-
-
Notifications
You must be signed in to change notification settings - Fork 5.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update SSH server #18711
Update SSH server #18711
Conversation
Gusted
commented
Feb 10, 2022
- Update SSH server libraries to support extensions negotations.
- The extensions negotations are needed to communitcate with algorithms are accepted for "publickey" auth.
- This PR adds 2 libraries. The modifed golang.org/x/crypto libraries(this in order to not mismatch with types in ssh.go) and a patched "github.com/gliderlabs/ssh" that has been modified in order to use the modified crypto library.
- Resolves RSA public keys cannot authenticate against internal SSH if the client has a recent ssh version (which disables ssh-rsa algorithm) #17798
- Update SSH server libraries to support extensions negotations. - The extensions negotations are needed to communitcate with algorithms are accepted for "publickey" auth. - This PR adds 2 libraries. The modifed golang.org/x/crypto libraries(this in order to not mismatch with types in ssh.go) and a patched "github.com/gliderlabs/ssh" that has been modified in order to use the modified crypto library. - Resolves go-gitea#17798
Would it be better to have the fork that is currently in |
I don't have the permission to add new repos to the gitea org. So if a gitea owner would like to do that. CC @zeripath @techknowlogick |
Sorry I don't have owner control of the gitea org on gitea.com 😝 @Gusted - I think migrate the repo - then open a transfer request to give it to the gitea org. |
@zeripath Done! |
well that worked! repo added to the appropriate teams and trust model changed to committer. |
@zeripath Forgot that. Now you have the power. I have set the protected branch on that new repository. |
Switch to the gitea-owned version
Updated the PR. Side-note: we currently have some other depedency under the ownership of gitea maintainers(and some even on github), I guess it's better to slowly move them as well to a gitea instance? |
I think we need the gliderlabs patch to also use a gitea fork of go-crypto too |
- Avoid some problems with golang not picking up the replace on the forked version.
The commit that's patched on top of x/crypto: https://gitea.com/gitea/go-crypto/commit/31cfbd2326cbe371d5e8ea590d60a70fc98f85a5 |
I think we should just move the requisite parts of crypto/ssh into our fork of gliderlabs/ssh that way we can avoid a fork of x/crypto because whilst I don't mind forking the SSH server, I think forking x/crypto is too much. |
So the problem is as follows:
It's more or less dependency hell as of now, but that's because of how the tooling works with golang. |
Codecov Report
@@ Coverage Diff @@
## main #18711 +/- ##
==========================================
- Coverage 46.62% 46.55% -0.07%
==========================================
Files 854 854
Lines 122587 122921 +334
==========================================
+ Hits 57153 57231 +78
- Misses 58537 58769 +232
- Partials 6897 6921 +24
Continue to review full report at Codecov.
|
Would it be possible to contribute the fixes in https://gitea.com/gitea/go-crypto upstream so that others are benefit? |
with this we need to maintain the golang crypto lib ourselve :/ and make sure we dont miss related security fixes etc ...! |
Ah well, it's already a PR which includes more standardized specification golang/crypto#197, the PR hasn't been active, hence why we're now forking it.
I'm looking into using the forked crypto library only for the SSH server part, such we can still use the regular x/crypto library. It was already proposed by zeripath to create our own SSH library which would be much more flexible. Such we don't have to mess around in the package itself but rather can implement such changes within gitea, but that's a long-term option. Also the SSH part of the crypto library is such a mess and most of the code was made a decade ago, that's already a security risk on it's own. |
Adding blocked status because gitea.com/gitea/go-crypto needs to be updated to include the latest changes from upstream x/crypto |
we only use the ssh part - so it should be fine! |
the ssh package is part of x/crypto and has recently got some nice updates: https://github.com/golang/crypto/commits/master and allowed me for a recent PR as well: #19097 |
PR that needs to be merged first: https://gitea.com/gitea/go-crypto/pulls/3 |
☝️ reviewed |
All good from my side now. |
Closing, Go finally seems intrested to fix this. https://go-review.googlesource.com/c/crypto/+/447757 |