net-ssh 7.1.0 → 7.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 69f379018d9756042dedb6948dda7f92b8d866a0fd3beb7745a11ab1da739001
-  data.tar.gz: 8e5b659e405ea5403ce34fec03e05c1abe1d3dcf6b8962610d7b6c62c6df7794
+  metadata.gz: e941174d3093fe012c56708a9c23e0b86715e7aa0508b59c60e61279ff136fcd
+  data.tar.gz: '02289d4900c6bd52679c65d70715e1038163ba54c61bd9d8257e837305204c1a'
 SHA512:
-  metadata.gz: 065e5076a1d6ed2af0ca3b51f6dc885cf05d09b93ba8a9f5ad003031b5ab3b652e1289b4c5ff9b2e9865db3c12f58874b1ec504044ee17fe1551396e4081daa9
-  data.tar.gz: c27bb7b11148313012628ada70d22e5e425ef4b36c7645e40bd422ad86a2b9495de1b71fa70ad8ae2b9584d4cbbe8fef3030883f29df0c7551f8e3d8eddc4339
+  metadata.gz: 5f9db58c86854a20d4d483129501795292ac9fcb9fe1405250536a6a66577e127ca8fbd287da888642acb2929240c7327663100abe70c0808c319b67a11ccc2a
+  data.tar.gz: 189d3ba6b2e53b0910941b7b866d0d8f18c94024f061876b20c59f35ae48bd1edbd57d313bbb35efa1f7a99878a1751ee71a49cc602bb83f0204a82feb9afac1

data/.github/FUNDING.yml

@@ -0,0 +1 @@
+github: [mfazekas]

data/.github/workflows/ci.yml

@@ -4,10 +4,10 @@ on:
   push: { branches: master }
 jobs:
   test:
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-22.04
     strategy:
       matrix:
-        ruby-version: [2.6.6, 2.7.2, 3.0.1, 3.1.1]
+        ruby-version: [2.6.10, 2.7.7, 3.0.6, 3.1.3, 3.2.1, 3.3.0]
     steps:
       - uses: actions/checkout@v3
 
@@ -39,13 +39,14 @@ jobs:
             ${{ runner.os }}-pip-v1
       - name: Bundle install
         run: |
-          gem install bundler
+          gem install bundler ${{ (startsWith(matrix.ruby-version, '2.6.') || startsWith(matrix.ruby-version, '2.7.')) && '-v 2.4.22' || '' }}
           bundle config set path 'vendor/bundle'
           bundle config set --local path 'vendor/bundle'
           bundle install --jobs 4 --retry 3 --path vendor/bundle
           BUNDLE_GEMFILE=./Gemfile.noed25519 bundle install --jobs 4 --retry 3 --path vendor/bundle
         env:
           BUNDLE_PATH: vendor/bundle
+
       
       - name: Add to etc/hosts
         run: |
@@ -77,6 +78,12 @@ jobs:
         env:
           NET_SSH_RUN_INTEGRATION_TESTS: 1
           CI: 1
+      - name: Run tests (without rbnacl)
+        run: bundle exec rake test
+        env:
+          BUNDLE_GEMFILE: ./Gemfile.norbnacl
+          NET_SSH_RUN_INTEGRATION_TESTS: 1
+          CI: 1
       - name: Run Tests (without ed25519)
         run: bundle exec rake test
         env:

data/.gitignore

@@ -8,6 +8,8 @@ pkg
 test/integration/.vagrant
 test/integration/playbook.retry
 
+lib/net/ssh/version.rb.old
+
 .byebug_history
 
 tryout

data/.rubocop_todo.yml

@@ -235,7 +235,7 @@ Lint/UselessTimes:
 # Offense count: 205
 # Configuration parameters: IgnoredMethods, CountRepeatedAttributes.
 Metrics/AbcSize:
-  Max: 74
+  Max: 75
 
 # Offense count: 16
 # Configuration parameters: CountComments, CountAsOne, ExcludedMethods, IgnoredMethods.
@@ -251,7 +251,7 @@ Metrics/BlockNesting:
 # Offense count: 33
 # Configuration parameters: CountComments, CountAsOne.
 Metrics/ClassLength:
-  Max: 488
+  Max: 350
 
 # Offense count: 38
 # Configuration parameters: IgnoredMethods.

data/CHANGES.txt

@@ -1,3 +1,27 @@
+=== 7.3.0 rc0
+
+ * aes(128|256)gcm [#946]
+
+=== 7.2.2
+
+  * ruby 3.3.0: base64 fix
+
+=== 7.2.1 rc1
+
+  * feat: allow load of certkey from string [#926]
+  * fix: fix for  Socket#recv returning nil on ruby 3.3.0 [#928]
+
+=== 7.2.0
+
+  * Add debugging information for algorithm of pubkey in use [#918]
+
+=== 7.2.0 rc1
+
+  * Allow IdentityAgent as option to Net::SSH.start [#912]
+
+=== 7.2.0 beta1
+
+  * Support `chacha20-poly1305@opnessh.com` cypher if `RbNaCl` gem is installed [#908]
 
 === 7.1.0
 

data/DEVELOPMENT.md

@@ -0,0 +1,23 @@
+### Development notes
+
+## Building/running ssh server in debug mode
+
+clone the openssh server from `https://github.com/openssh/openssh-portable`
+
+```sh
+brew install openssl
+/usr/local/Cellar/openssl@3/3.1.0/bin/openssl
+
+autoreconf
+./configure --with-ssl-dir=/usr/local/Cellar/openssl@3/3.1.0/ --with-audit=debug --enable-debug CPPFLAGS="-DDEBUG -DPACKET_DEBUG" CFLAGS="-g -O0"
+make
+```
+
+To run server in debug mode:
+```sh
+echo '#' > /tmp/sshd_config
+ssh-keygen -t rsa -f /tmp/ssh_host_rsa_key
+# /Users/boga/Work/OSS/NetSSH/openssh-portable/sshd -p 2222 -D -d -d -d -e -f /tmp/sshd_config
+/Users/boga/Work/OSS/NetSSH/openssh-portable/sshd -p 2222 -D -d -d -d -e -f /tmp/sshd_config -h /tmp/ssh_host_rsa_key
+
+```

data/Dockerfile

@@ -1,7 +1,9 @@
 ARG RUBY_VERSION=3.1
 FROM ruby:${RUBY_VERSION}
 
-RUN apt update && apt install -y openssh-server sudo netcat \
+ARG BUNDLERV=
+
+RUN apt update && apt install -y openssh-server sudo netcat-openbsd \
   && useradd --create-home --shell '/bin/bash' --comment 'NetSSH' 'net_ssh_1' \
   && useradd --create-home --shell '/bin/bash' --comment 'NetSSH' 'net_ssh_2' \
   && echo net_ssh_1:foopwd | chpasswd \
@@ -20,7 +22,7 @@ COPY Gemfile net-ssh.gemspec $INSTALL_PATH/
 
 COPY lib/net/ssh/version.rb $INSTALL_PATH/lib/net/ssh/version.rb
 
-RUN gem install bundler && bundle install
+RUN gem install bundler ${BUNDLERV}  && bundle install
 
 COPY . $INSTALL_PATH/
 

data/Gemfile.norbnacl

@@ -0,0 +1,12 @@
+source 'https://rubygems.org'
+
+ENV['NET_SSH_NO_RBNACL'] = 'true'
+# Specify your gem's dependencies in mygem.gemspec
+gemspec
+
+if ENV["CI"] && !Gem.win_platform?
+  gem 'simplecov', require: false, group: :test
+  gem 'codecov', require: false, group: :test
+end
+
+gem 'webrick', group: %i[development test] if RUBY_VERSION.split(".")[0].to_i >= 3

data/README.md

@@ -33,7 +33,7 @@ We strongly recommend that you install a servers's version that supports the lat
 
 It is possible to return to the previous behavior by adding the option : `append_all_supported_algorithms: true`
 
-Unsecure algoritms will definitely be removed in Net::SSH 7.*.
+Unsecure algoritms will definitely be removed in Net::SSH 8.*.
 
 ### Host Keys
 
@@ -44,7 +44,7 @@ Unsecure algoritms will definitely be removed in Net::SSH 7.*.
 | ecdsa-sha2-nistp521  | OK                    | [using weak elliptic curves](https://safecurves.cr.yp.to/) |
 | ecdsa-sha2-nistp384  | OK                    | [using weak elliptic curves](https://safecurves.cr.yp.to/) |
 | ecdsa-sha2-nistp256  | OK                    | [using weak elliptic curves](https://safecurves.cr.yp.to/) |
-| ssh-dss              | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
+| ssh-dss              | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
 
 ### Key Exchange
 
@@ -54,9 +54,9 @@ Unsecure algoritms will definitely be removed in Net::SSH 7.*.
 | ecdh-sha2-nistp521                   | OK                    | [using weak elliptic curves](https://safecurves.cr.yp.to/) |
 | ecdh-sha2-nistp384                   | OK                    | [using weak elliptic curves](https://safecurves.cr.yp.to/) |
 | ecdh-sha2-nistp256                   | OK                    | [using weak elliptic curves](https://safecurves.cr.yp.to/) |
-| diffie-hellman-group1-sha1           | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
+| diffie-hellman-group1-sha1           | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
 | diffie-hellman-group14-sha1          | OK                    |          |
-| diffie-hellman-group-exchange-sha1   | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
+| diffie-hellman-group-exchange-sha1   | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
 | diffie-hellman-group-exchange-sha256 | OK                    |          |
 
 ### Encryption algorithms (ciphers)
@@ -64,13 +64,14 @@ Unsecure algoritms will definitely be removed in Net::SSH 7.*.
 | Name                                 | Support               | Details  |
 |--------------------------------------|-----------------------|----------|
 | aes256-ctr / aes192-ctr / aes128-ctr | OK                    |          |
-| aes256-cbc / aes192-cbc / aes128-cbc | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
-| rijndael-cbc@lysator.liu.se          | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
-| blowfish-ctr blowfish-cbc            | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
-| cast128-ctr cast128-cbc              | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
-| 3des-ctr 3des-cbc                    | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
-| idea-cbc                             | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
-| none                                 | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
+| chacha20-poly1305@openssh.com        | OK.                   | Requires the gem `rbnacl` |
+| aes256-cbc / aes192-cbc / aes128-cbc | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
+| rijndael-cbc@lysator.liu.se          | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
+| blowfish-ctr blowfish-cbc            | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
+| cast128-ctr cast128-cbc              | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
+| 3des-ctr 3des-cbc                    | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
+| idea-cbc                             | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
+| none                                 | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
 
 ### Message Authentication Code algorithms
 
@@ -80,14 +81,14 @@ Unsecure algoritms will definitely be removed in Net::SSH 7.*.
 | hmac-sha2-256-etm    | OK                    |          |
 | hmac-sha2-512        | OK                    |          |
 | hmac-sha2-256        | OK                    |          |
-| hmac-sha2-512-96     | Deprecated in 6.0     | removed from the specification, will be removed in 7.0 |
-| hmac-sha2-256-96     | Deprecated in 6.0     | removed from the specification, will be removed in 7.0 |
+| hmac-sha2-512-96     | Deprecated in 6.0     | removed from the specification, will be removed in 8.0 |
+| hmac-sha2-256-96     | Deprecated in 6.0     | removed from the specification, will be removed in 8.0 |
 | hmac-sha1            | OK                    | for backward compatibility      |
-| hmac-sha1-96         | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
-| hmac-ripemd160       | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
-| hmac-md5             | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
-| hmac-md5-96          | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
-| none                 | Deprecated in 6.0     | unsecure, will be removed in 7.0 |
+| hmac-sha1-96         | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
+| hmac-ripemd160       | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
+| hmac-md5             | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
+| hmac-md5-96          | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
+| none                 | Deprecated in 6.0     | unsecure, will be removed in 8.0 |
 
 ## SYNOPSIS:
 
@@ -247,6 +248,8 @@ mv gem-public_cert.pem net-ssh-public_cert.pem
 gem cert --add net-ssh-public_cert.pem
 ```
 
+or `rake cert:update_public_when_expired`
+
 ## Security contact information
 
 See [SECURITY.md](SECURITY.md)
@@ -271,6 +274,9 @@ Support this project by becoming a sponsor. Your logo will show up here with a l
 
 [![Sponsor](https://opencollective.com/net-ssh/sponsor/0/avatar.svg)](https://opencollective.com/net-ssh/sponsor/0/website)
 
+[<img src="https://github.com/net-ssh/net-ssh/assets/52435/9690bf3e-34ea-4c52-8aea-1cc4cb5bcb6d" width="320">](https://ubicloud.com)
+
+
 ## LICENSE:
 
 (The MIT License)

data/Rakefile

@@ -59,29 +59,48 @@ def change_version(&block)
   version_file = 'lib/net/ssh/version.rb'
   require_relative version_file
   pre = Net::SSH::Version::PRE
-  result = block[pre: pre]
-  raise "Version change logic should always return a pre", ArgumentError unless result.key?(:pre)
+  tiny = Net::SSH::Version::TINY
+  result = block[pre: pre, tiny: Net::SSH::Version::TINY]
+  raise ArgumentError, "Version change logic should always return a pre" unless result.key?(:pre)
 
   new_pre = result[:pre]
-  found = false
+  new_tiny = result[:tiny] || tiny
+  found = { pre: false, tiny: false }
   File.open("#{version_file}.new", "w") do |f|
     File.readlines(version_file).each do |line|
-      match = /^(\s+PRE\s+=\s+")#{pre}("\s*)$/.match(line)
+      match =
+        if pre.nil?
+          /^(\s+PRE\s+=\s+)nil(\s*)$/.match(line)
+        else
+          /^(\s+PRE\s+=\s+")#{pre}("\s*)$/.match(line)
+        end
       if match
         prefix = match[1]
         postfix = match[2]
-        if new_pre.nil?
-          prefix.delete_suffix!('"')
-          postfix.delete_prefix!('"')
-        end
+        prefix.delete_suffix!('"')
+        postfix.delete_prefix!('"')
         new_line = "#{prefix}#{new_pre.inspect}#{postfix}"
         puts "Changing:\n  - #{line}  + #{new_line}"
         line = new_line
-        found = true
+        found[:pre] = true
+      end
+
+      if new_tiny != tiny
+        match = /^(\s+TINY\s+=\s+)#{tiny}(\s*)$/.match(line)
+        if match
+          prefix = match[1]
+          postfix = match[2]
+          new_line = "#{prefix}#{new_tiny}#{postfix}"
+          puts "Changing:\n  - #{line}  + #{new_line}"
+          line = new_line
+          found[:tiny] = true
+        end
       end
+
       f.write(line)
     end
-    raise ArugmentError, "Cound not find line: PRE = \"#{pre}\" in #{version_file}" unless found
+    raise ArgumentError, "Cound not find line: PRE = \"#{pre}\" in #{version_file}" unless found[:pre]
+    raise ArgumentError, "Cound not find line: TINY = \"#{tiny}\" in #{version_file}" unless found[:tiny] || new_tiny == tiny
   end
 
   FileUtils.mv version_file, "#{version_file}.old"
@@ -91,20 +110,34 @@ end
 namespace :vbump do
   desc "Final release"
   task :final do
-    change_version do |pre:|
-      raise ArgumentError, "Unexpected pre: #{pre}" if pre.nil?
-
-      { pre: nil }
+    change_version do |pre:, tiny:|
+      _ = tiny
+      if pre.nil?
+        { tiny: tiny + 1, pre: nil }
+      else
+        raise ArgumentError, "Unexpected pre: #{pre}" if pre.nil?
+
+        { pre: nil }
+      end
     end
   end
 
   desc "Increment prerelease"
-  task :pre do
-    change_version do |pre:|
+  task :pre, [:type] do |_t, args|
+    change_version do |pre:, tiny:|
+      puts " PRE => #{pre.inspect}"
       match = /^([a-z]+)(\d+)/.match(pre)
-      raise ArgumentError, "Unexpected pre: #{pre}" if match.nil?
+      raise ArgumentError, "Unexpected pre: #{pre}" if match.nil? && args[:type].nil?
 
-      { pre: "#{match[1]}#{match[2].to_i + 1}" }
+      if match.nil? || (!args[:type].nil? && args[:type] != match[1])
+        if pre.nil?
+          { pre: "#{args[:type]}1", tiny: tiny + 1 }
+        else
+          { pre: "#{args[:type]}1" }
+        end
+      else
+        { pre: "#{match[1]}#{match[2].to_i + 1}" }
+      end
     end
   end
 end

data/docker-compose.yml

@@ -16,8 +16,10 @@ services:
       context: .
       args: 
         RUBY_VERSION: 2.7
+        BUNDLERV: "-v 2.2.28"
   ruby-2.6:
     build:
       context: .
       args: 
         RUBY_VERSION: 2.6
+        BUNDLERV: "-v 2.4.22"

data/lib/net/ssh/authentication/ed25519.rb

@@ -3,8 +3,6 @@ gem 'bcrypt_pbkdf', '~> 1.0' unless RUBY_PLATFORM == "java"
 
 require 'ed25519'
 
-require 'base64'
-
 require 'net/ssh/transport/cipher_factory'
 require 'net/ssh/authentication/pub_key_fingerprint'
 require 'bcrypt_pbkdf' unless RUBY_PLATFORM == "java"
@@ -46,7 +44,7 @@ module Net
             raise ArgumentError.new("Expected #{MEND} at end of private key") unless datafull.end_with?(MEND)
 
             datab64 = datafull[MBEGIN.size...-MEND.size]
-            data = Base64.decode64(datab64)
+            data = datab64.unpack1("m")
             raise ArgumentError.new("Expected #{MAGIC} at start of decoded private key") unless data.start_with?(MAGIC)
 
             buffer = Net::SSH::Buffer.new(data[MAGIC.size + 1..-1])
@@ -134,7 +132,7 @@ module Net
 
           def to_pem
             # TODO this is not pem
-            ssh_type + Base64.encode64(@verify_key.to_bytes)
+            ssh_type + [@verify_key.to_bytes].pack("m")
           end
         end
 

data/lib/net/ssh/authentication/key_manager.rb

@@ -32,6 +32,9 @@ module Net
         # The list of user key certificate files that will be examined
         attr_reader :keycert_files
 
+        # The list of user key certificate data that will be examined
+        attr_reader :keycert_data
+
         # The map of loaded identities
         attr_reader :known_identities
 
@@ -46,6 +49,7 @@ module Net
           @key_files = []
           @key_data = []
           @keycert_files = []
+          @keycert_data = []
           @use_agent = options[:use_agent] != false
           @known_identities = {}
           @agent = nil
@@ -59,6 +63,7 @@ module Net
         def clear!
           key_files.clear
           key_data.clear
+          keycert_data.clear
           known_identities.clear
           self
         end
@@ -75,6 +80,12 @@ module Net
           self
         end
 
+        # Add the given keycert_data to the list of keycerts that will be used.
+        def add_keycert_data(keycert_data_)
+          keycert_data.push(keycert_data_).uniq!
+          self
+        end
+
         # Add the given key_file to the list of keys that will be used.
         def add_key_data(key_data_)
           key_data.push(key_data_).uniq!
@@ -132,8 +143,8 @@ module Net
           end
 
           known_identity_blobs = known_identities.keys.map(&:to_blob)
-          keycert_files.each do |keycert_file|
-            keycert = KeyFactory.load_public_key(keycert_file)
+
+          keycerts.each do |keycert|
             next if known_identity_blobs.include?(keycert.to_blob)
 
             (_, corresponding_identity) = known_identities.detect { |public_key, _|
@@ -227,6 +238,12 @@ module Net
 
         private
 
+        # Load keycerts from files and data.
+        def keycerts
+          keycert_files.map { |keycert_file| KeyFactory.load_public_key(keycert_file) } +
+            keycert_data.map { |data| KeyFactory.load_data_public_key(data) }
+        end
+
         # Prepares identities from user key_files for loading, preserving their order and sources.
         def prepare_identities_from_files
           key_files.map do |file|

data/lib/net/ssh/authentication/methods/publickey.rb

@@ -44,7 +44,7 @@ module Net
           end
 
           def authenticate_with_alg(identity, next_service, username, alg, sig_alg = nil)
-            debug { "trying publickey (#{identity.fingerprint})" }
+            debug { "trying publickey (#{identity.fingerprint}) alg #{alg}" }
             send_request(identity, username, next_service, alg)
 
             message = session.next_message

data/lib/net/ssh/authentication/pub_key_fingerprint.rb

@@ -32,7 +32,7 @@ module Net
           when 'MD5'
             OpenSSL::Digest.hexdigest(algorithm, blob).scan(/../).join(":")
           when 'SHA256'
-            "SHA256:#{Base64.encode64(OpenSSL::Digest.digest(algorithm, blob)).chomp.gsub(/=+\z/, '')}"
+            "SHA256:#{[OpenSSL::Digest.digest(algorithm, blob)].pack('m').chomp.gsub(/=+\z/, '')}"
           else
             raise OpenSSL::Digest::DigestError, "unsupported ssh key digest #{algorithm}"
           end

data/lib/net/ssh/authentication/session.rb

@@ -63,6 +63,7 @@ module Net
           key_manager = KeyManager.new(logger, options)
           keys.each { |key| key_manager.add(key) } unless keys.empty?
           keycerts.each { |keycert| key_manager.add_keycert(keycert) } unless keycerts.empty?
+          keycert_data.each { |data| key_manager.add_keycert_data(data) } unless keycert_data.empty?
           key_data.each { |key2| key_manager.add_key_data(key2) } unless key_data.empty?
           default_keys.each { |key| key_manager.add(key) } unless options.key?(:keys) || options.key?(:key_data)
 
@@ -154,6 +155,12 @@ module Net
           Array(options[:keycerts])
         end
 
+        # Returns an array of the keycert data that should be used when
+        # attempting any key-based authentication mechanism.
+        def keycert_data
+          Array(options[:keycert_data])
+        end
+
         # Returns an array of the key data that should be used when
         # attempting any key-based authentication mechanism.
         def key_data

data/lib/net/ssh/buffered_io.rb

@@ -61,7 +61,7 @@ module Net
       # if no data was available to be read.
       def fill(n = 8192)
         input.consume!
-        data = recv(n)
+        data = recv(n) || ""
         debug { "read #{data.length} bytes" }
         input.append(data)
         return data.length

data/lib/net/ssh/known_hosts.rb

@@ -1,6 +1,5 @@
 require 'strscan'
 require 'openssl'
-require 'base64'
 require 'delegate'
 require 'net/ssh/buffer'
 require 'net/ssh/authentication/ed25519_loader'
@@ -241,11 +240,11 @@ module Net
       def known_host_hash?(hostlist, entries)
         if hostlist.size == 1 && hostlist.first =~ /\A\|1(\|.+){2}\z/
           chunks = hostlist.first.split(/\|/)
-          salt = Base64.decode64(chunks[2])
+          salt = chunks[2].unpack1("m")
           digest = OpenSSL::Digest.new('sha1')
           entries.each do |entry|
             hmac = OpenSSL::HMAC.digest(digest, salt, entry)
-            return true if Base64.encode64(hmac).chomp == chunks[3]
+            return true if [hmac].pack("m").chomp == chunks[3]
           end
         end
         false

data/lib/net/ssh/transport/aes128_gcm.rb

@@ -0,0 +1,40 @@
+require 'net/ssh/transport/hmac/abstract'
+require 'net/ssh/transport/gcm_cipher'
+
+module Net::SSH::Transport
+  ## Implements the aes128-gcm@openssh cipher
+  class AES128_GCM
+    extend ::Net::SSH::Transport::GCMCipher
+
+    ## Implicit HMAC, do need to do anything
+    class ImplicitHMac < ::Net::SSH::Transport::HMAC::Abstract
+      def aead
+        true
+      end
+
+      def key_length
+        16
+      end
+    end
+
+    def implicit_mac
+      ImplicitHMac.new
+    end
+
+    def algo_name
+      'aes-128-gcm'
+    end
+
+    def name
+      'aes128-gcm@openssh.com'
+    end
+
+    #
+    # --- RFC 5647 ---
+    # K_LEN       AES key length                   16 octets
+    #
+    def self.key_length
+      16
+    end
+  end
+end

data/lib/net/ssh/transport/aes256_gcm.rb

@@ -0,0 +1,40 @@
+require 'net/ssh/transport/hmac/abstract'
+require 'net/ssh/transport/gcm_cipher'
+
+module Net::SSH::Transport
+  ## Implements the aes256-gcm@openssh cipher
+  class AES256_GCM
+    extend ::Net::SSH::Transport::GCMCipher
+
+    ## Implicit HMAC, do need to do anything
+    class ImplicitHMac < ::Net::SSH::Transport::HMAC::Abstract
+      def aead
+        true
+      end
+
+      def key_length
+        32
+      end
+    end
+
+    def implicit_mac
+      ImplicitHMac.new
+    end
+
+    def algo_name
+      'aes-256-gcm'
+    end
+
+    def name
+      'aes256-gcm@openssh.com'
+    end
+
+    #
+    # --- RFC 5647 ---
+    # K_LEN       AES key length                   32 octets
+    #
+    def self.key_length
+      32
+    end
+  end
+end