From 29722af1ae51333a7da742b5e02a5e7fe5983aab Mon Sep 17 00:00:00 2001 From: spacetourist Date: Fri, 10 Feb 2017 19:04:43 +0000 Subject: [PATCH] Configurable SSH cipher suite (#4109) * Configurable SSH cipher suite * Maintain ordering --- conf/app.ini | 2 ++ modules/setting/setting.go | 2 ++ modules/ssh/ssh.go | 5 ++++- routers/install.go | 4 ++-- 4 files changed, 10 insertions(+), 3 deletions(-) diff --git a/conf/app.ini b/conf/app.ini index 48e483dc6..6e4e7a08e 100644 --- a/conf/app.ini +++ b/conf/app.ini @@ -116,6 +116,8 @@ SSH_LISTEN_HOST = 0.0.0.0 SSH_LISTEN_PORT = %(SSH_PORT)s ; Root path of SSH directory, default is '~/.ssh', but you have to use '/home/git/.ssh'. SSH_ROOT_PATH = +; Choose the ciphers to support for SSH connections +SSH_SERVER_CIPHERS = aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, arcfour256, arcfour128 ; Directory to create temporary files when test publick key using ssh-keygen, ; default is system temporary directory. SSH_KEY_TEST_PATH = diff --git a/modules/setting/setting.go b/modules/setting/setting.go index b5c6d9c9c..4db8dbff3 100644 --- a/modules/setting/setting.go +++ b/modules/setting/setting.go @@ -85,6 +85,7 @@ var ( ListenHost string `ini:"SSH_LISTEN_HOST"` ListenPort int `ini:"SSH_LISTEN_PORT"` RootPath string `ini:"SSH_ROOT_PATH"` + ServerCiphers []string `ini:"SSH_SERVER_CIPHERS"` KeyTestPath string `ini:"SSH_KEY_TEST_PATH"` KeygenPath string `ini:"SSH_KEYGEN_PATH"` MinimumKeySizeCheck bool `ini:"-"` @@ -425,6 +426,7 @@ func NewContext() { } SSH.RootPath = path.Join(homeDir, ".ssh") + SSH.ServerCiphers = sec.Key("SSH_SERVER_CIPHERS").Strings(",") SSH.KeyTestPath = os.TempDir() if err = Cfg.Section("server").MapTo(&SSH); err != nil { log.Fatal(4, "Fail to map SSH settings: %v", err) diff --git a/modules/ssh/ssh.go b/modules/ssh/ssh.go index 025d4b57c..bdb584696 100644 --- a/modules/ssh/ssh.go +++ b/modules/ssh/ssh.go @@ -148,8 +148,11 @@ func listen(config *ssh.ServerConfig, host string, port int) { } // Listen starts a SSH server listens on given port. -func Listen(host string, port int) { +func Listen(host string, port int, ciphers []string) { config := &ssh.ServerConfig{ + Config: ssh.Config{ + Ciphers: ciphers, + }, PublicKeyCallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) { pkey, err := models.SearchPublicKeyByContent(strings.TrimSpace(string(ssh.MarshalAuthorizedKey(key)))) if err != nil { diff --git a/routers/install.go b/routers/install.go index 742c33a04..a44ae8eba 100644 --- a/routers/install.go +++ b/routers/install.go @@ -86,8 +86,8 @@ func GlobalInit() { checkRunMode() if setting.InstallLock && setting.SSH.StartBuiltinServer { - ssh.Listen(setting.SSH.ListenHost, setting.SSH.ListenPort) - log.Info("SSH server started on %s:%v", setting.SSH.ListenHost, setting.SSH.ListenPort) + ssh.Listen(setting.SSH.ListenHost, setting.SSH.ListenPort, setting.SSH.ServerCiphers) + log.Info("SSH server started on %s:%v. Cipher list (%v)", setting.SSH.ListenHost, setting.SSH.ListenPort, setting.SSH.ServerCiphers) } }