📄 connection.java
字号:
return authenticated;
}
/**
* A convenience wrapper function which reads in a private key (PEM format, either DSA or RSA)
* and then calls <code>authenticateWithPublicKey(String, char[], String)</code>.
* <p>
* NOTE PUTTY USERS: Event though your key file may start with "-----BEGIN..."
* it is not in the expected format. You have to convert it to the OpenSSH
* key format by using the "puttygen" tool (can be downloaded from the Putty
* website). Simply load your key and then use the "Conversions/Export OpenSSH key"
* functionality to get a proper PEM file.
*
* @param user
* A <code>String</code> holding the username.
* @param pemFile
* A <code>File</code> object pointing to a file containing a DSA or RSA
* private key of the user in OpenSSH key format (PEM, you can't miss the
* "-----BEGIN DSA PRIVATE KEY-----" or "-----BEGIN RSA PRIVATE KEY-----"
* tag).
* @param password
* If the PEM file is encrypted then you must specify the password.
* Otherwise, this argument will be ignored and can be set to <code>null</code>.
*
* @return whether the connection is now authenticated.
* @throws IOException
*/
public synchronized boolean authenticateWithPublicKey(String user, File pemFile, String password)
throws IOException
{
if (pemFile == null)
throw new IllegalArgumentException("pemFile argument is null");
char[] buff = new char[256];
CharArrayWriter cw = new CharArrayWriter();
FileReader fr = new FileReader(pemFile);
while (true)
{
int len = fr.read(buff);
if (len < 0)
break;
cw.write(buff, 0, len);
}
fr.close();
return authenticateWithPublicKey(user, cw.toCharArray(), password);
}
/**
* Close the connection to the SSH-2 server. All assigned sessions will be
* closed, too. Can be called at any time. Don't forget to call this once
* you don't need a connection anymore - otherwise the receiver thread will
* run forever.
*/
public synchronized void close()
{
Throwable t = new Throwable("Closed due to user request.");
close(t, false);
}
private void close(Throwable t, boolean hard)
{
if (cm != null)
cm.closeAllChannels();
if (tm != null)
{
tm.close(t, hard == false);
tm = null;
}
am = null;
cm = null;
authenticated = false;
}
/**
* Same as {@link #connect(ServerHostKeyVerifier, int, int) connect(null, 0, 0)}.
*
* @return see comments for the {@link #connect(ServerHostKeyVerifier, int, int) connect(ServerHostKeyVerifier, int, int)} method.
* @throws IOException
*/
public synchronized ConnectionInfo connect() throws IOException
{
return connect(null, 0, 0);
}
/**
* Same as {@link #connect(ServerHostKeyVerifier, int, int) connect(verifier, 0, 0)}.
*
* @return see comments for the {@link #connect(ServerHostKeyVerifier, int, int) connect(ServerHostKeyVerifier, int, int)} method.
* @throws IOException
*/
public synchronized ConnectionInfo connect(ServerHostKeyVerifier verifier) throws IOException
{
return connect(verifier, 0, 0);
}
/**
* Connect to the SSH-2 server and, as soon as the server has presented its
* host key, use the {@link ServerHostKeyVerifier#verifyServerHostKey(String,
* int, String, byte[]) ServerHostKeyVerifier.verifyServerHostKey()}
* method of the <code>verifier</code> to ask for permission to proceed.
* If <code>verifier</code> is <code>null</code>, then any host key will be
* accepted - this is NOT recommended, since it makes man-in-the-middle attackes
* VERY easy (somebody could put a proxy SSH server between you and the real server).
* <p>
* Note: The verifier will be called before doing any crypto calculations
* (i.e., diffie-hellman). Therefore, if you don't like the presented host key then
* no CPU cycles are wasted (and the evil server has less information about us).
* <p>
* However, it is still possible that the server presented a fake host key: the server
* cheated (typically a sign for a man-in-the-middle attack) and is not able to generate
* a signature that matches its host key. Don't worry, the library will detect such
* a scenario later when checking the signature (the signature cannot be checked before
* having completed the diffie-hellman exchange).
* <p>
* Note 2: The {@link ServerHostKeyVerifier#verifyServerHostKey(String,
* int, String, byte[]) ServerHostKeyVerifier.verifyServerHostKey()} method
* will *NOT* be called from the current thread, the call is being made from a
* background thread (there is a background dispatcher thread for every
* established connection).
* <p>
* Note 3: This method will block as long as the key exchange of the underlying connection
* has not been completed (and you have not specified any timeouts).
*
* @param verifier
* An object that implements the
* {@link ServerHostKeyVerifier} interface. Pass <code>null</code>
* to accept any server host key - NOT recommended.
*
* @param connectTimeout
* Connect the underlying TCP socket to the server with the given timeout
* value (non-negative, in milliseconds). Zero means no timeout.
*
* @param kexTimeout
* Timeout for complete connection establishment (non-negative,
* in milliseconds). Zero means no timeout. The timeout counts from the
* moment you invoke the connect() method and is cancelled as soon as the
* first key-exchange round has finished. It is possible that
* the timeout event will be fired during the invocation of the
* <code>verifier</code> callback, but it will only have an effect after
* the <code>verifier</code> returns.
*
* @return A {@link ConnectionInfo} object containing the details of
* the established connection.
*
* @throws IOException
* If any problem occurs, e.g., the server's host key is not
* accepted by the <code>verifier</code> or there is problem during
* the initial crypto setup (e.g., the signature sent by the server is wrong).
* <p>
* In case of a timeout (either connectTimeout or kexTimeout)
* a SocketTimeoutException is thrown.
*/
public synchronized ConnectionInfo connect(ServerHostKeyVerifier verifier, int connectTimeout, int kexTimeout)
throws IOException
{
final class TimeoutState
{
boolean isCancelled = false;
boolean timeoutSocketClosed = false;
}
if (tm != null)
throw new IOException("Connection to " + hostname + " is already in connected state!");
if (connectTimeout < 0)
throw new IllegalArgumentException("connectTimeout must be non-negative!");
if (kexTimeout < 0)
throw new IllegalArgumentException("kexTimeout must be non-negative!");
final TimeoutState state = new TimeoutState();
tm = new TransportManager(hostname, port);
/* Make sure that the runnable below will observe the new value of "tm"
* and "state" (the runnable will be executed in a different thread).
* Let's flush all variables. See also the comment in Channel.java if you
* are interested in the details.
*/
synchronized (tm)
{
/* We could actually synchronize on anything. */
}
try
{
TimeoutToken token = null;
if (kexTimeout > 0)
{
final Runnable timeoutHandler = new Runnable()
{
public void run()
{
synchronized (state)
{
if (state.isCancelled)
return;
state.timeoutSocketClosed = true;
tm.close(new SocketTimeoutException("The connect timeout expired"), false);
}
}
};
long timeoutHorizont = System.currentTimeMillis() + kexTimeout;
token = TimeoutService.addTimeoutHandler(timeoutHorizont, timeoutHandler);
}
try
{
tm.initialize(cryptoWishList, verifier, dhgexpara, connectTimeout, rnd);
}
catch (SocketTimeoutException se)
{
throw (SocketTimeoutException) new SocketTimeoutException(
"The connect() operation on the socket timed out.").initCause(se);
}
tm.setTcpNoDelay(tcpNoDelay);
/* Wait until first KEX has finished */
ConnectionInfo ci = tm.getConnectionInfo(1);
/* Now try to cancel the timeout, if needed */
if (token != null)
{
TimeoutService.cancelTimeoutHandler(token);
/* Were we too late? */
synchronized (state)
{
if (state.timeoutSocketClosed)
throw new IOException("This exception will be replaced by the one below =)");
/* Just in case the "cancelTimeoutHandler" invocation came just a little bit
* too late but the handler did not enter the semaphore yet - we can
* still stop it.
*/
state.isCancelled = true;
}
}
return ci;
}
catch (SocketTimeoutException ste)
{
throw ste;
}
catch (IOException e1)
{
close();
synchronized (state)
{
/* Show a clean exception, not something like "the socket is closed!?!" */
if (state.timeoutSocketClosed)
throw new SocketTimeoutException("The kexTimeout (" + kexTimeout + " ms) expired.");
}
throw (IOException) new IOException("There was a problem while talking to " + hostname + ":" + port)
.initCause(e1);
}
}
/**
* Creates a new {@link LocalPortForwarder}.
* A <code>LocalPortForwarder</code> forwards TCP/IP connections that arrive at a local
* port via the secure tunnel to another host (which may or may not be
* identical to the remote SSH-2 server).
* <p>
* This method must only be called after one has passed successfully the authentication step.
* There is no limit on the number of concurrent forwardings.
*
* @param local_port the local port the LocalPortForwarder shall bind to.
* @param host_to_connect target address (IP or hostname)
* @param port_to_connect target port
* @return A {@link LocalPortForwarder} object.
* @throws IOException
*/
public synchronized LocalPortForwarder createLocalPortForwarder(int local_port, String host_to_connect,
int port_to_connect) throws IOException
{
if (tm == null)
throw new IllegalStateException("Cannot forward ports, you need to establish a connection first.");
if (!authenticated)
throw new IllegalStateException("Cannot forward ports, connection is not authenticated.");
return new LocalPortForwarder(cm, local_port, host_to_connect, port_to_connect);
}
/**
* Creates a new {@link LocalStreamForwarder}.
* A <code>LocalStreamForwarder</code> manages an Input/Outputstream pair
* that is being forwarded via the secure tunnel into a TCP/IP connection to another host
* (which may or may not be identical to the remote SSH-2 server).
*
* @param host_to_connect
* @param port_to_connect
* @return A {@link LocalStreamForwarder} object.
* @throws IOException
*/
public synchronized LocalStreamForwarder createLocalStreamForwarder(String host_to_connect, int port_to_connect)
throws IOException
{
if (tm == null)
throw new IllegalStateException("Cannot forward, you need to establish a connection first.");
if (!authenticated)
throw new IllegalStateException("Cannot forward, connection is not authenticated.");
return new LocalStreamForwarder(cm, host_to_connect, port_to_connect);
}
/**
* Create a very basic {@link SCPClient} that can be used to copy
* files from/to the SSH-2 server.
* <p>
* Works only after one has passed successfully the authentication step.
* There is no limit on the number of concurrent SCP clients.
* <p>
* Note: This factory method will probably disappear in the future.
*
* @return A {@link SCPClient} object.
* @throws IOException
*/
public synchronized SCPClient createSCPClient() throws IOException
{
if (tm == null)
throw new IllegalStateException("Cannot create SCP client, you need to establish a connection first.");
if (!authenticated)
throw new IllegalStateException("Cannot create SCP client, connection is not authenticated.");
return new SCPClient(this);
}
/**
* Force an asynchronous key re-exchange (the call does not block). The
* latest values set for MAC, Cipher and DH group exchange parameters will
* be used. If a key exchange is currently in progress, then this method has
* the only effect that the so far specified parameters will be used for the
* next (server driven) key exchange.
* <p>
* Note: This implementation will never start a key exchange (other than the initial one)
* unless you or the SSH-2 server ask for it.
*
* @throws IOException
* In case of any failure behind the scenes.
*/
public synchronized void forceKeyExchange() throws IOException
{
if (tm == null)
throw new IllegalStateException("You need to establish a connection first.");
tm.forceKeyExchange(cryptoWishList, dhgexpara);
}
/**
* Returns a {@link ConnectionInfo} object containing the details of
* the connection. Can be called as soon as the connection has been
* established (successfully connected).
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -