net-ssh 6.1.0 → 7.3.0

data/lib/net/ssh/authentication/ed25519.rb

@@ -3,8 +3,6 @@ gem 'bcrypt_pbkdf', '~> 1.0' unless RUBY_PLATFORM == "java"
 
 require 'ed25519'
 
-require 'base64'
-
 require 'net/ssh/transport/cipher_factory'
 require 'net/ssh/authentication/pub_key_fingerprint'
 require 'bcrypt_pbkdf' unless RUBY_PLATFORM == "java"
@@ -14,7 +12,7 @@ module Net
     module Authentication
       module ED25519
         class SigningKeyFromFile < SimpleDelegator
-          def initialize(pk,sk)
+          def initialize(pk, sk)
             key = ::Ed25519::SigningKey.from_keypair(sk)
             raise ArgumentError, "pk does not match sk" unless pk == key.verify_key.to_bytes
 
@@ -44,9 +42,11 @@ module Net
             datafull = datafull.strip
             raise ArgumentError.new("Expected #{MBEGIN} at start of private key") unless datafull.start_with?(MBEGIN)
             raise ArgumentError.new("Expected #{MEND} at end of private key") unless datafull.end_with?(MEND)
+
             datab64 = datafull[MBEGIN.size...-MEND.size]
-            data = Base64.decode64(datab64)
+            data = datab64.unpack1("m")
             raise ArgumentError.new("Expected #{MAGIC} at start of decoded private key") unless data.start_with?(MAGIC)
+
             buffer = Net::SSH::Buffer.new(data[MAGIC.size + 1..-1])
 
             ciphername = buffer.read_string
@@ -59,6 +59,7 @@ module Net
             kdfopts = Net::SSH::Buffer.new(buffer.read_string)
             num_keys = buffer.read_long
             raise ArgumentError.new("Only 1 key is supported in ssh keys #{num_keys} was in private key") unless num_keys == 1
+
             _pubkey = buffer.read_string
 
             len = buffer.read_long
@@ -72,12 +73,14 @@ module Net
               rounds = kdfopts.read_long
 
               raise "BCryptPbkdf is not implemented for jruby" if RUBY_PLATFORM == "java"
+
               key = BCryptPbkdf::key(password, salt, keylen + ivlen, rounds)
+              raise DecryptError.new("BCyryptPbkdf failed", encrypted_key: true) unless key
             else
               key = '\x00' * (keylen + ivlen)
             end
 
-            cipher = CipherFactory.get(ciphername, key: key[0...keylen], iv:key[keylen...keylen + ivlen], decrypt: true)
+            cipher = CipherFactory.get(ciphername, key: key[0...keylen], iv: key[keylen...keylen + ivlen], decrypt: true)
 
             decoded = cipher.update(buffer.remainder_as_buffer.to_s)
             decoded << cipher.final
@@ -112,7 +115,7 @@ module Net
           end
 
           def to_blob
-            Net::SSH::Buffer.from(:mstring,"ssh-ed25519",:string,@verify_key.to_bytes).to_s
+            Net::SSH::Buffer.from(:mstring, "ssh-ed25519".dup, :string, @verify_key.to_bytes).to_s
           end
 
           def ssh_type
@@ -123,13 +126,13 @@ module Net
             ssh_type
           end
 
-          def ssh_do_verify(sig,data)
-            @verify_key.verify(sig,data)
+          def ssh_do_verify(sig, data, options = {})
+            @verify_key.verify(sig, data)
           end
 
           def to_pem
             # TODO this is not pem
-            ssh_type + Base64.encode64(@verify_key.to_bytes)
+            ssh_type + [@verify_key.to_bytes].pack("m")
           end
         end
 
@@ -148,7 +151,7 @@ module Net
             _comment = buffer.read_string
 
             @pk = pk
-            @sign_key = SigningKeyFromFile.new(pk,sk)
+            @sign_key = SigningKeyFromFile.new(pk, sk)
           end
 
           def to_blob
@@ -167,7 +170,7 @@ module Net
             PubKey.new(@pk)
           end
 
-          def ssh_do_sign(data)
+          def ssh_do_sign(data, sig_alg = nil)
             @sign_key.sign(data)
           end
 

data/lib/net/ssh/authentication/ed25519_loader.rb

@@ -1,11 +1,9 @@
-module Net 
-  module SSH 
+module Net
+  module SSH
     module Authentication
-
       # Loads ED25519 support which requires optinal dependecies like
       # ed25519, bcrypt_pbkdf
       module ED25519Loader
-      
         begin
           require 'net/ssh/authentication/ed25519'
           LOADED = true
@@ -14,20 +12,19 @@ module Net
           ERROR = e
           LOADED = false
         end
-      
+
         def self.raiseUnlessLoaded(message)
           description = ERROR.is_a?(LoadError) ? dependenciesRequiredForED25519 : ''
           description << "#{ERROR.class} : \"#{ERROR.message}\"\n" if ERROR
           raise NotImplementedError, "#{message}\n#{description}" unless LOADED
         end
-      
+
         def self.dependenciesRequiredForED25519
           result = "net-ssh requires the following gems for ed25519 support:\n"
           result << " * ed25519 (>= 1.2, < 2.0)\n"
           result << " * bcrypt_pbkdf (>= 1.0, < 2.0)\n" unless RUBY_PLATFORM == "java"
           result << "See https://github.com/net-ssh/net-ssh/issues/565 for more information\n"
         end
-      
       end
     end
   end

data/lib/net/ssh/authentication/key_manager.rb

@@ -6,7 +6,6 @@ require 'net/ssh/authentication/agent'
 module Net
   module SSH
     module Authentication
-
       # A trivial exception class used to report errors in the key manager.
       class KeyManagerError < Net::SSH::Exception; end
 
@@ -33,6 +32,9 @@ module Net
         # The list of user key certificate files that will be examined
         attr_reader :keycert_files
 
+        # The list of user key certificate data that will be examined
+        attr_reader :keycert_data
+
         # The map of loaded identities
         attr_reader :known_identities
 
@@ -42,11 +44,12 @@ module Net
         # Create a new KeyManager. By default, the manager will
         # use the ssh-agent if it is running and the `:use_agent` option
         # is not false.
-        def initialize(logger, options={})
+        def initialize(logger, options = {})
           self.logger = logger
           @key_files = []
           @key_data = []
           @keycert_files = []
+          @keycert_data = []
           @use_agent = options[:use_agent] != false
           @known_identities = {}
           @agent = nil
@@ -60,6 +63,7 @@ module Net
         def clear!
           key_files.clear
           key_data.clear
+          keycert_data.clear
           known_identities.clear
           self
         end
@@ -76,6 +80,12 @@ module Net
           self
         end
 
+        # Add the given keycert_data to the list of keycerts that will be used.
+        def add_keycert_data(keycert_data_)
+          keycert_data.push(keycert_data_).uniq!
+          self
+        end
+
         # Add the given key_file to the list of keys that will be used.
         def add_key_data(key_data_)
           key_data.push(key_data_).uniq!
@@ -133,8 +143,8 @@ module Net
           end
 
           known_identity_blobs = known_identities.keys.map(&:to_blob)
-          keycert_files.each do |keycert_file|
-            keycert = KeyFactory.load_public_key(keycert_file)
+
+          keycerts.each do |keycert|
             next if known_identity_blobs.include?(keycert.to_blob)
 
             (_, corresponding_identity) = known_identities.detect { |public_key, _|
@@ -159,7 +169,7 @@ module Net
         # Regardless of the identity's origin or who does the signing, this
         # will always return the signature in an SSH2-specified "signature
         # blob" format.
-        def sign(identity, data)
+        def sign(identity, data, sig_alg = nil)
           info = known_identities[identity] or raise KeyManagerError, "the given identity is unknown to the key manager"
 
           if info[:key].nil? && info[:from] == :file
@@ -171,13 +181,27 @@ module Net
           end
 
           if info[:key]
-            return Net::SSH::Buffer.from(:string, identity.ssh_signature_type,
-              :mstring, info[:key].ssh_do_sign(data.to_s)).to_s
+            if sig_alg.nil?
+              signed = info[:key].ssh_do_sign(data.to_s)
+              sig_alg = identity.ssh_signature_type
+            else
+              signed = info[:key].ssh_do_sign(data.to_s, sig_alg)
+            end
+            return Net::SSH::Buffer.from(:string, sig_alg,
+                                         :mstring, signed).to_s
           end
 
           if info[:from] == :agent
             raise KeyManagerError, "the agent is no longer available" unless agent
-            return agent.sign(info[:identity], data.to_s)
+
+            case sig_alg
+            when "rsa-sha2-512"
+              return agent.sign(info[:identity], data.to_s, Net::SSH::Authentication::Agent::SSH_AGENT_RSA_SHA2_512)
+            when "rsa-sha2-256"
+              return agent.sign(info[:identity], data.to_s, Net::SSH::Authentication::Agent::SSH_AGENT_RSA_SHA2_256)
+            else
+              return agent.sign(info[:identity], data.to_s)
+            end
           end
 
           raise KeyManagerError, "[BUG] can't determine identity origin (#{info.inspect})"
@@ -201,6 +225,7 @@ module Net
         # or if the agent is otherwise not available.
         def agent
           return unless use_agent?
+
           @agent ||= Agent.connect(logger, options[:agent_socket_factory], options[:identity_agent])
         rescue AgentNotAvailable
           @use_agent = false
@@ -213,6 +238,12 @@ module Net
 
         private
 
+        # Load keycerts from files and data.
+        def keycerts
+          keycert_files.map { |keycert_file| KeyFactory.load_public_key(keycert_file) } +
+            keycert_data.map { |data| KeyFactory.load_data_public_key(data) }
+        end
+
         # Prepares identities from user key_files for loading, preserving their order and sources.
         def prepare_identities_from_files
           key_files.map do |file|
@@ -248,37 +279,35 @@ module Net
         # Load prepared identities. Private key decryption errors ignored if ignore_decryption_errors
         def load_identities(identities, ask_passphrase, ignore_decryption_errors)
           identities.map do |identity|
-            begin
-              case identity[:load_from]
-              when :pubkey_file
-                key = KeyFactory.load_public_key(identity[:pubkey_file])
-                { public_key: key, from: :file, file: identity[:privkey_file] }
-              when :privkey_file
-                private_key = KeyFactory.load_private_key(
-                  identity[:privkey_file], options[:passphrase], ask_passphrase, options[:password_prompt]
-                )
-                key = private_key.send(:public_key)
-                { public_key: key, from: :file, file: identity[:privkey_file], key: private_key }
-              when :data
-                private_key = KeyFactory.load_data_private_key(
-                  identity[:data], options[:passphrase], ask_passphrase, "<key in memory>", options[:password_prompt]
-                )
-                key = private_key.send(:public_key)
-                { public_key: key, from: :key_data, data: identity[:data], key: private_key }
-              else
-                identity
-              end
-            rescue OpenSSL::PKey::RSAError, OpenSSL::PKey::DSAError, OpenSSL::PKey::ECError, OpenSSL::PKey::PKeyError, ArgumentError => e
-              if ignore_decryption_errors
-                identity
-              else
-                process_identity_loading_error(identity, e)
-                nil
-              end
-            rescue Exception => e
+            case identity[:load_from]
+            when :pubkey_file
+              key = KeyFactory.load_public_key(identity[:pubkey_file])
+              { public_key: key, from: :file, file: identity[:privkey_file] }
+            when :privkey_file
+              private_key = KeyFactory.load_private_key(
+                identity[:privkey_file], options[:passphrase], ask_passphrase, options[:password_prompt]
+              )
+              key = private_key.send(:public_key)
+              { public_key: key, from: :file, file: identity[:privkey_file], key: private_key }
+            when :data
+              private_key = KeyFactory.load_data_private_key(
+                identity[:data], options[:passphrase], ask_passphrase, "<key in memory>", options[:password_prompt]
+              )
+              key = private_key.send(:public_key)
+              { public_key: key, from: :key_data, data: identity[:data], key: private_key }
+            else
+              identity
+            end
+          rescue OpenSSL::PKey::RSAError, OpenSSL::PKey::DSAError, OpenSSL::PKey::ECError, OpenSSL::PKey::PKeyError, ArgumentError => e
+            if ignore_decryption_errors
+              identity
+            else
               process_identity_loading_error(identity, e)
               nil
             end
+          rescue Exception => e
+            process_identity_loading_error(identity, e)
+            nil
           end.compact
         end
 

data/lib/net/ssh/authentication/methods/abstract.rb

@@ -7,7 +7,6 @@ module Net
   module SSH
     module Authentication
       module Methods
-
         # The base class of all user authentication methods. It provides a few
         # bits of common functionality.
         class Abstract
@@ -21,12 +20,22 @@ module Net
           # this.
           attr_reader :key_manager
 
+          # So far only affects algorithms used for rsa keys, but can be
+          # extended to other keys, e.g after reading of
+          # PubkeyAcceptedAlgorithms option from ssh_config file is implemented.
+          attr_reader :pubkey_algorithms
+
           # Instantiates a new authentication method.
-          def initialize(session, options={})
+          def initialize(session, options = {})
             @session = session
             @key_manager = options[:key_manager]
             @options = options
             @prompt = options[:password_prompt]
+            @pubkey_algorithms = options[:pubkey_algorithms] \
+              || %w[rsa-sha2-256-cert-v01@openssh.com
+                    ssh-rsa-cert-v01@openssh.com
+                    rsa-sha2-256
+                    ssh-rsa]
             self.logger = session.logger
           end
 
@@ -47,7 +56,7 @@ module Net
           # of the packet. The new packet is returned, ready for sending.
           def userauth_request(username, next_service, auth_method, *others)
             buffer = Net::SSH::Buffer.from(:byte, USERAUTH_REQUEST,
-              :string, username, :string, next_service, :string, auth_method)
+                                           :string, username, :string, next_service, :string, auth_method)
 
             others.each do |value|
               case value

data/lib/net/ssh/authentication/methods/hostbased.rb

@@ -4,19 +4,18 @@ module Net
   module SSH
     module Authentication
       module Methods
-
         # Implements the host-based SSH authentication method.
         class Hostbased < Abstract
           include Constants
 
           # Attempts to perform host-based authorization of the user by trying
           # all known keys.
-          def authenticate(next_service, username, password=nil)
+          def authenticate(next_service, username, password = nil)
             return false unless key_manager
 
             key_manager.each_identity do |identity|
               return true if authenticate_with(identity, next_service,
-                username, key_manager)
+                                               username, key_manager)
             end
 
             return false
@@ -64,10 +63,9 @@ module Net
           # Build the "core" hostbased request string.
           def build_request(identity, next_service, username, hostname, client_username)
             userauth_request(username, next_service, "hostbased", identity.ssh_type,
-              Buffer.from(:key, identity).to_s, hostname, client_username).to_s
+                             Buffer.from(:key, identity).to_s, hostname, client_username).to_s
           end
         end
-
       end
     end
   end

data/lib/net/ssh/authentication/methods/keyboard_interactive.rb

@@ -5,14 +5,13 @@ module Net
   module SSH
     module Authentication
       module Methods
-
         # Implements the "keyboard-interactive" SSH authentication method.
         class KeyboardInteractive < Abstract
           USERAUTH_INFO_REQUEST  = 60
           USERAUTH_INFO_RESPONSE = 61
 
           # Attempt to authenticate the given user for the given service.
-          def authenticate(next_service, username, password=nil)
+          def authenticate(next_service, username, password = nil)
             debug { "trying keyboard-interactive" }
             send_message(userauth_request(username, next_service, "keyboard-interactive", "", ""))
 
@@ -32,6 +31,7 @@ module Net
                   message[:authentications].split(/,/).include? 'keyboard-interactive'
 
                 return false unless interactive?
+
                 password = nil
                 debug { "retrying keyboard-interactive" }
                 send_message(userauth_request(username, next_service, "keyboard-interactive", "", ""))

data/lib/net/ssh/authentication/methods/none.rb

@@ -5,32 +5,29 @@ module Net
   module SSH
     module Authentication
       module Methods
-
         # Implements the "none" SSH authentication method.
         class None < Abstract
           # Attempt to authenticate as "none"
-          def authenticate(next_service, user="", password="")
-            send_message(userauth_request(user, next_service, "none")) 
+          def authenticate(next_service, user = "", password = "")
+            send_message(userauth_request(user, next_service, "none"))
             message = session.next_message
-            
+
             case message.type
             when USERAUTH_SUCCESS
               debug { "none succeeded" }
               return true
             when USERAUTH_FAILURE
               debug { "none failed" }
-              
+
               raise Net::SSH::Authentication::DisallowedMethod unless
                 message[:authentications].split(/,/).include? 'none'
-              
+
               return false
             else
               raise Net::SSH::Exception, "unexpected reply to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
-            end   
-            
+            end
           end
         end
-
       end
     end
   end

data/lib/net/ssh/authentication/methods/password.rb

@@ -6,12 +6,11 @@ module Net
   module SSH
     module Authentication
       module Methods
-
         # Implements the "password" SSH authentication method.
         class Password < Abstract
           # Attempt to authenticate the given user for the given service. If
           # the password parameter is nil, this will ask for password
-          def authenticate(next_service, username, password=nil)
+          def authenticate(next_service, username, password = nil)
             clear_prompter!
             retries = 0
             max_retries = get_max_retries
@@ -29,6 +28,7 @@ module Net
 
                 raise Net::SSH::Authentication::DisallowedMethod unless
                   message[:authentications].split(/,/).include? 'password'
+
                 password = nil
               end
             end until (message.type != USERAUTH_FAILURE || retries >= max_retries)
@@ -74,7 +74,6 @@ module Net
             options[:non_interactive] ? 0 : result
           end
         end
-
       end
     end
   end

data/lib/net/ssh/authentication/methods/publickey.rb

@@ -6,14 +6,13 @@ module Net
   module SSH
     module Authentication
       module Methods
-
         # Implements the "publickey" SSH authentication method.
         class Publickey < Abstract
           # Attempts to perform public-key authentication for the given
           # username, trying each identity known to the key manager. If any of
           # them succeed, returns +true+, otherwise returns +false+. This
           # requires the presence of a key manager.
-          def authenticate(next_service, username, password=nil)
+          def authenticate(next_service, username, password = nil)
             return false unless key_manager
 
             key_manager.each_identity do |identity|
@@ -27,41 +26,40 @@ module Net
 
           # Builds a packet that contains the request formatted for sending
           # a public-key request to the server.
-          def build_request(pub_key, username, next_service, has_sig)
+          def build_request(pub_key, username, next_service, alg, has_sig)
             blob = Net::SSH::Buffer.new
             blob.write_key pub_key
 
             userauth_request(username, next_service, "publickey", has_sig,
-              pub_key.ssh_type, blob.to_s)
+                             alg, blob.to_s)
           end
 
           # Builds and sends a request formatted for a public-key
           # authentication request.
-          def send_request(pub_key, username, next_service, signature=nil)
-            msg = build_request(pub_key, username, next_service, !signature.nil?)
+          def send_request(pub_key, username, next_service, alg, signature = nil)
+            msg = build_request(pub_key, username, next_service, alg,
+                                !signature.nil?)
             msg.write_string(signature) if signature
             send_message(msg)
           end
 
-          # Attempts to perform public-key authentication for the given
-          # username, with the given identity (public key). Returns +true+ if
-          # successful, or +false+ otherwise.
-          def authenticate_with(identity, next_service, username)
-            debug { "trying publickey (#{identity.fingerprint})" }
-            send_request(identity, username, next_service)
+          def authenticate_with_alg(identity, next_service, username, alg, sig_alg = nil)
+            debug { "trying publickey (#{identity.fingerprint}) alg #{alg}" }
+            send_request(identity, username, next_service, alg)
 
             message = session.next_message
 
             case message.type
             when USERAUTH_PK_OK
-              buffer = build_request(identity, username, next_service, true)
+              buffer = build_request(identity, username, next_service, alg,
+                                     true)
               sig_data = Net::SSH::Buffer.new
               sig_data.write_string(session_id)
               sig_data.append(buffer.to_s)
 
-              sig_blob = key_manager.sign(identity, sig_data)
+              sig_blob = key_manager.sign(identity, sig_data, sig_alg)
 
-              send_request(identity, username, next_service, sig_blob.to_s)
+              send_request(identity, username, next_service, alg, sig_blob.to_s)
               message = session.next_message
 
               case message.type
@@ -77,7 +75,7 @@ module Net
                 return false
               else
                 raise Net::SSH::Exception,
-                  "unexpected server response to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
+                      "unexpected server response to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
               end
 
             when USERAUTH_FAILURE
@@ -89,8 +87,50 @@ module Net
               raise Net::SSH::Exception, "unexpected reply to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
             end
           end
-        end
 
+          # Attempts to perform public-key authentication for the given
+          # username, with the given identity (public key). Returns +true+ if
+          # successful, or +false+ otherwise.
+          def authenticate_with(identity, next_service, username)
+            type = identity.ssh_type
+            if type == "ssh-rsa"
+              pubkey_algorithms.each do |pk_alg|
+                case pk_alg
+                when "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"
+                  if authenticate_with_alg(identity, next_service, username, pk_alg, pk_alg)
+                    # success
+                    return true
+                  end
+                end
+              end
+            elsif type == "ssh-rsa-cert-v01@openssh.com"
+              pubkey_algorithms.each do |pk_alg|
+                case pk_alg
+                when "rsa-sha2-512-cert-v01@openssh.com"
+                  if authenticate_with_alg(identity, next_service, username, pk_alg, "rsa-sha2-512")
+                    # success
+                    return true
+                  end
+                when "rsa-sha2-256-cert-v01@openssh.com"
+                  if authenticate_with_alg(identity, next_service, username, pk_alg, "rsa-sha2-256")
+                    # success
+                    return true
+                  end
+                when "ssh-rsa-cert-v01@openssh.com"
+                  if authenticate_with_alg(identity, next_service, username, pk_alg)
+                    # success
+                    return true
+                  end
+                end
+              end
+            elsif authenticate_with_alg(identity, next_service, username, type)
+              # success
+              return true
+            end
+            # failure
+            return false
+          end
+        end
       end
     end
   end