Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Configurable Cipher, KEX, and MAC. #1062

Closed
russjones opened this issue Jun 9, 2017 · 0 comments
Closed

Configurable Cipher, KEX, and MAC. #1062

russjones opened this issue Jun 9, 2017 · 0 comments
Assignees
@russjones
Labels
enhancement
Milestone
2.2

Comments

@russjones
Copy link
Contributor

russjones commented Jun 9, 2017
edited
Loading

Problem

At the moment, Teleport does not allow you to select the ciphers, key exchange algorithms, or MAC algorithms that the client and/or server support.

This is typically not an problem, as the Go SSH library supports sensible defaults and most users would not benefit from changing the defaults. However, in certain situations it would be clearly advantageous to control this:

  • If a security vulnerability in the cipher, key exchange algorithm, or MAC is discovered, Teleport users have to wait for Teleport developers (and/or Go developers) to update Teleport and then redeploy.
  • In certain restricted environments where only approved cryptographic primitives can be used, Teleport is a non-starter.

Proposed Solution

To support both sensible defaults as well as configurability, Teleport should add a optional configuration section that allows defining the cipher, key exchange algorithm, and MAC used on the server initially (and potentially follow up with allowing you to configure the client at some time in the future). If either of the three are specified, we override the sensible defaults.

At the time of writing, the SSH library we use, supports the following ciphers:

aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
arcfour256
arcfour128

The following key exchange algorithms:

kexAlgoCurve25519SHA256
kexAlgoECDH256
kexAlgoECDH384
kexAlgoECDH521
kexAlgoDH14SHA1
kexAlgoDH1SHA1

The following MACs:

hmac-sha2-256-etm@openssh.com
hmac-sha2-256
hmac-sha1
hmac-sha1-96

Changes to configuration

The changes would be made to the teleport section of the file configuration. All three fields (ciphers, kex_algos, and mac_algos) are optional and are a list of strings. If any of the three fields is provided, at least one value should exist for it. If no value is provided, the default values that the Go SSH library provides will be used.

teleport:
  ciphers:
    - cipher1
    - cipher
    ...
    - cipherN
  kex_algos:
    - kex1
    - kex2
    ...
    - kexN
  mac_algos:
    - mac1
    - mac2
    ...
    - macN
Examples

A few sample configurations:

teleport:
teleport:
  ciphers:
    - aes128-ctr
  kex_algos:
    - kexAlgoCurve25519SHA256
    - kexAlgoECDH256
  mac_algos:
    - hmac-sha2-256-etm@openssh.com
    - hmac-sha2-256
    - hmac-sha1
    - hmac-sha1-96

Changes in code

The server needs to be updated to propagate configuration to Config in ServerConfig.

Changes to documentation

We should document the these additions fields and possible values for them.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@russjones russjones

Labels
enhancement
Projects
None yet
Milestone
2.2
Development

No branches or pull requests
1 participant
@russjones