author | Stan Hu <stanhu@gmail.com> | 2022-05-20 09:49:58 -0700 |
---|---|---|
committer | Stan Hu <stanhu@gmail.com> | 2022-05-20 09:49:58 -0700 |
commit | 639e2ee38e409a5f14cfb511b253c839b49ecd62 (patch) | |
tree | 432776adecea5bf49c99df540603fab5f11865dc | |
parent | 216446d817f9446d31d384369ad0343424106363 (diff) | |
download | gitlab-shell-sh-drop-diffie-hellman-group14-sha1.tar.gz |
Drop diffie-hellman-group14-sha1 kex by defaultsh-drop-diffie-hellman-group14-sha1
OpenSSH doesn't offer this key exchange algorithm, and ssh-audit
considers it weak, so let's drop it by default.
Changelog: changed
-rw-r--r-- | config.yml.example | 2 | ||||
-rw-r--r-- | internal/sshd/server_config.go | 11 | ||||
-rw-r--r-- | internal/sshd/server_config_test.go | 3 |
3 files changed, 13 insertions, 3 deletions
diff --git a/config.yml.example b/config.yml.example
index 0e75d75..1fdb6f9 100644
--- a/config.yml.example
+++ b/config.yml.example
@@ -89,7 +89,7 @@ sshd:
 # Specifies the available message authentication code algorithms that are used for protecting data integrity
 macs: [hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1]
 # Specifies the available Key Exchange algorithms
- kex_algorithms: [curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1]
+ kex_algorithms: [curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256]
 # Specified the ciphers allowed
 ciphers: [aes128-gcm@openssh.com, chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-ctr, aes192-ctr,aes256-ctr]
 # SSH host key files.
diff --git a/internal/sshd/server_config.go b/internal/sshd/server_config.go
index 9727023..b2bccf2 100644
--- a/internal/sshd/server_config.go
+++ b/internal/sshd/server_config.go
@@ -24,6 +24,15 @@ var supportedMACs = []string{
 "hmac-sha1",
 }
+var supportedKeyExchanges = []string{
+ "curve25519-sha256",
+ "curve25519-sha256@libssh.org",
+ "ecdh-sha2-nistp256",
+ "ecdh-sha2-nistp384",
+ "ecdh-sha2-nistp521",
+ "diffie-hellman-group14-sha256",
+}
+
 type serverConfig struct {
 cfg *config.Config
 hostKeys []ssh.Signer
@@ -102,6 +111,8 @@ func (s *serverConfig) get(ctx context.Context) *ssh.ServerConfig {
 if len(s.cfg.Server.KexAlgorithms) > 0 {
 sshCfg.KeyExchanges = s.cfg.Server.KexAlgorithms
+ } else {
+ sshCfg.KeyExchanges = supportedKeyExchanges
 }
 if len(s.cfg.Server.Ciphers) > 0 {
diff --git a/internal/sshd/server_config_test.go b/internal/sshd/server_config_test.go
index 296a417..027c4bb 100644
--- a/internal/sshd/server_config_test.go
+++ b/internal/sshd/server_config_test.go
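Review bot: The new `supportedKeyExchanges` variable in the `@@ -24,6 +24,15 @@` hunk has no comment saying when it applies or why the list is shorter than the one the test previously expected from `SetDefaults()`. A maintainer comparing it with the library's defaults cannot tell that the omission is deliberate. I would add `// supportedKeyExchanges is the key exchange list used when kex_algorithms is not configured; diffie-hellman-group14-sha1 is intentionally left out as weak.` above the declaration.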
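Review bot: An explicitly configured `kex_algorithms` list still takes the first branch in the `@@ -102,6 +111,8 @@` hunk and is assigned to `sshCfg.KeyExchanges` exactly as given, so only installations that leave the setting unset pick up the new default. The previous config.yml.example listed diffie-hellman-group14-sha1, so a config.yml copied from it will keep offering that algorithm after this change. I would record that next to the branch, e.g. `// An operator-supplied kex_algorithms list is used as-is and may still include diffie-hellman-group14-sha1.`, and mention it in the changelog entry so operators know to edit their own file. The body of `get` starts and ends outside the hunk, so any validation of the configured list elsewhere is not visible here.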
@@ -85,7 +85,7 @@ func TestDefaultAlgorithms(t *testing.T) {
 sshServerConfig := srvCfg.get(context.Background())
 require.Equal(t, supportedMACs, sshServerConfig.MACs)
- require.Nil(t, sshServerConfig.KeyExchanges)
+ require.Equal(t, supportedKeyExchanges, sshServerConfig.KeyExchanges)
 require.Nil(t, sshServerConfig.Ciphers)
 sshServerConfig.SetDefaults()
@@ -99,7 +99,6 @@ func TestDefaultAlgorithms(t *testing.T) {
 "ecdh-sha2-nistp384",
 "ecdh-sha2-nistp521",
 "diffie-hellman-group14-sha256",
- "diffie-hellman-group14-sha1",
 }
 require.Equal(t, defaultKeyExchanges, sshServerConfig.KeyExchanges) |
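Review bot: Neither assertion in TestDefaultAlgorithms states the security intent of the change. The first compares against `supportedKeyExchanges` itself and the second against a hand-maintained `defaultKeyExchanges` literal, so the test would still pass if the SHA-1 key exchange were later re-added to both lists. After the `SetDefaults()` call I would add `require.NotContains(t, sshServerConfig.KeyExchanges, "diffie-hellman-group14-sha1")` so the default cannot regress silently. The test function starts and ends outside these hunks, so an equivalent check may already exist out of view.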