/usr/lib/ruby/vendor_ruby/net/ssh/authentication/agent.rb is in ruby-net-ssh 1:4.2.0-2ubuntu1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 | require 'net/ssh/buffer'
require 'net/ssh/errors'
require 'net/ssh/loggable'
require 'net/ssh/transport/server_version'
require 'socket'
require 'rubygems'
require 'net/ssh/authentication/pageant' if Gem.win_platform? && RUBY_PLATFORM != "java"
module Net; module SSH; module Authentication
# Class for representing agent-specific errors.
class AgentError < Net::SSH::Exception; end
# An exception for indicating that the SSH agent is not available.
class AgentNotAvailable < AgentError; end
# This class implements a simple client for the ssh-agent protocol. It
# does not implement any specific protocol, but instead copies the
# behavior of the ssh-agent functions in the OpenSSH library (3.8).
#
# This means that although it behaves like a SSH1 client, it also has
# some SSH2 functionality (like signing data).
class Agent
include Loggable
# A simple module for extending keys, to allow comments to be specified
# for them.
module Comment
attr_accessor :comment
end
SSH2_AGENT_REQUEST_VERSION = 1
SSH2_AGENT_REQUEST_IDENTITIES = 11
SSH2_AGENT_IDENTITIES_ANSWER = 12
SSH2_AGENT_SIGN_REQUEST = 13
SSH2_AGENT_SIGN_RESPONSE = 14
SSH2_AGENT_ADD_IDENTITY = 17
SSH2_AGENT_REMOVE_IDENTITY = 18
SSH2_AGENT_REMOVE_ALL_IDENTITIES = 19
SSH2_AGENT_ADD_ID_CONSTRAINED = 25
SSH2_AGENT_FAILURE = 30
SSH2_AGENT_VERSION_RESPONSE = 103
SSH_COM_AGENT2_FAILURE = 102
SSH_AGENT_REQUEST_RSA_IDENTITIES = 1
SSH_AGENT_RSA_IDENTITIES_ANSWER1 = 2
SSH_AGENT_RSA_IDENTITIES_ANSWER2 = 5
SSH_AGENT_FAILURE = 5
SSH_AGENT_SUCCESS = 6
SSH_AGENT_CONSTRAIN_LIFETIME = 1
SSH_AGENT_CONSTRAIN_CONFIRM = 2
SSH_AGENT_RSA_SHA2_256 = 0x02
SSH_AGENT_RSA_SHA2_512 = 0x04
# The underlying socket being used to communicate with the SSH agent.
attr_reader :socket
# Instantiates a new agent object, connects to a running SSH agent,
# negotiates the agent protocol version, and returns the agent object.
def self.connect(logger=nil, agent_socket_factory = nil)
agent = new(logger)
agent.connect!(agent_socket_factory)
agent.negotiate!
agent
end
# Creates a new Agent object, using the optional logger instance to
# report status.
def initialize(logger=nil)
self.logger = logger
end
# Connect to the agent process using the socket factory and socket name
# given by the attribute writers. If the agent on the other end of the
# socket reports that it is an SSH2-compatible agent, this will fail
# (it only supports the ssh-agent distributed by OpenSSH).
def connect!(agent_socket_factory = nil)
debug { "connecting to ssh-agent" }
@socket =
if agent_socket_factory
agent_socket_factory.call
elsif ENV['SSH_AUTH_SOCK'] && unix_socket_class
unix_socket_class.open(ENV['SSH_AUTH_SOCK'])
elsif Gem.win_platform? && RUBY_ENGINE != "jruby"
Pageant::Socket.open
else
raise AgentNotAvailable, "Agent not configured"
end
rescue StandardError => e
error { "could not connect to ssh-agent: #{e.message}" }
raise AgentNotAvailable, $!.message
end
# Attempts to negotiate the SSH agent protocol version. Raises an error
# if the version could not be negotiated successfully.
def negotiate!
# determine what type of agent we're communicating with
type, body = send_and_wait(SSH2_AGENT_REQUEST_VERSION, :string, Transport::ServerVersion::PROTO_VERSION)
raise AgentNotAvailable, "SSH2 agents are not yet supported" if type == SSH2_AGENT_VERSION_RESPONSE
if type == SSH2_AGENT_FAILURE
debug { "Unexpected response type==#{type}, this will be ignored" }
elsif type != SSH_AGENT_RSA_IDENTITIES_ANSWER1 && type != SSH_AGENT_RSA_IDENTITIES_ANSWER2
raise AgentNotAvailable, "unknown response from agent: #{type}, #{body.to_s.inspect}"
end
end
# Return an array of all identities (public keys) known to the agent.
# Each key returned is augmented with a +comment+ property which is set
# to the comment returned by the agent for that key.
def identities
type, body = send_and_wait(SSH2_AGENT_REQUEST_IDENTITIES)
raise AgentError, "could not get identity count" if agent_failed(type)
raise AgentError, "bad authentication reply: #{type}" if type != SSH2_AGENT_IDENTITIES_ANSWER
identities = []
body.read_long.times do
key_str = body.read_string
comment_str = body.read_string
begin
key = Buffer.new(key_str).read_key
key.extend(Comment)
key.comment = comment_str
identities.push key
rescue NotImplementedError => e
error { "ignoring unimplemented key:#{e.message} #{comment_str}" }
end
end
return identities
end
# Closes this socket. This agent reference is no longer able to
# query the agent.
def close
@socket.close
end
# Using the agent and the given public key, sign the given data. The
# signature is returned in SSH2 format.
def sign(key, data, flags = 0)
type, reply = send_and_wait(SSH2_AGENT_SIGN_REQUEST, :string, Buffer.from(:key, key), :string, data, :long, flags)
raise AgentError, "agent could not sign data with requested identity" if agent_failed(type)
raise AgentError, "bad authentication response #{type}" if type != SSH2_AGENT_SIGN_RESPONSE
return reply.read_string
end
# Adds the private key with comment to the agent.
# If lifetime is given, the key will automatically be removed after lifetime
# seconds.
# If confirm is true, confirmation will be required for each agent signing
# operation.
def add_identity(priv_key, comment, lifetime: nil, confirm: false)
constraints = Buffer.new
if lifetime
constraints.write_byte(SSH_AGENT_CONSTRAIN_LIFETIME)
constraints.write_long(lifetime)
end
constraints.write_byte(SSH_AGENT_CONSTRAIN_CONFIRM) if confirm
req_type = constraints.empty? ? SSH2_AGENT_ADD_IDENTITY : SSH2_AGENT_ADD_ID_CONSTRAINED
type, = send_and_wait(req_type, :string, priv_key.ssh_type, :raw, blob_for_add(priv_key),
:string, comment, :raw, constraints)
raise AgentError, "could not add identity to agent" if type != SSH_AGENT_SUCCESS
end
# Removes key from the agent.
def remove_identity(key)
type, = send_and_wait(SSH2_AGENT_REMOVE_IDENTITY, :string, key.to_blob)
raise AgentError, "could not remove identity from agent" if type != SSH_AGENT_SUCCESS
end
# Removes all identities from the agent.
def remove_all_identities
type, = send_and_wait(SSH2_AGENT_REMOVE_ALL_IDENTITIES)
raise AgentError, "could not remove all identity from agent" if type != SSH_AGENT_SUCCESS
end
private
def unix_socket_class
defined?(UNIXSocket) && UNIXSocket
end
# Send a new packet of the given type, with the associated data.
def send_packet(type, *args)
buffer = Buffer.from(*args)
data = [buffer.length + 1, type.to_i, buffer.to_s].pack("NCA*")
debug { "sending agent request #{type} len #{buffer.length}" }
@socket.send data, 0
end
# Read the next packet from the agent. This will return a two-part
# tuple consisting of the packet type, and the packet's body (which
# is returned as a Net::SSH::Buffer).
def read_packet
buffer = Net::SSH::Buffer.new(@socket.read(4))
buffer.append(@socket.read(buffer.read_long))
type = buffer.read_byte
debug { "received agent packet #{type} len #{buffer.length-4}" }
return type, buffer
end
# Send the given packet and return the subsequent reply from the agent.
# (See #send_packet and #read_packet).
def send_and_wait(type, *args)
send_packet(type, *args)
read_packet
end
# Returns +true+ if the parameter indicates a "failure" response from
# the agent, and +false+ otherwise.
def agent_failed(type)
type == SSH_AGENT_FAILURE ||
type == SSH2_AGENT_FAILURE ||
type == SSH_COM_AGENT2_FAILURE
end
def blob_for_add(priv_key)
# Ideally we'd have something like `to_private_blob` on the various key types, but the
# nuances with encoding (e.g. `n` and `e` are reversed for RSA keys) make this impractical.
case priv_key.ssh_type
when /^ssh-dss$/
Net::SSH::Buffer.from(:bignum, priv_key.p, :bignum, priv_key.q, :bignum, priv_key.g,
:bignum, priv_key.pub_key, :bignum, priv_key.priv_key).to_s
when /^ssh-dss-cert-v01@openssh\.com$/
Net::SSH::Buffer.from(:string, priv_key.to_blob, :bignum, priv_key.key.priv_key).to_s
when /^ecdsa\-sha2\-(\w*)$/
curve_name = OpenSSL::PKey::EC::CurveNameAliasInv[priv_key.group.curve_name]
Net::SSH::Buffer.from(:string, curve_name, :mstring, priv_key.public_key.to_bn.to_s(2),
:bignum, priv_key.private_key).to_s
when /^ecdsa\-sha2\-(\w*)-cert-v01@openssh\.com$/
Net::SSH::Buffer.from(:string, priv_key.to_blob, :bignum, priv_key.key.private_key).to_s
when /^ssh-ed25519$/
Net::SSH::Buffer.from(:string, priv_key.public_key.verify_key.to_bytes,
:string, priv_key.sign_key.keypair_bytes).to_s
when /^ssh-ed25519-cert-v01@openssh\.com$/
# Unlike the other certificate types, the public key is included after the certifiate.
Net::SSH::Buffer.from(:string, priv_key.to_blob,
:string, priv_key.key.public_key.verify_key.to_bytes,
:string, priv_key.key.sign_key.keypair_bytes).to_s
when /^ssh-rsa$/
# `n` and `e` are reversed compared to the ordering in `OpenSSL::PKey::RSA#to_blob`.
Net::SSH::Buffer.from(:bignum, priv_key.n, :bignum, priv_key.e, :bignum, priv_key.d,
:bignum, priv_key.iqmp, :bignum, priv_key.p, :bignum, priv_key.q).to_s
when /^ssh-rsa-cert-v01@openssh\.com$/
Net::SSH::Buffer.from(:string, priv_key.to_blob, :bignum, priv_key.key.d,
:bignum, priv_key.key.iqmp, :bignum, priv_key.key.p,
:bignum, priv_key.key.q).to_s
end
end
end
end; end; end
|