author | Stan Hu <stanhu@gmail.com> | 2022-05-20 17:00:24 +0000 |
committer | Stan Hu <stanhu@gmail.com> | 2022-05-20 17:00:24 +0000 |
commit | 1f89ece0aebb72e92c4e82760120ad32db62e268 (patch) | |
tree | 935a3b810324efce6b5424117ee32c1266387a41 | |
parent | 216446d817f9446d31d384369ad0343424106363 (diff) | |
parent | 6a76b027fd18b218f6c935762e24c8e1c5cd6c0d (diff) | |
Merge branch 'id-set-supported-kex-algos' into 'main'
Narrow supported kex algorithms
See merge request gitlab-org/gitlab-shell!638
-rw-r--r-- | config.yml.example | 2 | ||||
-rw-r--r-- | internal/sshd/server_config.go | 27 | ||||
-rw-r--r-- | internal/sshd/server_config_test.go | 14 |
3 files changed, 23 insertions, 20 deletions
diff --git a/config.yml.example b/config.yml.example
index 0e75d75..1fdb6f9 100644
--- a/config.yml.example
+++ b/config.yml.example
@@ -89,7 +89,7 @@ sshd:
 # Specifies the available message authentication code algorithms that are used for protecting data integrity
 macs: [hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1]
 # Specifies the available Key Exchange algorithms
- kex_algorithms: [curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1]
+ kex_algorithms: [curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256]
 # Specified the ciphers allowed
 ciphers: [aes128-gcm@openssh.com, chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-ctr, aes192-ctr,aes256-ctr]
 # SSH host key files.
diff --git a/internal/sshd/server_config.go b/internal/sshd/server_config.go
index 9727023..14aa470 100644
--- a/internal/sshd/server_config.go
+++ b/internal/sshd/server_config.go
@@ -16,13 +16,24 @@ import (
 "gitlab.com/gitlab-org/labkit/log"
 )
 
-var supportedMACs = []string{
- "hmac-sha2-256-etm@openssh.com",
- "hmac-sha2-512-etm@openssh.com",
- "hmac-sha2-256",
- "hmac-sha2-512",
- "hmac-sha1",
-}
+var (
+ supportedMACs = []string{
+ "hmac-sha2-256-etm@openssh.com",
+ "hmac-sha2-512-etm@openssh.com",
+ "hmac-sha2-256",
+ "hmac-sha2-512",
+ "hmac-sha1",
+ }
+
+ supportedKeyExchanges = []string{
+ "curve25519-sha256",
+ "curve25519-sha256@libssh.org",
+ "ecdh-sha2-nistp256",
+ "ecdh-sha2-nistp384",
+ "ecdh-sha2-nistp521",
+ "diffie-hellman-group14-sha256",
+ }
+)
 
 type serverConfig struct {
 cfg *config.Config
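Review bot: The comment above the changed `kex_algorithms` line does not say that the list is a preference order or that setting the key replaces the built-in defaults entirely, which matters now that the default list deliberately omits `diffie-hellman-group14-sha1`: an operator who copies this example and appends an algorithm silently reintroduces a SHA-1 key exchange for every connection. I would extend the comment to `# Specifies the available Key Exchange algorithms, in order of preference. Omit this key to use the built-in default (the same list).` so the tradeoff is visible where it will be edited. The `macs` line two lines above still lists `hmac-sha1`; HMAC-SHA-1 is not weakened by SHA-1 collision attacks the way a SHA-1 key exchange is, but the same old-client-versus-hardening reasoning is worth writing down there too.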
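Review bot: `supportedKeyExchanges` is a new package-level default that the server applies whenever `sshd.kex_algorithms` is unset, but it carries no comment saying why it exists or what was deliberately left out, and the identical list is maintained by hand in `config.yml.example`, so the two will drift unless the intent is recorded. I would add above it `// supportedKeyExchanges is the default KEX preference list used when sshd.kex_algorithms is unset.` and `// It intentionally omits diffie-hellman-group14-sha1 (SHA-1 based); keep in sync with config.yml.example.`. `supportedMACs` deserves the same treatment, since it still carries `hmac-sha1` with no rationale. Whether an unknown name in an operator-supplied list is rejected at config load or only fails at handshake time is not visible in this hunk; if nothing validates the configured names against what golang.org/x/crypto/ssh supports, a typo in `kex_algorithms` would surface only as clients failing to connect.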
@@ -102,6 +113,8 @@ func (s *serverConfig) get(ctx context.Context) *ssh.ServerConfig {
 
 if len(s.cfg.Server.KexAlgorithms) > 0 {
 sshCfg.KeyExchanges = s.cfg.Server.KexAlgorithms
+ } else {
+ sshCfg.KeyExchanges = supportedKeyExchanges
 }
 
 if len(s.cfg.Server.Ciphers) > 0 {
diff --git a/internal/sshd/server_config_test.go b/internal/sshd/server_config_test.go
index 296a417..f7e0575 100644
--- a/internal/sshd/server_config_test.go
+++ b/internal/sshd/server_config_test.go
@@ -85,23 +85,13 @@ func TestDefaultAlgorithms(t *testing.T) {
 sshServerConfig := srvCfg.get(context.Background())
 
 require.Equal(t, supportedMACs, sshServerConfig.MACs)
- require.Nil(t, sshServerConfig.KeyExchanges)
+ require.Equal(t, supportedKeyExchanges, sshServerConfig.KeyExchanges)
 require.Nil(t, sshServerConfig.Ciphers)
 
 sshServerConfig.SetDefaults()
 
 require.Equal(t, supportedMACs, sshServerConfig.MACs)
-
- defaultKeyExchanges := []string{
- "curve25519-sha256",
- "curve25519-sha256@libssh.org",
- "ecdh-sha2-nistp256",
- "ecdh-sha2-nistp384",
- "ecdh-sha2-nistp521",
- "diffie-hellman-group14-sha256",
- "diffie-hellman-group14-sha1",
- }
- require.Equal(t, defaultKeyExchanges, sshServerConfig.KeyExchanges)
+ require.Equal(t, supportedKeyExchanges, sshServerConfig.KeyExchanges)
 
 defaultCiphers := []string{
 "aes128-gcm@openssh.com",
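Review bot: The new `else` branch pins the key-exchange default inside `get`, but the `if len(s.cfg.Server.Ciphers) > 0 {` block that follows still leaves `sshCfg.Ciphers` nil when unset (the test in this commit asserts `require.Nil(t, sshServerConfig.Ciphers)`), so cipher selection is still delegated to the library default while MACs and KEX are now chosen by gitlab-shell; either pin ciphers the same way or add a comment stating that the library default is intended, so the asymmetry is not mistaken for an oversight. As a point of style, a branch that only supplies a default reads better as default-then-override: `sshCfg.KeyExchanges = supportedKeyExchanges` placed before `if len(s.cfg.Server.KexAlgorithms) > 0 { sshCfg.KeyExchanges = s.cfg.Server.KexAlgorithms }`. The package-level slice is assigned directly rather than copied, which is fine as long as nothing downstream appends to or sorts `sshCfg.KeyExchanges`. `get` starts and ends outside this hunk.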
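Review bot: Both new assertions compare `sshServerConfig.KeyExchanges` against the very variable that populated it, so the test no longer pins the actual algorithm set: if `diffie-hellman-group14-sha1` is re-added to `supportedKeyExchanges`, this test still passes, whereas an explicit literal like the one this hunk removes would fail. I would keep one content assertion next to the first new `require.Equal`, e.g. `require.NotContains(t, sshServerConfig.KeyExchanges, "diffie-hellman-group14-sha1")`, or compare against an inline list the way the `defaultCiphers` check below still does. The second `require.Equal` after `SetDefaults()` is still useful, as it shows the library does not replace an explicitly set list. `TestDefaultAlgorithms` continues past the end of the hunk.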