orthrus-ssh 0.5.0

data/.autotest

@@ -0,0 +1,23 @@
+# -*- ruby -*-
+
+require 'autotest/restart'
+
+# Autotest.add_hook :initialize do |at|
+#   at.extra_files << "../some/external/dependency.rb"
+#
+#   at.libs << ":../some/external"
+#
+#   at.add_exception 'vendor'
+#
+#   at.add_mapping(/dependency.rb/) do |f, _|
+#     at.files_matching(/test_.*rb$/)
+#   end
+#
+#   %w(TestA TestB).each do |klass|
+#     at.extra_class_map[klass] = "test/test_misc.rb"
+#   end
+# end
+
+# Autotest.add_hook :run_command do |at|
+#   system "rake build"
+# end

data/History.txt

@@ -0,0 +1,6 @@
+=== 1.0.0 / 2012-03-18
+
+* 1 major enhancement
+
+  * Birthday!
+

data/Manifest.txt

@@ -0,0 +1,31 @@
+.autotest
+History.txt
+Manifest.txt
+README.txt
+Rakefile
+bin/orthrus
+lib/orthrus.rb
+lib/orthrus/key.rb
+lib/orthrus/key_holder.rb
+lib/orthrus/ssh.rb
+lib/orthrus/ssh/agent.rb
+lib/orthrus/ssh/buffer.rb
+lib/orthrus/ssh/dsa.rb
+lib/orthrus/ssh/http_agent.rb
+lib/orthrus/ssh/key.rb
+lib/orthrus/ssh/public_key_set.rb
+lib/orthrus/ssh/rack_app.rb
+lib/orthrus/ssh/rsa.rb
+lib/orthrus/ssh/utils.rb
+test/data/authorized_keys
+test/data/id_dsa
+test/data/id_dsa.pub
+test/data/id_rsa
+test/data/id_rsa.pub
+test/sessions.rb
+test/test_orthrus_ssh_agent.rb
+test/test_orthrus_ssh_dsa.rb
+test/test_orthrus_ssh_http_agent.rb
+test/test_orthrus_ssh_public_key_set.rb
+test/test_orthrus_ssh_rackapp.rb
+test/test_orthrus_ssh_rsa.rb

data/README.txt

@@ -0,0 +1,61 @@
+= orthrus-ssh
+
+* http://github.com/evanphx/orthrus
+
+== DESCRIPTION:
+
+A user authentication system built on SSH's key
+
+== FEATURES/PROBLEMS:
+
+* Uses ssh keys to authenticate users
+* Can use the ssh-agent for added security
+* Includes HTTPAgent and sample RackApp
+
+== SYNOPSIS:
+
+  agent = Orthrus::SSH::HTTPAgent.new url
+  h.start user
+  p h.access_token
+
+== REQUIREMENTS:
+
+* OpenSSL
+
+== INSTALL:
+
+* gem install orthrus
+
+== DEVELOPERS:
+
+After checking out the source, run:
+
+  $ rake newb
+
+This task will install any missing dependencies, run the tests/specs,
+and generate the RDoc.
+
+== LICENSE:
+
+(The MIT License)
+
+Copyright (c) 2012 FIX
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+'Software'), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,12 @@
+# -*- ruby -*-
+
+require 'rubygems'
+require 'hoe'
+
+ Hoe.plugin :minitest
+
+Hoe.spec 'orthrus-ssh' do
+  developer('Evan Phoenix', 'evan@phx.io')
+end
+
+# vim: syntax=ruby

data/bin/orthrus

@@ -0,0 +1,16 @@
+#!/usr/bin/env ruby
+
+case cmd = ARGV.shift
+when "ids"
+  require 'orthrus/ssh/agent'
+
+  agent = Orthrus::SSH::Agent.connect
+
+  puts "Agent identities:"
+  agent.identities.each do |i|
+    puts "#{i.type}: #{i.fingerprint}"
+  end
+
+else
+  abort "Unsupported option - #{cmd}"
+end

data/lib/orthrus.rb

@@ -0,0 +1,2 @@
+class Orthrus
+end

data/lib/orthrus/key.rb

@@ -0,0 +1,12 @@
+require 'openssl'
+
+module Orthrus
+
+  CURVE = "secp224k1"
+
+  class Key
+    def self.new_pair
+
+    end
+  end
+end

data/lib/orthrus/key_holder.rb

@@ -0,0 +1,15 @@
+module Orthrus
+  class KeyHolder
+    def initialize
+      @keys = {}
+    end
+
+    def add_key(name, key)
+      @keys[name] = key
+    end
+
+    def key(name)
+      @keys[name]
+    end
+  end
+end

data/lib/orthrus/ssh.rb

@@ -0,0 +1,50 @@
+require 'openssl'
+
+module Orthrus; end
+
+require 'orthrus/ssh/rsa'
+require 'orthrus/ssh/dsa'
+require 'orthrus/ssh/utils'
+
+module Orthrus::SSH
+  VERSION = '0.5.0'
+
+  def self.load_private(path)
+    data = File.read(path)
+    if data.index("-----BEGIN RSA PRIVATE KEY-----") == 0
+      k = OpenSSL::PKey::RSA.new data
+      return RSAPrivateKey.new k
+    elsif data.index("-----BEGIN DSA PRIVATE KEY-----") == 0
+      k = OpenSSL::PKey::DSA.new data
+      return DSAPrivateKey.new k
+    else
+      raise "Unknown key type in '#{path}'"
+    end
+  end
+
+  def self.parse_public(data)
+    type, key, comment = data.split " ", 3
+
+    case type
+    when "ssh-rsa"
+      RSAPublicKey.parse key
+    when "ssh-dss"
+      DSAPublicKey.parse key
+    else
+      raise "Unknown key type - #{type}"
+    end
+  end
+
+  def self.load_public(path)
+    parse_public File.read(path)
+  end
+
+end
+
+# For 1.8/1.9 compat
+class String
+  unless method_defined? :getbytpe
+    alias_method :getbyte, :[]
+  end
+end
+

data/lib/orthrus/ssh/agent.rb

@@ -0,0 +1,176 @@
+require 'orthrus/ssh'
+require 'orthrus/ssh/buffer'
+
+require 'socket'
+
+# Adapted from agent.rb in net-ssh
+
+module Orthrus::SSH
+  # A trivial exception class for representing agent-specific errors.
+  class AgentError < StandardError; end
+
+  # An exception for indicating that the SSH agent is not available.
+  class AgentNotAvailable < AgentError; end
+
+  # This class implements a simple client for the ssh-agent protocol. It
+  # does not implement any specific protocol, but instead copies the
+  # behavior of the ssh-agent functions in the OpenSSH library (3.8).
+  #
+  # This means that although it behaves like a SSH1 client, it also has
+  # some SSH2 functionality (like signing data).
+  class Agent
+    SSH2_AGENT_REQUEST_VERSION    = 1
+    SSH2_AGENT_REQUEST_IDENTITIES = 11
+    SSH2_AGENT_IDENTITIES_ANSWER  = 12
+    SSH2_AGENT_SIGN_REQUEST       = 13
+    SSH2_AGENT_SIGN_RESPONSE      = 14
+    SSH2_AGENT_FAILURE            = 30
+    SSH2_AGENT_VERSION_RESPONSE   = 103
+
+    SSH_COM_AGENT2_FAILURE        = 102
+
+    SSH_AGENT_REQUEST_RSA_IDENTITIES = 1
+    SSH_AGENT_RSA_IDENTITIES_ANSWER1 = 2
+    SSH_AGENT_RSA_IDENTITIES_ANSWER2 = 5
+    SSH_AGENT_FAILURE                = 5
+
+    # The underlying socket being used to communicate with the SSH agent.
+    attr_reader :socket
+
+    # Instantiates a new agent object, connects to a running SSH agent,
+    # negotiates the agent protocol version, and returns the agent object.
+    def self.connect
+      agent = new
+      agent.connect!
+      agent.negotiate!
+      agent
+    end
+
+    def self.available?
+      ENV.key?("SSH_AUTH_SOCK") && File.exists?(ENV['SSH_AUTH_SOCK'])
+    end
+
+    # Creates a new Agent object.
+    def initialize
+      @socket = nil
+    end
+
+    # Connect to the agent process using the socket factory and socket name
+    # given by the attribute writers. If the agent on the other end of the
+    # socket reports that it is an SSH2-compatible agent, this will fail
+    # (it only supports the ssh-agent distributed by OpenSSH).
+    def connect!
+      begin
+        @socket = UNIXSocket.open(ENV['SSH_AUTH_SOCK'])
+      rescue
+        raise AgentNotAvailable, $!.message
+      end
+    end
+
+    ID = "SSH-2.0-Ruby/Orthrus #{RUBY_PLATFORM}"
+
+    # Attempts to negotiate the SSH agent protocol version. Raises an error
+    # if the version could not be negotiated successfully.
+    def negotiate!
+      # determine what type of agent we're communicating with
+      type, body = send_and_wait(SSH2_AGENT_REQUEST_VERSION, :string, ID)
+
+      if type == SSH2_AGENT_VERSION_RESPONSE
+        raise NotImplementedError, "SSH2 agents are not yet supported"
+      elsif type != SSH_AGENT_RSA_IDENTITIES_ANSWER1 && type != SSH_AGENT_RSA_IDENTITIES_ANSWER2
+        raise AgentError, "unknown response from agent: #{type}, #{body.to_s.inspect}"
+      end
+    end
+
+    # Return an array of all identities (public keys) known to the agent.
+    # Each key returned is augmented with a +comment+ property which is set
+    # to the comment returned by the agent for that key.
+    def identities
+      type, body = send_and_wait(SSH2_AGENT_REQUEST_IDENTITIES)
+      raise AgentError, "could not get identity count" if agent_failed(type)
+      raise AgentError, "bad authentication reply: #{type}" if type != SSH2_AGENT_IDENTITIES_ANSWER
+
+      identities = []
+      body.read_long.times do
+        key = Buffer.new(body.read_string).read_key
+        case key
+        when OpenSSL::PKey::RSA
+          key = RSAPublicKey.new key
+        when OpenSSL::PKey::DSA
+          key = DSAPublicKey.new key
+        else
+          raise AgentError, "Unknown key type - #{key.class}"
+        end
+
+        key.comment = body.read_string
+        identities.push key
+      end
+
+      return identities
+    end
+
+    # Closes this socket. This agent reference is no longer able to
+    # query the agent.
+    def close
+      @socket.close
+    end
+
+    # Using the agent and the given public key, sign the given data. The
+    # signature is returned in SSH2 format.
+    def sign(key, data)
+      type, reply = send_and_wait(SSH2_AGENT_SIGN_REQUEST,
+                                  :string, Buffer.from(:key, key),
+                                  :string, data,
+                                  :long, 0)
+
+      if agent_failed(type)
+        raise AgentError, "agent could not sign data with requested identity"
+      elsif type != SSH2_AGENT_SIGN_RESPONSE
+        raise AgentError, "bad authentication response #{type}"
+      end
+
+      b = Buffer.new reply.read_string
+      [b.read_string, b.read_string]
+    end
+
+    def hexsign(key, data)
+      type, sig = sign key, data
+
+      [type, [sig].pack("m").gsub("\n","")]
+    end
+
+    private
+
+    # Send a new packet of the given type, with the associated data.
+    def send_packet(type, *args)
+      buffer = Buffer.from(*args)
+      data = [buffer.length + 1, type.to_i, buffer.to_s].pack("NCA*")
+      @socket.send data, 0
+    end
+
+    # Read the next packet from the agent. This will return a two-part
+    # tuple consisting of the packet type, and the packet's body (which
+    # is returned as a Net::SSH::Buffer).
+    def read_packet
+      buffer = Buffer.new @socket.read(4)
+      buffer.append @socket.read(buffer.read_long)
+      type = buffer.read_byte
+      return type, buffer
+    end
+
+    # Send the given packet and return the subsequent reply from the agent.
+    # (See #send_packet and #read_packet).
+    def send_and_wait(type, *args)
+      send_packet(type, *args)
+      read_packet
+    end
+
+    # Returns +true+ if the parameter indicates a "failure" response from
+    # the agent, and +false+ otherwise.
+    def agent_failed(type)
+      type == SSH_AGENT_FAILURE ||
+      type == SSH2_AGENT_FAILURE ||
+      type == SSH_COM_AGENT2_FAILURE
+    end
+  end
+end

data/lib/orthrus/ssh/buffer.rb

@@ -0,0 +1,343 @@
+require 'openssl'
+
+require 'orthrus/ssh/utils'
+
+# Adapted from buffer.rb in net-ssh
+
+module Orthrus::SSH
+
+  # Net::SSH::Buffer is a flexible class for building and parsing binary
+  # data packets. It provides a stream-like interface for sequentially
+  # reading data items from the buffer, as well as a useful helper method
+  # for building binary packets given a signature.
+  #
+  # Writing to a buffer always appends to the end, regardless of where the
+  # read cursor is. Reading, on the other hand, always begins at the first
+  # byte of the buffer and increments the read cursor, with subsequent reads
+  # taking up where the last left off.
+  #
+  # As a consumer of the Net::SSH library, you will rarely come into contact
+  # with these buffer objects directly, but it could happen. Also, if you
+  # are ever implementing a protocol on top of SSH (e.g. SFTP), this buffer
+  # class can be quite handy.
+  class Buffer
+    # This is a convenience method for creating and populating a new buffer
+    # from a single command. The arguments must be even in length, with the
+    # first of each pair of arguments being a symbol naming the type of the
+    # data that follows. If the type is :raw, the value is written directly
+    # to the hash.
+    #
+    #   b = Buffer.from(:byte, 1, :string, "hello", :raw, "\1\2\3\4")
+    #   #-> "\1\0\0\0\5hello\1\2\3\4"
+    #
+    # The supported data types are:
+    #
+    # * :raw => write the next value verbatim (#write)
+    # * :int64 => write an 8-byte integer (#write_int64)
+    # * :long => write a 4-byte integer (#write_long)
+    # * :byte => write a single byte (#write_byte)
+    # * :string => write a 4-byte length followed by character data (#write_string)
+    # * :bool => write a single byte, interpreted as a boolean (#write_bool)
+    # * :bignum => write an SSH-encoded bignum (#write_bignum)
+    # * :key => write an SSH-encoded key value (#write_key)
+    #
+    # Any of these, except for :raw, accepts an Array argument, to make it
+    # easier to write multiple values of the same type in a briefer manner.
+    def self.from(*args)
+      raise ArgumentError, "odd number of arguments given" unless args.length % 2 == 0
+
+      buffer = new
+      0.step(args.length-1, 2) do |index|
+        type = args[index]
+        value = args[index+1]
+        if type == :raw
+          buffer.append(value.to_s)
+        elsif Array === value
+          buffer.send("write_#{type}", *value)
+        else
+          buffer.send("write_#{type}", value)
+        end
+      end
+
+      buffer
+    end
+
+    # exposes the raw content of the buffer
+    attr_reader :content
+
+    # the current position of the pointer in the buffer
+    attr_accessor :position
+
+    # Creates a new buffer, initialized to the given content. The position
+    # is initialized to the beginning of the buffer.
+    def initialize(content="")
+      @content = content.to_s
+      @position = 0
+    end
+
+    # Returns the length of the buffer's content.
+    def length
+      @content.length
+    end
+
+    # Returns the number of bytes available to be read (e.g., how many bytes
+    # remain between the current position and the end of the buffer).
+    def available
+      length - position
+    end
+
+    # Returns a copy of the buffer's content.
+    def to_s
+      (@content || "").dup
+    end
+
+    # Compares the contents of the two buffers, returning +true+ only if they
+    # are identical in size and content.
+    def ==(buffer)
+      to_s == buffer.to_s
+    end
+
+    # Returns +true+ if the buffer contains no data (e.g., it is of zero length).
+    def empty?
+      @content.empty?
+    end
+
+    # Resets the pointer to the start of the buffer. Subsequent reads will
+    # begin at position 0.
+    def reset!
+      @position = 0
+    end
+
+    # Returns true if the pointer is at the end of the buffer. Subsequent
+    # reads will return nil, in this case.
+    def eof?
+      @position >= length
+    end
+
+    # Resets the buffer, making it empty. Also, resets the read position to
+    # 0.
+    def clear!
+      @content = ""
+      @position = 0
+    end
+
+    # Consumes n bytes from the buffer, where n is the current position
+    # unless otherwise specified. This is useful for removing data from the
+    # buffer that has previously been read, when you are expecting more data
+    # to be appended. It helps to keep the size of buffers down when they
+    # would otherwise tend to grow without bound.
+    #
+    # Returns the buffer object itself.
+    def consume!(n=position)
+      if n >= length
+        # optimize for a fairly common case
+        clear!
+      elsif n > 0
+        @content = @content[n..-1] || ""
+        @position -= n
+        @position = 0 if @position < 0
+      end
+      self
+    end
+
+    # Appends the given text to the end of the buffer. Does not alter the
+    # read position. Returns the buffer object itself.
+    def append(text)
+      @content << text
+      self
+    end
+
+    # Returns all text from the current pointer to the end of the buffer as
+    # a new Net::SSH::Buffer object.
+    def remainder_as_buffer
+      Buffer.new(@content[@position..-1])
+    end
+
+    # Reads all data up to and including the given pattern, which may be a
+    # String, Fixnum, or Regexp and is interpreted exactly as String#index
+    # does. Returns nil if nothing matches. Increments the position to point
+    # immediately after the pattern, if it does match. Returns all data up to
+    # and including the text that matched the pattern.
+    def read_to(pattern)
+      index = @content.index(pattern, @position) or return nil
+      length = case pattern
+        when String then pattern.length
+        when Fixnum then 1
+        when Regexp then $&.length
+      end
+      index && read(index+length)
+    end
+
+    # Reads and returns the next +count+ bytes from the buffer, starting from
+    # the read position. If +count+ is +nil+, this will return all remaining
+    # text in the buffer. This method will increment the pointer.
+    def read(count=nil)
+      count ||= length
+      count = length - @position if @position + count > length
+      @position += count
+      @content[@position-count, count]
+    end
+
+    # Reads (as #read) and returns the given number of bytes from the buffer,
+    # and then consumes (as #consume!) all data up to the new read position.
+    def read!(count=nil)
+      data = read(count)
+      consume!
+      data
+    end
+      
+    # Return the next 8 bytes as a 64-bit integer (in network byte order).
+    # Returns nil if there are less than 8 bytes remaining to be read in the
+    # buffer.
+    def read_int64
+      hi = read_long or return nil
+      lo = read_long or return nil
+      return (hi << 32) + lo
+    end
+
+    # Return the next four bytes as a long integer (in network byte order).
+    # Returns nil if there are less than 4 bytes remaining to be read in the
+    # buffer.
+    def read_long
+      b = read(4) or return nil
+      b.unpack("N").first
+    end
+
+    # Read and return the next byte in the buffer. Returns nil if called at
+    # the end of the buffer.
+    def read_byte
+      b = read(1) or return nil
+      b.getbyte(0)
+    end
+
+    # Read and return an SSH2-encoded string. The string starts with a long
+    # integer that describes the number of bytes remaining in the string.
+    # Returns nil if there are not enough bytes to satisfy the request.
+    def read_string
+      length = read_long or return nil
+      read(length)
+    end
+
+    # Read a single byte and convert it into a boolean, using 'C' rules
+    # (i.e., zero is false, non-zero is true).
+    def read_bool
+      b = read_byte or return nil
+      b != 0
+    end
+
+    # Read a bignum (OpenSSL::BN) from the buffer, in SSH2 format. It is
+    # essentially just a string, which is reinterpreted to be a bignum in
+    # binary format.
+    def read_bignum
+      data = read_string
+      return unless data
+      OpenSSL::BN.new(data, 2)
+    end
+
+    # Read a key from the buffer. The key will start with a string
+    # describing its type. The remainder of the key is defined by the
+    # type that was read.
+    def read_key
+      type = read_string
+      return (type ? read_keyblob(type) : nil)
+    end
+
+    # Read a keyblob of the given type from the buffer, and return it as
+    # a key. Only RSA and DSA keys are supported.
+    def read_keyblob(type)
+      case type
+        when "ssh-dss"
+          key = OpenSSL::PKey::DSA.new
+          key.p = read_bignum
+          key.q = read_bignum
+          key.g = read_bignum
+          key.pub_key = read_bignum
+
+        when "ssh-rsa"
+          key = OpenSSL::PKey::RSA.new
+          key.e = read_bignum
+          key.n = read_bignum
+
+        else
+          raise NotImplementedError, "unsupported key type `#{type}'"
+      end
+
+      return key
+    end
+
+    # Reads the next string from the buffer, and returns a new Buffer
+    # object that wraps it.
+    def read_buffer
+      Buffer.new(read_string)
+    end
+
+    # Writes the given data literally into the string. Does not alter the
+    # read position. Returns the buffer object.
+    def write(*data)
+      data.each { |datum| @content << datum }
+      self
+    end
+
+    # Writes each argument to the buffer as a network-byte-order-encoded
+    # 64-bit integer (8 bytes). Does not alter the read position. Returns the
+    # buffer object.
+    def write_int64(*n)
+      n.each do |i|
+        hi = (i >> 32) & 0xFFFFFFFF
+        lo = i & 0xFFFFFFFF
+        @content << [hi, lo].pack("N2")
+      end
+      self
+    end
+
+    # Writes each argument to the buffer as a network-byte-order-encoded
+    # long (4-byte) integer. Does not alter the read position. Returns the
+    # buffer object.
+    def write_long(*n)
+      @content << n.pack("N*")
+      self
+    end
+
+    # Writes each argument to the buffer as a byte. Does not alter the read
+    # position. Returns the buffer object.
+    def write_byte(*n)
+      n.each { |b| @content << b.chr }
+      self
+    end
+
+    # Writes each argument to the buffer as an SSH2-encoded string. Each
+    # string is prefixed by its length, encoded as a 4-byte long integer.
+    # Does not alter the read position. Returns the buffer object.
+    def write_string(*text)
+      text.each do |string|
+        s = string.to_s
+        write_long(s.length)
+        write(s)
+      end
+      self
+    end
+
+    # Writes each argument to the buffer as a (C-style) boolean, with 1
+    # meaning true, and 0 meaning false. Does not alter the read position.
+    # Returns the buffer object.
+    def write_bool(*b)
+      b.each { |v| @content << (v ? "\1" : "\0") }
+      self
+    end
+
+    # Writes each argument to the buffer as a bignum (SSH2-style). No
+    # checking is done to ensure that the arguments are, in fact, bignums.
+    # Does not alter the read position. Returns the buffer object.
+    def write_bignum(*n)
+      @content << n.map { |b| Utils.write_bignum(b) }.join
+      self
+    end
+
+    # Writes the given arguments to the buffer as SSH2-encoded keys. Does not
+    # alter the read position. Returns the buffer object.
+    def write_key(*key)
+      key.each { |k| append(k.public_identity(false)) }
+      self
+    end
+  end
+end