class Net::SSH::Transport::Kex::Abstract
See tools.ietf.org/html/rfc4253#page-21<br>Abstract class that implement Diffie-Hellman Key Exchange
def confirm_newkeys # :nodoc:
reply.
Send the NEWKEYS message, and expect the NEWKEYS message in
def confirm_newkeys # :nodoc: # send own NEWKEYS message first (the wodSSHServer won't send first) response = Net::SSH::Buffer.new response.write_byte(NEWKEYS) connection.send_message(response) # wait for the server's NEWKEYS message buffer = connection.next_message raise Net::SSH::Exception, 'expected NEWKEYS' unless buffer.type == NEWKEYS end
def digester
def digester raise NotImplementedError, 'abstract class: digester not implemented' end
def exchange_keys
The caller is expected to be able to understand how to use these
* :hashing_algorithm
* :shared_secret
* :server_key
* :session_id
following keys:
data. This method will return a hash consisting of the
Perform the key-exchange for the given session, with the given
def exchange_keys result = send_kexinit verify_server_key(result[:server_key]) session_id = verify_signature(result) confirm_newkeys { session_id: session_id, server_key: result[:server_key], shared_secret: result[:shared_secret], hashing_algorithm: digester } end
def generate_key_fingerprint(key)
def generate_key_fingerprint(key) blob = Net::SSH::Buffer.from(:key, key).to_s fingerprint = Net::SSH::Authentication::PubKeyFingerprint.fingerprint(blob, @connection.options[:fingerprint_hash] || 'SHA256') [blob, fingerprint] rescue StandardError => e [nil, "(could not generate fingerprint: #{e.message})"] end
def initialize(algorithms, connection, data)
combined with a signature with the host key to provide host
cannot be determined by either party alone. The key exchange is
The Diffie-Hellman (DH) key exchange provides a shared secret that
Create a new instance of the Diffie-Hellman Key Exchange algorithm.
def initialize(algorithms, connection, data) @algorithms = algorithms @connection = connection @data = data.dup @dh = generate_key @logger = @data.delete(:logger) end
def matching?(key_ssh_type, host_key_alg)
def matching?(key_ssh_type, host_key_alg) return true if key_ssh_type == host_key_alg return true if key_ssh_type == 'ssh-rsa' && ['rsa-sha2-512', 'rsa-sha2-256'].include?(host_key_alg) end
def verify_server_key(key) # :nodoc:
if it is not.
really is the key for the session's host. Raise Net::SSH::Exception
Verify that the given key is of the expected type, and that it
def verify_server_key(key) # :nodoc: unless matching?(key.ssh_type, algorithms.host_key) raise Net::SSH::Exception, "host key algorithm mismatch '#{key.ssh_type}' != '#{algorithms.host_key}'" end blob, fingerprint = generate_key_fingerprint(key) unless connection.host_key_verifier.verify(key: key, key_blob: blob, fingerprint: fingerprint, session: connection) raise Net::SSH::Exception, 'host key verification failed' end end
def verify_signature(result) # :nodoc:
session-id.
if the signature could not be verified. Otherwise, return the new
Verify the signature that was received. Raise Net::SSH::Exception
def verify_signature(result) # :nodoc: response = build_signature_buffer(result) hash = digester.digest(response.to_s) server_key = result[:server_key] server_sig = result[:server_sig] unless connection.host_key_verifier.verify_signature { server_key.ssh_do_verify(server_sig, hash, host_key: algorithms.host_key) } raise Net::SSH::Exception, 'could not verify server signature' end hash end