Configurable SSH key exchange algorithm and MAC suite (#2806)
This commit is contained in:
parent
d94e2a1c22
commit
eecaba2031
4 changed files with 24 additions and 4 deletions
6
conf/app.ini
vendored
6
conf/app.ini
vendored
|
@ -128,6 +128,12 @@ SSH_ROOT_PATH =
|
||||||
; For built-in SSH server only, choose the ciphers to support for SSH connections,
|
; For built-in SSH server only, choose the ciphers to support for SSH connections,
|
||||||
; for system SSH this setting has no effect
|
; for system SSH this setting has no effect
|
||||||
SSH_SERVER_CIPHERS = aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, arcfour256, arcfour128
|
SSH_SERVER_CIPHERS = aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, arcfour256, arcfour128
|
||||||
|
; For built-in SSH server only, choose the key exchange algorithms to support for SSH connections,
|
||||||
|
; for system SSH this setting has no effect
|
||||||
|
SSH_SERVER_KEY_EXCHANGES = diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, curve25519-sha256@libssh.org
|
||||||
|
; For built-in SSH server only, choose the MACs to support for SSH connections,
|
||||||
|
; for system SSH this setting has no effect
|
||||||
|
SSH_SERVER_MACS = hmac-sha2-256-etm@openssh.com, hmac-sha2-256, hmac-sha1, hmac-sha1-96
|
||||||
; Directory to create temporary files when test public key using ssh-keygen,
|
; Directory to create temporary files when test public key using ssh-keygen,
|
||||||
; default is system temporary directory.
|
; default is system temporary directory.
|
||||||
SSH_KEY_TEST_PATH =
|
SSH_KEY_TEST_PATH =
|
||||||
|
|
|
@ -98,6 +98,8 @@ var (
|
||||||
ListenPort int `ini:"SSH_LISTEN_PORT"`
|
ListenPort int `ini:"SSH_LISTEN_PORT"`
|
||||||
RootPath string `ini:"SSH_ROOT_PATH"`
|
RootPath string `ini:"SSH_ROOT_PATH"`
|
||||||
ServerCiphers []string `ini:"SSH_SERVER_CIPHERS"`
|
ServerCiphers []string `ini:"SSH_SERVER_CIPHERS"`
|
||||||
|
ServerKeyExchanges []string `ini:"SSH_SERVER_KEY_EXCHANGES"`
|
||||||
|
ServerMACs []string `ini:"SSH_SERVER_MACS"`
|
||||||
KeyTestPath string `ini:"SSH_KEY_TEST_PATH"`
|
KeyTestPath string `ini:"SSH_KEY_TEST_PATH"`
|
||||||
KeygenPath string `ini:"SSH_KEYGEN_PATH"`
|
KeygenPath string `ini:"SSH_KEYGEN_PATH"`
|
||||||
AuthorizedKeysBackup bool `ini:"SSH_AUTHORIZED_KEYS_BACKUP"`
|
AuthorizedKeysBackup bool `ini:"SSH_AUTHORIZED_KEYS_BACKUP"`
|
||||||
|
@ -110,6 +112,8 @@ var (
|
||||||
Domain: "",
|
Domain: "",
|
||||||
Port: 22,
|
Port: 22,
|
||||||
ServerCiphers: []string{"aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "arcfour256", "arcfour128"},
|
ServerCiphers: []string{"aes128-ctr", "aes192-ctr", "aes256-ctr", "aes128-gcm@openssh.com", "arcfour256", "arcfour128"},
|
||||||
|
ServerKeyExchanges: []string{"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1", "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521", "curve25519-sha256@libssh.org"},
|
||||||
|
ServerMACs: []string{"hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha1", "hmac-sha1-96"},
|
||||||
KeygenPath: "ssh-keygen",
|
KeygenPath: "ssh-keygen",
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -732,6 +736,14 @@ func NewContext() {
|
||||||
if len(serverCiphers) > 0 {
|
if len(serverCiphers) > 0 {
|
||||||
SSH.ServerCiphers = serverCiphers
|
SSH.ServerCiphers = serverCiphers
|
||||||
}
|
}
|
||||||
|
serverKeyExchanges := sec.Key("SSH_SERVER_KEY_EXCHANGES").Strings(",")
|
||||||
|
if len(serverKeyExchanges) > 0 {
|
||||||
|
SSH.ServerKeyExchanges = serverKeyExchanges
|
||||||
|
}
|
||||||
|
serverMACs := sec.Key("SSH_SERVER_MACS").Strings(",")
|
||||||
|
if len(serverMACs) > 0 {
|
||||||
|
SSH.ServerMACs = serverMACs
|
||||||
|
}
|
||||||
SSH.KeyTestPath = os.TempDir()
|
SSH.KeyTestPath = os.TempDir()
|
||||||
if err = Cfg.Section("server").MapTo(&SSH); err != nil {
|
if err = Cfg.Section("server").MapTo(&SSH); err != nil {
|
||||||
log.Fatal(4, "Failed to map SSH settings: %v", err)
|
log.Fatal(4, "Failed to map SSH settings: %v", err)
|
||||||
|
|
|
@ -151,10 +151,12 @@ func listen(config *ssh.ServerConfig, host string, port int) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Listen starts a SSH server listens on given port.
|
// Listen starts a SSH server listens on given port.
|
||||||
func Listen(host string, port int, ciphers []string) {
|
func Listen(host string, port int, ciphers []string, keyExchanges []string, macs []string) {
|
||||||
config := &ssh.ServerConfig{
|
config := &ssh.ServerConfig{
|
||||||
Config: ssh.Config{
|
Config: ssh.Config{
|
||||||
Ciphers: ciphers,
|
Ciphers: ciphers,
|
||||||
|
KeyExchanges: keyExchanges,
|
||||||
|
MACs: macs,
|
||||||
},
|
},
|
||||||
PublicKeyCallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
|
PublicKeyCallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
|
||||||
pkey, err := models.SearchPublicKeyByContent(strings.TrimSpace(string(ssh.MarshalAuthorizedKey(key))))
|
pkey, err := models.SearchPublicKeyByContent(strings.TrimSpace(string(ssh.MarshalAuthorizedKey(key))))
|
||||||
|
|
|
@ -81,7 +81,7 @@ func GlobalInit() {
|
||||||
checkRunMode()
|
checkRunMode()
|
||||||
|
|
||||||
if setting.InstallLock && setting.SSH.StartBuiltinServer {
|
if setting.InstallLock && setting.SSH.StartBuiltinServer {
|
||||||
ssh.Listen(setting.SSH.ListenHost, setting.SSH.ListenPort, setting.SSH.ServerCiphers)
|
ssh.Listen(setting.SSH.ListenHost, setting.SSH.ListenPort, setting.SSH.ServerCiphers, setting.SSH.ServerKeyExchanges, setting.SSH.ServerMACs)
|
||||||
log.Info("SSH server started on %s:%d. Cipher list (%v)", setting.SSH.ListenHost, setting.SSH.ListenPort, setting.SSH.ServerCiphers)
|
log.Info("SSH server started on %s:%d. Cipher list (%v), key exchange algorithms (%v), MACs (%v)", setting.SSH.ListenHost, setting.SSH.ListenPort, setting.SSH.ServerCiphers, setting.SSH.ServerKeyExchanges, setting.SSH.ServerMACs)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
Reference in a new issue