PK!óiSSH/Common/Traits/ReadBytes.phpnu„[µü¤ * @copyright 2015 Jim Wigginton * @license http://www.opensource.org/licenses/mit-license.html MIT License * @link http://phpseclib.sourceforge.net */ namespace phpseclib3\System\SSH\Common\Traits; /** * ReadBytes trait * * @author Jim Wigginton */ trait ReadBytes { /** * Read data * * @param int $length * @throws \RuntimeException on connection errors */ public function readBytes($length) { $temp = fread($this->fsock, $length); if (strlen($temp) != $length) { throw new \RuntimeException("Expected $length bytes; got " . strlen($temp)); } return $temp; } } PK!0GMm.#.# SSH/Agent.phpnu„[µü¤ * login('username', $agent)) { * exit('Login Failed'); * } * * echo $ssh->exec('pwd'); * echo $ssh->exec('ls -la'); * ?> * * * @author Jim Wigginton * @copyright 2014 Jim Wigginton * @license http://www.opensource.org/licenses/mit-license.html MIT License * @link http://phpseclib.sourceforge.net */ namespace phpseclib3\System\SSH; use phpseclib3\Common\Functions\Strings; use phpseclib3\Crypt\Common\PublicKey; use phpseclib3\Crypt\PublicKeyLoader; use phpseclib3\Crypt\RSA; use phpseclib3\Exception\BadConfigurationException; use phpseclib3\Net\SSH2; use phpseclib3\System\SSH\Agent\Identity; /** * Pure-PHP ssh-agent client identity factory * * requestIdentities() method pumps out \phpseclib3\System\SSH\Agent\Identity objects * * @author Jim Wigginton */ class Agent { use Common\Traits\ReadBytes; // Message numbers // to request SSH1 keys you have to use SSH_AGENTC_REQUEST_RSA_IDENTITIES (1) const SSH_AGENTC_REQUEST_IDENTITIES = 11; // this is the SSH2 response; the SSH1 response is SSH_AGENT_RSA_IDENTITIES_ANSWER (2). const SSH_AGENT_IDENTITIES_ANSWER = 12; // the SSH1 request is SSH_AGENTC_RSA_CHALLENGE (3) const SSH_AGENTC_SIGN_REQUEST = 13; // the SSH1 response is SSH_AGENT_RSA_RESPONSE (4) const SSH_AGENT_SIGN_RESPONSE = 14; // Agent forwarding status // no forwarding requested and not active const FORWARD_NONE = 0; // request agent forwarding when opportune const FORWARD_REQUEST = 1; // forwarding has been request and is active const FORWARD_ACTIVE = 2; /** * Unused */ const SSH_AGENT_FAILURE = 5; /** * Socket Resource * * @var resource */ private $fsock; /** * Agent forwarding status * * @var int */ private $forward_status = self::FORWARD_NONE; /** * Buffer for accumulating forwarded authentication * agent data arriving on SSH data channel destined * for agent unix socket * * @var string */ private $socket_buffer = ''; /** * Tracking the number of bytes we are expecting * to arrive for the agent socket on the SSH data * channel * * @var int */ private $expected_bytes = 0; /** * Default Constructor * * @return Agent * @throws BadConfigurationException if SSH_AUTH_SOCK cannot be found * @throws \RuntimeException on connection errors */ public function __construct($address = null) { if (!$address) { switch (true) { case isset($_SERVER['SSH_AUTH_SOCK']): $address = $_SERVER['SSH_AUTH_SOCK']; break; case isset($_ENV['SSH_AUTH_SOCK']): $address = $_ENV['SSH_AUTH_SOCK']; break; default: throw new BadConfigurationException('SSH_AUTH_SOCK not found'); } } if (in_array('unix', stream_get_transports())) { $this->fsock = fsockopen('unix://' . $address, 0, $errno, $errstr); if (!$this->fsock) { throw new \RuntimeException("Unable to connect to ssh-agent (Error $errno: $errstr)"); } } else { if (substr($address, 0, 9) != '\\\\.\\pipe\\' || strpos(substr($address, 9), '\\') !== false) { throw new \RuntimeException('Address is not formatted as a named pipe should be'); } $this->fsock = fopen($address, 'r+b'); if (!$this->fsock) { throw new \RuntimeException('Unable to open address'); } } } /** * Request Identities * * See "2.5.2 Requesting a list of protocol 2 keys" * Returns an array containing zero or more \phpseclib3\System\SSH\Agent\Identity objects * * @return array * @throws \RuntimeException on receipt of unexpected packets */ public function requestIdentities() { if (!$this->fsock) { return []; } $packet = pack('NC', 1, self::SSH_AGENTC_REQUEST_IDENTITIES); if (strlen($packet) != fputs($this->fsock, $packet)) { throw new \RuntimeException('Connection closed while requesting identities'); } $length = current(unpack('N', $this->readBytes(4))); $packet = $this->readBytes($length); list($type, $keyCount) = Strings::unpackSSH2('CN', $packet); if ($type != self::SSH_AGENT_IDENTITIES_ANSWER) { throw new \RuntimeException('Unable to request identities'); } $identities = []; for ($i = 0; $i < $keyCount; $i++) { list($key_blob, $comment) = Strings::unpackSSH2('ss', $packet); $temp = $key_blob; list($key_type) = Strings::unpackSSH2('s', $temp); switch ($key_type) { case 'ssh-rsa': case 'ssh-dss': case 'ssh-ed25519': case 'ecdsa-sha2-nistp256': case 'ecdsa-sha2-nistp384': case 'ecdsa-sha2-nistp521': $key = PublicKeyLoader::load($key_type . ' ' . base64_encode($key_blob)); } // resources are passed by reference by default if (isset($key)) { $identity = (new Identity($this->fsock)) ->withPublicKey($key) ->withPublicKeyBlob($key_blob) ->withComment($comment); $identities[] = $identity; unset($key); } } return $identities; } /** * Returns the SSH Agent identity matching a given public key or null if no identity is found * * @return ?Identity */ public function findIdentityByPublicKey(PublicKey $key) { $identities = $this->requestIdentities(); $key = (string) $key; foreach ($identities as $identity) { if (((string) $identity->getPublicKey()) == $key) { return $identity; } } return null; } /** * Signal that agent forwarding should * be requested when a channel is opened * * @return void */ public function startSSHForwarding() { if ($this->forward_status == self::FORWARD_NONE) { $this->forward_status = self::FORWARD_REQUEST; } } /** * Request agent forwarding of remote server * * @param SSH2 $ssh * @return bool */ private function request_forwarding(SSH2 $ssh) { if (!$ssh->requestAgentForwarding()) { return false; } $this->forward_status = self::FORWARD_ACTIVE; return true; } /** * On successful channel open * * This method is called upon successful channel * open to give the SSH Agent an opportunity * to take further action. i.e. request agent forwarding * * @param SSH2 $ssh */ public function registerChannelOpen(SSH2 $ssh) { if ($this->forward_status == self::FORWARD_REQUEST) { $this->request_forwarding($ssh); } } /** * Forward data to SSH Agent and return data reply * * @param string $data * @return string Data from SSH Agent * @throws \RuntimeException on connection errors */ public function forwardData($data) { if ($this->expected_bytes > 0) { $this->socket_buffer .= $data; $this->expected_bytes -= strlen($data); } else { $agent_data_bytes = current(unpack('N', $data)); $current_data_bytes = strlen($data); $this->socket_buffer = $data; if ($current_data_bytes != $agent_data_bytes + 4) { $this->expected_bytes = ($agent_data_bytes + 4) - $current_data_bytes; return false; } } if (strlen($this->socket_buffer) != fwrite($this->fsock, $this->socket_buffer)) { throw new \RuntimeException('Connection closed attempting to forward data to SSH agent'); } $this->socket_buffer = ''; $this->expected_bytes = 0; $agent_reply_bytes = current(unpack('N', $this->readBytes(4))); $agent_reply_data = $this->readBytes($agent_reply_bytes); $agent_reply_data = current(unpack('a*', $agent_reply_data)); return pack('Na*', $agent_reply_bytes, $agent_reply_data); } } PK!BÉxè/#/#SSH/Agent/Identity.phpnu„[µü¤ * @copyright 2009 Jim Wigginton * @license http://www.opensource.org/licenses/mit-license.html MIT License * @link http://phpseclib.sourceforge.net */ namespace phpseclib3\System\SSH\Agent; use phpseclib3\Common\Functions\Strings; use phpseclib3\Crypt\Common\PrivateKey; use phpseclib3\Crypt\Common\PublicKey; use phpseclib3\Crypt\DSA; use phpseclib3\Crypt\EC; use phpseclib3\Crypt\RSA; use phpseclib3\Exception\UnsupportedAlgorithmException; use phpseclib3\System\SSH\Agent; use phpseclib3\System\SSH\Common\Traits\ReadBytes; /** * Pure-PHP ssh-agent client identity object * * Instantiation should only be performed by \phpseclib3\System\SSH\Agent class. * This could be thought of as implementing an interface that phpseclib3\Crypt\RSA * implements. ie. maybe a Net_SSH_Auth_PublicKey interface or something. * The methods in this interface would be getPublicKey and sign since those are the * methods phpseclib looks for to perform public key authentication. * * @author Jim Wigginton * @internal */ class Identity implements PrivateKey { use ReadBytes; // Signature Flags // See https://tools.ietf.org/html/draft-miller-ssh-agent-00#section-5.3 const SSH_AGENT_RSA2_256 = 2; const SSH_AGENT_RSA2_512 = 4; /** * Key Object * * @var PublicKey * @see self::getPublicKey() */ private $key; /** * Key Blob * * @var string * @see self::sign() */ private $key_blob; /** * Socket Resource * * @var resource * @see self::sign() */ private $fsock; /** * Signature flags * * @var int * @see self::sign() * @see self::setHash() */ private $flags = 0; /** * Comment * * @var null|string */ private $comment; /** * Curve Aliases * * @var array */ private static $curveAliases = [ 'secp256r1' => 'nistp256', 'secp384r1' => 'nistp384', 'secp521r1' => 'nistp521', 'Ed25519' => 'Ed25519' ]; /** * Default Constructor. * * @param resource $fsock */ public function __construct($fsock) { $this->fsock = $fsock; } /** * Set Public Key * * Called by \phpseclib3\System\SSH\Agent::requestIdentities() * * @param PublicKey $key */ public function withPublicKey(PublicKey $key) { if ($key instanceof EC) { if (is_array($key->getCurve()) || !isset(self::$curveAliases[$key->getCurve()])) { throw new UnsupportedAlgorithmException('The only supported curves are nistp256, nistp384, nistp512 and Ed25519'); } } $new = clone $this; $new->key = $key; return $new; } /** * Set Public Key * * Called by \phpseclib3\System\SSH\Agent::requestIdentities(). The key blob could be extracted from $this->key * but this saves a small amount of computation. * * @param string $key_blob */ public function withPublicKeyBlob($key_blob) { $new = clone $this; $new->key_blob = $key_blob; return $new; } /** * Get Public Key * * Wrapper for $this->key->getPublicKey() * * @return mixed */ public function getPublicKey() { return $this->key; } /** * Sets the hash * * @param string $hash */ public function withHash($hash) { $new = clone $this; $hash = strtolower($hash); if ($this->key instanceof RSA) { $new->flags = 0; switch ($hash) { case 'sha1': break; case 'sha256': $new->flags = self::SSH_AGENT_RSA2_256; break; case 'sha512': $new->flags = self::SSH_AGENT_RSA2_512; break; default: throw new UnsupportedAlgorithmException('The only supported hashes for RSA are sha1, sha256 and sha512'); } } if ($this->key instanceof EC) { switch ($this->key->getCurve()) { case 'secp256r1': $expectedHash = 'sha256'; break; case 'secp384r1': $expectedHash = 'sha384'; break; //case 'secp521r1': //case 'Ed25519': default: $expectedHash = 'sha512'; } if ($hash != $expectedHash) { throw new UnsupportedAlgorithmException('The only supported hash for ' . self::$curveAliases[$this->key->getCurve()] . ' is ' . $expectedHash); } } if ($this->key instanceof DSA) { if ($hash != 'sha1') { throw new UnsupportedAlgorithmException('The only supported hash for DSA is sha1'); } } return $new; } /** * Sets the padding * * Only PKCS1 padding is supported * * @param string $padding */ public function withPadding($padding) { if (!$this->key instanceof RSA) { throw new UnsupportedAlgorithmException('Only RSA keys support padding'); } if ($padding != RSA::SIGNATURE_PKCS1 && $padding != RSA::SIGNATURE_RELAXED_PKCS1) { throw new UnsupportedAlgorithmException('ssh-agent can only create PKCS1 signatures'); } return $this; } /** * Determines the signature padding mode * * Valid values are: ASN1, SSH2, Raw * * @param string $format */ public function withSignatureFormat($format) { if ($this->key instanceof RSA) { throw new UnsupportedAlgorithmException('Only DSA and EC keys support signature format setting'); } if ($format != 'SSH2') { throw new UnsupportedAlgorithmException('Only SSH2-formatted signatures are currently supported'); } return $this; } /** * Returns the curve * * Returns a string if it's a named curve, an array if not * * @return string|array */ public function getCurve() { if (!$this->key instanceof EC) { throw new UnsupportedAlgorithmException('Only EC keys have curves'); } return $this->key->getCurve(); } /** * Create a signature * * See "2.6.2 Protocol 2 private key signature request" * * @param string $message * @return string * @throws \RuntimeException on connection errors * @throws UnsupportedAlgorithmException if the algorithm is unsupported */ public function sign($message) { // the last parameter (currently 0) is for flags and ssh-agent only defines one flag (for ssh-dss): SSH_AGENT_OLD_SIGNATURE $packet = Strings::packSSH2( 'CssN', Agent::SSH_AGENTC_SIGN_REQUEST, $this->key_blob, $message, $this->flags ); $packet = Strings::packSSH2('s', $packet); if (strlen($packet) != fputs($this->fsock, $packet)) { throw new \RuntimeException('Connection closed during signing'); } $length = current(unpack('N', $this->readBytes(4))); $packet = $this->readBytes($length); list($type, $signature_blob) = Strings::unpackSSH2('Cs', $packet); if ($type != Agent::SSH_AGENT_SIGN_RESPONSE) { throw new \RuntimeException('Unable to retrieve signature'); } if (!$this->key instanceof RSA) { return $signature_blob; } list($type, $signature_blob) = Strings::unpackSSH2('ss', $signature_blob); return $signature_blob; } /** * Returns the private key * * @param string $type * @param array $options optional * @return string */ public function toString($type, array $options = []) { throw new \RuntimeException('ssh-agent does not provide a mechanism to get the private key'); } /** * Sets the password * * @param string|bool $password * @return never */ public function withPassword($password = false) { throw new \RuntimeException('ssh-agent does not provide a mechanism to get the private key'); } /** * Sets the comment */ public function withComment($comment = null) { $new = clone $this; $new->comment = $comment; return $new; } /** * Returns the comment * * @return null|string */ public function getComment() { return $this->comment; } } PK!óiSSH/Common/Traits/ReadBytes.phpnu„[µü¤PK!0GMm.#.# dSSH/Agent.phpnu„[µü¤PK!BÉxè/#/#Ï&SSH/Agent/Identity.phpnu„[µü¤PKDJ