1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
|
module Net
module SSH
# The Net::SSH::Config class is used to parse OpenSSH configuration files,
# and translates that syntax into the configuration syntax that Net::SSH
# understands. This lets Net::SSH scripts read their configuration (to
# some extent) from OpenSSH configuration files (~/.ssh/config, /etc/ssh_config,
# and so forth).
#
# Only a subset of OpenSSH configuration options are understood:
#
# * ChallengeResponseAuthentication => maps to the :auth_methods option challenge-response (then coleasced into keyboard-interactive)
# * KbdInteractiveAuthentication => maps to the :auth_methods keyboard-interactive
# * CertificateFile => maps to the :keycerts option
# * Ciphers => maps to the :encryption option
# * Compression => :compression
# * CompressionLevel => :compression_level
# * ConnectTimeout => maps to the :timeout option
# * ForwardAgent => :forward_agent
# * GlobalKnownHostsFile => :global_known_hosts_file
# * HostBasedAuthentication => maps to the :auth_methods option
# * HostKeyAlgorithms => maps to :host_key option
# * HostKeyAlias => :host_key_alias
# * HostName => :host_name
# * IdentityFile => maps to the :keys option
# * IdentityAgent => :identity_agent
# * IdentitiesOnly => :keys_only
# * CheckHostIP => :check_host_ip
# * Macs => maps to the :hmac option
# * PasswordAuthentication => maps to the :auth_methods option password
# * Port => :port
# * PreferredAuthentications => maps to the :auth_methods option
# * ProxyCommand => maps to the :proxy option
# * ProxyJump => maps to the :proxy option
# * PubKeyAuthentication => maps to the :auth_methods option
# * RekeyLimit => :rekey_limit
# * StrictHostKeyChecking => :strict_host_key_checking
# * User => :user
# * UserKnownHostsFile => :user_known_hosts_file
# * NumberOfPasswordPrompts => :number_of_password_prompts
# * FingerprintHash => :fingerprint_hash
#
# Note that you will never need to use this class directly--you can control
# whether the OpenSSH configuration files are read by passing the :config
# option to Net::SSH.start. (They are, by default.)
class Config
class << self
@@default_files = %w[~/.ssh/config /etc/ssh_config /etc/ssh/ssh_config]
# The following defaults follow the openssh client ssh_config defaults.
# http://lwn.net/Articles/544640/
# "hostbased" is off and "none" is not supported but we allow it since
# it's used by some clients to query the server for allowed auth methods
@@default_auth_methods = %w[none publickey password keyboard-interactive]
# Returns an array of locations of OpenSSH configuration files
# to parse by default.
def default_files
@@default_files.clone
end
def default_auth_methods
@@default_auth_methods.clone
end
# Loads the configuration data for the given +host+ from all of the
# given +files+ (defaulting to the list of files returned by
# #default_files), translates the resulting hash into the options
# recognized by Net::SSH, and returns them.
def for(host, files=expandable_default_files)
translate(files.inject({}) { |settings, file|
load(file, host, settings)
})
end
# Load the OpenSSH configuration settings in the given +file+ for the
# given +host+. If +settings+ is given, the options are merged into
# that hash, with existing values taking precedence over newly parsed
# ones. Returns a hash containing the OpenSSH options. (See
# #translate for how to convert the OpenSSH options into Net::SSH
# options.)
def load(path, host, settings={}, base_dir = nil)
file = File.expand_path(path)
base_dir ||= File.dirname(file)
return settings unless File.readable?(file)
globals = {}
block_matched = false
block_seen = false
IO.foreach(file) do |line|
next if line =~ /^\s*(?:#.*)?$/
if line =~ /^\s*(\S+)\s*=(.*)$/
key, value = $1, $2
else
key, value = line.strip.split(/\s+/, 2)
end
# silently ignore malformed entries
next if value.nil?
key.downcase!
value = unquote(value)
value = case value.strip
when /^\d+$/ then value.to_i
when /^no$/i then false
when /^yes$/i then true
else value
end
if key == 'host'
# Support "Host host1 host2 hostN".
# See http://github.com/net-ssh/net-ssh/issues#issue/6
negative_hosts, positive_hosts = value.to_s.split(/\s+/).partition { |h| h.start_with?('!') }
# Check for negative patterns first. If the host matches, that overrules any other positive match.
# The host substring code is used to strip out the starting "!" so the regexp will be correct.
negative_matched = negative_hosts.any? { |h| host =~ pattern2regex(h[1..-1]) }
if negative_matched
block_matched = false
else
block_matched = positive_hosts.any? { |h| host =~ pattern2regex(h) }
end
block_seen = true
settings[key] = host
elsif key == 'match'
block_matched = eval_match_conditions(value, host, settings)
block_seen = true
elsif !block_seen
case key
when 'identityfile', 'certificatefile'
(globals[key] ||= []) << value
when 'include'
included_file_paths(base_dir, value).each do |file_path|
globals = load(file_path, host, globals, base_dir)
end
else
globals[key] = value unless settings.key?(key)
end
elsif block_matched
case key
when 'identityfile', 'certificatefile'
(settings[key] ||= []) << value
when 'include'
included_file_paths(base_dir, value).each do |file_path|
settings = load(file_path, host, settings, base_dir)
end
else
settings[key] = value unless settings.key?(key)
end
end
# ProxyCommand and ProxyJump override each other so they need to be tracked togeather
%w[proxyjump proxycommand].each do |proxy_key|
if (proxy_value = settings.delete(proxy_key))
settings['proxy'] ||= [proxy_key, proxy_value]
end
end
end
globals.merge(settings) do |key, oldval, newval|
case key
when 'identityfile', 'certificatefile'
oldval + newval
else
newval
end
end
end
# Given a hash of OpenSSH configuration options, converts them into
# a hash of Net::SSH options. Unrecognized options are ignored. The
# +settings+ hash must have Strings for keys, all downcased, and
# the returned hash will have Symbols for keys.
def translate(settings)
auth_methods = default_auth_methods.clone
(auth_methods << 'challenge-response').uniq!
ret = settings.each_with_object({ auth_methods: auth_methods }) do |(key, value), hash|
translate_config_key(hash, key.to_sym, value, settings)
end
merge_challenge_response_with_keyboard_interactive(ret)
end
# Filters default_files down to the files that are expandable.
def expandable_default_files
default_files.keep_if do |path|
begin
File.expand_path(path)
true
rescue ArgumentError
false
end
end
end
private
TRANSLATE_CONFIG_KEY_RENAME_MAP = {
bindaddress: :bind_address,
compression: :compression,
compressionlevel: :compression_level,
certificatefile: :keycerts,
connecttimeout: :timeout,
forwardagent: :forward_agent,
identitiesonly: :keys_only,
identityagent: :identity_agent,
globalknownhostsfile: :global_known_hosts_file,
hostkeyalias: :host_key_alias,
identityfile: :keys,
fingerprinthash: :fingerprint_hash,
port: :port,
stricthostkeychecking: :strict_host_key_checking,
user: :user,
userknownhostsfile: :user_known_hosts_file,
checkhostip: :check_host_ip
}.freeze
def translate_config_key(hash, key, value, settings)
case key
when :ciphers
hash[:encryption] = value.split(/,/)
when :hostbasedauthentication
if value
(hash[:auth_methods] << "hostbased").uniq!
else
hash[:auth_methods].delete("hostbased")
end
when :hostkeyalgorithms
hash[:host_key] = value.split(/,/)
when :hostname
hash[:host_name] = value.gsub(/%h/, settings['host'])
when :macs
hash[:hmac] = value.split(/,/)
when :serveralivecountmax
hash[:keepalive_maxcount] = value.to_i if value
when :serveraliveinterval
if value && value.to_i > 0
hash[:keepalive] = true
hash[:keepalive_interval] = value.to_i
else
hash[:keepalive] = false
end
when :passwordauthentication
if value
(hash[:auth_methods] << 'password').uniq!
else
hash[:auth_methods].delete('password')
end
when :challengeresponseauthentication
if value
(hash[:auth_methods] << 'challenge-response').uniq!
else
hash[:auth_methods].delete('challenge-response')
end
when :kbdinteractiveauthentication
if value
(hash[:auth_methods] << 'keyboard-interactive').uniq!
else
hash[:auth_methods].delete('keyboard-interactive')
end
when :preferredauthentications
hash[:auth_methods] = value.split(/,/) # TODO we should place to preferred_auth_methods rather than auth_methods
when :proxy
if (proxy = setup_proxy(*value))
hash[:proxy] = proxy
end
when :pubkeyauthentication
if value
(hash[:auth_methods] << 'publickey').uniq!
else
hash[:auth_methods].delete('publickey')
end
when :rekeylimit
hash[:rekey_limit] = interpret_size(value)
when :sendenv
multi_send_env = value.to_s.split(/\s+/)
hash[:send_env] = multi_send_env.map { |e| Regexp.new pattern2regex(e).source, false }
when :setenv
hash[:set_env] = Shellwords.split(value.to_s).map { |e| e.split '=', 2 }.to_h
when :numberofpasswordprompts
hash[:number_of_password_prompts] = value.to_i
when *TRANSLATE_CONFIG_KEY_RENAME_MAP.keys
hash[TRANSLATE_CONFIG_KEY_RENAME_MAP[key]] = value
end
end
def setup_proxy(type, value)
case type
when 'proxycommand'
if value !~ /^none$/
require 'net/ssh/proxy/command'
Net::SSH::Proxy::Command.new(value)
end
when 'proxyjump'
require 'net/ssh/proxy/jump'
Net::SSH::Proxy::Jump.new(value)
end
end
# Converts an ssh_config pattern into a regex for matching against
# host names.
def pattern2regex(pattern)
tail = pattern
prefix = ""
while !tail.empty? do
head,sep,tail = tail.partition(/[\*\?]/)
prefix = prefix + Regexp.quote(head)
case sep
when '*'
prefix += '.*'
when '?'
prefix += '.'
when ''
else
fail "Unpexpcted sep:#{sep}"
end
end
Regexp.new("^" + prefix + "$", true)
end
# Converts the given size into an integer number of bytes.
def interpret_size(size)
case size
when /k$/i then size.to_i * 1024
when /m$/i then size.to_i * 1024 * 1024
when /g$/i then size.to_i * 1024 * 1024 * 1024
else size.to_i
end
end
def merge_challenge_response_with_keyboard_interactive(hash)
if hash[:auth_methods].include?('challenge-response')
hash[:auth_methods].delete('challenge-response')
(hash[:auth_methods] << 'keyboard-interactive').uniq!
end
hash
end
def included_file_paths(base_dir, config_paths)
tokenize_config_value(config_paths).flat_map do |path|
Dir.glob(File.expand_path(path, base_dir)).select { |f| File.file?(f) }
end
end
# Tokenize string into tokens.
# A token is a word or a quoted sequence of words, separated by whitespaces.
def tokenize_config_value(str)
str.scan(/([^"\s]+)?(?:"([^"]+)")?\s*/).map(&:join)
end
def eval_match_conditions(condition, host, settings)
# Not using `\s` for whitespace matching as canonical
# ssh_config parser implementation (OpenSSH) has specific character set.
# Ref: https://github.com/openssh/openssh-portable/blob/2581333d564d8697837729b3d07d45738eaf5a54/misc.c#L237-L239
conditions = condition.split(/[ \t\r\n]+|(?<!=)=(?!=)/).reject(&:empty?)
return true if conditions == ["all"]
conditions = conditions.each_slice(2)
condition_matches = []
conditions.each do |(kind,exprs)|
exprs = unquote(exprs)
case kind.downcase
when "all"
raise "all cannot be mixed with other conditions"
when "host"
if exprs.start_with?('!')
negated = true
exprs = exprs[1..-1]
else
negated = false
end
condition_met = false
exprs.split(",").each do |expr|
condition_met = condition_met || host =~ pattern2regex(expr)
end
condition_matches << (true && negated ^ condition_met)
# else
# warn "net-ssh: Unsupported expr in Match block: #{kind}"
end
end
!condition_matches.empty? && condition_matches.all?
end
def unquote(string)
string =~ /^"(.*)"$/ ? Regexp.last_match(1) : string
end
end
end
end
end
|
