SyncTERM SSH support

+ Enabled all ssh2-streams supported KEX, ciphers, etc. for now. Will communicate with Deuce about this.
2018-11-04 19:29:51 -07:00 · 2018-11-04 19:29:51 -07:00 · 25560cb47a
parent 206312302a
commit 25560cb47a
2 changed files with 53 additions and 1 deletions
--- a/core/config.js
+++ b/core/config.js
@ -242,6 +242,57 @@ function getDefaultConfig() {
                privateKeyPem       : paths.join(__dirname, './../config/ssh_private_key.pem'),
                firstMenu           : 'sshConnected',
                firstMenuNewUser    : 'sshConnectedNewUser',
+
+                //
+                //  SSH details that can affect security. Stronger ciphers are better for example,
+                //  but terminals such as SyncTERM require KEX diffie-hellman-group14-sha1,
+                //  cipher 3des-cbc, etc.
+                //
+                //  See https://github.com/mscdex/ssh2-streams for the full list of supported
+                //  algorithms.
+                //
+                algorithms : {
+                    kex : [
+                        'ecdh-sha2-nistp256',
+                        'ecdh-sha2-nistp384',
+                        'ecdh-sha2-nistp521',
+                        'diffie-hellman-group-exchange-sha256',
+                        'diffie-hellman-group14-sha1',
+                        'diffie-hellman-group-exchange-sha1',
+                        'diffie-hellman-group1-sha1',
+                    ],
+                    cipher : [
+                        'aes128-ctr',
+                        'aes192-ctr',
+                        'aes256-ctr',
+                        'aes128-gcm',
+                        'aes128-gcm@openssh.com',
+                        'aes256-gcm',
+                        'aes256-gcm@openssh.com',
+                        'aes256-cbc',
+                        'aes192-cbc',
+                        'aes128-cbc',
+                        'blowfish-cbc',
+                        '3des-cbc',
+                        'arcfour256',
+                        'arcfour128',
+                        'cast128-cbc',
+                        'arcfour',
+                    ],
+                    hmac : [
+                        'hmac-sha2-256',
+                        'hmac-sha2-512',
+                        'hmac-sha1',
+                        'hmac-md5',
+                        'hmac-sha2-256-96',
+                        'hmac-sha2-512-96',
+                        'hmac-ripemd160',
+                        'hmac-sha1-96',
+                        'hmac-md5-96',
+                    ],
+                    //  note that we disable compression by default due to issues with many clients. YMMV.
+                    compress : [ 'none' ]
+                },
            },
            webSocket : {
                ws : {
--- a/core/servers/login/ssh.js
+++ b/core/servers/login/ssh.js
@ -251,12 +251,13 @@ exports.getModule = class SSHServerModule extends LoginServerModule {
            ident : 'enigma-bbs-' + enigVersion + '-srv',

            //  Note that sending 'banner' breaks at least EtherTerm!
+
            debug : (sshDebugLine) => {
                if(true === config.loginServers.ssh.traceConnections) {
                    Log.trace(`SSH: ${sshDebugLine}`);
                }
            },
-            algorithms: { compress: ['none'] },
+            algorithms : config.loginServers.ssh.algorithms,
        };

        this.server = ssh2.Server(serverConf);