Sven/proxmox-selfservice
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Viel neues

Browse Source
This commit is contained in:
Sven Steinert
2026-04-30 12:06:00 +02:00
parent 118809bfae
commit fce31ebcd7
1274 changed files with 181255 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

299
qa-tool/htdocs/oidc/phpseclib/System/SSH/Agent.php Normal file
View File

@@ -0,0 +1,299 @@
<?php
/**
* Pure-PHP ssh-agent client.
*
* {@internal See http://api.libssh.org/rfc/PROTOCOL.agent}
*
* PHP version 5
*
* Here are some examples of how to use this library:
* <code>
* <?php
* include 'vendor/autoload.php';
*
* $agent = new \phpseclib3\System\SSH\Agent();
*
* $ssh = new \phpseclib3\Net\SSH2('www.domain.tld');
* if (!$ssh->login('username', $agent)) {
* exit('Login Failed');
* }
*
* echo $ssh->exec('pwd');
* echo $ssh->exec('ls -la');
* ?>
* </code>
*
* @author Jim Wigginton <terrafrost@php.net>
* @copyright 2014 Jim Wigginton
* @license http://www.opensource.org/licenses/mit-license.html MIT License
* @link http://phpseclib.sourceforge.net
*/
declare(strict_types=1);
namespace phpseclib3\System\SSH;
use phpseclib3\Common\Functions\Strings;
use phpseclib3\Crypt\Common\PublicKey;
use phpseclib3\Crypt\PublicKeyLoader;
use phpseclib3\Exception\BadConfigurationException;
use phpseclib3\Exception\RuntimeException;
use phpseclib3\Net\SSH2;
use phpseclib3\System\SSH\Agent\Identity;
/**
* Pure-PHP ssh-agent client identity factory
*
* requestIdentities() method pumps out \phpseclib3\System\SSH\Agent\Identity objects
*
* @author Jim Wigginton <terrafrost@php.net>
*/
class Agent
{
use Common\Traits\ReadBytes;
// Message numbers
// to request SSH1 keys you have to use SSH_AGENTC_REQUEST_RSA_IDENTITIES (1)
public const SSH_AGENTC_REQUEST_IDENTITIES = 11;
// this is the SSH2 response; the SSH1 response is SSH_AGENT_RSA_IDENTITIES_ANSWER (2).
public const SSH_AGENT_IDENTITIES_ANSWER = 12;
// the SSH1 request is SSH_AGENTC_RSA_CHALLENGE (3)
public const SSH_AGENTC_SIGN_REQUEST = 13;
// the SSH1 response is SSH_AGENT_RSA_RESPONSE (4)
public const SSH_AGENT_SIGN_RESPONSE = 14;
// Agent forwarding status
// no forwarding requested and not active
public const FORWARD_NONE = 0;
// request agent forwarding when opportune
public const FORWARD_REQUEST = 1;
// forwarding has been request and is active
public const FORWARD_ACTIVE = 2;
/**
* Unused
*/
public const SSH_AGENT_FAILURE = 5;
/**
* Socket Resource
*
* @var resource
*/
private $fsock;
/**
* Agent forwarding status
*
* @var int
*/
private $forward_status = self::FORWARD_NONE;
/**
* Buffer for accumulating forwarded authentication
* agent data arriving on SSH data channel destined
* for agent unix socket
*
* @var string
*/
private $socket_buffer = '';
/**
* Tracking the number of bytes we are expecting
* to arrive for the agent socket on the SSH data
* channel
*
* @var int
*/
private $expected_bytes = 0;
/**
* Default Constructor
*
* @return Agent
* @throws BadConfigurationException if SSH_AUTH_SOCK cannot be found
* @throws RuntimeException on connection errors
*/
public function __construct(?string $address = null)
{
if (!$address) {
switch (true) {
case isset($_SERVER['SSH_AUTH_SOCK']):
$address = $_SERVER['SSH_AUTH_SOCK'];
break;
case isset($_ENV['SSH_AUTH_SOCK']):
$address = $_ENV['SSH_AUTH_SOCK'];
break;
default:
throw new BadConfigurationException('SSH_AUTH_SOCK not found');
}
}
if (in_array('unix', stream_get_transports())) {
$this->fsock = fsockopen('unix://' . $address, 0, $errno, $errstr);
if (!$this->fsock) {
throw new RuntimeException("Unable to connect to ssh-agent (Error $errno: $errstr)");
}
} else {
if (substr($address, 0, 9) != '\\\\.\\pipe\\' || str_contains(substr($address, 9), '\\')) {
throw new RuntimeException('Address is not formatted as a named pipe should be');
}
$this->fsock = fopen($address, 'r+b');
if (!$this->fsock) {
throw new RuntimeException('Unable to open address');
}
}
}
/**
* Request Identities
*
* See "2.5.2 Requesting a list of protocol 2 keys"
* Returns an array containing zero or more \phpseclib3\System\SSH\Agent\Identity objects
*
* @throws RuntimeException on receipt of unexpected packets
*/
public function requestIdentities(): array
{
if (!$this->fsock) {
return [];
}
$packet = pack('NC', 1, self::SSH_AGENTC_REQUEST_IDENTITIES);
if (strlen($packet) != fwrite($this->fsock, $packet)) {
throw new RuntimeException('Connection closed while requesting identities');
}
$length = current(unpack('N', $this->readBytes(4)));
$packet = $this->readBytes($length);
[$type, $keyCount] = Strings::unpackSSH2('CN', $packet);
if ($type != self::SSH_AGENT_IDENTITIES_ANSWER) {
throw new RuntimeException('Unable to request identities');
}
$identities = [];
for ($i = 0; $i < $keyCount; $i++) {
[$key_blob, $comment] = Strings::unpackSSH2('ss', $packet);
$temp = $key_blob;
[$key_type] = Strings::unpackSSH2('s', $temp);
switch ($key_type) {
case 'ssh-rsa':
case 'ssh-dss':
case 'ssh-ed25519':
case 'ecdsa-sha2-nistp256':
case 'ecdsa-sha2-nistp384':
case 'ecdsa-sha2-nistp521':
$key = PublicKeyLoader::load($key_type . ' ' . base64_encode($key_blob));
}
// resources are passed by reference by default
if (isset($key)) {
$identity = (new Identity($this->fsock))
->withPublicKey($key)
->withPublicKeyBlob($key_blob)
->withComment($comment);
$identities[] = $identity;
unset($key);
}
}
return $identities;
}
/**
* Returns the SSH Agent identity matching a given public key or null if no identity is found
*
* @return ?Identity
*/
public function findIdentityByPublicKey(PublicKey $key)
{
$identities = $this->requestIdentities();
$key = (string) $key;
foreach ($identities as $identity) {
if (((string) $identity->getPublicKey()) == $key) {
return $identity;
}
}
return null;
}
/**
* Signal that agent forwarding should
* be requested when a channel is opened
*/
public function startSSHForwarding(): void
{
if ($this->forward_status == self::FORWARD_NONE) {
$this->forward_status = self::FORWARD_REQUEST;
}
}
/**
* Request agent forwarding of remote server
*/
private function request_forwarding(SSH2 $ssh): bool
{
if (!$ssh->requestAgentForwarding()) {
return false;
}
$this->forward_status = self::FORWARD_ACTIVE;
return true;
}
/**
* On successful channel open
*
* This method is called upon successful channel
* open to give the SSH Agent an opportunity
* to take further action. i.e. request agent forwarding
*/
public function registerChannelOpen(SSH2 $ssh): void
{
if ($this->forward_status == self::FORWARD_REQUEST) {
$this->request_forwarding($ssh);
}
}
/**
* Forward data to SSH Agent and return data reply
*
* @return string Data from SSH Agent
* @throws RuntimeException on connection errors
*/
public function forwardData(string $data)
{
if ($this->expected_bytes > 0) {
$this->socket_buffer .= $data;
$this->expected_bytes -= strlen($data);
} else {
$agent_data_bytes = current(unpack('N', $data));
$current_data_bytes = strlen($data);
$this->socket_buffer = $data;
if ($current_data_bytes != $agent_data_bytes + 4) {
$this->expected_bytes = ($agent_data_bytes + 4) - $current_data_bytes;
return false;
}
}
if (strlen($this->socket_buffer) != fwrite($this->fsock, $this->socket_buffer)) {
throw new RuntimeException('Connection closed attempting to forward data to SSH agent');
}
$this->socket_buffer = '';
$this->expected_bytes = 0;
$agent_reply_bytes = current(unpack('N', $this->readBytes(4)));
$agent_reply_data = $this->readBytes($agent_reply_bytes);
$agent_reply_data = current(unpack('a*', $agent_reply_data));
return pack('Na*', $agent_reply_bytes, $agent_reply_data);
}
}

333
qa-tool/htdocs/oidc/phpseclib/System/SSH/Agent/Identity.php Normal file
View File

@@ -0,0 +1,333 @@
<?php
/**
* Pure-PHP ssh-agent client.
*
* {@internal See http://api.libssh.org/rfc/PROTOCOL.agent}
*
* PHP version 5
*
* @author Jim Wigginton <terrafrost@php.net>
* @copyright 2009 Jim Wigginton
* @license http://www.opensource.org/licenses/mit-license.html MIT License
* @link http://phpseclib.sourceforge.net
*/
declare(strict_types=1);
namespace phpseclib3\System\SSH\Agent;
use phpseclib3\Common\Functions\Strings;
use phpseclib3\Crypt\Common\PrivateKey;
use phpseclib3\Crypt\Common\PublicKey;
use phpseclib3\Crypt\DSA;
use phpseclib3\Crypt\EC;
use phpseclib3\Crypt\RSA;
use phpseclib3\Exception\RuntimeException;
use phpseclib3\Exception\UnsupportedAlgorithmException;
use phpseclib3\System\SSH\Agent;
use phpseclib3\System\SSH\Common\Traits\ReadBytes;
/**
* Pure-PHP ssh-agent client identity object
*
* Instantiation should only be performed by \phpseclib3\System\SSH\Agent class.
* This could be thought of as implementing an interface that phpseclib3\Crypt\RSA
* implements. ie. maybe a Net_SSH_Auth_PublicKey interface or something.
* The methods in this interface would be getPublicKey and sign since those are the
* methods phpseclib looks for to perform public key authentication.
*
* @author Jim Wigginton <terrafrost@php.net>
* @internal
*/
class Identity implements PrivateKey
{
use ReadBytes;
// Signature Flags
// See https://tools.ietf.org/html/draft-miller-ssh-agent-00#section-5.3
public const SSH_AGENT_RSA2_256 = 2;
public const SSH_AGENT_RSA2_512 = 4;
/**
* Key Object
*
* @var PublicKey
* @see self::getPublicKey()
*/
private $key;
/**
* Key Blob
*
* @var string
* @see self::sign()
*/
private $key_blob;
/**
* Socket Resource
*
* @var resource
* @see self::sign()
*/
private $fsock;
/**
* Signature flags
*
* @var int
* @see self::sign()
* @see self::setHash()
*/
private $flags = 0;
/**
* Comment
*
* @var null|string
*/
private $comment;
/**
* Curve Aliases
*
* @var array
*/
private static $curveAliases = [
'secp256r1' => 'nistp256',
'secp384r1' => 'nistp384',
'secp521r1' => 'nistp521',
'Ed25519' => 'Ed25519',
];
/**
* Default Constructor.
*
* @param resource $fsock
*/
public function __construct($fsock)
{
$this->fsock = $fsock;
}
/**
* Set Public Key
*
* Called by \phpseclib3\System\SSH\Agent::requestIdentities()
*/
public function withPublicKey(PublicKey $key): Identity
{
if ($key instanceof EC) {
if (is_array($key->getCurve()) || !isset(self::$curveAliases[$key->getCurve()])) {
throw new UnsupportedAlgorithmException('The only supported curves are nistp256, nistp384, nistp512 and Ed25519');
}
}
$new = clone $this;
$new->key = $key;
return $new;
}
/**
* Set Public Key
*
* Called by \phpseclib3\System\SSH\Agent::requestIdentities(). The key blob could be extracted from $this->key
* but this saves a small amount of computation.
*/
public function withPublicKeyBlob(string $key_blob): Identity
{
$new = clone $this;
$new->key_blob = $key_blob;
return $new;
}
/**
* Get Public Key
*
* Wrapper for $this->key->getPublicKey()
*/
public function getPublicKey(): PublicKey
{
return $this->key;
}
/**
* Sets the hash
*/
public function withHash(string $hash): Identity
{
$new = clone $this;
$hash = strtolower($hash);
if ($this->key instanceof RSA) {
$new->flags = 0;
switch ($hash) {
case 'sha1':
break;
case 'sha256':
$new->flags = self::SSH_AGENT_RSA2_256;
break;
case 'sha512':
$new->flags = self::SSH_AGENT_RSA2_512;
break;
default:
throw new UnsupportedAlgorithmException('The only supported hashes for RSA are sha1, sha256 and sha512');
}
}
if ($this->key instanceof EC) {
switch ($this->key->getCurve()) {
case 'secp256r1':
$expectedHash = 'sha256';
break;
case 'secp384r1':
$expectedHash = 'sha384';
break;
//case 'secp521r1':
//case 'Ed25519':
default:
$expectedHash = 'sha512';
}
if ($hash != $expectedHash) {
throw new UnsupportedAlgorithmException('The only supported hash for ' . self::$curveAliases[$this->key->getCurve()] . ' is ' . $expectedHash);
}
}
if ($this->key instanceof DSA) {
if ($hash != 'sha1') {
throw new UnsupportedAlgorithmException('The only supported hash for DSA is sha1');
}
}
return $new;
}
/**
* Sets the padding
*
* Only PKCS1 padding is supported
*/
public function withPadding(int $padding): Identity
{
if (!$this->key instanceof RSA) {
throw new UnsupportedAlgorithmException('Only RSA keys support padding');
}
if ($padding != RSA::SIGNATURE_PKCS1 && $padding != RSA::SIGNATURE_RELAXED_PKCS1) {
throw new UnsupportedAlgorithmException('ssh-agent can only create PKCS1 signatures');
}
return $this;
}
/**
* Determines the signature padding mode
*
* Valid values are: ASN1, SSH2, Raw
*/
public function withSignatureFormat(string $format): Identity
{
if ($this->key instanceof RSA) {
throw new UnsupportedAlgorithmException('Only DSA and EC keys support signature format setting');
}
if ($format != 'SSH2') {
throw new UnsupportedAlgorithmException('Only SSH2-formatted signatures are currently supported');
}
return $this;
}
/**
* Returns the curve
*
* Returns a string if it's a named curve, an array if not
*
* @return string|array
*/
public function getCurve()
{
if (!$this->key instanceof EC) {
throw new UnsupportedAlgorithmException('Only EC keys have curves');
}
return $this->key->getCurve();
}
/**
* Create a signature
*
* See "2.6.2 Protocol 2 private key signature request"
*
* @param string $message
* @throws RuntimeException on connection errors
* @throws UnsupportedAlgorithmException if the algorithm is unsupported
*/
public function sign($message): string
{
// the last parameter (currently 0) is for flags and ssh-agent only defines one flag (for ssh-dss): SSH_AGENT_OLD_SIGNATURE
$packet = Strings::packSSH2(
'CssN',
Agent::SSH_AGENTC_SIGN_REQUEST,
$this->key_blob,
$message,
$this->flags
);
$packet = Strings::packSSH2('s', $packet);
if (strlen($packet) != fwrite($this->fsock, $packet)) {
throw new RuntimeException('Connection closed during signing');
}
$length = current(unpack('N', $this->readBytes(4)));
$packet = $this->readBytes($length);
[$type, $signature_blob] = Strings::unpackSSH2('Cs', $packet);
if ($type != Agent::SSH_AGENT_SIGN_RESPONSE) {
throw new RuntimeException('Unable to retrieve signature');
}
if (!$this->key instanceof RSA) {
return $signature_blob;
}
[$type, $signature_blob] = Strings::unpackSSH2('ss', $signature_blob);
return $signature_blob;
}
/**
* Returns the private key
*
* @param array $options optional
*/
public function toString(string $type, array $options = []): string
{
throw new RuntimeException('ssh-agent does not provide a mechanism to get the private key');
}
/**
* Sets the password
*
* @return never
*/
public function withPassword(?string $password = null): PrivateKey
{
throw new RuntimeException('ssh-agent does not provide a mechanism to get the private key');
}
/**
* Sets the comment
*/
public function withComment($comment = null)
{
$new = clone $this;
$new->comment = $comment;
return $new;
}
/**
* Returns the comment
*
* @return null|string
*/
public function getComment()
{
return $this->comment;
}
}

43
qa-tool/htdocs/oidc/phpseclib/System/SSH/Common/Traits/ReadBytes.php Normal file
View File

@@ -0,0 +1,43 @@
<?php
/**
* ReadBytes trait
*
* PHP version 5
*
* @author Jim Wigginton <terrafrost@php.net>
* @copyright 2015 Jim Wigginton
* @license http://www.opensource.org/licenses/mit-license.html MIT License
* @link http://phpseclib.sourceforge.net
*/
declare(strict_types=1);
namespace phpseclib3\System\SSH\Common\Traits;
use phpseclib3\Exception\RuntimeException;
/**
* ReadBytes trait
*
* @author Jim Wigginton <terrafrost@php.net>
*/
trait ReadBytes
{
/**
* Read data
*
* @throws RuntimeException on connection errors
*/
public function readBytes(int $length): string
{
$temp = fread($this->fsock, $length);
if ($temp === false) {
throw new RuntimeException('\fread() failed.');
}
if (strlen($temp) !== $length) {
throw new RuntimeException("Expected $length bytes; got " . strlen($temp));
}
return $temp;
}
}