net-ssh 4.0.1 → 4.1.0.beta1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1b8b826d8c871af72b032997bce4a0c712535416
-  data.tar.gz: 9f595442bcd2630e658d90e03806c431e74b290d
+  metadata.gz: 3ddb17acb82519ed776b8253f91d7ce18fefdf51
+  data.tar.gz: 15b3ed1a09ac2284404592c7aa75258960acd0db
 SHA512:
-  metadata.gz: 6e580fe96e26173fed37ddf9b7900ef93d3865a8331c42c5f5cd195cb2fc81302a6552caa5fd11fccdd5e6d2941f3ba711b26061e51b25b2ddf298cf2e23079b
-  data.tar.gz: cc669fc72133df8552cdb6820ed0eebe5fc9d59c1c8874c2fb9bc3604e64760cc1734c6e6076e8232de66c74ce54d63a3f1e421ab6bef754fc47a457a4cb3521
+  metadata.gz: 929f76416e948641680d7355c1e86d8614799b6ed874de172111a1d66d0dcfe2b5ef715e4d4bf10c2bc3d8268e5ffcbd9b487544e00c802d3c5069549789cb48
+  data.tar.gz: 8fefcbc82dc35a448abe499a5656245c1d7c3959abea95e1629bbbe390bb7f73cd53bd3b0c96cc18e6d03f831c370ad0d4a1af9cc699e48f564621e5e52b3d07

data/CHANGES.txt

@@ -1,3 +1,8 @@
+=== 4.1.0.beta1
+
+ * Fix nil error when libsodium is not there [chapmajs ,#488]
+ * SSH certificate support for client auth [David Bartley, #485]
+
 === 4.0.1
 === 4.0.1.rc2
 

data/lib/net/ssh/authentication/agent.rb

@@ -29,20 +29,28 @@ module Net; module SSH; module Authentication
       attr_accessor :comment
     end
 
-    SSH2_AGENT_REQUEST_VERSION    = 1
-    SSH2_AGENT_REQUEST_IDENTITIES = 11
-    SSH2_AGENT_IDENTITIES_ANSWER  = 12
-    SSH2_AGENT_SIGN_REQUEST       = 13
-    SSH2_AGENT_SIGN_RESPONSE      = 14
-    SSH2_AGENT_FAILURE            = 30
-    SSH2_AGENT_VERSION_RESPONSE   = 103
+    SSH2_AGENT_REQUEST_VERSION       = 1
+    SSH2_AGENT_REQUEST_IDENTITIES    = 11
+    SSH2_AGENT_IDENTITIES_ANSWER     = 12
+    SSH2_AGENT_SIGN_REQUEST          = 13
+    SSH2_AGENT_SIGN_RESPONSE         = 14
+    SSH2_AGENT_ADD_IDENTITY          = 17
+    SSH2_AGENT_REMOVE_IDENTITY       = 18
+    SSH2_AGENT_REMOVE_ALL_IDENTITIES = 19
+    SSH2_AGENT_ADD_ID_CONSTRAINED    = 25
+    SSH2_AGENT_FAILURE               = 30
+    SSH2_AGENT_VERSION_RESPONSE      = 103
 
-    SSH_COM_AGENT2_FAILURE        = 102
+    SSH_COM_AGENT2_FAILURE = 102
 
     SSH_AGENT_REQUEST_RSA_IDENTITIES = 1
     SSH_AGENT_RSA_IDENTITIES_ANSWER1 = 2
     SSH_AGENT_RSA_IDENTITIES_ANSWER2 = 5
     SSH_AGENT_FAILURE                = 5
+    SSH_AGENT_SUCCESS                = 6
+
+    SSH_AGENT_CONSTRAIN_LIFETIME = 1
+    SSH_AGENT_CONSTRAIN_CONFIRM  = 2
 
     # The underlying socket being used to communicate with the SSH agent.
     attr_reader :socket
@@ -139,6 +147,37 @@ module Net; module SSH; module Authentication
       return reply.read_string
     end
 
+    # Adds the private key with comment to the agent.
+    # If lifetime is given, the key will automatically be removed after lifetime
+    # seconds.
+    # If confirm is true, confirmation will be required for each agent signing
+    # operation.
+    def add_identity(priv_key, comment, lifetime: nil, confirm: false)
+      constraints = Buffer.new
+      if lifetime
+        constraints.write_byte(SSH_AGENT_CONSTRAIN_LIFETIME)
+        constraints.write_long(lifetime)
+      end
+      constraints.write_byte(SSH_AGENT_CONSTRAIN_CONFIRM) if confirm
+
+      req_type = constraints.empty? ? SSH2_AGENT_ADD_IDENTITY : SSH2_AGENT_ADD_ID_CONSTRAINED
+      type, = send_and_wait(req_type, :string, priv_key.ssh_type, :raw, blob_for_add(priv_key),
+                            :string, comment, :raw, constraints)
+      raise AgentError, "could not add identity to agent" if type != SSH_AGENT_SUCCESS
+    end
+
+    # Removes key from the agent.
+    def remove_identity(key)
+      type, = send_and_wait(SSH2_AGENT_REMOVE_IDENTITY, :string, key.to_blob)
+      raise AgentError, "could not remove identity from agent" if type != SSH_AGENT_SUCCESS
+    end
+
+    # Removes all identities from the agent.
+    def remove_all_identities
+      type, = send_and_wait(SSH2_AGENT_REMOVE_ALL_IDENTITIES)
+      raise AgentError, "could not remove all identity from agent" if type != SSH_AGENT_SUCCESS
+    end
+
     private
 
     def unix_socket_class
@@ -178,6 +217,40 @@ module Net; module SSH; module Authentication
         type == SSH2_AGENT_FAILURE ||
         type == SSH_COM_AGENT2_FAILURE
     end
+
+    def blob_for_add(priv_key)
+      # Ideally we'd have something like `to_private_blob` on the various key types, but the
+      # nuances with encoding (e.g. `n` and `e` are reversed for RSA keys) make this impractical.
+      case priv_key.ssh_type
+      when /^ssh-dss$/
+        Net::SSH::Buffer.from(:bignum, priv_key.p, :bignum, priv_key.q, :bignum, priv_key.g,
+                              :bignum, priv_key.pub_key, :bignum, priv_key.priv_key).to_s
+      when /^ssh-dss-cert-v01@openssh\.com$/
+        Net::SSH::Buffer.from(:string, priv_key.to_blob, :bignum, priv_key.key.priv_key).to_s
+      when /^ecdsa\-sha2\-(\w*)$/
+        curve_name = OpenSSL::PKey::EC::CurveNameAliasInv[priv_key.group.curve_name]
+        Net::SSH::Buffer.from(:string, curve_name, :mstring, priv_key.public_key.to_bn.to_s(2),
+                              :bignum, priv_key.private_key).to_s
+      when /^ecdsa\-sha2\-(\w*)-cert-v01@openssh\.com$/
+        Net::SSH::Buffer.from(:string, priv_key.to_blob, :bignum, priv_key.key.private_key).to_s
+      when /^ssh-ed25519$/
+        Net::SSH::Buffer.from(:string, priv_key.public_key.verify_key.to_bytes,
+                              :string, priv_key.sign_key.keypair_bytes).to_s
+      when /^ssh-ed25519-cert-v01@openssh\.com$/
+        # Unlike the other certificate types, the public key is included after the certifiate.
+        Net::SSH::Buffer.from(:string, priv_key.to_blob,
+                              :string, priv_key.key.public_key.verify_key.to_bytes,
+                              :string, priv_key.key.sign_key.keypair_bytes).to_s
+      when /^ssh-rsa$/
+        # `n` and `e` are reversed compared to the ordering in `OpenSSL::PKey::RSA#to_blob`.
+        Net::SSH::Buffer.from(:bignum, priv_key.n, :bignum, priv_key.e, :bignum, priv_key.d,
+                              :bignum, priv_key.iqmp, :bignum, priv_key.p, :bignum, priv_key.q).to_s
+      when /^ssh-rsa-cert-v01@openssh\.com$/
+        Net::SSH::Buffer.from(:string, priv_key.to_blob, :bignum, priv_key.key.d,
+                              :bignum, priv_key.key.iqmp, :bignum, priv_key.key.p,
+                              :bignum, priv_key.key.q).to_s
+      end
+    end
   end
 
 end; end; end

data/lib/net/ssh/authentication/certificate.rb

@@ -0,0 +1,169 @@
+require 'securerandom'
+
+module Net; module SSH; module Authentication
+  # Class for representing an SSH certificate.
+  #
+  # http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/usr.bin/ssh/PROTOCOL.certkeys?rev=1.10&content-type=text/plain
+  class Certificate
+    attr_accessor :nonce
+    attr_accessor :key
+    attr_accessor :serial
+    attr_accessor :type
+    attr_accessor :key_id
+    attr_accessor :valid_principals
+    attr_accessor :valid_after
+    attr_accessor :valid_before
+    attr_accessor :critical_options
+    attr_accessor :extensions
+    attr_accessor :reserved
+    attr_accessor :signature_key
+    attr_accessor :signature
+
+    # Read a certificate blob associated with a key of the given type.
+    def self.read_certblob(buffer, type)
+      cert = Certificate.new
+      cert.nonce = buffer.read_string
+      cert.key = buffer.read_keyblob(type)
+      cert.serial = buffer.read_int64
+      cert.type = type_symbol(buffer.read_long)
+      cert.key_id = buffer.read_string
+      cert.valid_principals = buffer.read_buffer.read_all(&:read_string)
+      cert.valid_after = Time.at(buffer.read_int64)
+      cert.valid_before = Time.at(buffer.read_int64)
+      cert.critical_options = read_options(buffer)
+      cert.extensions = read_options(buffer)
+      cert.reserved = buffer.read_string
+      cert.signature_key = buffer.read_buffer.read_key
+      cert.signature = buffer.read_string
+      cert
+    end
+
+    def ssh_type
+      key.ssh_type + "-cert-v01@openssh.com"
+    end
+
+    def ssh_signature_type
+      key.ssh_type
+    end
+
+    # Serializes the certificate (and key).
+    def to_blob
+      Buffer.from(
+        :raw, to_blob_without_signature,
+        :string, signature
+      ).to_s
+    end
+
+    def ssh_do_sign(data)
+      key.ssh_do_sign(data)
+    end
+
+    def ssh_do_verify(sig, data)
+      key.ssh_do_verify(sig, data)
+    end
+
+    def to_pem
+      key.to_pem
+    end
+
+    def fingerprint
+      key.fingerprint
+    end
+
+    # Signs the certificate with key.
+    def sign!(key, sign_nonce=nil)
+      # ssh-keygen uses 32 bytes of nonce.
+      self.nonce = sign_nonce || SecureRandom.random_bytes(32)
+      self.signature_key = key
+      self.signature = Net::SSH::Buffer.from(
+        :string, key.ssh_signature_type,
+        :mstring, key.ssh_do_sign(to_blob_without_signature)
+      ).to_s
+      self
+    end
+
+    def sign(key, sign_nonce=nil)
+      cert = clone
+      cert.sign!(key, sign_nonce)
+    end
+
+    # Checks whether the certificate's signature was signed by signature key.
+    def signature_valid?
+      buffer = Buffer.new(signature)
+      buffer.read_string # skip signature format
+      signature_key.ssh_do_verify(buffer.read_string, to_blob_without_signature)
+    end
+
+    def self.read_options(buffer)
+      names = []
+      options = buffer.read_buffer.read_all do |b|
+        name = b.read_string
+        names << name
+        data = b.read_string
+        data = Buffer.new(data).read_string unless data.empty?
+        [name, data]
+      end
+
+      if names.sort != names
+        raise ArgumentError, "option/extension names must be in sorted order"
+      end
+
+      Hash[options]
+    end
+    private_class_method :read_options
+
+    def self.type_symbol(type)
+      types = {1 => :user, 2 => :host}
+      raise ArgumentError("unsupported type: #{type}") unless types.include?(type)
+      types.fetch(type)
+    end
+    private_class_method :type_symbol
+
+    private
+
+    def type_value(type)
+      types = {user: 1, host: 2}
+      raise ArgumentError("unsupported type: #{type}") unless types.include?(type)
+      types.fetch(type)
+    end
+
+    def ssh_time(t)
+      # Times in certificates are represented as a uint64.
+      [[t.to_i, 0].max, 2<<64 - 1].min
+    end
+
+    def to_blob_without_signature
+      Buffer.from(
+        :string, ssh_type,
+        :string, nonce,
+        :raw, key_without_type,
+        :int64, serial,
+        :long, type_value(type),
+        :string, key_id,
+        :string, valid_principals.inject(Buffer.new) { |acc, elem| acc.write_string(elem) }.to_s,
+        :int64, ssh_time(valid_after),
+        :int64, ssh_time(valid_before),
+        :string, options_to_blob(critical_options),
+        :string, options_to_blob(extensions),
+        :string, reserved,
+        :string, signature_key.to_blob
+      ).to_s
+    end
+
+    def key_without_type
+      # key.to_blob gives us e.g. "ssh-rsa,<key>" but we just want "<key>".
+      tmp = Buffer.new(key.to_blob)
+      tmp.read_string # skip the underlying key type
+      tmp.read
+    end
+
+    def options_to_blob(options)
+      options.keys.sort.inject(Buffer.new) do |b, name|
+        b.write_string(name)
+        data = options.fetch(name)
+        data = Buffer.from(:string, data).to_s unless data.empty?
+        b.write_string(data)
+      end.to_s
+    end
+  end
+end; end; end

data/lib/net/ssh/authentication/ed25519.rb

@@ -1,7 +1,11 @@
 gem 'rbnacl', '>= 3.2.0', '< 5.0'
 gem 'bcrypt_pbkdf', '~> 1.0' unless RUBY_PLATFORM == "java"
 
-require 'rbnacl/libsodium'
+begin
+  require 'rbnacl/libsodium'
+rescue LoadError # rubocop:disable Lint/HandleExceptions
+end
+
 require 'rbnacl'
 require 'rbnacl/signatures/ed25519/verify_key'
 require 'rbnacl/signatures/ed25519/signing_key'
@@ -23,6 +27,8 @@ module ED25519
   end
 
   class PubKey
+    attr_reader :verify_key
+
     def initialize(data)
       @verify_key = RbNaCl::Signatures::Ed25519::VerifyKey.new(data)
     end
@@ -39,6 +45,10 @@ module ED25519
       "ssh-ed25519"
     end
 
+    def ssh_signature_type
+      ssh_type
+    end
+
     def ssh_do_verify(sig,data)
       @verify_key.verify(sig,data)
     end
@@ -60,6 +70,8 @@ module ED25519
     MEND = "-----END OPENSSH PRIVATE KEY-----\n"
     MAGIC = "openssh-key-v1"
 
+    attr_reader :sign_key
+
     def initialize(datafull,password)
       raise ArgumentError.new("Expected #{MBEGIN} at start of private key") unless datafull.start_with?(MBEGIN)
       raise ArgumentError.new("Expected #{MEND} at end of private key") unless datafull.end_with?(MEND)
@@ -116,6 +128,18 @@ module ED25519
       @sign_key = SigningKeyFromFile.new(pk,sk)
     end
 
+    def to_blob
+      public_key.to_blob
+    end
+
+    def ssh_type
+      "ssh-ed25519"
+    end
+
+    def ssh_signature_type
+      ssh_type
+    end
+
     def public_key
       PubKey.new(@pk)
     end

data/lib/net/ssh/authentication/ed25519_loader.rb

@@ -14,7 +14,7 @@ rescue LoadError => e
 end
 
 def self.raiseUnlessLoaded(message)
-  description = dependenciesRequiredForED25519 if ERROR.is_a?(Gem::LoadError)
+  description = ERROR.is_a?(LoadError) ? dependenciesRequiredForED25519 : ''
   description << "#{ERROR.class} : \"#{ERROR.message}\"\n" if ERROR
   raise NotImplementedError, "#{message}\n#{description}" unless LOADED
 end

data/lib/net/ssh/authentication/key_manager.rb

@@ -146,7 +146,7 @@ module Net
           end
 
           if info[:key]
-            return Net::SSH::Buffer.from(:string, identity.ssh_type,
+            return Net::SSH::Buffer.from(:string, identity.ssh_signature_type,
               :mstring, info[:key].ssh_do_sign(data.to_s)).to_s
           end
 
@@ -189,8 +189,12 @@ module Net
           key_files.map do |file|
             if readable_file?(file)
               identity = {}
+              cert_file = file + "-cert.pub"
               public_key_file = file + ".pub"
-              if readable_file?(public_key_file)
+              if readable_file?(cert_file)
+                identity[:load_from] = :pubkey_file
+                identity[:pubkey_file] = cert_file
+              elsif readable_file?(public_key_file)
                 identity[:load_from] = :pubkey_file
                 identity[:pubkey_file] = public_key_file
               else

data/lib/net/ssh/buffer.rb

@@ -1,6 +1,7 @@
 require 'net/ssh/ruby_compat'
 require 'net/ssh/transport/openssl'
 
+require 'net/ssh/authentication/certificate'
 require 'net/ssh/authentication/ed25519_loader'
 
 module Net; module SSH
@@ -186,6 +187,11 @@ module Net; module SSH
       data
     end
 
+    # Calls block(self) until the buffer is empty, and returns all results.
+    def read_all(&block)
+      Enumerator.new { |e| e << yield(self) until eof? }.to_a
+    end
+
     # Return the next 8 bytes as a 64-bit integer (in network byte order).
     # Returns nil if there are less than 8 bytes remaining to be read in the
     # buffer.
@@ -246,7 +252,9 @@ module Net; module SSH
     # a key. Only RSA, DSA, and ECDSA keys are supported.
     def read_keyblob(type)
       case type
-        when /^ssh-dss(-cert-v01@openssh\.com)?$/
+        when /^(.*)-cert-v01@openssh\.com$/
+          key = Net::SSH::Authentication::Certificate.read_certblob(self, $1)
+        when /^ssh-dss$/
           key = OpenSSL::PKey::DSA.new
           if key.respond_to?(:set_pqg)
             key.set_pqg(read_bignum, read_bignum, read_bignum)
@@ -260,8 +268,7 @@ module Net; module SSH
           else
             key.pub_key = read_bignum
           end
-
-        when /^ssh-rsa(-cert-v01@openssh\.com)?$/
+        when /^ssh-rsa$/
           key = OpenSSL::PKey::RSA.new
           if key.respond_to?(:set_key)
             e = read_bignum

data/lib/net/ssh/key_factory.rb

@@ -93,7 +93,7 @@ module Net; module SSH
         blob = nil
         begin
           blob = fields.shift
-        end while !blob.nil? && !/^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp\d+)$/.match(blob)
+        end while !blob.nil? && !/^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp\d+)(-cert-v01@openssh\.com)?$/.match(blob)
         blob = fields.shift
 
         raise Net::SSH::Exception, "public key at #{filename} is not valid" if blob.nil?

data/lib/net/ssh/transport/algorithms.rb

@@ -263,7 +263,7 @@ module Net; module SSH; module Transport
           is_supported
         end
 
-        lwarn { "unsupported #{algorithm} algorithm: `#{unsupported}'" } unless unsupported.empty?
+        lwarn { %(unsupported algorithm: `#{unsupported}') } unless unsupported.empty?
 
         list
       end

data/lib/net/ssh/transport/openssl.rb

@@ -60,6 +60,10 @@ module OpenSSL
         "ssh-rsa"
       end
 
+      def ssh_signature_type
+        ssh_type
+      end
+
       # Converts the key to a blob, according to the SSH2 protocol.
       def to_blob
         @blob ||= Net::SSH::Buffer.from(:string, ssh_type, :bignum, e, :bignum, n).to_s
@@ -87,6 +91,10 @@ module OpenSSL
         "ssh-dss"
       end
 
+      def ssh_signature_type
+        ssh_type
+      end
+
       # Converts the key to a blob, according to the SSH2 protocol.
       def to_blob
         @blob ||= Net::SSH::Buffer.from(:string, ssh_type,
@@ -165,6 +173,10 @@ module OpenSSL
           "ecdsa-sha2-#{CurveNameAliasInv[self.group.curve_name]}"
         end
 
+        def ssh_signature_type
+          ssh_type
+        end
+
         def digester
           if self.group.curve_name =~ /^[a-z]+(\d+)\w*\z/
             curve_size = $1.to_i

data/lib/net/ssh/version.rb

@@ -48,14 +48,14 @@ module Net; module SSH
     MAJOR = 4
 
     # The minor component of this version of the Net::SSH library
-    MINOR = 0
+    MINOR = 1
 
     # The tiny component of this version of the Net::SSH library
-    TINY  = 1
+    TINY  = 0
 
     # The prerelease component of this version of the Net::SSH library
     # nil allowed
-    PRE   = nil
+    PRE   = "beta1"
 
     # The current version of the Net::SSH library as a Version instance
     CURRENT = new(*[MAJOR, MINOR, TINY, PRE].compact)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: net-ssh
 version: !ruby/object:Gem::Version
-  version: 4.0.1
+  version: 4.1.0.beta1
 platform: ruby
 authors:
 - Jamis Buck
@@ -32,7 +32,7 @@ cert_chain:
   L4d54WIy4HkZCqQXoTSiK5HZMIdXkPk3F1bZdJ8Dy1sMRru0rUkkM5mW7TQ75mfW
   Zp0QrZyNZhtitrXFbZneGRrIA/8G2Krft5Ly/A==
   -----END CERTIFICATE-----
-date: 2017-01-07 00:00:00.000000000 Z
+date: 2017-01-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   requirement: !ruby/object:Gem::Requirement
@@ -166,6 +166,7 @@ files:
 - appveyor.yml
 - lib/net/ssh.rb
 - lib/net/ssh/authentication/agent.rb
+- lib/net/ssh/authentication/certificate.rb
 - lib/net/ssh/authentication/constants.rb
 - lib/net/ssh/authentication/ed25519.rb
 - lib/net/ssh/authentication/ed25519_loader.rb
@@ -265,9 +266,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '2.0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project:
 rubygems_version: 2.6.8