Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Internal ssh server respect Ciphers, MACs and KeyExchanges settings #14523

Merged
merged 2 commits into from
Jan 30, 2021

Conversation

root360-StefanHeitmueller
Copy link
Contributor

@root360-StefanHeitmueller root360-StefanHeitmueller commented Jan 29, 2021

Fix // TODO: Handle ciphers, keyExchanges, and macs for internal ssh server.
Fix #14518

Details see here (despite it was renamed).

Testconfig:

START_SSH_SERVER = true
SSH_SERVER_MACS  = [email protected], hmac-sha2-256
SSH_PORT                   = 2222

Before:

# nmap --script ssh2-enum-algos -sV -p 2222 gitea.example.com
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-29 17:46 CET
Nmap scan report for gitea.example.com (xxx.xxx.xxx.xxx)
Host is up (0.00055s latency).

PORT     STATE SERVICE VERSION
2222/tcp open  ssh     (protocol 2.0)
| fingerprint-strings: 
|   NULL: 
|_    SSH-2.0-Go
| ssh2-enum-algos: 
|   kex_algorithms: (5)
|       [email protected]
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (1)
|       ssh-rsa
|   encryption_algorithms: (5)
|       [email protected]
|       [email protected]
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|   mac_algorithms: (4)
|       [email protected]
|       hmac-sha2-256
|       hmac-sha1
|       hmac-sha1-96
|   compression_algorithms: (1)
|_      none

Afterwards:

# nmap --script ssh2-enum-algos -sV -p 2222 gitea.lan | sed 's,gitea\.lan,gitea.example.com,g'
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-29 17:47 CET
Nmap scan report for gitea.example.com (xxx.xxx.xxx.xxx)
Host is up (0.00052s latency).

PORT     STATE SERVICE VERSION
2222/tcp open  ssh     (protocol 2.0)
| fingerprint-strings: 
|   NULL: 
|_    SSH-2.0-Go
| ssh2-enum-algos: 
|   kex_algorithms: (6)
|       diffie-hellman-group1-sha1
|       diffie-hellman-group14-sha1
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       [email protected]
|   server_host_key_algorithms: (1)
|       ssh-rsa
|   encryption_algorithms: (6)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       [email protected]
|       arcfour256
|       arcfour128
|   mac_algorithms: (2)
|       [email protected]
|       hmac-sha2-256
|   compression_algorithms: (1)
|_      none

@6543 6543 added the type/bug label Jan 29, 2021
@6543 6543 added this to the 1.14.0 milestone Jan 29, 2021
@6543 6543 changed the title configure internal ssh server w/ macs and ciphers, refs #14518 Internal ssh server respect Ciphers, MACs and KeyExchanges settings Jan 29, 2021
@6543
Copy link
Member

6543 commented Jan 29, 2021

@root360-StefanHeitmueller pleace make fmt and commit

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Jan 29, 2021
@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Jan 29, 2021
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Jan 30, 2021
@6543
Copy link
Member

6543 commented Jan 30, 2021

@root360-StefanHeitmueller pleace update

@6543
Copy link
Member

6543 commented Jan 30, 2021

@morph027 ping

@root360-StefanHeitmueller
Copy link
Contributor Author

@6543 what's missing in the commit? the format fix has been pushed already, CI is passing.

@lafriks
Copy link
Member

lafriks commented Jan 30, 2021

Need to update with base branch

@root360-StefanHeitmueller
Copy link
Contributor Author

Done.

@6543 6543 merged commit eea4197 into go-gitea:master Jan 30, 2021
@6543
Copy link
Member

6543 commented Jan 30, 2021

@root360-StefanHeitmueller can you send a backport?

@root360-StefanHeitmueller
Copy link
Contributor Author

Sure. For the release/v1.13 branch?

@root360-StefanHeitmueller root360-StefanHeitmueller deleted the internal-ssh-ciphers-and-macs branch January 30, 2021 15:30
@6543
Copy link
Member

6543 commented Jan 30, 2021

@root360-StefanHeitmueller yes, just cherry pick the squashed commit ...

@root360-StefanHeitmueller
Copy link
Contributor Author

Should be there in #14530

@lunny lunny added the backport/done All backports for this PR have been created label Feb 1, 2021
a1012112796 added a commit to a1012112796/gitea that referenced this pull request Feb 3, 2021
* master: (28 commits)
  [Docs] Clone filters (go-gitea#14555)
  update docs to show latest stable version (1.13.2) (go-gitea#14550)
  Adding Chi's GetHead middleware (go-gitea#14541)
  Changelog v1.13.2 (go-gitea#14535) (go-gitea#14543)
  [skip ci] Updated translations via Crowdin
  [API] List, Check, Add & delete endpoints for repository teams (go-gitea#13630)
  [skip ci] Updated translations via Crowdin
  rm redirect (go-gitea#14534)
  Upgrade 'css-minimizer-webpack-plugin' to the latest version (go-gitea#14527)
  Set the name Mapper in migrations (go-gitea#14526)
  Internal ssh server respect Ciphers, MACs and KeyExchanges settings (go-gitea#14523)
  Move middlewares to web/middleware (go-gitea#14480)
  Add Doctor FixWrongUserType (go-gitea#14522)
  [skip ci] Updated translations via Crowdin
  noop (go-gitea#14521)
  Update docs and comments to remove macaron (go-gitea#14491)
  [skip ci] Updated translations via Crowdin
  Fix json charset bug (go-gitea#14514)
  enhancement: add signoff option in commit form (go-gitea#14516)
  Fix load time bug (go-gitea#14508)
  ...
@go-gitea go-gitea locked and limited conversation to collaborators Mar 11, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
backport/done All backports for this PR have been created lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. type/bug
Projects
None yet
Development

Successfully merging this pull request may close these issues.

build in ssh server ignore restricting macs settings
5 participants