diff --git a/Documentation/config-gerrit.txt b/Documentation/config-gerrit.txt index 7836b092a3..ed492766a2 100644 --- a/Documentation/config-gerrit.txt +++ b/Documentation/config-gerrit.txt @@ -3666,6 +3666,40 @@ Supported MACs: `hmac-md5`, `hmac-md5-96`, `hmac-sha1`, `hmac-sha1-96`, + By default, all supported MACs are available. +[[sshd.kex]]sshd.kex:: ++ +-- +Available key exchange algorithms. To permit multiple algorithms, +specify multiple `sshd.kex` keys in the configuration file, one key +exchange algorithm per key. Key exchange algorithm names starting +with `+` are enabled in addition to the default key exchange +algorithms, key exchange algorithm names starting with `-` are +removed from the default key exchange algorithms. + +In the following example configuration, support for the 1024-bit +`diffie-hellman-group1-sha1` key exchange is disabled while leaving +all of the other default algorithms enabled: + +---- +[sshd] + kex = -diffie-hellman-group1-sha1 +---- + +Supported key exchange algorithms: + +* `ecdh-sha2-nistp521` +* `ecdh-sha2-nistp384` +* `ecdh-sha2-nistp256` +* `diffie-hellman-group-exchange-sha256` +* `diffie-hellman-group-exchange-sha1` +* `diffie-hellman-group14-sha1` +* `diffie-hellman-group1-sha1` + +By default, all supported key exchange algorithms are available. +Without Bouncy Castle, `diffie-hellman-group1-sha1` is the only +available algorithm. +-- + [[sshd.kerberosKeytab]]sshd.kerberosKeytab:: + Enable kerberos authentication for SSH connections. To permit diff --git a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/SshDaemon.java b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/SshDaemon.java index 36d024d2d4..466edf53aa 100644 --- a/gerrit-sshd/src/main/java/com/google/gerrit/sshd/SshDaemon.java +++ b/gerrit-sshd/src/main/java/com/google/gerrit/sshd/SshDaemon.java 
@@ -56,7 +56,7 @@ import org.apache.sshd.common.io.IoSession; import org.apache.sshd.common.io.mina.MinaServiceFactoryFactory; import org.apache.sshd.common.io.mina.MinaSession; import org.apache.sshd.common.io.nio2.Nio2ServiceFactoryFactory; -import org.apache.sshd.common.kex.BuiltinDHFactories; +import org.apache.sshd.common.kex.KeyExchange; import org.apache.sshd.common.keyprovider.KeyPairProvider; import org.apache.sshd.common.mac.Mac; import org.apache.sshd.common.random.JceRandomFactory; @@ -223,6 +223,7 @@ public class SshDaemon extends SshServer implements SshInfo, LifecycleListener { initProviderJce(); } initCiphers(cfg); + initKeyExchanges(cfg); initMacs(cfg); initSignatures(); initChannels(); @@ -426,14 +427,15 @@ public class SshDaemon extends SshServer implements SshInfo, LifecycleListener { return r.toString(); } + @SuppressWarnings("unchecked") + private void initKeyExchanges(Config cfg) { + List> a = + ServerBuilder.setUpDefaultKeyExchanges(true); + setKeyExchangeFactories(filter(cfg, "kex", + (NamedFactory[])a.toArray(new NamedFactory[a.size()]))); + } + private void initProviderBouncyCastle(Config cfg) { - setKeyExchangeFactories( - NamedFactory.Utils.setUpTransformedFactories(true, - Collections.unmodifiableList(Arrays.asList( - BuiltinDHFactories.dhg14, - BuiltinDHFactories.dhg1 - )), - ServerBuilder.DH2KEX)); NamedFactory factory; if (cfg.getBoolean("sshd", null, "testUseInsecureRandom", false)) { factory = new InsecureBouncyCastleRandom.Factory(); @@ -508,13 +510,6 @@ public class SshDaemon extends SshServer implements SshInfo, LifecycleListener { } private void initProviderJce() { - setKeyExchangeFactories( - NamedFactory.Utils.setUpTransformedFactories(true, - Collections.unmodifiableList(Arrays.asList( - BuiltinDHFactories.dhg1 - )), - ServerBuilder.DH2KEX)); - setKeyExchangeFactories(ServerBuilder.setUpDefaultKeyExchanges(true)); setRandomFactory(new SingletonRandomFactory(JceRandomFactory.INSTANCE)); }
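Review bot: initKeyExchanges hands the complete `ServerBuilder.setUpDefaultKeyExchanges(true)` list to `filter`, so `diffie-hellman-group1-sha1` (the 1024-bit group the accompanying documentation hunk itself singles out, alongside the SHA-1 group-exchange variants) stays offered by every server whose admin has not written `kex = -diffie-hellman-group1-sha1`; the old Bouncy Castle path offered dhg1 too, so this is not a regression, but this change is the natural place to make the default secure-by-default. I would prune it before filtering, e.g. `List<NamedFactory<KeyExchange>> a = new ArrayList<>(ServerBuilder.setUpDefaultKeyExchanges(true));` followed by `a.removeIf(f -> "diffie-hellman-group1-sha1".equals(f.getName()));` (the type parameters appear stripped in this rendering; this needs `java.util.ArrayList` and Java 8), and say in a Javadoc on the method that it can be re-enabled with `kex = +diffie-hellman-group1-sha1` — but only if `filter`, which is defined outside this hunk, resolves `+name` against the SSHD built-in registry rather than against the array it is given, which I cannot confirm from here. The bare `@SuppressWarnings("unchecked")` also deserves a one-line justification such as `// toArray cannot create a generic array; every element is a NamedFactory<KeyExchange>`. The enclosing initProviderBouncyCastle continues past the end of the hunk.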