SSH Proxy with Password Authentication #573

@petkoval

Summary

After a pentest was executed, an issue with ssh-proxy was found. The service obviously accepts password authentication. Due to the limitations of the test, no automated tools were used to test for valid username/password combinations. Two key exchange algorithms, namely diffie-hellman-group14-sha1 and ecdh-sha2-nistp384, are considered weak by the tool sslcan.

Expected Result

According to the penetration testers:

It is assumed that this is for administrative use. In that case the support of password logins poses an additional risk. The “weak” key exchange ciphers currently do not add a noticeable risk here. However, it remains unclear why an SSH service is exposed to the internet. While an unnecessary service without further findings would usually result in a finding of low severity, the severity was raised to medium in this case, due to the risk that is related to password logins. It should be analysed whether the SSH service needs to be exposed to the internet and, if so, whether access can be restricted to known source IP addresses. It should also be assessed whether password login can be switched off.

Questions:

  1. Is it possible for the ssh-proxy feature to be enabled only for specific applications by the app developers?
  2. Is it possible for the key exchange algorithms to be replaced with "stronger" ones?
  3. Is it possible for access to be restricted to known source IP addresses?

Context

Diego version 2.49.0
Infrastructure - Azure

Steps to Reproduce

Run penetration test with sslcan.
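
An added example, not part of the original issue or of the Diego code base: a standard-library Go check that reads the `kex_algorithms` name-list from an SSH_MSG_KEXINIT payload (RFC 4253 layout) and reports which of the two algorithms named in this issue a server still offers, for example after a configuration change. The function names and the sample payload are constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Algorithms the scan described in this issue reported as weak.
var flagged = map[string]bool{
	"diffie-hellman-group14-sha1": true,
	"ecdh-sha2-nistp384":          true,
}

// flaggedKex parses an SSH_MSG_KEXINIT payload (message byte 20, 16-byte cookie,
// then kex_algorithms as uint32 length + comma-separated names) and returns the
// offered key exchange algorithms that are in the flagged set.
func flaggedKex(payload []byte) ([]string, error) {
	if len(payload) < 21 || payload[0] != 20 {
		return nil, errors.New("not an SSH_MSG_KEXINIT payload")
	}
	rest := payload[17:]
	n := binary.BigEndian.Uint32(rest[:4])
	if uint64(n) > uint64(len(rest)-4) {
		return nil, errors.New("truncated kex_algorithms name-list")
	}
	var hits []string
	for _, a := range strings.Split(string(rest[4:4+n]), ",") {
		if flagged[a] {
			hits = append(hits, a)
		}
	}
	return hits, nil
}

// samplePayload builds a constructed KEXINIT prefix (zero cookie) for the demo.
func samplePayload(list string) []byte {
	p := binary.BigEndian.AppendUint32(make([]byte, 17), uint32(len(list)))
	p[0] = 20
	return append(p, list...)
}

func main() {
	hits, err := flaggedKex(samplePayload("curve25519-sha256,ecdh-sha2-nistp384,diffie-hellman-group14-sha1"))
	fmt.Println(hits, err)
}
```
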
