@electerm/ssh2 1.16.2 → 1.17.1

package/lib/client.js

@@ -84,6 +84,7 @@ class Client extends EventEmitter {
       username: undefined,
       password: undefined,
       privateKey: undefined,
+      certificate: undefined,
       tryKeyboard: undefined,
       agent: undefined,
       allowAgentFwd: undefined,
@@ -209,6 +210,10 @@ class Client extends EventEmitter {
                               || Buffer.isBuffer(cfg.privateKey)
                               ? cfg.privateKey
                               : undefined);
+    this.config.certificate = (typeof cfg.certificate === 'string'
+                               || Buffer.isBuffer(cfg.certificate)
+                               ? cfg.certificate
+                               : undefined);
     this.config.localHostname = (typeof cfg.localHostname === 'string'
                                  ? cfg.localHostname
                                  : undefined);
@@ -268,6 +273,42 @@ class Client extends EventEmitter {
           'privateKey value does not contain a (valid) private key'
         );
       }
+
+      // Wrap with certificate if provided
+      if (this.config.certificate) {
+        const { wrapKeyWithCertificate } = require('./protocol/certificateAuth.js');
+        let certBuffer = this.config.certificate;
+        
+        // Handle string or buffer that contains OpenSSH public key format
+        let certStr;
+        if (typeof certBuffer === 'string') {
+          certStr = certBuffer.trim();
+        } else if (Buffer.isBuffer(certBuffer)) {
+          // Check if it's text format (starts with ssh-) or binary
+          const firstBytes = certBuffer.slice(0, 4).toString('utf8');
+          if (firstBytes.startsWith('ssh-') || firstBytes.startsWith('ecds')) {
+            certStr = certBuffer.toString('utf8').trim();
+          }
+        }
+        
+        if (certStr) {
+          // Parse OpenSSH public key format: "type base64data [comment]"
+          const parts = certStr.split(/\s+/);
+          if (parts.length >= 2) {
+            try {
+              certBuffer = Buffer.from(parts[1], 'base64');
+            } catch (err) {
+              throw new Error(`Cannot parse certificate: ${err.message}`);
+            }
+          }
+        }
+        
+        const wrappedKey = wrapKeyWithCertificate(privateKey, certBuffer);
+        if (wrappedKey instanceof Error) {
+          throw new Error(`Cannot wrap key with certificate: ${wrappedKey.message}`);
+        }
+        privateKey = wrappedKey;
+      }
     }
 
     let hostVerifier;
@@ -321,6 +362,10 @@ class Client extends EventEmitter {
       },
       onHandshakeComplete: (negotiated) => {
         this.emit('handshake', negotiated);
+        // Start keepalive monitoring after handshake
+        if (this.config.keepaliveInterval > 0) {
+          resetKA();
+        }
         if (!ready) {
           ready = true;
           proto.service('ssh-userauth');
@@ -499,10 +544,14 @@ class Client extends EventEmitter {
           }
         },
         REQUEST_SUCCESS: (p, data) => {
+          // Reset keepalive on any protocol activity
+          this._resetKA();
           if (callbacks.length)
             callbacks.shift()(false, data);
         },
         REQUEST_FAILURE: (p) => {
+          // Reset keepalive on any protocol activity
+          this._resetKA();
           if (callbacks.length)
             callbacks.shift()(true);
         },
@@ -707,39 +756,71 @@ class Client extends EventEmitter {
 
     sock.pause();
 
-    // TODO: check keepalive implementation
-    // Keepalive-related
+    // Enhanced keepalive implementation with TCP-level and SSH protocol-level keepalives
     const kainterval = this.config.keepaliveInterval;
     const kacountmax = this.config.keepaliveCountMax;
     let kacount = 0;
     let katimer;
+    let lastActivity = Date.now();
+
+    // Enable TCP keepalive for network-level connection monitoring
+    // This helps detect dead connections even when SSH protocol keepalive is not used
+    if (typeof sock.setKeepAlive === 'function') {
+      sock.setKeepAlive(true, 10000);  // Start probing after 10 seconds idle
+    }
+
     const sendKA = () => {
+      const now = Date.now();
+      const timeSinceLastActivity = now - lastActivity;
+
+      // If we've received any activity recently, reset counter and continue
+      if (timeSinceLastActivity < kainterval) {
+        kacount = 0;
+        return;
+      }
+
       if (++kacount > kacountmax) {
         clearInterval(katimer);
         if (sock.readable) {
-          const err = new Error('Keepalive timeout');
+          const err = new Error(
+            `Keepalive timeout: no response after ${kacountmax} attempts`
+          );
           err.level = 'client-timeout';
           this.emit('error', err);
           sock.destroy();
         }
         return;
       }
+
       if (isWritable(sock)) {
-        // Append dummy callback to keep correct callback order
-        callbacks.push(resetKA);
+        if (debug) {
+          debug(
+            `Client: Sending keepalive (${kacount}/${kacountmax}), ` +
+            `${timeSinceLastActivity}ms since last activity`
+          );
+        }
+        // Send SSH protocol-level keepalive
+        // Use global request instead of relying on callbacks
         proto.ping();
+        
+        // Don't rely on callback - we'll reset based on any activity
       } else {
         clearInterval(katimer);
       }
     };
+
     function resetKA() {
+      lastActivity = Date.now();
+      kacount = 0;
+      
       if (kainterval > 0) {
-        kacount = 0;
         clearInterval(katimer);
-        if (isWritable(sock))
+        if (isWritable(sock)) {
           katimer = setInterval(sendKA, kainterval);
+        }
       }
     }
+    
     this._resetKA = resetKA;
 
     const onDone = (() => {

package/lib/protocol/Protocol.js

@@ -632,31 +632,88 @@ class Protocol {
     if (this._server)
       throw new Error('Client-only method called in server mode');
 
-    pubKey = parseKey(pubKey);
-    if (pubKey instanceof Error)
-      throw new Error('Invalid key');
+    const origPubKey = pubKey;
+    
+    // Only parse if it's not already a parsed key object
+    // Check for common key object properties
+    if (typeof pubKey !== 'object' || pubKey === null || 
+        typeof pubKey.type !== 'string' || typeof pubKey.getPublicSSH !== 'function') {
+      pubKey = parseKey(pubKey);
+      if (pubKey instanceof Error)
+        throw new Error('Invalid key');
+    }
 
     let keyType = pubKey.type;
+    
+    // Check if this is a certificate-wrapped key
+    let pubKeyData = pubKey.getPublicSSH();
+    let isCertificate = false;
+    if (pubKey.getCertificateBuffer) {
+      // This is a CertificateKey, use the certificate data instead
+      pubKeyData = pubKey.getCertificateBuffer();
+      isCertificate = true;
+      this._debug && this._debug('Using SSH certificate for authentication');
+    }
+
+    // Upgrade RSA to SHA2 variants if server supports them
+    // signAlgo is the actual algorithm used for signing
+    // NOTE: Order must match getKeyAlgos() in client.js - rsa-sha2-256 first
+    let signAlgo = keyType;
     if (keyType === 'ssh-rsa') {
-      for (const algo of ['rsa-sha2-512', 'rsa-sha2-256']) {
+      for (const algo of ['rsa-sha2-256', 'rsa-sha2-512']) {
         if (this._remoteHostKeyAlgorithms.includes(algo)) {
-          keyType = algo;
+          signAlgo = algo;
           break;
         }
       }
     }
-    pubKey = pubKey.getPublicSSH();
+    
+    // For certificates, append the cert suffix to the algorithm for the packet
+    // but keep signAlgo as the base signing algorithm
+    if (isCertificate) {
+      // Map the signing algorithm to certificate algorithm
+      // e.g., rsa-sha2-512 -> rsa-sha2-512-cert-v01@openssh.com
+      if (signAlgo === 'rsa-sha2-512') {
+        keyType = 'rsa-sha2-512-cert-v01@openssh.com';
+      } else if (signAlgo === 'rsa-sha2-256') {
+        keyType = 'rsa-sha2-256-cert-v01@openssh.com';
+      } else if (signAlgo === 'ssh-rsa' || keyType === 'ssh-rsa') {
+        keyType = 'ssh-rsa-cert-v01@openssh.com';
+      } else if (keyType === 'ssh-dss') {
+        keyType = 'ssh-dss-cert-v01@openssh.com';
+      } else if (keyType === 'ecdsa-sha2-nistp256') {
+        keyType = 'ecdsa-sha2-nistp256-cert-v01@openssh.com';
+      } else if (keyType === 'ecdsa-sha2-nistp384') {
+        keyType = 'ecdsa-sha2-nistp384-cert-v01@openssh.com';
+      } else if (keyType === 'ecdsa-sha2-nistp521') {
+        keyType = 'ecdsa-sha2-nistp521-cert-v01@openssh.com';
+      } else if (keyType === 'ssh-ed25519') {
+        keyType = 'ssh-ed25519-cert-v01@openssh.com';
+      }
+      this._debug && this._debug(`Certificate key algorithm: ${keyType}`);
+    } else {
+      // For non-certificates, keyType should be signAlgo
+      keyType = signAlgo;
+    }
 
     if (typeof keyAlgo === 'function') {
       cbSign = keyAlgo;
       keyAlgo = undefined;
     }
-    if (!keyAlgo)
+    
+    // For certificates, we must use the certificate algorithm regardless of what was passed
+    if (isCertificate) {
+      keyAlgo = keyType;
+    } else if (!keyAlgo) {
       keyAlgo = keyType;
+    }
 
     const userLen = Buffer.byteLength(username);
     const algoLen = Buffer.byteLength(keyAlgo);
-    const pubKeyLen = pubKey.length;
+    // For certificates, signAlgo is the base signing algorithm (e.g., rsa-sha2-512)
+    // For non-certificates, signAlgo equals keyAlgo
+    const signAlgoLen = Buffer.byteLength(signAlgo);
+    const pubKeyLen = pubKeyData.length;
     const sessionID = this._kex.sessionID;
     const sesLen = sessionID.length;
     const payloadLen =
@@ -692,7 +749,7 @@ class Protocol {
     packet.utf8Write(keyAlgo, p += 4, algoLen);
 
     writeUInt32BE(packet, pubKeyLen, p += algoLen);
-    packet.set(pubKey, p += 4);
+    packet.set(pubKeyData, p += 4);
 
     if (!cbSign) {
       this._authsQueue.push('publickey');
@@ -705,7 +762,7 @@ class Protocol {
     }
 
     cbSign(packet, (signature) => {
-      signature = convertSignature(signature, keyType);
+      signature = convertSignature(signature, signAlgo);
       if (signature === false)
         throw new Error('Error while converting handshake signature');
 
@@ -713,7 +770,7 @@ class Protocol {
       p = this._packetRW.write.allocStart;
       packet = this._packetRW.write.alloc(
         1 + 4 + userLen + 4 + 14 + 4 + 9 + 1 + 4 + algoLen + 4 + pubKeyLen + 4
-          + 4 + algoLen + 4 + sigLen
+          + 4 + signAlgoLen + 4 + sigLen
       );
 
       // TODO: simply copy from original "packet" to new `packet` to avoid
@@ -735,14 +792,17 @@ class Protocol {
       packet.utf8Write(keyAlgo, p += 4, algoLen);
 
       writeUInt32BE(packet, pubKeyLen, p += algoLen);
-      packet.set(pubKey, p += 4);
+      packet.set(pubKeyData, p += 4);
 
-      writeUInt32BE(packet, 4 + algoLen + 4 + sigLen, p += pubKeyLen);
+      // Signature blob: length-prefixed (algorithm string + raw signature)
+      // For RSA signatures, use the base signing algorithm (without cert suffix)
+      // The cert suffix is only used in the public key algorithm field of the main packet
+      writeUInt32BE(packet, 4 + signAlgoLen + 4 + sigLen, p += pubKeyLen);
 
-      writeUInt32BE(packet, algoLen, p += 4);
-      packet.utf8Write(keyAlgo, p += 4, algoLen);
+      writeUInt32BE(packet, signAlgoLen, p += 4);
+      packet.utf8Write(signAlgo, p += 4, signAlgoLen);
 
-      writeUInt32BE(packet, sigLen, p += algoLen);
+      writeUInt32BE(packet, sigLen, p += signAlgoLen);
       packet.set(signature, p += 4);
 
       // Servers shouldn't send packet type 60 in response to signed publickey

package/lib/protocol/certificateAuth.js

@@ -0,0 +1,104 @@
+'use strict';
+
+const {
+  parseSSHCertificate,
+  isCertificate,
+} = require('./sshCertificate.js');
+
+/**
+ * Handle SSH certificate public key authentication
+ * This extends regular publickey auth to support certificates
+ */
+
+class CertificateKey {
+  constructor(baseKey, certificate, certBuffer) {
+    this.baseKey = baseKey; // The underlying parsed key
+    this.certificate = certificate; // Parsed certificate data
+    this.certBuffer = certBuffer; // Raw certificate buffer
+    this.type = baseKey.type;
+    this.comment = baseKey.comment;
+  }
+
+  isPrivateKey() {
+    return this.baseKey.isPrivateKey();
+  }
+
+  getPublicPEM() {
+    return this.baseKey.getPublicPEM?.();
+  }
+
+  getPublicSSH(algo) {
+    return this.baseKey.getPublicSSH?.(algo);
+  }
+
+  sign(data, algo) {
+    return this.baseKey.sign(data, algo);
+  }
+
+  verify(data, signature, algo) {
+    return this.baseKey.verify(data, signature, algo);
+  }
+
+  getCertificate() {
+    return this.certificate;
+  }
+
+  getCertificateBuffer() {
+    return this.certBuffer;
+  }
+}
+
+/**
+ * Wrap a parsed key with certificate information
+ */
+function wrapKeyWithCertificate(key, certBuffer) {
+  if (!Buffer.isBuffer(certBuffer)) {
+    return new Error('Certificate must be a Buffer');
+  }
+
+  try {
+    // Verify this is a certificate
+    if (!isCertificate(certBuffer)) {
+      return new Error('Buffer does not appear to be a certificate');
+    }
+
+    // Parse the certificate - it expects the complete buffer including type string
+    const certificate = parseSSHCertificate(certBuffer);
+
+    if (certificate instanceof Error) {
+      return certificate;
+    }
+
+    return new CertificateKey(key, certificate, certBuffer);
+  } catch (err) {
+    return err;
+  }
+}
+
+/**
+ * Extract certificate from OpenSSH public key format
+ * Returns { certBuffer, remainingData } or Error
+ */
+function extractCertificateFromData(data) {
+  if (!Buffer.isBuffer(data)) {
+    return new Error('Data must be a Buffer');
+  }
+
+  if (!isCertificate(data)) {
+    return null; // Not a certificate
+  }
+
+  try {
+    // The data is in binary SSH format: [type-len][type][data-len][data]...
+    // For a certificate, the entire data IS the certificate
+    return { certBuffer: data };
+  } catch (err) {
+    return err;
+  }
+}
+
+module.exports = {
+  CertificateKey,
+  wrapKeyWithCertificate,
+  extractCertificateFromData,
+};