sftp: add option to enable the use of aes128-cbc cipher

This commit is contained in:
Jon Fautley 2017-12-08 12:22:09 +00:00 committed by Nick Craig-Wood
parent f424019380
commit 3684585104
2 changed files with 26 additions and 0 deletions


@ -154,6 +154,13 @@ or `sha1sum` as well as `echo` are in the remote's PATH.
The only ssh agent supported under Windows is Putty's pageant.
The Go SSH library disables the use of the aes128-cbc cipher by
default, due to security concerns. This can be re-enabled on a
per-connection basis by setting the `use_insecure_cipher` setting in
the configuration file to `true`. Further details on the insecurity of
this cipher can be found [in this paper]
(http://www.isg.rhul.ac.uk/~kp/SandPfinal.pdf).
SFTP isn't supported under plan9 until [this
issue](https://github.com/pkg/sftp/issues/156) is fixed.


@ -57,6 +57,19 @@ func init() {
Name: "key_file",
Help: "Path to unencrypted PEM-encoded private key file, leave blank to use ssh-agent.",
Optional: true,
}, {
Name: "use_insecure_cipher",
Help: "Enable the user of the aes128-cbc cipher. This cipher is insecure and may allow plaintext data to be recovered by an attacker..",
Optional: true,
Examples: []fs.OptionExample{
{
Value: "false",
Help: "Use default Cipher list.",
}, {
Value: "true",
Help: "Enables the use of the aes128-cbc cipher.",
},
},
}},
}
fs.Register(fsi)
@ -232,6 +245,7 @@ func NewFs(name, root string) (fs.Fs, error) {
port := fs.ConfigFileGet(name, "port")
pass := fs.ConfigFileGet(name, "pass")
keyFile := fs.ConfigFileGet(name, "key_file")
insecureCipher := fs.ConfigFileGetBool(name, "use_insecure_cipher")
if user == "" {
user = os.Getenv("USER")
}
@ -245,6 +259,11 @@ func NewFs(name, root string) (fs.Fs, error) {
Timeout: fs.Config.ConnectTimeout,
}
if insecureCipher {
config.Config.SetDefaults()
config.Config.Ciphers = append(config.Config.Ciphers, "aes128-cbc")
}
// Add ssh agent-auth if no password or file specified
if pass == "" && keyFile == "" {
sshAgentClient, _, err := sshagent.New()