1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
|
require 'strscan'
require 'openssl'
require 'base64'
require 'net/ssh/buffer'
require 'net/ssh/authentication/ed25519_loader'
module Net
module SSH
module HostKeyEntries
# regular public key entry
class PubKey < Delegator
def initialize(key, comment: nil) # rubocop:disable Lint/MissingSuper
@key = key
@comment = comment
end
def ssh_type
@key.ssh_type
end
def ssh_types
[ssh_type]
end
def to_blob
@key.to_blob
end
def __getobj__
Kernel.warn("Calling Net::SSH::Buffer methods on HostKeyEntries PubKey is deprecated")
@key
end
def matches_key?(server_key)
@key.ssh_type == server_key.ssh_type && @key.to_blob == server_key.to_blob
end
end
# @cert-authority entry
class CertAuthority
def ssh_types
%w[
ecdsa-sha2-nistp256-cert-v01@openssh.com
ecdsa-sha2-nistp384-cert-v01@openssh.com
ecdsa-sha2-nistp521-cert-v01@openssh.com
ssh-ed25519-cert-v01@openssh.com
ssh-rsa-cert-v01@openssh.com
ssh-rsa-cert-v00@openssh.com
]
end
def initialize(key, comment: nil)
@key = key
@comment = comment
end
def matches_key?(server_key)
if ssh_types.include?(server_key.ssh_type)
server_key.signature_valid? && (server_key.signature_key.to_blob == @key.to_blob)
else
false
end
end
end
end
# Represents the result of a search in known hosts
# see search_for
class HostKeys
include Enumerable
attr_reader :host
def initialize(host_keys, host, known_hosts, options = {})
@host_keys = host_keys
@host = host
@known_hosts = known_hosts
@options = options
end
def add_host_key(key)
@known_hosts.add(@host, key, @options)
@host_keys.push(key)
end
def each(&block)
@host_keys.each(&block)
end
def empty?
@host_keys.empty?
end
end
# Searches an OpenSSH-style known-host file for a given host, and returns all
# matching keys. This is used to implement host-key verification, as well as
# to determine what key a user prefers to use for a given host.
#
# This is used internally by Net::SSH, and will never need to be used directly
# by consumers of the library.
class KnownHosts
SUPPORTED_TYPE = %w[ssh-rsa ssh-dss
ecdsa-sha2-nistp256
ecdsa-sha2-nistp384
ecdsa-sha2-nistp521]
SUPPORTED_TYPE.push('ssh-ed25519') if Net::SSH::Authentication::ED25519Loader::LOADED
class << self
# Searches all known host files (see KnownHosts.hostfiles) for all keys
# of the given host. Returns an enumerable of keys found.
def search_for(host, options = {})
HostKeys.new(search_in(hostfiles(options), host, options), host, self, options)
end
# Search for all known keys for the given host, in every file given in
# the +files+ array. Returns the list of keys.
def search_in(files, host, options = {})
files.flat_map { |file| KnownHosts.new(file).keys_for(host, options) }
end
# Looks in the given +options+ hash for the :user_known_hosts_file and
# :global_known_hosts_file keys, and returns an array of all known
# hosts files. If the :user_known_hosts_file key is not set, the
# default is returned (~/.ssh/known_hosts and ~/.ssh/known_hosts2). If
# :global_known_hosts_file is not set, the default is used
# (/etc/ssh/ssh_known_hosts and /etc/ssh/ssh_known_hosts2).
#
# If you only want the user known host files, you can pass :user as
# the second option.
def hostfiles(options, which = :all)
files = []
files += Array(options[:user_known_hosts_file] || %w[~/.ssh/known_hosts ~/.ssh/known_hosts2]) if which == :all || which == :user
if which == :all || which == :global
files += Array(options[:global_known_hosts_file] || %w[/etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2])
end
return files
end
# Looks in all user known host files (see KnownHosts.hostfiles) and tries to
# add an entry for the given host and key to the first file it is able
# to.
def add(host, key, options = {})
hostfiles(options, :user).each do |file|
KnownHosts.new(file).add(host, key)
return
rescue SystemCallError
# try the next hostfile
end
end
end
# The host-key file name that this KnownHosts instance will use to search
# for keys.
attr_reader :source
# Instantiate a new KnownHosts instance that will search the given known-hosts
# file. The path is expanded file File.expand_path.
def initialize(source)
@source = File.expand_path(source)
end
# Returns an array of all keys that are known to be associatd with the
# given host. The +host+ parameter is either the domain name or ip address
# of the host, or both (comma-separated). Additionally, if a non-standard
# port is being used, it may be specified by putting the host (or ip, or
# both) in square brackets, and appending the port outside the brackets
# after a colon. Possible formats for +host+, then, are;
#
# "net.ssh.test"
# "1.2.3.4"
# "net.ssh.test,1.2.3.4"
# "[net.ssh.test]:5555"
# "[1,2,3,4]:5555"
# "[net.ssh.test]:5555,[1.2.3.4]:5555
def keys_for(host, options = {})
keys = []
return keys unless File.readable?(source)
entries = host.split(/,/)
host_name = entries[0]
host_ip = entries[1]
File.open(source) do |file|
file.each_line do |line|
if line.start_with?('@')
marker, hosts, type, key_content, comment = line.split(' ')
else
marker = nil
hosts, type, key_content, comment = line.split(' ')
end
# Skip empty line or one that is commented
next if hosts.nil? || hosts.start_with?('#')
hostlist = hosts.split(',')
next unless SUPPORTED_TYPE.include?(type)
found = hostlist.any? { |pattern| match(host_name, pattern) } || known_host_hash?(hostlist, entries)
next unless found
found = hostlist.include?(host_ip) if options[:check_host_ip] && entries.size > 1 && hostlist.size > 1
next unless found
blob = key_content.unpack("m*").first
raw_key = Net::SSH::Buffer.new(blob).read_key
keys <<
if marker == "@cert-authority"
HostKeyEntries::CertAuthority.new(raw_key, comment: comment)
else
HostKeyEntries::PubKey.new(raw_key, comment: comment)
end
end
end
keys
end
def match(host, pattern)
if pattern.include?('*') || pattern.include?('?')
# see man 8 sshd for pattern details
pattern_regexp = pattern.split('*', -1).map do |x|
x.split('?', -1).map do |y|
Regexp.escape(y)
end.join('.')
end.join('.*')
host =~ Regexp.new("\\A#{pattern_regexp}\\z")
else
host == pattern
end
end
# Indicates whether one of the entries matches an hostname that has been
# stored as a HMAC-SHA1 hash in the known hosts.
def known_host_hash?(hostlist, entries)
if hostlist.size == 1 && hostlist.first =~ /\A\|1(\|.+){2}\z/
chunks = hostlist.first.split(/\|/)
salt = Base64.decode64(chunks[2])
digest = OpenSSL::Digest.new('sha1')
entries.each do |entry|
hmac = OpenSSL::HMAC.digest(digest, salt, entry)
return true if Base64.encode64(hmac).chomp == chunks[3]
end
end
false
end
# Tries to append an entry to the current source file for the given host
# and key. If it is unable to (because the file is not writable, for
# instance), an exception will be raised.
def add(host, key)
File.open(source, "a") do |file|
blob = [Net::SSH::Buffer.from(:key, key).to_s].pack("m*").gsub(/\s/, "")
file.puts "#{host} #{key.ssh_type} #{blob}"
end
end
end
end
end
|
