orthrus-ssh 0.5.0

data/lib/orthrus/ssh/dsa.rb

@@ -0,0 +1,88 @@
+require 'orthrus/ssh/key'
+
+require 'orthrus/ssh/buffer'
+
+module Orthrus::SSH
+  module DSA
+    def initialize(k)
+      super k, OpenSSL::Digest::DSS1
+    end
+
+    def public_identity(base64=true)
+      b = Buffer.from :string, "ssh-dss",
+                      :bignum, @key.p,
+                      :bignum, @key.q,
+                      :bignum, @key.g,
+                      :bignum, @key.pub_key
+
+      d = b.to_s
+
+      return d unless base64
+
+      [d].pack("m").gsub("\n","")
+    end
+
+    def type
+      "ssh-dss"
+    end
+  end
+
+  class DSAPrivateKey < PrivateKey
+    include DSA
+
+    def sign(data)
+      sig = super data
+
+      a1sig = OpenSSL::ASN1.decode sig
+
+      sig_r = a1sig.value[0].value.to_s(2)
+      sig_s = a1sig.value[1].value.to_s(2)
+
+      if sig_r.length > 20 || sig_s.length > 20
+        raise OpenSSL::PKey::DSAError, "bad sig size"
+      end
+
+      sig_r = "\0" * ( 20 - sig_r.length ) + sig_r if sig_r.length < 20
+      sig_s = "\0" * ( 20 - sig_s.length ) + sig_s if sig_s.length < 20
+      return sig_r + sig_s
+    end
+  end
+
+  class DSAPublicKey < PublicKey
+    def self.parse(data)
+      raw = data.unpack("m").first
+
+      b = Buffer.new raw
+
+      type = b.read_string
+      unless type == "ssh-dss"
+        raise "Unvalid key data"
+      end
+
+      k = OpenSSL::PKey::DSA.new
+      k.p = b.read_bignum
+      k.q = b.read_bignum
+      k.g = b.read_bignum
+      k.pub_key = b.read_bignum
+
+      new k
+    end
+
+    include DSA
+
+    # Adapted from net-ssh
+    # Verifies the given signature matches the given data.
+    def verify(sig, data)
+      sig_r = sig[0,20].unpack("H*")[0].to_i(16)
+      sig_s = sig[20,20].unpack("H*")[0].to_i(16)
+
+      a1sig = OpenSSL::ASN1::Sequence([
+        OpenSSL::ASN1::Integer(sig_r),
+        OpenSSL::ASN1::Integer(sig_s)
+      ])
+
+      super a1sig.to_der, data
+    end
+  end
+
+end

data/lib/orthrus/ssh/http_agent.rb

@@ -0,0 +1,83 @@
+require 'orthrus/ssh'
+require 'orthrus/ssh/agent'
+
+require 'uri'
+
+require 'net/http'
+
+module Orthrus::SSH
+  class HTTPAgent
+    def initialize(url)
+      @url = url
+      @keys = []
+      @access_token = nil
+    end
+
+    attr_reader :access_token
+
+    def add_key(key)
+      @keys << Orthrus::SSH.load_private(key)
+    end
+
+    def check(user, k)
+      id = Rack::Utils.escape(k.public_identity)
+      user = Rack::Utils.escape(user)
+
+      url = @url + "?state=find&user=#{user}&id=#{id}"
+      response = Net::HTTP.get_response url
+      params = Rack::Utils.parse_query response.body
+
+      return nil unless params["code"] == "check"
+
+      [params['session_id'], params['nonce']]
+    end
+
+    def negotiate(k, sid, sig)
+      sig = Rack::Utils.escape sig
+
+      url = @url + "?state=signed&sig=#{sig}&session_id=#{sid}"
+
+      response = Net::HTTP.get_response url
+      params = Rack::Utils.parse_query response.body
+
+      if params['code'] == "verified"
+        return params['access_token']
+      end
+
+      return nil
+    end
+
+    def start(user)
+      @keys.each do |k|
+        sid, data = check(user, k)
+        next unless sid
+
+        sig = k.hexsign(data)
+
+        token = negotiate(k, sid, sig)
+        if token
+          @access_token = token
+          return
+        end
+      end
+
+      if Agent.available?
+        agent = Agent.connect
+        agent.identities.each do |k|
+          sid, data = check(user, k)
+          next unless sid
+
+          type, sig = agent.hexsign k, data
+
+          token = negotiate(k, sid, sig)
+          if token
+            @access_token = token
+            return
+          end
+        end
+      end
+
+      raise "Unable to find key to authenticate with"
+    end
+  end
+end

data/lib/orthrus/ssh/key.rb

@@ -0,0 +1,50 @@
+module Orthrus::SSH
+  class Key
+    def initialize(k, digest)
+      @key = k
+      @digest = digest
+      @comment = nil
+    end
+
+    attr_reader :key
+    attr_accessor :comment
+
+    def rsa?
+      @key.kind_of? OpenSSL::PKey::RSA
+    end
+
+    def dsa?
+      @key.kind_of? OpenSSL::PKey::DSA
+    end
+
+    def fingerprint
+      blob = public_identity(false)
+      OpenSSL::Digest::MD5.hexdigest(blob).scan(/../).join(":")
+    end
+
+    def inspect
+      "#<#{self.class} #{fingerprint}>"
+    end
+  end
+
+  class PrivateKey < Key
+    def sign(data)
+      @key.sign @digest.new, data
+    end
+
+    def hexsign(data)
+      [sign(data)].pack("m").gsub("\n","")
+    end
+  end
+
+  class PublicKey < Key
+    def verify(sign, data)
+      @key.verify @digest.new, sign, data
+    end
+
+    def hexverify(sign, data)
+      verify sign.unpack("m").first, data
+    end
+  end
+
+end

data/lib/orthrus/ssh/public_key_set.rb

@@ -0,0 +1,30 @@
+require 'orthrus/ssh'
+
+module Orthrus::SSH
+  class PublicKeySet
+    def self.load_file(path)
+      keys = {}
+
+      File.readlines(path).each do |x|
+        type, dig, comment = x.split(" ", 3)
+
+        keys[dig] = Orthrus::SSH.parse_public x
+      end
+
+      new keys
+    end
+
+    def initialize(keys)
+      @keys = keys
+    end
+
+    def find(dig)
+      @keys[dig]
+    end
+
+    def num_keys
+      @keys.size
+    end
+  end
+end
+

data/lib/orthrus/ssh/rack_app.rb

@@ -0,0 +1,62 @@
+require 'orthrus/ssh'
+require 'rack'
+
+module Orthrus::SSH
+  class RackApp
+    def initialize(sessions)
+      @sessions = sessions
+    end
+
+    attr_reader :sessions
+
+    def call(env)
+      req = Rack::Request.new(env)
+
+      case req.params['state']
+      when 'find'
+        find req
+      when 'signed'
+        verify req
+      else
+        [500, {}, ["unknown state"]]
+      end
+    end
+
+    def form(body)
+      [200,
+       { "Content-Type" => "application/x-www-form-urlencoded" },
+       [body]
+      ]
+    end
+
+    def find(req)
+      user = req.params['user']
+      id = req.params["id"]
+
+      unless pub = @sessions.find_key(user, id)
+        return form("code=unknown")
+      end
+
+      session, nonce = @sessions.new_session(user, pub)
+
+      nonce = Rack::Utils.escape Utils.sha1_hash(nonce)
+
+      form "code=check&session_id=#{session}&nonce=#{nonce}"
+    end
+
+    def verify(req)
+      id = req.params["session_id"].to_i
+      nonce, pub = @sessions.find_session(id)
+
+      nonce = Utils.sha1_hash(nonce)
+
+      sig = req.params['sig']
+
+      if pub.hexverify(sig, nonce)
+        form "code=verified&access_token=1"
+      else
+        form "code=fail"
+      end
+    end
+  end
+end

data/lib/orthrus/ssh/rsa.rb

@@ -0,0 +1,51 @@
+require 'orthrus/ssh/key'
+
+module Orthrus::SSH
+
+  module RSA
+    def initialize(k)
+      super k, OpenSSL::Digest::SHA1
+    end
+
+    def public_identity(base64=true)
+      b = Buffer.from :string, "ssh-rsa",
+                      :bignum, @key.e,
+                      :bignum, @key.n
+
+      d = b.to_s
+
+      return d unless base64
+
+      [d].pack("m").gsub("\n","")
+    end
+
+    def type
+      "ssh-rsa"
+    end
+  end
+
+  class RSAPrivateKey < PrivateKey
+    include RSA
+  end
+
+  class RSAPublicKey < PublicKey
+    def self.parse(data)
+      raw = data.unpack("m").first
+
+      b = Buffer.new raw
+
+      type = b.read_string
+      unless type == "ssh-rsa"
+        raise "Unvalid key data"
+      end
+
+      k = OpenSSL::PKey::RSA.new
+      k.e = b.read_bignum
+      k.n = b.read_bignum
+
+      new k
+    end
+
+    include RSA
+  end
+end

data/lib/orthrus/ssh/utils.rb

@@ -0,0 +1,26 @@
+module Orthrus::SSH
+  module Utils
+    def self.write_bignum(bn)
+      # Cribbed from net-ssh
+      if bn.zero?
+        return [0].pack("N")
+      else
+        buf = bn.to_s(2)
+        if buf[0][7] == 1
+          return [buf.length+1, 0, buf].pack("NCA*")
+        else
+          return [buf.length, buf].pack("NA*")
+        end
+      end
+    end
+
+    def self.write_string(str)
+      [str.size].pack("N") + str
+    end
+
+    def self.sha1_hash(data)
+      OpenSSL::Digest::SHA1.hexdigest data
+    end
+
+  end
+end

data/test/data/authorized_keys

@@ -0,0 +1,2 @@
+ssh-dss AAAAB3NzaC1kc3MAAACBAK8JRdWMWVcnFxRn8Pwhu6a7W8HQGPd93GY4JbKTTZjDrJEjKMnNUaFVZpu13MQwow8kaolqS+6tUaNDTFY+bymYcVWdQKWFAC/8MrOeJZq1GugNBxk9RC/VZBvW4nDTPgXhRftSxB7KBk0Tvk70fbwffaVGW7A+GBJKXYHdA/PdAAAAFQCjif6zl1zEITOq8us9WfvvBiQCkQAAAIEAqwFVbyhPWEVp5Ierq1syOJv4Hjqnbo/69mU/mFpnhIhreJ+uNIaFlEdwJY+WaQ7mUpWKCjhRMcDICQ+Lgq3zjaZhSe6F+SBHWI2ISDgRs73W2z42oECRrQoNJ9WZSF+6l+cHEHsD6Qv+B4cYtr7JJj7IGtMZzDO+zhQaUWTNeUoAAACADRsQHiTTr+50iRiiC26dq+W8GxksI4A5nESv3LpbqMI/SNzglK5OlLkKw403Ox7O1Hb+uZmmOZQmk1OTPjS3QPT+LC/lkUANpP7T7Bkh9RwUUVJF3qvhHDH94BDO3clZKdV558gSHi+T9P31h1gcw5rAVh+yK2ZyZGV/jP0r0z0= evan@aero.local
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDDgYlt6gUVZUZE4xgW2TRvi8HjVgrWZ5e6Av76/H3PzvZpsgHSZyDiU1rgVsgwfb1NmJiwflNpILLprSmp3RRqdOEKzEPgxdscQY1sJtTQcmdlWeIvN6KvmImPwV9krqtN8vji7Zqr0N3mcDmdK1MbQ56Cjx5l6/y9rYGLmIZvoLOLDVe3olOHjpapHQLHrQL3c/2Il5y+9aXR1c/gKFeEwwhRL6hcSIufBnanXqVGa5QNrfzw4si8oAIWDNfXDGRdFkxrnGxHOguj8hFeYXNtz6OHu2UPbvum9sUNHXdDHBYSTPqUJfdLvo49ZMqShcEgNrlBe8rx7ooPdDas40mH evan@aero.local

data/test/data/id_dsa

@@ -0,0 +1,12 @@
+-----BEGIN DSA PRIVATE KEY-----
+MIIBuwIBAAKBgQCvCUXVjFlXJxcUZ/D8Ibumu1vB0Bj3fdxmOCWyk02Yw6yRIyjJ
+zVGhVWabtdzEMKMPJGqJakvurVGjQ0xWPm8pmHFVnUClhQAv/DKzniWatRroDQcZ
+PUQv1WQb1uJw0z4F4UX7UsQeygZNE75O9H28H32lRluwPhgSSl2B3QPz3QIVAKOJ
+/rOXXMQhM6ry6z1Z++8GJAKRAoGBAKsBVW8oT1hFaeSHq6tbMjib+B46p26P+vZl
+P5haZ4SIa3ifrjSGhZRHcCWPlmkO5lKVigo4UTHAyAkPi4Kt842mYUnuhfkgR1iN
+iEg4EbO91ts+NqBAka0KDSfVmUhfupfnBxB7A+kL/geHGLa+ySY+yBrTGcwzvs4U
+GlFkzXlKAoGADRsQHiTTr+50iRiiC26dq+W8GxksI4A5nESv3LpbqMI/SNzglK5O
+lLkKw403Ox7O1Hb+uZmmOZQmk1OTPjS3QPT+LC/lkUANpP7T7Bkh9RwUUVJF3qvh
+HDH94BDO3clZKdV558gSHi+T9P31h1gcw5rAVh+yK2ZyZGV/jP0r0z0CFEY8QELo
+OZ+AwfX3cTZZTQMaNgAm
+-----END DSA PRIVATE KEY-----

data/test/data/id_dsa.pub

@@ -0,0 +1 @@
+ssh-dss AAAAB3NzaC1kc3MAAACBAK8JRdWMWVcnFxRn8Pwhu6a7W8HQGPd93GY4JbKTTZjDrJEjKMnNUaFVZpu13MQwow8kaolqS+6tUaNDTFY+bymYcVWdQKWFAC/8MrOeJZq1GugNBxk9RC/VZBvW4nDTPgXhRftSxB7KBk0Tvk70fbwffaVGW7A+GBJKXYHdA/PdAAAAFQCjif6zl1zEITOq8us9WfvvBiQCkQAAAIEAqwFVbyhPWEVp5Ierq1syOJv4Hjqnbo/69mU/mFpnhIhreJ+uNIaFlEdwJY+WaQ7mUpWKCjhRMcDICQ+Lgq3zjaZhSe6F+SBHWI2ISDgRs73W2z42oECRrQoNJ9WZSF+6l+cHEHsD6Qv+B4cYtr7JJj7IGtMZzDO+zhQaUWTNeUoAAACADRsQHiTTr+50iRiiC26dq+W8GxksI4A5nESv3LpbqMI/SNzglK5OlLkKw403Ox7O1Hb+uZmmOZQmk1OTPjS3QPT+LC/lkUANpP7T7Bkh9RwUUVJF3qvhHDH94BDO3clZKdV558gSHi+T9P31h1gcw5rAVh+yK2ZyZGV/jP0r0z0= evan@aero.local

data/test/data/id_rsa

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEAw4GJbeoFFWVGROMYFtk0b4vB41YK1meXugL++vx9z872abIB
+0mcg4lNa4FbIMH29TZiYsH5TaSCy6a0pqd0UanThCsxD4MXbHEGNbCbU0HJnZVni
+Lzeir5iJj8FfZK6rTfL44u2aq9Dd5nA5nStTG0Oego8eZev8va2Bi5iGb6Cziw1X
+t6JTh46WqR0Cx60C93P9iJecvvWl0dXP4ChXhMMIUS+oXEiLnwZ2p16lRmuUDa38
+8OLIvKACFgzX1wxkXRZMa5xsRzoLo/IRXmFzbc+jh7tlD277pvbFDR13QxwWEkz6
+lCX3S76OPWTKkoXBIDa5QXvK8e6KD3Q2rONJhwIDAQABAoIBAH0yRr+MTRUWdZlH
+k/WNwnZsGQ1r3CTQ0ejcYkx3xFl/P20QAPqr7/L/TgK7kBb9bmxye9UKEIAR4ICj
+0zpjyN8jWbmAdTdLfLTrhZTsiPuzR2Mv3BhAmH26QN0+B8iB0lFodtlbLuE4L+GR
+nFN5mw6qjqcs31qFdKRCp+KtGeoA8B2OvPLH6tBoLo4UPtB9OgZR9nhi6ZSkUuNP
+xzFU+QgtfBumGOfspwa8Cy+zatwI0Xw4O4FY5bIcp7n+E43pzMLVnkrBxQKouugR
+ldgW2PYm5yX/ffuKdjruSbXRb1Li+Ikx7rK76GfbBSzr33qH1PDqoOdPS4JPuAzj
+wh4YLoECgYEA6q6GJBFui3xFmN+CXVDGeNGXutxxVksMtbHw3P3xwmerfs3+KQD6
+UIb2r22dfu/dILAIkgsx6lsUpvpj0vyyav7mNVRv06qbcGs/zxTquTZXd7NA8+Gm
+ZPv2WKugdsVKHO22D40pFdBM13GPnYo2FGSIsvTC2oZHScJxpnySrKMCgYEA1UP9
+O0CrpYqI7Ktt3iPeX/a+tTCIcmxoWvKwq29dEg6Ck4JmLDcQETQms7tflbNyjX3L
+VgzmBEeRo8cz0YpvSHFmcgy7F0Rnk2ijb85ppJF0rJS0yBJOlHzoYsqIlbFWihl/
+QEy0sBMXQjcvLvIDpiQDzWNdLf7DS9aNKKAyec0CgYA+3rRW80iPG6K1eqM9Boe1
+FEk2qRm/yWlFP79MJMfgkc9SsDK3n2hvrEhn5NC9kdrGiAIzxcYAh5f3x7p4anQN
+z+2yOcWfieQMcN7uRic/qPwzuBTdgQUHpqxvQsNBLkdViqUsc1+fVWdQjD6yMLWe
+LvSkJIgS7MgqTWoO9O6CSwKBgDhB3yMqRB0/Fi+YaTsYKykVZelWDChjAIQ9UO1o
+SxzgRwGyfFFdlRd0smDnJKfQ1n8Ml/7zGBo45upVOg4kfoaVo3iicxgIK2pvR+3O
+fX+z/xsnfyjn62KwMH0fADi8tx9m6nKDyYZJAvGsrP2tSdkh1v7vHz1q3wm6ZzI4
+UBhhAoGAGno46WOio1hGOQoT5GFvyMPBsZAWvFdWSd14gOUzbX4cf+hRsBW4KqZy
+v3jMQ1YgYXf0yvXODKycuFP9uz9HcznwwahT23T0jYtDWkGeMqdoncpenarsfVjF
+PUQgoSpveFwz5UtsP3WhZKCl3/et7FDN1hbXqmWF1i6YbnjIJo8=
+-----END RSA PRIVATE KEY-----