sftp: add option to enable the use of aes128-cbc cipher
parent
f424019380
commit
3684585104
2 changed files with 26 additions and 0 deletions
|
@ -154,6 +154,13 @@ or `sha1sum` as well as `echo` are in the remote's PATH.
|
|||
|
||||
The only ssh agent supported under Windows is Putty's pageant.
|
||||
|
||||
The Go SSH library disables the use of the aes128-cbc cipher by
|
||||
default, due to security concerns. This can be re-enabled on a
|
||||
per-connection basis by setting the `use_insecure_cipher` setting in
|
||||
the configuration file to `true`. Further details on the insecurity of
|
||||
this cipher can be found [in this paper]
|
||||
(http://www.isg.rhul.ac.uk/~kp/SandPfinal.pdf).
|
||||
|
||||
SFTP isn't supported under plan9 until [this
|
||||
issue](https://github.com/pkg/sftp/issues/156) is fixed.
|
||||
|
||||
|
|
19
sftp/sftp.go
19
sftp/sftp.go
|
@ -57,6 +57,19 @@ func init() {
|
|||
Name: "key_file",
|
||||
Help: "Path to unencrypted PEM-encoded private key file, leave blank to use ssh-agent.",
|
||||
Optional: true,
|
||||
}, {
|
||||
Name: "use_insecure_cipher",
|
||||
Help: "Enable the user of the aes128-cbc cipher. This cipher is insecure and may allow plaintext data to be recovered by an attacker..",
|
||||
Optional: true,
|
||||
Examples: []fs.OptionExample{
|
||||
{
|
||||
Value: "false",
|
||||
Help: "Use default Cipher list.",
|
||||
}, {
|
||||
Value: "true",
|
||||
Help: "Enables the use of the aes128-cbc cipher.",
|
||||
},
|
||||
},
|
||||
}},
|
||||
}
|
||||
fs.Register(fsi)
|
||||
|
@ -232,6 +245,7 @@ func NewFs(name, root string) (fs.Fs, error) {
|
|||
port := fs.ConfigFileGet(name, "port")
|
||||
pass := fs.ConfigFileGet(name, "pass")
|
||||
keyFile := fs.ConfigFileGet(name, "key_file")
|
||||
insecureCipher := fs.ConfigFileGetBool(name, "use_insecure_cipher")
|
||||
if user == "" {
|
||||
user = os.Getenv("USER")
|
||||
}
|
||||
|
@ -245,6 +259,11 @@ func NewFs(name, root string) (fs.Fs, error) {
|
|||
Timeout: fs.Config.ConnectTimeout,
|
||||
}
|
||||
|
||||
if insecureCipher {
|
||||
config.Config.SetDefaults()
|
||||
config.Config.Ciphers = append(config.Config.Ciphers, "aes128-cbc")
|
||||
}
|
||||
|
||||
// Add ssh agent-auth if no password or file specified
|
||||
if pass == "" && keyFile == "" {
|
||||
sshAgentClient, _, err := sshagent.New()
|
||||
|
|
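Review bot: Turning on `use_insecure_cipher` weakens the connection silently: the `if insecureCipher` block in the last hunk appends `aes128-cbc` without logging anything, so a remote running with the weakened cipher list cannot be told apart from one with the defaults. A one-line notice at that point through the package's existing logging helper, naming the remote, would make the downgrade visible to whoever reads the logs. The block also deserves a comment such as `// aes128-cbc goes last so it is only chosen when the server supports none of the default ciphers`, since SSH negotiation picks the first client-listed cipher the server also offers. In the first hunk the new help text has a typo and a doubled full stop; it should read `Help: "Enable the use of the aes128-cbc cipher. This cipher is insecure and may allow plaintext data to be recovered by an attacker.",`. NewFs begins and ends outside the visible hunks.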