Open QuantumLibet opened 7 months ago
Hi @QuantumLibet, thanks for writing this report. Looking more into this, I'm suspecting that the report is a bit inaccurate since Soft Serve uses Golang SSH and not Dropbear. The version reported is also misleading because that's the default version Wish uses. Let me know if this helps :)
Hi @aymanbagabas.
Thank you for your feedback. However, I was in no way concerned with the exact identification of the SSH engine. The post is a feature request to enable configurability of the SSH server.
Is your feature request related to a problem? Please describe.
It would be great, if the soft-serve SSH server could be configurable.
Background: When auditing SSH servers using https://github.com/jtesta/ssh-audit, it appears that the soft-serve SSH server has several security vulnerabilities. These vulnerabilities are likely related to the default configuration of the included dropbear SSH server.
Describe the solution you'd like
To improve security, additional configuration parameters for SSH configuration such as KExAlgorithms, Ciphers, and MACs could be added to the soft-serve config.yaml.
Alternatively, soft-serve could read the sshd configuration files from the same path as the 'key_path' config option, for example, 'server_config_path: ssh/sshd_config'.
Additional context
The following is the output of ssh-audit v3.1.0 against soft-serve v0.7.4 (d483565). The command used was:
docker run --rm positronsecurity/ssh-audit 1.2.3.4 -p 23231
Please note the CVEs at the beginning and the '[fail]' and '[warn]' remarks. The original is using colors, which makes things easier to read.
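As an added illustration of the configuration this request asks for (example code, not from soft-serve, Wish or the reporter): a small Go loader that validates the proposed kex/cipher/MAC lists before they would be assigned to the `KeyExchanges`, `Ciphers` and `MACs` fields of `ssh.ServerConfig` in golang.org/x/crypto/ssh. The config key names and the table of implemented algorithms are assumptions for this example.

```go
package main

import "fmt"

// Algorithm names golang.org/x/crypto/ssh implements (illustrative subset), keyed by
// the config.yaml setting the issue proposes; key names are assumed for this example.
// Weak legacy entries are listed on purpose: the operator's list decides what is offered.
var supported = map[string]map[string]bool{
	"kex_algorithms": {"curve25519-sha256": true, "curve25519-sha256@libssh.org": true,
		"ecdh-sha2-nistp256": true, "diffie-hellman-group14-sha256": true,
		"diffie-hellman-group14-sha1": true, "diffie-hellman-group1-sha1": true},
	"ciphers": {"chacha20-poly1305@openssh.com": true, "aes256-gcm@openssh.com": true,
		"aes128-gcm@openssh.com": true, "aes256-ctr": true, "aes128-ctr": true,
		"aes128-cbc": true, "3des-cbc": true},
	"macs": {"hmac-sha2-512-etm@openssh.com": true, "hmac-sha2-256-etm@openssh.com": true,
		"hmac-sha2-256": true, "hmac-sha1": true, "hmac-sha1-96": true},
}

// ResolveAlgorithms validates one setting and returns the slice that would go into
// ssh.ServerConfig.Config.KeyExchanges, .Ciphers or .MACs. It fails closed: an unknown
// name is an error (a silently dropped typo would leave the library defaults in force),
// and an empty result is an error because the server could then accept no client.
func ResolveAlgorithms(key string, requested []string) ([]string, error) {
	table, ok := supported[key]
	if !ok {
		return nil, fmt.Errorf("unknown setting %q", key)
	}
	var out []string
	seen := map[string]bool{}
	for _, name := range requested {
		if !table[name] {
			return nil, fmt.Errorf("%s: %q is not implemented by the Go SSH server", key, name)
		}
		if !seen[name] { // de-duplicate but keep the operator's preference order
			seen[name] = true
			out = append(out, name)
		}
	}
	if len(out) == 0 {
		return nil, fmt.Errorf("%s: at least one algorithm must be listed", key)
	}
	return out, nil
}

func main() {
	// Constructed values standing in for the proposed config.yaml entries.
	kex, err := ResolveAlgorithms("kex_algorithms", []string{"curve25519-sha256", "diffie-hellman-group14-sha256"})
	fmt.Println(kex, err)
	_, err = ResolveAlgorithms("ciphers", []string{"aes256-gcm"}) // typo: missing @openssh.com
	fmt.Println(err)
}
```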