forked from gitea/gitea
1
0
Fork 0

Configurable SSH cipher suite (#913)

* Configurable SSH cipher suite

* Update configuration file comment

* Add default in settings loading code

* Fix fmt and log messsage

* Remove default from code as this could probably might not be good idea
This commit is contained in:
spacetourist 2017-10-21 14:13:41 +01:00 committed by Lauris BH
parent 985a39590b
commit 7131c7d40d
4 changed files with 11 additions and 3 deletions

3
conf/app.ini vendored
View File

@ -125,6 +125,9 @@ SSH_PORT = 22
SSH_LISTEN_PORT = %(SSH_PORT)s SSH_LISTEN_PORT = %(SSH_PORT)s
; Root path of SSH directory, default is '~/.ssh', but you have to use '/home/git/.ssh'. ; Root path of SSH directory, default is '~/.ssh', but you have to use '/home/git/.ssh'.
SSH_ROOT_PATH = SSH_ROOT_PATH =
; For built-in SSH server only, choose the ciphers to support for SSH connections,
; for system SSH this setting has no effect
SSH_SERVER_CIPHERS = aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, arcfour256, arcfour128
; Directory to create temporary files when test public key using ssh-keygen, ; Directory to create temporary files when test public key using ssh-keygen,
; default is system temporary directory. ; default is system temporary directory.
SSH_KEY_TEST_PATH = SSH_KEY_TEST_PATH =

View File

@ -96,6 +96,7 @@ var (
ListenHost string `ini:"SSH_LISTEN_HOST"` ListenHost string `ini:"SSH_LISTEN_HOST"`
ListenPort int `ini:"SSH_LISTEN_PORT"` ListenPort int `ini:"SSH_LISTEN_PORT"`
RootPath string `ini:"SSH_ROOT_PATH"` RootPath string `ini:"SSH_ROOT_PATH"`
ServerCiphers []string `ini:"SSH_SERVER_CIPHERS"`
KeyTestPath string `ini:"SSH_KEY_TEST_PATH"` KeyTestPath string `ini:"SSH_KEY_TEST_PATH"`
KeygenPath string `ini:"SSH_KEYGEN_PATH"` KeygenPath string `ini:"SSH_KEYGEN_PATH"`
AuthorizedKeysBackup bool `ini:"SSH_AUTHORIZED_KEYS_BACKUP"` AuthorizedKeysBackup bool `ini:"SSH_AUTHORIZED_KEYS_BACKUP"`
@ -708,6 +709,7 @@ func NewContext() {
SSH.Domain = Domain SSH.Domain = Domain
} }
SSH.RootPath = path.Join(homeDir, ".ssh") SSH.RootPath = path.Join(homeDir, ".ssh")
SSH.ServerCiphers = sec.Key("SSH_SERVER_CIPHERS").Strings(",")
SSH.KeyTestPath = os.TempDir() SSH.KeyTestPath = os.TempDir()
if err = Cfg.Section("server").MapTo(&SSH); err != nil { if err = Cfg.Section("server").MapTo(&SSH); err != nil {
log.Fatal(4, "Failed to map SSH settings: %v", err) log.Fatal(4, "Failed to map SSH settings: %v", err)

View File

@ -151,8 +151,11 @@ func listen(config *ssh.ServerConfig, host string, port int) {
} }
// Listen starts a SSH server listens on given port. // Listen starts a SSH server listens on given port.
func Listen(host string, port int) { func Listen(host string, port int, ciphers []string) {
config := &ssh.ServerConfig{ config := &ssh.ServerConfig{
Config: ssh.Config{
Ciphers: ciphers,
},
PublicKeyCallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) { PublicKeyCallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
pkey, err := models.SearchPublicKeyByContent(strings.TrimSpace(string(ssh.MarshalAuthorizedKey(key)))) pkey, err := models.SearchPublicKeyByContent(strings.TrimSpace(string(ssh.MarshalAuthorizedKey(key))))
if err != nil { if err != nil {

View File

@ -77,7 +77,7 @@ func GlobalInit() {
checkRunMode() checkRunMode()
if setting.InstallLock && setting.SSH.StartBuiltinServer { if setting.InstallLock && setting.SSH.StartBuiltinServer {
ssh.Listen(setting.SSH.ListenHost, setting.SSH.ListenPort) ssh.Listen(setting.SSH.ListenHost, setting.SSH.ListenPort, setting.SSH.ServerCiphers)
log.Info("SSH server started on %s:%v", setting.SSH.ListenHost, setting.SSH.ListenPort) log.Info("SSH server started on %s:%d. Cipher list (%v)", setting.SSH.ListenHost, setting.SSH.ListenPort, setting.SSH.ServerCiphers)
} }
} }