Commit 6a76b027 authored by Igor Drozdov's avatar Igor Drozdov

Narrow supported kex algorithms

We don't currently support diffie-hellman-group14-sha1 via OpenSSH.
Let's avoid introducing it in gitlab-sshd because it uses
a weak hashing algorithm.
parent 216446d8
@@ -89,7 +89,7 @@ sshd:
# Specifies the available message authentication code algorithms that are used for protecting data integrity
macs: [hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1]
# Specifies the available Key Exchange algorithms
kex_algorithms: [curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1]
kex_algorithms: [curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256]
# Specified the ciphers allowed
ciphers: [aes128-gcm@openssh.com, chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-ctr, aes192-ctr,aes256-ctr]
# SSH host key files.
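Review bot: `hmac-sha1` is still listed in the example `macs` line directly above the narrowed `kex_algorithms`, so the example keeps one SHA-1-based algorithm while dropping the other. HMAC-SHA1 is not exposed to SHA-1 collision weaknesses the way a bare hash is, so this may be deliberate for client compatibility, but the file does not say so. A comment above `macs:` such as `# hmac-sha1 is kept for older clients; remove it if every client supports hmac-sha2-*` would make the intent explicit for operators copying this example.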
@@ -16,13 +16,24 @@ import (
"gitlab.com/gitlab-org/labkit/log"
)
var supportedMACs = []string{
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com",
"hmac-sha2-256",
"hmac-sha2-512",
"hmac-sha1",
}
var (
supportedMACs = []string{
"hmac-sha2-256-etm@openssh.com",
"hmac-sha2-512-etm@openssh.com",
"hmac-sha2-256",
"hmac-sha2-512",
"hmac-sha1",
}
supportedKeyExchanges = []string{
"curve25519-sha256",
"curve25519-sha256@libssh.org",
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"diffie-hellman-group14-sha256",
}
)
type serverConfig struct {
cfg *config.Config
@@ -102,6 +113,8 @@ func (s *serverConfig) get(ctx context.Context) *ssh.ServerConfig {
if len(s.cfg.Server.KexAlgorithms) > 0 {
sshCfg.KeyExchanges = s.cfg.Server.KexAlgorithms
} else {
sshCfg.KeyExchanges = supportedKeyExchanges
}
if len(s.cfg.Server.Ciphers) > 0 {
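Review bot: The `len(s.cfg.Server.KexAlgorithms) > 0` branch still assigns the operator-supplied list unchanged, so a deployment whose config already lists `diffie-hellman-group14-sha1` (as the previous example config did) keeps offering it after this change. Only the fallback path is narrowed by `supportedKeyExchanges`. Consider logging a warning when a configured algorithm is not in `supportedKeyExchanges`. At minimum, add a doc comment on the variable, e.g. `// supportedKeyExchanges is the default KEX list; diffie-hellman-group14-sha1 is omitted because it relies on SHA-1.` The body of `get` starts and ends outside the hunk.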
@@ -85,23 +85,13 @@ func TestDefaultAlgorithms(t *testing.T) {
sshServerConfig := srvCfg.get(context.Background())
require.Equal(t, supportedMACs, sshServerConfig.MACs)
require.Nil(t, sshServerConfig.KeyExchanges)
require.Equal(t, supportedKeyExchanges, sshServerConfig.KeyExchanges)
require.Nil(t, sshServerConfig.Ciphers)
sshServerConfig.SetDefaults()
require.Equal(t, supportedMACs, sshServerConfig.MACs)
defaultKeyExchanges := []string{
"curve25519-sha256",
"curve25519-sha256@libssh.org",
"ecdh-sha2-nistp256",
"ecdh-sha2-nistp384",
"ecdh-sha2-nistp521",
"diffie-hellman-group14-sha256",
"diffie-hellman-group14-sha1",
}
require.Equal(t, defaultKeyExchanges, sshServerConfig.KeyExchanges)
require.Equal(t, supportedKeyExchanges, sshServerConfig.KeyExchanges)
defaultCiphers := []string{
"aes128-gcm@openssh.com",
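Review bot: Both `KeyExchanges` assertions now compare against `supportedKeyExchanges`, the same package variable that `get` assigns, so the test no longer pins the list's contents. Re-adding a weak algorithm to that variable would still pass. An explicit negative check after `SetDefaults()`, e.g. `require.NotContains(t, sshServerConfig.KeyExchanges, "diffie-hellman-group14-sha1")`, would keep the commit's intent under test. `TestDefaultAlgorithms` starts and continues outside the lines shown.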