Configurable SSH cipher suite (#913)
* Configurable SSH cipher suite * Update configuration file comment * Add default in settings loading code * Fix fmt and log messsage * Remove default from code as this could probably might not be good idea
This commit is contained in:
		
							parent
							
								
									985a39590b
								
							
						
					
					
						commit
						7131c7d40d
					
				
							
								
								
									
										3
									
								
								conf/app.ini
									
									
									
									
										vendored
									
									
								
							
							
						
						
									
										3
									
								
								conf/app.ini
									
									
									
									
										vendored
									
									
								
							| @ -125,6 +125,9 @@ SSH_PORT = 22 | |||||||
| SSH_LISTEN_PORT = %(SSH_PORT)s | SSH_LISTEN_PORT = %(SSH_PORT)s | ||||||
| ; Root path of SSH directory, default is '~/.ssh', but you have to use '/home/git/.ssh'. | ; Root path of SSH directory, default is '~/.ssh', but you have to use '/home/git/.ssh'. | ||||||
| SSH_ROOT_PATH = | SSH_ROOT_PATH = | ||||||
|  | ; For built-in SSH server only, choose the ciphers to support for SSH connections, | ||||||
|  | ; for system SSH this setting has no effect | ||||||
|  | SSH_SERVER_CIPHERS = aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, arcfour256, arcfour128 | ||||||
| ; Directory to create temporary files when test public key using ssh-keygen, | ; Directory to create temporary files when test public key using ssh-keygen, | ||||||
| ; default is system temporary directory. | ; default is system temporary directory. | ||||||
| SSH_KEY_TEST_PATH = | SSH_KEY_TEST_PATH = | ||||||
|  | |||||||
| @ -96,6 +96,7 @@ var ( | |||||||
| 		ListenHost           string         `ini:"SSH_LISTEN_HOST"` | 		ListenHost           string         `ini:"SSH_LISTEN_HOST"` | ||||||
| 		ListenPort           int            `ini:"SSH_LISTEN_PORT"` | 		ListenPort           int            `ini:"SSH_LISTEN_PORT"` | ||||||
| 		RootPath             string         `ini:"SSH_ROOT_PATH"` | 		RootPath             string         `ini:"SSH_ROOT_PATH"` | ||||||
|  | 		ServerCiphers        []string       `ini:"SSH_SERVER_CIPHERS"` | ||||||
| 		KeyTestPath          string         `ini:"SSH_KEY_TEST_PATH"` | 		KeyTestPath          string         `ini:"SSH_KEY_TEST_PATH"` | ||||||
| 		KeygenPath           string         `ini:"SSH_KEYGEN_PATH"` | 		KeygenPath           string         `ini:"SSH_KEYGEN_PATH"` | ||||||
| 		AuthorizedKeysBackup bool           `ini:"SSH_AUTHORIZED_KEYS_BACKUP"` | 		AuthorizedKeysBackup bool           `ini:"SSH_AUTHORIZED_KEYS_BACKUP"` | ||||||
| @ -708,6 +709,7 @@ func NewContext() { | |||||||
| 		SSH.Domain = Domain | 		SSH.Domain = Domain | ||||||
| 	} | 	} | ||||||
| 	SSH.RootPath = path.Join(homeDir, ".ssh") | 	SSH.RootPath = path.Join(homeDir, ".ssh") | ||||||
|  | 	SSH.ServerCiphers = sec.Key("SSH_SERVER_CIPHERS").Strings(",") | ||||||
| 	SSH.KeyTestPath = os.TempDir() | 	SSH.KeyTestPath = os.TempDir() | ||||||
| 	if err = Cfg.Section("server").MapTo(&SSH); err != nil { | 	if err = Cfg.Section("server").MapTo(&SSH); err != nil { | ||||||
| 		log.Fatal(4, "Failed to map SSH settings: %v", err) | 		log.Fatal(4, "Failed to map SSH settings: %v", err) | ||||||
|  | |||||||
| @ -151,8 +151,11 @@ func listen(config *ssh.ServerConfig, host string, port int) { | |||||||
| } | } | ||||||
| 
 | 
 | ||||||
| // Listen starts a SSH server listens on given port.
 | // Listen starts a SSH server listens on given port.
 | ||||||
| func Listen(host string, port int) { | func Listen(host string, port int, ciphers []string) { | ||||||
| 	config := &ssh.ServerConfig{ | 	config := &ssh.ServerConfig{ | ||||||
|  | 		Config: ssh.Config{ | ||||||
|  | 			Ciphers: ciphers, | ||||||
|  | 		}, | ||||||
| 		PublicKeyCallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) { | 		PublicKeyCallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) { | ||||||
| 			pkey, err := models.SearchPublicKeyByContent(strings.TrimSpace(string(ssh.MarshalAuthorizedKey(key)))) | 			pkey, err := models.SearchPublicKeyByContent(strings.TrimSpace(string(ssh.MarshalAuthorizedKey(key)))) | ||||||
| 			if err != nil { | 			if err != nil { | ||||||
|  | |||||||
| @ -77,7 +77,7 @@ func GlobalInit() { | |||||||
| 	checkRunMode() | 	checkRunMode() | ||||||
| 
 | 
 | ||||||
| 	if setting.InstallLock && setting.SSH.StartBuiltinServer { | 	if setting.InstallLock && setting.SSH.StartBuiltinServer { | ||||||
| 		ssh.Listen(setting.SSH.ListenHost, setting.SSH.ListenPort) | 		ssh.Listen(setting.SSH.ListenHost, setting.SSH.ListenPort, setting.SSH.ServerCiphers) | ||||||
| 		log.Info("SSH server started on %s:%v", setting.SSH.ListenHost, setting.SSH.ListenPort) | 		log.Info("SSH server started on %s:%d. Cipher list (%v)", setting.SSH.ListenHost, setting.SSH.ListenPort, setting.SSH.ServerCiphers) | ||||||
| 	} | 	} | ||||||
| } | } | ||||||
|  | |||||||
		Loading…
	
		Reference in New Issue
	
	Block a user