andrewmusselman opened a new issue, #677:
URL: https://github.com/apache/tooling-trusted-releases/issues/677
**ASVS References:** 11.3.1 (INFO-02), 11.3.2 (Finding 1 — Medium)
### Description
The SSH server created via `asyncssh.create_server()` in `atr/ssh.py` (line
~147) does not specify explicit `encryption_algs`, `kex_algs`, or `mac_algs`.
While asyncssh's current defaults are secure, relying on implicit defaults
means:
- A client could potentially negotiate a legacy algorithm if one is
supported by the library.
- Future library updates could change defaults without the application
noticing.
- There is no auditable record of which algorithms are intentionally
permitted.
### Current code
```python
server = await asyncssh.create_server(
SSHServer,
server_host_keys=[key_path],
process_factory=process_factory,
host=_CONFIG.SSH_HOST,
port=_CONFIG.SSH_PORT,
encoding=None,
)
```
### Recommended remediation
```python
APPROVED_CIPHERS = [
'[email protected]',
'[email protected]',
'aes256-ctr',
'aes128-ctr',
]
APPROVED_KEX = [
'curve25519-sha256',
'ecdh-sha2-nistp256',
'diffie-hellman-group16-sha512',
]
APPROVED_MACS = [
'[email protected]',
'[email protected]',
]
server = await asyncssh.create_server(
SSHServer,
server_host_keys=[key_path],
process_factory=process_factory,
host=_CONFIG.SSH_HOST,
port=_CONFIG.SSH_PORT,
encoding=None,
encryption_algs=APPROVED_CIPHERS,
kex_algs=APPROVED_KEX,
mac_algs=APPROVED_MACS,
)
```
### Severity
Medium — This is the only non-informational finding across all three audits.
It is a defense-in-depth gap, not an active vulnerability.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
