* Configurable SSH cipher suite * Update configuration file comment * Add default in settings loading code * Fix fmt and log messsage * Remove default from code as this could probably might not be good ideatags/v1.3.0-rc1
@@ -125,6 +125,9 @@ SSH_PORT = 22 | |||
SSH_LISTEN_PORT = %(SSH_PORT)s | |||
; Root path of SSH directory, default is '~/.ssh', but you have to use '/home/git/.ssh'. | |||
SSH_ROOT_PATH = | |||
; For built-in SSH server only, choose the ciphers to support for SSH connections, | |||
; for system SSH this setting has no effect | |||
SSH_SERVER_CIPHERS = aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, arcfour256, arcfour128 | |||
; Directory to create temporary files when test public key using ssh-keygen, | |||
; default is system temporary directory. | |||
SSH_KEY_TEST_PATH = |
@@ -96,6 +96,7 @@ var ( | |||
ListenHost string `ini:"SSH_LISTEN_HOST"` | |||
ListenPort int `ini:"SSH_LISTEN_PORT"` | |||
RootPath string `ini:"SSH_ROOT_PATH"` | |||
ServerCiphers []string `ini:"SSH_SERVER_CIPHERS"` | |||
KeyTestPath string `ini:"SSH_KEY_TEST_PATH"` | |||
KeygenPath string `ini:"SSH_KEYGEN_PATH"` | |||
AuthorizedKeysBackup bool `ini:"SSH_AUTHORIZED_KEYS_BACKUP"` | |||
@@ -708,6 +709,7 @@ func NewContext() { | |||
SSH.Domain = Domain | |||
} | |||
SSH.RootPath = path.Join(homeDir, ".ssh") | |||
SSH.ServerCiphers = sec.Key("SSH_SERVER_CIPHERS").Strings(",") | |||
SSH.KeyTestPath = os.TempDir() | |||
if err = Cfg.Section("server").MapTo(&SSH); err != nil { | |||
log.Fatal(4, "Failed to map SSH settings: %v", err) |
@@ -151,8 +151,11 @@ func listen(config *ssh.ServerConfig, host string, port int) { | |||
} | |||
// Listen starts a SSH server listens on given port. | |||
func Listen(host string, port int) { | |||
func Listen(host string, port int, ciphers []string) { | |||
config := &ssh.ServerConfig{ | |||
Config: ssh.Config{ | |||
Ciphers: ciphers, | |||
}, | |||
PublicKeyCallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) { | |||
pkey, err := models.SearchPublicKeyByContent(strings.TrimSpace(string(ssh.MarshalAuthorizedKey(key)))) | |||
if err != nil { |
@@ -77,7 +77,7 @@ func GlobalInit() { | |||
checkRunMode() | |||
if setting.InstallLock && setting.SSH.StartBuiltinServer { | |||
ssh.Listen(setting.SSH.ListenHost, setting.SSH.ListenPort) | |||
log.Info("SSH server started on %s:%v", setting.SSH.ListenHost, setting.SSH.ListenPort) | |||
ssh.Listen(setting.SSH.ListenHost, setting.SSH.ListenPort, setting.SSH.ServerCiphers) | |||
log.Info("SSH server started on %s:%d. Cipher list (%v)", setting.SSH.ListenHost, setting.SSH.ListenPort, setting.SSH.ServerCiphers) | |||
} | |||
} |