Updated Branches: refs/heads/karaf-2.x ef651d7c9 -> a7e5444e6
[KARAF-2639] Provide a way to configure ciphers and macs and use only the secured one by default
Project: http://git-wip-us.apache.org/repos/asf/karaf/repo
Commit: http://git-wip-us.apache.org/repos/asf/karaf/commit/a7e5444e
Tree: http://git-wip-us.apache.org/repos/asf/karaf/tree/a7e5444e
Diff: http://git-wip-us.apache.org/repos/asf/karaf/diff/a7e5444e
Branch: refs/heads/karaf-2.x
Commit: a7e5444e6a16860f724105f6ab03955e0227ea6f
Parents: ef651d7
Author: Guillaume Nodet <[email protected]>
Authored: Wed Dec 18 22:48:53 2013 +0100
Committer: Guillaume Nodet <[email protected]>
Committed: Wed Dec 18 22:48:53 2013 +0100
----------------------------------------------------------------------
 .../org/apache/karaf/shell/ssh/SshUtils.java | 99 ++++++++++++++++++++
 .../resources/OSGI-INF/blueprint/shell-ssh.xml | 12 +++
 2 files changed, 111 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/karaf/blob/a7e5444e/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/SshUtils.java
----------------------------------------------------------------------
diff --git a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/SshUtils.java b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/SshUtils.java
new file mode 100644
index 0000000..7f29803
--- /dev/null
+++ b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/SshUtils.java
@@ -0,0 +1,99 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.karaf.shell.ssh;
+
+import java.security.InvalidKeyException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Iterator;
+import java.util.LinkedList;
+import java.util.List;
+
+import org.apache.sshd.common.Cipher;
+import org.apache.sshd.common.Mac;
+import org.apache.sshd.common.NamedFactory;
+import org.apache.sshd.common.cipher.AES128CBC;
+import org.apache.sshd.common.cipher.AES128CTR;
+import org.apache.sshd.common.cipher.AES192CBC;
+import org.apache.sshd.common.cipher.AES256CBC;
+import org.apache.sshd.common.cipher.AES256CTR;
+import org.apache.sshd.common.cipher.ARCFOUR128;
+import org.apache.sshd.common.cipher.ARCFOUR256;
+import org.apache.sshd.common.cipher.BlowfishCBC;
+import org.apache.sshd.common.cipher.TripleDESCBC;
+import org.apache.sshd.common.mac.HMACMD5;
+import org.apache.sshd.common.mac.HMACMD596;
+import org.apache.sshd.common.mac.HMACSHA1;
+import org.apache.sshd.common.mac.HMACSHA196;
+
+public class SshUtils {
+
+ public static <S> List<NamedFactory<S>> filter(Collection<NamedFactory<S>> factories, String names) {
+ List<NamedFactory<S>> list = new ArrayList<NamedFactory<S>>();
+ for (String name : names.split(",")) {
+ for (NamedFactory<S> factory : factories) {
+ if (factory.getName().equals(name)) {
+ list.add(factory);
+ }
+ }
+ }
+ return list;
+ }
+
+ public static List<NamedFactory<Mac>> buildMacs(String names) {
+ return filter(Arrays.<NamedFactory<Mac>>asList(
+ new HMACMD5.Factory(),
+ new HMACSHA1.Factory(),
+ new HMACMD596.Factory(),
+ new HMACSHA196.Factory()),
+ names);
+ }
+
+ public static List<NamedFactory<Cipher>> buildCiphers(String names) {
+ List<NamedFactory<Cipher>> avail = new LinkedList<NamedFactory<Cipher>>();
+ avail.add(new AES128CTR.Factory());
+ avail.add(new AES256CTR.Factory());
+ avail.add(new ARCFOUR128.Factory());
+ avail.add(new ARCFOUR256.Factory());
+ avail.add(new AES128CBC.Factory());
+ avail.add(new TripleDESCBC.Factory());
+ avail.add(new BlowfishCBC.Factory());
+ avail.add(new AES192CBC.Factory());
+ avail.add(new AES256CBC.Factory());
+
+ avail = filter(avail, names);
+
+ for (Iterator<NamedFactory<Cipher>> i = avail.iterator(); i.hasNext();) {
+ final NamedFactory<Cipher> f = i.next();
+ try {
+ final Cipher c = f.create();
+ final byte[] key = new byte[c.getBlockSize()];
+ final byte[] iv = new byte[c.getIVSize()];
+ c.init(Cipher.Mode.Encrypt, key, iv);
+ } catch (InvalidKeyException e) {
+ i.remove();
+ } catch (Exception e) {
+ i.remove();
+ }
+ }
+ return avail;
+ }
+
+}
http://git-wip-us.apache.org/repos/asf/karaf/blob/a7e5444e/shell/ssh/src/main/resources/OSGI-INF/blueprint/shell-ssh.xml
----------------------------------------------------------------------
diff --git a/shell/ssh/src/main/resources/OSGI-INF/blueprint/shell-ssh.xml b/shell/ssh/src/main/resources/OSGI-INF/blueprint/shell-ssh.xml
index 8787c3a..6a79a42 100644
--- a/shell/ssh/src/main/resources/OSGI-INF/blueprint/shell-ssh.xml
+++ b/shell/ssh/src/main/resources/OSGI-INF/blueprint/shell-ssh.xml
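Review bot: `filter` silently drops every configured token that matches no factory, and it compares the raw token without trimming, so a `ciphers`/`macs` value written as `aes256-ctr, aes128-ctr` (with a space) or containing a misspelled name narrows the algorithm set the server offers without any trace, down to an empty list in the worst case. Iterate over `raw`, compare `String name = raw.trim();`, and report each token that matched nothing, through the bundle's logger or by throwing `IllegalArgumentException`, so an operator who intends to harden the server can see that the setting was not honoured. In `buildCiphers` the `catch (InvalidKeyException e)` clause is subsumed by the following `catch (Exception e)` and both remove the cipher silently; collapsing them into one clause that also reports which cipher the JVM rejected (for example a key length the installed JCE policy refuses — the hunk does not show the cause) would make the effective cipher set visible at startup. A Javadoc line on both `build*` methods stating that the result keeps the order of `names` and omits names with no matching factory would document the contract the blueprint wiring relies on.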
@@ -47,6 +47,8 @@
 <cm:property name="authMethods" value="keyboard-interactive,password,publickey"/>
 <cm:property name="keySize" value="1024"/>
 <cm:property name="algorithm" value="DSA"/>
+ <cm:property name="macs" value="hmac-sha1" />
+ <cm:property name="ciphers" value="aes256-ctr,aes192-ctr,aes128-ctr,arcfour256" />
 </cm:default-properties>
 </cm:property-placeholder>
@@ -78,6 +80,16 @@
 <bean id="sshServer" class="org.apache.sshd.SshServer" factory-method="setUpDefaultServer" scope="prototype">
 <property name="port" value="${sshPort}"/>
 <property name="host" value="${sshHost}"/>
+ <property name="macFactories">
+ <bean class="org.apache.karaf.shell.ssh.SshUtils" factory-method="buildMacs">
+ <argument value="${macs}" />
+ </bean>
+ </property>
+ <property name="cipherFactories">
+ <bean class="org.apache.karaf.shell.ssh.SshUtils" factory-method="buildCiphers">
+ <argument value="${ciphers}" />
+ </bean>
+ </property>
 <property name="shellFactory">
 <bean class="org.apache.karaf.shell.ssh.ShellFactoryImpl">
 <property name="commandProcessor" ref="commandProcessor"/>
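Review bot: The default `ciphers` value lists `aes192-ctr`, but `SshUtils.buildCiphers` in this commit registers `AES192CBC` and no `aes192-ctr` factory, so that token matches nothing and the effective default is `aes256-ctr,aes128-ctr,arcfour256`. Either register the matching factory in `buildCiphers` (if the SSHD version in use provides one) or drop the token, so the documented default matches what the server actually offers. `arcfour256` (RC4) is also a questionable member of a default that the commit describes as "only the secured one": RC4 is widely regarded as weak and adds nothing once the AES-CTR ciphers are available, so consider leaving it out of the default and letting operators opt in through the `ciphers` property. A short comment next to the two properties, e.g. `<!-- comma-separated SSH algorithm names; names the server does not know are ignored -->`, would tell operators how the values are interpreted.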
