From 12403bdfb098d8118df734275c302c8c5de20ee4 Mon Sep 17 00:00:00 2001 From: Gibheer Date: Tue, 16 Feb 2016 23:01:56 +0100 Subject: allow native and ssh-keygen public key check This commit adds the possibibility to use either the native golang libraries or ssh-keygen to check public keys. The check is adjusted depending on the settings, so that only supported keys are let through. This commit also brings back the blacklist feature, which was removed in 7ef9a055886574655d9f2be70c957bc16bf30500. This allows to blacklist algorythms or keys based on the key length. This works with the native and the ssh-keygen way. Because of #2179 it also includes a way to adjust the path to ssh-keygen and the working directory for ssh-keygen. With this, sysadmins should be able to adjust the settings in a way, that SELinux is okay with it. In the worst case, they can switch to the native implementation and only loose support for ed25519 keys at the moment. There are some other places which need adjustment to utilize the parameters and the native implementation, but this sets the ground work. --- conf/app.ini | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'conf') diff --git a/conf/app.ini b/conf/app.ini index 277f313d52..b444665b42 100644 --- a/conf/app.ini +++ b/conf/app.ini @@ -66,6 +66,13 @@ START_SSH_SERVER = false SSH_PORT = 22 ; Root path of SSH directory SSH_ROOT_PATH = +; override engine choice to check public keys (default: 'ssh-keygen' when +; DISABLE_SSH is set to false else 'native') +SSH_PUBLICKEY_CHECK = +; directory to create temporary files when using ssh-keygen (default: /tmp) +SSH_WORK_PATH = +; path to ssh-keygen (default: result of `which ssh-keygen`) +SSH_KEYGEN_PATH = ; Disable CDN even in "prod" mode OFFLINE_MODE = false DISABLE_ROUTER_LOG = false @@ -127,6 +134,15 @@ ENABLE_REVERSE_PROXY_AUTHENTICATION = false ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = false ; Enable captcha validation for registration ENABLE_CAPTCHA = true +; Do not check minimum key size with corresponding type +ENABLE_MINIMUM_KEY_SIZE_CHECK = false + +; define allowed algorithms and their minimum key length (use -1 to disable a type) +[service.minimum_key_sizes] +ED25519 = 256 +ECDSA = 256 +RSA = 2048 +DSA = 1024 [webhook] ; Hook task queue length -- cgit v1.2.3