Add reviewer suggestions

51fb61ba · Javiera Tapia · 444c4ae0 · 51fb61ba · 51fb61ba · 51fb61ba
Commit 51fb61ba authored 10 months ago by Javiera Tapia
--- a/config.yml.example
+++ b/config.yml.example
@@ -98,8 +98,8 @@ sshd:
  kex_algorithms: [curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1]
  # Specified the ciphers allowed
  ciphers: [aes128-gcm@openssh.com, chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-ctr, aes192-ctr,aes256-ctr]
-  # Specified the available Host Key algorithms
-  host_key_algorithms: [ssh-rsa, ssh-dss, ecdsa-sha2-nistp256, sk-ecdsa-sha2-nistp256@openssh.com, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, ssh-ed25519, sk-ssh-ed25519@openssh.com, rsa-sha2-256, rsa-sha2-512]
+  # Specified the available Public Key algorithms
+  public_key_algorithms: [ssh-rsa, ssh-dss, ecdsa-sha2-nistp256, sk-ecdsa-sha2-nistp256@openssh.com, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, ssh-ed25519, sk-ssh-ed25519@openssh.com, rsa-sha2-256, rsa-sha2-512]
  # SSH host key files.
  host_key_files:
    - /run/secrets/ssh-hostkeys/ssh_host_rsa_key

--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -47,7 +47,7 @@ type ServerConfig struct {
 	HostCertFiles           []string     `yaml:"host_cert_files,omitempty"`
 	MACs                    []string     `yaml:"macs"`
 	KexAlgorithms           []string     `yaml:"kex_algorithms"`
-	HostKeyAlgorithms       []string     `yaml:"host_key_algorithms"`
+	PublicKeyAlgorithms     []string     `yaml:"public_key_algorithms"`
 	Ciphers                 []string     `yaml:"ciphers"`
 	GSSAPI                  GSSAPIConfig `yaml:"gssapi,omitempty"`
 }

--- a/internal/sshd/server_config.go
+++ b/internal/sshd/server_config.go
@@ -36,19 +36,6 @@ var (
 		"diffie-hellman-group14-sha256",
 		"diffie-hellman-group14-sha1",
 	}
-
-	supportedHostKeyAlgorithms = []string{
-		"ssh-rsa",
-		"ssh-dss",
-		"ecdsa-sha2-nistp256",
-		"sk-ecdsa-sha2-nistp256@openssh.com",
-		"ecdsa-sha2-nistp384",
-		"ecdsa-sha2-nistp521",
-		"ssh-ed25519",
-		"sk-ssh-ed25519@openssh.com",
-		"rsa-sha2-256",
-		"rsa-sha2-512",
-	}
 )

 type serverConfig struct {
@@ -279,10 +266,8 @@ func (s *serverConfig) get(ctx context.Context) *ssh.ServerConfig {
 		sshCfg.Ciphers = s.cfg.Server.Ciphers
 	}

-	if len(s.cfg.Server.HostKeyAlgorithms) > 0 {
-		sshCfg.PublicKeyAuthAlgorithms = s.cfg.Server.HostKeyAlgorithms
-	} else {
-		sshCfg.PublicKeyAuthAlgorithms = supportedHostKeyAlgorithms
+	if len(s.cfg.Server.PublicKeyAlgorithms) > 0 {
+		sshCfg.PublicKeyAuthAlgorithms = s.cfg.Server.PublicKeyAlgorithms
 	}

 	for _, key := range s.hostKeys {

--- a/internal/sshd/server_config_test.go
+++ b/internal/sshd/server_config_test.go
@@ -251,7 +251,6 @@ func TestDefaultAlgorithms(t *testing.T) {

 	require.Equal(t, supportedMACs, sshServerConfig.MACs)
 	require.Equal(t, supportedKeyExchanges, sshServerConfig.KeyExchanges)
-	require.Equal(t, supportedHostKeyAlgorithms, sshServerConfig.PublicKeyAuthAlgorithms)
 	require.Nil(t, sshServerConfig.Ciphers)

 	sshServerConfig.SetDefaults()
@@ -275,15 +274,15 @@ func TestCustomAlgorithms(t *testing.T) {
 	customMACs := []string{"hmac-sha2-512-etm@openssh.com"}
 	customKexAlgos := []string{"curve25519-sha256"}
 	customCiphers := []string{"aes256-gcm@openssh.com"}
-	customHostAlgos := []string{"rsa-sha2-256"}
+	customPublicKeyAlgorithms := []string{"rsa-sha2-256"}

 	srvCfg := &serverConfig{
 		cfg: &config.Config{
 			Server: config.ServerConfig{
-				MACs:              customMACs,
-				KexAlgorithms:     customKexAlgos,
-				Ciphers:           customCiphers,
-				HostKeyAlgorithms: customHostAlgos,
+				MACs:                customMACs,
+				KexAlgorithms:       customKexAlgos,
+				Ciphers:             customCiphers,
+				PublicKeyAlgorithms: customPublicKeyAlgorithms,
 			},
 		},
 	}
@@ -292,7 +291,7 @@ func TestCustomAlgorithms(t *testing.T) {
 	require.Equal(t, customMACs, sshServerConfig.MACs)
 	require.Equal(t, customKexAlgos, sshServerConfig.KeyExchanges)
 	require.Equal(t, customCiphers, sshServerConfig.Ciphers)
-	require.Equal(t, customHostAlgos, sshServerConfig.PublicKeyAuthAlgorithms)
+	require.Equal(t, customPublicKeyAlgorithms, sshServerConfig.PublicKeyAuthAlgorithms)

 	sshServerConfig.SetDefaults()


--- a/internal/sshd/sshd.go
+++ b/internal/sshd/sshd.go
@@ -110,7 +110,15 @@ func (s *Server) listen(ctx context.Context) error {
 		log.ContextLogger(ctx).Info("Proxy protocol is enabled")
 	}

-	log.WithContextFields(ctx, log.Fields{"tcp_address": sshListener.Addr().String()}).Info("Listening for SSH connections")
+	fields := log.Fields{
+		"tcp_address": sshListener.Addr().String(),
+	}
+
+	if len(s.serverConfig.cfg.Server.PublicKeyAlgorithms) > 0 {
+		fields["supported_public_key_algorithms"] = s.serverConfig.cfg.Server.PublicKeyAlgorithms
+	}
+
+	log.WithContextFields(ctx, fields).Info("Listening for SSH connections")

 	s.listener = sshListener