1
0
mirror of https://github.com/danog/tgseclib.git synced 2024-12-14 01:57:28 +01:00
tgseclib/phpseclib/System/SSH/Agent.php

341 lines
9.6 KiB
PHP
Raw Normal View History

<?php
2014-12-30 03:44:31 +01:00
/**
* Pure-PHP ssh-agent client.
*
2015-04-02 12:57:52 +02:00
* PHP version 5
*
* Here are some examples of how to use this library:
* <code>
* <?php
2014-12-10 02:31:41 +01:00
* include 'vendor/autoload.php';
*
2014-12-15 18:25:46 +01:00
* $agent = new \phpseclib\System\SSH\Agent();
*
2014-12-10 02:31:41 +01:00
* $ssh = new \phpseclib\Net\SSH2('www.domain.tld');
* if (!$ssh->login('username', $agent)) {
* exit('Login Failed');
* }
*
* echo $ssh->exec('pwd');
* echo $ssh->exec('ls -la');
* ?>
* </code>
*
* @category System
2014-12-15 18:25:46 +01:00
* @package SSH\Agent
* @author Jim Wigginton <terrafrost@php.net>
* @copyright 2014 Jim Wigginton
* @license http://www.opensource.org/licenses/mit-license.html MIT License
* @link http://phpseclib.sourceforge.net
* @internal See http://api.libssh.org/rfc/PROTOCOL.agent
*/
2014-12-15 18:25:46 +01:00
namespace phpseclib\System\SSH;
2016-05-12 22:28:40 +02:00
use ParagonIE\ConstantTime\Base64;
2014-12-17 01:16:54 +01:00
use phpseclib\Crypt\RSA;
use phpseclib\Exception\BadConfigurationException;
use phpseclib\System\SSH\Agent\Identity;
2017-01-08 02:51:56 +01:00
use phpseclib\Common\Functions\Objects;
/**
* Pure-PHP ssh-agent client identity factory
*
2014-12-15 18:25:46 +01:00
* requestIdentities() method pumps out \phpseclib\System\SSH\Agent\Identity objects
*
2014-12-15 18:25:46 +01:00
* @package SSH\Agent
* @author Jim Wigginton <terrafrost@php.net>
* @access internal
*/
2014-12-15 18:25:46 +01:00
class Agent
{
/**#@+
* Message numbers
*
* @access private
*/
// to request SSH1 keys you have to use SSH_AGENTC_REQUEST_RSA_IDENTITIES (1)
const SSH_AGENTC_REQUEST_IDENTITIES = 11;
// this is the SSH2 response; the SSH1 response is SSH_AGENT_RSA_IDENTITIES_ANSWER (2).
const SSH_AGENT_IDENTITIES_ANSWER = 12;
// the SSH1 request is SSH_AGENTC_RSA_CHALLENGE (3)
const SSH_AGENTC_SIGN_REQUEST = 13;
// the SSH1 response is SSH_AGENT_RSA_RESPONSE (4)
const SSH_AGENT_SIGN_RESPONSE = 14;
/**#@-*/
/**@+
* Agent forwarding status
*
* @access private
*/
// no forwarding requested and not active
const FORWARD_NONE = 0;
// request agent forwarding when opportune
const FORWARD_REQUEST = 1;
// forwarding has been request and is active
const FORWARD_ACTIVE = 2;
/**#@-*/
/**
* Unused
*/
const SSH_AGENT_FAILURE = 5;
/**
* Socket Resource
*
* @var resource
* @access private
*/
2017-01-08 02:51:56 +01:00
private $fsock;
2014-12-30 03:44:31 +01:00
/**
* Agent forwarding status
2014-12-30 03:44:31 +01:00
*
2017-01-08 02:51:56 +01:00
* @var int
2014-12-30 03:44:31 +01:00
* @access private
*/
2017-01-08 02:51:56 +01:00
private $forward_status = self::FORWARD_NONE;
2014-12-30 03:44:31 +01:00
/**
* Buffer for accumulating forwarded authentication
* agent data arriving on SSH data channel destined
* for agent unix socket
*
2017-01-08 02:51:56 +01:00
* @var string
2014-12-30 03:44:31 +01:00
* @access private
*/
2017-01-08 02:51:56 +01:00
private $socket_buffer = '';
2014-12-30 03:44:31 +01:00
/**
* Tracking the number of bytes we are expecting
* to arrive for the agent socket on the SSH data
* channel
2017-01-08 02:51:56 +01:00
*
* @var int
* @access private
*/
private $expected_bytes = 0;
/**
* The current request channel
*
* @var int
* @access private
2014-12-30 03:44:31 +01:00
*/
2017-01-08 02:51:56 +01:00
private $request_channel;
2014-12-30 03:44:31 +01:00
/**
* Default Constructor
*
2014-12-15 18:25:46 +01:00
* @return \phpseclib\System\SSH\Agent
* @throws \phpseclib\Exception\BadConfigurationException if SSH_AUTH_SOCK cannot be found
* @throws \RuntimeException on connection errors
* @access public
*/
2017-01-08 02:51:56 +01:00
public function __construct()
{
switch (true) {
case isset($_SERVER['SSH_AUTH_SOCK']):
$address = $_SERVER['SSH_AUTH_SOCK'];
break;
case isset($_ENV['SSH_AUTH_SOCK']):
$address = $_ENV['SSH_AUTH_SOCK'];
break;
default:
throw new BadConfigurationException('SSH_AUTH_SOCK not found');
}
$this->fsock = fsockopen('unix://' . $address, 0, $errno, $errstr);
if (!$this->fsock) {
throw new \RuntimeException("Unable to connect to ssh-agent (Error $errno: $errstr)");
}
}
/**
* Request Identities
*
* See "2.5.2 Requesting a list of protocol 2 keys"
2014-12-15 18:25:46 +01:00
* Returns an array containing zero or more \phpseclib\System\SSH\Agent\Identity objects
*
* @return array
* @throws \RuntimeException on receipt of unexpected packets
* @access public
*/
2017-01-08 02:51:56 +01:00
public function requestIdentities()
{
if (!$this->fsock) {
2016-11-30 22:19:23 +01:00
return [];
}
$packet = pack('NC', 1, self::SSH_AGENTC_REQUEST_IDENTITIES);
if (strlen($packet) != fputs($this->fsock, $packet)) {
throw new \RuntimeException('Connection closed while requesting identities');
}
$length = current(unpack('N', fread($this->fsock, 4)));
$type = ord(fread($this->fsock, 1));
if ($type != self::SSH_AGENT_IDENTITIES_ANSWER) {
throw new \RuntimeException('Unable to request identities');
}
2016-11-30 22:19:23 +01:00
$identities = [];
$keyCount = current(unpack('N', fread($this->fsock, 4)));
for ($i = 0; $i < $keyCount; $i++) {
$length = current(unpack('N', fread($this->fsock, 4)));
$key_blob = fread($this->fsock, $length);
2016-05-12 22:28:40 +02:00
$key_str = 'ssh-rsa ' . Base64::encode($key_blob);
$length = current(unpack('N', fread($this->fsock, 4)));
if ($length) {
$key_str.= ' ' . fread($this->fsock, $length);
}
$length = current(unpack('N', substr($key_blob, 0, 4)));
$key_type = substr($key_blob, 4, $length);
switch ($key_type) {
case 'ssh-rsa':
2014-12-17 01:16:54 +01:00
$key = new RSA();
$key->load($key_str);
break;
case 'ssh-dss':
// not currently supported
break;
}
// resources are passed by reference by default
if (isset($key)) {
2014-12-15 18:25:46 +01:00
$identity = new Identity($this->fsock);
$identity->setPublicKey($key);
$identity->setPublicKeyBlob($key_blob);
$identities[] = $identity;
unset($key);
}
}
return $identities;
}
2014-12-30 03:44:31 +01:00
/**
* Signal that agent forwarding should
* be requested when a channel is opened
2014-12-30 03:44:31 +01:00
*
* @param Net_SSH2 $ssh
* @return bool
2014-12-30 03:44:31 +01:00
* @access public
*/
2017-01-08 02:51:56 +01:00
public function startSSHForwarding($ssh)
2014-12-30 03:44:31 +01:00
{
if ($this->forward_status == self::FORWARD_NONE) {
$this->forward_status = self::FORWARD_REQUEST;
2014-12-30 03:44:31 +01:00
}
}
/**
* Request agent forwarding of remote server
2014-12-30 03:44:31 +01:00
*
* @param Net_SSH2 $ssh
* @return bool
2014-12-30 03:44:31 +01:00
* @access private
*/
2017-01-08 02:51:56 +01:00
private function request_forwarding($ssh)
2014-12-30 03:44:31 +01:00
{
2017-01-08 02:51:56 +01:00
$this->request_channel = Objects::callFunc($ssh, 'get_open_channel');
if ($this->request_channel === false) {
return false;
}
2014-12-30 03:44:31 +01:00
2015-07-15 03:52:31 +02:00
$packet = pack(
'CNNa*C',
NET_SSH2_MSG_CHANNEL_REQUEST,
2017-01-08 02:51:56 +01:00
Objects::getVar($ssh, 'server_channels')[$this->request_channel],
2015-07-15 03:52:31 +02:00
strlen('auth-agent-req@openssh.com'),
'auth-agent-req@openssh.com',
1
);
2014-12-30 03:44:31 +01:00
2017-01-08 02:51:56 +01:00
$this->update_channel_status($ssh, NET_SSH2_MSG_CHANNEL_REQUEST);
if (!Objects::callFunc($ssh, 'send_binary_packet', [$packet])) {
2014-12-30 03:44:31 +01:00
return false;
}
2017-01-08 02:51:56 +01:00
$response = Objects::callFunc($ssh, 'get_channel_packet', [$this->request_channel]);
2014-12-30 03:44:31 +01:00
if ($response === false) {
return false;
}
2017-01-08 02:51:56 +01:00
$this->update_channel_status($ssh, NET_SSH2_MSG_CHANNEL_OPEN);
$this->forward_status = self::FORWARD_ACTIVE;
2014-12-30 03:44:31 +01:00
return true;
}
/**
* On successful channel open
2014-12-30 03:44:31 +01:00
*
* This method is called upon successful channel
* open to give the SSH Agent an opportunity
* to take further action. i.e. request agent forwarding
2014-12-30 03:44:31 +01:00
*
* @param Net_SSH2 $ssh
* @access private
*/
2017-01-21 22:51:49 +01:00
private function on_channel_open($ssh)
2014-12-30 03:44:31 +01:00
{
if ($this->forward_status == self::FORWARD_REQUEST) {
2017-01-08 02:51:56 +01:00
$this->request_forwarding($ssh);
2014-12-30 03:44:31 +01:00
}
}
/**
* Forward data to SSH Agent and return data reply
*
* @param string $data
2014-12-30 03:44:31 +01:00
* @return data from SSH Agent
* @throws \RuntimeException on connection errors
2014-12-30 03:44:31 +01:00
* @access private
*/
2017-01-08 02:51:56 +01:00
private function forward_data($data)
2014-12-30 03:44:31 +01:00
{
if ($this->expected_bytes > 0) {
$this->socket_buffer.= $data;
2014-12-30 03:44:31 +01:00
$this->expected_bytes -= strlen($data);
} else {
$agent_data_bytes = current(unpack('N', $data));
$current_data_bytes = strlen($data);
$this->socket_buffer = $data;
if ($current_data_bytes != $agent_data_bytes + 4) {
$this->expected_bytes = ($agent_data_bytes + 4) - $current_data_bytes;
return false;
}
}
if (strlen($this->socket_buffer) != fwrite($this->fsock, $this->socket_buffer)) {
throw new \RuntimeException('Connection closed attempting to forward data to SSH agent');
2014-12-30 03:44:31 +01:00
}
$this->socket_buffer = '';
$this->expected_bytes = 0;
$agent_reply_bytes = current(unpack('N', fread($this->fsock, 4)));
$agent_reply_data = fread($this->fsock, $agent_reply_bytes);
$agent_reply_data = current(unpack('a*', $agent_reply_data));
return pack('Na*', $agent_reply_bytes, $agent_reply_data);
}
2017-01-08 02:51:56 +01:00
/**
* Forward data to SSH Agent and return data reply
*
* @param \phpseclib\Net\SSH2 $ssh
* @param integer $status
* @access private
*/
private function update_channel_status($ssh, $status)
{
$temp = Objects::getVar($ssh, 'channel_status');
$temp[$this->request_channel] = $status;
Objects::setVar($ssh, 'channel_status', $temp);
}
}