tg123 / sshpiper

The missing reverse proxy for ssh scp
https://sshpiper.com/
MIT License

Configure cryptography parameters for downstream side #354

Open Nils98Ar opened 7 months ago

Nils98Ar commented 7 months ago

Is this possible somehow? E.g. restricting the allowed cryptography algorithms.

It would also be okay to build a new image from source or from base image.

tg123 commented 7 months ago

No cmd settings now, but if you prefer to compile it yourself, you can set it here:

https://github.com/tg123/sshpiper/blob/c83c27cb48489ac0c0552c05ee4da2369d6075c7/cmd/sshpiperd/daemon.go#L183

d.config.PiperConfig.PublicKeyAuthAlgorithms

PR is welcomed

Nils98Ar commented 7 months ago

@tg123

I have never worked with Go before, but I think it would be good to configure this via config file and environment variables?

This seems to be the default? https://github.com/golang/crypto/blob/v0.21.0/ssh/common.go#L142-L148

Nils98Ar commented 7 months ago

These are also interesting regarding security: supportedCiphers, preferredCiphers, supportedKexAlgos, serverForbiddenKexAlgos, preferredKexAlgos, supportedHostKeyAlgos, supportedMACs, hashFuncs.

Would it rather make sense to configure those per pipe or globally (e.g. in a downstream_config.yaml)?

tg123 commented 7 months ago

no config file yet, but will add them to sshpiperd cmd args

Nils98Ar commented 7 months ago

@tg123 Would we rather configure the ones from ssh/server.go (e.g. PublicKeyAuthAlgorithms) or from ssh/common.go (e.g. supportedPubKeyAuthAlgos)? I think the latter has more options, which are used as defaults for the former.

Nils98Ar commented 1 day ago

> no config file yet, but will add them to sshpiperd cmd args

We still need to configure the crypto parameters like key exchange algorithm, auth algorithms, ciphers, signature algorithm etc.

Might it be possible to add cmd args for those?

tg123 commented 1 day ago

Yes, I will add it soon.
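
Added example, not part of the thread and not sshpiper code: one way a command-line restriction like the one requested here could be validated before it reaches the SSH server configuration. The flag name, the function RestrictAlgos and the supportedCiphers list are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed list for illustration; a real build would take the supported
// names from the SSH library it links against.
var supportedCiphers = []string{
	"aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
	"chacha20-poly1305@openssh.com",
	"aes128-ctr", "aes192-ctr", "aes256-ctr",
}

// RestrictAlgos parses the comma-separated value of a hypothetical flag
// (e.g. --allowed-ciphers) and returns the names in the operator's order.
// It fails closed: unknown names, duplicates and an empty result are errors,
// so a typo never silently leaves the library defaults in effect.
func RestrictAlgos(kind, value string, supported []string) ([]string, error) {
	known := make(map[string]bool, len(supported))
	for _, s := range supported {
		known[s] = true
	}
	seen := make(map[string]bool)
	var out []string
	for _, name := range strings.Split(value, ",") {
		name = strings.TrimSpace(name)
		if name == "" {
			continue // tolerate stray commas and whitespace
		}
		if !known[name] {
			return nil, fmt.Errorf("%s: unsupported algorithm %q", kind, name)
		}
		if seen[name] {
			return nil, fmt.Errorf("%s: duplicate algorithm %q", kind, name)
		}
		seen[name] = true
		out = append(out, name)
	}
	if len(out) == 0 {
		return nil, fmt.Errorf("%s: restriction is empty", kind)
	}
	return out, nil
}

func main() {
	// Constructed sample input.
	algos, err := RestrictAlgos("ciphers",
		"chacha20-poly1305@openssh.com, aes256-gcm@openssh.com", supportedCiphers)
	fmt.Println(algos, err)
}
```

The returned slice is what would be assigned to a field such as Config.Ciphers on ssh.ServerConfig in golang.org/x/crypto/ssh; the same check applies to key exchange, MAC and public key algorithm lists.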