summaryrefslogtreecommitdiff
path: root/lib/net/ssh/config.rb
blob: a40262ed475f73143be6495a78604c7bfdf37a80 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
module Net
  module SSH

    # The Net::SSH::Config class is used to parse OpenSSH configuration files,
    # and translates that syntax into the configuration syntax that Net::SSH
    # understands. This lets Net::SSH scripts read their configuration (to
    # some extent) from OpenSSH configuration files (~/.ssh/config, /etc/ssh_config,
    # and so forth).
    #
    # Only a subset of OpenSSH configuration options are understood:
    #
    # * ChallengeResponseAuthentication => maps to the :auth_methods option challenge-response (then coleasced into keyboard-interactive)
    # * KbdInteractiveAuthentication => maps to the :auth_methods keyboard-interactive
    # * CertificateFile => maps to the :keycerts option
    # * Ciphers => maps to the :encryption option
    # * Compression => :compression
    # * CompressionLevel => :compression_level
    # * ConnectTimeout => maps to the :timeout option
    # * ForwardAgent => :forward_agent
    # * GlobalKnownHostsFile => :global_known_hosts_file
    # * HostBasedAuthentication => maps to the :auth_methods option
    # * HostKeyAlgorithms => maps to :host_key option
    # * HostKeyAlias => :host_key_alias
    # * HostName => :host_name
    # * IdentityFile => maps to the :keys option
    # * IdentityAgent => :identity_agent
    # * IdentitiesOnly => :keys_only
    # * CheckHostIP => :check_host_ip
    # * Macs => maps to the :hmac option
    # * PasswordAuthentication => maps to the :auth_methods option password
    # * Port => :port
    # * PreferredAuthentications => maps to the :auth_methods option
    # * ProxyCommand => maps to the :proxy option
    # * ProxyJump => maps to the :proxy option
    # * PubKeyAuthentication => maps to the :auth_methods option
    # * RekeyLimit => :rekey_limit
    # * StrictHostKeyChecking => :strict_host_key_checking
    # * User => :user
    # * UserKnownHostsFile => :user_known_hosts_file
    # * NumberOfPasswordPrompts => :number_of_password_prompts
    # * FingerprintHash => :fingerprint_hash
    #
    # Note that you will never need to use this class directly--you can control
    # whether the OpenSSH configuration files are read by passing the :config
    # option to Net::SSH.start. (They are, by default.)
    class Config
      class << self
        @@default_files = %w[~/.ssh/config /etc/ssh_config /etc/ssh/ssh_config]
        # The following defaults follow the openssh client ssh_config defaults.
        # http://lwn.net/Articles/544640/
        # "hostbased" is off and "none" is not supported but we allow it since
        # it's used by some clients to query the server for allowed auth methods
        @@default_auth_methods = %w[none publickey password keyboard-interactive]

        # Returns an array of locations of OpenSSH configuration files
        # to parse by default.
        def default_files
          @@default_files.clone
        end

        def default_auth_methods
          @@default_auth_methods.clone
        end

        # Loads the configuration data for the given +host+ from all of the
        # given +files+ (defaulting to the list of files returned by
        # #default_files), translates the resulting hash into the options
        # recognized by Net::SSH, and returns them.
        def for(host, files=expandable_default_files)
          translate(files.inject({}) { |settings, file|
            load(file, host, settings)
          })
        end

        # Load the OpenSSH configuration settings in the given +file+ for the
        # given +host+. If +settings+ is given, the options are merged into
        # that hash, with existing values taking precedence over newly parsed
        # ones. Returns a hash containing the OpenSSH options. (See
        # #translate for how to convert the OpenSSH options into Net::SSH
        # options.)
        def load(path, host, settings={}, base_dir = nil)
          file = File.expand_path(path)
          base_dir ||= File.dirname(file)
          return settings unless File.readable?(file)

          globals = {}
          block_matched = false
          block_seen = false
          IO.foreach(file) do |line|
            next if line =~ /^\s*(?:#.*)?$/

            if line =~ /^\s*(\S+)\s*=(.*)$/
              key, value = $1, $2
            else
              key, value = line.strip.split(/\s+/, 2)
            end

            # silently ignore malformed entries
            next if value.nil?

            key.downcase!
            value = unquote(value)

            value = case value.strip
                    when /^\d+$/ then value.to_i
                    when /^no$/i then false
                    when /^yes$/i then true
                    else value
                    end

            if key == 'host'
              # Support "Host host1 host2 hostN".
              # See http://github.com/net-ssh/net-ssh/issues#issue/6
              negative_hosts, positive_hosts = value.to_s.split(/\s+/).partition { |h| h.start_with?('!') }

              # Check for negative patterns first. If the host matches, that overrules any other positive match.
              # The host substring code is used to strip out the starting "!" so the regexp will be correct.
              negative_matched = negative_hosts.any? { |h| host =~ pattern2regex(h[1..-1]) }

              if negative_matched
                block_matched = false
              else
                block_matched = positive_hosts.any? { |h| host =~ pattern2regex(h) }
              end

              block_seen = true
              settings[key] = host
            elsif key == 'match'
              block_matched = eval_match_conditions(value, host, settings)
              block_seen = true
            elsif !block_seen
              case key
              when 'identityfile', 'certificatefile'
                (globals[key] ||= []) << value
              when 'include'
                included_file_paths(base_dir, value).each do |file_path|
                  globals = load(file_path, host, globals, base_dir)
                end
              else
                globals[key] = value unless settings.key?(key)
              end
            elsif block_matched
              case key
              when 'identityfile', 'certificatefile'
                (settings[key] ||= []) << value
              when 'include'
                included_file_paths(base_dir, value).each do |file_path|
                  settings = load(file_path, host, settings, base_dir)
                end
              else
                settings[key] = value unless settings.key?(key)
              end
            end

            # ProxyCommand and ProxyJump override each other so they need to be tracked togeather
            %w[proxyjump proxycommand].each do |proxy_key|
              if (proxy_value = settings.delete(proxy_key))
                settings['proxy'] ||= [proxy_key, proxy_value]
              end
            end
          end

          globals.merge(settings) do |key, oldval, newval|
            case key
            when 'identityfile', 'certificatefile'
              oldval + newval
            else
              newval
            end
          end
        end

        # Given a hash of OpenSSH configuration options, converts them into
        # a hash of Net::SSH options. Unrecognized options are ignored. The
        # +settings+ hash must have Strings for keys, all downcased, and
        # the returned hash will have Symbols for keys.
        def translate(settings)
          auth_methods = default_auth_methods.clone
          (auth_methods << 'challenge-response').uniq!
          ret = settings.each_with_object({ auth_methods: auth_methods }) do |(key, value), hash|
            translate_config_key(hash, key.to_sym, value, settings)
          end
          merge_challenge_response_with_keyboard_interactive(ret)
        end

        # Filters default_files down to the files that are expandable.
        def expandable_default_files
          default_files.keep_if do |path|
            begin
              File.expand_path(path)
              true
            rescue ArgumentError
              false
            end
          end
        end

        private

        TRANSLATE_CONFIG_KEY_RENAME_MAP = {
          bindaddress: :bind_address,
          compression: :compression,
          compressionlevel: :compression_level,
          certificatefile: :keycerts,
          connecttimeout: :timeout,
          forwardagent: :forward_agent,
          identitiesonly: :keys_only,
          identityagent: :identity_agent,
          globalknownhostsfile: :global_known_hosts_file,
          hostkeyalias: :host_key_alias,
          identityfile: :keys,
          fingerprinthash: :fingerprint_hash,
          port: :port,
          stricthostkeychecking: :strict_host_key_checking,
          user: :user,
          userknownhostsfile: :user_known_hosts_file,
          checkhostip: :check_host_ip
        }.freeze
        def translate_config_key(hash, key, value, settings)
          case key
          when :ciphers
            hash[:encryption] = value.split(/,/)
          when :hostbasedauthentication
            if value
              (hash[:auth_methods] << "hostbased").uniq!
            else
              hash[:auth_methods].delete("hostbased")
            end
          when :hostkeyalgorithms
            hash[:host_key] = value.split(/,/)
          when :hostname
            hash[:host_name] = value.gsub(/%h/, settings['host'])
          when :macs
            hash[:hmac] = value.split(/,/)
          when :serveralivecountmax
            hash[:keepalive_maxcount] = value.to_i if value
          when :serveraliveinterval
            if value && value.to_i > 0
              hash[:keepalive] = true
              hash[:keepalive_interval] = value.to_i
            else
              hash[:keepalive] = false
            end
          when :passwordauthentication
            if value
              (hash[:auth_methods] << 'password').uniq!
            else
              hash[:auth_methods].delete('password')
            end
          when :challengeresponseauthentication
            if value
              (hash[:auth_methods] << 'challenge-response').uniq!
            else
              hash[:auth_methods].delete('challenge-response')
            end
          when :kbdinteractiveauthentication
            if value
              (hash[:auth_methods] << 'keyboard-interactive').uniq!
            else
              hash[:auth_methods].delete('keyboard-interactive')
            end
          when :preferredauthentications
            hash[:auth_methods] = value.split(/,/) # TODO we should place to preferred_auth_methods rather than auth_methods
          when :proxy
            if (proxy = setup_proxy(*value))
              hash[:proxy] = proxy
            end
          when :pubkeyauthentication
            if value
              (hash[:auth_methods] << 'publickey').uniq!
            else
              hash[:auth_methods].delete('publickey')
            end
          when :rekeylimit
            hash[:rekey_limit] = interpret_size(value)
          when :sendenv
            multi_send_env = value.to_s.split(/\s+/)
            hash[:send_env] = multi_send_env.map { |e| Regexp.new pattern2regex(e).source, false }
          when :setenv
            hash[:set_env] = Shellwords.split(value.to_s).map { |e| e.split '=', 2 }.to_h
          when :numberofpasswordprompts
            hash[:number_of_password_prompts] = value.to_i
          when *TRANSLATE_CONFIG_KEY_RENAME_MAP.keys
            hash[TRANSLATE_CONFIG_KEY_RENAME_MAP[key]] = value
          end
        end

        def setup_proxy(type, value)
          case type
          when 'proxycommand'
            if value !~ /^none$/
              require 'net/ssh/proxy/command'
              Net::SSH::Proxy::Command.new(value)
            end
          when 'proxyjump'
            require 'net/ssh/proxy/jump'
            Net::SSH::Proxy::Jump.new(value)
          end
        end

        # Converts an ssh_config pattern into a regex for matching against
        # host names.
        def pattern2regex(pattern)
          tail = pattern
          prefix = ""
          while !tail.empty? do
            head,sep,tail = tail.partition(/[\*\?]/)
            prefix = prefix + Regexp.quote(head)
            case sep
            when '*'
              prefix += '.*'
            when '?'
              prefix += '.'
            when ''
            else
              fail "Unpexpcted sep:#{sep}"
            end
          end
          Regexp.new("^" + prefix + "$", true)
        end

        # Converts the given size into an integer number of bytes.
        def interpret_size(size)
          case size
          when /k$/i then size.to_i * 1024
          when /m$/i then size.to_i * 1024 * 1024
          when /g$/i then size.to_i * 1024 * 1024 * 1024
          else size.to_i
          end
        end

        def merge_challenge_response_with_keyboard_interactive(hash)
          if hash[:auth_methods].include?('challenge-response')
            hash[:auth_methods].delete('challenge-response')
            (hash[:auth_methods] << 'keyboard-interactive').uniq!
          end
          hash
        end

        def included_file_paths(base_dir, config_paths)
          tokenize_config_value(config_paths).flat_map do |path|
            Dir.glob(File.expand_path(path, base_dir)).select { |f| File.file?(f) }
          end
        end

        # Tokenize string into tokens.
        # A token is a word or a quoted sequence of words, separated by whitespaces.
        def tokenize_config_value(str)
          str.scan(/([^"\s]+)?(?:"([^"]+)")?\s*/).map(&:join)
        end

        def eval_match_conditions(condition, host, settings)
          # Not using `\s` for whitespace matching as canonical
          # ssh_config parser implementation (OpenSSH) has specific character set.
          # Ref: https://github.com/openssh/openssh-portable/blob/2581333d564d8697837729b3d07d45738eaf5a54/misc.c#L237-L239
          conditions = condition.split(/[ \t\r\n]+|(?<!=)=(?!=)/).reject(&:empty?)
          return true if conditions == ["all"]

          conditions = conditions.each_slice(2)
          condition_matches = []
          conditions.each do |(kind,exprs)|
            exprs = unquote(exprs)

            case kind.downcase
            when "all"
              raise "all cannot be mixed with other conditions"
            when "host"
              if exprs.start_with?('!')
                negated = true
                exprs = exprs[1..-1]
              else
                negated = false
              end
              condition_met = false
              exprs.split(",").each do |expr|
                condition_met = condition_met || host =~ pattern2regex(expr)
              end
              condition_matches << (true && negated ^ condition_met)
              # else
              # warn "net-ssh: Unsupported expr in Match block: #{kind}"
            end
          end

          !condition_matches.empty? && condition_matches.all?
        end

        def unquote(string)
          string =~ /^"(.*)"$/ ? Regexp.last_match(1) : string
        end
      end
    end
  end
end