class Net::SSH::Authentication::KeyManager

  1. lib/net/ssh/authentication/key_manager.rb
Parent: Authentication

This class encapsulates all operations done by clients on a user's private keys. In practice, the client should never need a reference to a private key; instead, they grab a list of "identities" (public keys) that are available from the KeyManager, and then use the KeyManager to do various private key operations using those identities.

The KeyManager also uses the Agent class to encapsulate the ssh-agent. Thus, from a client's perspective it is completely hidden whether an identity comes from the ssh-agent or from a file on disk.

Included modules

  1. Loggable


key_data [R]

The list of user key data that will be examined

key_files [R]

The list of user key files that will be examined

known_identities [R]

The map of loaded identities

options [R]

The map of options that were passed to the key-manager

Public Class methods

new (logger, options={})

Create a new KeyManager. By default, the manager will use the ssh-agent if it is running and the `:use_agent` option is not false.

[show source]
# File lib/net/ssh/authentication/key_manager.rb, line 42
def initialize(logger, options={})
  self.logger = logger
  @key_files = []
  @key_data = []
  @use_agent = !(options[:use_agent] == false)
  @known_identities = {}
  @agent = nil
  @options = options

Public Instance methods

add (key_file)

Add the given key_file to the list of key files that will be used.

[show source]
# File lib/net/ssh/authentication/key_manager.rb, line 64
def add(key_file)
add_key_data (key_data_)

Add the given key_file to the list of keys that will be used.

[show source]
# File lib/net/ssh/authentication/key_manager.rb, line 70
def add_key_data(key_data_)
agent ()

Returns an Agent instance to use for communicating with an SSH agent process. Returns nil if use of an SSH agent has been disabled, or if the agent is otherwise not available.

[show source]
# File lib/net/ssh/authentication/key_manager.rb, line 177
def agent
  return unless use_agent?
  @agent ||= Agent.connect(logger)
rescue AgentNotAvailable
  @use_agent = false
clear! ()

Clear all knowledge of any loaded user keys. This also clears the list of default identity files that are to be loaded, thus making it appropriate to use if a client wishes to NOT use the default identity files.

[show source]
# File lib/net/ssh/authentication/key_manager.rb, line 56
def clear!
each_identity ()

Iterates over all available identities (public keys) known to this manager. As it finds one, it will then yield it to the caller. The origin of the identities may be from files on disk or from an ssh-agent. Note that identities from an ssh-agent are always listed first in the array, with other identities coming after.

If key manager was created with :keys_only option, any identity from ssh-agent will be ignored unless it present in key_files or key_data.

[show source]
# File lib/net/ssh/authentication/key_manager.rb, line 98
def each_identity
  prepared_identities = prepare_identities_from_files + prepare_identities_from_data

  user_identities = load_identities(prepared_identities, false)

  if agent
    agent.identities.each do |key|
      corresponding_user_identity = user_identities.detect { |identity|
        identity[:public_key] && identity[:public_key].to_pem == key.to_pem
      user_identities.delete(corresponding_user_identity) if corresponding_user_identity

      if !options[:keys_only] || corresponding_user_identity
        known_identities[key] = { :from => :agent }
        yield key

  user_identities = load_identities(user_identities, true)

  user_identities.each do |identity|
    key = identity.delete(:public_key)
    known_identities[key] = identity
    yield key

finish ()

This is used as a hint to the KeyManager indicating that the agent connection is no longer needed. Any other open resources may be closed at this time.

Calling this does NOT indicate that the KeyManager will no longer be used. Identities may still be requested and operations done on loaded identities, in which case, the agent will be automatically reconnected. This method simply allows the client connection to be closed when it will not be used in the immediate future.

[show source]
# File lib/net/ssh/authentication/key_manager.rb, line 84
def finish
  @agent.close if @agent
  @agent = nil
sign (identity, data)

Sign the given data, using the corresponding private key of the given identity. If the identity was originally obtained from an ssh-agent, then the ssh-agent will be used to sign the data, otherwise the private key for the identity will be loaded from disk (if it hasn't been loaded already) and will then be used to sign the data.

Regardless of the identity's origin or who does the signing, this will always return the signature in an SSH2-specified "signature blob" format.

[show source]
# File lib/net/ssh/authentication/key_manager.rb, line 137
def sign(identity, data)
  info = known_identities[identity] or raise KeyManagerError, "the given identity is unknown to the key manager"

  if info[:key].nil? && info[:from] == :file
      info[:key] = KeyFactory.load_private_key(info[:file], options[:passphrase], true)
    rescue Exception, OpenSSL::OpenSSLError => e
      raise KeyManagerError, "the given identity is known, but the private key could not be loaded: #{e.class} (#{e.message})"

  if info[:key]
    return Net::SSH::Buffer.from(:string, identity.ssh_type,
      :string, info[:key].ssh_do_sign(data.to_s)).to_s

  if info[:from] == :agent
    raise KeyManagerError, "the agent is no longer available" unless agent
    return agent.sign(identity, data.to_s)

  raise KeyManagerError, "[BUG] can't determine identity origin (#{info.inspect})"
use_agent= (use_agent)

Toggles whether the ssh-agent will be used or not. If true, an attempt will be made to use the ssh-agent. If false, any existing connection to an agent is closed and the agent will not be used.

[show source]
# File lib/net/ssh/authentication/key_manager.rb, line 169
def use_agent=(use_agent)
  finish if !use_agent
  @use_agent = use_agent
use_agent? ()

Identifies whether the ssh-agent will be used or not.

[show source]
# File lib/net/ssh/authentication/key_manager.rb, line 162
def use_agent?