From ebfb4c78948bb27cf1175d5c24ccf95717d16fbd Mon Sep 17 00:00:00 2001
From: Somtochi Onyekwere
Date: Wed, 28 Apr 2021 12:38:04 +0100
Subject: [PATCH 1/3] Add preferred key algorithms
Signed-off-by: Somtochi Onyekwere
---
 ssh/kex.go | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 ssh/kex.go
diff --git a/ssh/kex.go b/ssh/kex.go
new file mode 100644
index 00000000..bbc7a9bf
--- /dev/null
+++ b/ssh/kex.go
@@ -0,0 +1,48 @@
+/*
+Copyright 2021 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package ssh
+
+import "golang.org/x/crypto/ssh"
+
+const (
+ kexAlgoDH1SHA1 = "diffie-hellman-group1-sha1"
+ kexAlgoDH14SHA1 = "diffie-hellman-group14-sha1"
+ kexAlgoECDH256 = "ecdh-sha2-nistp256"
+ kexAlgoECDH384 = "ecdh-sha2-nistp384"
+ kexAlgoECDH521 = "ecdh-sha2-nistp521"
+ kexAlgoCurve25519SHA256 = "curve25519-sha256@libssh.org"
+
+ // For the following kex only the client half contains a production
+ // ready implementation. The server half only consists of a minimal
+ // implementation to satisfy the automated tests.
+ kexAlgoDHGEXSHA1 = "diffie-hellman-group-exchange-sha1"
+ kexAlgoDHGEXSHA256 = "diffie-hellman-group-exchange-sha256"
+)
+
+var PreferredKexAlgos = []string{
+ kexAlgoCurve25519SHA256,
+ kexAlgoECDH256, kexAlgoECDH384, kexAlgoECDH521,
+ kexAlgoDH14SHA1,
+ kexAlgoDHGEXSHA256,
+}
+
+// SetPreferredKeyAlgos sets default key algorithms on ClientConfig
+func SetPreferredKeyAlgos(config *ssh.ClientConfig) {
+ if config != nil {
+ config.KeyExchanges = PreferredKexAlgos
+ }
+}
From 6b082c397e8770955b3e4d05e4e3072208a8fa97 Mon Sep 17 00:00:00 2001
From: Somtochi Onyekwere
Date: Wed, 28 Apr 2021 13:45:07 +0100
Subject: [PATCH 2/3] Adds better comments
Signed-off-by: Somtochi Onyekwere
---
 ssh/kex.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/ssh/kex.go b/ssh/kex.go
index bbc7a9bf..5744841d 100644
--- a/ssh/kex.go
+++ b/ssh/kex.go
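Review bot: In the new-file hunk of patch 1/3, `config.KeyExchanges = PreferredKexAlgos` stores the exported package-level slice itself rather than a copy, so a later `append` or element write made through one ClientConfig changes the preference order seen by every other config built in the same process, and the global list can drift away from what this file declares. Assign a copy instead: `config.KeyExchanges = append([]string(nil), PreferredKexAlgos...)`. The doc comment on the list should also say why `diffie-hellman-group14-sha1` is retained although its exchange hash is SHA-1 (presumably interoperability with older servers; confirm), and that `kexAlgoDH1SHA1` and `kexAlgoDHGEXSHA1` are declared but deliberately left out of the list; as written, staticcheck will report those two constants as unused.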
@@ -18,6 +18,8 @@ package ssh import "golang.org/x/crypto/ssh" +// These string constant are gotten from golang/crypto +// https://github.com/golang/crypto/blob/0c34fe9e7dc2486962ef9867e3edb3503537209f/ssh/kex.go#L23-L34 const ( kexAlgoDH1SHA1 = "diffie-hellman-group1-sha1" kexAlgoDH14SHA1 = "diffie-hellman-group14-sha1" @@ -33,6 +35,8 @@ const ( kexAlgoDHGEXSHA256 = "diffie-hellman-group-exchange-sha256" ) +// This is aligned with the preferredKeyAlgos from golang/crypto but includes kexAlgoDHGEXSHA256. + var PreferredKexAlgos = []string{ kexAlgoCurve25519SHA256, kexAlgoECDH256, kexAlgoECDH384, kexAlgoECDH521, @@ -40,7 +44,7 @@ var PreferredKexAlgos = []string{ kexAlgoDHGEXSHA256, } -// SetPreferredKeyAlgos sets default key algorithms on ClientConfig +// SetPreferredKeyAlgos sets the PreferredKexAlgos algorithms on a given ClientConfig func SetPreferredKeyAlgos(config *ssh.ClientConfig) { if config != nil { config.KeyExchanges = PreferredKexAlgos From 85a5bcf8dc4f5826d8cbec406264335ecd8bef3e Mon Sep 17 00:00:00 2001 From: Somtochi Onyekwere Date: Wed, 28 Apr 2021 14:22:33 +0100 Subject: [PATCH 3/3] Adds better comments Signed-off-by: Somtochi Onyekwere --- ssh/kex.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ssh/kex.go b/ssh/kex.go index 5744841d..5d709eed 100644 --- a/ssh/kex.go +++ b/ssh/kex.go @@ -18,7 +18,7 @@ package ssh import "golang.org/x/crypto/ssh" -// These string constant are gotten from golang/crypto +// These string constants are copied from golang/crypto // https://github.com/golang/crypto/blob/0c34fe9e7dc2486962ef9867e3edb3503537209f/ssh/kex.go#L23-L34 const ( kexAlgoDH1SHA1 = "diffie-hellman-group1-sha1" 
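Review bot: The comment added above `const (` in the first hunk of patch 2/3 pins the copied names to one upstream commit but does not say what that implies for maintenance: the names are copied because upstream keeps them unexported, so new or deprecated algorithms in golang.org/x/crypto will not reach this list on their own. Suggest appending `// Revisit this list when bumping golang.org/x/crypto; it is not kept in sync automatically.` The same remark applies to the comment introduced above `var PreferredKexAlgos` in the second hunk of patch 2/3 and reworded in patch 3/3.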
@@ -35,8 +35,8 @@ const ( kexAlgoDHGEXSHA256 = "diffie-hellman-group-exchange-sha256" ) -// This is aligned with the preferredKeyAlgos from golang/crypto but includes kexAlgoDHGEXSHA256. - +// PreferredKeyAlgos is aligned with the preferredKeyAlgos from golang/crypto +// but includes kexAlgoDHGEXSHA256 as the least preferred option. var PreferredKexAlgos = []string{ kexAlgoCurve25519SHA256, kexAlgoECDH256, kexAlgoECDH384, kexAlgoECDH521, @@ -44,7 +44,7 @@ var PreferredKexAlgos = []string{ kexAlgoDHGEXSHA256, } -// SetPreferredKeyAlgos sets the PreferredKexAlgos algorithms on a given ClientConfig +// SetPreferredKeyAlgos sets the PreferredKexAlgos on a given ClientConfig. func SetPreferredKeyAlgos(config *ssh.ClientConfig) { if config != nil { config.KeyExchanges = PreferredKexAlgos
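Review bot: The new doc comment in the first hunk reads `// PreferredKeyAlgos is aligned with the preferredKeyAlgos from golang/crypto`, but the variable it documents is `PreferredKexAlgos` and the upstream list it refers to is `preferredKexAlgos`; godoc and golint expect the comment to begin with the declared name, and the current text sends readers to an identifier that does not exist in either repository. Change the first line to `// PreferredKexAlgos is aligned with the preferredKexAlgos from golang/crypto` and keep the second line as is. The `SetPreferredKeyAlgos` comment in the last hunk is fine; the "Key" versus `KeyExchanges` naming mismatch in the function name itself is pre-existing and would need a deprecated alias to fix.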