From 23cef13b90249690b5149b706bda2075d49cd80f Mon Sep 17 00:00:00 2001
From: Miklos Fazkeas
Date: Sat, 5 Apr 2014 20:53:27 +0200
Subject: Fix to #145. We now have different 'keyboard-interactive' and 'challenge-response' auth types internally. And as with openssl 6.x you have to set both KbdInteractiveAuthentication and ChallengeResponseAuthentication to 'no' to disable keyboard-interactive auth.
---
 lib/net/ssh/config.rb | 28 ++++++++++++++++++++++------
 test/configs/auth_off | 3 ++-
 test/test_config.rb | 30 ++++++++++++++++++++++++++++--
 3 files changed, 52 insertions(+), 9 deletions(-)
diff --git a/lib/net/ssh/config.rb b/lib/net/ssh/config.rb
index 137897c..fb605b2 100644
--- a/lib/net/ssh/config.rb
+++ b/lib/net/ssh/config.rb
@@ -8,7 +8,8 @@ module Net; module SSH
 #
 # Only a subset of OpenSSH configuration options are understood:
 #
- # * ChallengeResponseAuthentication => maps to the :auth_methods option
+ # * ChallengeResponseAuthentication => maps to the :auth_methods option challenge-response (then coleasced into keyboard-interactive)
+ # * KbdInteractiveAuthentication => maps to the :auth_methods keyboard-interactive
 # * Ciphers => maps to the :encryption option
 # * Compression => :compression
 # * CompressionLevel => :compression_level
@@ -22,7 +23,7 @@ module Net; module SSH
 # * IdentityFile => maps to the :keys option
 # * IdentitiesOnly => :keys_only
 # * Macs => maps to the :hmac option
- # * PasswordAuthentication => maps to the :auth_methods option
+ # * PasswordAuthentication => maps to the :auth_methods option password
 # * Port => :port
 # * PreferredAuthentications => maps to the :auth_methods option
 # * ProxyCommand => maps to the :proxy option
@@ -73,8 +74,6 @@ module Net; module SSH
 file = File.expand_path(path) return settings unless File.readable?(file) - settings[:auth_methods] ||= default_auth_methods.clone - globals = {} matched_host = nil multi_host = []
@@ -133,7 +132,9 @@ module Net; module SSH
 # +settings+ hash must have Strings for keys, all downcased, and
 # the returned hash will have Symbols for keys.
 def translate(settings)
- settings.inject({:auth_methods=>default_auth_methods.clone}) do |hash, (key, value)|
+ auth_methods = default_auth_methods.clone
+ (auth_methods << 'challenge-response').uniq!
+ ret = settings.inject({:auth_methods=>auth_methods}) do |hash, (key, value)|
 case key
 when 'bindaddress' then
 hash[:bind_address] = value
@@ -174,6 +175,12 @@ module Net; module SSH
 hash[:auth_methods].delete('password')
 end
 when 'challengeresponseauthentication'
+ if value
+ (hash[:auth_methods] << 'challenge-response').uniq!
+ else
+ hash[:auth_methods].delete('challenge-response')
+ end
+ when 'kbdinteractiveauthentication'
 if value
 (hash[:auth_methods] << 'keyboard-interactive').uniq!
 else
@@ -182,7 +189,7 @@ module Net; module SSH
 when 'port'
 hash[:port] = value
 when 'preferredauthentications'
- hash[:auth_methods] = value.split(/,/)
+ hash[:auth_methods] = value.split(/,/) # TODO we should place to preferred_auth_methods rather than auth_methods
 when 'proxycommand'
 if value and !(value =~ /^none$/)
 require 'net/ssh/proxy/command'
@@ -206,6 +213,7 @@ module Net; module SSH
 end
 hash
 end
+ merge_challenge_response_with_keyboard_interactive(ret)
 end
 private
@@ -229,6 +237,14 @@ module Net; module SSH
 else size.to_i
 end
 end
+
+ def merge_challenge_response_with_keyboard_interactive(hash)
+ if hash[:auth_methods].include?('challenge-response')
+ hash[:auth_methods].delete('challenge-response')
+ (hash[:auth_methods] << 'keyboard-interactive').uniq!
+ end
+ hash
+ end
 end
 end
diff --git a/test/configs/auth_off b/test/configs/auth_off
index 6b1b6ef..cf13bd5 100644
--- a/test/configs/auth_off
+++ b/test/configs/auth_off
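Review bot: The `'challenge-response'` entry seeded at the top of `translate` (hunk `@@ -133,7 +132,9 @@`) is an internal placeholder, and nothing at that line says so. A reader who sees it appended to the default list could reasonably assume it is a method name offered to the server. A one-line comment above the append would make the intent clear, for example `# 'challenge-response' is an internal placeholder; it is folded into 'keyboard-interactive' before translate returns`. The `.uniq!` on a freshly cloned list looks redundant unless `default_auth_methods` can already contain the placeholder. The body of `translate` continues outside this hunk.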
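Review bot: A configuration that sets only `ChallengeResponseAuthentication no` no longer removes `'keyboard-interactive'`, because the `challengeresponseauthentication` branch in hunk `@@ -174,6 +175,12 @@` now deletes only the placeholder. The previous body of that branch, now under `kbdinteractiveauthentication`, deleted `'keyboard-interactive'` directly. The new test in test/test_config.rb confirms the method stays enabled in that case, so hosts hardened with the single option will offer keyboard-interactive again after upgrading. This is the behaviour the commit message intends, but it should be stated where users will see it, for example in the option list at the top of the file: `# keyboard-interactive is disabled only when both ChallengeResponseAuthentication and KbdInteractiveAuthentication are 'no'`. The `case` statement continues outside this hunk.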
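Review bot: The assignment on the `preferredauthentications` line (hunk `@@ -182,7 +189,7 @@`) replaces the whole list, so it also discards the seeded `'challenge-response'` placeholder and any earlier `...Authentication no` deletions. Assuming `settings` is iterated in the order the keys were read, the both-must-be-off rule then depends on key order. If this key is processed first, a lone `KbdInteractiveAuthentication no` removes keyboard-interactive. If it is processed after both options were set to `no`, a list naming keyboard-interactive enables it again. The TODO would be more useful if it said this, for example `# TODO: store in :preferred_auth_methods; assigning here overrides earlier *Authentication yes/no settings`, and a test combining `preferredauthentications` with the two new keys would pin the current behaviour.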
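Review bot: In `merge_challenge_response_with_keyboard_interactive` (hunk `@@ -229,6 +237,14 @@`) the `include?` check followed by `delete` scans the list twice. `Array#delete` returns nil when the element is absent, so the guard can be written as `if hash[:auth_methods].delete('challenge-response')`. The helper also has no comment. A short one saying that it mutates `hash[:auth_methods]` in place, removes the internal placeholder and returns the same hash would help, since the call in `translate` relies on that return value. The enclosing class body continues outside this hunk.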
@@ -1,4 +1,5 @@
 HostBasedAuthentication no
 PasswordAuthentication no
 PubKeyAuthentication no
-ChallengeResponseAuthentication no
\ No newline at end of file
+ChallengeResponseAuthentication no
+KbdInteractiveAuthentication no
diff --git a/test/test_config.rb b/test/test_config.rb
index cb462de..761299d 100644
--- a/test/test_config.rb
+++ b/test/test_config.rb
@@ -112,7 +112,8 @@ class TestConfig < Test::Unit::TestCase
 'hostbasedauthentication' => false,
 'passwordauthentication' => false,
 'pubkeyauthentication' => false,
- 'challengeresponseauthentication' => false
+ 'challengeresponseauthentication' => false,
+ 'kbdinteractiveauthentication' => false
 }
 net_ssh = Net::SSH::Config.translate(open_ssh)
@@ -125,7 +126,8 @@ class TestConfig < Test::Unit::TestCase
 'hostbasedauthentication' => true,
 'passwordauthentication' => true,
 'pubkeyauthentication' => true,
- 'challengeresponseauthentication' => true
+ 'challengeresponseauthentication' => true,
+ 'kbdinteractiveauthentication' => true
 }
 net_ssh = Net::SSH::Config.translate(open_ssh)
@@ -133,6 +135,30 @@ class TestConfig < Test::Unit::TestCase
 assert_equal %w(hostbased keyboard-interactive none password publickey), net_ssh[:auth_methods].sort
 end
+ def test_translate_should_not_disable_keyboard_interactive_when_challange_or_keyboardinterective_is_on
+ open_ssh = {
+ 'kbdinteractiveauthentication' => false
+ }
+ net_ssh = Net::SSH::Config.translate(open_ssh)
+ assert_equal %w(keyboard-interactive none password publickey), net_ssh[:auth_methods].sort
+
+ open_ssh = {
+ 'challengeresponseauthentication' => false
+ }
+ net_ssh = Net::SSH::Config.translate(open_ssh)
+ assert_equal %w(keyboard-interactive none password publickey), net_ssh[:auth_methods].sort
+ end
+
+ def test_should_ddisable_keyboard_interactive_when_challeng_and_keyboardinteractive_is_off
+ open_ssh = {
+ 'challengeresponseauthentication' => false,
+ 'kbdinteractiveauthentication' => false
+ }
+
+ net_ssh = Net::SSH::Config.translate(open_ssh)
+ assert_equal %w(none password publickey), net_ssh[:auth_methods].sort
+ end
+
 def test_for_should_turn_off_authentication_methods
 config = Net::SSH::Config.for("test.host", [config(:empty), config(:auth_off), config(:auth_on)])
 assert_equal %w(none), config[:auth_methods].sort
--
cgit v1.2.1
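Review bot: The two new test names are misspelled (`challange`, `keyboardinterective`, `ddisable`, `challeng`), and the first one says "is_on" although each case sets exactly one option to `false`. Because these tests are the only place that records the both-must-be-off rule, the names should state it, for example `test_translate_should_keep_keyboard_interactive_when_only_one_of_challenge_response_or_kbd_interactive_is_off` and `test_translate_should_disable_keyboard_interactive_when_both_are_off`. The first test also packs two independent scenarios into one method, so a failure in the first assertion hides the result of the second. Splitting it in two would give one failure per scenario.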