diff options
| author | spacetourist <guy.callum@gmail.com> | 2017-10-21 14:13:41 +0100 |
|---|---|---|
| committer | Lauris BH <lauris@nix.lv> | 2017-10-21 16:13:41 +0300 |
| commit | 7131c7d40d4f5bd32b16031e884153548eee133f (patch) | |
| tree | 99fa77ac1d785be873ddb0c955f6eeab828baaee | |
| parent | 985a39590ba07798dd6e6097e0c10401764c27fb (diff) | |
| download | gitea-7131c7d40d4f5bd32b16031e884153548eee133f.tar.gz gitea-7131c7d40d4f5bd32b16031e884153548eee133f.zip | |
Configurable SSH cipher suite (#913)
* Configurable SSH cipher suite
* Update configuration file comment
* Add default in settings loading code
* Fix fmt and log messsage
* Remove default from code as this could probably might not be good idea
| -rw-r--r-- | conf/app.ini | 3 | ||||
| -rw-r--r-- | modules/setting/setting.go | 2 | ||||
| -rw-r--r-- | modules/ssh/ssh.go | 5 | ||||
| -rw-r--r-- | routers/init.go | 4 |
4 files changed, 11 insertions, 3 deletions
diff --git a/conf/app.ini b/conf/app.ini index 6524486b82..3b1bccf816 100644 --- a/conf/app.ini +++ b/conf/app.ini @@ -125,6 +125,9 @@ SSH_PORT = 22 SSH_LISTEN_PORT = %(SSH_PORT)s ; Root path of SSH directory, default is '~/.ssh', but you have to use '/home/git/.ssh'. SSH_ROOT_PATH = +; For built-in SSH server only, choose the ciphers to support for SSH connections, +; for system SSH this setting has no effect +SSH_SERVER_CIPHERS = aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, arcfour256, arcfour128 ; Directory to create temporary files when test public key using ssh-keygen, ; default is system temporary directory. SSH_KEY_TEST_PATH = diff --git a/modules/setting/setting.go b/modules/setting/setting.go index 0bd73b8cba..0be95daadd 100644 --- a/modules/setting/setting.go +++ b/modules/setting/setting.go @@ -96,6 +96,7 @@ var ( ListenHost string `ini:"SSH_LISTEN_HOST"` ListenPort int `ini:"SSH_LISTEN_PORT"` RootPath string `ini:"SSH_ROOT_PATH"` + ServerCiphers []string `ini:"SSH_SERVER_CIPHERS"` KeyTestPath string `ini:"SSH_KEY_TEST_PATH"` KeygenPath string `ini:"SSH_KEYGEN_PATH"` AuthorizedKeysBackup bool `ini:"SSH_AUTHORIZED_KEYS_BACKUP"` @@ -708,6 +709,7 @@ func NewContext() { SSH.Domain = Domain } SSH.RootPath = path.Join(homeDir, ".ssh") + SSH.ServerCiphers = sec.Key("SSH_SERVER_CIPHERS").Strings(",") SSH.KeyTestPath = os.TempDir() if err = Cfg.Section("server").MapTo(&SSH); err != nil { log.Fatal(4, "Failed to map SSH settings: %v", err) diff --git a/modules/ssh/ssh.go b/modules/ssh/ssh.go index 36a383fa86..62edaf15bc 100644 --- a/modules/ssh/ssh.go +++ b/modules/ssh/ssh.go @@ -151,8 +151,11 @@ func listen(config *ssh.ServerConfig, host string, port int) { } // Listen starts a SSH server listens on given port. -func Listen(host string, port int) { +func Listen(host string, port int, ciphers []string) { config := &ssh.ServerConfig{ + Config: ssh.Config{ + Ciphers: ciphers, + }, PublicKeyCallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) { pkey, err := models.SearchPublicKeyByContent(strings.TrimSpace(string(ssh.MarshalAuthorizedKey(key)))) if err != nil { diff --git a/routers/init.go b/routers/init.go index d04ffea4c1..006f285266 100644 --- a/routers/init.go +++ b/routers/init.go @@ -77,7 +77,7 @@ func GlobalInit() { checkRunMode() if setting.InstallLock && setting.SSH.StartBuiltinServer { - ssh.Listen(setting.SSH.ListenHost, setting.SSH.ListenPort) - log.Info("SSH server started on %s:%v", setting.SSH.ListenHost, setting.SSH.ListenPort) + ssh.Listen(setting.SSH.ListenHost, setting.SSH.ListenPort, setting.SSH.ServerCiphers) + log.Info("SSH server started on %s:%d. Cipher list (%v)", setting.SSH.ListenHost, setting.SSH.ListenPort, setting.SSH.ServerCiphers) } } |