Add configuration of key exchange algorithms for sshd
Add new config key "sshd.kex". The default and supported values are:
1. ecdh-sha2-nistp521
2. ecdh-sha2-nistp384
3. ecdh-sha2-nistp256
4. diffie-hellman-group-exchange-sha256
5. diffie-hellman-group-exchange-sha1,
6. diffie-hellman-group14-sha1
7. diffie-hellman-group1-sha1
With Bouncy Castle installed, all of the above are supported (previously
only 6 and 7). With JCE, only 7 is available.
Bug: Issue 3517
Change-Id: I6b44e88dc4a0ff8f693f21510aba30546bf4cd99
(cherry picked from commit b4a04fa1c5)
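--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -3654,6 +3654,40 @@ Supported MACs: `hmac-md5`, `hmac-md5-96`, `hmac-sha1`, `hmac-sha1-96`,
 +
 By default, all supported MACs are available.
 
+[[sshd.kex]]sshd.kex::
++
+--
+Available key exchange algorithms. To permit multiple algorithms,
+specify multiple `sshd.kex` keys in the configuration file, one key
+exchange algorithm per key. Key exchange algorithm names starting
+with `+` are enabled in addition to the default key exchange
+algorithms, key exchange algorithm names starting with `-` are
+removed from the default key exchange algorithms.
+
+In the following example configuration, support for the 1024-bit
+`diffie-hellman-group1-sha1` key exchange is disabled while leaving
+all of the other default algorithms enabled:
+
+----
+[sshd]
+kex = -diffie-hellman-group1-sha1
+----
+
+Supported key exchange algorithms:
+
+* `ecdh-sha2-nistp521`
+* `ecdh-sha2-nistp384`
+* `ecdh-sha2-nistp256`
+* `diffie-hellman-group-exchange-sha256`
+* `diffie-hellman-group-exchange-sha1`
+* `diffie-hellman-group14-sha1`
+* `diffie-hellman-group1-sha1`
+
+By default, all supported key exchange algorithms are available.
+Without Bouncy Castle, `diffie-hellman-group1-sha1` is the only
+available algorithm.
+--
+
 [[sshd.kerberosKeytab]]sshd.kerberosKeytab::
 +
 Enable kerberos authentication for SSH connections. To permit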
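--- a/PATH_NOT_ON_PAGE/SshDaemon.java
+++ b/PATH_NOT_ON_PAGE/SshDaemon.java
@@ -56,7 +56,7 @@ import org.apache.sshd.common.io.IoSession;
 import org.apache.sshd.common.io.mina.MinaServiceFactoryFactory;
 import org.apache.sshd.common.io.mina.MinaSession;
 import org.apache.sshd.common.io.nio2.Nio2ServiceFactoryFactory;
-import org.apache.sshd.common.kex.BuiltinDHFactories;
+import org.apache.sshd.common.kex.KeyExchange;
 import org.apache.sshd.common.keyprovider.KeyPairProvider;
 import org.apache.sshd.common.mac.Mac;
 import org.apache.sshd.common.random.JceRandomFactory;
@@ -223,6 +223,7 @@ public class SshDaemon extends SshServer implements SshInfo, LifecycleListener {
 initProviderJce();
 }
 initCiphers(cfg);
+initKeyExchanges(cfg);
 initMacs(cfg);
 initSignatures();
 initChannels();
@@ -426,14 +427,15 @@ public class SshDaemon extends SshServer implements SshInfo, LifecycleListener {
 return r.toString();
 }
 
+@SuppressWarnings("unchecked")
+private void initKeyExchanges(Config cfg) {
+List<NamedFactory<KeyExchange>> a =
+ServerBuilder.setUpDefaultKeyExchanges(true);
+setKeyExchangeFactories(filter(cfg, "kex",
+(NamedFactory<KeyExchange>[])a.toArray(new NamedFactory[a.size()])));
+}
+
 private void initProviderBouncyCastle(Config cfg) {
-setKeyExchangeFactories(
-NamedFactory.Utils.setUpTransformedFactories(true,
-Collections.unmodifiableList(Arrays.asList(
-BuiltinDHFactories.dhg14,
-BuiltinDHFactories.dhg1
-)),
-ServerBuilder.DH2KEX));
 NamedFactory<Random> factory;
 if (cfg.getBoolean("sshd", null, "testUseInsecureRandom", false)) {
 factory = new InsecureBouncyCastleRandom.Factory();
@@ -508,13 +510,6 @@ public class SshDaemon extends SshServer implements SshInfo, LifecycleListener {
 }
 
 private void initProviderJce() {
-setKeyExchangeFactories(
-NamedFactory.Utils.setUpTransformedFactories(true,
-Collections.unmodifiableList(Arrays.asList(
-BuiltinDHFactories.dhg1
-)),
-ServerBuilder.DH2KEX));
-setKeyExchangeFactories(ServerBuilder.setUpDefaultKeyExchanges(true));
 setRandomFactory(new SingletonRandomFactory(JceRandomFactory.INSTANCE));
 }
 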
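Review bot: The new `initKeyExchanges` in the `@@ -426` hunk has no comment and carries a method-wide `@SuppressWarnings("unchecked")` for the raw `new NamedFactory[a.size()]` array, so nothing tells a maintainer what the resulting default set is. A Javadoc should state that the starting list is whatever `ServerBuilder.setUpDefaultKeyExchanges(true)` reports as supported under the active provider, that per the documentation hunk this includes the SHA-1 variants and the 1024-bit `diffie-hellman-group1-sha1` exchange, and that `sshd.kex` entries prefixed with `-` are the operator's way to drop them. It would also help to record that the method must run after `initProviderBouncyCastle`/`initProviderJce` (the `@@ -223` hunk shows that order), since the provider appears to decide which factories count as supported; that is inferred from the call order, so confirm before writing it. If `filter` can take a `List`, the array conversion and the suppression can go; otherwise narrow the suppression to the one cast, e.g. `@SuppressWarnings("unchecked") NamedFactory<KeyExchange>[] kex = a.toArray(new NamedFactory[a.size()]);`, so it does not mask other unchecked warnings added later.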