bssh 2.1.2

Parallel SSH command execution tool for cluster management
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378

// Copyright 2025 Lablup Inc. and Jeongkyu Shin
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

//! SSH authentication methods and server verification.
//!
//! This module provides authentication mechanisms including:
//! - Password authentication
//! - Private key authentication (file or in-memory)
//! - Public key authentication
//! - SSH agent authentication
//! - Keyboard-interactive authentication
//!
//! It also provides server verification methods via `ServerCheckMethod`.

use russh::client::{Handle, Handler};
use std::path::PathBuf;
use std::sync::Arc;
use zeroize::Zeroizing;

/// An authentification token.
///
/// Used when creating a [`Client`] for authentification.
/// Supports password, private key, public key, SSH agent, and keyboard interactive authentication.
#[derive(Debug, Clone, PartialEq, Eq)]
#[non_exhaustive]
pub enum AuthMethod {
    Password(Zeroizing<String>),
    PrivateKey {
        /// entire contents of private key file
        key_data: Zeroizing<String>,
        key_pass: Option<Zeroizing<String>>,
    },
    PrivateKeyFile {
        key_file_path: PathBuf,
        key_pass: Option<Zeroizing<String>>,
    },
    #[cfg(not(target_os = "windows"))]
    PublicKeyFile {
        key_file_path: PathBuf,
    },
    #[cfg(not(target_os = "windows"))]
    Agent,
    KeyboardInteractive(AuthKeyboardInteractive),
}

#[derive(Debug, Clone, PartialEq, Eq)]
struct PromptResponse {
    exact: bool,
    prompt: String,
    response: Zeroizing<String>,
}

#[derive(Debug, Clone, PartialEq, Eq, Default)]
#[non_exhaustive]
pub struct AuthKeyboardInteractive {
    /// Hnts to the server the preferred methods to be used for authentication.
    submethods: Option<String>,
    responses: Vec<PromptResponse>,
}

impl AuthMethod {
    /// Convenience method to create a [`AuthMethod`] from a string literal.
    pub fn with_password(password: &str) -> Self {
        Self::Password(Zeroizing::new(password.to_string()))
    }

    pub fn with_key(key: &str, passphrase: Option<&str>) -> Self {
        Self::PrivateKey {
            key_data: Zeroizing::new(key.to_string()),
            key_pass: passphrase.map(|p| Zeroizing::new(p.to_string())),
        }
    }

    pub fn with_key_file<T: AsRef<std::path::Path>>(
        key_file_path: T,
        passphrase: Option<&str>,
    ) -> Self {
        Self::PrivateKeyFile {
            key_file_path: key_file_path.as_ref().to_path_buf(),
            key_pass: passphrase.map(|p| Zeroizing::new(p.to_string())),
        }
    }

    #[cfg(not(target_os = "windows"))]
    pub fn with_public_key_file<T: AsRef<std::path::Path>>(key_file_path: T) -> Self {
        Self::PublicKeyFile {
            key_file_path: key_file_path.as_ref().to_path_buf(),
        }
    }

    /// Creates a new SSH agent authentication method.
    ///
    /// This will attempt to authenticate using all identities available in the SSH agent.
    /// The SSH agent must be running and the SSH_AUTH_SOCK environment variable must be set.
    ///
    /// # Example
    /// ```no_run
    /// use bssh::ssh::tokio_client::AuthMethod;
    ///
    /// let auth = AuthMethod::with_agent();
    /// ```
    ///
    /// # Platform Support
    /// This method is only available on Unix-like systems (Linux, macOS, etc.).
    /// It is not available on Windows.
    #[cfg(not(target_os = "windows"))]
    pub fn with_agent() -> Self {
        Self::Agent
    }

    pub const fn with_keyboard_interactive(auth: AuthKeyboardInteractive) -> Self {
        Self::KeyboardInteractive(auth)
    }
}

impl AuthKeyboardInteractive {
    pub fn new() -> Self {
        Default::default()
    }

    /// Hnts to the server the preferred methods to be used for authentication.
    pub fn with_submethods(mut self, submethods: impl Into<String>) -> Self {
        self.submethods = Some(submethods.into());
        self
    }

    /// Adds a response to the list of responses for a given prompt.
    ///
    /// The comparison for the prompt is done using a "contains".
    pub fn with_response(mut self, prompt: impl Into<String>, response: impl Into<String>) -> Self {
        self.responses.push(PromptResponse {
            exact: false,
            prompt: prompt.into(),
            response: Zeroizing::new(response.into()),
        });

        self
    }

    /// Adds a response to the list of responses for a given exact prompt.
    pub fn with_response_exact(
        mut self,
        prompt: impl Into<String>,
        response: impl Into<String>,
    ) -> Self {
        self.responses.push(PromptResponse {
            exact: true,
            prompt: prompt.into(),
            response: Zeroizing::new(response.into()),
        });

        self
    }
}

impl PromptResponse {
    fn matches(&self, received_prompt: &str) -> bool {
        if self.exact {
            self.prompt.eq(received_prompt)
        } else {
            received_prompt.contains(&self.prompt)
        }
    }
}

impl From<AuthKeyboardInteractive> for AuthMethod {
    fn from(value: AuthKeyboardInteractive) -> Self {
        Self::with_keyboard_interactive(value)
    }
}

/// Server host key verification methods.
///
/// These methods control how the client verifies the server's host key during connection.
#[derive(Debug, Clone, PartialEq, Eq, Hash)]
#[non_exhaustive]
pub enum ServerCheckMethod {
    /// No verification - accept any host key (insecure, for testing only)
    NoCheck,
    /// Verify against a specific base64 encoded public key
    PublicKey(String),
    /// Verify against a public key file
    PublicKeyFile(String),
    /// Use default known_hosts file (~/.ssh/known_hosts)
    DefaultKnownHostsFile,
    /// Use a specific known_hosts file path
    KnownHostsFile(String),
}

impl ServerCheckMethod {
    /// Convenience method to create a [`ServerCheckMethod`] from a string literal.
    pub fn with_public_key(key: &str) -> Self {
        Self::PublicKey(key.to_string())
    }

    /// Convenience method to create a [`ServerCheckMethod`] from a string literal.
    pub fn with_public_key_file(key_file_name: &str) -> Self {
        Self::PublicKeyFile(key_file_name.to_string())
    }

    /// Convenience method to create a [`ServerCheckMethod`] from a string literal.
    pub fn with_known_hosts_file(known_hosts_file: &str) -> Self {
        Self::KnownHostsFile(known_hosts_file.to_string())
    }
}

/// This takes a handle and performs authentification with the given method.
pub(super) async fn authenticate<H: Handler>(
    handle: &mut Handle<H>,
    username: &String,
    auth: AuthMethod,
) -> Result<(), super::Error> {
    use russh::client::KeyboardInteractiveAuthResponse;

    match auth {
        AuthMethod::Password(password) => {
            let is_authentificated = handle.authenticate_password(username, &**password).await?;
            if !is_authentificated.success() {
                return Err(super::Error::PasswordWrong);
            }
        }
        AuthMethod::PrivateKey { key_data, key_pass } => {
            let cprivk =
                russh::keys::decode_secret_key(&key_data, key_pass.as_ref().map(|p| &***p))
                    .map_err(super::Error::KeyInvalid)?;
            let is_authentificated = handle
                .authenticate_publickey(
                    username,
                    russh::keys::PrivateKeyWithHashAlg::new(
                        Arc::new(cprivk),
                        handle.best_supported_rsa_hash().await?.flatten(),
                    ),
                )
                .await?;
            if !is_authentificated.success() {
                return Err(super::Error::KeyAuthFailed);
            }
        }
        AuthMethod::PrivateKeyFile {
            key_file_path,
            key_pass,
        } => {
            let cprivk =
                russh::keys::load_secret_key(key_file_path, key_pass.as_ref().map(|p| &***p))
                    .map_err(super::Error::KeyInvalid)?;
            let is_authentificated = handle
                .authenticate_publickey(
                    username,
                    russh::keys::PrivateKeyWithHashAlg::new(
                        Arc::new(cprivk),
                        handle.best_supported_rsa_hash().await?.flatten(),
                    ),
                )
                .await?;
            if !is_authentificated.success() {
                return Err(super::Error::KeyAuthFailed);
            }
        }
        #[cfg(not(target_os = "windows"))]
        AuthMethod::PublicKeyFile { key_file_path } => {
            let cpubk =
                russh::keys::load_public_key(key_file_path).map_err(super::Error::KeyInvalid)?;
            let mut agent = russh::keys::agent::client::AgentClient::connect_env()
                .await
                .unwrap();
            let mut auth_identity_found = false;
            for identity in agent
                .request_identities()
                .await
                .map_err(super::Error::KeyInvalid)?
            {
                if *identity.public_key() == cpubk {
                    auth_identity_found = true;
                    break;
                }
            }

            if !auth_identity_found {
                return Err(super::Error::KeyAuthFailed);
            }

            let is_authentificated = handle
                .authenticate_publickey_with(
                    username,
                    cpubk,
                    handle.best_supported_rsa_hash().await?.flatten(),
                    &mut agent,
                )
                .await?;
            if !is_authentificated.success() {
                return Err(super::Error::KeyAuthFailed);
            }
        }
        #[cfg(not(target_os = "windows"))]
        AuthMethod::Agent => {
            let mut agent = russh::keys::agent::client::AgentClient::connect_env()
                .await
                .map_err(|_| super::Error::AgentConnectionFailed)?;

            let identities = agent
                .request_identities()
                .await
                .map_err(|_| super::Error::AgentRequestIdentitiesFailed)?;

            if identities.is_empty() {
                return Err(super::Error::AgentNoIdentities);
            }

            let mut auth_success = false;
            for identity in identities {
                let result = handle
                    .authenticate_publickey_with(
                        username,
                        identity.public_key().into_owned(),
                        handle.best_supported_rsa_hash().await?.flatten(),
                        &mut agent,
                    )
                    .await;

                if let Ok(auth_result) = result
                    && auth_result.success()
                {
                    auth_success = true;
                    break;
                }
            }

            if !auth_success {
                return Err(super::Error::AgentAuthenticationFailed);
            }
        }
        AuthMethod::KeyboardInteractive(mut kbd) => {
            let mut res = handle
                .authenticate_keyboard_interactive_start(username, kbd.submethods)
                .await?;
            loop {
                let prompts = match res {
                    KeyboardInteractiveAuthResponse::Success => break,
                    KeyboardInteractiveAuthResponse::Failure { .. } => {
                        return Err(super::Error::KeyboardInteractiveAuthFailed);
                    }
                    KeyboardInteractiveAuthResponse::InfoRequest { prompts, .. } => prompts,
                };

                let mut responses = vec![];
                for prompt in prompts {
                    let Some(pos) = kbd
                        .responses
                        .iter()
                        .position(|pr| pr.matches(&prompt.prompt))
                    else {
                        return Err(super::Error::KeyboardInteractiveNoResponseForPrompt(
                            prompt.prompt,
                        ));
                    };
                    let pr = kbd.responses.remove(pos);
                    responses.push(pr.response.to_string());
                }

                res = handle
                    .authenticate_keyboard_interactive_respond(responses)
                    .await?;
            }
        }
    };
    Ok(())
}