net-ssh 6.3.0.beta1 → 7.0.0.beta1

data/Dockerfile

@@ -0,0 +1,27 @@
+ARG RUBY_VERSION=3.1
+FROM ruby:${RUBY_VERSION}
+
+RUN apt update && apt install -y openssh-server sudo netcat \
+  && useradd --create-home --shell '/bin/bash' --comment 'NetSSH' 'net_ssh_1' \
+  && useradd --create-home --shell '/bin/bash' --comment 'NetSSH' 'net_ssh_2' \
+  && echo net_ssh_1:foopwd | chpasswd \
+  && echo net_ssh_2:foo2pwd | chpasswd \
+  && mkdir -p /home/net_ssh_1/.ssh \
+  && mkdir -p /home/net_ssh_2/.ssh \
+  && echo "net_ssh_1 ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers \
+  && echo "net_ssh_2 ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers \
+  && ssh-keygen -f /etc/ssh/users_ca -N ''
+
+ENV INSTALL_PATH="/netssh"
+
+WORKDIR $INSTALL_PATH
+
+COPY Gemfile net-ssh.gemspec $INSTALL_PATH/
+
+COPY lib/net/ssh/version.rb $INSTALL_PATH/lib/net/ssh/version.rb
+
+RUN gem install bundler && bundle install
+
+COPY . $INSTALL_PATH/
+
+CMD service ssh start && rake test && NET_SSH_NO_ED25519=1 rake test

data/Dockerfile.openssl3

@@ -0,0 +1,17 @@
+FROM ubuntu:22.04
+
+ENV INSTALL_PATH="/netssh"
+
+RUN apt update && apt install -y openssl ruby ruby-dev git build-essential
+
+WORKDIR $INSTALL_PATH
+
+COPY Gemfile net-ssh.gemspec $INSTALL_PATH/
+
+COPY lib/net/ssh/version.rb $INSTALL_PATH/lib/net/ssh/version.rb
+
+RUN ls -l && gem install bundler && bundle install
+
+COPY . $INSTALL_PATH/
+
+CMD openssl version && ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION' && rake test

data/README.md

@@ -211,13 +211,19 @@ Run the test suite from the net-ssh directory with the following command:
 bundle exec rake test
 ```
 
+NOTE : you can run test on all ruby versions with docker :
+
+```
+docker-compose up --build
+```
+
 Run a single test file like this:
 
 ```sh
 ruby -Ilib -Itest test/transport/test_server_version.rb
 ```
 
-To run integration tests see test/integration/README.txt
+To run integration tests see [here](test/integration/README.md)
 
 ### BUILDING GEM
 

data/Rakefile

@@ -95,6 +95,10 @@ Rake::TestTask.new do |t|
   t.test_files = test_files
 end
 
+# We need to enable the OpenSSL 3.0 legacy providers for our test suite
+require 'openssl'
+ENV['OPENSSL_CONF'] = 'test/openssl3.conf' if OpenSSL::OPENSSL_LIBRARY_VERSION.start_with? "OpenSSL 3"
+
 desc "Run tests of Net::SSH:Test"
 Rake::TestTask.new do |t|
   t.name = "test_test"

data/docker-compose.yml

@@ -0,0 +1,23 @@
+version: '3'
+
+services:
+  ruby-3.1:
+    build:
+      context: .
+      args: 
+        RUBY_VERSION: 3.1
+  ruby-3.0:
+    build:
+      context: .
+      args: 
+        RUBY_VERSION: 3.0
+  ruby-2.7:
+    build:
+      context: .
+      args: 
+        RUBY_VERSION: 2.7
+  ruby-2.6:
+    build:
+      context: .
+      args: 
+        RUBY_VERSION: 2.6

data/lib/net/ssh/authentication/agent.rb

@@ -65,7 +65,7 @@ module Net
 
         # Instantiates a new agent object, connects to a running SSH agent,
         # negotiates the agent protocol version, and returns the agent object.
-        def self.connect(logger=nil, agent_socket_factory = nil, identity_agent = nil)
+        def self.connect(logger = nil, agent_socket_factory = nil, identity_agent = nil)
           agent = new(logger)
           agent.connect!(agent_socket_factory, identity_agent)
           agent.negotiate!
@@ -74,7 +74,7 @@ module Net
 
         # Creates a new Agent object, using the optional logger instance to
         # report status.
-        def initialize(logger=nil)
+        def initialize(logger = nil)
           self.logger = logger
         end
 
@@ -88,9 +88,9 @@ module Net
             if agent_socket_factory
               agent_socket_factory.call
             elsif identity_agent
-              unix_socket_class.open(identity_agent)
+              unix_socket_class.open(File.expand_path(identity_agent))
             elsif ENV['SSH_AUTH_SOCK'] && unix_socket_class
-              unix_socket_class.open(ENV['SSH_AUTH_SOCK'])
+              unix_socket_class.open(File.expand_path(ENV['SSH_AUTH_SOCK']))
             elsif Gem.win_platform? && RUBY_ENGINE != "jruby"
               Pageant::Socket.open
             else
@@ -177,7 +177,7 @@ module Net
 
           req_type = constraints.empty? ? SSH2_AGENT_ADD_IDENTITY : SSH2_AGENT_ADD_ID_CONSTRAINED
           type, = send_and_wait(req_type, :string, priv_key.ssh_type, :raw, blob_for_add(priv_key),
-                      :string, comment, :raw, constraints)
+                                :string, comment, :raw, constraints)
           raise AgentError, "could not add identity to agent" if type != SSH_AGENT_SUCCESS
         end
 
@@ -251,31 +251,31 @@ module Net
           case priv_key.ssh_type
           when /^ssh-dss$/
             Net::SSH::Buffer.from(:bignum, priv_key.p, :bignum, priv_key.q, :bignum, priv_key.g,
-                        :bignum, priv_key.pub_key, :bignum, priv_key.priv_key).to_s
+                                  :bignum, priv_key.pub_key, :bignum, priv_key.priv_key).to_s
           when /^ssh-dss-cert-v01@openssh\.com$/
             Net::SSH::Buffer.from(:string, priv_key.to_blob, :bignum, priv_key.key.priv_key).to_s
           when /^ecdsa\-sha2\-(\w*)$/
             curve_name = OpenSSL::PKey::EC::CurveNameAliasInv[priv_key.group.curve_name]
             Net::SSH::Buffer.from(:string, curve_name, :mstring, priv_key.public_key.to_bn.to_s(2),
-                        :bignum, priv_key.private_key).to_s
+                                  :bignum, priv_key.private_key).to_s
           when /^ecdsa\-sha2\-(\w*)-cert-v01@openssh\.com$/
             Net::SSH::Buffer.from(:string, priv_key.to_blob, :bignum, priv_key.key.private_key).to_s
           when /^ssh-ed25519$/
             Net::SSH::Buffer.from(:string, priv_key.public_key.verify_key.to_bytes,
-                        :string, priv_key.sign_key.keypair).to_s
+                                  :string, priv_key.sign_key.keypair).to_s
           when /^ssh-ed25519-cert-v01@openssh\.com$/
             # Unlike the other certificate types, the public key is included after the certifiate.
             Net::SSH::Buffer.from(:string, priv_key.to_blob,
-                        :string, priv_key.key.public_key.verify_key.to_bytes,
-                        :string, priv_key.key.sign_key.keypair).to_s
+                                  :string, priv_key.key.public_key.verify_key.to_bytes,
+                                  :string, priv_key.key.sign_key.keypair).to_s
           when /^ssh-rsa$/
             # `n` and `e` are reversed compared to the ordering in `OpenSSL::PKey::RSA#to_blob`.
             Net::SSH::Buffer.from(:bignum, priv_key.n, :bignum, priv_key.e, :bignum, priv_key.d,
-                        :bignum, priv_key.iqmp, :bignum, priv_key.p, :bignum, priv_key.q).to_s
+                                  :bignum, priv_key.iqmp, :bignum, priv_key.p, :bignum, priv_key.q).to_s
           when /^ssh-rsa-cert-v01@openssh\.com$/
             Net::SSH::Buffer.from(:string, priv_key.to_blob, :bignum, priv_key.key.d,
-                        :bignum, priv_key.key.iqmp, :bignum, priv_key.key.p,
-                        :bignum, priv_key.key.q).to_s
+                                  :bignum, priv_key.key.iqmp, :bignum, priv_key.key.p,
+                                  :bignum, priv_key.key.q).to_s
           end
         end
       end

data/lib/net/ssh/authentication/certificate.rb

@@ -66,8 +66,8 @@ module Net
           ).to_s
         end
 
-        def ssh_do_sign(data)
-          key.ssh_do_sign(data)
+        def ssh_do_sign(data, sig_alg = nil)
+          key.ssh_do_sign(data, sig_alg)
         end
 
         def ssh_do_verify(sig, data, options = {})
@@ -83,7 +83,7 @@ module Net
         end
 
         # Signs the certificate with key.
-        def sign!(key, sign_nonce=nil)
+        def sign!(key, sign_nonce = nil)
           # ssh-keygen uses 32 bytes of nonce.
           self.nonce = sign_nonce || SecureRandom.random_bytes(32)
           self.signature_key = key
@@ -94,7 +94,7 @@ module Net
           self
         end
 
-        def sign(key, sign_nonce=nil)
+        def sign(key, sign_nonce = nil)
           cert = clone
           cert.sign!(key, sign_nonce)
         end

data/lib/net/ssh/authentication/ed25519.rb

@@ -14,7 +14,7 @@ module Net
     module Authentication
       module ED25519
         class SigningKeyFromFile < SimpleDelegator
-          def initialize(pk,sk)
+          def initialize(pk, sk)
             key = ::Ed25519::SigningKey.from_keypair(sk)
             raise ArgumentError, "pk does not match sk" unless pk == key.verify_key.to_bytes
 
@@ -116,7 +116,7 @@ module Net
           end
 
           def to_blob
-            Net::SSH::Buffer.from(:mstring,"ssh-ed25519".dup,:string,@verify_key.to_bytes).to_s
+            Net::SSH::Buffer.from(:mstring, "ssh-ed25519".dup, :string, @verify_key.to_bytes).to_s
           end
 
           def ssh_type
@@ -128,7 +128,7 @@ module Net
           end
 
           def ssh_do_verify(sig, data, options = {})
-            @verify_key.verify(sig,data)
+            @verify_key.verify(sig, data)
           end
 
           def to_pem
@@ -152,7 +152,7 @@ module Net
             _comment = buffer.read_string
 
             @pk = pk
-            @sign_key = SigningKeyFromFile.new(pk,sk)
+            @sign_key = SigningKeyFromFile.new(pk, sk)
           end
 
           def to_blob
@@ -171,7 +171,7 @@ module Net
             PubKey.new(@pk)
           end
 
-          def ssh_do_sign(data)
+          def ssh_do_sign(data, sig_alg = nil)
             @sign_key.sign(data)
           end
 

data/lib/net/ssh/authentication/key_manager.rb

@@ -41,7 +41,7 @@ module Net
         # Create a new KeyManager. By default, the manager will
         # use the ssh-agent if it is running and the `:use_agent` option
         # is not false.
-        def initialize(logger, options={})
+        def initialize(logger, options = {})
           self.logger = logger
           @key_files = []
           @key_data = []
@@ -158,7 +158,7 @@ module Net
         # Regardless of the identity's origin or who does the signing, this
         # will always return the signature in an SSH2-specified "signature
         # blob" format.
-        def sign(identity, data)
+        def sign(identity, data, sig_alg = nil)
           info = known_identities[identity] or raise KeyManagerError, "the given identity is unknown to the key manager"
 
           if info[:key].nil? && info[:from] == :file
@@ -170,14 +170,27 @@ module Net
           end
 
           if info[:key]
-            return Net::SSH::Buffer.from(:string, identity.ssh_signature_type,
-              :mstring, info[:key].ssh_do_sign(data.to_s)).to_s
+            if sig_alg.nil?
+              signed = info[:key].ssh_do_sign(data.to_s)
+              sig_alg = identity.ssh_signature_type
+            else
+              signed = info[:key].ssh_do_sign(data.to_s, sig_alg)
+            end
+            return Net::SSH::Buffer.from(:string, sig_alg,
+                                         :mstring, signed).to_s
           end
 
           if info[:from] == :agent
             raise KeyManagerError, "the agent is no longer available" unless agent
 
-            return agent.sign(info[:identity], data.to_s)
+            case sig_alg
+            when "rsa-sha2-512"
+              return agent.sign(info[:identity], data.to_s, Net::SSH::Authentication::Agent::SSH_AGENT_RSA_SHA2_512)
+            when "rsa-sha2-256"
+              return agent.sign(info[:identity], data.to_s, Net::SSH::Authentication::Agent::SSH_AGENT_RSA_SHA2_256)
+            else
+              return agent.sign(info[:identity], data.to_s)
+            end
           end
 
           raise KeyManagerError, "[BUG] can't determine identity origin (#{info.inspect})"

data/lib/net/ssh/authentication/methods/abstract.rb

@@ -20,12 +20,22 @@ module Net
           # this.
           attr_reader :key_manager
 
+          # So far only affects algorithms used for rsa keys, but can be
+          # extended to other keys, e.g after reading of
+          # PubkeyAcceptedAlgorithms option from ssh_config file is implemented.
+          attr_reader :pubkey_algorithms
+
           # Instantiates a new authentication method.
-          def initialize(session, options={})
+          def initialize(session, options = {})
             @session = session
             @key_manager = options[:key_manager]
             @options = options
             @prompt = options[:password_prompt]
+            @pubkey_algorithms = options[:pubkey_algorithms] \
+              || %w[rsa-sha2-256-cert-v01@openssh.com
+                    ssh-rsa-cert-v01@openssh.com
+                    rsa-sha2-256
+                    ssh-rsa]
             self.logger = session.logger
           end
 
@@ -46,7 +56,7 @@ module Net
           # of the packet. The new packet is returned, ready for sending.
           def userauth_request(username, next_service, auth_method, *others)
             buffer = Net::SSH::Buffer.from(:byte, USERAUTH_REQUEST,
-              :string, username, :string, next_service, :string, auth_method)
+                                           :string, username, :string, next_service, :string, auth_method)
 
             others.each do |value|
               case value

data/lib/net/ssh/authentication/methods/hostbased.rb

@@ -10,12 +10,12 @@ module Net
 
           # Attempts to perform host-based authorization of the user by trying
           # all known keys.
-          def authenticate(next_service, username, password=nil)
+          def authenticate(next_service, username, password = nil)
             return false unless key_manager
 
             key_manager.each_identity do |identity|
               return true if authenticate_with(identity, next_service,
-                username, key_manager)
+                                               username, key_manager)
             end
 
             return false
@@ -63,7 +63,7 @@ module Net
           # Build the "core" hostbased request string.
           def build_request(identity, next_service, username, hostname, client_username)
             userauth_request(username, next_service, "hostbased", identity.ssh_type,
-              Buffer.from(:key, identity).to_s, hostname, client_username).to_s
+                             Buffer.from(:key, identity).to_s, hostname, client_username).to_s
           end
         end
       end

data/lib/net/ssh/authentication/methods/keyboard_interactive.rb

@@ -11,7 +11,7 @@ module Net
           USERAUTH_INFO_RESPONSE = 61
 
           # Attempt to authenticate the given user for the given service.
-          def authenticate(next_service, username, password=nil)
+          def authenticate(next_service, username, password = nil)
             debug { "trying keyboard-interactive" }
             send_message(userauth_request(username, next_service, "keyboard-interactive", "", ""))
 

data/lib/net/ssh/authentication/methods/none.rb

@@ -8,7 +8,7 @@ module Net
         # Implements the "none" SSH authentication method.
         class None < Abstract
           # Attempt to authenticate as "none"
-          def authenticate(next_service, user="", password="")
+          def authenticate(next_service, user = "", password = "")
             send_message(userauth_request(user, next_service, "none"))
             message = session.next_message
 

data/lib/net/ssh/authentication/methods/password.rb

@@ -10,7 +10,7 @@ module Net
         class Password < Abstract
           # Attempt to authenticate the given user for the given service. If
           # the password parameter is nil, this will ask for password
-          def authenticate(next_service, username, password=nil)
+          def authenticate(next_service, username, password = nil)
             clear_prompter!
             retries = 0
             max_retries = get_max_retries

data/lib/net/ssh/authentication/methods/publickey.rb

@@ -12,7 +12,7 @@ module Net
           # username, trying each identity known to the key manager. If any of
           # them succeed, returns +true+, otherwise returns +false+. This
           # requires the presence of a key manager.
-          def authenticate(next_service, username, password=nil)
+          def authenticate(next_service, username, password = nil)
             return false unless key_manager
 
             key_manager.each_identity do |identity|
@@ -26,41 +26,40 @@ module Net
 
           # Builds a packet that contains the request formatted for sending
           # a public-key request to the server.
-          def build_request(pub_key, username, next_service, has_sig)
+          def build_request(pub_key, username, next_service, alg, has_sig)
             blob = Net::SSH::Buffer.new
             blob.write_key pub_key
 
             userauth_request(username, next_service, "publickey", has_sig,
-              pub_key.ssh_type, blob.to_s)
+                             alg, blob.to_s)
           end
 
           # Builds and sends a request formatted for a public-key
           # authentication request.
-          def send_request(pub_key, username, next_service, signature=nil)
-            msg = build_request(pub_key, username, next_service, !signature.nil?)
+          def send_request(pub_key, username, next_service, alg, signature = nil)
+            msg = build_request(pub_key, username, next_service, alg,
+                                !signature.nil?)
             msg.write_string(signature) if signature
             send_message(msg)
           end
 
-          # Attempts to perform public-key authentication for the given
-          # username, with the given identity (public key). Returns +true+ if
-          # successful, or +false+ otherwise.
-          def authenticate_with(identity, next_service, username)
+          def authenticate_with_alg(identity, next_service, username, alg, sig_alg = nil)
             debug { "trying publickey (#{identity.fingerprint})" }
-            send_request(identity, username, next_service)
+            send_request(identity, username, next_service, alg)
 
             message = session.next_message
 
             case message.type
             when USERAUTH_PK_OK
-              buffer = build_request(identity, username, next_service, true)
+              buffer = build_request(identity, username, next_service, alg,
+                                     true)
               sig_data = Net::SSH::Buffer.new
               sig_data.write_string(session_id)
               sig_data.append(buffer.to_s)
 
-              sig_blob = key_manager.sign(identity, sig_data)
+              sig_blob = key_manager.sign(identity, sig_data, sig_alg)
 
-              send_request(identity, username, next_service, sig_blob.to_s)
+              send_request(identity, username, next_service, alg, sig_blob.to_s)
               message = session.next_message
 
               case message.type
@@ -76,7 +75,7 @@ module Net
                 return false
               else
                 raise Net::SSH::Exception,
-                  "unexpected server response to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
+                      "unexpected server response to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
               end
 
             when USERAUTH_FAILURE
@@ -88,6 +87,49 @@ module Net
               raise Net::SSH::Exception, "unexpected reply to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
             end
           end
+
+          # Attempts to perform public-key authentication for the given
+          # username, with the given identity (public key). Returns +true+ if
+          # successful, or +false+ otherwise.
+          def authenticate_with(identity, next_service, username)
+            type = identity.ssh_type
+            if type == "ssh-rsa"
+              pubkey_algorithms.each do |pk_alg|
+                case pk_alg
+                when "rsa-sha2-512", "rsa-sha2-256", "ssh-rsa"
+                  if authenticate_with_alg(identity, next_service, username, pk_alg, pk_alg)
+                    # success
+                    return true
+                  end
+                end
+              end
+            elsif type == "ssh-rsa-cert-v01@openssh.com"
+              pubkey_algorithms.each do |pk_alg|
+                case pk_alg
+                when "rsa-sha2-512-cert-v01@openssh.com"
+                  if authenticate_with_alg(identity, next_service, username, pk_alg, "rsa-sha2-512")
+                    # success
+                    return true
+                  end
+                when "rsa-sha2-256-cert-v01@openssh.com"
+                  if authenticate_with_alg(identity, next_service, username, pk_alg, "rsa-sha2-256")
+                    # success
+                    return true
+                  end
+                when "ssh-rsa-cert-v01@openssh.com"
+                  if authenticate_with_alg(identity, next_service, username, pk_alg)
+                    # success
+                    return true
+                  end
+                end
+              end
+            elsif authenticate_with_alg(identity, next_service, username, type)
+              # success
+              return true
+            end
+            # failure
+            return false
+          end
         end
       end
     end

data/lib/net/ssh/authentication/pageant.rb

@@ -50,13 +50,13 @@ module Net
             SIZEOF_DWORD = DL.sizeof('L')
           elsif RUBY_VERSION < "2.1"
             extend DL::Importer
-            dlload 'user32.dll','kernel32.dll', 'advapi32.dll'
+            dlload 'user32.dll', 'kernel32.dll', 'advapi32.dll'
             include DL::Win32Types
 
             SIZEOF_DWORD = DL::SIZEOF_LONG
           else
             extend Fiddle::Importer
-            dlload 'user32.dll','kernel32.dll', 'advapi32.dll'
+            dlload 'user32.dll', 'kernel32.dll', 'advapi32.dll'
             include Fiddle::Win32Types
             SIZEOF_DWORD = Fiddle::SIZEOF_LONG
           end
@@ -240,7 +240,7 @@ module Net
             end
 
             def self.set_ptr_data(ptr, data)
-              DL::CPtr.new(ptr)[0,data.size] = data
+              DL::CPtr.new(ptr)[0, data.size] = data
             end
           end
 
@@ -281,7 +281,7 @@ module Net
 
             def self.ptr_to_dword(ptr)
               first = ptr.ptr.to_i
-              second = ptr_to_s(ptr,Win::SIZEOF_DWORD).unpack('L')[0]
+              second = ptr_to_s(ptr, Win::SIZEOF_DWORD).unpack('L')[0]
               raise "Error" unless first == second
 
               first
@@ -296,7 +296,7 @@ module Net
             end
 
             def self.get_sid(user)
-              ptr_to_s(user.to_ptr.ptr,Win::SIZEOF_DWORD).unpack('L')[0]
+              ptr_to_s(user.to_ptr.ptr, Win::SIZEOF_DWORD).unpack('L')[0]
             end
 
             def self.get_sid_ptr(user)
@@ -332,7 +332,7 @@ module Net
             token_handle = open_process_token(Win.GetCurrentProcess,
                                               Win::TOKEN_QUERY)
             token_user = get_token_information(token_handle,
-                            Win::TOKEN_USER_INFORMATION_CLASS)
+                                               Win::TOKEN_USER_INFORMATION_CLASS)
             return token_user
           end
 
@@ -404,7 +404,7 @@ module Net
 
             if @win.to_i == 0
               raise Net::SSH::Exception,
-                "pageant process not running"
+                    "pageant process not running"
             end
 
             @input_buffer = Net::SSH::Buffer.new
@@ -458,7 +458,7 @@ module Net
 
             if filemap == 0 || filemap == Win::INVALID_HANDLE_VALUE
               raise Net::SSH::Exception,
-                "Creation of file mapping failed with error: #{Win.GetLastError}"
+                    "Creation of file mapping failed with error: #{Win.GetLastError}"
             end
 
             ptr = Win.MapViewOfFile(filemap, Win::FILE_MAP_WRITE, 0, 0,

data/lib/net/ssh/authentication/pub_key_fingerprint.rb

@@ -22,12 +22,12 @@ module Net
         # returned by OpenSSH's <tt>`ssh-add -l -E SHA256`</tt>, i.e.,
         # trailing base64 padding '=' characters are stripped and the
         # literal string +SHA256:+ is prepended.
-        def fingerprint(algorithm='MD5')
+        def fingerprint(algorithm = 'MD5')
           @fingerprint ||= {}
           @fingerprint[algorithm] ||= PubKeyFingerprint.fingerprint(to_blob, algorithm)
         end
 
-        def self.fingerprint(blob, algorithm='MD5')
+        def self.fingerprint(blob, algorithm = 'MD5')
           case algorithm.to_s.upcase
           when 'MD5'
             OpenSSL::Digest.hexdigest(algorithm, blob).scan(/../).join(":")

data/lib/net/ssh/authentication/session.rb

@@ -41,7 +41,7 @@ module Net
 
         # Instantiates a new Authentication::Session object over the given
         # transport layer abstraction.
-        def initialize(transport, options={})
+        def initialize(transport, options = {})
           self.logger = transport.logger
           @transport = transport
 
@@ -54,7 +54,7 @@ module Net
         # Attempts to authenticate the given user, in preparation for the next
         # service request. Returns true if an authentication method succeeds in
         # authenticating the user, and false otherwise.
-        def authenticate(next_service, username, password=nil)
+        def authenticate(next_service, username, password = nil)
           debug { "beginning authentication of `#{username}'" }
 
           transport.send_message(transport.service_request("ssh-userauth"))
@@ -76,7 +76,9 @@ module Net
             debug { "trying #{name}" }
             begin
               auth_class = Methods.const_get(name.split(/\W+/).map { |p| p.capitalize }.join)
-              method = auth_class.new(self, key_manager: key_manager, password_prompt: options[:password_prompt])
+              method = auth_class.new(self,
+                                      key_manager: key_manager, password_prompt: options[:password_prompt],
+                                      pubkey_algorithms: options[:pubkey_algorithms] || nil)
             rescue NameError
               debug {"Mechanism #{name} was requested, but isn't a known type.  Ignoring it."}
               next