Limit what algorithms or ciphers are used #730
Comments
Any progress with this? |
I use a helper function for this purpose:

```csharp
public static ConnectionInfo CreateConnectionInfo(string host, ushort port, string userName, AuthenticationMethod[] authenticationMethods)
{
    ConnectionInfo connectionInfo = new ConnectionInfo(
        host,
        port,
        userName,
        authenticationMethods);

    #region Remove insecure hashes
    connectionInfo.HmacAlgorithms.Remove("hmac-md5");
    connectionInfo.HmacAlgorithms.Remove("hmac-md5-96");
    connectionInfo.HmacAlgorithms.Remove("hmac-sha1-96");
    connectionInfo.HmacAlgorithms.Remove("hmac-sha2-256-96");
    connectionInfo.HmacAlgorithms.Remove("hmac-sha2-512-96");
    connectionInfo.HmacAlgorithms.Remove("hmac-ripemd160");
    connectionInfo.HmacAlgorithms.Remove("hmac-ripemd160@openssh.com");
    #endregion

    #region Remove insecure ciphers
    connectionInfo.Encryptions.Remove("blowfish-cbc");
    connectionInfo.Encryptions.Remove("twofish-cbc");
    connectionInfo.Encryptions.Remove("twofish128-cbc");
    connectionInfo.Encryptions.Remove("twofish192-cbc");
    connectionInfo.Encryptions.Remove("twofish256-cbc");
    connectionInfo.Encryptions.Remove("arcfour");
    connectionInfo.Encryptions.Remove("arcfour128");
    connectionInfo.Encryptions.Remove("arcfour256");
    connectionInfo.Encryptions.Remove("3des-cbc");
    connectionInfo.Encryptions.Remove("cast128-cbc");
    connectionInfo.Encryptions.Remove("aes128-cbc");
    connectionInfo.Encryptions.Remove("aes192-cbc");
    #endregion

    #region Remove insecure key exchange algorithms
    connectionInfo.KeyExchangeAlgorithms.Remove("diffie-hellman-group-exchange-sha1");
    connectionInfo.KeyExchangeAlgorithms.Remove("diffie-hellman-group1-sha1");
    #endregion

    return connectionInfo;
}
```

I agree that this should be configurable. However, with the spread of platforms SSH.NET is targeting, this might be hard to do in a consistent manner. |
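An allow-list variant of the helper above, as an added example that is not part of the original thread or SSH.NET's own code: it keeps only approved names instead of removing known-bad ones, so algorithms registered by a later library version are not offered by default. The class name, the `KeepOnly` helper and the approved names are assumptions that stand in for your own policy and for what your servers support.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Renci.SshNet;

public static class HardenedConnectionInfo
{
    // Example policy (assumption): standard SSH algorithm names treated as acceptable.
    // Names the installed SSH.NET version does not register are simply never matched.
    private static readonly HashSet<string> AllowedCiphers = new HashSet<string>
        { "aes128-ctr", "aes192-ctr", "aes256-ctr" };
    private static readonly HashSet<string> AllowedMacs = new HashSet<string>
        { "hmac-sha2-256", "hmac-sha2-512" };
    private static readonly HashSet<string> AllowedKex = new HashSet<string>
    {
        "curve25519-sha256", "curve25519-sha256@libssh.org",
        "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
        "diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha256",
        "diffie-hellman-group16-sha512"
    };

    public static ConnectionInfo Create(string host, ushort port, string userName,
        params AuthenticationMethod[] authenticationMethods)
    {
        var info = new ConnectionInfo(host, port, userName, authenticationMethods);
        KeepOnly(info.Encryptions, AllowedCiphers, "cipher");
        KeepOnly(info.HmacAlgorithms, AllowedMacs, "MAC");
        KeepOnly(info.KeyExchangeAlgorithms, AllowedKex, "key exchange");
        return info;
    }

    // Hypothetical helper: removes every registered algorithm that is not on the allow-list.
    private static void KeepOnly<TValue>(IDictionary<string, TValue> registered,
        ISet<string> allowed, string kind)
    {
        // Snapshot the keys first; a dictionary cannot be modified while it is enumerated.
        foreach (var name in registered.Keys.Where(n => !allowed.Contains(n)).ToList())
        {
            registered.Remove(name);
        }
        // Fail at construction time rather than during negotiation with the server.
        if (registered.Count == 0)
        {
            throw new InvalidOperationException(
                "No allowed " + kind + " algorithm is registered by this SSH.NET version.");
        }
    }
}
```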
Thanks for the follow up
… On Mar 24, 2021, at 6:01 AM, Igor Milavec ***@***.***> wrote:
|
@IgorMilavec I have "Add a fluent API to build client" on my bucket list. Something to discuss? |
@drieseng that would be great. Can you please form your proposal in Discussions? There are quite a few issues related to this and I would like to close them and redirect to the discussion. |
Is there a way to do this? To remove weak ones