Configurable SSH cipher suite (#913)

* Configurable SSH cipher suite

* Update configuration file comment

* Add default in settings loading code

* Fix fmt and log messsage

* Remove default from code as this could probably might not be good idea

Author: spacetourist

conf/app.ini

@@ -125,6 +125,9 @@ SSH_PORT = 22
 SSH_LISTEN_PORT = %(SSH_PORT)s
 ; Root path of SSH directory, default is '~/.ssh', but you have to use '/home/git/.ssh'.
 SSH_ROOT_PATH =
+; For built-in SSH server only, choose the ciphers to support for SSH connections,
+; for system SSH this setting has no effect
+SSH_SERVER_CIPHERS = aes128-ctr, aes192-ctr, aes256-ctr, [email protected], arcfour256, arcfour128
 ; Directory to create temporary files when test public key using ssh-keygen,
 ; default is system temporary directory.
 SSH_KEY_TEST_PATH =

modules/setting/setting.go

@@ -96,6 +96,7 @@ var (
 		ListenHost           string         `ini:"SSH_LISTEN_HOST"`
 		ListenPort           int            `ini:"SSH_LISTEN_PORT"`
 		RootPath             string         `ini:"SSH_ROOT_PATH"`
+		ServerCiphers        []string       `ini:"SSH_SERVER_CIPHERS"`
 		KeyTestPath          string         `ini:"SSH_KEY_TEST_PATH"`
 		KeygenPath           string         `ini:"SSH_KEYGEN_PATH"`
 		AuthorizedKeysBackup bool           `ini:"SSH_AUTHORIZED_KEYS_BACKUP"`
@@ -708,6 +709,7 @@ func NewContext() {
 		SSH.Domain = Domain
 	}
 	SSH.RootPath = path.Join(homeDir, ".ssh")
+	SSH.ServerCiphers = sec.Key("SSH_SERVER_CIPHERS").Strings(",")
 	SSH.KeyTestPath = os.TempDir()
 	if err = Cfg.Section("server").MapTo(&SSH); err != nil {
 		log.Fatal(4, "Failed to map SSH settings: %v", err)

modules/ssh/ssh.go

@@ -151,8 +151,11 @@ func listen(config *ssh.ServerConfig, host string, port int) {
 }
 
 // Listen starts a SSH server listens on given port.
-func Listen(host string, port int) {
+func Listen(host string, port int, ciphers []string) {
 	config := &ssh.ServerConfig{
+		Config: ssh.Config{
+			Ciphers: ciphers,
+		},
 		PublicKeyCallback: func(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
 			pkey, err := models.SearchPublicKeyByContent(strings.TrimSpace(string(ssh.MarshalAuthorizedKey(key))))
 			if err != nil {

routers/init.go

@@ -77,7 +77,7 @@ func GlobalInit() {
 	checkRunMode()
 
 	if setting.InstallLock && setting.SSH.StartBuiltinServer {
-		ssh.Listen(setting.SSH.ListenHost, setting.SSH.ListenPort)
-		log.Info("SSH server started on %s:%v", setting.SSH.ListenHost, setting.SSH.ListenPort)
+		ssh.Listen(setting.SSH.ListenHost, setting.SSH.ListenPort, setting.SSH.ServerCiphers)
+		log.Info("SSH server started on %s:%d. Cipher list (%v)", setting.SSH.ListenHost, setting.SSH.ListenPort, setting.SSH.ServerCiphers)
 	}
 }