Configurable SSH cipher suite #913
Conversation
lunny
added
the
type/feature
|
LGTM |
tboerger
added
the
lgtm/need 1
conf/app.ini
Outdated
| @@ -110,6 +110,8 @@ SSH_PORT = 22 | |||
| SSH_LISTEN_PORT = %(SSH_PORT)s | |||
| ; Root path of SSH directory, default is '~/.ssh', but you have to use '/home/git/.ssh'. | |||
| SSH_ROOT_PATH = | |||
| ; Choose the ciphers to support for SSH connections | |||
There was a problem hiding this comment.
Please make it clear that this only affects Built-In SSH-server
There was a problem hiding this comment.
; For built-in SSH server only, choose the ciphers to support for SSH connections,
; for system SSH this setting has no effect
routers/init.go
Outdated
| ssh.Listen(setting.SSH.ListenHost, setting.SSH.ListenPort) | ||
| log.Info("SSH server started on %s:%v", setting.SSH.ListenHost, setting.SSH.ListenPort) | ||
| ssh.Listen(setting.SSH.ListenHost, setting.SSH.ListenPort, setting.SSH.ServerCiphers) | ||
| log.Info("SSH server started on %s:%v. Cipher list (%v)", setting.SSH.ListenHost, setting.SSH.ListenPort, setting.SSH.ServerCiphers) |
There was a problem hiding this comment.
ListenPort should use %d not %v
|
Not exactly happy about having configs that only affect the build-in server, but for this it's hard to do otherwise 🙁 |
routers/init.go
Outdated
| @@ -75,7 +75,7 @@ func GlobalInit() { | |||
| checkRunMode() | |||
|
|
|||
| if setting.InstallLock && setting.SSH.StartBuiltinServer { | |||
| ssh.Listen(setting.SSH.ListenHost, setting.SSH.ListenPort) | |||
| log.Info("SSH server started on %s:%v", setting.SSH.ListenHost, setting.SSH.ListenPort) | |||
| ssh.Listen(setting.SSH.ListenHost, setting.SSH.ListenPort, setting.SSH.ServerCiphers) | |||
There was a problem hiding this comment.
Please use tabs for indentation
|
Can I suggest that you prioritize AES-GCM above everything else? I think an authenticated encryption mode should be first on everyone's list. It might be nice to prevent the use of the arcfour suites entirely. Since most modern chips have the AES-NI instruction set to accelerate AES operations most people would see better performance too. |
|
@aaronjwood Yes. I think the default values should be security enough. |
lunny
added
the
issue/needs-feedback
|
It seems no response here, let's move it to v1.2 |
|
According to the Go SSH documentation on ssh.Config, So it might be best to leave that ini option undefined by default, unless this cipher set differs from the default Go one and there is a specific rationale for such. |
modules/setting/setting.go
Outdated
| @@ -618,6 +619,7 @@ please consider changing to GITEA_CUSTOM`) | |||
| } | |||
|
|
|||
| SSH.RootPath = path.Join(homeDir, ".ssh") | |||
| SSH.ServerCiphers = sec.Key("SSH_SERVER_CIPHERS").Strings(",") | |||
|
It's somewhat ironic that Gogs is ahead of the community fork made to speed things up... |
tboerger
added
lgtm/done
|
As @evantbyrne said, keep the default as Go did maybe a good choice. @spacetourist maybe you can change this? |
|
Any news ? |
|
If @evantbyrne no response. I think maintainers could do something.
|
|
|
@bkcsoft @ethantkoenig fixed |
Codecov Report
@@ Coverage Diff @@
## master #913 +/- ##
=======================================
Coverage 26.91% 26.91%
=======================================
Files 87 87
Lines 17286 17286
=======================================
Hits 4652 4652
Misses 11955 11955
Partials 679 679Continue to review full report at Codecov.
|
lafriks
removed
the
issue/needs-feedback
|
Make LG-TM work again |
|
This patch will report below error using SSH to |
As requested, merging change from Gogs.io