Add configuration options for allowed downstream algorithms (#504)

* Add configuration options for allowed downstream algorithms * Refactor daemon configuration to set allowed downstream algorithms * Ensure default configuration values are set consistently in newDaemon
tg123 · Dec 26, 2024 · b2f7f79 · b2f7f79
1 parent 502eb4b
commit b2f7f79
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 0 deletions.
diff --git a/cmd/sshpiperd/daemon.go b/cmd/sshpiperd/daemon.go
@@ -47,6 +47,17 @@ func generateSshKey(keyfile string) error {
 
 func newDaemon(ctx *cli.Context) (*daemon, error) {
 	config := &plugin.GrpcPluginConfig{}
+
+	config.Ciphers = ctx.StringSlice("allowed-downstream-ciphers-algos")
+	config.MACs = ctx.StringSlice("allowed-downstream-macs-algos")
+	config.KeyExchanges = ctx.StringSlice("allowed-downstream-keyexchange-algos")
+	config.PublicKeyAuthAlgorithms = ctx.StringSlice("allowed-downstream-pubkey-algos")
+
+	config.SetDefaults()
+
+	// tricky, call SetDefaults, in first call, Cipers, Macs, Kex will be nil if [] and the second call will set the default values
+	// this can be ignored because sshpiper.go will call SetDefaults again before use it
+	// however, this is to make sure that the default values are set no matter sshiper.go calls SetDefaults or not
 	config.SetDefaults()
 
 	keybase64 := ctx.String("server-key-data")

diff --git a/cmd/sshpiperd/main.go b/cmd/sshpiperd/main.go
@@ -178,6 +178,30 @@ func main() {
 				Usage:   "allowed proxy addresses, only connections from these ip ranges are allowed to send a proxy header based on the PROXY protocol, empty will disable the PROXY protocol support",
 				EnvVars: []string{"SSHPIPERD_ALLOWED_PROXY_ADDRESSES"},
 			},
+			&cli.StringSliceFlag{
+				Name:    "allowed-downstream-keyexchange-algos",
+				Value:   cli.NewStringSlice(),
+				Usage:   "allowed key exchange algorithms for downstream connections, empty will allow default algorithms",
+				EnvVars: []string{"SSHPIPERD_ALLOWED_DOWNSTREAM_KEYEXCHANGE_ALGOS"},
+			},
+			&cli.StringSliceFlag{
+				Name:    "allowed-downstream-ciphers-algos",
+				Value:   cli.NewStringSlice(),
+				Usage:   "allowed ciphers algorithms for downstream connections, empty will allow default algorithms",
+				EnvVars: []string{"SSHPIPERD_ALLOWED_DOWNSTREAM_CIPHERS_ALGOS"},
+			},
+			&cli.StringSliceFlag{
+				Name:    "allowed-downstream-macs-algos",
+				Value:   cli.NewStringSlice(),
+				Usage:   "allowed macs algorithms for downstream connections, empty will allow default algorithms",
+				EnvVars: []string{"SSHPIPERD_ALLOWED_DOWNSTREAM_MACS_ALGOS"},
+			},
+			&cli.StringSliceFlag{
+				Name:    "allowed-downstream-pubkey-algos",
+				Value:   cli.NewStringSlice(),
+				Usage:   "allowed public key algorithms for downstream connections, empty will allow default algorithms",
+				EnvVars: []string{"SSHPIPERD_ALLOWED_DOWNSTREAM_PUBKEY_ALGOS"},
+			},
 		},
 		Action: func(ctx *cli.Context) error {
 			level, err := log.ParseLevel(ctx.String("log-level"))