Add configuration options for allowed downstream algorithms

tg123 · Dec 25, 2024 · e70c281 · e70c281
1 parent 502eb4b
commit e70c281
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 0 deletions.
diff --git a/cmd/sshpiperd/daemon.go b/cmd/sshpiperd/daemon.go
@@ -135,6 +135,11 @@ func newDaemon(ctx *cli.Context) (*daemon, error) {
 		}
 	}
 
+	config.PublicKeyAuthAlgorithms = ctx.StringSlice("allowed-downstream-pubkey-algos")
+	config.Ciphers = ctx.StringSlice("allowed-downstream-ciphers-algos")
+	config.MACs = ctx.StringSlice("allowed-downstream-macs-algos")
+	config.KeyExchanges = ctx.StringSlice("allowed-downstream-keyexchange-algos")
+
 	return &daemon{
 		config:         config,
 		lis:            lis,

diff --git a/cmd/sshpiperd/main.go b/cmd/sshpiperd/main.go
@@ -178,6 +178,30 @@ func main() {
 				Usage:   "allowed proxy addresses, only connections from these ip ranges are allowed to send a proxy header based on the PROXY protocol, empty will disable the PROXY protocol support",
 				EnvVars: []string{"SSHPIPERD_ALLOWED_PROXY_ADDRESSES"},
 			},
+			&cli.StringSliceFlag{
+				Name:    "allowed-downstream-keyexchange-algos",
+				Value:   cli.NewStringSlice(),
+				Usage:   "allowed key exchange algorithms for downstream connections, empty will allow default algorithms",
+				EnvVars: []string{"SSHPIPERD_ALLOWED_DOWNSTREAM_KEYEXCHANGE_ALGOS"},
+			},
+			&cli.StringSliceFlag{
+				Name:    "allowed-downstream-ciphers-algos",
+				Value:   cli.NewStringSlice(),
+				Usage:   "allowed ciphers algorithms for downstream connections, empty will allow default algorithms",
+				EnvVars: []string{"SSHPIPERD_ALLOWED_DOWNSTREAM_CIPHERS_ALGOS"},
+			},
+			&cli.StringSliceFlag{
+				Name:    "allowed-downstream-macs-algos",
+				Value:   cli.NewStringSlice(),
+				Usage:   "allowed macs algorithms for downstream connections, empty will allow default algorithms",
+				EnvVars: []string{"SSHPIPERD_ALLOWED_DOWNSTREAM_MACS_ALGOS"},
+			},
+			&cli.StringSliceFlag{
+				Name:    "allowed-downstream-pubkey-algos",
+				Value:   cli.NewStringSlice(),
+				Usage:   "allowed public key algorithms for downstream connections, empty will allow default algorithms",
+				EnvVars: []string{"SSHPIPERD_ALLOWED_DOWNSTREAM_PUBKEY_ALGOS"},
+			},
 		},
 		Action: func(ctx *cli.Context) error {
 			level, err := log.ParseLevel(ctx.String("log-level"))