Diffstat (limited to 'lib/net/ssh')
-rw-r--r-- | lib/net/ssh/authentication/agent/socket.rb | 2 | ||||
-rw-r--r-- | lib/net/ssh/authentication/key_manager.rb | 11 | ||||
-rw-r--r-- | lib/net/ssh/authentication/session.rb | 4 | ||||
-rw-r--r-- | lib/net/ssh/config.rb | 28 | ||||
-rw-r--r-- | lib/net/ssh/known_hosts.rb | 12 | ||||
-rw-r--r-- | lib/net/ssh/transport/algorithms.rb | 17 |
6 files changed, 55 insertions, 19 deletions
diff --git a/lib/net/ssh/authentication/agent/socket.rb b/lib/net/ssh/authentication/agent/socket.rb
index 0bb43a1..c80099e 100644
--- a/lib/net/ssh/authentication/agent/socket.rb
+++ b/lib/net/ssh/authentication/agent/socket.rb
@@ -77,6 +77,8 @@ module Net; module SSH; module Authentication
 if type == SSH2_AGENT_VERSION_RESPONSE
 raise AgentNotAvailable, "SSH2 agents are not yet supported"
+elsif type == SSH2_AGENT_FAILURE
+debug { "Unexpected response type==#{type}, this will be ignored" }
 elsif type != SSH_AGENT_RSA_IDENTITIES_ANSWER1 && type != SSH_AGENT_RSA_IDENTITIES_ANSWER2
 raise AgentNotAvailable, "unknown response from agent: #{type}, #{body.to_s.inspect}"
 end
diff --git a/lib/net/ssh/authentication/key_manager.rb b/lib/net/ssh/authentication/key_manager.rb
index dc9480b..9847750 100644
--- a/lib/net/ssh/authentication/key_manager.rb
+++ b/lib/net/ssh/authentication/key_manager.rb
@@ -37,13 +37,13 @@ module Net
 attr_reader :options
 # Create a new KeyManager. By default, the manager will
-# use the ssh-agent if it is running and the `:keys_only` option
-# is not true.
+# use the ssh-agent if it is running and the `:use_agent` option
+# is not false.
 def initialize(logger, options={})
 self.logger = logger
 @key_files = []
 @key_data = []
-@use_agent = !options[:keys_only]
+@use_agent = !(options[:use_agent] == false)
 @known_identities = {}
 @agent = nil
 @options = options
@@ -92,8 +92,9 @@ module Net
 # ssh-agent. Note that identities from an ssh-agent are always listed
 # first in the array, with other identities coming after.
 #
-# If key manager was created with :keys_only option, no identities
-# from ssh-agent will be loaded.
+# If key manager was created with :keys_only option, any identity
+# from ssh-agent will be ignored unless it present in key_files or
+# key_data.
 def each_identity
 prepared_identities = prepare_identities_from_files + prepare_identities_from_data
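Review bot: The new `elsif type == SSH2_AGENT_FAILURE` branch tolerates a failure reply without saying why that is acceptable at this point, and it logs it only through `debug`, so at default verbosity an agent that rejects the probe leaves no trace. A short why-comment above the branch would spare the next reader a trip into the agent protocol, e.g. `# An agent that does not understand the request answers SSH2_AGENT_FAILURE; treat that as "no SSH1 support", not as a broken agent` (the request being answered is sent before this hunk, so the exact wording should be checked against it). The enclosing method starts and ends outside the hunk.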
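Review bot: `@use_agent = !(options[:use_agent] == false)` in initialize is a double negative; `@use_agent = options[:use_agent] != false` says the same thing directly. Because `:keys_only` no longer switches the agent off, callers that passed only `:keys_only => true` will now talk to the agent; the each_identity comment in the next hunk says such identities are then ignored unless present in key_files or key_data, but the code that does that filtering is not in this diff, so the change deserves a line in the changelog. That same comment has a typo, `unless it present` should read `unless it is present`.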
diff --git a/lib/net/ssh/authentication/session.rb b/lib/net/ssh/authentication/session.rb
index c63bf41..5ac2cdc 100644
--- a/lib/net/ssh/authentication/session.rb
+++ b/lib/net/ssh/authentication/session.rb
@@ -133,8 +133,8 @@ module Net; module SSH; module Authentication
 # by system default.
 def default_keys
 if defined?(OpenSSL::PKey::EC)
-%w(~/.ssh/id_dsa ~/.ssh/id_rsa ~/.ssh/id_ecdsa
-~/.ssh2/id_dsa ~/.ssh2/id_rsa ~/.ssh2/id_ecdsa)
+%w(~/.ssh/id_ed25519 ~/.ssh/id_rsa ~/.ssh/id_dsa ~/.ssh/id_ecdsa
+~/.ssh2/id_ed25519 ~/.ssh2/id_rsa ~/.ssh2/id_dsa ~/.ssh2/id_ecdsa)
 else
 %w(~/.ssh/id_dsa ~/.ssh/id_rsa ~/.ssh2/id_dsa ~/.ssh2/id_rsa)
 end
diff --git a/lib/net/ssh/config.rb b/lib/net/ssh/config.rb
index 4798344..fb605b2 100644
--- a/lib/net/ssh/config.rb
+++ b/lib/net/ssh/config.rb
@@ -8,7 +8,8 @@ module Net; module SSH
 #
 # Only a subset of OpenSSH configuration options are understood:
 #
-# * ChallengeResponseAuthentication => maps to the :auth_methods option
+# * ChallengeResponseAuthentication => maps to the :auth_methods option challenge-response (then coleasced into keyboard-interactive)
+# * KbdInteractiveAuthentication => maps to the :auth_methods keyboard-interactive
 # * Ciphers => maps to the :encryption option
 # * Compression => :compression
 # * CompressionLevel => :compression_level
@@ -22,7 +23,7 @@ module Net; module SSH
 # * IdentityFile => maps to the :keys option
 # * IdentitiesOnly => :keys_only
 # * Macs => maps to the :hmac option
-# * PasswordAuthentication => maps to the :auth_methods option
+# * PasswordAuthentication => maps to the :auth_methods option password
 # * Port => :port
 # * PreferredAuthentications => maps to the :auth_methods option
 # * ProxyCommand => maps to the :proxy option
@@ -73,8 +74,6 @@ module Net; module SSH
 file = File.expand_path(path)
 return settings unless File.readable?(file)
-settings[:auth_methods] ||= default_auth_methods.clone
-
 globals = {}
 matched_host = nil
 multi_host = []
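Review bot: The new id_ed25519 defaults in default_keys are listed only under `if defined?(OpenSSL::PKey::EC)`, while the `else` list is unchanged; Ed25519 is not an OpenSSL EC key type, so on a Ruby without PKey::EC the Ed25519 default path is never tried even when an Ed25519 backend is present (inferred; that backend is not in this diff). If the EC guard is simply the "modern toolchain" branch, a comment saying so, e.g. `# id_ed25519 is grouped here for convenience; Ed25519 does not depend on PKey::EC`, would stop readers from reading a dependency into it; otherwise add the ed25519 paths to the `else` list as well.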
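Review bot: The rewritten ChallengeResponseAuthentication line in the option table contains a typo, `coleasced` should be `coalesced`, and it is now much longer than every other entry. A shorter phrasing keeps the table scannable, e.g. `# * ChallengeResponseAuthentication => maps to the :auth_methods option (challenge-response, merged into keyboard-interactive)`.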
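Review bot: Removing `settings[:auth_methods] ||= default_auth_methods.clone` from load means the hash load returns no longer carries a default :auth_methods; the default is now seeded in translate instead. Any caller that uses load on its own rather than through translate loses that default (inferred; load's callers are not in this diff), so if load is public it is worth a sentence in its doc comment, e.g. `# Note that :auth_methods is not defaulted here; translate supplies it.` The enclosing method starts and ends outside the hunk.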
@@ -133,7 +132,9 @@ module Net; module SSH
 # +settings+ hash must have Strings for keys, all downcased, and
 # the returned hash will have Symbols for keys.
 def translate(settings)
-settings.inject({}) do |hash, (key, value)|
+auth_methods = default_auth_methods.clone
+(auth_methods << 'challenge-response').uniq!
+ret = settings.inject({:auth_methods=>auth_methods}) do |hash, (key, value)|
 case key
 when 'bindaddress' then
 hash[:bind_address] = value
@@ -175,6 +176,12 @@ module Net; module SSH
 end
 when 'challengeresponseauthentication'
 if value
+(hash[:auth_methods] << 'challenge-response').uniq!
+else
+hash[:auth_methods].delete('challenge-response')
+end
+when 'kbdinteractiveauthentication'
+if value
 (hash[:auth_methods] << 'keyboard-interactive').uniq!
 else
 hash[:auth_methods].delete('keyboard-interactive')
@@ -182,7 +189,7 @@ module Net; module SSH
 when 'port'
 hash[:port] = value
 when 'preferredauthentications'
-hash[:auth_methods] = value.split(/,/)
+hash[:auth_methods] = value.split(/,/) # TODO we should place to preferred_auth_methods rather than auth_methods
 when 'proxycommand'
 if value and !(value =~ /^none$/)
 require 'net/ssh/proxy/command'
@@ -206,6 +213,7 @@ module Net; module SSH
 end
 hash
 end
+merge_challenge_response_with_keyboard_interactive(ret)
 end
 private
@@ -229,6 +237,14 @@ module Net; module SSH
 else
 size.to_i
 end
 end
+def merge_challenge_response_with_keyboard_interactive(hash)
+if hash[:auth_methods].include?('challenge-response')
+hash[:auth_methods].delete('challenge-response')
+(hash[:auth_methods] << 'keyboard-interactive').uniq!
+end
+hash
+end
 end
 end
diff --git a/lib/net/ssh/known_hosts.rb b/lib/net/ssh/known_hosts.rb
index f91131e..7ee253a 100644
--- a/lib/net/ssh/known_hosts.rb
+++ b/lib/net/ssh/known_hosts.rb
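Review bot: Seeding the inject hash in translate with 'challenge-response' means an explicit `KbdInteractiveAuthentication no` is undone at the end of the method: the `kbdinteractiveauthentication` branch in the @@ -175 hunk deletes only 'keyboard-interactive', 'challenge-response' stays in the list, and merge_challenge_response_with_keyboard_interactive in the @@ -229 hunk then puts 'keyboard-interactive' back. Since the merge helper itself treats the two names as one mechanism, a `no` on either option should leave the list without keyboard-interactive; the smallest fix is to make the `else` of the kbdinteractiveauthentication branch read `hash[:auth_methods].delete('keyboard-interactive')` followed by `hash[:auth_methods].delete('challenge-response')`. The `preferredauthentications` branch replaces the whole list, so the seeded entries are discarded there, which is consistent with the old behaviour; the TODO added on that line would be clearer as a sentence above the `when`, stating that the value is a preference order rather than an allow-list.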
@@ -15,9 +15,17 @@ module Net; module SSH
 SUPPORTED_TYPE = %w(ssh-rsa ssh-dss ecdsa-sha2-nistp256 ecdsa-sha2-nistp384
-ecdsa-sha2-nistp521)
+ecdsa-sha2-nistp521
+ssh-ed25519-cert-v01@openssh.com
+ssh-rsa-cert-v01@openssh.com
+ssh-rsa-cert-v00@openssh.com
+ssh-ed25519
+)
 else
-SUPPORTED_TYPE = %w(ssh-rsa ssh-dss)
+SUPPORTED_TYPE = %w(ssh-rsa ssh-dss
+ssh-rsa-cert-v01@openssh.com
+ssh-rsa-cert-v00@openssh.com
+)
 end
diff --git a/lib/net/ssh/transport/algorithms.rb b/lib/net/ssh/transport/algorithms.rb
index d34e1ea..f4aec2f 100644
--- a/lib/net/ssh/transport/algorithms.rb
+++ b/lib/net/ssh/transport/algorithms.rb
@@ -22,7 +22,9 @@ module Net; module SSH; module Transport
 # Define the default algorithms, in order of preference, supported by
 # Net::SSH.
 ALGORITHMS = {
-:host_key => %w(ssh-rsa ssh-dss),
+:host_key => %w(ssh-rsa ssh-dss
+ssh-rsa-cert-v01@openssh.com
+ssh-rsa-cert-v00@openssh.com),
 :kex => %w(diffie-hellman-group-exchange-sha1 diffie-hellman-group1-sha1 diffie-hellman-group14-sha1
@@ -40,21 +42,28 @@ module Net; module SSH; module Transport
 camellia192-ctr@openssh.org camellia256-ctr@openssh.org cast128-ctr blowfish-ctr 3des-ctr
+aes256-gcm@openssh.com aes128-gcm@openssh.com
 ),
 :hmac => %w(hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96 hmac-ripemd160 hmac-ripemd160@openssh.com hmac-sha2-256 hmac-sha2-512 hmac-sha2-256-96
-hmac-sha2-512-96 none),
+hmac-sha2-512-96 none
+hmac-sha2-512-etm@openssh.com hmac-sha2-256-etm@openssh.com
+umac-128-etm@openssh.com),
+
 :compression => %w(none zlib@openssh.com zlib),
 :language => %w()
 }
 if defined?(OpenSSL::PKey::EC)
 ALGORITHMS[:host_key] += %w(ecdsa-sha2-nistp256 ecdsa-sha2-nistp384
-ecdsa-sha2-nistp521)
+ecdsa-sha2-nistp521
+ssh-ed25519-cert-v01@openssh.com
+ssh-ed25519)
 ALGORITHMS[:kex] += %w(ecdh-sha2-nistp256 ecdh-sha2-nistp384
-ecdh-sha2-nistp521)
+ecdh-sha2-nistp521
+curve25519-sha256@libssh.org)
 end
 # The underlying transport layer session that supports this object
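Review bot: `ssh-ed25519` and `ssh-ed25519-cert-v01@openssh.com` are added to SUPPORTED_TYPE only in the `defined?(OpenSSL::PKey::EC)` branch, while the `else` branch gains only the RSA certificate types. Whether an Ed25519 known_hosts entry can be handled depends on the Ed25519 backend rather than on OpenSSL's EC classes (inferred; that backend is not in this diff), so on a Ruby without PKey::EC a host keyed with ssh-ed25519 is simply absent from SUPPORTED_TYPE. Either list the ed25519 types in both branches or add a comment above the constant explaining why they follow the EC guard, e.g. `# ed25519 types are grouped with the EC branch for convenience only`. The same guard pattern appears in session.rb's default_keys and algorithms.rb's host_key list in this diff.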
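Review bot: The new AEAD ciphers and encrypt-then-MAC algorithms are appended to the end of lists that the comment above the @@ -22 hunk describes as being "in order of preference", so `aes256-gcm@openssh.com aes128-gcm@openssh.com` sit behind every legacy cipher and the three `-etm@openssh.com` MACs sit behind hmac-sha1, hmac-md5, the truncated -96 variants and even `none`. In SSH negotiation the client's first entry that the server also supports is chosen, so against a typical server these additions will rarely be selected, which defeats the point of adding them. If the intent is to use them, move the two GCM ciphers to the front of the cipher list and the etm MACs ahead of the legacy entries, and reconsider whether `none` belongs in the default MAC offer at all. The same ordering question applies to `ssh-ed25519` and `curve25519-sha256@libssh.org`, which trail ssh-dss and the group1 kex; the start of the cipher list lies before this hunk.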