npm - @electerm/ssh2 - Versions diffs - 1.17.0 → 1.17.2 - Mend

@electerm/ssh2 1.17.0 → 1.17.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/lib/client.js +47 -7
package/lib/protocol/Protocol.js +129 -101
package/package.json +1 -1

package/lib/client.js CHANGED Viewed

@@ -362,6 +362,10 @@ class Client extends EventEmitter {
       },
       onHandshakeComplete: (negotiated) => {
         this.emit('handshake', negotiated);
+        // Start keepalive monitoring after handshake
+        if (this.config.keepaliveInterval > 0) {
+          resetKA();
+        }
         if (!ready) {
           ready = true;
           proto.service('ssh-userauth');
@@ -540,10 +544,14 @@ class Client extends EventEmitter {
           }
         },
         REQUEST_SUCCESS: (p, data) => {
+          // Reset keepalive on any protocol activity
+          this._resetKA();
           if (callbacks.length)
             callbacks.shift()(false, data);
         },
         REQUEST_FAILURE: (p) => {
+          // Reset keepalive on any protocol activity
+          this._resetKA();
           if (callbacks.length)
             callbacks.shift()(true);
         },
@@ -748,39 +756,71 @@ class Client extends EventEmitter {
     sock.pause();
-    // TODO: check keepalive implementation
-    // Keepalive-related
+    // Enhanced keepalive implementation with TCP-level and SSH protocol-level keepalives
     const kainterval = this.config.keepaliveInterval;
     const kacountmax = this.config.keepaliveCountMax;
     let kacount = 0;
     let katimer;
+    let lastActivity = Date.now();
+    // Enable TCP keepalive for network-level connection monitoring
+    // This helps detect dead connections even when SSH protocol keepalive is not used
+    if (typeof sock.setKeepAlive === 'function') {
+      sock.setKeepAlive(true, 10000);  // Start probing after 10 seconds idle
+    }
     const sendKA = () => {
+      const now = Date.now();
+      const timeSinceLastActivity = now - lastActivity;
+      // If we've received any activity recently, reset counter and continue
+      if (timeSinceLastActivity < kainterval) {
+        kacount = 0;
+        return;
+      }
       if (++kacount > kacountmax) {
         clearInterval(katimer);
         if (sock.readable) {
-          const err = new Error('Keepalive timeout');
+          const err = new Error(
+            `Keepalive timeout: no response after ${kacountmax} attempts`
+          );
           err.level = 'client-timeout';
           this.emit('error', err);
           sock.destroy();
         }
         return;
       }
       if (isWritable(sock)) {
-        // Append dummy callback to keep correct callback order
-        callbacks.push(resetKA);
+        if (debug) {
+          debug(
+            `Client: Sending keepalive (${kacount}/${kacountmax}), ` +
+            `${timeSinceLastActivity}ms since last activity`
+          );
+        }
+        // Send SSH protocol-level keepalive
+        // Use global request instead of relying on callbacks
         proto.ping();
+        // Don't rely on callback - we'll reset based on any activity
       } else {
         clearInterval(katimer);
       }
     };
     function resetKA() {
+      lastActivity = Date.now();
+      kacount = 0;
       if (kainterval > 0) {
-        kacount = 0;
         clearInterval(katimer);
-        if (isWritable(sock))
+        if (isWritable(sock)) {
           katimer = setInterval(sendKA, kainterval);
+        }
       }
     }
     this._resetKA = resetKA;
     const onDone = (() => {

package/lib/protocol/Protocol.js CHANGED Viewed

@@ -629,35 +629,65 @@ class Protocol {
     sendPacket(this, this._packetRW.write.finalize(packet));
   }
   authPK(username, pubKey, keyAlgo, cbSign) {
+    if (pubKey && pubKey.certificate) {
+      return this.authPKCert(username, pubKey, keyAlgo, cbSign);
+    }
+    if (this._server)
+      throw new Error('Client-only method called in server mode');
+    pubKey = parseKey(pubKey);
+    if (pubKey instanceof Error)
+      throw new Error('Invalid key');
+    let keyType = pubKey.type;
+    if (keyType === 'ssh-rsa') {
+      for (const algo of ['rsa-sha2-512', 'rsa-sha2-256']) {
+        if (this._remoteHostKeyAlgorithms.includes(algo)) {
+          keyType = algo;
+          break;
+        }
+      }
+    }
+    pubKey = pubKey.getPublicSSH();
+    if (typeof keyAlgo === 'function') {
+      cbSign = keyAlgo;
+      keyAlgo = undefined;
+    }
+    if (!keyAlgo)
+      keyAlgo = keyType;
+    // For standard public keys, the algorithm name on the wire (keyAlgo)
+    // is the same as the algorithm used for signing (signAlgo).
+    this._authPKCommon(username, keyAlgo, pubKey, keyAlgo, cbSign);
+  }
+  authPKCert(username, pubKey, keyAlgo, cbSign) {
     if (this._server)
       throw new Error('Client-only method called in server mode');
-    const origPubKey = pubKey;
     // Only parse if it's not already a parsed key object
-    // Check for common key object properties
-    if (typeof pubKey !== 'object' || pubKey === null ||
+    if (typeof pubKey !== 'object' || pubKey === null ||
         typeof pubKey.type !== 'string' || typeof pubKey.getPublicSSH !== 'function') {
       pubKey = parseKey(pubKey);
       if (pubKey instanceof Error)
         throw new Error('Invalid key');
     }
-    let keyType = pubKey.type;
     // Check if this is a certificate-wrapped key
-    let pubKeyData = pubKey.getPublicSSH();
+    let pubKeyData;
     let isCertificate = false;
     if (pubKey.getCertificateBuffer) {
-      // This is a CertificateKey, use the certificate data instead
       pubKeyData = pubKey.getCertificateBuffer();
       isCertificate = true;
       this._debug && this._debug('Using SSH certificate for authentication');
+    } else {
+      pubKeyData = pubKey.getPublicSSH();
     }
-    // Upgrade RSA to SHA2 variants if server supports them
-    // signAlgo is the actual algorithm used for signing
-    // NOTE: Order must match getKeyAlgos() in client.js - rsa-sha2-256 first
+    let keyType = pubKey.type;
+    // Determine the base signing algorithm (upgrading RSA if needed)
     let signAlgo = keyType;
     if (keyType === 'ssh-rsa') {
       for (const algo of ['rsa-sha2-256', 'rsa-sha2-512']) {
@@ -667,12 +697,10 @@ class Protocol {
         }
       }
     }
-    // For certificates, append the cert suffix to the algorithm for the packet
-    // but keep signAlgo as the base signing algorithm
+    // Determine the algorithm name to use in the packet (keyAlgo)
     if (isCertificate) {
       // Map the signing algorithm to certificate algorithm
-      // e.g., rsa-sha2-512 -> rsa-sha2-512-cert-v01@openssh.com
       if (signAlgo === 'rsa-sha2-512') {
         keyType = 'rsa-sha2-512-cert-v01@openssh.com';
       } else if (signAlgo === 'rsa-sha2-256') {
@@ -692,7 +720,6 @@ class Protocol {
       }
       this._debug && this._debug(`Certificate key algorithm: ${keyType}`);
     } else {
-      // For non-certificates, keyType should be signAlgo
       keyType = signAlgo;
     }
@@ -700,118 +727,119 @@ class Protocol {
       cbSign = keyAlgo;
       keyAlgo = undefined;
     }
-    // For certificates, we must use the certificate algorithm regardless of what was passed
+    // For certificates, default to the determined cert type if not provided
     if (isCertificate) {
       keyAlgo = keyType;
     } else if (!keyAlgo) {
       keyAlgo = keyType;
     }
-    const userLen = Buffer.byteLength(username);
-    const algoLen = Buffer.byteLength(keyAlgo);
-    // For certificates, signAlgo is the base signing algorithm (e.g., rsa-sha2-512)
-    // For non-certificates, signAlgo equals keyAlgo
-    const signAlgoLen = Buffer.byteLength(signAlgo);
-    const pubKeyLen = pubKeyData.length;
-    const sessionID = this._kex.sessionID;
-    const sesLen = sessionID.length;
-    const payloadLen =
-      (cbSign ? 4 + sesLen : 0)
-        + 1 + 4 + userLen + 4 + 14 + 4 + 9 + 1 + 4 + algoLen + 4 + pubKeyLen;
-    let packet;
-    let p;
-    if (cbSign) {
-      packet = Buffer.allocUnsafe(payloadLen);
-      p = 0;
-      writeUInt32BE(packet, sesLen, p);
-      packet.set(sessionID, p += 4);
-      p += sesLen;
-    } else {
-      packet = this._packetRW.write.alloc(payloadLen);
-      p = this._packetRW.write.allocStart;
-    }
-    packet[p] = MESSAGE.USERAUTH_REQUEST;
-    writeUInt32BE(packet, userLen, ++p);
-    packet.utf8Write(username, p += 4, userLen);
-    writeUInt32BE(packet, 14, p += userLen);
-    packet.utf8Write('ssh-connection', p += 4, 14);
-    writeUInt32BE(packet, 9, p += 14);
-    packet.utf8Write('publickey', p += 4, 9);
-    packet[p += 9] = (cbSign ? 1 : 0);
-    writeUInt32BE(packet, algoLen, ++p);
-    packet.utf8Write(keyAlgo, p += 4, algoLen);
+    this._authPKCommon(username, keyAlgo, pubKeyData, signAlgo, cbSign);
+  }
-    writeUInt32BE(packet, pubKeyLen, p += algoLen);
-    packet.set(pubKeyData, p += 4);
+  _authPKCommon(username, algo, pubKey, signAlgo, cbSign) {
+    const userLen = Buffer.byteLength(username);
+    const algoLen = Buffer.byteLength(algo);
+    const pubKeyLen = pubKey.length;
+    // Calculate payload length for the basic packet
+    // Header: MSG_USERAUTH_REQUEST (1) + user (4+len) + service (4+14) + method (4+9) + sign_flag (1) + algo (4+len) + key (4+len)
+    const basePayloadLen = 1 + 4 + userLen + 4 + 14 + 4 + 9 + 1 + 4 + algoLen + 4 + pubKeyLen;
     if (!cbSign) {
-      this._authsQueue.push('publickey');
+      // -----------------------------------------------------------------------
+      // Send "Check" Packet (Signature Flag = 0)
+      // -----------------------------------------------------------------------
+      const packet = this._packetRW.write.alloc(basePayloadLen);
+      let p = this._packetRW.write.allocStart;
-      this._debug && this._debug(
-        'Outbound: Sending USERAUTH_REQUEST (publickey -- check)'
-      );
-      sendPacket(this, this._packetRW.write.finalize(packet));
-      return;
-    }
-    cbSign(packet, (signature) => {
-      signature = convertSignature(signature, signAlgo);
-      if (signature === false)
-        throw new Error('Error while converting handshake signature');
-      const sigLen = signature.length;
-      p = this._packetRW.write.allocStart;
-      packet = this._packetRW.write.alloc(
-        1 + 4 + userLen + 4 + 14 + 4 + 9 + 1 + 4 + algoLen + 4 + pubKeyLen + 4
-          + 4 + signAlgoLen + 4 + sigLen
-      );
-      // TODO: simply copy from original "packet" to new `packet` to avoid
-      // having to write each individual field a second time?
       packet[p] = MESSAGE.USERAUTH_REQUEST;
       writeUInt32BE(packet, userLen, ++p);
       packet.utf8Write(username, p += 4, userLen);
       writeUInt32BE(packet, 14, p += userLen);
       packet.utf8Write('ssh-connection', p += 4, 14);
       writeUInt32BE(packet, 9, p += 14);
       packet.utf8Write('publickey', p += 4, 9);
-      packet[p += 9] = 1;
+      packet[p += 9] = 0; // Not signed
       writeUInt32BE(packet, algoLen, ++p);
-      packet.utf8Write(keyAlgo, p += 4, algoLen);
+      packet.utf8Write(algo, p += 4, algoLen);
       writeUInt32BE(packet, pubKeyLen, p += algoLen);
-      packet.set(pubKeyData, p += 4);
+      packet.set(pubKey, p += 4);
-      // Signature blob: length-prefixed (algorithm string + raw signature)
-      // For RSA signatures, use the base signing algorithm (without cert suffix)
-      // The cert suffix is only used in the public key algorithm field of the main packet
-      writeUInt32BE(packet, 4 + signAlgoLen + 4 + sigLen, p += pubKeyLen);
+      this._authsQueue.push('publickey');
+      this._debug && this._debug('Outbound: Sending USERAUTH_REQUEST (publickey -- check)');
+      sendPacket(this, this._packetRW.write.finalize(packet));
+      return;
+    }
+    // -------------------------------------------------------------------------
+    // Signing Process
+    // -------------------------------------------------------------------------
+    const sessionID = this._kex.sessionID;
+    const sesLen = sessionID.length;
+    // Construct the data payload to be signed: SessionID + UserAuth Request Packet
+    // (Note: The packet construction here mimics the one above but sets sign_flag = 1)
+    const dataToSignLen = 4 + sesLen + basePayloadLen;
+    const dataToSign = Buffer.allocUnsafe(dataToSignLen);
+    let p = 0;
+    writeUInt32BE(dataToSign, sesLen, p);
+    dataToSign.set(sessionID, p += 4);
+    p += sesLen;
+    dataToSign[p] = MESSAGE.USERAUTH_REQUEST;
+    writeUInt32BE(dataToSign, userLen, ++p);
+    dataToSign.utf8Write(username, p += 4, userLen);
+    writeUInt32BE(dataToSign, 14, p += userLen);
+    dataToSign.utf8Write('ssh-connection', p += 4, 14);
+    writeUInt32BE(dataToSign, 9, p += 14);
+    dataToSign.utf8Write('publickey', p += 4, 9);
+    dataToSign[p += 9] = 1; // Signed
+    writeUInt32BE(dataToSign, algoLen, ++p);
+    dataToSign.utf8Write(algo, p += 4, algoLen);
+    writeUInt32BE(dataToSign, pubKeyLen, p += algoLen);
+    dataToSign.set(pubKey, p += 4);
+    cbSign(dataToSign, (signature) => {
+      signature = convertSignature(signature, signAlgo);
+      if (signature === false)
+        throw new Error('Error while converting handshake signature');
+      const sigLen = signature.length;
+      const signAlgoLen = Buffer.byteLength(signAlgo);
+      // -----------------------------------------------------------------------
+      // Send Signed Packet
+      // -----------------------------------------------------------------------
+      // We reconstruct the packet to send. It is identical to the data part of
+      // dataToSign (minus SessionID), plus the signature blob appended at the end.
+      const totalPacketLen = basePayloadLen + 4 + 4 + signAlgoLen + 4 + sigLen;
+      p = this._packetRW.write.allocStart;
+      const packet = this._packetRW.write.alloc(totalPacketLen);
+      // Copy the standard fields from our signing buffer (skipping sessionID)
+      // Offset of packet start in dataToSign is 4 + sesLen
+      const packetStartInSigData = 4 + sesLen;
+      bufferCopy(dataToSign, packet, packetStartInSigData, dataToSign.length, p);
+      // Move pointer to end of copied data
+      p += (dataToSign.length - packetStartInSigData);
+      // Append Signature Blob
+      // Length of signature structure (string len + string + blob len + blob)
+      writeUInt32BE(packet, 4 + signAlgoLen + 4 + sigLen, p);
       writeUInt32BE(packet, signAlgoLen, p += 4);
       packet.utf8Write(signAlgo, p += 4, signAlgoLen);
       writeUInt32BE(packet, sigLen, p += signAlgoLen);
       packet.set(signature, p += 4);
-      // Servers shouldn't send packet type 60 in response to signed publickey
-      // attempts, but if they do, interpret as type 60.
       this._authsQueue.push('publickey');
-      this._debug && this._debug(
-        'Outbound: Sending USERAUTH_REQUEST (publickey)'
-      );
+      this._debug && this._debug('Outbound: Sending USERAUTH_REQUEST (publickey)');
       sendPacket(this, this._packetRW.write.finalize(packet));
     });
   }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@electerm/ssh2",
-  "version": "1.17.0",
+  "version": "1.17.2",
   "author": "Brian White <mscdex@mscdex.net>",
   "description": "SSH2 client and server modules written in pure JavaScript for node.js",
   "main": "./lib/index.js",