Merge branch '701-sshd-limit-server_host_key_algorithms-e-g-exclude-ssh-rsa' into 'main'

sshd: limit server_host_key_algorithms in server config

See merge request https://gitlab.com/gitlab-org/gitlab-shell/-/merge_requests/986



Merged-by: Ash McKenzie <amckenzie@gitlab.com>
Approved-by: Ash McKenzie <amckenzie@gitlab.com>
Reviewed-by: Ash McKenzie <amckenzie@gitlab.com>
Co-authored-by: Javiera Tapia <jtapia@gitlab.com>

config.yml.example

@@ -98,6 +98,8 @@ sshd:
   kex_algorithms: [curve25519-sha256, curve25519-sha256@libssh.org, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1]
   # Specified the ciphers allowed
   ciphers: [aes128-gcm@openssh.com, chacha20-poly1305@openssh.com, aes256-gcm@openssh.com, aes128-ctr, aes192-ctr,aes256-ctr]
+  # Specified the available Public Key algorithms
+  public_key_algorithms: [ssh-rsa, ssh-dss, ecdsa-sha2-nistp256, sk-ecdsa-sha2-nistp256@openssh.com, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, ssh-ed25519, sk-ssh-ed25519@openssh.com, rsa-sha2-256, rsa-sha2-512]
   # SSH host key files.
   host_key_files:
     - /run/secrets/ssh-hostkeys/ssh_host_rsa_key

internal/config/config.go

@@ -47,6 +47,7 @@ type ServerConfig struct {
 	HostCertFiles           []string     `yaml:"host_cert_files,omitempty"`
 	MACs                    []string     `yaml:"macs"`
 	KexAlgorithms           []string     `yaml:"kex_algorithms"`
+	PublicKeyAlgorithms     []string     `yaml:"public_key_algorithms"`
 	Ciphers                 []string     `yaml:"ciphers"`
 	GSSAPI                  GSSAPIConfig `yaml:"gssapi,omitempty"`
 }

internal/sshd/server_config.go

@@ -266,6 +266,10 @@ func (s *serverConfig) get(ctx context.Context) *ssh.ServerConfig {
 		sshCfg.Ciphers = s.cfg.Server.Ciphers
 	}
 
+	if len(s.cfg.Server.PublicKeyAlgorithms) > 0 {
+		sshCfg.PublicKeyAuthAlgorithms = s.cfg.Server.PublicKeyAlgorithms
+	}
+
 	for _, key := range s.hostKeys {
 		sshCfg.AddHostKey(key)
 	}

internal/sshd/server_config_test.go

@@ -266,6 +266,7 @@ func TestDefaultAlgorithms(t *testing.T) {
 		"aes192-ctr",
 		"aes256-ctr",
 	}
+
 	require.Equal(t, sshServerConfig.Ciphers, defaultCiphers)
 }
 
@@ -273,13 +274,15 @@ func TestCustomAlgorithms(t *testing.T) {
 	customMACs := []string{"hmac-sha2-512-etm@openssh.com"}
 	customKexAlgos := []string{"curve25519-sha256"}
 	customCiphers := []string{"aes256-gcm@openssh.com"}
+	customPublicKeyAlgorithms := []string{"rsa-sha2-256"}
 
 	srvCfg := &serverConfig{
 		cfg: &config.Config{
 			Server: config.ServerConfig{
-				MACs:          customMACs,
-				KexAlgorithms: customKexAlgos,
-				Ciphers:       customCiphers,
+				MACs:                customMACs,
+				KexAlgorithms:       customKexAlgos,
+				Ciphers:             customCiphers,
+				PublicKeyAlgorithms: customPublicKeyAlgorithms,
 			},
 		},
 	}
@@ -288,6 +291,7 @@ func TestCustomAlgorithms(t *testing.T) {
 	require.Equal(t, customMACs, sshServerConfig.MACs)
 	require.Equal(t, customKexAlgos, sshServerConfig.KeyExchanges)
 	require.Equal(t, customCiphers, sshServerConfig.Ciphers)
+	require.Equal(t, customPublicKeyAlgorithms, sshServerConfig.PublicKeyAuthAlgorithms)
 
 	sshServerConfig.SetDefaults()
 

internal/sshd/sshd.go

@@ -110,7 +110,15 @@ func (s *Server) listen(ctx context.Context) error {
 		log.ContextLogger(ctx).Info("Proxy protocol is enabled")
 	}
 
-	log.WithContextFields(ctx, log.Fields{"tcp_address": sshListener.Addr().String()}).Info("Listening for SSH connections")
+	fields := log.Fields{
+		"tcp_address": sshListener.Addr().String(),
+	}
+
+	if len(s.serverConfig.cfg.Server.PublicKeyAlgorithms) > 0 {
+		fields["supported_public_key_algorithms"] = s.serverConfig.cfg.Server.PublicKeyAlgorithms
+	}
+
+	log.WithContextFields(ctx, fields).Info("Listening for SSH connections")
 
 	s.listener = sshListener