Improved documentation + HOWTO for strict KEX management

apache · Jan 6, 2024 · 72224fa · 72224fa
1 parent e5c48cd
commit 72224fa
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 2 deletions.
diff --git a/docs/howto.md b/docs/howto.md
@@ -23,3 +23,41 @@ In order to achieve this one needs to use a `ReservedSessionMessagesHandler` on
 The idea is to prevent the normal session establish flow by taking over the initial handshake identification and blocking the initial KEX message from the server.
 
 A sample implementation can be found in the `EndlessTarpitSenderSupportDevelopment` class in the *sshd-contrib* package *test* section.
+
+## Disabling strict KEX
+
+The current code implements the [strict-kex](https://github.com/openssh/openssh-portable/blob/master/PROTOCOL) extension by default. If users want/need to disable it, then
+this can be done *programmatically* as follows (the example is for the client, but a similar approach can be implemented for the server):
+
+
+```java
+class NoStrictKexSession extends ClientSessionImpl {
+    NoStrictKexSession(ClientFactoryManager client, IoSession ioSession) throws Exception {
+        super(client, ioSession);
+    }
+
+    @Override
+    protected Map<KexProposalOption, String> doStrictKexProposal(Map<KexProposalOption, String> proposal) {
+        return proposal;
+    }
+}
+
+class NoStrictKexSessionFactory extends SessionFactory {
+    NoStrictKexSessionFactory(ClientFactoryManager client) {
+        super(client);
+    }
+
+    @Override
+    protected ClientSessionImpl doCreateSession(IoSession ioSession) throws Exception {
+        return new NoStrictKexSession(getClient(), ioSession);
+    }
+}
+
+SshClient client = ...;
+SessionFactory factory = new NoStrictKexSessionFactory(client);
+client.setSessionFactory(factory);
+client.start();
+```
+
+If one needs to disable the protocol on a per-session basis, then it is possible to examine the peer's address (e.g., or anything else for that matter) in the `doCreateSession`
+or the `doStrictKexProposal` overrides and then invoke the super-class (for continuing with strict KEX) or return immediately (for disabling it).
diff --git a/docs/standards.md b/docs/standards.md
@@ -35,7 +35,22 @@
 * [OpenSSH support for U2F/FIDO security keys](https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.u2f)
     * **Note:** the server side supports these keys by default. The client side requires specific initialization
 * [OpenSSH public-key certificate authentication system for use by SSH](https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys)
-* [OpenSSH strict key exchange extension](https://github.com/openssh/openssh-portable/blob/master/PROTOCOL)
+* [OpenSSH 1.9 transport: strict key exchange extension](https://github.com/openssh/openssh-portable/blob/master/PROTOCOL)
+* [(Some) OpenSSH SFTP extensions](https://github.com/openssh/openssh-portable/blob/master/PROTOCOL)
+
+**Note:** some implementations may be limited to client-side - i.e., we provide a capability for the client to detect if the server
+supports the extension and then use it, but our server does not publish it as being supported.
+
+| Section | Extension                  | Client | Server |
+| ------- | -------------------------- | ------ | ------ |
+| 4.3     | `posix-rename@openssh.com` | Yes    | Yes    |
+| 4.4     | `statvfs@openssh.com`      | Yes    | Yes    |
+| 4.4     | `fstatvfs@openssh.com`     | Yes    | Yes    |
+| 4.5     | `hardlink@openssh.com`     | Yes    | Yes    |
+| 4.6     | `fsync@openssh.com`        | Yes    | Yes    |
+| 4.7     | `lsetstat@openssh.com`     | Yes    | Yes    |
+| 4.8     | `limits@openssh.com`       | Yes    | Yes    |
+| 4.10    | `copy-data`                | Yes    | Yes    |
 
 ### SFTP version 3-6 + extensions
 
@@ -50,7 +65,6 @@
 * `copy-file`, `copy-data` - [DRAFT 00 - sections 6, 7](https://tools.ietf.org/id/draft-ietf-secsh-filexfer-extensions-00.txt)
 * `space-available` - [DRAFT 09 - section 9.2](https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-09#section-9.2)
 * `filename-charset`, `filename-translation-control` - [DRAFT 13 - section 6](https://tools.ietf.org/html/draft-ietf-secsh-filexfer-13#section-6) - only client side
-* Several [OpenSSH SFTP extensions](https://github.com/openssh/openssh-portable/blob/master/PROTOCOL)
 
 ### Miscellaneous