Allow configuring SSH server algorithms

MACs, Ciphers and KEX algorithms now can be configured If the values are empty, reasonable defaults are used

Allow configuring SSH server algorithms
76916bfc · Igor Drozdov · 483ff50f · 76916bfc · 76916bfc · 76916bfc
Commit 76916bfc authored 2 years ago by Igor Drozdov
--- a/config.yml.example
+++ b/config.yml.example
@@ -84,6 +84,12 @@ sshd:
  readiness_probe: "/start"
  # The endpoint that returns 200 OK if the server is alive. Defaults to "/health".
  liveness_probe: "/health"
+  # Specifies the available message authentication code algorithms that are used for protecting data integrity
+  macs: [hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1]
+  # Specifies the available Key Exchange algorithms
+  kex_algorithms: [curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1]
+  # Specified the ciphers allowed
+  ciphers: [aes128-gcm@openssh.com, chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-ctr, aes192-ctr,aes256-ctr]
  # SSH host key files.
  host_key_files:
    - /run/secrets/ssh-hostkeys/ssh_host_rsa_key

--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -32,6 +32,9 @@ type ServerConfig struct {
 	ReadinessProbe             string   `yaml:"readiness_probe"`
 	LivenessProbe              string   `yaml:"liveness_probe"`
 	HostKeyFiles               []string `yaml:"host_key_files,omitempty"`
+	MACs                       []string `yaml:"macs"`
+	KexAlgorithms              []string `yaml:"kex_algorithms"`
+	Ciphers                    []string `yaml:"ciphers"`
 }

 type HttpSettingsConfig struct {

--- a/internal/sshd/server_config.go
+++ b/internal/sshd/server_config.go
@@ -16,6 +16,14 @@ import (
 	"gitlab.com/gitlab-org/labkit/log"
 )

+var supportedMACs = []string{
+	"hmac-sha2-256-etm@openssh.com",
+	"hmac-sha2-512-etm@openssh.com",
+	"hmac-sha2-256",
+	"hmac-sha2-512",
+	"hmac-sha1",
+}
+
 type serverConfig struct {
 	cfg                  *config.Config
 	hostKeys             []ssh.Signer
@@ -86,6 +94,20 @@ func (s *serverConfig) get(ctx context.Context) *ssh.ServerConfig {
 		},
 	}

+	if len(s.cfg.Server.MACs) > 0 {
+		sshCfg.MACs = s.cfg.Server.MACs
+	} else {
+		sshCfg.MACs = supportedMACs
+	}
+
+	if len(s.cfg.Server.KexAlgorithms) > 0 {
+		sshCfg.KeyExchanges = s.cfg.Server.KexAlgorithms
+	}
+
+	if len(s.cfg.Server.Ciphers) > 0 {
+		sshCfg.Ciphers = s.cfg.Server.Ciphers
+	}
+
 	for _, key := range s.hostKeys {
 		sshCfg.AddHostKey(key)
 	}

--- a/internal/sshd/server_config_test.go
+++ b/internal/sshd/server_config_test.go
@@ -80,6 +80,67 @@ func TestFailedGetAuthKey(t *testing.T) {
 	}
 }

+func TestDefaultAlgorithms(t *testing.T) {
+	srvCfg := &serverConfig{cfg: &config.Config{}}
+	sshServerConfig := srvCfg.get(context.Background())
+
+	require.Equal(t, supportedMACs, sshServerConfig.MACs)
+	require.Nil(t, sshServerConfig.KeyExchanges)
+	require.Nil(t, sshServerConfig.Ciphers)
+
+	sshServerConfig.SetDefaults()
+
+	require.Equal(t, supportedMACs, sshServerConfig.MACs)
+
+	defaultKeyExchanges := []string{
+		"curve25519-sha256",
+		"curve25519-sha256@libssh.org",
+		"ecdh-sha2-nistp256",
+		"ecdh-sha2-nistp384",
+		"ecdh-sha2-nistp521",
+		"diffie-hellman-group14-sha256",
+		"diffie-hellman-group14-sha1",
+	}
+	require.Equal(t, defaultKeyExchanges, sshServerConfig.KeyExchanges)
+
+	defaultCiphers := []string{
+		"aes128-gcm@openssh.com",
+		"chacha20-poly1305@openssh.com",
+		"aes256-gcm@openssh.com",
+		"aes128-ctr",
+		"aes192-ctr",
+		"aes256-ctr",
+	}
+	require.Equal(t, defaultCiphers, sshServerConfig.Ciphers)
+}
+
+func TestCustomAlgorithms(t *testing.T) {
+	customMACs := []string{"hmac-sha2-512-etm@openssh.com"}
+	customKexAlgos := []string{"curve25519-sha256"}
+	customCiphers := []string{"aes256-gcm@openssh.com"}
+
+	srvCfg := &serverConfig{
+		cfg: &config.Config{
+			Server: config.ServerConfig{
+				MACs:          customMACs,
+				KexAlgorithms: customKexAlgos,
+				Ciphers:       customCiphers,
+			},
+		},
+	}
+	sshServerConfig := srvCfg.get(context.Background())
+
+	require.Equal(t, customMACs, sshServerConfig.MACs)
+	require.Equal(t, customKexAlgos, sshServerConfig.KeyExchanges)
+	require.Equal(t, customCiphers, sshServerConfig.Ciphers)
+
+	sshServerConfig.SetDefaults()
+
+	require.Equal(t, customMACs, sshServerConfig.MACs)
+	require.Equal(t, customKexAlgos, sshServerConfig.KeyExchanges)
+	require.Equal(t, customCiphers, sshServerConfig.Ciphers)
+}
+
 func rsaPublicKey(t *testing.T) ssh.PublicKey {
 	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
 	require.NoError(t, err)