Repository: karaf
Updated Branches:
refs/heads/karaf-4.0.x 1db9d014e -> 9d30b8c83
[KARAF-3622]Enhance SSH configuration mechanism
(cherry picked from commit 44323c27529c8668db6cc836f00d0bb75e2cb4d5)
Conflicts:
shell/ssh/src/main/java/org/apache/karaf/shell/ssh/SshUtils.java
Project: http://git-wip-us.apache.org/repos/asf/karaf/repo
Commit: http://git-wip-us.apache.org/repos/asf/karaf/commit/9c878c99
Tree: http://git-wip-us.apache.org/repos/asf/karaf/tree/9c878c99
Diff: http://git-wip-us.apache.org/repos/asf/karaf/diff/9c878c99
Branch: refs/heads/karaf-4.0.x
Commit: 9c878c992a2fa2b516089b47687475211b799ba9
Parents: 20120ad
Author: Freeman Fang <[email protected]>
Authored: Wed Nov 2 15:57:41 2016 +0800
Committer: Freeman Fang <[email protected]>
Committed: Wed Nov 2 17:47:35 2016 +0800
----------------------------------------------------------------------
.../resources/etc/org.apache.karaf.shell.cfg | 20 +++
shell/ssh/pom.xml | 6 +
.../org/apache/karaf/shell/ssh/Activator.java | 6 +-
.../org/apache/karaf/shell/ssh/SshUtils.java | 133 ++++++++++++-------
.../apache/karaf/shell/ssh/SshUtilsTest.java | 103 ++++++++++++++
5 files changed, 215 insertions(+), 53 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/karaf/blob/9c878c99/assemblies/features/base/src/main/resources/resources/etc/org.apache.karaf.shell.cfg
----------------------------------------------------------------------
diff --git
a/assemblies/features/base/src/main/resources/resources/etc/org.apache.karaf.shell.cfg
b/assemblies/features/base/src/main/resources/resources/etc/org.apache.karaf.shell.cfg
index de4b163..e996b1b 100644
---
a/assemblies/features/base/src/main/resources/resources/etc/org.apache.karaf.shell.cfg
+++
b/assemblies/features/base/src/main/resources/resources/etc/org.apache.karaf.shell.cfg
@@ -93,4 +93,24 @@ hostKeyFormat = simple
# This property define the default value when you use the Karaf shell console.
# You can change the completion mode directly in the shell console, using
shell:completion command.
#
+
+#
+# Override allowed SSH cipher algorithms.
+# Default: aes128-ctr,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc
+#
+# ciphers = aes128-ctr,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc
+
+#
+# Override allowed SSH HMAC algorithms.
+# Default: hmac-sha2-512,hmac-sha2-256,hmac-sha1
+#
+# macs = hmac-sha2-512,hmac-sha2-256,hmac-sha1
+
+#
+# Override allowed SSH key exchange algorithms.
+# Default:
diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
+#
+# kexAlgorithms =
diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
+
+
completionMode = GLOBAL
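Review bot: The three new comment blocks document the default lists but not what happens to a name the embedded SSH server does not provide; per `SshUtils.filter` in this same commit such an entry is logged at WARN and dropped, and surrounding whitespace is trimmed, neither of which an operator editing this file can know. A line such as `# Entries not supported by the embedded SSH server are ignored with a warning in the log.` under each `Override ...` heading would save a trip to the source. The hunk also leaves two blank lines before `completionMode = GLOBAL` where one would do.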
http://git-wip-us.apache.org/repos/asf/karaf/blob/9c878c99/shell/ssh/pom.xml
----------------------------------------------------------------------
diff --git a/shell/ssh/pom.xml b/shell/ssh/pom.xml
index 6df2159..685f18b 100644
--- a/shell/ssh/pom.xml
+++ b/shell/ssh/pom.xml
@@ -103,6 +103,12 @@
<version>${commons-io.version}</version>
<scope>test</scope>
</dependency>
+
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-simple</artifactId>
+ <scope>test</scope>
+ </dependency>
</dependencies>
<build>
http://git-wip-us.apache.org/repos/asf/karaf/blob/9c878c99/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/Activator.java
----------------------------------------------------------------------
diff --git a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/Activator.java
b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/Activator.java
index 70a8899..ad1c3b7 100644
--- a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/Activator.java
+++ b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/Activator.java
@@ -148,8 +148,9 @@ public class Activator extends BaseActivator implements
ManagedService {
String authMethods = getString("authMethods",
"keyboard-interactive,password,publickey");
int keySize = getInt("keySize", 4096);
String algorithm = getString("algorithm", "RSA");
- String macs = getString("macs", "hmac-sha1");
- String ciphers = getString("ciphers",
"aes256-ctr,aes192-ctr,aes128-ctr,arcfour256");
+ String macs = getString("macs",
"hmac-sha2-512,hmac-sha2-256,hmac-sha1");
+ String ciphers = getString("ciphers",
"aes128-ctr,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc");
+ String kexAlgorithms = getString("kexAlgorithms",
"diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1");
String welcomeBanner = getString("welcomeBanner", null);
AbstractGeneratorHostKeyProvider keyPairProvider;
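Review bot: The new `ciphers` default replaces `aes256-ctr,aes192-ctr,aes128-ctr,arcfour256` with a list that keeps a single CTR cipher and adds `aes128-cbc`, `3des-cbc`, `blowfish-cbc` and `arcfour128`, so a fresh install now offers CBC-mode, 64-bit-block and RC4 ciphers it did not offer before, and the `kexAlgorithms` default ends with `diffie-hellman-group1-sha1`. Under RFC 4253 the negotiated algorithm is the first entry of the client's list that the server also offers, so a client that prefers one of these gets it no matter where the server lists it. If the change is meant to widen client compatibility, say so in a comment on the `getString("ciphers", ...)` line and keep the stronger entries in the list, e.g. `String ciphers = getString("ciphers", "aes256-ctr,aes192-ctr,aes128-ctr,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc");`, with the `org.apache.karaf.shell.cfg` comments and `testCiphersDefault` updated to match; whether the bundled SSHD defaults still provide the 192/256-bit CTR ciphers should be confirmed, since the probe that used to check JCE key-length support was removed from `SshUtils` in this commit. The enclosing method starts and ends outside the hunk.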
@@ -181,6 +182,7 @@ public class Activator extends BaseActivator implements
ManagedService {
server.setHost(sshHost);
server.setMacFactories(SshUtils.buildMacs(macs));
server.setCipherFactories(SshUtils.buildCiphers(ciphers));
+
server.setKeyExchangeFactories(SshUtils.buildKexAlgorithms(kexAlgorithms));
server.setShellFactory(new ShellFactoryImpl(sessionFactory));
server.setCommandFactory(new ScpCommandFactory(new
ShellCommandFactory(sessionFactory)));
server.setSubsystemFactories(Arrays.<NamedFactory<org.apache.sshd.server.Command>>asList(new
SftpSubsystem.Factory()));
http://git-wip-us.apache.org/repos/asf/karaf/blob/9c878c99/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/SshUtils.java
----------------------------------------------------------------------
diff --git a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/SshUtils.java
b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/SshUtils.java
index 7f29803..18e819c 100644
--- a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/SshUtils.java
+++ b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/SshUtils.java
@@ -18,82 +18,113 @@
*/
package org.apache.karaf.shell.ssh;
-import java.security.InvalidKeyException;
import java.util.ArrayList;
-import java.util.Arrays;
import java.util.Collection;
-import java.util.Iterator;
-import java.util.LinkedList;
import java.util.List;
+import org.apache.sshd.SshBuilder;
+import org.apache.sshd.SshServer;
+import org.apache.sshd.common.NamedFactory;
import org.apache.sshd.common.Cipher;
+import org.apache.sshd.common.Compression;
+import org.apache.sshd.common.KeyExchange;
import org.apache.sshd.common.Mac;
-import org.apache.sshd.common.NamedFactory;
-import org.apache.sshd.common.cipher.AES128CBC;
-import org.apache.sshd.common.cipher.AES128CTR;
-import org.apache.sshd.common.cipher.AES192CBC;
-import org.apache.sshd.common.cipher.AES256CBC;
-import org.apache.sshd.common.cipher.AES256CTR;
-import org.apache.sshd.common.cipher.ARCFOUR128;
-import org.apache.sshd.common.cipher.ARCFOUR256;
-import org.apache.sshd.common.cipher.BlowfishCBC;
-import org.apache.sshd.common.cipher.TripleDESCBC;
-import org.apache.sshd.common.mac.HMACMD5;
-import org.apache.sshd.common.mac.HMACMD596;
-import org.apache.sshd.common.mac.HMACSHA1;
-import org.apache.sshd.common.mac.HMACSHA196;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
public class SshUtils {
- public static <S> List<NamedFactory<S>> filter(Collection<NamedFactory<S>>
factories, String names) {
+ private static final Logger LOGGER =
LoggerFactory.getLogger(SshUtils.class);
+
+ public static <S> List<NamedFactory<S>> filter(Class<S> type,
+ Collection<NamedFactory<S>> factories, String names) {
List<NamedFactory<S>> list = new ArrayList<NamedFactory<S>>();
for (String name : names.split(",")) {
+ name = name.trim();
+ boolean found = false;
for (NamedFactory<S> factory : factories) {
if (factory.getName().equals(name)) {
list.add(factory);
+ found = true;
+ break;
}
}
+ if (!found) {
+ LOGGER.warn("Configured " + type.getSimpleName().toLowerCase()
+ + " '" + name + "' not available");
+ }
}
return list;
}
public static List<NamedFactory<Mac>> buildMacs(String names) {
- return filter(Arrays.<NamedFactory<Mac>>asList(
- new HMACMD5.Factory(),
- new HMACSHA1.Factory(),
- new HMACMD596.Factory(),
- new HMACSHA196.Factory()),
- names);
+ return filter(Mac.class, new ServerConfig().getMacFactories(), names);
}
+
public static List<NamedFactory<Cipher>> buildCiphers(String names) {
- List<NamedFactory<Cipher>> avail = new
LinkedList<NamedFactory<Cipher>>();
- avail.add(new AES128CTR.Factory());
- avail.add(new AES256CTR.Factory());
- avail.add(new ARCFOUR128.Factory());
- avail.add(new ARCFOUR256.Factory());
- avail.add(new AES128CBC.Factory());
- avail.add(new TripleDESCBC.Factory());
- avail.add(new BlowfishCBC.Factory());
- avail.add(new AES192CBC.Factory());
- avail.add(new AES256CBC.Factory());
-
- avail = filter(avail, names);
-
- for (Iterator<NamedFactory<Cipher>> i = avail.iterator();
i.hasNext();) {
- final NamedFactory<Cipher> f = i.next();
- try {
- final Cipher c = f.create();
- final byte[] key = new byte[c.getBlockSize()];
- final byte[] iv = new byte[c.getIVSize()];
- c.init(Cipher.Mode.Encrypt, key, iv);
- } catch (InvalidKeyException e) {
- i.remove();
- } catch (Exception e) {
- i.remove();
- }
+ ServerConfig defaults = new ServerConfig();
+ List<NamedFactory<Cipher>> avail = defaults.getCipherFactories();
+ return filter(Cipher.class, avail, names);
+ }
+
+ public static List<NamedFactory<KeyExchange>> buildKexAlgorithms(String
names) {
+ ServerConfig defaults = new ServerConfig();
+ List<NamedFactory<KeyExchange>> avail =
defaults.getKeyExchangeFactories();
+
+ return filter(KeyExchange.class, avail, names);
+ }
+
+ /**
+ * Simple helper class to avoid duplicating available configuration
entries.
+ */
+ private static final class ServerConfig extends SshBuilder.ServerBuilder {
+
+ public ServerConfig() {
+ this.build();
+ }
+
+ /**
+ * Just initializes the default configuration - does not create a
+ * server instance.
+ *
+ * @return always <code>null</code>
+ */
+ @Override
+ public SshServer build() {
+ return this.build(true);
+ }
+
+ /**
+ * Just initializes the default configuration - does not create a
+ * server instance.
+ *
+ * @return always <code>null</code>
+ */
+ @Override
+ public SshServer build(boolean isFillWithDefaultValues) {
+ if (isFillWithDefaultValues) {
+ this.fillWithDefaultValues();
+ }
+ return null;
+ }
+
+ public List<NamedFactory<KeyExchange>> getKeyExchangeFactories() {
+ return keyExchangeFactories;
+ }
+
+ public List<NamedFactory<Cipher>> getCipherFactories() {
+ return cipherFactories;
+ }
+
+ public List<NamedFactory<Compression>> getCompressionFactories() {
+ return compressionFactories;
+ }
+
+ public List<NamedFactory<Mac>> getMacFactories() {
+ return macFactories;
}
- return avail;
}
}
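Review bot: `filter` returns an empty list when none of the configured names match, because a miss at the `if (!found)` block only logs a warning; `Activator` then hands that empty list to `setCipherFactories`, `setMacFactories` or `setKeyExchangeFactories`, and presumably no client can complete key exchange against a server that offers nothing in that class, with a single WARN line as the only explanation. A mistyped hardening setting should fail closed and loudly: after the outer loop add `if (list.isEmpty()) { throw new IllegalArgumentException("None of the configured " + type.getSimpleName().toLowerCase(Locale.ROOT) + " names are available: " + names); }`. The warning itself should use SLF4J's parameterized form, `LOGGER.warn("Configured {} '{}' not available", type.getSimpleName().toLowerCase(Locale.ROOT), name);`, rather than string concatenation. Note too that the removed `buildCiphers` body instantiated each selected cipher and dropped those whose key length the JCE policy rejects; the new code trusts `SshBuilder.ServerBuilder`'s defaults, so unless that builder performs the same check a cipher the policy cannot key is now advertised and fails at negotiation instead of being dropped at startup — worth confirming against the bundled SSHD version and recording in the `buildCiphers` Javadoc.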
http://git-wip-us.apache.org/repos/asf/karaf/blob/9c878c99/shell/ssh/src/test/java/org/apache/karaf/shell/ssh/SshUtilsTest.java
----------------------------------------------------------------------
diff --git
a/shell/ssh/src/test/java/org/apache/karaf/shell/ssh/SshUtilsTest.java
b/shell/ssh/src/test/java/org/apache/karaf/shell/ssh/SshUtilsTest.java
new file mode 100644
index 0000000..6456167
--- /dev/null
+++ b/shell/ssh/src/test/java/org/apache/karaf/shell/ssh/SshUtilsTest.java
@@ -0,0 +1,103 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.karaf.shell.ssh;
+
+import java.io.IOException;
+import java.util.List;
+import org.apache.sshd.common.Cipher;
+import org.apache.sshd.common.KeyExchange;
+import org.apache.sshd.common.Mac;
+import org.apache.sshd.common.NamedFactory;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+public class SshUtilsTest {
+
+
+ @Test
+ public void testCiphersDefault() throws IOException {
+ // verify our default configuration...
+ String ciphers =
"aes128-ctr,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc";
+
+ List<NamedFactory<Cipher>> list = SshUtils.buildCiphers(ciphers);
+
+ // verify that all configured ciphers are actually resolved...
+ for (String cipher : ciphers.split(",")) {
+ boolean found = false;
+ for (NamedFactory<Cipher> factory : list) {
+ if (factory.getName().equalsIgnoreCase(cipher)) {
+ found = true;
+ break;
+ }
+ }
+
+ if (!found) {
+ Assert.fail("Configured default cipher '" + cipher + "' cannot
be resolved");
+ }
+ }
+ }
+
+ @Test
+ public void testMacsDefault() throws IOException {
+ // verify our default configuration...
+ String macs = "hmac-sha2-512,hmac-sha2-256,hmac-sha1";
+
+ List<NamedFactory<Mac>> list = SshUtils.buildMacs(macs);
+
+ // verify that all configured HMACs are actually resolved...
+ for (String mac : macs.split(",")) {
+ boolean found = false;
+ for (NamedFactory<Mac> factory : list) {
+ if (factory.getName().equalsIgnoreCase(mac)) {
+ found = true;
+ break;
+ }
+ }
+
+ if (!found) {
+ Assert.fail("Configured default HMAC '" + mac + "' cannot be
resolved");
+ }
+ }
+ }
+
+ @Test
+ public void testKexAlgorithmsDefault() throws IOException {
+ // verify our default configuration...
+ String kexAlgorithms =
"diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1";
+
+ List<NamedFactory<KeyExchange>> list =
SshUtils.buildKexAlgorithms(kexAlgorithms);
+
+ // verify that all configured key exchange algorithms are actually
resolved...
+ for (String kex : kexAlgorithms.split(",")) {
+ boolean found = false;
+ for (NamedFactory<KeyExchange> factory : list) {
+ if (factory.getName().equalsIgnoreCase(kex)) {
+ found = true;
+ break;
+ }
+ }
+
+ if (!found) {
+ Assert.fail("Configured default key exchange algorithm '" +
kex + "' cannot be resolved");
+ }
+ }
+ }
+}
+
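Review bot: The lookup at `factory.getName().equalsIgnoreCase(cipher)` (and the same comparison in `testMacsDefault` and `testKexAlgorithmsDefault`) is looser than the production match in `SshUtils.filter`, which uses `equals`, so a case mismatch between the default string in `Activator` and the SSHD factory names would pass here yet be dropped at runtime; use `equals` to mirror the code under test. The trimming and unknown-name handling added to `filter` in this commit has no test; one case calling `SshUtils.buildCiphers(" aes128-ctr , no-such-cipher")` (second entry made up) and asserting a single `aes128-ctr` result would cover both. The `throws IOException` on each test method is unused and can be dropped.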