
ssh: allow setting allowed MAC algorithms for built-in server (#6435)

Co-authored-by: ᴜɴᴋɴᴡᴏɴ <u@gogs.io>
Eduardo Bacchi Kienetz 4 роки тому
батько
коміт
c875950c43

+ 3 - 2
CHANGELOG.md

@@ -7,7 +7,8 @@ All notable changes to Gogs are documented in this file.
 ### Added
 
 - An unlisted option is added when create or migrate a repository. Unlisted repositories are public but not being listed for users without direct access in the UI. [#5733](https://github.com/gogs/gogs/issues/5733)
-- Add new configuration option `[git.timeout] DIFF` for customizing operation timeout of `git diff`. [#6315](https://github.com/gogs/gogs/issues/6315)
+- New configuration option `[git.timeout] DIFF` for customizing operation timeout of `git diff`. [#6315](https://github.com/gogs/gogs/issues/6315)
+- New configuration option `[server] SSH_SERVER_MACS` for setting list of accepted MACs for connections to builtin SSH server. [#6434](https://github.com/gogs/gogs/issues/6434)
 
 ### Changed
 
@@ -17,7 +18,7 @@ All notable changes to Gogs are documented in this file.
 
 ### Fixed
 
-- Add `X-Frame-Options` header to prevent Clickjacking. [#6409](https://github.com/gogs/gogs/issues/6409) 
+- Add `X-Frame-Options` header to prevent Clickjacking. [#6409](https://github.com/gogs/gogs/issues/6409)
 - [Security] Potential SSRF attack by CRLF injection via repository migration. [#6413](https://github.com/gogs/gogs/issues/6413)
 
 

+ 2 - 0
conf/app.ini

@@ -81,6 +81,8 @@ SSH_LISTEN_HOST = 0.0.0.0
 SSH_LISTEN_PORT = %(SSH_PORT)s
 ; The list of accepted ciphers for connections to builtin SSH server.
 SSH_SERVER_CIPHERS = aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, arcfour256, arcfour128
+; The list of accepted MACs for connections to builtin SSH server.
+SSH_SERVER_MACS = hmac-sha2-256-etm@openssh.com, hmac-sha2-256, hmac-sha1
 
 ; Define allowed algorithms and their minimum key length (use -1 to disable a type).
 [ssh.minimum_key_sizes]
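Review bot: The comment added at L41 mirrors the ciphers line but leaves unexplained why the plain `hmac-sha1` entry is kept alongside the SHA-2 and ETM variants on L42, which is the first thing an operator hardening the list will ask. Presumably it is retained for older clients; if so, say it in the comment, e.g. `; The list of accepted MACs for connections to builtin SSH server (hmac-sha1 is kept for older clients).`. It would also help to state what an empty value means; as far as I can tell from golang.org/x/crypto/ssh, an empty MACs list makes the library apply its own defaults rather than disable MACs, which is not obvious from the key alone.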

+ 1 - 0
conf/locale/locale_en-US.ini

@@ -1204,6 +1204,7 @@ config.ssh.start_builtin_server = Start builtin server
 config.ssh.listen_host = Listen host
 config.ssh.listen_port = Listen port
 config.ssh.server_ciphers = Server ciphers
+config.ssh.server_macs = Server MACs
 
 config.repo_config = Repository configuration
 config.repo.root_path = Root path

+ 2 - 0
go.sum

@@ -5,6 +5,7 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
 github.com/Knetic/govaluate v3.0.1-0.20171022003610-9aa49832a739+incompatible/go.mod h1:r7JcOSlj0wfOMncg0iLm8Leh48TZaKVeNIfJntJ2wa0=
 github.com/Masterminds/semver/v3 v3.1.0 h1:Y2lUDsFKVRSYGojLJ1yLxSXdMmMYTYls0rCvoqmMUQk=
 github.com/Masterminds/semver/v3 v3.1.0/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
+github.com/Masterminds/semver/v3 v3.1.1 h1:hLg3sBzpNErnxhQtUy/mmLR2I9foDujNK030IGemrRc=
 github.com/Masterminds/semver/v3 v3.1.1/go.mod h1:VPu/7SZ7ePZ3QOrcuXROw5FAcLl4a0cBrbBpGY/8hQs=
 github.com/Shopify/sarama v1.19.0/go.mod h1:FVkBWblsNy7DGZRfXLU0O9RCGt5g3g3yEuWXgklEdEo=
 github.com/Shopify/toxiproxy v2.1.4+incompatible/go.mod h1:OXgGpZ6Cli1/URJOF1DMxUHB2q5Ap20/P/eIdh4G0pI=
@@ -754,6 +755,7 @@ gorm.io/driver/postgres v1.0.5 h1:raX6ezL/ciUmaYTvOq48jq1GE95aMC0CmxQYbxQ4Ufw=
 gorm.io/driver/postgres v1.0.5/go.mod h1:qrD92UurYzNctBMVCJ8C3VQEjffEuphycXtxOudXNCA=
 gorm.io/driver/sqlite v1.1.3 h1:BYfdVuZB5He/u9dt4qDpZqiqDJ6KhPqs5QUqsr/Eeuc=
 gorm.io/driver/sqlite v1.1.3/go.mod h1:AKDgRWk8lcSQSw+9kxCJnX/yySj8G3rdwYlU57cB45c=
+gorm.io/driver/sqlite v1.1.4 h1:PDzwYE+sI6De2+mxAneV9Xs11+ZyKV6oxD3wDGkaNvM=
 gorm.io/driver/sqlite v1.1.4/go.mod h1:mJCeTFr7+crvS+TRnWc5Z3UvwxUN1BGBLMrf5LA9DYw=
 gorm.io/driver/sqlserver v1.0.4 h1:V15fszi0XAo7fbx3/cF50ngshDSN4QT0MXpWTylyPTY=
 gorm.io/driver/sqlserver v1.0.4/go.mod h1:ciEo5btfITTBCj9BkoUVDvgQbUdLWQNqdFY5OGuGnRg=

+ 2 - 2
internal/assets/conf/conf_gen.go


+ 1 - 1
internal/assets/templates/templates_gen.go


+ 1 - 0
internal/conf/static.go

@@ -59,6 +59,7 @@ var (
 		ListenHost         string   `ini:"SSH_LISTEN_HOST"`
 		ListenPort         int      `ini:"SSH_LISTEN_PORT"`
 		ServerCiphers      []string `ini:"SSH_SERVER_CIPHERS"`
+		ServerMACs         []string `ini:"SSH_SERVER_MACS"`
 	}
 
 	// Repository settings

+ 1 - 0
internal/conf/testdata/TestInit.golden.ini

@@ -31,6 +31,7 @@ START_SSH_SERVER=false
 SSH_LISTEN_HOST=0.0.0.0
 SSH_LISTEN_PORT=22
 SSH_SERVER_CIPHERS=aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,arcfour256,arcfour128
+SSH_SERVER_MACS=hmac-sha2-256-etm@openssh.com,hmac-sha2-256,hmac-sha1
 
 [repository]
 ROOT=/tmp/gogs-repositories

+ 2 - 1
internal/route/install.go

@@ -98,9 +98,10 @@ func GlobalInit(customConf string) error {
 	}
 
 	if conf.SSH.StartBuiltinServer {
-		ssh.Listen(conf.SSH.ListenHost, conf.SSH.ListenPort, conf.SSH.ServerCiphers)
+		ssh.Listen(conf.SSH.ListenHost, conf.SSH.ListenPort, conf.SSH.ServerCiphers, conf.SSH.ServerMACs)
 		log.Info("SSH server started on %s:%v", conf.SSH.ListenHost, conf.SSH.ListenPort)
 		log.Trace("SSH server cipher list: %v", conf.SSH.ServerCiphers)
+		log.Trace("SSH server MAC list: %v", conf.SSH.ServerMACs)
 	}
 
 	if conf.SSH.RewriteAuthorizedKeysAtStart {

+ 2 - 1
internal/ssh/ssh.go

@@ -162,10 +162,11 @@ func listen(config *ssh.ServerConfig, host string, port int) {
 }
 
 // Listen starts a SSH server listens on given port.
-func Listen(host string, port int, ciphers []string) {
+func Listen(host string, port int, ciphers, macs []string) {
 	config := &ssh.ServerConfig{
 		Config: ssh.Config{
 			Ciphers: ciphers,
+			MACs:    macs,
 		},
 		PublicKeyCallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
 			pkey, err := db.SearchPublicKeyByContent(strings.TrimSpace(string(ssh.MarshalAuthorizedKey(key))))
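Review bot: The doc comment on Listen at L135 is not updated for the new `macs` parameter (it never described `ciphers` either) and does not say what an empty list means; since both slices go straight into ssh.Config at L140-L141, golang.org/x/crypto/ssh will substitute its own defaults when they are empty, which is worth stating. Suggest `// Listen starts an SSH server on host:port. ciphers and macs are passed to ssh.Config unchanged; an empty list lets golang.org/x/crypto/ssh pick its defaults.`. Nothing in the hunk validates the names, so a misspelled entry in SSH_SERVER_MACS is presumably only surfaced when a client connects rather than at startup; a startup-time check or at least a comment noting this would help operators. Listen's body continues past the end of the hunk.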

+ 2 - 0
templates/admin/config.tmpl

@@ -101,6 +101,8 @@
 							<dd>{{.SSH.ListenPort}}</dd>
 							<dt>{{.i18n.Tr "admin.config.ssh.server_ciphers"}}</dt>
 							<dd><code>{{.SSH.ServerCiphers}}</code></dd>
+							<dt>{{.i18n.Tr "admin.config.ssh.server_macs"}}</dt>
+							<dd><code>{{.SSH.ServerMACs}}</code></dd>
 						{{end}}
 					</dl>
 				</div>
