net-ssh 7.0.1 → 7.2.0.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: '001243685ec6a8113bb04e55c5f75b50fb0386636ca40da012e6b0206844e793'
-  data.tar.gz: 6e4da1daaf0d6fc152df30865ec8ace047440b33323fa4a1abf947336876dd17
+  metadata.gz: 3dc1c0937f59690bcefb72834ffc1012936e2555cd417b60214aaf07e7b4b829
+  data.tar.gz: '0857d1fe1296782d7c372836d20cc6217a0502c197ea76f1a0bfc6b9f1dc0cf1'
 SHA512:
-  metadata.gz: 448b9447c97a464fa3c6431a15748dbb25bf79b3ac9ade31c0272a5558eec3180276ed0614c531b3f38910ef6af609e8f696fbb65fffc2288085b9268e7d1086
-  data.tar.gz: 8a425c4dc43f5657ae1391cce0aab1aa828fd3c03b6f3659a1dedb78e62ed08bd74696a86d8bf301bf2a093db9fc355f2f74d6e1e05117fa80e59bb136a55f58
+  metadata.gz: efe8268f0e6d1a4b0dbf60e2cd89b348504a843ed9092e8a378d844b93b000b1751f4eee226f2867d939c571b00e5332d201dd401b3d4241822f3236b6e2f5b7
+  data.tar.gz: 503688bf683aef5315c6748869760fc28e29cd4573782069b007216eed1d1d231ddab1d9dbf843daa60204fb365be7bb115f7490f84d1ce67b91bda987595b41

data/.github/FUNDING.yml

@@ -0,0 +1 @@
+github: [mfazekas]

data/.github/workflows/ci-with-docker.yml

@@ -12,7 +12,7 @@ jobs:
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
 
     - name: Build docker images
       run: docker-compose build
@@ -35,7 +35,7 @@ jobs:
 
     steps:
     - name: Checkout code
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
 
     - name: Build docker images
       run: docker build -t netssh_openssl3 -f Dockerfile.openssl3 .

data/.github/workflows/ci.yml

@@ -4,12 +4,12 @@ on:
   push: { branches: master }
 jobs:
   test:
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-22.04
     strategy:
       matrix:
-        ruby-version: [2.6.6, 2.7.2, 3.0.1, 3.1.1]
+        ruby-version: [2.6.10, 2.7.7, 3.0.5, 3.1.3, 3.2.1]
     steps:
-      - uses: actions/checkout@v1
+      - uses: actions/checkout@v3
 
       - name: Set up Ruby ${{ matrix.ruby-version }}
         uses: ruby/setup-ruby@v1
@@ -77,6 +77,12 @@ jobs:
         env:
           NET_SSH_RUN_INTEGRATION_TESTS: 1
           CI: 1
+      - name: Run tests (without rbnacl)
+        run: bundle exec rake test
+        env:
+          BUNDLE_GEMFILE: ./Gemfile.norbnacl
+          NET_SSH_RUN_INTEGRATION_TESTS: 1
+          CI: 1
       - name: Run Tests (without ed25519)
         run: bundle exec rake test
         env:

data/.github/workflows/rubocop.yml

@@ -6,8 +6,11 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
-    - name: Rubocop Linter Action
-      uses: andrewmcodes/rubocop-linter-action@v3.0.0.rc2
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - uses: actions/checkout@v3
+      - name: Set up Ruby 3.1
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: 3.1
+          bundler-cache: true
+      - name: Run RuboCop
+        run: bundle exec rubocop

data/.rubocop_todo.yml

@@ -251,7 +251,7 @@ Metrics/BlockNesting:
 # Offense count: 33
 # Configuration parameters: CountComments, CountAsOne.
 Metrics/ClassLength:
-  Max: 488
+  Max: 350
 
 # Offense count: 38
 # Configuration parameters: IgnoredMethods.

data/CHANGES.txt

@@ -1,3 +1,36 @@
+=== 7.2.0
+
+=== 7.2.0 rc1
+
+  * Allow IdentityAgent as option to Net::SSH.start [#912]
+
+=== 7.2.0 beta1
+
+  * Support `chacha20-poly1305@opnessh.com` cypher if `RbNaCl` gem is installed [#908]
+
+=== 7.1.0
+
+  * Accept pubkey_algorithms option when starting a new connection [#891]
+
+=== 7.1.0 beta1
+
+  * Don't use the deprecated set_XXX methods on RSA keys. [#875]
+  * Raise error when BCryptPbkdf fails [#876]
+
+=== 7.0.1
+
+  * Drop leftover debug statement [#866]
+
+=== 7.0.0
+
+  * BREAKING: Drop support for Ruby 2.5
+  * Fix decoding of ecdsa-sha2-nistp256 private keys [#657, #854]
+  * Fix missing require [#855]
+  * Support `~` in the path to the SSH agent's unix socket [#850]
+  * Add support for RSA client authentication with SHA-2 [a45f54]
+  * openssl: DSA: don't hardcode expected signature size, see ruby/openssl#483 [23a15c]
+  * Internal housekeeping (rubocop, codecov, remove travis, adding/improving tests)
+
 === 6.3.0 beta1
 
   * Support cert based host key auth, fix asterisk in known_hosts [#833]

data/DEVELOPMENT.md

@@ -0,0 +1,23 @@
+### Development notes
+
+## Building/running ssh server in debug mode
+
+clone the openssh server from `https://github.com/openssh/openssh-portable`
+
+```sh
+brew install openssl
+/usr/local/Cellar/openssl@3/3.1.0/bin/openssl
+
+autoreconf
+./configure --with-ssl-dir=/usr/local/Cellar/openssl@3/3.1.0/ --with-audit=debug --enable-debug CPPFLAGS="-DDEBUG -DPACKET_DEBUG" CFLAGS="-g -O0"
+make
+```
+
+To run server in debug mode:
+```sh
+echo '#' > /tmp/sshd_config
+ssh-keygen -t rsa -f /tmp/ssh_host_rsa_key
+# /Users/boga/Work/OSS/NetSSH/openssh-portable/sshd -p 2222 -D -d -d -d -e -f /tmp/sshd_config
+/Users/boga/Work/OSS/NetSSH/openssh-portable/sshd -p 2222 -D -d -d -d -e -f /tmp/sshd_config -h /tmp/ssh_host_rsa_key
+
+```

data/Dockerfile

@@ -1,7 +1,7 @@
 ARG RUBY_VERSION=3.1
 FROM ruby:${RUBY_VERSION}
 
-RUN apt update && apt install -y openssh-server sudo netcat \
+RUN apt update && apt install -y openssh-server sudo netcat-openbsd \
   && useradd --create-home --shell '/bin/bash' --comment 'NetSSH' 'net_ssh_1' \
   && useradd --create-home --shell '/bin/bash' --comment 'NetSSH' 'net_ssh_2' \
   && echo net_ssh_1:foopwd | chpasswd \

data/Gemfile.norbnacl

@@ -0,0 +1,12 @@
+source 'https://rubygems.org'
+
+ENV['NET_SSH_NO_RBNACL'] = 'true'
+# Specify your gem's dependencies in mygem.gemspec
+gemspec
+
+if ENV["CI"] && !Gem.win_platform?
+  gem 'simplecov', require: false, group: :test
+  gem 'codecov', require: false, group: :test
+end
+
+gem 'webrick', group: %i[development test] if RUBY_VERSION.split(".")[0].to_i >= 3

data/README.md

@@ -5,7 +5,7 @@
 [![Backers on Open Collective](https://opencollective.com/net-ssh/backers/badge.svg)](#backers])
 [![Sponsors on Open Collective](https://opencollective.com/net-ssh/sponsors/badge.svg)](#sponsors)
 
-# Net::SSH 6.x
+# Net::SSH 7.x
 
 * Docs: http://net-ssh.github.io/net-ssh
 * Issues: https://github.com/net-ssh/net-ssh/issues
@@ -33,7 +33,7 @@ We strongly recommend that you install a servers's version that supports the lat
 
 It is possible to return to the previous behavior by adding the option : `append_all_supported_algorithms: true`
 
-Unsecure algoritms will definitely be removed in Net::SSH 7.*.
+Unsecure algoritms will definitely be removed in Net::SSH 8.*.
 
 ### Host Keys
 
@@ -44,7 +44,7 @@ Unsecure algoritms will definitely be removed in Net::SSH 7.*.
 | ecdsa-sha2-nistp521  | OK                    | [using weak elliptic curves](https://safecurves.cr.yp.to/) |
 | ecdsa-sha2-nistp384  | OK                    | [using weak elliptic curves](https://safecurves.cr.yp.to/) |
 | ecdsa-sha2-nistp256  | OK                    | [using weak elliptic curves](https://safecurves.cr.yp.to/) |
-| ssh-dss              | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
+| ssh-dss              | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
 
 ### Key Exchange
 
@@ -54,9 +54,9 @@ Unsecure algoritms will definitely be removed in Net::SSH 7.*.
 | ecdh-sha2-nistp521                   | OK                    | [using weak elliptic curves](https://safecurves.cr.yp.to/) |
 | ecdh-sha2-nistp384                   | OK                    | [using weak elliptic curves](https://safecurves.cr.yp.to/) |
 | ecdh-sha2-nistp256                   | OK                    | [using weak elliptic curves](https://safecurves.cr.yp.to/) |
-| diffie-hellman-group1-sha1           | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
+| diffie-hellman-group1-sha1           | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
 | diffie-hellman-group14-sha1          | OK                    |          |
-| diffie-hellman-group-exchange-sha1   | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
+| diffie-hellman-group-exchange-sha1   | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
 | diffie-hellman-group-exchange-sha256 | OK                    |          |
 
 ### Encryption algorithms (ciphers)
@@ -64,13 +64,14 @@ Unsecure algoritms will definitely be removed in Net::SSH 7.*.
 | Name                                 | Support               | Details  |
 |--------------------------------------|-----------------------|----------|
 | aes256-ctr / aes192-ctr / aes128-ctr | OK                    |          |
-| aes256-cbc / aes192-cbc / aes128-cbc | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
-| rijndael-cbc@lysator.liu.se          | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
-| blowfish-ctr blowfish-cbc            | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
-| cast128-ctr cast128-cbc              | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
-| 3des-ctr 3des-cbc                    | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
-| idea-cbc                             | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
-| none                                 | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
+| chacha20-poly1305@openssh.com        | OK.                   | Requires the gem `rbnacl` |
+| aes256-cbc / aes192-cbc / aes128-cbc | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
+| rijndael-cbc@lysator.liu.se          | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
+| blowfish-ctr blowfish-cbc            | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
+| cast128-ctr cast128-cbc              | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
+| 3des-ctr 3des-cbc                    | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
+| idea-cbc                             | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
+| none                                 | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
 
 ### Message Authentication Code algorithms
 
@@ -80,14 +81,14 @@ Unsecure algoritms will definitely be removed in Net::SSH 7.*.
 | hmac-sha2-256-etm    | OK                    |          |
 | hmac-sha2-512        | OK                    |          |
 | hmac-sha2-256        | OK                    |          |
-| hmac-sha2-512-96     | Deprecated in 6.0     | removed from the specification, will be removed in 7.0 |
-| hmac-sha2-256-96     | Deprecated in 6.0     | removed from the specification, will be removed in 7.0 |
+| hmac-sha2-512-96     | Deprecated in 6.0     | removed from the specification, will be removed in 8.0 |
+| hmac-sha2-256-96     | Deprecated in 6.0     | removed from the specification, will be removed in 8.0 |
 | hmac-sha1            | OK                    | for backward compatibility      |
-| hmac-sha1-96         | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
-| hmac-ripemd160       | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
-| hmac-md5             | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
-| hmac-md5-96          | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
-| none                 | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
+| hmac-sha1-96         | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
+| hmac-ripemd160       | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
+| hmac-md5             | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
+| hmac-md5-96          | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
+| none                 | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
 
 ## SYNOPSIS:
 
@@ -247,6 +248,10 @@ mv gem-public_cert.pem net-ssh-public_cert.pem
 gem cert --add net-ssh-public_cert.pem
 ```
 
+## Security contact information
+
+See [SECURITY.md](SECURITY.md)
+
 ## CREDITS
 
 ### Contributors

data/Rakefile

@@ -55,6 +55,60 @@ namespace :cert do
   end
 end
 
+def change_version(&block)
+  version_file = 'lib/net/ssh/version.rb'
+  require_relative version_file
+  pre = Net::SSH::Version::PRE
+  result = block[pre: pre]
+  raise "Version change logic should always return a pre", ArgumentError unless result.key?(:pre)
+
+  new_pre = result[:pre]
+  found = false
+  File.open("#{version_file}.new", "w") do |f|
+    File.readlines(version_file).each do |line|
+      match = /^(\s+PRE\s+=\s+")#{pre}("\s*)$/.match(line)
+      if match
+        prefix = match[1]
+        postfix = match[2]
+        if new_pre.nil?
+          prefix.delete_suffix!('"')
+          postfix.delete_prefix!('"')
+        end
+        new_line = "#{prefix}#{new_pre.inspect}#{postfix}"
+        puts "Changing:\n  - #{line}  + #{new_line}"
+        line = new_line
+        found = true
+      end
+      f.write(line)
+    end
+    raise ArugmentError, "Cound not find line: PRE = \"#{pre}\" in #{version_file}" unless found
+  end
+
+  FileUtils.mv version_file, "#{version_file}.old"
+  FileUtils.mv "#{version_file}.new", version_file
+end
+
+namespace :vbump do
+  desc "Final release"
+  task :final do
+    change_version do |pre:|
+      raise ArgumentError, "Unexpected pre: #{pre}" if pre.nil?
+
+      { pre: nil }
+    end
+  end
+
+  desc "Increment prerelease"
+  task :pre do
+    change_version do |pre:|
+      match = /^([a-z]+)(\d+)/.match(pre)
+      raise ArgumentError, "Unexpected pre: #{pre}" if match.nil?
+
+      { pre: "#{match[1]}#{match[2].to_i + 1}" }
+    end
+  end
+end
+
 namespace :rdoc do
   desc "Update gh-pages branch"
   task :publish do

data/SECURITY.md

@@ -0,0 +1,4 @@
+## Security contact information
+
+To report a security vulnerability, please use the
+[GitHub private vulnerability reporting feature](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability).

data/lib/net/ssh/authentication/certificate.rb

@@ -102,8 +102,8 @@ module Net
         # Checks whether the certificate's signature was signed by signature key.
         def signature_valid?
           buffer = Buffer.new(signature)
-          buffer.read_string # skip signature format
-          signature_key.ssh_do_verify(buffer.read_string, to_blob_without_signature)
+          sig_format = buffer.read_string
+          signature_key.ssh_do_verify(buffer.read_string, to_blob_without_signature, host_key: sig_format)
         end
 
         def self.read_options(buffer)

data/lib/net/ssh/authentication/ed25519.rb

@@ -77,6 +77,7 @@ module Net
               raise "BCryptPbkdf is not implemented for jruby" if RUBY_PLATFORM == "java"
 
               key = BCryptPbkdf::key(password, salt, keylen + ivlen, rounds)
+              raise DecryptError.new("BCyryptPbkdf failed", encrypted_key: true) unless key
             else
               key = '\x00' * (keylen + ivlen)
             end

data/lib/net/ssh/buffer.rb

@@ -251,7 +251,6 @@ module Net
       def read_private_keyblob(type)
         case type
         when /^ssh-rsa$/
-          key = OpenSSL::PKey::RSA.new
           n = read_bignum
           e = read_bignum
           d = read_bignum
@@ -262,27 +261,28 @@ module Net
           _unkown2 = read_bignum
           dmp1 = d % (p - 1)
           dmq1 = d % (q - 1)
-          if key.respond_to?(:set_key)
-            key.set_key(n, e, d)
-          else
-            key.e = e
-            key.n = n
-            key.d = d
-          end
-          if key.respond_to?(:set_factors)
-            key.set_factors(p, q)
-          else
-            key.p = p
-            key.q = q
+          # Public key
+          data_sequence = OpenSSL::ASN1::Sequence([
+                                                    OpenSSL::ASN1::Integer(n),
+                                                    OpenSSL::ASN1::Integer(e)
+                                                  ])
+
+          if d && p && q && dmp1 && dmq1 && iqmp
+            data_sequence = OpenSSL::ASN1::Sequence([
+                                                      OpenSSL::ASN1::Integer(0),
+                                                      OpenSSL::ASN1::Integer(n),
+                                                      OpenSSL::ASN1::Integer(e),
+                                                      OpenSSL::ASN1::Integer(d),
+                                                      OpenSSL::ASN1::Integer(p),
+                                                      OpenSSL::ASN1::Integer(q),
+                                                      OpenSSL::ASN1::Integer(dmp1),
+                                                      OpenSSL::ASN1::Integer(dmq1),
+                                                      OpenSSL::ASN1::Integer(iqmp)
+                                                    ])
           end
-          if key.respond_to?(:set_crt_params)
-            key.set_crt_params(dmp1, dmq1, iqmp)
-          else
-            key.dmp1 = dmp1
-            key.dmq1 = dmq1
-            key.iqmp = iqmp
-          end
-          key
+
+          asn1 = OpenSSL::ASN1::Sequence(data_sequence)
+          OpenSSL::PKey::RSA.new(asn1.to_der)
         when /^ecdsa\-sha2\-(\w*)$/
           OpenSSL::PKey::EC.read_keyblob($1, self)
         else

data/lib/net/ssh/connection/session.rb

@@ -416,7 +416,7 @@ module Net
         #
         #   matches = ssh.exec!("grep something /some/files")
         #
-        # the returned string has an exitstatus method to query it's exit satus
+        # the returned string has an exitstatus method to query its exit status
         def exec!(command, status: nil, &block)
           block_or_concat = block || Proc.new do |ch, type, data|
             ch[:result] ||= String.new

data/lib/net/ssh/transport/algorithms.rb

@@ -51,6 +51,11 @@ module Net
                    hmac-sha1]
         }.freeze
 
+        if Net::SSH::Transport::ChaCha20Poly1305CipherLoader::LOADED
+          DEFAULT_ALGORITHMS[:encryption].unshift(
+            'chacha20-poly1305@openssh.com'
+          )
+        end
         if Net::SSH::Authentication::ED25519Loader::LOADED
           DEFAULT_ALGORITHMS[:host_key].unshift(
             'ssh-ed25519-cert-v01@openssh.com',
@@ -437,12 +442,13 @@ module Net
         def exchange_keys
           debug { "exchanging keys" }
 
+          need_bytes = kex_byte_requirement
           algorithm = Kex::MAP[kex].new(self, session,
                                         client_version_string: Net::SSH::Transport::ServerVersion::PROTO_VERSION,
                                         server_version_string: session.server_version.version,
                                         server_algorithm_packet: @server_packet,
                                         client_algorithm_packet: @client_packet,
-                                        need_bytes: kex_byte_requirement,
+                                        need_bytes: need_bytes,
                                         minimum_dh_bits: options[:minimum_dh_bits],
                                         logger: logger)
           result = algorithm.exchange_keys
@@ -464,11 +470,27 @@ module Net
 
           parameters = { shared: secret, hash: hash, digester: digester }
 
-          cipher_client = CipherFactory.get(encryption_client, parameters.merge(iv: iv_client, key: key_client, encrypt: true))
-          cipher_server = CipherFactory.get(encryption_server, parameters.merge(iv: iv_server, key: key_server, decrypt: true))
+          cipher_client = CipherFactory.get(
+            encryption_client,
+            parameters.merge(iv: iv_client, key: key_client, encrypt: true)
+          )
+          cipher_server = CipherFactory.get(
+            encryption_server,
+            parameters.merge(iv: iv_server, key: key_server, decrypt: true)
+          )
 
-          mac_client = HMAC.get(hmac_client, mac_key_client, parameters)
-          mac_server = HMAC.get(hmac_server, mac_key_server, parameters)
+          mac_client =
+            if cipher_client.implicit_mac?
+              cipher_client.implicit_mac
+            else
+              HMAC.get(hmac_client, mac_key_client, parameters)
+            end
+          mac_server =
+            if cipher_server.implicit_mac?
+              cipher_server.implicit_mac
+            else
+              HMAC.get(hmac_server, mac_key_server, parameters)
+            end
 
           session.configure_client cipher: cipher_client, hmac: mac_client,
                                    compression: normalize_compression_name(compression_client),

data/lib/net/ssh/transport/chacha20_poly1305_cipher.rb

@@ -0,0 +1,117 @@
+require 'rbnacl'
+require 'net/ssh/loggable'
+
+module Net
+  module SSH
+    module Transport
+      ## Implements the chacha20-poly1305@openssh cipher
+      class ChaCha20Poly1305Cipher
+        include Net::SSH::Loggable
+
+        # Implicit HMAC, no need to do anything
+        class ImplicitHMac
+          def etm
+            # TODO: ideally this shouln't be called
+            true
+          end
+
+          def key_length
+            64
+          end
+        end
+
+        def initialize(encrypt:, key:)
+          @chacha_hdr = OpenSSL::Cipher.new("chacha20")
+          key_len = @chacha_hdr.key_len
+          @chacha_main = OpenSSL::Cipher.new("chacha20")
+          @poly = RbNaCl::OneTimeAuths::Poly1305
+          if key.size < key_len * 2
+            error { "chacha20_poly1305: keylength doesn't match" }
+            raise "chacha20_poly1305: keylength doesn't match"
+          end
+          if encrypt
+            @chacha_hdr.encrypt
+            @chacha_main.encrypt
+          else
+            @chacha_hdr.decrypt
+            @chacha_main.decrypt
+          end
+          main_key = key[0...key_len]
+          @chacha_main.key = main_key
+          hdr_key = key[key_len...(2 * key_len)]
+          @chacha_hdr.key = hdr_key
+        end
+
+        def update_cipher_mac(payload, sequence_number)
+          iv_data = [0, 0, 0, sequence_number].pack("NNNN")
+          @chacha_main.iv = iv_data
+          poly_key = @chacha_main.update(([0] * 32).pack('C32'))
+
+          packet_length = payload.size
+          length_data = [packet_length].pack("N")
+          @chacha_hdr.iv = iv_data
+          packet = @chacha_hdr.update(length_data)
+
+          iv_data[0] = 1.chr
+          @chacha_main.iv = iv_data
+          unencrypted_data = payload
+          packet += @chacha_main.update(unencrypted_data)
+
+          packet += @poly.auth(poly_key, packet)
+          return packet
+        end
+
+        def read_length(data, sequence_number)
+          iv_data = [0, 0, 0, sequence_number].pack("NNNN")
+          @chacha_hdr.iv = iv_data
+          @chacha_hdr.update(data).unpack1("N")
+        end
+
+        def read_and_mac(data, mac, sequence_number)
+          iv_data = [0, 0, 0, sequence_number].pack("NNNN")
+          @chacha_main.iv = iv_data
+          poly_key = @chacha_main.update(([0] * 32).pack('C32'))
+
+          iv_data[0] = 1.chr
+          @chacha_main.iv = iv_data
+          unencrypted_data = @chacha_main.update(data[4..])
+          begin
+            ok = @poly.verify(poly_key, mac, data[0..])
+            raise Net::SSH::Exception, "corrupted hmac detected #{name}" unless ok
+          rescue RbNaCl::BadAuthenticatorError
+            raise Net::SSH::Exception, "corrupted hmac detected #{name}"
+          end
+          return unencrypted_data
+        end
+
+        def mac_length
+          16
+        end
+
+        def block_size
+          8
+        end
+
+        def name
+          "chacha20-poly1305@openssh.com"
+        end
+
+        def implicit_mac?
+          true
+        end
+
+        def implicit_mac
+          return ImplicitHMac.new
+        end
+
+        def self.block_size
+          8
+        end
+
+        def self.key_length
+          64
+        end
+      end
+    end
+  end
+end

data/lib/net/ssh/transport/chacha20_poly1305_cipher_loader.rb

@@ -0,0 +1,17 @@
+module Net
+  module SSH
+    module Transport
+      # Loads chacha20 poly1305 support which requires optinal dependency rbnacl
+      module ChaCha20Poly1305CipherLoader
+        begin
+          require 'net/ssh/transport/chacha20_poly1305_cipher'
+          LOADED = true
+          ERROR = nil
+        rescue LoadError => e
+          ERROR = e
+          LOADED = false
+        end
+      end
+    end
+  end
+end

data/lib/net/ssh/transport/cipher_factory.rb

@@ -2,6 +2,8 @@ require 'openssl'
 require 'net/ssh/transport/ctr.rb'
 require 'net/ssh/transport/key_expander'
 require 'net/ssh/transport/identity_cipher'
+require 'net/ssh/transport/chacha20_poly1305_cipher_loader'
+require 'net/ssh/transport/openssl_cipher_extensions'
 
 module Net
   module SSH
@@ -29,13 +31,25 @@ module Net
           'none' => 'none'
         }
 
+        SSH_TO_CLASS =
+          if Net::SSH::Transport::ChaCha20Poly1305CipherLoader::LOADED
+            {
+              'chacha20-poly1305@openssh.com' => Net::SSH::Transport::ChaCha20Poly1305Cipher
+            }
+          else
+            {
+            }
+          end
+
         # Returns true if the underlying OpenSSL library supports the given cipher,
         # and false otherwise.
         def self.supported?(name)
+          return true if SSH_TO_CLASS.key?(name)
+
           ossl_name = SSH_TO_OSSL[name] or raise NotImplementedError, "unimplemented cipher `#{name}'"
           return true if ossl_name == "none"
 
-          return OpenSSL::Cipher.ciphers.include?(ossl_name)
+          return SSH_TO_CLASS.key?(name) || OpenSSL::Cipher.ciphers.include?(ossl_name)
         end
 
         # Retrieves a new instance of the named algorithm. The new instance
@@ -44,6 +58,13 @@ module Net
         # cipher will be put into encryption or decryption mode, based on the
         # value of the +encrypt+ parameter.
         def self.get(name, options = {})
+          klass = SSH_TO_CLASS[name]
+          unless klass.nil?
+            key_len = klass.key_length
+            key = Net::SSH::Transport::KeyExpander.expand_key(key_len, options[:key], options)
+            return klass.new(encrypt: options[:encrypt], key: key)
+          end
+
           ossl_name = SSH_TO_OSSL[name] or raise NotImplementedError, "unimplemented cipher `#{name}'"
           return IdentityCipher if ossl_name == "none"
 
@@ -53,6 +74,7 @@ module Net
 
           cipher.padding = 0
 
+          cipher.extend(Net::SSH::Transport::OpenSSLCipherExtensions)
           if name =~ /-ctr(@openssh.org)?$/
             if ossl_name !~ /-ctr/
               cipher.extend(Net::SSH::Transport::CTR)
@@ -75,6 +97,9 @@ module Net
         # of the tuple.
         # if :iv_len option is supplied the third return value will be ivlen
         def self.get_lengths(name, options = {})
+          klass = SSH_TO_CLASS[name]
+          return [klass.key_length, klass.block_size] unless klass.nil?
+
           ossl_name = SSH_TO_OSSL[name]
           if ossl_name.nil? || ossl_name == "none"
             result = [0, 0]

data/lib/net/ssh/transport/identity_cipher.rb

@@ -11,6 +11,10 @@ module Net
             8
           end
 
+          def key_length
+            0
+          end
+
           # Returns an arbitrary integer.
           def iv_len
             4
@@ -50,6 +54,10 @@ module Net
           def reset
             self
           end
+
+          def implicit_mac?
+            false
+          end
         end
       end
     end

data/lib/net/ssh/transport/openssl_cipher_extensions.rb

@@ -0,0 +1,8 @@
+module Net::SSH::Transport
+  # we add those mehtods to OpenSSL::Chipher instances
+  module OpenSSLCipherExtensions
+    def implicit_mac?
+      false
+    end
+  end
+end

data/lib/net/ssh/transport/packet_stream.rb

@@ -12,7 +12,7 @@ module Net
       # module. It adds SSH encryption, compression, and packet validation, as
       # per the SSH2 protocol. It also adds an abstraction for polling packets,
       # to allow for both blocking and non-blocking reads.
-      module PacketStream
+      module PacketStream # rubocop:disable Metrics/ModuleLength
         PROXY_COMMAND_HOST_IP = '<no hostip for proxy command>'.freeze
 
         include BufferedIo
@@ -123,7 +123,7 @@ module Net
         # Enqueues a packet to be sent, but does not immediately send the packet.
         # The given payload is pre-processed according to the algorithms specified
         # in the client state (compression, cipher, and hmac).
-        def enqueue_packet(payload)
+        def enqueue_packet(payload) # rubocop:disable Metrics/AbcSize
           # try to compress the packet
           payload = client.compress(payload)
 
@@ -144,7 +144,10 @@ module Net
 
           padding = Array.new(padding_length) { rand(256) }.pack("C*")
 
-          if client.hmac.etm
+          if client.cipher.implicit_mac?
+            unencrypted_data = [padding_length, payload, padding].pack("CA*A*")
+            message = client.cipher.update_cipher_mac(unencrypted_data, client.sequence_number)
+          elsif client.hmac.etm
             debug { "using encrypt-then-mac" }
 
             # Encrypt padding_length, payload, and padding. Take MAC
@@ -225,7 +228,11 @@ module Net
             data = read_available(minimum + aad_length)
 
             # decipher it
-            if server.hmac.etm
+            if server.cipher.implicit_mac?
+              @packet_length = server.cipher.read_length(data[0...4], server.sequence_number)
+              @packet = Net::SSH::Buffer.new
+              @mac_data = data
+            elsif server.hmac.etm
               @packet_length = data.unpack("N").first
               @mac_data = data
               @packet = Net::SSH::Buffer.new(server.update_cipher(data[aad_length..-1]))
@@ -238,31 +245,45 @@ module Net
           need = @packet_length + 4 - aad_length - server.block_size
           raise Net::SSH::Exception, "padding error, need #{need} block #{server.block_size}" if need % server.block_size != 0
 
-          return nil if available < need + server.hmac.mac_length
+          if server.cipher.implicit_mac?
+            return nil if available < need + server.cipher.mac_length
+          else
+            return nil if available < need + server.hmac.mac_length # rubocop:disable Style/IfInsideElse
+          end
 
           if need > 0
             # read the remainder of the packet and decrypt it.
             data = read_available(need)
-            @mac_data += data if server.hmac.etm
-            @packet.append(server.update_cipher(data))
+            @mac_data += data if server.hmac.etm || server.cipher.implicit_mac?
+            unless server.cipher.implicit_mac?
+              @packet.append(
+                server.update_cipher(data)
+              )
+            end
           end
 
-          # get the hmac from the tail of the packet (if one exists), and
-          # then validate it.
-          real_hmac = read_available(server.hmac.mac_length) || ""
-
-          @packet.append(server.final_cipher)
-          padding_length = @packet.read_byte
+          if server.cipher.implicit_mac?
+            real_hmac = read_available(server.cipher.mac_length) || ""
+            @packet = Net::SSH::Buffer.new(server.cipher.read_and_mac(@mac_data, real_hmac, server.sequence_number))
+            padding_length = @packet.read_byte
+            payload = @packet.read(@packet_length - padding_length - 1)
+          else
+            # get the hmac from the tail of the packet (if one exists), and
+            # then validate it.
+            real_hmac = read_available(server.hmac.mac_length) || ""
 
-          payload = @packet.read(@packet_length - padding_length - 1)
+            @packet.append(server.final_cipher)
+            padding_length = @packet.read_byte
 
-          my_computed_hmac = if server.hmac.etm
-                               server.hmac.digest([server.sequence_number, @mac_data].pack("NA*"))
-                             else
-                               server.hmac.digest([server.sequence_number, @packet.content].pack("NA*"))
-                             end
-          raise Net::SSH::Exception, "corrupted hmac detected #{server.hmac.class}" if real_hmac != my_computed_hmac
+            payload = @packet.read(@packet_length - padding_length - 1)
 
+            my_computed_hmac = if server.hmac.etm
+                                 server.hmac.digest([server.sequence_number, @mac_data].pack("NA*"))
+                               else
+                                 server.hmac.digest([server.sequence_number, @packet.content].pack("NA*"))
+                               end
+            raise Net::SSH::Exception, "corrupted hmac detected #{server.hmac.class}" if real_hmac != my_computed_hmac
+          end
           # try to decompress the payload, in case compression is active
           payload = server.decompress(payload)
 

data/lib/net/ssh/version.rb

@@ -49,14 +49,14 @@ module Net
       MAJOR = 7
 
       # The minor component of this version of the Net::SSH library
-      MINOR = 0
+      MINOR = 2
 
       # The tiny component of this version of the Net::SSH library
-      TINY  = 1
+      TINY  = 0
 
       # The prerelease component of this version of the Net::SSH library
       # nil allowed
-      PRE   = nil
+      PRE   = "rc1"
 
       # The current version of the Net::SSH library as a Version instance
       CURRENT = new(*[MAJOR, MINOR, TINY, PRE].compact)

data/lib/net/ssh.rb

@@ -64,7 +64,7 @@ module Net
     # Net::SSH.start for a description of each option.
     VALID_OPTIONS = %i[
       auth_methods bind_address compression compression_level config
-      encryption forward_agent hmac host_key remote_user
+      encryption forward_agent hmac host_key identity_agent remote_user
       keepalive keepalive_interval keepalive_maxcount kex keys key_data
       keycerts languages logger paranoid password port proxy
       rekey_blocks_limit rekey_limit rekey_packet_limit timeout verbose
@@ -73,7 +73,7 @@ module Net
       max_win_size send_env set_env use_agent number_of_password_prompts
       append_all_supported_algorithms non_interactive password_prompt
       agent_socket_factory minimum_dh_bits verify_host_key
-      fingerprint_hash check_host_ip
+      fingerprint_hash check_host_ip pubkey_algorithms
     ]
 
     # The standard means of starting a new SSH connection. When used with a
@@ -170,6 +170,11 @@ module Net
     # * :properties => a hash of key/value pairs to add to the new connection's
     #   properties (see Net::SSH::Connection::Session#properties)
     # * :proxy => a proxy instance (see Proxy) to use when connecting
+    # * :pubkey_algorithms => the public key authentication algorithms to use for
+    #   this connection. Valid values are 'rsa-sha2-256-cert-v01@openssh.com',
+    #   'ssh-rsa-cert-v01@openssh.com', 'rsa-sha2-256', 'ssh-rsa'. Currently, this
+    #   option is only used for RSA public key authentication and ignored for other
+    #   types.
     # * :rekey_blocks_limit => the max number of blocks to process before rekeying
     # * :rekey_limit => the max number of bytes to process before rekeying
     # * :rekey_packet_limit => the max number of packets to process before rekeying
@@ -187,6 +192,7 @@ module Net
     #   Defaults to %w(~/.ssh/known_hosts ~/.ssh/known_hosts2).
     # * :use_agent => Set false to disable the use of ssh-agent. Defaults to
     #   true
+    # * :identity_agent => the path to the ssh-agent's UNIX socket
     # * :verbose => how verbose to be (Logger verbosity constants, Logger::DEBUG
     #   is very verbose, Logger::FATAL is all but silent). Logger::FATAL is the
     #   default. The symbols :debug, :info, :warn, :error, and :fatal are also

data/net-ssh-public_cert.pem

@@ -1,7 +1,7 @@
 -----BEGIN CERTIFICATE-----
 MIIDQDCCAiigAwIBAgIBATANBgkqhkiG9w0BAQsFADAlMSMwIQYDVQQDDBpuZXRz
-c2gvREM9c29sdXRpb3VzL0RDPWNvbTAeFw0yMTA4MTAwODMyMzBaFw0yMjA4MTAw
-ODMyMzBaMCUxIzAhBgNVBAMMGm5ldHNzaC9EQz1zb2x1dGlvdXMvREM9Y29tMIIB
+c2gvREM9c29sdXRpb3VzL0RDPWNvbTAeFw0yMzAxMjQwMzE3NTVaFw0yNDAxMjQw
+MzE3NTVaMCUxIzAhBgNVBAMMGm5ldHNzaC9EQz1zb2x1dGlvdXMvREM9Y29tMIIB
 IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxieE22fR/qmdPKUHyYTyUx2g
 wskLwrCkxay+Tvc97ZZUOwf85LDDDPqhQaTWLvRwnIOMgQE2nBPzwalVclK6a+pW
 x/18KDeZY15vm3Qn5p42b0wi9hUxOqPm3J2hdCLCcgtENgdX21nVzejn39WVqFJO
@@ -11,10 +11,10 @@ fBbmDnsMLAtAtauMOxORrbx3EOY7sHku/kSrMg3FXFay7jc6BkbbUij+MjJ/k82l
 AQABo3sweTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIEsDAdBgNVHQ4EFgQUBfKiwO2e
 M4NEiRrVG793qEPLYyMwHwYDVR0RBBgwFoEUbmV0c3NoQHNvbHV0aW91cy5jb20w
 HwYDVR0SBBgwFoEUbmV0c3NoQHNvbHV0aW91cy5jb20wDQYJKoZIhvcNAQELBQAD
-ggEBABRChgo0Jo+iXSnTpODNongzZoU0sWqwx3/FQVo8nyAyr1qFuiqpSPb4bDbU
-DsVnUn3t0X/gGA8qJhutlmfTpEQCjUeyj2x9rWpD3lvttlGWV6btQ0qN4Dfc2gsw
-rCp9Jpful0HGWhiwfjWfsarqAdtLzIG0UC47IN7LGeCMRJIijOsXQhiZ915eNBEw
-g9+WSSGHkMFt/7vi2pFkvXSC0+RF8ovvRWf4Zw2aYXtJ1GElgi4ZS/s6ZU0gmv20
-i4SfC5m5UXIVZvOBYiMuZ/1B2m6R9xU41027zfOVwRFNtlVDiNfQRq6sDmz44At/
-dv8pkxXDgySe41vzlRXFsgIgz5A=
+ggEBAHyOSaOUji+EJFWZ46g+2EZ/kG7EFloFtIQUz8jDJIWGE+3NV5po1M0Z6EqH
+XmG3BtMLfgOV9NwMQRqIdKnZDfKsqM/FOu+9IqrP+OieAde5OrXR2pzQls60Xft7
+3qNVaQS99woQRqiUiDQQ7WagOYrZjuVANqTDNt4myzGSjS5sHcKlz3PRn0LJRMe5
+ouuLwQ7BCXityv5RRXex2ibCOyY7pB5ris6xDnPe1WdlyCfUf1Fb+Yqxpy6a8QmH
+v84waVXQ2i5M7pJaHVBF7DxxeW/q8W3VCnsq8vmmvULSThD18QqYGaFDJeN8sTR4
+6tfjgZ6OvGSScvbCMHkCE9XjonE=
 -----END CERTIFICATE-----

data/net-ssh.gemspec

@@ -36,6 +36,8 @@ Gem::Specification.new do |spec|
     spec.add_development_dependency('x25519') unless RUBY_PLATFORM == 'java'
   end
 
+  spec.add_development_dependency('rbnacl', '~> 7.1') unless ENV['NET_SSH_NO_RBNACL']
+
   spec.add_development_dependency "bundler", ">= 1.17"
   spec.add_development_dependency "minitest", "~> 5.10"
   spec.add_development_dependency "mocha", "~> 1.11.2"

data.tar.gz.sig

@@ -1 +1 @@
-L���]#��&n�SiV	���Y�
+v�:U��֛����Ǒ����m��Ձd*GA�:pp��t���8�G���A���������/P!��'�e��)��gW6�<��c�-���PD.�}��l�U��؜�︭�_R�G���0��̿���.�}���Ë��j�cf��̤9Q9&�^2l�.�ne��Ǹ1Be"q(^Ttw�a�A�Z�����/fGo��\PO��O�E�ǙA�ߗwҽ��!P2��E��O�q��O��M��KN� �Z��&�S

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: net-ssh
 version: !ruby/object:Gem::Version
-  version: 7.0.1
+  version: 7.2.0.rc1
 platform: ruby
 authors:
 - Jamis Buck
@@ -13,8 +13,8 @@ cert_chain:
 - |
   -----BEGIN CERTIFICATE-----
   MIIDQDCCAiigAwIBAgIBATANBgkqhkiG9w0BAQsFADAlMSMwIQYDVQQDDBpuZXRz
-  c2gvREM9c29sdXRpb3VzL0RDPWNvbTAeFw0yMTA4MTAwODMyMzBaFw0yMjA4MTAw
-  ODMyMzBaMCUxIzAhBgNVBAMMGm5ldHNzaC9EQz1zb2x1dGlvdXMvREM9Y29tMIIB
+  c2gvREM9c29sdXRpb3VzL0RDPWNvbTAeFw0yMzAxMjQwMzE3NTVaFw0yNDAxMjQw
+  MzE3NTVaMCUxIzAhBgNVBAMMGm5ldHNzaC9EQz1zb2x1dGlvdXMvREM9Y29tMIIB
   IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxieE22fR/qmdPKUHyYTyUx2g
   wskLwrCkxay+Tvc97ZZUOwf85LDDDPqhQaTWLvRwnIOMgQE2nBPzwalVclK6a+pW
   x/18KDeZY15vm3Qn5p42b0wi9hUxOqPm3J2hdCLCcgtENgdX21nVzejn39WVqFJO
@@ -24,14 +24,14 @@ cert_chain:
   AQABo3sweTAJBgNVHRMEAjAAMAsGA1UdDwQEAwIEsDAdBgNVHQ4EFgQUBfKiwO2e
   M4NEiRrVG793qEPLYyMwHwYDVR0RBBgwFoEUbmV0c3NoQHNvbHV0aW91cy5jb20w
   HwYDVR0SBBgwFoEUbmV0c3NoQHNvbHV0aW91cy5jb20wDQYJKoZIhvcNAQELBQAD
-  ggEBABRChgo0Jo+iXSnTpODNongzZoU0sWqwx3/FQVo8nyAyr1qFuiqpSPb4bDbU
-  DsVnUn3t0X/gGA8qJhutlmfTpEQCjUeyj2x9rWpD3lvttlGWV6btQ0qN4Dfc2gsw
-  rCp9Jpful0HGWhiwfjWfsarqAdtLzIG0UC47IN7LGeCMRJIijOsXQhiZ915eNBEw
-  g9+WSSGHkMFt/7vi2pFkvXSC0+RF8ovvRWf4Zw2aYXtJ1GElgi4ZS/s6ZU0gmv20
-  i4SfC5m5UXIVZvOBYiMuZ/1B2m6R9xU41027zfOVwRFNtlVDiNfQRq6sDmz44At/
-  dv8pkxXDgySe41vzlRXFsgIgz5A=
+  ggEBAHyOSaOUji+EJFWZ46g+2EZ/kG7EFloFtIQUz8jDJIWGE+3NV5po1M0Z6EqH
+  XmG3BtMLfgOV9NwMQRqIdKnZDfKsqM/FOu+9IqrP+OieAde5OrXR2pzQls60Xft7
+  3qNVaQS99woQRqiUiDQQ7WagOYrZjuVANqTDNt4myzGSjS5sHcKlz3PRn0LJRMe5
+  ouuLwQ7BCXityv5RRXex2ibCOyY7pB5ris6xDnPe1WdlyCfUf1Fb+Yqxpy6a8QmH
+  v84waVXQ2i5M7pJaHVBF7DxxeW/q8W3VCnsq8vmmvULSThD18QqYGaFDJeN8sTR4
+  6tfjgZ6OvGSScvbCMHkCE9XjonE=
   -----END CERTIFICATE-----
-date: 2022-06-26 00:00:00.000000000 Z
+date: 2023-07-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bcrypt_pbkdf
@@ -75,6 +75,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: rbnacl
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '7.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '7.1'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -157,6 +171,7 @@ extra_rdoc_files:
 - README.md
 files:
 - ".dockerignore"
+- ".github/FUNDING.yml"
 - ".github/config/rubocop_linter_action.yml"
 - ".github/workflows/ci-with-docker.yml"
 - ".github/workflows/ci.yml"
@@ -165,15 +180,18 @@ files:
 - ".rubocop.yml"
 - ".rubocop_todo.yml"
 - CHANGES.txt
+- DEVELOPMENT.md
 - Dockerfile
 - Dockerfile.openssl3
 - Gemfile
 - Gemfile.noed25519
+- Gemfile.norbnacl
 - ISSUE_TEMPLATE.md
 - LICENSE.txt
 - Manifest
 - README.md
 - Rakefile
+- SECURITY.md
 - THANKS.txt
 - appveyor.yml
 - docker-compose.yml
@@ -226,6 +244,8 @@ files:
 - lib/net/ssh/test/script.rb
 - lib/net/ssh/test/socket.rb
 - lib/net/ssh/transport/algorithms.rb
+- lib/net/ssh/transport/chacha20_poly1305_cipher.rb
+- lib/net/ssh/transport/chacha20_poly1305_cipher_loader.rb
 - lib/net/ssh/transport/cipher_factory.rb
 - lib/net/ssh/transport/constants.rb
 - lib/net/ssh/transport/ctr.rb
@@ -259,6 +279,7 @@ files:
 - lib/net/ssh/transport/kex/ecdh_sha2_nistp521.rb
 - lib/net/ssh/transport/key_expander.rb
 - lib/net/ssh/transport/openssl.rb
+- lib/net/ssh/transport/openssl_cipher_extensions.rb
 - lib/net/ssh/transport/packet_stream.rb
 - lib/net/ssh/transport/server_version.rb
 - lib/net/ssh/transport/session.rb
@@ -287,11 +308,11 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '2.6'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
-rubygems_version: 3.1.6
+rubygems_version: 3.3.3
 signing_key: 
 specification_version: 4
 summary: 'Net::SSH: a pure-Ruby implementation of the SSH2 client protocol.'