sonixlabs-net-ssh 2.3.0

data/lib/net/ssh/authentication/constants.rb

@@ -0,0 +1,18 @@
+module Net; module SSH; module Authentication
+
+  # Describes the constants used by the Net::SSH::Authentication components
+  # of the Net::SSH library. Individual authentication method implemenations
+  # may define yet more constants that are specific to their implementation.
+  module Constants
+    USERAUTH_REQUEST          = 50
+    USERAUTH_FAILURE          = 51
+    USERAUTH_SUCCESS          = 52
+    USERAUTH_BANNER           = 53
+
+    USERAUTH_PASSWD_CHANGEREQ = 60
+    USERAUTH_PK_OK            = 60
+
+    USERAUTH_METHOD_RANGE     = 60..79
+  end
+
+end; end; end

data/lib/net/ssh/authentication/key_manager.rb

@@ -0,0 +1,253 @@
+require 'net/ssh/errors'
+require 'net/ssh/key_factory'
+require 'net/ssh/loggable'
+require 'net/ssh/authentication/agent'
+
+module Net
+  module SSH
+    module Authentication
+
+      # A trivial exception class used to report errors in the key manager.
+      class KeyManagerError < Net::SSH::Exception; end
+
+      # This class encapsulates all operations done by clients on a user's
+      # private keys. In practice, the client should never need a reference
+      # to a private key; instead, they grab a list of "identities" (public 
+      # keys) that are available from the KeyManager, and then use
+      # the KeyManager to do various private key operations using those
+      # identities.
+      #
+      # The KeyManager also uses the Agent class to encapsulate the
+      # ssh-agent. Thus, from a client's perspective it is completely
+      # hidden whether an identity comes from the ssh-agent or from a file
+      # on disk.
+      class KeyManager
+        include Loggable
+
+        # The list of user key files that will be examined
+        attr_reader :key_files
+
+        # The list of user key data that will be examined
+        attr_reader :key_data
+
+        # The map of loaded identities
+        attr_reader :known_identities
+
+        # The map of options that were passed to the key-manager
+        attr_reader :options
+
+        # Create a new KeyManager. By default, the manager will
+        # use the ssh-agent (if it is running).
+        def initialize(logger, options={})
+          self.logger = logger
+          @key_files = []
+          @key_data = []
+          @use_agent = true
+          @known_identities = {}
+          @agent = nil
+          @options = options
+        end
+
+        # Clear all knowledge of any loaded user keys. This also clears the list
+        # of default identity files that are to be loaded, thus making it
+        # appropriate to use if a client wishes to NOT use the default identity
+        # files.
+        def clear!
+          key_files.clear
+          key_data.clear
+          known_identities.clear
+          self
+        end
+
+        # Add the given key_file to the list of key files that will be used.
+        def add(key_file)
+          key_files.push(File.expand_path(key_file)).uniq!
+          self
+        end
+
+        # Add the given key_file to the list of keys that will be used.
+        def add_key_data(key_data_)
+          key_data.push(key_data_).uniq!
+          self
+        end
+
+        # This is used as a hint to the KeyManager indicating that the agent
+        # connection is no longer needed. Any other open resources may be closed
+        # at this time.
+        #
+        # Calling this does NOT indicate that the KeyManager will no longer
+        # be used. Identities may still be requested and operations done on
+        # loaded identities, in which case, the agent will be automatically
+        # reconnected. This method simply allows the client connection to be
+        # closed when it will not be used in the immediate future.
+        def finish
+          @agent.close if @agent
+          @agent = nil
+        end
+
+        # Iterates over all available identities (public keys) known to this
+        # manager. As it finds one, it will then yield it to the caller.
+        # The origin of the identities may be from files on disk or from an
+        # ssh-agent. Note that identities from an ssh-agent are always listed
+        # first in the array, with other identities coming after.
+        #
+        # If key manager was created with :keys_only option, any identity
+        # from ssh-agent will be ignored unless it present in key_files or
+        # key_data.
+        def each_identity
+          prepared_identities = prepare_identities_from_files + prepare_identities_from_data
+
+          user_identities = load_identities(prepared_identities, false)
+
+          if agent
+            agent.identities.each do |key|
+              corresponding_user_identity = user_identities.detect { |identity|
+                identity[:public_key] && identity[:public_key].to_pem == key.to_pem
+              }
+              user_identities.delete(corresponding_user_identity) if corresponding_user_identity
+
+              if !options[:keys_only] || corresponding_user_identity
+                known_identities[key] = { :from => :agent }
+                yield key
+              end
+            end
+          end
+
+          user_identities = load_identities(user_identities, true)
+
+          user_identities.each do |identity|
+            key = identity.delete(:public_key)
+            known_identities[key] = identity
+            yield key
+          end
+
+          self
+        end
+
+        # Sign the given data, using the corresponding private key of the given
+        # identity. If the identity was originally obtained from an ssh-agent,
+        # then the ssh-agent will be used to sign the data, otherwise the
+        # private key for the identity will be loaded from disk (if it hasn't
+        # been loaded already) and will then be used to sign the data.
+        #
+        # Regardless of the identity's origin or who does the signing, this
+        # will always return the signature in an SSH2-specified "signature
+        # blob" format.
+        def sign(identity, data)
+          info = known_identities[identity] or raise KeyManagerError, "the given identity is unknown to the key manager"
+
+          if info[:key].nil? && info[:from] == :file
+            begin
+              info[:key] = KeyFactory.load_private_key(info[:file], options[:passphrase], true)
+            rescue Exception, OpenSSL::OpenSSLError => e 
+              raise KeyManagerError, "the given identity is known, but the private key could not be loaded: #{e.class} (#{e.message})"
+            end
+          end
+
+          if info[:key]
+            return Net::SSH::Buffer.from(:string, identity.ssh_type,
+              :string, info[:key].ssh_do_sign(data.to_s)).to_s
+          end
+
+          if info[:from] == :agent
+            raise KeyManagerError, "the agent is no longer available" unless agent
+            return agent.sign(identity, data.to_s)
+          end
+
+          raise KeyManagerError, "[BUG] can't determine identity origin (#{info.inspect})"
+        end
+
+        # Identifies whether the ssh-agent will be used or not.
+        def use_agent?
+          @use_agent
+        end
+
+        # Toggles whether the ssh-agent will be used or not. If true, an
+        # attempt will be made to use the ssh-agent. If false, any existing
+        # connection to an agent is closed and the agent will not be used.
+        def use_agent=(use_agent)
+          finish if !use_agent
+          @use_agent = use_agent
+        end
+
+        # Returns an Agent instance to use for communicating with an SSH
+        # agent process. Returns nil if use of an SSH agent has been disabled,
+        # or if the agent is otherwise not available.
+        def agent
+          return unless use_agent?
+          @agent ||= Agent.connect(logger)
+        rescue AgentNotAvailable
+          @use_agent = false
+          nil
+        end
+
+        private
+
+        # Prepares identities from user key_files for loading, preserving their order and sources.
+        def prepare_identities_from_files
+          key_files.map do |file|
+            public_key_file = file + ".pub"
+            if File.readable?(public_key_file)
+              { :load_from => :pubkey_file, :file => file }
+            elsif File.readable?(file)
+              { :load_from => :privkey_file, :file => file }
+            end
+          end.compact
+        end
+
+        # Prepared identities from user key_data, preserving their order and sources.
+        def prepare_identities_from_data
+          key_data.map do |data|
+            { :load_from => :data, :data => data }
+          end
+        end
+
+        # Load prepared identities. Private key decryption errors ignored if passphrase was not prompted.
+        def load_identities(identities, ask_passphrase)
+          identities.map do |identity|
+            begin
+              case identity[:load_from]
+              when :pubkey_file
+                key = KeyFactory.load_public_key(identity[:file] + ".pub")
+                { :public_key => key, :from => :file, :file => identity[:file] }
+              when :privkey_file
+                private_key = KeyFactory.load_private_key(identity[:file], options[:passphrase], ask_passphrase)
+                key = private_key.__send__(:public_key)
+                { :public_key => key, :from => :file, :file => identity[:file], :key => private_key }
+              when :data
+                private_key = KeyFactory.load_data_private_key(identity[:data], options[:passphrase], ask_passphrase)
+                key = private_key.__send__(:public_key)
+                { :public_key => key, :from => :key_data, :data => identity[:data], :key => private_key }
+              else
+                identity
+              end
+
+            rescue OpenSSL::PKey::RSAError, OpenSSL::PKey::DSAError => e
+              if ask_passphrase
+                process_identity_loading_error(identity, e)
+                nil
+              else
+                identity
+              end
+            rescue Exception => e
+              process_identity_loading_error(identity, e)
+              nil
+            end
+          end.compact
+        end
+
+        def process_identity_loading_error(identity, e)
+          case identity[:load_from]
+          when :pubkey_file
+            error { "could not load public key file `#{identity[:file]}': #{e.class} (#{e.message})" }
+          when :privkey_file
+            error { "could not load private key file `#{identity[:file]}': #{e.class} (#{e.message})" }
+          else
+            raise e
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/net/ssh/authentication/methods/abstract.rb

@@ -0,0 +1,60 @@
+require 'net/ssh/buffer'
+require 'net/ssh/errors'
+require 'net/ssh/loggable'
+require 'net/ssh/authentication/constants'
+
+module Net; module SSH; module Authentication; module Methods
+
+  # The base class of all user authentication methods. It provides a few
+  # bits of common functionality.
+  class Abstract
+    include Constants, Loggable
+
+    # The authentication session object
+    attr_reader :session
+
+    # The key manager object. Not all authentication methods will require
+    # this.
+    attr_reader :key_manager
+
+    # Instantiates a new authentication method.
+    def initialize(session, options={})
+      @session = session
+      @key_manager = options[:key_manager]
+      @options = options
+      self.logger = session.logger
+    end
+
+    # Returns the session-id, as generated during the first key exchange of
+    # an SSH connection.
+    def session_id
+      session.transport.algorithms.session_id
+    end
+
+    # Sends a message via the underlying transport layer abstraction. This
+    # will block until the message is completely sent.
+    def send_message(msg)
+      session.transport.send_message(msg)
+    end
+
+    # Creates a new USERAUTH_REQUEST packet. The extra arguments on the end
+    # must be either boolean values or strings, and are tacked onto the end
+    # of the packet. The new packet is returned, ready for sending.
+    def userauth_request(username, next_service, auth_method, *others)
+      buffer = Net::SSH::Buffer.from(:byte, USERAUTH_REQUEST,
+        :string, username, :string, next_service, :string, auth_method)
+
+      others.each do |value|
+        case value
+        when true, false then buffer.write_bool(value)
+        when String      then buffer.write_string(value)
+        else raise ArgumentError, "don't know how to write #{value.inspect}"
+        end
+      end
+
+      buffer
+    end
+
+  end
+
+end; end; end; end

data/lib/net/ssh/authentication/methods/hostbased.rb

@@ -0,0 +1,75 @@
+require 'net/ssh/authentication/methods/abstract'
+
+module Net
+  module SSH
+    module Authentication
+      module Methods
+
+        # Implements the host-based SSH authentication method.
+        class Hostbased < Abstract
+          include Constants
+
+          # Attempts to perform host-based authorization of the user by trying
+          # all known keys.
+          def authenticate(next_service, username, password=nil)
+            return false unless key_manager
+
+            key_manager.each_identity do |identity|
+              return true if authenticate_with(identity, next_service,
+                username, key_manager)
+            end
+
+            return false
+          end
+
+          private
+
+            # Returns the hostname as reported by the underlying socket.
+            def hostname
+              session.transport.socket.client_name
+            end
+
+            # Attempts to perform host-based authentication of the user, using
+            # the given host identity (key).
+            def authenticate_with(identity, next_service, username, key_manager)
+              debug { "trying hostbased (#{identity.fingerprint})" }
+              client_username = ENV['USER'] || username
+
+              req = build_request(identity, next_service, username, "#{hostname}.", client_username)
+              sig_data = Buffer.from(:string, session_id, :raw, req)
+
+              sig = key_manager.sign(identity, sig_data.to_s)
+
+              message = Buffer.from(:raw, req, :string, sig)
+
+              send_message(message)
+              message = session.next_message
+
+              case message.type
+                when USERAUTH_SUCCESS
+                  info { "hostbased succeeded (#{identity.fingerprint})" }
+                  return true
+                when USERAUTH_FAILURE
+                  info { "hostbased failed (#{identity.fingerprint})" }
+
+                  raise Net::SSH::Authentication::DisallowedMethod unless
+                    message[:authentications].split(/,/).include? 'hostbased'
+
+                  return false
+                else
+                  raise Net::SSH::Exception, "unexpected server response to USERAUTH_REQUEST: #{message.type} (#{message.inspect})"
+              end
+            end
+
+            # Build the "core" hostbased request string.
+            def build_request(identity, next_service, username, hostname, client_username)
+              userauth_request(username, next_service, "hostbased", identity.ssh_type,
+                Buffer.from(:key, identity).to_s, hostname, client_username).to_s
+            end
+
+        end
+
+      end
+    end
+  end
+end

data/lib/net/ssh/authentication/methods/keyboard_interactive.rb

@@ -0,0 +1,70 @@
+require 'net/ssh/prompt'
+require 'net/ssh/authentication/methods/abstract'
+
+module Net
+  module SSH
+    module Authentication
+      module Methods
+
+        # Implements the "keyboard-interactive" SSH authentication method.
+        class KeyboardInteractive < Abstract
+          include Prompt
+
+          USERAUTH_INFO_REQUEST  = 60
+          USERAUTH_INFO_RESPONSE = 61
+
+          # Attempt to authenticate the given user for the given service.
+          def authenticate(next_service, username, password=nil)
+            debug { "trying keyboard-interactive" }
+            send_message(userauth_request(username, next_service, "keyboard-interactive", "", ""))
+
+            loop do
+              message = session.next_message
+
+              case message.type
+              when USERAUTH_SUCCESS
+                debug { "keyboard-interactive succeeded" }
+                return true
+              when USERAUTH_FAILURE
+                debug { "keyboard-interactive failed" }
+
+                raise Net::SSH::Authentication::DisallowedMethod unless
+                  message[:authentications].split(/,/).include? 'keyboard-interactive'
+
+                return false
+              when USERAUTH_INFO_REQUEST
+                name = message.read_string
+                instruction = message.read_string
+                debug { "keyboard-interactive info request" }
+
+                unless password
+                  puts(name) unless name.empty?
+                  puts(instruction) unless instruction.empty?
+                end
+
+                lang_tag = message.read_string
+                responses =[]
+  
+                message.read_long.times do
+                  text = message.read_string
+                  echo = message.read_bool
+                  responses << (password || prompt(text, echo))
+                end
+
+                # if the password failed the first time around, don't try
+                # and use it on subsequent requests.
+                password = nil
+
+                msg = Buffer.from(:byte, USERAUTH_INFO_RESPONSE, :long, responses.length, :string, responses)
+                send_message(msg)
+              else
+                raise Net::SSH::Exception, "unexpected reply in keyboard interactive: #{message.type} (#{message.inspect})"
+              end
+            end
+          end
+        end
+
+      end
+    end
+  end
+end