sftp: add configuration options to set ssh Ciphers / MACs / KeyExchange
This commit is contained in:
parent
028832ce73
commit
7042a11875
1 changed files with 63 additions and 2 deletions
@ -123,7 +123,10 @@ This enables the use of the following insecure ciphers and key exchange methods:
|
||||||
- diffie-hellman-group-exchange-sha256
|
- diffie-hellman-group-exchange-sha256
|
||||||
- diffie-hellman-group-exchange-sha1
|
- diffie-hellman-group-exchange-sha1
|
||||||
|
|
||||||
Those algorithms are insecure and may allow plaintext data to be recovered by an attacker.`,
|
Those algorithms are insecure and may allow plaintext data to be recovered by an attacker.
|
||||||
|
|
||||||
|
This must be false if you use either ciphers or key_exchange advanced options.
|
||||||
|
`,
|
||||||
Default: false,
|
Default: false,
|
||||||
Examples: []fs.OptionExample{
|
Examples: []fs.OptionExample{
|
||||||
{
|
{
|
||||||
|
@ -325,6 +328,46 @@ and pass variables with spaces in in quotes, eg
|
||||||
|
|
||||||
"VAR3=value with space" "VAR4=value with space" VAR5=nospacehere
|
"VAR3=value with space" "VAR4=value with space" VAR5=nospacehere
|
||||||
|
|
||||||
|
`,
|
||||||
|
Advanced: true,
|
||||||
|
}, {
|
||||||
|
Name: "ciphers",
|
||||||
|
Default: fs.SpaceSepList{},
|
||||||
|
Help: `Space separated list of ciphers to be used for session encryption, ordered by preference.
|
||||||
|
|
||||||
|
At least one must match with server configuration. This can be checked for example using ssh -Q cipher.
|
||||||
|
|
||||||
|
This must not be set if use_insecure_cipher is true.
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
aes128-ctr aes192-ctr aes256-ctr aes128-gcm@openssh.com aes256-gcm@openssh.com
|
||||||
|
`,
|
||||||
|
Advanced: true,
|
||||||
|
}, {
|
||||||
|
Name: "key_exchange",
|
||||||
|
Default: fs.SpaceSepList{},
|
||||||
|
Help: `Space separated list of key exchange algorithms, ordered by preference.
|
||||||
|
|
||||||
|
At least one must match with server configuration. This can be checked for example using ssh -Q kex.
|
||||||
|
|
||||||
|
This must not be set if use_insecure_cipher is true.
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
sntrup761x25519-sha512@openssh.com curve25519-sha256 curve25519-sha256@libssh.org ecdh-sha2-nistp256
|
||||||
|
`,
|
||||||
|
Advanced: true,
|
||||||
|
}, {
|
||||||
|
Name: "macs",
|
||||||
|
Default: fs.SpaceSepList{},
|
||||||
|
Help: `Space separated list of MACs (message authentication code) algorithms, ordered by preference.
|
||||||
|
|
||||||
|
At least one must match with server configuration. This can be checked for example using ssh -Q mac.
|
||||||
|
|
||||||
|
Example:
|
||||||
|
|
||||||
|
umac-64-etm@openssh.com umac-128-etm@openssh.com hmac-sha2-256-etm@openssh.com
|
||||||
`,
|
`,
|
||||||
Advanced: true,
|
Advanced: true,
|
||||||
}},
|
}},
|
||||||
|
@ -362,6 +405,9 @@ type Options struct {
|
||||||
ChunkSize fs.SizeSuffix `config:"chunk_size"`
|
ChunkSize fs.SizeSuffix `config:"chunk_size"`
|
||||||
Concurrency int `config:"concurrency"`
|
Concurrency int `config:"concurrency"`
|
||||||
SetEnv fs.SpaceSepList `config:"set_env"`
|
SetEnv fs.SpaceSepList `config:"set_env"`
|
||||||
|
Ciphers fs.SpaceSepList `config:"ciphers"`
|
||||||
|
KeyExchange fs.SpaceSepList `config:"key_exchange"`
|
||||||
|
MACs fs.SpaceSepList `config:"macs"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// Fs stores the interface to the remote SFTP files
|
// Fs stores the interface to the remote SFTP files
|
||||||
|
@ -702,10 +748,25 @@ func NewFs(ctx context.Context, name, root string, m configmap.Mapper) (fs.Fs, e
|
||||||
sshConfig.HostKeyCallback = hostcallback
|
sshConfig.HostKeyCallback = hostcallback
|
||||||
}
|
}
|
||||||
|
|
||||||
if opt.UseInsecureCipher {
|
if opt.UseInsecureCipher && (opt.Ciphers != nil || opt.KeyExchange != nil) {
|
||||||
|
return nil, fmt.Errorf("use_insecure_cipher must be false if ciphers or key_exchange are set in advanced configuration")
|
||||||
|
}
|
||||||
|
|
||||||
sshConfig.Config.SetDefaults()
|
sshConfig.Config.SetDefaults()
|
||||||
|
if opt.UseInsecureCipher {
|
||||||
sshConfig.Config.Ciphers = append(sshConfig.Config.Ciphers, "aes128-cbc", "aes192-cbc", "aes256-cbc", "3des-cbc")
|
sshConfig.Config.Ciphers = append(sshConfig.Config.Ciphers, "aes128-cbc", "aes192-cbc", "aes256-cbc", "3des-cbc")
|
||||||
sshConfig.Config.KeyExchanges = append(sshConfig.Config.KeyExchanges, "diffie-hellman-group-exchange-sha1", "diffie-hellman-group-exchange-sha256")
|
sshConfig.Config.KeyExchanges = append(sshConfig.Config.KeyExchanges, "diffie-hellman-group-exchange-sha1", "diffie-hellman-group-exchange-sha256")
|
||||||
|
} else {
|
||||||
|
if opt.Ciphers != nil {
|
||||||
|
sshConfig.Config.Ciphers = opt.Ciphers
|
||||||
|
}
|
||||||
|
if opt.KeyExchange != nil {
|
||||||
|
sshConfig.Config.KeyExchanges = opt.KeyExchange
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if opt.MACs != nil {
|
||||||
|
sshConfig.Config.MACs = opt.MACs
|
||||||
}
|
}
|
||||||
|
|
||||||
keyFile := env.ShellExpand(opt.KeyFile)
|
keyFile := env.ShellExpand(opt.KeyFile)
|
||||||
|
|
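Review bot: The new guard `opt.UseInsecureCipher && (opt.Ciphers != nil || opt.KeyExchange != nil)` in NewFs, and the three `!= nil` checks that follow it, test the option slices for nil rather than for contents, so whether an unset option counts as "set" depends on whether the config parser materialises the `fs.SpaceSepList{}` default as nil or as an empty slice — the parser is not visible here, but `len(opt.Ciphers) > 0` (likewise for KeyExchange and MACs) is the idiomatic test and behaves the same either way. If the parser does hand back an empty non-nil slice, the current code would either reject every use_insecure_cipher remote or overwrite the lists filled in by SetDefaults() with an empty list, which would leave the handshake with no algorithms to offer. Separately, `ciphers` and `key_exchange` let a user list the very CBC ciphers and SHA-1 group-exchange methods that the use_insecure_cipher branch appends, so the "must not be set if use_insecure_cipher is true" rule is about precedence, not safety; the help text of both options should carry the same warning, e.g. `Listing CBC ciphers or SHA-1 key exchange methods here weakens the connection in the same way as use_insecure_cipher.` NewFs begins and ends outside this hunk.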