diff --git a/lib/vagrant/patches/net-ssh.rb b/lib/vagrant/patches/net-ssh.rb index 35b0292a0..a5d65a23a 100644 --- a/lib/vagrant/patches/net-ssh.rb +++ b/lib/vagrant/patches/net-ssh.rb @@ -4,6 +4,32 @@ require "net/ssh" # these patches pull 6.1.0 up to the as of now # current 6.2.0 beta if Net::SSH::Version::STRING == "6.1.0" + require "net/ssh/authentication/methods/publickey" + Net::SSH::Authentication::Methods::Publickey.class_eval do + def rsa_compat_build_request(pub_key, *args) + s_ver_str = session.transport.server_version.version.match(/OpenSSH_(?\d+\.\d+)/)[:version] + begin + s_ver = Gem::Version.new(s_ver_str) + if s_ver >= Gem::Version.new("7.2") && pub_key.is_a?(OpenSSL::PKey::RSA) + pub_key.deprecated_ssh_rsa = true + debug { "public key has been marked for deprecated ssh-rsa SHA1 behavior" } + info = key_manager.known_identities[pub_key] + if info && info[:key] + info[:key].deprecated_ssh_rsa = true + debug { "private key has been marked for deprecated ssh-rsa SHA1 behavior" } + else + warn { "cannot deprecate ssh rsa on private key, not loaded (#{info[:file]})" } + end + end + rescue ArgumentError + warn { "failed to parse OpenSSH version (raw: #{session.transport.server_version.version} attempted: #{s_ver_str}" } + end + _raw_build_request(pub_key, *args) + end + alias_method :_raw_build_request, :build_request + alias_method :build_request, :rsa_compat_build_request + end + require "net/ssh/authentication/agent" # net/ssh/authentication/agent Net::SSH::Authentication::Agent.class_eval do @@ -87,6 +113,8 @@ if Net::SSH::Version::STRING == "6.1.0" require "net/ssh/transport/openssl" # net/ssh/transport/openssl OpenSSL::PKey::RSA.class_eval do + attr_accessor :deprecated_ssh_rsa + def ssh_do_verify(sig, data, options = {}) digester = if options[:host_key] == "rsa-sha2-512" @@ -99,6 +127,22 @@ if Net::SSH::Version::STRING == "6.1.0" verify(digester, sig, data) end + + def ssh_type + deprecated_ssh_rsa ? signature_algorithm : "ssh-rsa" + end + + def signature_algorithm + "rsa-sha2-256" + end + + def ssh_do_sign(data) + if deprecated_ssh_rsa + sign(OpenSSL::Digest::SHA256.new, data) + else + sign(OpenSSL::Digest::SHA1.new, data) + end + end end OpenSSL::PKey::DSA.class_eval do diff --git a/vagrant.gemspec b/vagrant.gemspec index 1643681b4..99ed2083c 100644 --- a/vagrant.gemspec +++ b/vagrant.gemspec @@ -24,7 +24,7 @@ Gem::Specification.new do |s| s.add_dependency "listen", "~> 3.4" s.add_dependency "log4r", "~> 1.1.9", "< 1.1.11" s.add_dependency "mime-types", "~> 3.3" - s.add_dependency "net-ssh", ">= 6.1.0", "< 7" + s.add_dependency "net-ssh", ">= 6.1.0", "< 6.2" s.add_dependency "net-sftp", "~> 3.0" s.add_dependency "net-scp", "~> 1.2.0" s.add_dependency "rb-kqueue", "~> 0.2.0"