net-ssh 3.3.0.beta1 → 4.0.0.alpha1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b4ac524bacb278642fe098d34f8f85d1a4f0579f
-  data.tar.gz: b6725236e2cae6de59f5994602cf3ead0c39bd8d
+  metadata.gz: 0844171c8c635cf6a3507e82ea80755ba3f62907
+  data.tar.gz: 695c5873e12985df1085af7de53c9953415dfd16
 SHA512:
-  metadata.gz: d3e76a59cde72ff7dba71135482a0409b295e6b624a5b7c870bb8fd87d55af9c3cc446237dd8ffa3e53da453fbda52e3d96979e83d032c22177b7dfb62ebeca2
-  data.tar.gz: adcd1157982585d306d5bed0fcf5b64e9c001674d511054b683a4fee1ac0a75aa023fb462ff02f335570717fc6d011dc14bd6bc7273d2b2cf80437909f7d88f4
+  metadata.gz: d12f8d882dc07599c08f5ca9824ecf631faee841a6bc53f6e4bd16141061208b560cc128a844652dbdd9beaf3720f986b05a5aa4eeed31ac3c75990c440225ab
+  data.tar.gz: c3307431b05c1107f98046b7347bd915d468da7ffa5c18f68b471153cb416e0003709b8ed4da418a4c2ce73e22124db1d3208848e25b1c05722adc2b63ed6b56

data/.travis.yml

@@ -7,8 +7,9 @@ rvm:
   - 2.3.0
   - jruby-head
   - jruby-19mode
+  - rbx-2
 
-install: gem install test-unit mocha
+install: bundle install
 
 script: rake test
 

data/CHANGES.txt

@@ -1,20 +1,7 @@
-=== 3.3.0 beta 1
+=== 4.0.0.alpha1
 
-* UTF-8 buffer building encoding fixes [Ethan J. Brown, #434]
-
-=== 3.2.1 beta 1
-
-* Fix pageant/windows [Elconas, #385]
-
-=== 3.2.0
-
-* Added agent_socket_factory option [Alon Goldboim]
-* Send KEXINIT asap don't wait for server [Miklos Fazekas]
-* Close channels in case server closed connection [Miklos Fazekas]
-
-=== 3.1.1
-
-* added missing etc require
+* ed25519 key support [Miklos Fazekas]
+* removed camellia [Miklos Fazekas]
 
 === 3.1.0
 === 3.1.0.rc1

data/Gemfile

@@ -0,0 +1,17 @@
+source 'https://rubygems.org'
+
+# Note: this is run at package time not install time so if you are
+# running on jruby, you need to install jruby-pageant manually.
+gem 'jruby-pageant', ">=1.1.1" if RUBY_PLATFORM == "java"
+
+gem 'rbnacl-libsodium', ">=1.0.2"
+gem 'rbnacl', ">=3.1.2"
+gem 'bcrypt_pbkdf', '1.0.0.alpha1' unless RUBY_PLATFORM == "java"
+
+
+group :development do
+  gem 'rake'
+  gem 'test-unit', ">= 0.8.5"
+  gem 'mocha'
+  gem 'jeweler'
+end

data/README.rdoc

@@ -1,4 +1,4 @@
-= Net::SSH 3.x
+= Net::SSH 4.x
 
 <em><b>Please note: this project is in maintenance mode. It is not under active development but pull requests are very much welcome. Just be sure to include tests! -- delano</b></em>
 

data/Rakefile

@@ -32,15 +32,7 @@ begin
     s.authors = ["Jamis Buck", "Delano Mandelbaum", "Miklós Fazekas"]
     s.required_ruby_version = '>= 2.0'
 
-    # Note: this is run at package time not install time so if you are
-    # running on jruby, you need to install jruby-pageant manually.
-    if RUBY_PLATFORM == "java"
-      s.add_dependency 'jruby-pageant', ">=1.1.1"
-    end
-
-    s.add_development_dependency 'test-unit'
-    s.add_development_dependency 'mocha'
-
+    # dependencies defined in Gemfile
     s.license = "MIT"
 
     unless ENV['NET_SSH_NOKEY']
@@ -51,6 +43,21 @@ begin
         raise "No key found at #{signing_key} for signing, use rake <taskname> NET_SSH_NOKEY=1 to build without key" unless File.exist?(signing_key)
       end
     end
+    def s.to_ruby
+      # see https://github.com/technicalpickles/jeweler/issues/170
+      result = super
+      result = result.chomp("\n").split("\n").map do |line|
+        if line =~ /%q<bcrypt_pbkdf>/
+          line += ' unless RUBY_PLATFORM == "java"'
+        else
+          line
+        end
+      end.join("\n") << "\n"
+      fail "Unexpected gemspec:#{result.inspect}" unless result.chomp!("\nend\n")
+      result << "\n  s.add_dependency('jruby-pageant', ['>= 1.1.1']) if RUBY_PLATFORM == 'jruby'"
+      result << "\nend\n"
+      result
+    end
   end
   Jeweler::RubygemsDotOrgTasks.new
 rescue LoadError

data/lib/net/ssh.rb

@@ -3,7 +3,6 @@
 ENV['HOME'] ||= ENV['HOMEPATH'] ? "#{ENV['HOMEDRIVE']}#{ENV['HOMEPATH']}" : Dir.pwd
 
 require 'logger'
-require 'etc'
 
 require 'net/ssh/config'
 require 'net/ssh/errors'
@@ -70,7 +69,7 @@ module Net
       :known_hosts, :global_known_hosts_file, :user_known_hosts_file, :host_key_alias,
       :host_name, :user, :properties, :passphrase, :keys_only, :max_pkt_size,
       :max_win_size, :send_env, :use_agent, :number_of_password_prompts,
-      :append_supported_algorithms, :non_interactive, :agent_socket_factory
+      :append_supported_algorithms, :non_interactive
     ]
 
     # The standard means of starting a new SSH connection. When used with a
@@ -192,9 +191,6 @@ module Net
     #   password auth method
     # * :non_interactive => non interactive applications should set it to true
     #   to prefer failing a password/etc auth methods vs asking for password
-    # * :agent_socket_factory => enables the user to pass a lambda/block that will serve as the socket factory
-    #    Net::SSH::start(user,host,agent_socket_factory: ->{ UNIXSocket.open('/foo/bar') })
-    #    example: ->{ UNIXSocket.open('/foo/bar')}
     #
     # If +user+ parameter is nil it defaults to USER from ssh_config, or
     # local username

data/lib/net/ssh/authentication/agent/java_pageant.rb

@@ -19,7 +19,7 @@ module Net; module SSH; module Authentication
 
     # Instantiates a new agent object, connects to a running SSH agent,
     # negotiates the agent protocol version, and returns the agent object.
-    def self.connect(logger=nil, agent_socket_factory)
+    def self.connect(logger=nil)
       agent = new(logger)
       agent.connect!
       agent

data/lib/net/ssh/authentication/agent/socket.rb

@@ -42,9 +42,9 @@ module Net; module SSH; module Authentication
 
     # Instantiates a new agent object, connects to a running SSH agent,
     # negotiates the agent protocol version, and returns the agent object.
-    def self.connect(logger=nil, agent_socket_factory = nil)
+    def self.connect(logger=nil)
       agent = new(logger)
-      agent.connect!(agent_socket_factory)
+      agent.connect!
       agent.negotiate!
       agent
     end
@@ -59,10 +59,10 @@ module Net; module SSH; module Authentication
     # given by the attribute writers. If the agent on the other end of the
     # socket reports that it is an SSH2-compatible agent, this will fail
     # (it only supports the ssh-agent distributed by OpenSSH).
-    def connect!(agent_socket_factory = nil)
+    def connect!
       begin
         debug { "connecting to ssh-agent" }
-        @socket = agent_socket_factory.nil? ? socket_class.open(ENV['SSH_AUTH_SOCK']) : agent_socket_factory.call
+        @socket = agent_socket_factory.open(ENV['SSH_AUTH_SOCK'])
       rescue
         error { "could not connect to ssh-agent" }
         raise AgentNotAvailable, $!.message
@@ -132,7 +132,7 @@ module Net; module SSH; module Authentication
     private
 
     # Returns the agent socket factory to use.
-    def socket_class
+    def agent_socket_factory
       if Net::SSH::Authentication::PLATFORM == :win32
         Pageant::Socket
       else

data/lib/net/ssh/authentication/ed25519.rb

@@ -0,0 +1,140 @@
+gem 'rbnacl-libsodium'
+gem 'rbnacl'
+
+require 'rbnacl/libsodium'
+require 'rbnacl'
+require 'rbnacl/signatures/ed25519/verify_key'
+require 'rbnacl/signatures/ed25519/signing_key'
+
+require 'rbnacl/hash'
+
+require 'base64'
+
+require 'net/ssh/transport/cipher_factory'
+require 'bcrypt_pbkdf' unless RUBY_PLATFORM == "java"
+
+module RbNaCl
+  module Signatures
+    module Ed25519
+      class SigningKeyFromFile < SigningKey
+        def initialize(pk,sk)
+          @signing_key = sk
+          @verify_key = VerifyKey.new(pk)
+        end
+      end
+    end
+  end
+end
+
+module ED25519
+  class PubKey
+    def initialize(data)
+      @verify_key = RbNaCl::Signatures::Ed25519::VerifyKey.new(data)
+    end
+
+    def self.read_keyblob(buffer)
+      PubKey.new(buffer.read_string)
+    end
+
+    def to_blob
+      Net::SSH::Buffer.from(:string,"ssh-ed25519",:string,@verify_key.to_bytes).to_s
+    end
+
+    def ssh_type
+      "ssh-ed25519"
+    end
+
+    def ssh_do_verify(sig,data)
+      @verify_key.verify(sig,data)
+    end
+
+    def to_pem
+      # TODO this is not pem
+      ssh_type + Base64.encode64(@verify_key.to_bytes)
+    end
+
+    def fingerprint
+      @fingerprint ||= OpenSSL::Digest::MD5.hexdigest(to_blob).scan(/../).join(":")
+    end
+  end
+
+  class PrivKey
+    CipherFactory = Net::SSH::Transport::CipherFactory
+
+    MBEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----\n"
+    MEND = "-----END OPENSSH PRIVATE KEY-----\n"
+    MAGIC = "openssh-key-v1"
+
+    def initialize(datafull,password)
+      raise ArgumentError.new("Expected #{MBEGIN} at start of private key") unless datafull.start_with?(MBEGIN)
+      raise ArgumentError.new("Expected #{MEND} at end of private key") unless datafull.end_with?(MEND)
+      datab64 = datafull[MBEGIN.size ... -MEND.size]
+      data = Base64.decode64(datab64)
+      raise ArgumentError.new("Expected #{MAGIC} at start of decoded private key") unless data.start_with?(MAGIC)
+      buffer = Net::SSH::Buffer.new(data[MAGIC.size+1 .. -1])
+
+      ciphername = buffer.read_string
+      raise ArgumentError.new("#{ciphername} in private key is not supported") unless
+        CipherFactory.supported?(ciphername)
+
+      kdfname = buffer.read_string
+      raise ArgumentError.new("Expected #{kdfname} to be or none or bcrypt") unless %w(none bcrypt).include?(kdfname)
+
+      kdfopts = Net::SSH::Buffer.new(buffer.read_string)
+      num_keys = buffer.read_long
+      raise ArgumentError.new("Only 1 key is supported in ssh keys #{num_keys} was in private key") unless num_keys == 1
+      _pubkey = buffer.read_string
+
+      len = buffer.read_long
+
+      keylen, blocksize, ivlen = CipherFactory.get_lengths(ciphername, iv_len: true)
+      raise ArgumentError.new("Private key len:#{len} is not a multiple of #{blocksize}") if 
+        ((len < blocksize) || ((blocksize > 0) && (len % blocksize) != 0))
+
+      if kdfname == 'bcrypt'
+        salt = kdfopts.read_string
+        rounds = kdfopts.read_long
+
+        raise "BCryptPbkdf is not implemented for jruby" if RUBY_PLATFORM == "java"
+        key = BCryptPbkdf::key(password, salt, keylen + ivlen, rounds)
+      else
+        key = '\x00' * (keylen + ivlen)
+      end
+
+      cipher = CipherFactory.get(ciphername, key: key[0...keylen], iv:key[keylen...keylen+ivlen], decrypt: true)
+
+      decoded = cipher.update(buffer.remainder_as_buffer.to_s)
+      decoded << cipher.final
+
+      decoded = Net::SSH::Buffer.new(decoded)
+      check1 = decoded.read_long
+      check2 = decoded.read_long
+
+      raise ArgumentError, "Decrypt failed on private key" if (check1 != check2)
+
+      _type_name = decoded.read_string
+      pk = decoded.read_string
+      sk = decoded.read_string
+      _comment = decoded.read_string
+
+      @pk = pk
+      @sign_key = RbNaCl::Signatures::Ed25519::SigningKeyFromFile.new(pk,sk)
+    end
+
+    def public_key
+      PubKey.new(@pk)
+    end
+
+    def ssh_do_sign(data)
+      @sign_key.sign(data)
+    end
+
+    def self.read(data,password)
+      self.new(data,password)
+    end
+
+    def self.read_keyblob(buffer)
+      ED25519::PubKey.read_keyblob(buffer)
+    end
+  end
+end

data/lib/net/ssh/authentication/key_manager.rb

@@ -147,7 +147,7 @@ module Net
 
           if info[:key]
             return Net::SSH::Buffer.from(:string, identity.ssh_type,
-              :mstring, info[:key].ssh_do_sign(data.to_s)).to_s
+              :string, info[:key].ssh_do_sign(data.to_s)).to_s
           end
 
           if info[:from] == :agent
@@ -176,7 +176,7 @@ module Net
         # or if the agent is otherwise not available.
         def agent
           return unless use_agent?
-          @agent ||= Agent.connect(logger, options[:agent_socket_factory])
+          @agent ||= Agent.connect(logger)
         rescue AgentNotAvailable
           @use_agent = false
           nil

data/lib/net/ssh/authentication/pageant.rb

@@ -254,7 +254,7 @@ module Net; module SSH; module Authentication
         Win.GetTokenInformation(token_handle,
                                 token_information_class,
                                 Win::NULL, 0, preturn_length)
-        ptoken_information = malloc_ptr(preturn_length.to_s(Win::SIZEOF_DWORD).unpack('L')[0])
+        ptoken_information = malloc_ptr(preturn_length.ptr.to_i)
 
         # This call is going to write the requested information to
         # the memory location referenced by token_information.

data/lib/net/ssh/buffer.rb

@@ -34,7 +34,6 @@ module Net; module SSH
     # * :long => write a 4-byte integer (#write_long)
     # * :byte => write a single byte (#write_byte)
     # * :string => write a 4-byte length followed by character data (#write_string)
-    # * :mstring => same as string, but caller cannot resuse the string, avoids potential duplication (#write_moved)
     # * :bool => write a single byte, interpreted as a boolean (#write_bool)
     # * :bignum => write an SSH-encoded bignum (#write_bignum)
     # * :key => write an SSH-encoded key value (#write_key)
@@ -183,7 +182,7 @@ module Net; module SSH
       consume!
       data
     end
-
+      
     # Return the next 8 bytes as a 64-bit integer (in network byte order).
     # Returns nil if there are less than 8 bytes remaining to be read in the
     # buffer.
@@ -256,6 +255,9 @@ module Net; module SSH
           key.e = read_bignum
           key.n = read_bignum
 
+        when /^ssh-ed25519$/
+          key = ED25519::PubKey.read_keyblob(self)
+
         when /^ecdsa\-sha2\-(\w*)$/
           unless defined?(OpenSSL::PKey::EC)
             raise NotImplementedError, "unsupported key type `#{type}'"
@@ -282,14 +284,7 @@ module Net; module SSH
     # Writes the given data literally into the string. Does not alter the
     # read position. Returns the buffer object.
     def write(*data)
-      data.each { |datum| @content << datum.dup.force_encoding('BINARY') }
-      self
-    end
-
-    # Optimized version of write where the caller gives up ownership of string
-    # to the method. This way we can mutate the string.
-    def write_moved(string)
-      @content << string.force_encoding('BINARY')
+      data.each { |datum| @content << datum }
       self
     end
 
@@ -332,19 +327,6 @@ module Net; module SSH
       self
     end
 
-    # Writes each argument to the buffer as an SSH2-encoded string. Each
-    # string is prefixed by its length, encoded as a 4-byte long integer.
-    # Does not alter the read position. Returns the buffer object.
-    # Might alter arguments see write_moved
-    def write_mstring(*text)
-      text.each do |string|
-        s = string.to_s
-        write_long(s.bytesize)
-        write_moved(s)
-      end
-      self
-    end
-
     # Writes each argument to the buffer as a (C-style) boolean, with 1
     # meaning true, and 0 meaning false. Does not alter the read position.
     # Returns the buffer object.

data/lib/net/ssh/connection/session.rb

@@ -210,9 +210,6 @@ module Net; module SSH; module Connection
       readers, writers, = Net::SSH::Compat.io_select(r, w, nil, io_select_wait(wait))
 
       postprocess(readers, writers)
-    rescue
-      force_channel_cleanup_on_close if closed?
-      raise
     end
 
     # This is called internally as part of #process. It dispatches any
@@ -368,7 +365,6 @@ module Net; module SSH; module Connection
       channel.wait
 
       channel[:result] ||= "" unless block
-      channel[:result] &&= channel[:result].force_encoding("UTF-8") unless block
 
       return channel[:result]
     end
@@ -460,9 +456,9 @@ module Net; module SSH; module Connection
     end
 
     def cleanup_channel(channel)
-        if channel.local_closed? and channel.remote_closed?
-          info { "#{host} delete channel #{channel.local_id} which closed locally and remotely" }
-          channels.delete(channel.local_id)
+      if channel.local_closed? and channel.remote_closed?
+        info { "#{host} delete channel #{channel.local_id} which closed locally and remotely" }
+        channels.delete(channel.local_id)
       end
     end
 
@@ -479,9 +475,6 @@ module Net; module SSH; module Connection
 
           send(MAP[packet.type], packet)
         end
-      rescue
-        force_channel_cleanup_on_close if closed?
-        raise
       end
 
       # Returns the next available channel id to be assigned, and increments
@@ -490,16 +483,6 @@ module Net; module SSH; module Connection
         @channel_id_counter += 1
       end
 
-      def force_channel_cleanup_on_close
-        channels.each do |id, channel|
-          channel.remote_closed!
-          channel.close
-
-          cleanup_channel(channel)
-          channel.do_close
-        end
-      end
-
       # Invoked when a global request is received. The registered global
       # request callback will be invoked, if one exists, and the necessary
       # reply returned.