mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-12-22 12:54:53 -05:00
Configurable SSH cipher suite (#913)
* Configurable SSH cipher suite * Update configuration file comment * Add default in settings loading code * Fix fmt and log messsage * Remove default from code as this could probably might not be good idea
This commit is contained in:
parent
985a39590b
commit
7131c7d40d
4 changed files with 11 additions and 3 deletions
3
conf/app.ini
vendored
3
conf/app.ini
vendored
|
@ -125,6 +125,9 @@ SSH_PORT = 22
|
||||||
SSH_LISTEN_PORT = %(SSH_PORT)s
|
SSH_LISTEN_PORT = %(SSH_PORT)s
|
||||||
; Root path of SSH directory, default is '~/.ssh', but you have to use '/home/git/.ssh'.
|
; Root path of SSH directory, default is '~/.ssh', but you have to use '/home/git/.ssh'.
|
||||||
SSH_ROOT_PATH =
|
SSH_ROOT_PATH =
|
||||||
|
; For built-in SSH server only, choose the ciphers to support for SSH connections,
|
||||||
|
; for system SSH this setting has no effect
|
||||||
|
SSH_SERVER_CIPHERS = aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, arcfour256, arcfour128
|
||||||
; Directory to create temporary files when test public key using ssh-keygen,
|
; Directory to create temporary files when test public key using ssh-keygen,
|
||||||
; default is system temporary directory.
|
; default is system temporary directory.
|
||||||
SSH_KEY_TEST_PATH =
|
SSH_KEY_TEST_PATH =
|
||||||
|
|
|
@ -96,6 +96,7 @@ var (
|
||||||
ListenHost string `ini:"SSH_LISTEN_HOST"`
|
ListenHost string `ini:"SSH_LISTEN_HOST"`
|
||||||
ListenPort int `ini:"SSH_LISTEN_PORT"`
|
ListenPort int `ini:"SSH_LISTEN_PORT"`
|
||||||
RootPath string `ini:"SSH_ROOT_PATH"`
|
RootPath string `ini:"SSH_ROOT_PATH"`
|
||||||
|
ServerCiphers []string `ini:"SSH_SERVER_CIPHERS"`
|
||||||
KeyTestPath string `ini:"SSH_KEY_TEST_PATH"`
|
KeyTestPath string `ini:"SSH_KEY_TEST_PATH"`
|
||||||
KeygenPath string `ini:"SSH_KEYGEN_PATH"`
|
KeygenPath string `ini:"SSH_KEYGEN_PATH"`
|
||||||
AuthorizedKeysBackup bool `ini:"SSH_AUTHORIZED_KEYS_BACKUP"`
|
AuthorizedKeysBackup bool `ini:"SSH_AUTHORIZED_KEYS_BACKUP"`
|
||||||
|
@ -708,6 +709,7 @@ func NewContext() {
|
||||||
SSH.Domain = Domain
|
SSH.Domain = Domain
|
||||||
}
|
}
|
||||||
SSH.RootPath = path.Join(homeDir, ".ssh")
|
SSH.RootPath = path.Join(homeDir, ".ssh")
|
||||||
|
SSH.ServerCiphers = sec.Key("SSH_SERVER_CIPHERS").Strings(",")
|
||||||
SSH.KeyTestPath = os.TempDir()
|
SSH.KeyTestPath = os.TempDir()
|
||||||
if err = Cfg.Section("server").MapTo(&SSH); err != nil {
|
if err = Cfg.Section("server").MapTo(&SSH); err != nil {
|
||||||
log.Fatal(4, "Failed to map SSH settings: %v", err)
|
log.Fatal(4, "Failed to map SSH settings: %v", err)
|
||||||
|
|
|
@ -151,8 +151,11 @@ func listen(config *ssh.ServerConfig, host string, port int) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Listen starts a SSH server listens on given port.
|
// Listen starts a SSH server listens on given port.
|
||||||
func Listen(host string, port int) {
|
func Listen(host string, port int, ciphers []string) {
|
||||||
config := &ssh.ServerConfig{
|
config := &ssh.ServerConfig{
|
||||||
|
Config: ssh.Config{
|
||||||
|
Ciphers: ciphers,
|
||||||
|
},
|
||||||
PublicKeyCallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
|
PublicKeyCallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
|
||||||
pkey, err := models.SearchPublicKeyByContent(strings.TrimSpace(string(ssh.MarshalAuthorizedKey(key))))
|
pkey, err := models.SearchPublicKeyByContent(strings.TrimSpace(string(ssh.MarshalAuthorizedKey(key))))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|
|
@ -77,7 +77,7 @@ func GlobalInit() {
|
||||||
checkRunMode()
|
checkRunMode()
|
||||||
|
|
||||||
if setting.InstallLock && setting.SSH.StartBuiltinServer {
|
if setting.InstallLock && setting.SSH.StartBuiltinServer {
|
||||||
ssh.Listen(setting.SSH.ListenHost, setting.SSH.ListenPort)
|
ssh.Listen(setting.SSH.ListenHost, setting.SSH.ListenPort, setting.SSH.ServerCiphers)
|
||||||
log.Info("SSH server started on %s:%v", setting.SSH.ListenHost, setting.SSH.ListenPort)
|
log.Info("SSH server started on %s:%d. Cipher list (%v)", setting.SSH.ListenHost, setting.SSH.ListenPort, setting.SSH.ServerCiphers)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue