510Connectbot: src/ch/ethz/ssh2/Connection.java comparison

comparison src/ch/ethz/ssh2/Connection.java @ 342:175c7d68f3c4

merge ganymed into mainline

author	Carl Byington <carl@five-ten-sg.com>
date	Thu, 31 Jul 2014 16:33:38 -0700
parents	cd1d87edcbf6
children	b40bc65fa09a

comparison

equal deleted inserted replaced

-:ce2f4e397703
+:175c7d68f3c4
+/*
+* Copyright (c) 2006-2011 Christian Plattner. All rights reserved.
+* Please refer to the LICENSE.txt for licensing details.
+*/
+package ch.ethz.ssh2;
+import java.io.CharArrayWriter;
+import java.io.File;
+import java.io.FileReader;
+import java.io.IOException;
+import java.net.InetSocketAddress;
+import java.net.Socket;
+import java.net.SocketTimeoutException;
+import java.security.KeyPair;
+import java.security.SecureRandom;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Set;
+import ch.ethz.ssh2.auth.AgentProxy;
+import ch.ethz.ssh2.auth.AuthenticationManager;
+import ch.ethz.ssh2.channel.ChannelManager;
+import ch.ethz.ssh2.compression.CompressionFactory;
+import ch.ethz.ssh2.crypto.CryptoWishList;
+import ch.ethz.ssh2.crypto.cipher.BlockCipherFactory;
+import ch.ethz.ssh2.crypto.digest.MAC;
+import ch.ethz.ssh2.packets.PacketIgnore;
+import ch.ethz.ssh2.transport.ClientTransportManager;
+import ch.ethz.ssh2.transport.HTTPProxyClientTransportManager;
+import ch.ethz.ssh2.transport.KexManager;
+import ch.ethz.ssh2.util.TimeoutService;
+import ch.ethz.ssh2.util.TimeoutService.TimeoutToken;
+/**
+* A <code>Connection</code> is used to establish an encrypted TCP/IP
+* connection to a SSH-2 server.
+* <p/>
+* Typically, one
+* <ol>
+* <li>creates a {@link #Connection(String) Connection} object.</li>
+* <li>calls the {@link #connect() connect()} method.</li>
+* <li>calls some of the authentication methods (e.g., {@link #authenticateWithPublicKey(String, File, String) authenticateWithPublicKey()}).</li>
+* <li>calls one or several times the {@link #openSession() openSession()} method.</li>
+* <li>finally, one must close the connection and release resources with the {@link #close() close()} method.</li>
+* </ol>
+*
+* @author Christian Plattner
+* @version $Id: Connection.java 160 2014-05-01 14:30:26Z dkocher@sudo.ch $
+*/
+public class Connection {
+/**
+* The identifier presented to the SSH-2 server. This is the same
+* as the "softwareversion" defined in RFC 4253.
+* <p/>
+* <b>NOTE: As per the RFC, the "softwareversion" string MUST consist of printable
+* US-ASCII characters, with the exception of whitespace characters and the minus sign (-).</b>
+*/
+private String softwareversion
+= String.format("Ganymed_%s", Version.getSpecification());
+/* Will be used to generate all random data needed for the current connection.
+* Note: SecureRandom.nextBytes() is thread safe.
+*/
+private SecureRandom generator;
+/**
+* Unless you know what you are doing, you will never need this.
+*
+* @return The list of supported cipher algorithms by this implementation.
+*/
+public static synchronized String[] getAvailableCiphers() {
+return BlockCipherFactory.getDefaultCipherList();
+}
+/**
+* Unless you know what you are doing, you will never need this.
+*
+* @return The list of supported MAC algorthims by this implementation.
+*/
+public static synchronized String[] getAvailableMACs() {
+return MAC.getMacList();
+}
+/**
+* Unless you know what you are doing, you will never need this.
+*
+* @return The list of supported server host key algorthims by this implementation.
+*/
+public static synchronized String[] getAvailableServerHostKeyAlgorithms() {
+return KexManager.getDefaultServerHostkeyAlgorithmList();
+}
+private AuthenticationManager am;
+private boolean authenticated;
+private ChannelManager cm;
+private CryptoWishList cryptoWishList
+= new CryptoWishList();
+private DHGexParameters dhgexpara
+= new DHGexParameters();
+private final String hostname;
+private final int port;
+private ClientTransportManager tm;
+private boolean tcpNoDelay = false;
+private HTTPProxyData proxy;
+private List<ConnectionMonitor> connectionMonitors
+= new ArrayList<ConnectionMonitor>();
+/**
+* Prepares a fresh <code>Connection</code> object which can then be used
+* to establish a connection to the specified SSH-2 server.
+* <p/>
+* Same as {@link #Connection(String, int) Connection(hostname, 22)}.
+*
+* @param hostname the hostname of the SSH-2 server.
+*/
+public Connection(String hostname) {
+this(hostname, 22);
+}
+/**
+* Prepares a fresh <code>Connection</code> object which can then be used
+* to establish a connection to the specified SSH-2 server.
+*
+* @param hostname the host where we later want to connect to.
+* @param port     port on the server, normally 22.
+*/
+public Connection(String hostname, int port) {
+this.hostname = hostname;
+this.port = port;
+}
+/**
+* Prepares a fresh <code>Connection</code> object which can then be used
+* to establish a connection to the specified SSH-2 server.
+*
+* @param hostname        the host where we later want to connect to.
+* @param port            port on the server, normally 22.
+* @param softwareversion Allows you to set a custom "softwareversion" string as defined in RFC 4253.
+*                        <b>NOTE: As per the RFC, the "softwareversion" string MUST consist of printable
+*                        US-ASCII characters, with the exception of whitespace characters and the minus sign (-).</b>
+*/
+public Connection(String hostname, int port, String softwareversion) {
+this.hostname = hostname;
+this.port = port;
+this.softwareversion = softwareversion;
+}
+public Connection(String hostname, int port, final HTTPProxyData proxy) {
+this.hostname = hostname;
+this.port = port;
+this.proxy = proxy;
+}
+public Connection(String hostname, int port, String softwareversion, final HTTPProxyData proxy) {
+this.hostname = hostname;
+this.port = port;
+this.softwareversion = softwareversion;
+this.proxy = proxy;
+}
+/**
+* After a successful connect, one has to authenticate oneself. This method
+* is based on DSA (it uses DSA to sign a challenge sent by the server).
+* <p/>
+* If the authentication phase is complete, <code>true</code> will be
+* returned. If the server does not accept the request (or if further
+* authentication steps are needed), <code>false</code> is returned and
+* one can retry either by using this or any other authentication method
+* (use the <code>getRemainingAuthMethods</code> method to get a list of
+* the remaining possible methods).
+*
+* @param user     A <code>String</code> holding the username.
+* @param pem      A <code>String</code> containing the DSA private key of the
+*                 user in OpenSSH key format (PEM, you can't miss the
+*                 "-----BEGIN DSA PRIVATE KEY-----" tag). The string may contain
+*                 linefeeds.
+* @param password If the PEM string is 3DES encrypted ("DES-EDE3-CBC"), then you
+*                 must specify the password. Otherwise, this argument will be
+*                 ignored and can be set to <code>null</code>.
+* @return whether the connection is now authenticated.
+* @throws IOException
+* @deprecated You should use one of the {@link #authenticateWithPublicKey(String, File, String) authenticateWithPublicKey()}
+* methods, this method is just a wrapper for it and will
+* disappear in future builds.
+*/
+@Deprecated
+public synchronized boolean authenticateWithDSA(String user, String pem, String password) throws IOException {
+if (tm == null) {
+throw new IllegalStateException("Connection is not established!");
+}
+if (authenticated) {
+throw new IllegalStateException("Connection is already authenticated!");
+}
+if (am == null) {
+am = new AuthenticationManager(tm);
+}
+if (cm == null) {
+cm = new ChannelManager(tm);
+}
+if (user == null) {
+throw new IllegalArgumentException("user argument is null");
+}
+if (pem == null) {
+throw new IllegalArgumentException("pem argument is null");
+}
+authenticated = am.authenticatePublicKey(user, pem.toCharArray(), password, getOrCreateSecureRND());
+return authenticated;
+}
+/**
+* A wrapper that calls {@link #authenticateWithKeyboardInteractive(String, String[], InteractiveCallback)
+* authenticateWithKeyboardInteractivewith} a <code>null</code> submethod list.
+*
+* @param user A <code>String</code> holding the username.
+* @param cb   An <code>InteractiveCallback</code> which will be used to
+*             determine the responses to the questions asked by the server.
+* @return whether the connection is now authenticated.
+* @throws IOException
+*/
+public synchronized boolean authenticateWithKeyboardInteractive(String user, InteractiveCallback cb)
+throws IOException {
+return authenticateWithKeyboardInteractive(user, null, cb);
+}
+/**
+* After a successful connect, one has to authenticate oneself. This method
+* is based on "keyboard-interactive", specified in
+* draft-ietf-secsh-auth-kbdinteract-XX. Basically, you have to define a
+* callback object which will be feeded with challenges generated by the
+* server. Answers are then sent back to the server. It is possible that the
+* callback will be called several times during the invocation of this
+* method (e.g., if the server replies to the callback's answer(s) with
+* another challenge...)
+* <p/>
+* If the authentication phase is complete, <code>true</code> will be
+* returned. If the server does not accept the request (or if further
+* authentication steps are needed), <code>false</code> is returned and
+* one can retry either by using this or any other authentication method
+* (use the <code>getRemainingAuthMethods</code> method to get a list of
+* the remaining possible methods).
+* <p/>
+* Note: some SSH servers advertise "keyboard-interactive", however, any
+* interactive request will be denied (without having sent any challenge to
+* the client).
+*
+* @param user       A <code>String</code> holding the username.
+* @param submethods An array of submethod names, see
+*                   draft-ietf-secsh-auth-kbdinteract-XX. May be <code>null</code>
+*                   to indicate an empty list.
+* @param cb         An <code>InteractiveCallback</code> which will be used to
+*                   determine the responses to the questions asked by the server.
+* @return whether the connection is now authenticated.
+* @throws IOException
+*/
+public synchronized boolean authenticateWithKeyboardInteractive(String user, String[] submethods,
+InteractiveCallback cb) throws IOException {
+if (cb == null) {
+throw new IllegalArgumentException("Callback may not ne NULL!");
+}
+if (tm == null) {
+throw new IllegalStateException("Connection is not established!");
+}
+if (authenticated) {
+throw new IllegalStateException("Connection is already authenticated!");
+}
+if (am == null) {
+am = new AuthenticationManager(tm);
+}
+if (cm == null) {
+cm = new ChannelManager(tm);
+}
+if (user == null) {
+throw new IllegalArgumentException("user argument is null");
+}
+authenticated = am.authenticateInteractive(user, submethods, cb);
+return authenticated;
+}
+public synchronized boolean authenticateWithAgent(String user, AgentProxy proxy) throws IOException {
+if (tm == null) {
+throw new IllegalStateException("Connection is not established!");
+}
+if (authenticated) {
+throw new IllegalStateException("Connection is already authenticated!");
+}
+if (am == null) {
+am = new AuthenticationManager(tm);
+}
+if (cm == null) {
+cm = new ChannelManager(tm);
+}
+if (user == null) {
+throw new IllegalArgumentException("user argument is null");
+}
+authenticated = am.authenticatePublicKey(user, proxy);
+return authenticated;
+}
+/**
+* After a successful connect, one has to authenticate oneself. This method
+* sends username and password to the server.
+* <p/>
+* If the authentication phase is complete, <code>true</code> will be
+* returned. If the server does not accept the request (or if further
+* authentication steps are needed), <code>false</code> is returned and
+* one can retry either by using this or any other authentication method
+* (use the <code>getRemainingAuthMethods</code> method to get a list of
+* the remaining possible methods).
+* <p/>
+* Note: if this method fails, then please double-check that it is actually
+* offered by the server (use {@link #getRemainingAuthMethods(String) getRemainingAuthMethods()}.
+* <p/>
+* Often, password authentication is disabled, but users are not aware of it.
+* Many servers only offer "publickey" and "keyboard-interactive". However,
+* even though "keyboard-interactive" *feels* like password authentication
+* (e.g., when using the putty or openssh clients) it is *not* the same mechanism.
+*
+* @param user
+* @param password
+* @return if the connection is now authenticated.
+* @throws IOException
+*/
+public synchronized boolean authenticateWithPassword(String user, String password) throws IOException {
+if (tm == null) {
+throw new IllegalStateException("Connection is not established!");
+}
+if (authenticated) {
+throw new IllegalStateException("Connection is already authenticated!");
+}
+if (am == null) {
+am = new AuthenticationManager(tm);
+}
+if (cm == null) {
+cm = new ChannelManager(tm);
+}
+if (user == null) {
+throw new IllegalArgumentException("user argument is null");
+}
+if (password == null) {
+throw new IllegalArgumentException("password argument is null");
+}
+authenticated = am.authenticatePassword(user, password);
+return authenticated;
+}
+/**
+* After a successful connect, one has to authenticate oneself.
+* This method can be used to explicitly use the special "none"
+* authentication method (where only a username has to be specified).
+* <p/>
+* Note 1: The "none" method may always be tried by clients, however as by
+* the specs, the server will not explicitly announce it. In other words,
+* the "none" token will never show up in the list returned by
+* {@link #getRemainingAuthMethods(String)}.
+* <p/>
+* Note 2: no matter which one of the authenticateWithXXX() methods
+* you call, the library will always issue exactly one initial "none"
+* authentication request to retrieve the initially allowed list of
+* authentication methods by the server. Please read RFC 4252 for the
+* details.
+* <p/>
+* If the authentication phase is complete, <code>true</code> will be
+* returned. If further authentication steps are needed, <code>false</code>
+* is returned and one can retry by any other authentication method
+* (use the <code>getRemainingAuthMethods</code> method to get a list of
+* the remaining possible methods).
+*
+* @param user
+* @return if the connection is now authenticated.
+* @throws IOException
+*/
+public synchronized boolean authenticateWithNone(String user) throws IOException {
+if (tm == null) {
+throw new IllegalStateException("Connection is not established!");
+}
+if (authenticated) {
+throw new IllegalStateException("Connection is already authenticated!");
+}
+if (am == null) {
+am = new AuthenticationManager(tm);
+}
+if (cm == null) {
+cm = new ChannelManager(tm);
+}
+if (user == null) {
+throw new IllegalArgumentException("user argument is null");
+}
+/* Trigger the sending of the PacketUserauthRequestNone packet */
+/* (if not already done)                                       */
+authenticated = am.authenticateNone(user);
+return authenticated;
+}
+/**
+* After a successful connect, one has to authenticate oneself.
+* The authentication method "publickey" works by signing a challenge
+* sent by the server. The signature is either DSA or RSA based - it
+* just depends on the type of private key you specify, either a DSA
+* or RSA private key in PEM format. And yes, this is may seem to be a
+* little confusing, the method is called "publickey" in the SSH-2 protocol
+* specification, however since we need to generate a signature, you
+* actually have to supply a private key =).
+* <p/>
+* The private key contained in the PEM file may also be encrypted ("Proc-Type: 4,ENCRYPTED").
+* The library supports DES-CBC and DES-EDE3-CBC encryption, as well
+* as the more exotic PEM encrpytions AES-128-CBC, AES-192-CBC and AES-256-CBC.
+* <p/>
+* If the authentication phase is complete, <code>true</code> will be
+* returned. If the server does not accept the request (or if further
+* authentication steps are needed), <code>false</code> is returned and
+* one can retry either by using this or any other authentication method
+* (use the <code>getRemainingAuthMethods</code> method to get a list of
+* the remaining possible methods).
+* <p/>
+* NOTE PUTTY USERS: Event though your key file may start with "-----BEGIN..."
+* it is not in the expected format. You have to convert it to the OpenSSH
+* key format by using the "puttygen" tool (can be downloaded from the Putty
+* website). Simply load your key and then use the "Conversions/Export OpenSSH key"
+* functionality to get a proper PEM file.
+*
+* @param user          A <code>String</code> holding the username.
+* @param pemPrivateKey A <code>char[]</code> containing a DSA or RSA private key of the
+*                      user in OpenSSH key format (PEM, you can't miss the
+*                      "-----BEGIN DSA PRIVATE KEY-----" or "-----BEGIN RSA PRIVATE KEY-----"
+*                      tag). The char array may contain linebreaks/linefeeds.
+* @param password      If the PEM structure is encrypted ("Proc-Type: 4,ENCRYPTED") then
+*                      you must specify a password. Otherwise, this argument will be ignored
+*                      and can be set to <code>null</code>.
+* @return whether the connection is now authenticated.
+* @throws IOException
+*/
+public synchronized boolean authenticateWithPublicKey(String user, char[] pemPrivateKey, String password)
+throws IOException {
+if (tm == null) {
+throw new IllegalStateException("Connection is not established!");
+}
+if (authenticated) {
+throw new IllegalStateException("Connection is already authenticated!");
+}
+if (am == null) {
+am = new AuthenticationManager(tm);
+}
+if (cm == null) {
+cm = new ChannelManager(tm);
+}
+if (user == null) {
+throw new IllegalArgumentException("user argument is null");
+}
+if (pemPrivateKey == null) {
+throw new IllegalArgumentException("pemPrivateKey argument is null");
+}
+authenticated = am.authenticatePublicKey(user, pemPrivateKey, password, getOrCreateSecureRND());
+return authenticated;
+}
+/**
+* After a successful connect, one has to authenticate oneself. The
+* authentication method "publickey" works by signing a challenge sent by
+* the server. The signature is either DSA or RSA based - it just depends on
+* the type of private key you specify, either a DSA or RSA private key in
+* PEM format. And yes, this is may seem to be a little confusing, the
+* method is called "publickey" in the SSH-2 protocol specification, however
+* since we need to generate a signature, you actually have to supply a
+* private key =).
+* <p>
+* If the authentication phase is complete, <code>true</code> will be
+* returned. If the server does not accept the request (or if further
+* authentication steps are needed), <code>false</code> is returned and
+* one can retry either by using this or any other authentication method
+* (use the <code>getRemainingAuthMethods</code> method to get a list of
+* the remaining possible methods).
+*
+* @param user
+*            A <code>String</code> holding the username.
+* @param pair
+*            A <code>RSAPrivateKey</code> or <code>DSAPrivateKey</code>
+*            containing a DSA or RSA private key of
+*            the user in Trilead object format.
+*
+* @return whether the connection is now authenticated.
+* @throws IOException
+*/
+public synchronized boolean authenticateWithPublicKey(String user, KeyPair pair)
+throws IOException {
+if (tm == null)
+throw new IllegalStateException("Connection is not established!");
+if (authenticated)
+throw new IllegalStateException("Connection is already authenticated!");
+if (am == null)
+am = new AuthenticationManager(tm);
+if (cm == null)
+cm = new ChannelManager(tm);
+if (user == null)
+throw new IllegalArgumentException("user argument is null");
+if (pair == null)
+throw new IllegalArgumentException("Key pair argument is null");
+authenticated = am.authenticatePublicKey(user, pair, getOrCreateSecureRND());
+return authenticated;
+}
+/**
+* A convenience wrapper function which reads in a private key (PEM format, either DSA or RSA)
+* and then calls <code>authenticateWithPublicKey(String, char[], String)</code>.
+* <p/>
+* NOTE PUTTY USERS: Event though your key file may start with "-----BEGIN..."
+* it is not in the expected format. You have to convert it to the OpenSSH
+* key format by using the "puttygen" tool (can be downloaded from the Putty
+* website). Simply load your key and then use the "Conversions/Export OpenSSH key"
+* functionality to get a proper PEM file.
+*
+* @param user     A <code>String</code> holding the username.
+* @param pemFile  A <code>File</code> object pointing to a file containing a DSA or RSA
+*                 private key of the user in OpenSSH key format (PEM, you can't miss the
+*                 "-----BEGIN DSA PRIVATE KEY-----" or "-----BEGIN RSA PRIVATE KEY-----"
+*                 tag).
+* @param password If the PEM file is encrypted then you must specify the password.
+*                 Otherwise, this argument will be ignored and can be set to <code>null</code>.
+* @return whether the connection is now authenticated.
+* @throws IOException
+*/
+public synchronized boolean authenticateWithPublicKey(String user, File pemFile, String password)
+throws IOException {
+if (pemFile == null) {
+throw new IllegalArgumentException("pemFile argument is null");
+}
+char[] buff = new char[256];
+CharArrayWriter cw = new CharArrayWriter();
+FileReader fr = new FileReader(pemFile);
+while (true) {
+int len = fr.read(buff);
+if (len < 0) {
+break;
+}
+cw.write(buff, 0, len);
+}
+fr.close();
+return authenticateWithPublicKey(user, cw.toCharArray(), password);
+}
+/**
+* Add a {@link ConnectionMonitor} to this connection. Can be invoked at any time,
+* but it is best to add connection monitors before invoking
+* <code>connect()</code> to avoid glitches (e.g., you add a connection monitor after
+* a successful connect(), but the connection has died in the mean time. Then,
+* your connection monitor won't be notified.)
+* <p/>
+* You can add as many monitors as you like. If a monitor has already been added, then
+* this method does nothing.
+*
+* @param cmon An object implementing the {@link ConnectionMonitor} interface.
+* @see ConnectionMonitor
+*/
+public synchronized void addConnectionMonitor(ConnectionMonitor cmon) {
+if (!connectionMonitors.contains(cmon)) {
+connectionMonitors.add(cmon);
+if (tm != null) {
+tm.setConnectionMonitors(connectionMonitors);
+}
+}
+}
+/**
+* Remove a {@link ConnectionMonitor} from this connection.
+*
+* @param cmon
+* @return whether the monitor could be removed
+*/
+public synchronized boolean removeConnectionMonitor(ConnectionMonitor cmon) {
+boolean existed = connectionMonitors.remove(cmon);
+if (tm != null) {
+tm.setConnectionMonitors(connectionMonitors);
+}
+return existed;
+}
+/**
+* Controls whether compression is used on the link or not.
+* <p>
+* Note: This can only be called before connect()
+* @param enabled whether to enable compression
+* @throws IOException
+*/
+public synchronized void setCompression(boolean enabled) throws IOException {
+if (tm != null)
+throw new IOException("Connection to " + hostname + " is already in connected state!");
+if (enabled) enableCompression();
+else         disableCompression();
+}
+/**
+* Close the connection to the SSH-2 server. All assigned sessions will be
+* closed, too. Can be called at any time. Don't forget to call this once
+* you don't need a connection anymore - otherwise the receiver thread may
+* run forever.
+*/
+public synchronized void close() {
+Throwable t = new Throwable("Closed due to user request.");
+close(t, false);
+}
+public synchronized void close(Throwable t, boolean hard) {
+if (cm != null) {
+cm.closeAllChannels();
+}
+if (tm != null) {
+tm.close(t, hard == false);
+tm = null;
+}
+am = null;
+cm = null;
+authenticated = false;
+}
+/**
+* Same as {@link #connect(ServerHostKeyVerifier, int, int) connect(null, 0, 0)}.
+*
+* @return see comments for the {@link #connect(ServerHostKeyVerifier, int, int) connect(ServerHostKeyVerifier, int, int)} method.
+* @throws IOException
+*/
+public synchronized ConnectionInfo connect() throws IOException {
+return connect(null, 0, 0);
+}
+/**
+* Same as {@link #connect(ServerHostKeyVerifier, int, int) connect(verifier, 0, 0)}.
+*
+* @return see comments for the {@link #connect(ServerHostKeyVerifier, int, int) connect(ServerHostKeyVerifier, int, int)} method.
+* @throws IOException
+*/
+public synchronized ConnectionInfo connect(ServerHostKeyVerifier verifier) throws IOException {
+return connect(verifier, 0, 0);
+}
+/**
+* Connect to the SSH-2 server and, as soon as the server has presented its
+* host key, use the {@link ServerHostKeyVerifier#verifyServerHostKey(String,
+* int, String, byte[]) ServerHostKeyVerifier.verifyServerHostKey()}
+* method of the <code>verifier</code> to ask for permission to proceed.
+* If <code>verifier</code> is <code>null</code>, then any host key will be
+* accepted - this is NOT recommended, since it makes man-in-the-middle attackes
+* VERY easy (somebody could put a proxy SSH server between you and the real server).
+* <p/>
+* Note: The verifier will be called before doing any crypto calculations
+* (i.e., diffie-hellman). Therefore, if you don't like the presented host key then
+* no CPU cycles are wasted (and the evil server has less information about us).
+* <p/>
+* However, it is still possible that the server presented a fake host key: the server
+* cheated (typically a sign for a man-in-the-middle attack) and is not able to generate
+* a signature that matches its host key. Don't worry, the library will detect such
+* a scenario later when checking the signature (the signature cannot be checked before
+* having completed the diffie-hellman exchange).
+* <p/>
+* Note 2: The  {@link ServerHostKeyVerifier#verifyServerHostKey(String,
+* int, String, byte[]) ServerHostKeyVerifier.verifyServerHostKey()} method
+* will *NOT* be called from the current thread, the call is being made from a
+* background thread (there is a background dispatcher thread for every
+* established connection).
+* <p/>
+* Note 3: This method will block as long as the key exchange of the underlying connection
+* has not been completed (and you have not specified any timeouts).
+* <p/>
+* Note 4: If you want to re-use a connection object that was successfully connected,
+* then you must call the {@link #close()} method before invoking <code>connect()</code> again.
+*
+* @param verifier       An object that implements the
+*                       {@link ServerHostKeyVerifier} interface. Pass <code>null</code>
+*                       to accept any server host key - NOT recommended.
+* @param connectTimeout Connect the underlying TCP socket to the server with the given timeout
+*                       value (non-negative, in milliseconds). Zero means no timeout.
+* @param kexTimeout     Timeout for complete connection establishment (non-negative,
+*                       in milliseconds). Zero means no timeout. The timeout counts from the
+*                       moment you invoke the connect() method and is cancelled as soon as the
+*                       first key-exchange round has finished. It is possible that
+*                       the timeout event will be fired during the invocation of the
+*                       <code>verifier</code> callback, but it will only have an effect after
+*                       the <code>verifier</code> returns.
+* @return A {@link ConnectionInfo} object containing the details of
+* the established connection.
+* @throws IOException If any problem occurs, e.g., the server's host key is not
+*                     accepted by the <code>verifier</code> or there is problem during
+*                     the initial crypto setup (e.g., the signature sent by the server is wrong).
+*                     <p/>
+*                     In case of a timeout (either connectTimeout or kexTimeout)
+*                     a SocketTimeoutException is thrown.
+*                     <p/>
+*                     An exception may also be thrown if the connection was already successfully
+*                     connected (no matter if the connection broke in the mean time) and you invoke
+*                     <code>connect()</code> again without having called {@link #close()} first.
+*                     <p/>
+*                     If a HTTP proxy is being used and the proxy refuses the connection,
+*                     then a {@link HTTPProxyException} may be thrown, which
+*                     contains the details returned by the proxy. If the proxy is buggy and does
+*                     not return a proper HTTP response, then a normal IOException is thrown instead.
+*/
+public synchronized ConnectionInfo connect(ServerHostKeyVerifier verifier, int connectTimeout, int kexTimeout)
+throws IOException {
+final class TimeoutState {
+boolean isCancelled = false;
+boolean timeoutSocketClosed = false;
+}
+if (tm != null) {
+throw new IllegalStateException(String.format("Connection to %s is already in connected state", hostname));
+}
+if (connectTimeout < 0) {
+throw new IllegalArgumentException("connectTimeout must be non-negative!");
+}
+if (kexTimeout < 0) {
+throw new IllegalArgumentException("kexTimeout must be non-negative!");
+}
+final TimeoutState state = new TimeoutState();
+if (null == proxy) {
+tm = new ClientTransportManager(new Socket());
+}
+else {
+tm = new HTTPProxyClientTransportManager(new Socket(), proxy);
+}
+tm.setSoTimeout(connectTimeout);
+tm.setTcpNoDelay(tcpNoDelay);
+tm.setConnectionMonitors(connectionMonitors);
+try {
+TimeoutToken token = null;
+if (kexTimeout > 0) {
+final Runnable timeoutHandler = new Runnable() {
+public void run() {
+synchronized (state) {
+if (state.isCancelled) {
+return;
+}
+state.timeoutSocketClosed = true;
+tm.close(new SocketTimeoutException("The connect timeout expired"), false);
+}
+}
+};
+long timeoutHorizont = System.currentTimeMillis() + kexTimeout;
+token = TimeoutService.addTimeoutHandler(timeoutHorizont, timeoutHandler);
+}
+tm.connect(hostname, port, softwareversion, cryptoWishList, verifier, dhgexpara, connectTimeout,
+getOrCreateSecureRND());
+/* Wait until first KEX has finished */
+ConnectionInfo ci = tm.getConnectionInfo(1);
+/* Now try to cancel the timeout, if needed */
+if (token != null) {
+TimeoutService.cancelTimeoutHandler(token);
+/* Were we too late? */
+synchronized (state) {
+if (state.timeoutSocketClosed) {
+throw new IOException("This exception will be replaced by the one below =)");
+}
+/* Just in case the "cancelTimeoutHandler" invocation came just a little bit
+* too late but the handler did not enter the semaphore yet - we can
+* still stop it.
+*/
+state.isCancelled = true;
+}
+}
+return ci;
+}
+catch (SocketTimeoutException e) {
+throw e;
+}
+catch (HTTPProxyException e) {
+throw e;
+}
+catch (IOException e) {
+// This will also invoke any registered connection monitors
+close(e, false);
+synchronized (state) {
+/* Show a clean exception, not something like "the socket is closed!?!" */
+if (state.timeoutSocketClosed) {
+throw new SocketTimeoutException(String.format("The kexTimeout (%d ms) expired.", kexTimeout));
+}
+}
+throw e;
+}
+}
+/**
+* Creates a new {@link LocalPortForwarder}.
+* A <code>LocalPortForwarder</code> forwards TCP/IP connections that arrive at a local
+* port via the secure tunnel to another host (which may or may not be
+* identical to the remote SSH-2 server).
+* <p/>
+* This method must only be called after one has passed successfully the authentication step.
+* There is no limit on the number of concurrent forwardings.
+*
+* @param local_port      the local port the LocalPortForwarder shall bind to.
+* @param host_to_connect target address (IP or hostname)
+* @param port_to_connect target port
+* @return A {@link LocalPortForwarder} object.
+* @throws IOException
+*/
+public synchronized LocalPortForwarder createLocalPortForwarder(int local_port, String host_to_connect,
+int port_to_connect) throws IOException {
+this.checkConnection();
+return new LocalPortForwarder(cm, local_port, host_to_connect, port_to_connect);
+}
+/**
+* Creates a new {@link LocalPortForwarder}.
+* A <code>LocalPortForwarder</code> forwards TCP/IP connections that arrive at a local
+* port via the secure tunnel to another host (which may or may not be
+* identical to the remote SSH-2 server).
+* <p/>
+* This method must only be called after one has passed successfully the authentication step.
+* There is no limit on the number of concurrent forwardings.
+*
+* @param addr            specifies the InetSocketAddress where the local socket shall be bound to.
+* @param host_to_connect target address (IP or hostname)
+* @param port_to_connect target port
+* @return A {@link LocalPortForwarder} object.
+* @throws IOException
+*/
+public synchronized LocalPortForwarder createLocalPortForwarder(InetSocketAddress addr, String host_to_connect,
+int port_to_connect) throws IOException {
+this.checkConnection();
+return new LocalPortForwarder(cm, addr, host_to_connect, port_to_connect);
+}
+/**
+* Creates a new {@link LocalStreamForwarder}.
+* A <code>LocalStreamForwarder</code> manages an Input/Outputstream pair
+* that is being forwarded via the secure tunnel into a TCP/IP connection to another host
+* (which may or may not be identical to the remote SSH-2 server).
+*
+* @param host_to_connect
+* @param port_to_connect
+* @return A {@link LocalStreamForwarder} object.
+* @throws IOException
+*/
+public synchronized LocalStreamForwarder createLocalStreamForwarder(String host_to_connect, int port_to_connect)
+throws IOException {
+this.checkConnection();
+return new LocalStreamForwarder(cm, host_to_connect, port_to_connect);
+}
+/**
+* Creates a new {@link DynamicPortForwarder}. A
+* <code>DynamicPortForwarder</code> forwards TCP/IP connections that arrive
+* at a local port via the secure tunnel to another host that is chosen via
+* the SOCKS protocol.
+* <p>
+* This method must only be called after one has passed successfully the
+* authentication step. There is no limit on the number of concurrent
+* forwardings.
+*
+* @param local_port
+* @return A {@link DynamicPortForwarder} object.
+* @throws IOException
+*/
+public synchronized DynamicPortForwarder createDynamicPortForwarder(int local_port) throws IOException {
+if (tm == null)
+throw new IllegalStateException("Cannot forward ports, you need to establish a connection first.");
+if (!authenticated)
+throw new IllegalStateException("Cannot forward ports, connection is not authenticated.");
+return new DynamicPortForwarder(cm, local_port);
+}
+/**
+* Creates a new {@link DynamicPortForwarder}. A
+* <code>DynamicPortForwarder</code> forwards TCP/IP connections that arrive
+* at a local port via the secure tunnel to another host that is chosen via
+* the SOCKS protocol.
+* <p>
+* This method must only be called after one has passed successfully the
+* authentication step. There is no limit on the number of concurrent
+* forwardings.
+*
+* @param addr
+*            specifies the InetSocketAddress where the local socket shall
+*            be bound to.
+* @return A {@link DynamicPortForwarder} object.
+* @throws IOException
+*/
+public synchronized DynamicPortForwarder createDynamicPortForwarder(InetSocketAddress addr) throws IOException {
+if (tm == null)
+throw new IllegalStateException("Cannot forward ports, you need to establish a connection first.");
+if (!authenticated)
+throw new IllegalStateException("Cannot forward ports, connection is not authenticated.");
+return new DynamicPortForwarder(cm, addr);
+}
+/**
+* Create a very basic {@link SCPClient} that can be used to copy
+* files from/to the SSH-2 server.
+* <p/>
+* Works only after one has passed successfully the authentication step.
+* There is no limit on the number of concurrent SCP clients.
+* <p/>
+* Note: This factory method will probably disappear in the future.
+*
+* @return A {@link SCPClient} object.
+* @throws IOException
+*/
+public synchronized SCPClient createSCPClient() throws IOException {
+this.checkConnection();
+return new SCPClient(this);
+}
+/**
+* Force an asynchronous key re-exchange (the call does not block). The
+* latest values set for MAC, Cipher and DH group exchange parameters will
+* be used. If a key exchange is currently in progress, then this method has
+* the only effect that the so far specified parameters will be used for the
+* next (server driven) key exchange.
+* <p/>
+* Note: This implementation will never start a key exchange (other than the initial one)
+* unless you or the SSH-2 server ask for it.
+*
+* @throws IOException In case of any failure behind the scenes.
+*/
+public synchronized void forceKeyExchange() throws IOException {
+this.checkConnection();
+tm.forceKeyExchange(cryptoWishList, dhgexpara, null, null, null);
+}
+/**
+* Returns the hostname that was passed to the constructor.
+*
+* @return the hostname
+*/
+public synchronized String getHostname() {
+return hostname;
+}
+/**
+* Returns the port that was passed to the constructor.
+*
+* @return the TCP port
+*/
+public synchronized int getPort() {
+return port;
+}
+/**
+* Returns a {@link ConnectionInfo} object containing the details of
+* the connection. Can be called as soon as the connection has been
+* established (successfully connected).
+*
+* @return A {@link ConnectionInfo} object.
+* @throws IOException In case of any failure behind the scenes.
+*/
+public synchronized ConnectionInfo getConnectionInfo() throws IOException {
+this.checkConnection();
+return tm.getConnectionInfo(1);
+}
+/**
+* After a successful connect, one has to authenticate oneself. This method
+* can be used to tell which authentication methods are supported by the
+* server at a certain stage of the authentication process (for the given
+* username).
+* <p/>
+* Note 1: the username will only be used if no authentication step was done
+* so far (it will be used to ask the server for a list of possible
+* authentication methods by sending the initial "none" request). Otherwise,
+* this method ignores the user name and returns a cached method list
+* (which is based on the information contained in the last negative server response).
+* <p/>
+* Note 2: the server may return method names that are not supported by this
+* implementation.
+* <p/>
+* After a successful authentication, this method must not be called
+* anymore.
+*
+* @param user A <code>String</code> holding the username.
+* @return a (possibly emtpy) array holding authentication method names.
+* @throws IOException
+*/
+public synchronized String[] getRemainingAuthMethods(String user) throws IOException {
+if (user == null) {
+throw new IllegalArgumentException("user argument may not be NULL!");
+}
+if (tm == null) {
+throw new IllegalStateException("Connection is not established!");
+}
+if (authenticated) {
+throw new IllegalStateException("Connection is already authenticated!");
+}
+if (am == null) {
+am = new AuthenticationManager(tm);
+}
+if (cm == null) {
+cm = new ChannelManager(tm);
+}
+final Set<String> remainingMethods = am.getRemainingMethods(user);
+return remainingMethods.toArray(new String[remainingMethods.size()]);
+}
+/**
+* Determines if the authentication phase is complete. Can be called at any
+* time.
+*
+* @return <code>true</code> if no further authentication steps are
+* needed.
+*/
+public synchronized boolean isAuthenticationComplete() {
+return authenticated;
+}
+/**
+* Returns true if there was at least one failed authentication request and
+* the last failed authentication request was marked with "partial success"
+* by the server. This is only needed in the rare case of SSH-2 server setups
+* that cannot be satisfied with a single successful authentication request
+* (i.e., multiple authentication steps are needed.)
+* <p/>
+* If you are interested in the details, then have a look at RFC4252.
+*
+* @return if the there was a failed authentication step and the last one
+* was marked as a "partial success".
+*/
+public synchronized boolean isAuthenticationPartialSuccess() {
+if (am == null) {
+return false;
+}
+return am.getPartialSuccess();
+}
+/**
+* Checks if a specified authentication method is available. This method is
+* actually just a wrapper for {@link #getRemainingAuthMethods(String)
+* getRemainingAuthMethods()}.
+*
+* @param user   A <code>String</code> holding the username.
+* @param method An authentication method name (e.g., "publickey", "password",
+*               "keyboard-interactive") as specified by the SSH-2 standard.
+* @return if the specified authentication method is currently available.
+* @throws IOException
+*/
+public synchronized boolean isAuthMethodAvailable(String user, String method) throws IOException {
+String methods[] = getRemainingAuthMethods(user);
+for (final String m : methods) {
+if (m.compareTo(method) == 0) {
+return true;
+}
+}
+return false;
+}
+private SecureRandom getOrCreateSecureRND() {
+if (generator == null) {
+generator = new SecureRandom();
+}
+return generator;
+}
+/**
+* Open a new {@link Session} on this connection. Works only after one has passed
+* successfully the authentication step. There is no limit on the number of
+* concurrent sessions.
+*
+* @return A {@link Session} object.
+* @throws IOException
+*/
+public synchronized Session openSession() throws IOException {
+this.checkConnection();
+return new Session(cm, getOrCreateSecureRND());
+}
+/**
+* Send an SSH_MSG_IGNORE packet. This method will generate a random data attribute
+* (length between 0 (invlusive) and 16 (exclusive) bytes, contents are random bytes).
+* <p/>
+* This method must only be called once the connection is established.
+*
+* @throws IOException
+*/
+public synchronized void sendIgnorePacket() throws IOException {
+SecureRandom rnd = getOrCreateSecureRND();
+byte[] data = new byte[rnd.nextInt(16)];
+rnd.nextBytes(data);
+sendIgnorePacket(data);
+}
+/**
+* Send an SSH_MSG_IGNORE packet with the given data attribute.
+* <p/>
+* This method must only be called once the connection is established.
+*
+* @throws IOException
+*/
+public synchronized void sendIgnorePacket(byte[] data) throws IOException {
+this.checkConnection();
+PacketIgnore pi = new PacketIgnore(data);
+tm.sendMessage(pi.getPayload());
+}
+/**
+* Controls whether compression is used on the link or not.
+*/
+public synchronized void setCompression(String[] algorithms) {
+CompressionFactory.checkCompressorList(algorithms);
+cryptoWishList.c2s_comp_algos = algorithms;
+}
+public synchronized void enableCompression() {
+cryptoWishList.c2s_comp_algos = CompressionFactory.getDefaultCompressorList();
+cryptoWishList.s2c_comp_algos = CompressionFactory.getDefaultCompressorList();
+}
+public synchronized void disableCompression() {
+cryptoWishList.c2s_comp_algos = new String[] {"none"};
+cryptoWishList.s2c_comp_algos = new String[] {"none"};
+}
+/**
+* Unless you know what you are doing, you will never need this.
+*/
+public synchronized void setClient2ServerCiphers(final String[] ciphers) {
+if ((ciphers == null) || (ciphers.length == 0)) {
+throw new IllegalArgumentException();
+}
+BlockCipherFactory.checkCipherList(ciphers);
+cryptoWishList.c2s_enc_algos = ciphers;
+}
+/**
+* Unless you know what you are doing, you will never need this.
+*/
+public synchronized void setClient2ServerMACs(final String[] macs) {
+MAC.checkMacList(macs);
+cryptoWishList.c2s_mac_algos = macs;
+}
+/**
+* Sets the parameters for the diffie-hellman group exchange. Unless you
+* know what you are doing, you will never need this. Default values are
+* defined in the {@link DHGexParameters} class.
+*
+* @param dgp {@link DHGexParameters}, non null.
+*/
+public synchronized void setDHGexParameters(DHGexParameters dgp) {
+if (dgp == null) {
+throw new IllegalArgumentException();
+}
+dhgexpara = dgp;
+}
+/**
+* Unless you know what you are doing, you will never need this.
+*/
+public synchronized void setServer2ClientCiphers(final String[] ciphers) {
+BlockCipherFactory.checkCipherList(ciphers);
+cryptoWishList.s2c_enc_algos = ciphers;
+}
+/**
+* Unless you know what you are doing, you will never need this.
+*/
+public synchronized void setServer2ClientMACs(final String[] macs) {
+MAC.checkMacList(macs);
+cryptoWishList.s2c_mac_algos = macs;
+}
+/**
+* Define the set of allowed server host key algorithms to be used for
+* the following key exchange operations.
+* <p/>
+* Unless you know what you are doing, you will never need this.
+*
+* @param algos An array of allowed server host key algorithms.
+*              SSH-2 defines <code>ssh-dss</code> and <code>ssh-rsa</code>.
+*              The entries of the array must be ordered after preference, i.e.,
+*              the entry at index 0 is the most preferred one. You must specify
+*              at least one entry.
+*/
+public synchronized void setServerHostKeyAlgorithms(final String[] algos) {
+KexManager.checkServerHostkeyAlgorithmsList(algos);
+cryptoWishList.serverHostKeyAlgorithms = algos;
+}
+/**
+* Enable/disable TCP_NODELAY (disable/enable Nagle's algorithm) on the underlying socket.
+* <p/>
+* Can be called at any time. If the connection has not yet been established
+* then the passed value will be stored and set after the socket has been set up.
+* The default value that will be used is <code>false</code>.
+*
+* @param enable the argument passed to the <code>Socket.setTCPNoDelay()</code> method.
+* @throws IOException
+*/
+public synchronized void setTCPNoDelay(boolean enable) throws IOException {
+tcpNoDelay = enable;
+if (tm != null) {
+tm.setTcpNoDelay(enable);
+}
+}
+/**
+* Used to tell the library that the connection shall be established through
+* a proxy server. It only makes sense to call this method before calling
+* the {@link #connect() connect()} method.
+* <p>
+* At the moment, only HTTP proxies are supported.
+* <p>
+* Note: This method can be called any number of times. The
+* {@link #connect() connect()} method will use the value set in the last
+* preceding invocation of this method.
+*
+* @see HTTPProxyData
+*
+* @param proxy
+*            Connection information about the proxy. If <code>null</code>,
+*            then no proxy will be used (non surprisingly, this is also the
+*            default).
+*/
+public synchronized void setProxyData(HTTPProxyData proxy) {
+this.proxy = proxy;
+}
+/**
+* Request a remote port forwarding.
+* If successful, then forwarded connections will be redirected to the given target address.
+* You can cancle a requested remote port forwarding by calling
+* {@link #cancelRemotePortForwarding(int) cancelRemotePortForwarding()}.
+* <p/>
+* A call of this method will block until the peer either agreed or disagreed to your request-
+* <p/>
+* Note 1: this method typically fails if you
+* <ul>
+* <li>pass a port number for which the used remote user has not enough permissions (i.e., port
+* &lt; 1024)</li>
+* <li>or pass a port number that is already in use on the remote server</li>
+* <li>or if remote port forwarding is disabled on the server.</li>
+* </ul>
+* <p/>
+* Note 2: (from the openssh man page): By default, the listening socket on the server will be
+* bound to the loopback interface only. This may be overriden by specifying a bind address.
+* Specifying a remote bind address will only succeed if the server's <b>GatewayPorts</b> option
+* is enabled (see sshd_config(5)).
+*
+* @param bindAddress   address to bind to on the server:
+*                      <ul>
+*                      <li>"" means that connections are to be accepted on all protocol families
+*                      supported by the SSH implementation</li>
+*                      <li>"0.0.0.0" means to listen on all IPv4 addresses</li>
+*                      <li>"::" means to listen on all IPv6 addresses</li>
+*                      <li>"localhost" means to listen on all protocol families supported by the SSH
+*                      implementation on loopback addresses only, [RFC3330] and RFC3513]</li>
+*                      <li>"127.0.0.1" and "::1" indicate listening on the loopback interfaces for
+*                      IPv4 and IPv6 respectively</li>
+*                      </ul>
+* @param bindPort      port number to bind on the server (must be &gt; 0)
+* @param targetAddress the target address (IP or hostname)
+* @param targetPort    the target port
+* @throws IOException
+*/
+public synchronized void requestRemotePortForwarding(String bindAddress, int bindPort, String targetAddress,
+int targetPort) throws IOException {
+this.checkConnection();
+if ((bindAddress == null) || (targetAddress == null) || (bindPort <= 0) || (targetPort <= 0)) {
+throw new IllegalArgumentException();
+}
+cm.requestGlobalForward(bindAddress, bindPort, targetAddress, targetPort);
+}
+/**
+* Cancel an earlier requested remote port forwarding.
+* Currently active forwardings will not be affected (e.g., disrupted).
+* Note that further connection forwarding requests may be received until
+* this method has returned.
+*
+* @param bindPort the allocated port number on the server
+* @throws IOException if the remote side refuses the cancel request or another low
+*                     level error occurs (e.g., the underlying connection is closed)
+*/
+public synchronized void cancelRemotePortForwarding(int bindPort) throws IOException {
+this.checkConnection();
+cm.requestCancelGlobalForward(bindPort);
+}
+/**
+* Provide your own instance of SecureRandom. Can be used, e.g., if you
+* want to seed the used SecureRandom generator manually.
+* <p/>
+* The SecureRandom instance is used during key exchanges, public key authentication,
+* x11 cookie generation and the like.
+*
+* @param rnd a SecureRandom instance
+*/
+public synchronized void setSecureRandom(SecureRandom rnd) {
+if (rnd == null) {
+throw new IllegalArgumentException();
+}
+this.generator = rnd;
+}
+private void checkConnection() throws IllegalStateException {
+if (tm == null) {
+throw new IllegalStateException("You need to establish a connection first.");
+}
+if (!authenticated) {
+throw new IllegalStateException("The connection is not authenticated.");
+}
+}
+}

Mercurial > 510Connectbot

comparison src/ch/ethz/ssh2/Connection.java @ 342:175c7d68f3c4