lunny/gitea
Archived
1
1
Fork 1
Code Issues 1.7k Pull Requests 154 Projects Releases 128 Wiki Activity

Internal ssh server respect Ciphers, MACs and KeyExchanges settings #14523

Merged
root360-StefanHeitmueller merged 2 commits from internal-ssh-ciphers-and-macs into master 2021-01-30 13:20:33 +00:00
Conversation 0 Commits 2 Files Changed 1 +7 -3
root360-StefanHeitmueller commented 2021-01-29 16:42:32 +00:00 (Migrated from github.com)
Copy Link

Fix // TODO: Handle ciphers, keyExchanges, and macs for internal ssh server.
Fix #14518

Details see here (despite it was renamed).

Testconfig:

START_SSH_SERVER = true
SSH_SERVER_MACS  = hmac-sha2-256-etm@openssh.com, hmac-sha2-256
SSH_PORT                   = 2222

Before:

# nmap --script ssh2-enum-algos -sV -p 2222 gitea.example.com
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-29 17:46 CET
Nmap scan report for gitea.example.com (xxx.xxx.xxx.xxx)
Host is up (0.00055s latency).

PORT     STATE SERVICE VERSION
2222/tcp open  ssh     (protocol 2.0)
| fingerprint-strings: 
|   NULL: 
|_    SSH-2.0-Go
| ssh2-enum-algos: 
|   kex_algorithms: (5)
|       curve25519-sha256@libssh.org
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       diffie-hellman-group14-sha1
|   server_host_key_algorithms: (1)
|       ssh-rsa
|   encryption_algorithms: (5)
|       aes128-gcm@openssh.com
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|   mac_algorithms: (4)
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-256
|       hmac-sha1
|       hmac-sha1-96
|   compression_algorithms: (1)
|_      none

Afterwards:

# nmap --script ssh2-enum-algos -sV -p 2222 gitea.lan | sed 's,gitea\.lan,gitea.example.com,g'
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-29 17:47 CET
Nmap scan report for gitea.example.com (xxx.xxx.xxx.xxx)
Host is up (0.00052s latency).

PORT     STATE SERVICE VERSION
2222/tcp open  ssh     (protocol 2.0)
| fingerprint-strings: 
|   NULL: 
|_    SSH-2.0-Go
| ssh2-enum-algos: 
|   kex_algorithms: (6)
|       diffie-hellman-group1-sha1
|       diffie-hellman-group14-sha1
|       ecdh-sha2-nistp256
|       ecdh-sha2-nistp384
|       ecdh-sha2-nistp521
|       curve25519-sha256@libssh.org
|   server_host_key_algorithms: (1)
|       ssh-rsa
|   encryption_algorithms: (6)
|       aes128-ctr
|       aes192-ctr
|       aes256-ctr
|       aes128-gcm@openssh.com
|       arcfour256
|       arcfour128
|   mac_algorithms: (2)
|       hmac-sha2-256-etm@openssh.com
|       hmac-sha2-256
|   compression_algorithms: (1)
|_      none
Fix `// TODO: Handle ciphers, keyExchanges, and macs` for internal ssh server. Fix #14518 Details see [here](https://github.com/gliderlabs/ssh/pull/95) (despite it was [renamed](https://github.com/gliderlabs/ssh/pull/112)). Testconfig: ``` START_SSH_SERVER = true SSH_SERVER_MACS = hmac-sha2-256-etm@openssh.com, hmac-sha2-256 SSH_PORT = 2222 ``` Before: ``` # nmap --script ssh2-enum-algos -sV -p 2222 gitea.example.com Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-29 17:46 CET Nmap scan report for gitea.example.com (xxx.xxx.xxx.xxx) Host is up (0.00055s latency). PORT STATE SERVICE VERSION 2222/tcp open ssh (protocol 2.0) | fingerprint-strings: | NULL: |_ SSH-2.0-Go | ssh2-enum-algos: | kex_algorithms: (5) | curve25519-sha256@libssh.org | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 | ecdh-sha2-nistp521 | diffie-hellman-group14-sha1 | server_host_key_algorithms: (1) | ssh-rsa | encryption_algorithms: (5) | aes128-gcm@openssh.com | chacha20-poly1305@openssh.com | aes128-ctr | aes192-ctr | aes256-ctr | mac_algorithms: (4) | hmac-sha2-256-etm@openssh.com | hmac-sha2-256 | hmac-sha1 | hmac-sha1-96 | compression_algorithms: (1) |_ none ``` Afterwards: ``` # nmap --script ssh2-enum-algos -sV -p 2222 gitea.lan | sed 's,gitea\.lan,gitea.example.com,g' Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-29 17:47 CET Nmap scan report for gitea.example.com (xxx.xxx.xxx.xxx) Host is up (0.00052s latency). PORT STATE SERVICE VERSION 2222/tcp open ssh (protocol 2.0) | fingerprint-strings: | NULL: |_ SSH-2.0-Go | ssh2-enum-algos: | kex_algorithms: (6) | diffie-hellman-group1-sha1 | diffie-hellman-group14-sha1 | ecdh-sha2-nistp256 | ecdh-sha2-nistp384 | ecdh-sha2-nistp521 | curve25519-sha256@libssh.org | server_host_key_algorithms: (1) | ssh-rsa | encryption_algorithms: (6) | aes128-ctr | aes192-ctr | aes256-ctr | aes128-gcm@openssh.com | arcfour256 | arcfour128 | mac_algorithms: (2) | hmac-sha2-256-etm@openssh.com | hmac-sha2-256 | compression_algorithms: (1) |_ none ```
6543 (Migrated from github.com) approved these changes 2021-01-29 17:34:41 +00:00
lunny approved these changes 2021-01-30 11:25:03 +00:00
This repo is archived. You cannot comment on pull requests.
Reviewers
No reviewers
lunny
6543
Labels
Clear labels   
backport/done

   
backport/v1.0

   
backport/v1.1

   
backport/v1.10

   
backport/v1.11

   
backport/v1.12

   
backport/v1.13

   
backport/v1.14

   
backport/v1.15

   
backport/v1.2

   
backport/v1.3

   
backport/v1.4

   
backport/v1.5

   
backport/v1.6

   
backport/v1.7

   
backport/v1.8

   
backport/v1.9

   
bounty

   
changelog

   
dependencies

Pull requests that update a dependency file

  
frontport/done

   
frontport/main

   
good first issue

Likely to be an easy fix

  
Hacktoberfest

   
hacktoberfest-accepted

   
in progress

   
kind/api

   
kind/breaking

   
kind/bug

   
kind/build

   
kind/deployment

   
kind/deprecated

   
kind/docs

   
kind/enhancement

   
kind/feature

   
kind/lint

   
kind/misc

   
kind/moderation

features for moderateing spam, abuse, ...

  
kind/package

   
kind/proposal

   
kind/question

   
kind/refactor

   
kind/regression

   
kind/security

   
kind/summary

   
kind/testing

   
kind/translation

   
kind/ui

   
kind/upstream-related

An issue that is caused by an upstream dependency

  
kind/usability

   
kind/ux

   
lgtm/done

   
lgtm/need 1

   
lgtm/need 2

   
performance/bigrepo

Performance Issues affecting Big Repositories

  
performance/cpu

   
performance/memory

Performance issues affecting memory use

  
performance/speed

performance issues with slow downs

  
priority/critical

   
priority/low

   
priority/maybe

   
priority/medium

   
proposal/rejected

   
reviewed/confirmed

Issue has been reviewed and confirmed to be present or accepted to be implemented

  
reviewed/duplicate

   
reviewed/fixed

A fix for this issue is already in the attached milestone

  
reviewed/invalid

   
reviewed/not-a-bug

The reported issue is the intended behavior

  
reviewed/wontfix

   
skip-changelog

   
stale

   
status/blocked

   
status/needs-feedback

   
status/wip

   
theme/2fa

   
theme/authentication

   
theme/avatar

   
theme/backup-restore

   
theme/docker

Docker themed issued

  
theme/federation

   
theme/issues

   
theme/kanban

   
theme/markdown

   
theme/migration

Migration issues

  
theme/mobile

   
theme/pr

   
theme/signing

   
theme/sqlite

   
theme/timetracker

   
theme/webhook

   
theme/wiki
No Label
backport/done
backport/v1.0
backport/v1.1
backport/v1.10
backport/v1.11
backport/v1.12
backport/v1.13
backport/v1.14
backport/v1.15
backport/v1.2
backport/v1.3
backport/v1.4
backport/v1.5
backport/v1.6
backport/v1.7
backport/v1.8
backport/v1.9
bounty
changelog
dependencies
frontport/done
frontport/main
good first issue
Hacktoberfest
hacktoberfest-accepted
in progress
kind/api
kind/breaking
kind/bug
kind/build
kind/deployment
kind/deprecated
kind/docs
kind/enhancement
kind/feature
kind/lint
kind/misc
kind/moderation
kind/package
kind/proposal
kind/question
kind/refactor
kind/regression
kind/security
kind/summary
kind/testing
kind/translation
kind/ui
kind/upstream-related
kind/usability
kind/ux
lgtm/done
lgtm/need 1
lgtm/need 2
performance/bigrepo
performance/cpu
performance/memory
performance/speed
priority/critical
priority/low
priority/maybe
priority/medium
proposal/rejected
reviewed/confirmed
reviewed/duplicate
reviewed/fixed
reviewed/invalid
reviewed/not-a-bug
reviewed/wontfix
skip-changelog
stale
status/blocked
status/needs-feedback
status/wip
theme/2fa
theme/authentication
theme/avatar
theme/backup-restore
theme/docker
theme/federation
theme/issues
theme/kanban
theme/markdown
theme/migration
theme/mobile
theme/pr
theme/signing
theme/sqlite
theme/timetracker
theme/webhook
theme/wiki
Milestone
Clear milestone
No items
No Milestone
1.14.0
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
1 Participants
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: lunny/gitea#14523
No description provided.
Delete Branch "internal-ssh-ciphers-and-macs"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?