Class: Net::SSH::Authentication::KeyManager

Inherits:

Object

• Object
• Net::SSH::Authentication::KeyManager

Includes:

Loggable

Defined in:

lib/net/ssh/authentication/key_manager.rb

Overview

This class encapsulates all operations done by clients on a user’s private keys. In practice, the client should never need a reference to a private key; instead, they grab a list of “identities” (public keys) that are available from the KeyManager, and then use the KeyManager to do various private key operations using those identities.

The KeyManager also uses the Agent class to encapsulate the ssh-agent. Thus, from a client’s perspective it is completely hidden whether an identity comes from the ssh-agent or from a file on disk.

Instance Attribute Summary

• #key_files ⇒ Object readonly

  The list of user key files that will be examined.

• #known_identities ⇒ Object readonly

  The map of loaded identities.

• #options ⇒ Object readonly

  The map of options that were passed to the key-manager.

Attributes included from Loggable

#logger

Instance Method Summary

• #add(key_file) ⇒ Object

  Add the given key_file to the list of key files that will be used.

• #agent ⇒ Object

  Returns an Agent instance to use for communicating with an SSH agent process.

• #clear! ⇒ Object

  Clear all knowledge of any loaded user keys.

• #each_identity ⇒ Object

  Iterates over all available identities (public keys) known to this manager.

• #finish ⇒ Object

  This is used as a hint to the KeyManager indicating that the agent connection is no longer needed.

• #initialize(logger, options = {}) ⇒ KeyManager constructor

  Create a new KeyManager.

• #sign(identity, data) ⇒ Object

  Sign the given data, using the corresponding private key of the given identity.

• #use_agent=(use_agent) ⇒ Object

  Toggles whether the ssh-agent will be used or not.

• #use_agent? ⇒ Boolean

  Identifies whether the ssh-agent will be used or not.

Methods included from Loggable

#debug, #error, #fatal, #info, #lwarn

Constructor Details

#initialize(logger, options = {}) ⇒ KeyManager

Create a new KeyManager. By default, the manager will use the ssh-agent (if it is running).

# File 'lib/net/ssh/authentication/key_manager.rb', line 38

def initialize(logger, options={})
  self.logger = logger
  @key_files = []
  @use_agent = true
  @known_identities = {}
  @agent = nil
  @options = options
end

Instance Attribute Details

#key_files ⇒ Object (readonly)

The list of user key files that will be examined

# File 'lib/net/ssh/authentication/key_manager.rb', line 28

def key_files
  @key_files
end

#known_identities ⇒ Object (readonly)

The map of loaded identities

# File 'lib/net/ssh/authentication/key_manager.rb', line 31

def known_identities
  @known_identities
end

#options ⇒ Object (readonly)

The map of options that were passed to the key-manager

# File 'lib/net/ssh/authentication/key_manager.rb', line 34

def options
  @options
end

Instance Method Details

#add(key_file) ⇒ Object

Add the given key_file to the list of key files that will be used.

# File 'lib/net/ssh/authentication/key_manager.rb', line 58

def add(key_file)
  key_files.push(File.expand_path(key_file)).uniq!
  self
end

#agent ⇒ Object

Returns an Agent instance to use for communicating with an SSH agent process. Returns nil if use of an SSH agent has been disabled, or if the agent is otherwise not available.

# File 'lib/net/ssh/authentication/key_manager.rb', line 164

def agent
  return unless use_agent?
  @agent ||= Agent.connect(logger)
rescue AgentNotAvailable
  @use_agent = false
  nil
end

#clear! ⇒ Object

Clear all knowledge of any loaded user keys. This also clears the list of default identity files that are to be loaded, thus making it appropriate to use if a client wishes to NOT use the default identity files.

# File 'lib/net/ssh/authentication/key_manager.rb', line 51

def clear!
  key_files.clear
  known_identities.clear
  self
end

#each_identity ⇒ Object

Iterates over all available identities (public keys) known to this manager. As it finds one, it will then yield it to the caller. The origin of the identities may be from files on disk or from an ssh-agent. Note that identities from an ssh-agent are always listed first in the array, with other identities coming after.

# File 'lib/net/ssh/authentication/key_manager.rb', line 82

def each_identity
  if agent
    agent.identities.each do |key|
      known_identities[key] = { :from => :agent }
      yield key
    end
  end
  
  key_files.each do |file|
    public_key_file = file + ".pub"
    if File.readable?(public_key_file)
      begin
        key = KeyFactory.load_public_key(public_key_file)
        known_identities[key] = { :from => :file, :file => file }
        yield key
      rescue Exception => e
        error { "could not load public key file `#{public_key_file}': #{e.class} (#{e.message})" }
      end
    elsif File.readable?(file)
      begin
        private_key = KeyFactory.load_private_key(file, options[:passphrase])
        key = private_key.send(:public_key)
        known_identities[key] = { :from => :file, :file => file, :key => private_key }
        yield key
      rescue Exception => e
        error { "could not load private key file `#{file}': #{e.class} (#{e.message})" }
      end
    end
  end

  self
end

#finish ⇒ Object

This is used as a hint to the KeyManager indicating that the agent connection is no longer needed. Any other open resources may be closed at this time.

Calling this does NOT indicate that the KeyManager will no longer be used. Identities may still be requested and operations done on loaded identities, in which case, the agent will be automatically reconnected. This method simply allows the client connection to be closed when it will not be used in the immediate future.

# File 'lib/net/ssh/authentication/key_manager.rb', line 72

def finish
  @agent.close if @agent
  @agent = nil
end

#sign(identity, data) ⇒ Object

Sign the given data, using the corresponding private key of the given identity. If the identity was originally obtained from an ssh-agent, then the ssh-agent will be used to sign the data, otherwise the private key for the identity will be loaded from disk (if it hasn’t been loaded already) and will then be used to sign the data.

Regardless of the identity’s origin or who does the signing, this will always return the signature in an SSH2-specified “signature blob” format.

Raises:

• (KeyManagerError)

# File 'lib/net/ssh/authentication/key_manager.rb', line 124

def sign(identity, data)
  info = known_identities[identity] or raise KeyManagerError, "the given identity is unknown to the key manager"

  if info[:key].nil? && info[:from] == :file
    begin
      info[:key] = KeyFactory.load_private_key(info[:file], options[:passphrase])
    rescue Exception => e 
      raise KeyManagerError, "the given identity is known, but the private key could not be loaded: #{e.class} (#{e.message})"
    end
  end

  if info[:key]
    return Net::SSH::Buffer.from(:string, identity.ssh_type,
      :string, info[:key].ssh_do_sign(data.to_s)).to_s
  end

  if info[:from] == :agent
    raise KeyManagerError, "the agent is no longer available" unless agent
    return agent.sign(identity, data.to_s)
  end

  raise KeyManagerError, "[BUG] can't determine identity origin (#{info.inspect})"
end

#use_agent=(use_agent) ⇒ Object

Toggles whether the ssh-agent will be used or not. If true, an attempt will be made to use the ssh-agent. If false, any existing connection to an agent is closed and the agent will not be used.

# File 'lib/net/ssh/authentication/key_manager.rb', line 156

def use_agent=(use_agent)
  finish if !use_agent
  @use_agent = use_agent
end

#use_agent? ⇒ Boolean

Identifies whether the ssh-agent will be used or not.

Returns:

• (Boolean)

# File 'lib/net/ssh/authentication/key_manager.rb', line 149

def use_agent?
  @use_agent
end