu.se          | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
-| blowfish-ctr blowfish-cbc            | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
-| cast128-ctr cast128-cbc              | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
-| 3des-ctr 3des-cbc                    | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
-| idea-cbc                             | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
-| none                                 | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
+| chacha20-poly1305@openssh.com        | OK.                   | Requires the gem `rbnacl` |
+| aes256-cbc / aes192-cbc / aes128-cbc | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
+| rijndael-cbc@lysator.liu.se          | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
+| blowfish-ctr blowfish-cbc            | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
+| cast128-ctr cast128-cbc              | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
+| 3des-ctr 3des-cbc                    | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
+| idea-cbc                             | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
+| none                                 | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
 
 ### Message Authentication Code algorithms
 
@@ -80,14 +81,14 @@ Unsecure algoritms will definitely be removed in Net::SSH 7.*.
 | hmac-sha2-256-etm    | OK                    |          |
 | hmac-sha2-512        | OK                    |          |
 | hmac-sha2-256        | OK                    |          |
-| hmac-sha2-512-96     | Deprecated in 6.0     | removed from the specification, will be removed in 7.0 |
-| hmac-sha2-256-96     | Deprecated in 6.0     | removed from the specification, will be removed in 7.0 |
+| hmac-sha2-512-96     | Deprecated in 6.0     | removed from the specification, will be removed in 8.0 |
+| hmac-sha2-256-96     | Deprecated in 6.0     | removed from the specification, will be removed in 8.0 |
 | hmac-sha1            | OK                    | for backward compatibility      |
-| hmac-sha1-96         | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
-| hmac-ripemd160       | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
-| hmac-md5             | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
-| hmac-md5-96          | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
-| none                 | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
+| hmac-sha1-96         | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
+| hmac-ripemd160       | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
+| hmac-md5             | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
+| hmac-md5-96          | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
+| none                 | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
 
 ## SYNOPSIS:
 
@@ -211,13 +212,19 @@ Run the test suite from the net-ssh directory with the following command:
 bundle exec rake test
 ```
 
+NOTE : you can run test on all ruby versions with docker :
+
+```
+docker-compose up --build
+```
+
 Run a single test file like this:
 
 ```sh
 ruby -Ilib -Itest test/transport/test_server_version.rb
 ```
 
-To run integration tests see test/integration/README.txt
+To run integration tests see [here](test/integration/README.md)
 
 ### BUILDING GEM
 
@@ -241,6 +248,12 @@ mv gem-public_cert.pem net-ssh-public_cert.pem
 gem cert --add net-ssh-public_cert.pem
 ```
 
+or `rake cert:update_public_when_expired`
+
+## Security contact information
+
+See [SECURITY.md](SECURITY.md)
+
 ## CREDITS
 
 ### Contributors
@@ -261,6 +274,9 @@ Support this project by becoming a sponsor. Your logo will show up here with a l
 
 [![Sponsor](https://opencollective.com/net-ssh/sponsor/0/avatar.svg)](https://opencollective.com/net-ssh/sponsor/0/website)
 
+[<img src="https://github.com/net-ssh/net-ssh/assets/52435/9690bf3e-34ea-4c52-8aea-1cc4cb5bcb6d" width="320">](https://ubicloud.com)
+
+
 ## LICENSE:
 
 (The MIT License)

data/Rakefile

@@ -48,12 +48,100 @@ namespace :cert do
     raw = File.read "net-ssh-public_cert.pem"
     certificate = OpenSSL::X509::Certificate.new raw
     raise Exception, "Not yet expired: #{certificate.not_after}" unless certificate.not_after < Time.now
+
     sh "gem cert --build netssh@solutious.com --days 365*5 --private-key /mnt/gem/net-ssh-private_key.pem"
     sh "mv gem-public_cert.pem net-ssh-public_cert.pem"
     sh "gem cert --add net-ssh-public_cert.pem"
   end
 end
 
+def change_version(&block)
+  version_file = 'lib/net/ssh/version.rb'
+  require_relative version_file
+  pre = Net::SSH::Version::PRE
+  tiny = Net::SSH::Version::TINY
+  result = block[pre: pre, tiny: Net::SSH::Version::TINY]
+  raise ArgumentError, "Version change logic should always return a pre" unless result.key?(:pre)
+
+  new_pre = result[:pre]
+  new_tiny = result[:tiny] || tiny
+  found = { pre: false, tiny: false }
+  File.open("#{version_file}.new", "w") do |f|
+    File.readlines(version_file).each do |line|
+      match =
+        if pre.nil?
+          /^(\s+PRE\s+=\s+)nil(\s*)$/.match(line)
+        else
+          /^(\s+PRE\s+=\s+")#{pre}("\s*)$/.match(line)
+        end
+      if match
+        prefix = match[1]
+        postfix = match[2]
+        prefix.delete_suffix!('"')
+        postfix.delete_prefix!('"')
+        new_line = "#{prefix}#{new_pre.inspect}#{postfix}"
+        puts "Changing:\n  - #{line}  + #{new_line}"
+        line = new_line
+        found[:pre] = true
+      end
+
+      if new_tiny != tiny
+        match = /^(\s+TINY\s+=\s+)#{tiny}(\s*)$/.match(line)
+        if match
+          prefix = match[1]
+          postfix = match[2]
+          new_line = "#{prefix}#{new_tiny}#{postfix}"
+          puts "Changing:\n  - #{line}  + #{new_line}"
+          line = new_line
+          found[:tiny] = true
+        end
+      end
+
+      f.write(line)
+    end
+    raise ArgumentError, "Cound not find line: PRE = \"#{pre}\" in #{version_file}" unless found[:pre]
+    raise ArgumentError, "Cound not find line: TINY = \"#{tiny}\" in #{version_file}" unless found[:tiny] || new_tiny == tiny
+  end
+
+  FileUtils.mv version_file, "#{version_file}.old"
+  FileUtils.mv "#{version_file}.new", version_file
+end
+
+namespace :vbump do
+  desc "Final release"
+  task :final do
+    change_version do |pre:, tiny:|
+      _ = tiny
+      if pre.nil?
+        { tiny: tiny + 1, pre: nil }
+      else
+        raise ArgumentError, "Unexpected pre: #{pre}" if pre.nil?
+
+        { pre: nil }
+      end
+    end
+  end
+
+  desc "Increment prerelease"
+  task :pre, [:type] do |_t, args|
+    change_version do |pre:, tiny:|
+      puts " PRE => #{pre.inspect}"
+      match = /^([a-z]+)(\d+)/.match(pre)
+      raise ArgumentError, "Unexpected pre: #{pre}" if match.nil? && args[:type].nil?
+
+      if match.nil? || (!args[:type].nil? && args[:type] != match[1])
+        if pre.nil?
+          { pre: "#{args[:type]}1", tiny: tiny + 1 }
+        else
+          { pre: "#{args[:type]}1" }
+        end
+      else
+        { pre: "#{match[1]}#{match[2].to_i + 1}" }
+      end
+    end
+  end
+end
+
 namespace :rdoc do
   desc "Update gh-pages branch"
   task :publish do
@@ -94,6 +182,10 @@ Rake::TestTask.new do |t|
   t.test_files = test_files
 end
 
+# We need to enable the OpenSSL 3.0 legacy providers for our test suite
+require 'openssl'
+ENV['OPENSSL_CONF'] = 'test/openssl3.conf' if OpenSSL::OPENSSL_LIBRARY_VERSION.start_with? "OpenSSL 3"
+
 desc "Run tests of Net::SSH:Test"
 Rake::TestTask.new do |t|
   t.name = "test_test"

data/SECURITY.md

@@ -0,0 +1,4 @@
+## Security contact information
+
+To report a security vulnerability, please use the
+[GitHub private vulnerability reporting feature](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability).

data/docker-compose.yml

@@ -0,0 +1,25 @@
+version: '3'
+
+services:
+  ruby-3.1:
+    build:
+      context: .
+      args: 
+        RUBY_VERSION: 3.1
+  ruby-3.0:
+    build:
+      context: .
+      args: 
+        RUBY_VERSION: 3.0
+  ruby-2.7:
+    build:
+      context: .
+      args: 
+        RUBY_VERSION: 2.7
+        BUNDLERV: "-v 2.2.28"
+  ruby-2.6:
+    build:
+      context: .
+      args: 
+        RUBY_VERSION: 2.6
+        BUNDLERV: "-v 2.4.22"

data/lib/net/ssh/authentication/agent.rb

@@ -13,6 +13,7 @@ module Net
     module Authentication
       # Class for representing agent-specific errors.
       class AgentError < Net::SSH::Exception; end
+
       # An exception for indicating that the SSH agent is not available.
       class AgentNotAvailable < AgentError; end
 
@@ -39,6 +40,8 @@ module Net
         SSH2_AGENT_ADD_IDENTITY          = 17
         SSH2_AGENT_REMOVE_IDENTITY       = 18
         SSH2_AGENT_REMOVE_ALL_IDENTITIES = 19
+        SSH2_AGENT_LOCK                  = 22
+        SSH2_AGENT_UNLOCK                = 23
         SSH2_AGENT_ADD_ID_CONSTRAINED    = 25
         SSH2_AGENT_FAILURE               = 30
         SSH2_AGENT_VERSION_RESPONSE      = 103
@@ -62,7 +65,7 @@ module Net
 
         # Instantiates a new agent object, connects to a running SSH agent,
         # negotiates the agent protocol version, and returns the agent object.
-        def self.connect(logger=nil, agent_socket_factory = nil, identity_agent = nil)
+        def self.connect(logger = nil, agent_socket_factory = nil, identity_agent = nil)
           agent = new(logger)
           agent.connect!(agent_socket_factory, identity_agent)
           agent.negotiate!
@@ -71,7 +74,7 @@ module Net
 
         # Creates a new Agent object, using the optional logger instance to
         # report status.
-        def initialize(logger=nil)
+        def initialize(logger = nil)
           self.logger = logger
         end
 
@@ -85,9 +88,9 @@ module Net
             if agent_socket_factory
               agent_socket_factory.call
             elsif identity_agent
-              unix_socket_class.open(identity_agent)
+              unix_socket_class.open(File.expand_path(identity_agent))
             elsif ENV['SSH_AUTH_SOCK'] && unix_socket_class
-              unix_socket_class.open(ENV['SSH_AUTH_SOCK'])
+              unix_socket_class.open(File.expand_path(ENV['SSH_AUTH_SOCK']))
             elsif Gem.win_platform? && RUBY_ENGINE != "jruby"
               Pageant::Socket.open
             else
@@ -105,6 +108,7 @@ module Net
           type, body = send_and_wait(SSH2_AGENT_REQUEST_VERSION, :string, Transport::ServerVersion::PROTO_VERSION)
 
           raise AgentNotAvailable, "SSH2 agents are not yet supported" if type == SSH2_AGENT_VERSION_RESPONSE
+
           if type == SSH2_AGENT_FAILURE
             debug { "Unexpected response type==#{type}, this will be ignored" }
           elsif type != SSH_AGENT_RSA_IDENTITIES_ANSWER1 && type != SSH_AGENT_RSA_IDENTITIES_ANSWER2
@@ -173,7 +177,7 @@ module Net
 
           req_type = constraints.empty? ? SSH2_AGENT_ADD_IDENTITY : SSH2_AGENT_ADD_ID_CONSTRAINED
           type, = send_and_wait(req_type, :string, priv_key.ssh_type, :raw, blob_for_add(priv_key),
-                      :string, comment, :raw, constraints)
+                                :string, comment, :raw, constraints)
           raise AgentError, "could not add identity to agent" if type != SSH_AGENT_SUCCESS
         end
 
@@ -189,6 +193,18 @@ module Net
           raise AgentError, "could not remove all identity from agent" if type != SSH_AGENT_SUCCESS
         end
 
+        # lock the ssh agent with password
+        def lock(password)
+          type, = send_and_wait(SSH2_AGENT_LOCK, :string, password)
+          raise AgentError, "could not lock agent" if type != SSH_AGENT_SUCCESS
+        end
+
+        # unlock the ssh agent with password
+        def unlock(password)
+          type, = send_and_wait(SSH2_AGENT_UNLOCK, :string, password)
+          raise AgentError, "could not unlock agent" if type != SSH_AGENT_SUCCESS
+        end
+
         private
 
         def unix_socket_class
@@ -235,31 +251,31 @@ module Net
           case priv_key.ssh_type
           when /^ssh-dss$/
             Net::SSH::Buffer.from(:bignum, priv_key.p, :bignum, priv_key.q, :bignum, priv_key.g,
-                        :bignum, priv_key.pub_key, :bignum, priv_key.priv_key).to_s
+                                  :bignum, priv_key.pub_key, :bignum, priv_key.priv_key).to_s
           when /^ssh-dss-cert-v01@openssh\.com$/
             Net::SSH::Buffer.from(:string, priv_key.to_blob, :bignum, priv_key.key.priv_key).to_s
           when /^ecdsa\-sha2\-(\w*)$/
             curve_name = OpenSSL::PKey::EC::CurveNameAliasInv[priv_key.group.curve_name]
             Net::SSH::Buffer.from(:string, curve_name, :mstring, priv_key.public_key.to_bn.to_s(2),
-                        :bignum, priv_key.private_key).to_s
+                                  :bignum, priv_key.private_key).to_s
           when /^ecdsa\-sha2\-(\w*)-cert-v01@openssh\.com$/
             Net::SSH::Buffer.from(:string, priv_key.to_blob, :bignum, priv_key.key.private_key).to_s
           when /^ssh-ed25519$/
             Net::SSH::Buffer.from(:string, priv_key.public_key.verify_key.to_bytes,
-                        :string, priv_key.sign_key.keypair).to_s
+                                  :string, priv_key.sign_key.keypair).to_s
           when /^ssh-ed25519-cert-v01@openssh\.com$/
             # Unlike the other certificate types, the public key is included after the certifiate.
             Net::SSH::Buffer.from(:string, priv_key.to_blob,
-                        :string, priv_key.key.public_key.verify_key.to_bytes,
-                        :string, priv_key.key.sign_key.keypair).to_s
+                                  :string, priv_key.key.public_key.verify_key.to_bytes,
+                                  :string, priv_key.key.sign_key.keypair).to_s
           when /^ssh-rsa$/
             # `n` and `e` are reversed compared to the ordering in `OpenSSL::PKey::RSA#to_blob`.
             Net::SSH::Buffer.from(:bignum, priv_key.n, :bignum, priv_key.e, :bignum, priv_key.d,
-                        :bignum, priv_key.iqmp, :bignum, priv_key.p, :bignum, priv_key.q).to_s
+                                  :bignum, priv_key.iqmp, :bignum, priv_key.p, :bignum, priv_key.q).to_s
           when /^ssh-rsa-cert-v01@openssh\.com$/
             Net::SSH::Buffer.from(:string, priv_key.to_blob, :bignum, priv_key.key.d,
-                        :bignum, priv_key.key.iqmp, :bignum, priv_key.key.p,
-                        :bignum, priv_key.key.q).to_s
+                                  :bignum, priv_key.key.iqmp, :bignum, priv_key.key.p,
+                                  :bignum, priv_key.key.q).to_s
           end
         end
       end

data/lib/net/ssh/authentication/certificate.rb

@@ -31,12 +31,13 @@ module Net
           cert.key_id = buffer.read_string
           cert.valid_principals = buffer.read_buffer.read_all(&:read_string)
           cert.valid_after = Time.at(buffer.read_int64)
-          
+
           cert.valid_before = if RUBY_PLATFORM == "java"
                                 # 0x20c49ba5e353f7 = 0x7fffffffffffffff/1000, the largest value possible for JRuby
                                 # JRuby Time.at multiplies the arg by 1000, and then stores it in a signed long.
-                                # 0x20c49ba5e353f7 = 292278994-08-17 01:12:55 -0600
-                                Time.at([0x20c49ba5e353f7, buffer.read_int64].min)
+                                # 0x20c49ba2d52500 = 292278993-01-01 00:00:00 +0000
+                                # JRuby 9.1 does not accept the year 292278994 because of edge cases (https://github.com/JodaOrg/joda-time/issues/190)
+                                Time.at([0x20c49ba2d52500, buffer.read_int64].min)
                               else
                                 Time.at(buffer.read_int64)
                               end
@@ -65,12 +66,12 @@ module Net
           ).to_s
         end
 
-        def ssh_do_sign(data)
-          key.ssh_do_sign(data)
+        def ssh_do_sign(data, sig_alg = nil)
+          key.ssh_do_sign(data, sig_alg)
         end
 
-        def ssh_do_verify(sig, data)
-          key.ssh_do_verify(sig, data)
+        def ssh_do_verify(sig, data, options = {})
+          key.ssh_do_verify(sig, data, options)
         end
 
         def to_pem
@@ -82,7 +83,7 @@ module Net
         end
 
         # Signs the certificate with key.
-        def sign!(key, sign_nonce=nil)
+        def sign!(key, sign_nonce = nil)
           # ssh-keygen uses 32 bytes of nonce.
           self.nonce = sign_nonce || SecureRandom.random_bytes(32)
           self.signature_key = key
@@ -93,7 +94,7 @@ module Net
           self
         end
 
-        def sign(key, sign_nonce=nil)
+        def sign(key, sign_nonce = nil)
           cert = clone
           cert.sign!(key, sign_nonce)
         end
@@ -101,8 +102,8 @@ module Net
         # Checks whether the certificate's signature was signed by signature key.
         def signature_valid?
           buffer = Buffer.new(signature)
-          buffer.read_string # skip signature format
-          signature_key.ssh_do_verify(buffer.read_string, to_blob_without_signature)
+          sig_format = buffer.read_string
+          signature_key.ssh_do_verify(buffer.read_string, to_blob_without_signature, host_key: sig_format)
         end
 
         def self.read_options(buffer)
@@ -124,6 +125,7 @@ module Net
         def self.type_symbol(type)
           types = { 1 => :user, 2 => :host }
           raise ArgumentError("unsupported type: #{type}") unless types.include?(type)
+
           types.fetch(type)
         end
         private_class_method :type_symbol
@@ -133,6 +135,7 @@ module Net
         def type_value(type)
           types = { user: 1, host: 2 }
           raise ArgumentError("unsupported type: #{type}") unless types.include?(type)
+
           types.fetch(type)
         end
 

data/lib/net/ssh/authentication/constants.rb

@@ -1,7 +1,6 @@
 module Net
   module SSH
     module Authentication
-
       # Describes the constants used by the Net::SSH::Authentication components
       # of the Net::SSH library. Individual authentication method implemenations
       # may define yet more constants that are specific to their implementation.