comparison src/ch/ethz/ssh2/Connection.java @ 273:91a31873c42a ganymed

start conversion from trilead to ganymed
author Carl Byington <carl@five-ten-sg.com>
date Fri, 18 Jul 2014 11:21:46 -0700
parents
children 486df527ddc5
comparison
equal deleted inserted replaced
272:ce2f4e397703 273:91a31873c42a
1 /*
2 * Copyright (c) 2006-2011 Christian Plattner. All rights reserved.
3 * Please refer to the LICENSE.txt for licensing details.
4 */
5
6 package ch.ethz.ssh2;
7
8 import java.io.CharArrayWriter;
9 import java.io.File;
10 import java.io.FileReader;
11 import java.io.IOException;
12 import java.net.InetSocketAddress;
13 import java.net.Socket;
14 import java.net.SocketTimeoutException;
15 import java.security.SecureRandom;
16 import java.util.ArrayList;
17 import java.util.List;
18 import java.util.Set;
19
20 import ch.ethz.ssh2.auth.AgentProxy;
21 import ch.ethz.ssh2.auth.AuthenticationManager;
22 import ch.ethz.ssh2.channel.ChannelManager;
23 import ch.ethz.ssh2.compression.CompressionFactory;
24 import ch.ethz.ssh2.crypto.CryptoWishList;
25 import ch.ethz.ssh2.crypto.cipher.BlockCipherFactory;
26 import ch.ethz.ssh2.crypto.digest.MAC;
27 import ch.ethz.ssh2.packets.PacketIgnore;
28 import ch.ethz.ssh2.transport.ClientTransportManager;
29 import ch.ethz.ssh2.transport.HTTPProxyClientTransportManager;
30 import ch.ethz.ssh2.transport.KexManager;
31 import ch.ethz.ssh2.util.TimeoutService;
32 import ch.ethz.ssh2.util.TimeoutService.TimeoutToken;
33
34 /**
35 * A <code>Connection</code> is used to establish an encrypted TCP/IP
36 * connection to a SSH-2 server.
37 * <p/>
38 * Typically, one
39 * <ol>
40 * <li>creates a {@link #Connection(String) Connection} object.</li>
41 * <li>calls the {@link #connect() connect()} method.</li>
42 * <li>calls some of the authentication methods (e.g., {@link #authenticateWithPublicKey(String, File, String) authenticateWithPublicKey()}).</li>
43 * <li>calls one or several times the {@link #openSession() openSession()} method.</li>
44 * <li>finally, one must close the connection and release resources with the {@link #close() close()} method.</li>
45 * </ol>
46 *
47 * @author Christian Plattner
48 * @version $Id: Connection.java 160 2014-05-01 14:30:26Z dkocher@sudo.ch $
49 */
50
51 public class Connection {
52 /**
53 * The identifier presented to the SSH-2 server. This is the same
54 * as the "softwareversion" defined in RFC 4253.
55 * <p/>
56 * <b>NOTE: As per the RFC, the "softwareversion" string MUST consist of printable
57 * US-ASCII characters, with the exception of whitespace characters and the minus sign (-).</b>
58 */
59 private String softwareversion
60 = String.format("Ganymed_%s", Version.getSpecification());
61
62 /* Will be used to generate all random data needed for the current connection.
63 * Note: SecureRandom.nextBytes() is thread safe.
64 */
65
66 private SecureRandom generator;
67
68 /**
69 * Unless you know what you are doing, you will never need this.
70 *
71 * @return The list of supported cipher algorithms by this implementation.
72 */
73 public static synchronized String[] getAvailableCiphers() {
74 return BlockCipherFactory.getDefaultCipherList();
75 }
76
77 /**
78 * Unless you know what you are doing, you will never need this.
79 *
80 * @return The list of supported MAC algorthims by this implementation.
81 */
82 public static synchronized String[] getAvailableMACs() {
83 return MAC.getMacList();
84 }
85
86 /**
87 * Unless you know what you are doing, you will never need this.
88 *
89 * @return The list of supported server host key algorthims by this implementation.
90 */
91 public static synchronized String[] getAvailableServerHostKeyAlgorithms() {
92 return KexManager.getDefaultServerHostkeyAlgorithmList();
93 }
94
95 private AuthenticationManager am;
96
97 private boolean authenticated;
98 private ChannelManager cm;
99
100 private CryptoWishList cryptoWishList
101 = new CryptoWishList();
102
103 private DHGexParameters dhgexpara
104 = new DHGexParameters();
105
106 private final String hostname;
107
108 private final int port;
109
110 private ClientTransportManager tm;
111
112 private boolean tcpNoDelay = false;
113
114 private HTTPProxyData proxy;
115
116 private List<ConnectionMonitor> connectionMonitors
117 = new ArrayList<ConnectionMonitor>();
118
119 /**
120 * Prepares a fresh <code>Connection</code> object which can then be used
121 * to establish a connection to the specified SSH-2 server.
122 * <p/>
123 * Same as {@link #Connection(String, int) Connection(hostname, 22)}.
124 *
125 * @param hostname the hostname of the SSH-2 server.
126 */
127 public Connection(String hostname) {
128 this(hostname, 22);
129 }
130
131 /**
132 * Prepares a fresh <code>Connection</code> object which can then be used
133 * to establish a connection to the specified SSH-2 server.
134 *
135 * @param hostname the host where we later want to connect to.
136 * @param port port on the server, normally 22.
137 */
138 public Connection(String hostname, int port) {
139 this.hostname = hostname;
140 this.port = port;
141 }
142
143 /**
144 * Prepares a fresh <code>Connection</code> object which can then be used
145 * to establish a connection to the specified SSH-2 server.
146 *
147 * @param hostname the host where we later want to connect to.
148 * @param port port on the server, normally 22.
149 * @param softwareversion Allows you to set a custom "softwareversion" string as defined in RFC 4253.
150 * <b>NOTE: As per the RFC, the "softwareversion" string MUST consist of printable
151 * US-ASCII characters, with the exception of whitespace characters and the minus sign (-).</b>
152 */
153 public Connection(String hostname, int port, String softwareversion) {
154 this.hostname = hostname;
155 this.port = port;
156 this.softwareversion = softwareversion;
157 }
158
159 public Connection(String hostname, int port, final HTTPProxyData proxy) {
160 this.hostname = hostname;
161 this.port = port;
162 this.proxy = proxy;
163 }
164
165 public Connection(String hostname, int port, String softwareversion, final HTTPProxyData proxy) {
166 this.hostname = hostname;
167 this.port = port;
168 this.softwareversion = softwareversion;
169 this.proxy = proxy;
170 }
171
172 /**
173 * After a successful connect, one has to authenticate oneself. This method
174 * is based on DSA (it uses DSA to sign a challenge sent by the server).
175 * <p/>
176 * If the authentication phase is complete, <code>true</code> will be
177 * returned. If the server does not accept the request (or if further
178 * authentication steps are needed), <code>false</code> is returned and
179 * one can retry either by using this or any other authentication method
180 * (use the <code>getRemainingAuthMethods</code> method to get a list of
181 * the remaining possible methods).
182 *
183 * @param user A <code>String</code> holding the username.
184 * @param pem A <code>String</code> containing the DSA private key of the
185 * user in OpenSSH key format (PEM, you can't miss the
186 * "-----BEGIN DSA PRIVATE KEY-----" tag). The string may contain
187 * linefeeds.
188 * @param password If the PEM string is 3DES encrypted ("DES-EDE3-CBC"), then you
189 * must specify the password. Otherwise, this argument will be
190 * ignored and can be set to <code>null</code>.
191 * @return whether the connection is now authenticated.
192 * @throws IOException
193 * @deprecated You should use one of the {@link #authenticateWithPublicKey(String, File, String) authenticateWithPublicKey()}
194 * methods, this method is just a wrapper for it and will
195 * disappear in future builds.
196 */
197 public synchronized boolean authenticateWithDSA(String user, String pem, String password) throws IOException {
198 if(tm == null) {
199 throw new IllegalStateException("Connection is not established!");
200 }
201
202 if(authenticated) {
203 throw new IllegalStateException("Connection is already authenticated!");
204 }
205
206 if(am == null) {
207 am = new AuthenticationManager(tm);
208 }
209
210 if(cm == null) {
211 cm = new ChannelManager(tm);
212 }
213
214 if(user == null) {
215 throw new IllegalArgumentException("user argument is null");
216 }
217
218 if(pem == null) {
219 throw new IllegalArgumentException("pem argument is null");
220 }
221
222 authenticated = am.authenticatePublicKey(user, pem.toCharArray(), password, getOrCreateSecureRND());
223
224 return authenticated;
225 }
226
227 /**
228 * A wrapper that calls {@link #authenticateWithKeyboardInteractive(String, String[], InteractiveCallback)
229 * authenticateWithKeyboardInteractivewith} a <code>null</code> submethod list.
230 *
231 * @param user A <code>String</code> holding the username.
232 * @param cb An <code>InteractiveCallback</code> which will be used to
233 * determine the responses to the questions asked by the server.
234 * @return whether the connection is now authenticated.
235 * @throws IOException
236 */
237 public synchronized boolean authenticateWithKeyboardInteractive(String user, InteractiveCallback cb)
238 throws IOException {
239 return authenticateWithKeyboardInteractive(user, null, cb);
240 }
241
242 /**
243 * After a successful connect, one has to authenticate oneself. This method
244 * is based on "keyboard-interactive", specified in
245 * draft-ietf-secsh-auth-kbdinteract-XX. Basically, you have to define a
246 * callback object which will be feeded with challenges generated by the
247 * server. Answers are then sent back to the server. It is possible that the
248 * callback will be called several times during the invocation of this
249 * method (e.g., if the server replies to the callback's answer(s) with
250 * another challenge...)
251 * <p/>
252 * If the authentication phase is complete, <code>true</code> will be
253 * returned. If the server does not accept the request (or if further
254 * authentication steps are needed), <code>false</code> is returned and
255 * one can retry either by using this or any other authentication method
256 * (use the <code>getRemainingAuthMethods</code> method to get a list of
257 * the remaining possible methods).
258 * <p/>
259 * Note: some SSH servers advertise "keyboard-interactive", however, any
260 * interactive request will be denied (without having sent any challenge to
261 * the client).
262 *
263 * @param user A <code>String</code> holding the username.
264 * @param submethods An array of submethod names, see
265 * draft-ietf-secsh-auth-kbdinteract-XX. May be <code>null</code>
266 * to indicate an empty list.
267 * @param cb An <code>InteractiveCallback</code> which will be used to
268 * determine the responses to the questions asked by the server.
269 * @return whether the connection is now authenticated.
270 * @throws IOException
271 */
272 public synchronized boolean authenticateWithKeyboardInteractive(String user, String[] submethods,
273 InteractiveCallback cb) throws IOException {
274 if(cb == null) {
275 throw new IllegalArgumentException("Callback may not ne NULL!");
276 }
277
278 if(tm == null) {
279 throw new IllegalStateException("Connection is not established!");
280 }
281
282 if(authenticated) {
283 throw new IllegalStateException("Connection is already authenticated!");
284 }
285
286 if(am == null) {
287 am = new AuthenticationManager(tm);
288 }
289
290 if(cm == null) {
291 cm = new ChannelManager(tm);
292 }
293
294 if(user == null) {
295 throw new IllegalArgumentException("user argument is null");
296 }
297
298 authenticated = am.authenticateInteractive(user, submethods, cb);
299
300 return authenticated;
301 }
302
303 public synchronized boolean authenticateWithAgent(String user, AgentProxy proxy) throws IOException {
304 if(tm == null) {
305 throw new IllegalStateException("Connection is not established!");
306 }
307
308 if(authenticated) {
309 throw new IllegalStateException("Connection is already authenticated!");
310 }
311
312 if(am == null) {
313 am = new AuthenticationManager(tm);
314 }
315
316 if(cm == null) {
317 cm = new ChannelManager(tm);
318 }
319
320 if(user == null) {
321 throw new IllegalArgumentException("user argument is null");
322 }
323
324 authenticated = am.authenticatePublicKey(user, proxy);
325
326 return authenticated;
327 }
328
329 /**
330 * After a successful connect, one has to authenticate oneself. This method
331 * sends username and password to the server.
332 * <p/>
333 * If the authentication phase is complete, <code>true</code> will be
334 * returned. If the server does not accept the request (or if further
335 * authentication steps are needed), <code>false</code> is returned and
336 * one can retry either by using this or any other authentication method
337 * (use the <code>getRemainingAuthMethods</code> method to get a list of
338 * the remaining possible methods).
339 * <p/>
340 * Note: if this method fails, then please double-check that it is actually
341 * offered by the server (use {@link #getRemainingAuthMethods(String) getRemainingAuthMethods()}.
342 * <p/>
343 * Often, password authentication is disabled, but users are not aware of it.
344 * Many servers only offer "publickey" and "keyboard-interactive". However,
345 * even though "keyboard-interactive" *feels* like password authentication
346 * (e.g., when using the putty or openssh clients) it is *not* the same mechanism.
347 *
348 * @param user
349 * @param password
350 * @return if the connection is now authenticated.
351 * @throws IOException
352 */
353 public synchronized boolean authenticateWithPassword(String user, String password) throws IOException {
354 if(tm == null) {
355 throw new IllegalStateException("Connection is not established!");
356 }
357
358 if(authenticated) {
359 throw new IllegalStateException("Connection is already authenticated!");
360 }
361
362 if(am == null) {
363 am = new AuthenticationManager(tm);
364 }
365
366 if(cm == null) {
367 cm = new ChannelManager(tm);
368 }
369
370 if(user == null) {
371 throw new IllegalArgumentException("user argument is null");
372 }
373
374 if(password == null) {
375 throw new IllegalArgumentException("password argument is null");
376 }
377
378 authenticated = am.authenticatePassword(user, password);
379
380 return authenticated;
381 }
382
383 /**
384 * After a successful connect, one has to authenticate oneself.
385 * This method can be used to explicitly use the special "none"
386 * authentication method (where only a username has to be specified).
387 * <p/>
388 * Note 1: The "none" method may always be tried by clients, however as by
389 * the specs, the server will not explicitly announce it. In other words,
390 * the "none" token will never show up in the list returned by
391 * {@link #getRemainingAuthMethods(String)}.
392 * <p/>
393 * Note 2: no matter which one of the authenticateWithXXX() methods
394 * you call, the library will always issue exactly one initial "none"
395 * authentication request to retrieve the initially allowed list of
396 * authentication methods by the server. Please read RFC 4252 for the
397 * details.
398 * <p/>
399 * If the authentication phase is complete, <code>true</code> will be
400 * returned. If further authentication steps are needed, <code>false</code>
401 * is returned and one can retry by any other authentication method
402 * (use the <code>getRemainingAuthMethods</code> method to get a list of
403 * the remaining possible methods).
404 *
405 * @param user
406 * @return if the connection is now authenticated.
407 * @throws IOException
408 */
409 public synchronized boolean authenticateWithNone(String user) throws IOException {
410 if(tm == null) {
411 throw new IllegalStateException("Connection is not established!");
412 }
413
414 if(authenticated) {
415 throw new IllegalStateException("Connection is already authenticated!");
416 }
417
418 if(am == null) {
419 am = new AuthenticationManager(tm);
420 }
421
422 if(cm == null) {
423 cm = new ChannelManager(tm);
424 }
425
426 if(user == null) {
427 throw new IllegalArgumentException("user argument is null");
428 }
429
430 /* Trigger the sending of the PacketUserauthRequestNone packet */
431 /* (if not already done) */
432
433 authenticated = am.authenticateNone(user);
434
435 return authenticated;
436 }
437
438 /**
439 * After a successful connect, one has to authenticate oneself.
440 * The authentication method "publickey" works by signing a challenge
441 * sent by the server. The signature is either DSA or RSA based - it
442 * just depends on the type of private key you specify, either a DSA
443 * or RSA private key in PEM format. And yes, this is may seem to be a
444 * little confusing, the method is called "publickey" in the SSH-2 protocol
445 * specification, however since we need to generate a signature, you
446 * actually have to supply a private key =).
447 * <p/>
448 * The private key contained in the PEM file may also be encrypted ("Proc-Type: 4,ENCRYPTED").
449 * The library supports DES-CBC and DES-EDE3-CBC encryption, as well
450 * as the more exotic PEM encrpytions AES-128-CBC, AES-192-CBC and AES-256-CBC.
451 * <p/>
452 * If the authentication phase is complete, <code>true</code> will be
453 * returned. If the server does not accept the request (or if further
454 * authentication steps are needed), <code>false</code> is returned and
455 * one can retry either by using this or any other authentication method
456 * (use the <code>getRemainingAuthMethods</code> method to get a list of
457 * the remaining possible methods).
458 * <p/>
459 * NOTE PUTTY USERS: Event though your key file may start with "-----BEGIN..."
460 * it is not in the expected format. You have to convert it to the OpenSSH
461 * key format by using the "puttygen" tool (can be downloaded from the Putty
462 * website). Simply load your key and then use the "Conversions/Export OpenSSH key"
463 * functionality to get a proper PEM file.
464 *
465 * @param user A <code>String</code> holding the username.
466 * @param pemPrivateKey A <code>char[]</code> containing a DSA or RSA private key of the
467 * user in OpenSSH key format (PEM, you can't miss the
468 * "-----BEGIN DSA PRIVATE KEY-----" or "-----BEGIN RSA PRIVATE KEY-----"
469 * tag). The char array may contain linebreaks/linefeeds.
470 * @param password If the PEM structure is encrypted ("Proc-Type: 4,ENCRYPTED") then
471 * you must specify a password. Otherwise, this argument will be ignored
472 * and can be set to <code>null</code>.
473 * @return whether the connection is now authenticated.
474 * @throws IOException
475 */
476 public synchronized boolean authenticateWithPublicKey(String user, char[] pemPrivateKey, String password)
477 throws IOException {
478 if(tm == null) {
479 throw new IllegalStateException("Connection is not established!");
480 }
481
482 if(authenticated) {
483 throw new IllegalStateException("Connection is already authenticated!");
484 }
485
486 if(am == null) {
487 am = new AuthenticationManager(tm);
488 }
489
490 if(cm == null) {
491 cm = new ChannelManager(tm);
492 }
493
494 if(user == null) {
495 throw new IllegalArgumentException("user argument is null");
496 }
497
498 if(pemPrivateKey == null) {
499 throw new IllegalArgumentException("pemPrivateKey argument is null");
500 }
501
502 authenticated = am.authenticatePublicKey(user, pemPrivateKey, password, getOrCreateSecureRND());
503
504 return authenticated;
505 }
506
507 /**
508 * A convenience wrapper function which reads in a private key (PEM format, either DSA or RSA)
509 * and then calls <code>authenticateWithPublicKey(String, char[], String)</code>.
510 * <p/>
511 * NOTE PUTTY USERS: Event though your key file may start with "-----BEGIN..."
512 * it is not in the expected format. You have to convert it to the OpenSSH
513 * key format by using the "puttygen" tool (can be downloaded from the Putty
514 * website). Simply load your key and then use the "Conversions/Export OpenSSH key"
515 * functionality to get a proper PEM file.
516 *
517 * @param user A <code>String</code> holding the username.
518 * @param pemFile A <code>File</code> object pointing to a file containing a DSA or RSA
519 * private key of the user in OpenSSH key format (PEM, you can't miss the
520 * "-----BEGIN DSA PRIVATE KEY-----" or "-----BEGIN RSA PRIVATE KEY-----"
521 * tag).
522 * @param password If the PEM file is encrypted then you must specify the password.
523 * Otherwise, this argument will be ignored and can be set to <code>null</code>.
524 * @return whether the connection is now authenticated.
525 * @throws IOException
526 */
527 public synchronized boolean authenticateWithPublicKey(String user, File pemFile, String password)
528 throws IOException {
529 if(pemFile == null) {
530 throw new IllegalArgumentException("pemFile argument is null");
531 }
532
533 char[] buff = new char[256];
534
535 CharArrayWriter cw = new CharArrayWriter();
536
537 FileReader fr = new FileReader(pemFile);
538
539 while(true) {
540 int len = fr.read(buff);
541 if(len < 0) {
542 break;
543 }
544 cw.write(buff, 0, len);
545 }
546
547 fr.close();
548
549 return authenticateWithPublicKey(user, cw.toCharArray(), password);
550 }
551
552 /**
553 * Add a {@link ConnectionMonitor} to this connection. Can be invoked at any time,
554 * but it is best to add connection monitors before invoking
555 * <code>connect()</code> to avoid glitches (e.g., you add a connection monitor after
556 * a successful connect(), but the connection has died in the mean time. Then,
557 * your connection monitor won't be notified.)
558 * <p/>
559 * You can add as many monitors as you like. If a monitor has already been added, then
560 * this method does nothing.
561 *
562 * @param cmon An object implementing the {@link ConnectionMonitor} interface.
563 * @see ConnectionMonitor
564 */
565 public synchronized void addConnectionMonitor(ConnectionMonitor cmon) {
566 if(!connectionMonitors.contains(cmon)) {
567 connectionMonitors.add(cmon);
568 if(tm != null) {
569 tm.setConnectionMonitors(connectionMonitors);
570 }
571 }
572 }
573
574 /**
575 * Remove a {@link ConnectionMonitor} from this connection.
576 *
577 * @param cmon
578 * @return whether the monitor could be removed
579 */
580 public synchronized boolean removeConnectionMonitor(ConnectionMonitor cmon) {
581 boolean existed = connectionMonitors.remove(cmon);
582 if(tm != null) {
583 tm.setConnectionMonitors(connectionMonitors);
584 }
585 return existed;
586 }
587
588 /**
589 * Close the connection to the SSH-2 server. All assigned sessions will be
590 * closed, too. Can be called at any time. Don't forget to call this once
591 * you don't need a connection anymore - otherwise the receiver thread may
592 * run forever.
593 */
594 public synchronized void close() {
595 if(cm != null) {
596 cm.closeAllChannels();
597 }
598 if(tm != null) {
599 tm.close();
600 tm = null;
601 }
602 am = null;
603 cm = null;
604 authenticated = false;
605 }
606
607 public synchronized void close(IOException t) {
608 if(cm != null) {
609 cm.closeAllChannels();
610 }
611 if(tm != null) {
612 tm.close(t);
613 tm = null;
614 }
615 am = null;
616 cm = null;
617 authenticated = false;
618 }
619
620 /**
621 * Same as {@link #connect(ServerHostKeyVerifier, int, int) connect(null, 0, 0)}.
622 *
623 * @return see comments for the {@link #connect(ServerHostKeyVerifier, int, int) connect(ServerHostKeyVerifier, int, int)} method.
624 * @throws IOException
625 */
626 public synchronized ConnectionInfo connect() throws IOException {
627 return connect(null, 0, 0);
628 }
629
630 /**
631 * Same as {@link #connect(ServerHostKeyVerifier, int, int) connect(verifier, 0, 0)}.
632 *
633 * @return see comments for the {@link #connect(ServerHostKeyVerifier, int, int) connect(ServerHostKeyVerifier, int, int)} method.
634 * @throws IOException
635 */
636 public synchronized ConnectionInfo connect(ServerHostKeyVerifier verifier) throws IOException {
637 return connect(verifier, 0, 0);
638 }
639
640 /**
641 * Connect to the SSH-2 server and, as soon as the server has presented its
642 * host key, use the {@link ServerHostKeyVerifier#verifyServerHostKey(String,
643 * int, String, byte[]) ServerHostKeyVerifier.verifyServerHostKey()}
644 * method of the <code>verifier</code> to ask for permission to proceed.
645 * If <code>verifier</code> is <code>null</code>, then any host key will be
646 * accepted - this is NOT recommended, since it makes man-in-the-middle attackes
647 * VERY easy (somebody could put a proxy SSH server between you and the real server).
648 * <p/>
649 * Note: The verifier will be called before doing any crypto calculations
650 * (i.e., diffie-hellman). Therefore, if you don't like the presented host key then
651 * no CPU cycles are wasted (and the evil server has less information about us).
652 * <p/>
653 * However, it is still possible that the server presented a fake host key: the server
654 * cheated (typically a sign for a man-in-the-middle attack) and is not able to generate
655 * a signature that matches its host key. Don't worry, the library will detect such
656 * a scenario later when checking the signature (the signature cannot be checked before
657 * having completed the diffie-hellman exchange).
658 * <p/>
659 * Note 2: The {@link ServerHostKeyVerifier#verifyServerHostKey(String,
660 * int, String, byte[]) ServerHostKeyVerifier.verifyServerHostKey()} method
661 * will *NOT* be called from the current thread, the call is being made from a
662 * background thread (there is a background dispatcher thread for every
663 * established connection).
664 * <p/>
665 * Note 3: This method will block as long as the key exchange of the underlying connection
666 * has not been completed (and you have not specified any timeouts).
667 * <p/>
668 * Note 4: If you want to re-use a connection object that was successfully connected,
669 * then you must call the {@link #close()} method before invoking <code>connect()</code> again.
670 *
671 * @param verifier An object that implements the
672 * {@link ServerHostKeyVerifier} interface. Pass <code>null</code>
673 * to accept any server host key - NOT recommended.
674 * @param connectTimeout Connect the underlying TCP socket to the server with the given timeout
675 * value (non-negative, in milliseconds). Zero means no timeout.
676 * @param kexTimeout Timeout for complete connection establishment (non-negative,
677 * in milliseconds). Zero means no timeout. The timeout counts from the
678 * moment you invoke the connect() method and is cancelled as soon as the
679 * first key-exchange round has finished. It is possible that
680 * the timeout event will be fired during the invocation of the
681 * <code>verifier</code> callback, but it will only have an effect after
682 * the <code>verifier</code> returns.
683 * @return A {@link ConnectionInfo} object containing the details of
684 * the established connection.
685 * @throws IOException If any problem occurs, e.g., the server's host key is not
686 * accepted by the <code>verifier</code> or there is problem during
687 * the initial crypto setup (e.g., the signature sent by the server is wrong).
688 * <p/>
689 * In case of a timeout (either connectTimeout or kexTimeout)
690 * a SocketTimeoutException is thrown.
691 * <p/>
692 * An exception may also be thrown if the connection was already successfully
693 * connected (no matter if the connection broke in the mean time) and you invoke
694 * <code>connect()</code> again without having called {@link #close()} first.
695 * <p/>
696 * If a HTTP proxy is being used and the proxy refuses the connection,
697 * then a {@link HTTPProxyException} may be thrown, which
698 * contains the details returned by the proxy. If the proxy is buggy and does
699 * not return a proper HTTP response, then a normal IOException is thrown instead.
700 */
701 public synchronized ConnectionInfo connect(ServerHostKeyVerifier verifier, int connectTimeout, int kexTimeout)
702 throws IOException {
703 final class TimeoutState {
704 boolean isCancelled = false;
705 boolean timeoutSocketClosed = false;
706 }
707
708 if(tm != null) {
709 throw new IllegalStateException(String.format("Connection to %s is already in connected state", hostname));
710 }
711
712 if(connectTimeout < 0) {
713 throw new IllegalArgumentException("connectTimeout must be non-negative!");
714 }
715
716 if(kexTimeout < 0) {
717 throw new IllegalArgumentException("kexTimeout must be non-negative!");
718 }
719
720 final TimeoutState state = new TimeoutState();
721
722 if(null == proxy) {
723 tm = new ClientTransportManager(new Socket());
724 }
725 else {
726 tm = new HTTPProxyClientTransportManager(new Socket(), proxy);
727 }
728 tm.setSoTimeout(connectTimeout);
729 tm.setTcpNoDelay(tcpNoDelay);
730 tm.setConnectionMonitors(connectionMonitors);
731
732 try {
733 TimeoutToken token = null;
734
735 if(kexTimeout > 0) {
736 final Runnable timeoutHandler = new Runnable() {
737 @Override
738 public void run() {
739 synchronized(state) {
740 if(state.isCancelled) {
741 return;
742 }
743 state.timeoutSocketClosed = true;
744 tm.close(new SocketTimeoutException("The connect timeout expired"));
745 }
746 }
747 };
748
749 long timeoutHorizont = System.currentTimeMillis() + kexTimeout;
750
751 token = TimeoutService.addTimeoutHandler(timeoutHorizont, timeoutHandler);
752 }
753
754 tm.connect(hostname, port, softwareversion, cryptoWishList, verifier, dhgexpara, connectTimeout,
755 getOrCreateSecureRND());
756
757 /* Wait until first KEX has finished */
758
759 ConnectionInfo ci = tm.getConnectionInfo(1);
760
761 /* Now try to cancel the timeout, if needed */
762
763 if(token != null) {
764 TimeoutService.cancelTimeoutHandler(token);
765
766 /* Were we too late? */
767
768 synchronized(state) {
769 if(state.timeoutSocketClosed) {
770 throw new IOException("This exception will be replaced by the one below =)");
771 }
772 /* Just in case the "cancelTimeoutHandler" invocation came just a little bit
773 * too late but the handler did not enter the semaphore yet - we can
774 * still stop it.
775 */
776 state.isCancelled = true;
777 }
778 }
779
780 return ci;
781 }
782 catch(SocketTimeoutException e) {
783 throw e;
784 }
785 catch(HTTPProxyException e) {
786 throw e;
787 }
788 catch(IOException e) {
789 // This will also invoke any registered connection monitors
790 close(e);
791
792 synchronized(state) {
793 /* Show a clean exception, not something like "the socket is closed!?!" */
794 if(state.timeoutSocketClosed) {
795 throw new SocketTimeoutException(String.format("The kexTimeout (%d ms) expired.", kexTimeout));
796 }
797 }
798 throw e;
799 }
800 }
801
802 /**
803 * Creates a new {@link LocalPortForwarder}.
804 * A <code>LocalPortForwarder</code> forwards TCP/IP connections that arrive at a local
805 * port via the secure tunnel to another host (which may or may not be
806 * identical to the remote SSH-2 server).
807 * <p/>
808 * This method must only be called after one has passed successfully the authentication step.
809 * There is no limit on the number of concurrent forwardings.
810 *
811 * @param local_port the local port the LocalPortForwarder shall bind to.
812 * @param host_to_connect target address (IP or hostname)
813 * @param port_to_connect target port
814 * @return A {@link LocalPortForwarder} object.
815 * @throws IOException
816 */
817 public synchronized LocalPortForwarder createLocalPortForwarder(int local_port, String host_to_connect,
818 int port_to_connect) throws IOException {
819 this.checkConnection();
820
821 return new LocalPortForwarder(cm, local_port, host_to_connect, port_to_connect);
822 }
823
824 /**
825 * Creates a new {@link LocalPortForwarder}.
826 * A <code>LocalPortForwarder</code> forwards TCP/IP connections that arrive at a local
827 * port via the secure tunnel to another host (which may or may not be
828 * identical to the remote SSH-2 server).
829 * <p/>
830 * This method must only be called after one has passed successfully the authentication step.
831 * There is no limit on the number of concurrent forwardings.
832 *
833 * @param addr specifies the InetSocketAddress where the local socket shall be bound to.
834 * @param host_to_connect target address (IP or hostname)
835 * @param port_to_connect target port
836 * @return A {@link LocalPortForwarder} object.
837 * @throws IOException
838 */
839 public synchronized LocalPortForwarder createLocalPortForwarder(InetSocketAddress addr, String host_to_connect,
840 int port_to_connect) throws IOException {
841 this.checkConnection();
842
843 return new LocalPortForwarder(cm, addr, host_to_connect, port_to_connect);
844 }
845
846 /**
847 * Creates a new {@link LocalStreamForwarder}.
848 * A <code>LocalStreamForwarder</code> manages an Input/Outputstream pair
849 * that is being forwarded via the secure tunnel into a TCP/IP connection to another host
850 * (which may or may not be identical to the remote SSH-2 server).
851 *
852 * @param host_to_connect
853 * @param port_to_connect
854 * @return A {@link LocalStreamForwarder} object.
855 * @throws IOException
856 */
857 public synchronized LocalStreamForwarder createLocalStreamForwarder(String host_to_connect, int port_to_connect)
858 throws IOException {
859 this.checkConnection();
860
861 return new LocalStreamForwarder(cm, host_to_connect, port_to_connect);
862 }
863
864 /**
865 * Create a very basic {@link SCPClient} that can be used to copy
866 * files from/to the SSH-2 server.
867 * <p/>
868 * Works only after one has passed successfully the authentication step.
869 * There is no limit on the number of concurrent SCP clients.
870 * <p/>
871 * Note: This factory method will probably disappear in the future.
872 *
873 * @return A {@link SCPClient} object.
874 * @throws IOException
875 */
876 public synchronized SCPClient createSCPClient() throws IOException {
877 this.checkConnection();
878
879 return new SCPClient(this);
880 }
881
882 /**
883 * Force an asynchronous key re-exchange (the call does not block). The
884 * latest values set for MAC, Cipher and DH group exchange parameters will
885 * be used. If a key exchange is currently in progress, then this method has
886 * the only effect that the so far specified parameters will be used for the
887 * next (server driven) key exchange.
888 * <p/>
889 * Note: This implementation will never start a key exchange (other than the initial one)
890 * unless you or the SSH-2 server ask for it.
891 *
892 * @throws IOException In case of any failure behind the scenes.
893 */
894 public synchronized void forceKeyExchange() throws IOException {
895 this.checkConnection();
896
897 tm.forceKeyExchange(cryptoWishList, dhgexpara, null, null);
898 }
899
900 /**
901 * Returns the hostname that was passed to the constructor.
902 *
903 * @return the hostname
904 */
905 public synchronized String getHostname() {
906 return hostname;
907 }
908
909 /**
910 * Returns the port that was passed to the constructor.
911 *
912 * @return the TCP port
913 */
914 public synchronized int getPort() {
915 return port;
916 }
917
918 /**
919 * Returns a {@link ConnectionInfo} object containing the details of
920 * the connection. Can be called as soon as the connection has been
921 * established (successfully connected).
922 *
923 * @return A {@link ConnectionInfo} object.
924 * @throws IOException In case of any failure behind the scenes.
925 */
926 public synchronized ConnectionInfo getConnectionInfo() throws IOException {
927 this.checkConnection();
928
929 return tm.getConnectionInfo(1);
930 }
931
932 /**
933 * After a successful connect, one has to authenticate oneself. This method
934 * can be used to tell which authentication methods are supported by the
935 * server at a certain stage of the authentication process (for the given
936 * username).
937 * <p/>
938 * Note 1: the username will only be used if no authentication step was done
939 * so far (it will be used to ask the server for a list of possible
940 * authentication methods by sending the initial "none" request). Otherwise,
941 * this method ignores the user name and returns a cached method list
942 * (which is based on the information contained in the last negative server response).
943 * <p/>
944 * Note 2: the server may return method names that are not supported by this
945 * implementation.
946 * <p/>
947 * After a successful authentication, this method must not be called
948 * anymore.
949 *
950 * @param user A <code>String</code> holding the username.
951 * @return a (possibly emtpy) array holding authentication method names.
952 * @throws IOException
953 */
954 public synchronized String[] getRemainingAuthMethods(String user) throws IOException {
955 if(user == null) {
956 throw new IllegalArgumentException("user argument may not be NULL!");
957 }
958
959 if(tm == null) {
960 throw new IllegalStateException("Connection is not established!");
961 }
962
963 if(authenticated) {
964 throw new IllegalStateException("Connection is already authenticated!");
965 }
966
967 if(am == null) {
968 am = new AuthenticationManager(tm);
969 }
970
971 if(cm == null) {
972 cm = new ChannelManager(tm);
973 }
974
975 final Set<String> remainingMethods = am.getRemainingMethods(user);
976 return remainingMethods.toArray(new String[remainingMethods.size()]);
977 }
978
979 /**
980 * Determines if the authentication phase is complete. Can be called at any
981 * time.
982 *
983 * @return <code>true</code> if no further authentication steps are
984 * needed.
985 */
986 public synchronized boolean isAuthenticationComplete() {
987 return authenticated;
988 }
989
990 /**
991 * Returns true if there was at least one failed authentication request and
992 * the last failed authentication request was marked with "partial success"
993 * by the server. This is only needed in the rare case of SSH-2 server setups
994 * that cannot be satisfied with a single successful authentication request
995 * (i.e., multiple authentication steps are needed.)
996 * <p/>
997 * If you are interested in the details, then have a look at RFC4252.
998 *
999 * @return if the there was a failed authentication step and the last one
1000 * was marked as a "partial success".
1001 */
1002 public synchronized boolean isAuthenticationPartialSuccess() {
1003 if(am == null) {
1004 return false;
1005 }
1006 return am.getPartialSuccess();
1007 }
1008
1009 /**
1010 * Checks if a specified authentication method is available. This method is
1011 * actually just a wrapper for {@link #getRemainingAuthMethods(String)
1012 * getRemainingAuthMethods()}.
1013 *
1014 * @param user A <code>String</code> holding the username.
1015 * @param method An authentication method name (e.g., "publickey", "password",
1016 * "keyboard-interactive") as specified by the SSH-2 standard.
1017 * @return if the specified authentication method is currently available.
1018 * @throws IOException
1019 */
1020 public synchronized boolean isAuthMethodAvailable(String user, String method) throws IOException {
1021 String methods[] = getRemainingAuthMethods(user);
1022 for(final String m : methods) {
1023 if(m.compareTo(method) == 0) {
1024 return true;
1025 }
1026 }
1027 return false;
1028 }
1029
1030 private SecureRandom getOrCreateSecureRND() {
1031 if(generator == null) {
1032 generator = new SecureRandom();
1033 }
1034 return generator;
1035 }
1036
1037 /**
1038 * Open a new {@link Session} on this connection. Works only after one has passed
1039 * successfully the authentication step. There is no limit on the number of
1040 * concurrent sessions.
1041 *
1042 * @return A {@link Session} object.
1043 * @throws IOException
1044 */
1045 public synchronized Session openSession() throws IOException {
1046 this.checkConnection();
1047
1048 return new Session(cm, getOrCreateSecureRND());
1049 }
1050
1051 /**
1052 * Send an SSH_MSG_IGNORE packet. This method will generate a random data attribute
1053 * (length between 0 (invlusive) and 16 (exclusive) bytes, contents are random bytes).
1054 * <p/>
1055 * This method must only be called once the connection is established.
1056 *
1057 * @throws IOException
1058 */
1059 public synchronized void sendIgnorePacket() throws IOException {
1060 SecureRandom rnd = getOrCreateSecureRND();
1061
1062 byte[] data = new byte[rnd.nextInt(16)];
1063 rnd.nextBytes(data);
1064
1065 sendIgnorePacket(data);
1066 }
1067
1068 /**
1069 * Send an SSH_MSG_IGNORE packet with the given data attribute.
1070 * <p/>
1071 * This method must only be called once the connection is established.
1072 *
1073 * @throws IOException
1074 */
1075 public synchronized void sendIgnorePacket(byte[] data) throws IOException {
1076 this.checkConnection();
1077
1078 PacketIgnore pi = new PacketIgnore(data);
1079
1080 tm.sendMessage(pi.getPayload());
1081 }
1082
1083 /**
1084 * Controls whether compression is used on the link or not.
1085 */
1086 public synchronized void setCompression(String[] algorithms) {
1087 CompressionFactory.checkCompressorList(algorithms);
1088 cryptoWishList.c2s_comp_algos = algorithms;
1089 }
1090
1091 public synchronized void enableCompression() {
1092 cryptoWishList.c2s_comp_algos = CompressionFactory.getDefaultCompressorList();
1093 cryptoWishList.s2c_comp_algos = CompressionFactory.getDefaultCompressorList();
1094 }
1095
1096 public synchronized void disableCompression() {
1097 cryptoWishList.c2s_comp_algos = new String[]{"none"};
1098 cryptoWishList.s2c_comp_algos = new String[]{"none"};
1099 }
1100
1101 /**
1102 * Unless you know what you are doing, you will never need this.
1103 */
1104 public synchronized void setClient2ServerCiphers(final String[] ciphers) {
1105 if((ciphers == null) || (ciphers.length == 0)) {
1106 throw new IllegalArgumentException();
1107 }
1108 BlockCipherFactory.checkCipherList(ciphers);
1109 cryptoWishList.c2s_enc_algos = ciphers;
1110 }
1111
1112 /**
1113 * Unless you know what you are doing, you will never need this.
1114 */
1115 public synchronized void setClient2ServerMACs(final String[] macs) {
1116 MAC.checkMacList(macs);
1117 cryptoWishList.c2s_mac_algos = macs;
1118 }
1119
1120 /**
1121 * Sets the parameters for the diffie-hellman group exchange. Unless you
1122 * know what you are doing, you will never need this. Default values are
1123 * defined in the {@link DHGexParameters} class.
1124 *
1125 * @param dgp {@link DHGexParameters}, non null.
1126 */
1127 public synchronized void setDHGexParameters(DHGexParameters dgp) {
1128 if(dgp == null) {
1129 throw new IllegalArgumentException();
1130 }
1131
1132 dhgexpara = dgp;
1133 }
1134
1135 /**
1136 * Unless you know what you are doing, you will never need this.
1137 */
1138 public synchronized void setServer2ClientCiphers(final String[] ciphers) {
1139 BlockCipherFactory.checkCipherList(ciphers);
1140 cryptoWishList.s2c_enc_algos = ciphers;
1141 }
1142
1143 /**
1144 * Unless you know what you are doing, you will never need this.
1145 */
1146 public synchronized void setServer2ClientMACs(final String[] macs) {
1147 MAC.checkMacList(macs);
1148 cryptoWishList.s2c_mac_algos = macs;
1149 }
1150
1151 /**
1152 * Define the set of allowed server host key algorithms to be used for
1153 * the following key exchange operations.
1154 * <p/>
1155 * Unless you know what you are doing, you will never need this.
1156 *
1157 * @param algos An array of allowed server host key algorithms.
1158 * SSH-2 defines <code>ssh-dss</code> and <code>ssh-rsa</code>.
1159 * The entries of the array must be ordered after preference, i.e.,
1160 * the entry at index 0 is the most preferred one. You must specify
1161 * at least one entry.
1162 */
1163 public synchronized void setServerHostKeyAlgorithms(final String[] algos) {
1164 KexManager.checkServerHostkeyAlgorithmsList(algos);
1165 cryptoWishList.serverHostKeyAlgorithms = algos;
1166 }
1167
1168 /**
1169 * Enable/disable TCP_NODELAY (disable/enable Nagle's algorithm) on the underlying socket.
1170 * <p/>
1171 * Can be called at any time. If the connection has not yet been established
1172 * then the passed value will be stored and set after the socket has been set up.
1173 * The default value that will be used is <code>false</code>.
1174 *
1175 * @param enable the argument passed to the <code>Socket.setTCPNoDelay()</code> method.
1176 * @throws IOException
1177 */
1178 public synchronized void setTCPNoDelay(boolean enable) throws IOException {
1179 tcpNoDelay = enable;
1180 if(tm != null) {
1181 tm.setTcpNoDelay(enable);
1182 }
1183 }
1184
1185 /**
1186 * Request a remote port forwarding.
1187 * If successful, then forwarded connections will be redirected to the given target address.
1188 * You can cancle a requested remote port forwarding by calling
1189 * {@link #cancelRemotePortForwarding(int) cancelRemotePortForwarding()}.
1190 * <p/>
1191 * A call of this method will block until the peer either agreed or disagreed to your request-
1192 * <p/>
1193 * Note 1: this method typically fails if you
1194 * <ul>
1195 * <li>pass a port number for which the used remote user has not enough permissions (i.e., port
1196 * &lt; 1024)</li>
1197 * <li>or pass a port number that is already in use on the remote server</li>
1198 * <li>or if remote port forwarding is disabled on the server.</li>
1199 * </ul>
1200 * <p/>
1201 * Note 2: (from the openssh man page): By default, the listening socket on the server will be
1202 * bound to the loopback interface only. This may be overriden by specifying a bind address.
1203 * Specifying a remote bind address will only succeed if the server's <b>GatewayPorts</b> option
1204 * is enabled (see sshd_config(5)).
1205 *
1206 * @param bindAddress address to bind to on the server:
1207 * <ul>
1208 * <li>"" means that connections are to be accepted on all protocol families
1209 * supported by the SSH implementation</li>
1210 * <li>"0.0.0.0" means to listen on all IPv4 addresses</li>
1211 * <li>"::" means to listen on all IPv6 addresses</li>
1212 * <li>"localhost" means to listen on all protocol families supported by the SSH
1213 * implementation on loopback addresses only, [RFC3330] and RFC3513]</li>
1214 * <li>"127.0.0.1" and "::1" indicate listening on the loopback interfaces for
1215 * IPv4 and IPv6 respectively</li>
1216 * </ul>
1217 * @param bindPort port number to bind on the server (must be &gt; 0)
1218 * @param targetAddress the target address (IP or hostname)
1219 * @param targetPort the target port
1220 * @throws IOException
1221 */
1222 public synchronized void requestRemotePortForwarding(String bindAddress, int bindPort, String targetAddress,
1223 int targetPort) throws IOException {
1224 this.checkConnection();
1225
1226 if((bindAddress == null) || (targetAddress == null) || (bindPort <= 0) || (targetPort <= 0)) {
1227 throw new IllegalArgumentException();
1228 }
1229
1230 cm.requestGlobalForward(bindAddress, bindPort, targetAddress, targetPort);
1231 }
1232
1233 /**
1234 * Cancel an earlier requested remote port forwarding.
1235 * Currently active forwardings will not be affected (e.g., disrupted).
1236 * Note that further connection forwarding requests may be received until
1237 * this method has returned.
1238 *
1239 * @param bindPort the allocated port number on the server
1240 * @throws IOException if the remote side refuses the cancel request or another low
1241 * level error occurs (e.g., the underlying connection is closed)
1242 */
1243 public synchronized void cancelRemotePortForwarding(int bindPort) throws IOException {
1244 this.checkConnection();
1245
1246 cm.requestCancelGlobalForward(bindPort);
1247 }
1248
1249 /**
1250 * Provide your own instance of SecureRandom. Can be used, e.g., if you
1251 * want to seed the used SecureRandom generator manually.
1252 * <p/>
1253 * The SecureRandom instance is used during key exchanges, public key authentication,
1254 * x11 cookie generation and the like.
1255 *
1256 * @param rnd a SecureRandom instance
1257 */
1258 public synchronized void setSecureRandom(SecureRandom rnd) {
1259 if(rnd == null) {
1260 throw new IllegalArgumentException();
1261 }
1262 this.generator = rnd;
1263 }
1264
1265 private void checkConnection() throws IllegalStateException {
1266 if(tm == null) {
1267 throw new IllegalStateException("You need to establish a connection first.");
1268 }
1269 if(!authenticated) {
1270 throw new IllegalStateException("The connection is not authenticated.");
1271 }
1272 }
1273 }