Configure cryptography parameters for downstream side

[Nils98Ar]

Is this possible somehow? E.g. restricting the allowed cryptography algorithms.

It would also be okay to build a new image from source or from base image.

[tg123]

no cmd settings now
but if you prefer compile yourself, you can set it here

sshpiper/cmd/sshpiperd/daemon.go

Line 183 in c83c27c

p, err := ssh.NewSSHPiperConn(c, &d.config.PiperConfig)

d.config.PiperConfig.PublicKeyAuthAlgorithms

PR is welcomed

[Nils98Ar]

@tg123

I have never worked with go before but I think it would be good to configure this via config file and environment variables?

This seems to be the default?
https://github.com/golang/crypto/blob/v0.21.0/ssh/common.go#L142-L148

[Nils98Ar]

These are also interesting regarding security: supportedCiphers, preferredCiphers, supportedKexAlgos, serverForbiddenKexAlgos, preferredKexAlgos, supportedHostKeyAlgos, supportedMACs, hashFuncs.

Would it rather make sense to configure those per pipe or globally (e.g. in a downstream_config.yaml)?

[tg123]

no config file yet, but will add them to sshpiperd cmd args

[Nils98Ar]

@tg123 Would we rather configure the ones from ssh/server.go (e.g. PublicKeyAuthAlgorithms) or from ssh/common.go (e.g. supportedPubKeyAuthAlgos). I think the latter has more options which are used as default for the former.

[Nils98Ar]

no config file yet, but will add them to sshpiperd cmd args

We still need to configure the crypto parameters like key exchange algorithm, auth algorithms, ciphers, signature algorith etc.

Might it be possible to add cmd args for those?

[tg123]

yes i will add it soon