Limit what algorithms or ciphers are used #730

Closed
rykr opened this issue Sep 21, 2020 · 5 comments

Comments

@rykr

rykr commented Sep 21, 2020

Is there a way to do this? To remove weak ones.

@j3zz3r

j3zz3r commented Jan 14, 2021

Any progress with this?
Interested in historic versions specific cipher support lists. Would like to progress hardening, removing weak cipher support.

@IgorMilavec
Collaborator

I use a helper function for this purpose:

    using Renci.SshNet;

    public static class SshConnectionHelper
    {
        // Builds a ConnectionInfo and removes selected algorithms from the sets offered to the server.
        public static ConnectionInfo CreateConnectionInfo(string host, ushort port, string userName, AuthenticationMethod[] authenticationMethods)
        {
            ConnectionInfo connectionInfo = new ConnectionInfo(
                host,
                port,
                userName,
                authenticationMethods);

            // MACs: MD5-based, truncated (-96) and RIPEMD-160 variants.
            #region Remove insecure hashes
            connectionInfo.HmacAlgorithms.Remove("hmac-md5");
            connectionInfo.HmacAlgorithms.Remove("hmac-md5-96");
            connectionInfo.HmacAlgorithms.Remove("hmac-sha1-96");
            connectionInfo.HmacAlgorithms.Remove("hmac-sha2-256-96");
            connectionInfo.HmacAlgorithms.Remove("hmac-sha2-512-96");
            connectionInfo.HmacAlgorithms.Remove("hmac-ripemd160");
            connectionInfo.HmacAlgorithms.Remove("hmac-ripemd160@openssh.com");
            #endregion
            // Ciphers: Blowfish, Twofish, RC4 (arcfour), 3DES, CAST-128 and 128/192-bit AES in CBC mode.
            #region Remove insecure ciphers
            connectionInfo.Encryptions.Remove("blowfish-cbc");
            connectionInfo.Encryptions.Remove("twofish-cbc");
            connectionInfo.Encryptions.Remove("twofish128-cbc");
            connectionInfo.Encryptions.Remove("twofish192-cbc");
            connectionInfo.Encryptions.Remove("twofish256-cbc");
            connectionInfo.Encryptions.Remove("arcfour");
            connectionInfo.Encryptions.Remove("arcfour128");
            connectionInfo.Encryptions.Remove("arcfour256");
            connectionInfo.Encryptions.Remove("3des-cbc");
            connectionInfo.Encryptions.Remove("cast128-cbc");
            connectionInfo.Encryptions.Remove("aes128-cbc");
            connectionInfo.Encryptions.Remove("aes192-cbc");
            #endregion
            // Key exchange: SHA-1 group exchange and the group1 Diffie-Hellman method.
            #region Remove insecure key exchange algorithms
            connectionInfo.KeyExchangeAlgorithms.Remove("diffie-hellman-group-exchange-sha1");
            connectionInfo.KeyExchangeAlgorithms.Remove("diffie-hellman-group1-sha1");
            #endregion

            return connectionInfo;
        }
    }

I agree that this should be configurable. However, with the spread of platforms SSH.NET is targeting, this might be hard to do in a consistent manner.
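
An allow-list variant of the helper in the comment above, as an added example that is not part of the original thread or of SSH.NET itself: instead of removing known-weak names, it keeps only approved ones and fails early if nothing is left to negotiate. The algorithm names in the three sets are an assumed policy, and `SshAlgorithmPolicy`, `Apply` and `RetainOnly` are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Renci.SshNet;

// Hypothetical helper (not part of SSH.NET): keeps only approved algorithm names.
public static class SshAlgorithmPolicy
{
    // Assumed policy for illustration; replace with the names your servers and policy require.
    private static readonly HashSet<string> AllowedCiphers =
        new HashSet<string> { "aes128-ctr", "aes192-ctr", "aes256-ctr" };
    private static readonly HashSet<string> AllowedMacs =
        new HashSet<string> { "hmac-sha2-256", "hmac-sha2-512" };
    private static readonly HashSet<string> AllowedKeyExchanges = new HashSet<string>
    {
        "curve25519-sha256", "curve25519-sha256@libssh.org",
        "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
        "diffie-hellman-group-exchange-sha256",
    };

    public static ConnectionInfo Apply(ConnectionInfo connectionInfo)
    {
        RetainOnly(connectionInfo.Encryptions, AllowedCiphers, "cipher");
        RetainOnly(connectionInfo.HmacAlgorithms, AllowedMacs, "MAC");
        RetainOnly(connectionInfo.KeyExchangeAlgorithms, AllowedKeyExchanges, "key exchange");
        return connectionInfo;
    }

    // Generic over the value type, so it does not depend on what each dictionary maps names to.
    private static void RetainOnly<TValue>(
        IDictionary<string, TValue> offered, ISet<string> allowed, string category)
    {
        // Snapshot the keys first: removing while enumerating the dictionary would throw.
        List<string> rejected = offered.Keys.Where(name => !allowed.Contains(name)).ToList();
        foreach (string name in rejected)
        {
            offered.Remove(name);
        }

        // Fail here rather than during negotiation if this library version supports nothing on the list.
        if (offered.Count == 0)
        {
            throw new InvalidOperationException(
                "No allowed " + category + " algorithm is supported by this SSH.NET version.");
        }
    }
}
```

Call `SshAlgorithmPolicy.Apply(connectionInfo)` before handing the `ConnectionInfo` to a client; algorithms that a later library version adds stay disabled until they are put on the list.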

@rykr
Author

rykr commented Mar 24, 2021 via email

@drieseng
Member

@IgorMilavec I have "Add a fluent API to build client" on my bucket list. Something to discuss?

@IgorMilavec
Collaborator

@drieseng that would be great. Can you please form your proposal in Discussions? There are quite a few issues related to this and I would like to close them and redirect to the discussion.
I think what needs to be discussed apart from API design is how to group algorithms (weak/strong, by some standard, ...).
