[ https://issues.apache.org/jira/browse/KARAF-3622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14369360#comment-14369360 ]

Ancoron Luciferis commented on KARAF-3622:
------------------------------------------

An example to check this in real life:

# On a released unmodified Karaf 3.0.3:{noformat}
$ ssh -v -c aes256-ctr,aes128-ctr -m hmac-sha2-512,hmac-sha2-256 -o KexAlgorithms=diffie-hellman-group-exchange-sha256 -p 8101 [email protected]
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Connecting to 127.0.0.1 [127.0.0.1] port 8101.
debug1: Connection established.
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: Remote protocol version 2.0, remote software version SSHD-CORE-0.12.0
debug1: no match: SSHD-CORE-0.12.0
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
no matching mac found: client hmac-sha2-512,hmac-sha2-256 server hmac-sha1
{noformat}
# On a patched 3.0.x snapshot:{noformat}
$ ssh -c aes256-ctr,aes128-ctr -m hmac-sha2-512,hmac-sha2-256 -o KexAlgorithms=diffie-hellman-group-exchange-sha256 -p 8101 [email protected]
Password authentication
Password: 
        __ __                  ____      
       / //_/____ __________ _/ __/      
      / ,<  / __ `/ ___/ __ `/ /_        
     / /| |/ /_/ / /  / /_/ / __/        
    /_/ |_|\__,_/_/   \__,_/_/         

  Apache Karaf (3.0.4-SNAPSHOT)

Hit '<tab>' for a list of available commands
and '[cmd] --help' for help on a specific command.
Hit 'system:shutdown' to shutdown Karaf.
Hit '<ctrl-d>' or type 'logout' to disconnect shell from current session.

karaf@root()>
{noformat}


> Enhance SSH configuration mechanism
> -----------------------------------
>
>                 Key: KARAF-3622
>                 URL: https://issues.apache.org/jira/browse/KARAF-3622
>             Project: Karaf
>          Issue Type: Improvement
>          Components: karaf-shell
>    Affects Versions: 3.0.3
>            Reporter: Ancoron Luciferis
>            Assignee: Jean-Baptiste Onofré
>              Labels: security
>         Attachments: karaf-3.0.x-Improve-SSH-shell-configuration-support.patch
>
>
> Currently, the SSH configuration for the remote shell provides only limited 
> access to the configuration capabilities of the library being used (Apache 
> MINA/SSHD).
> E.g., it is currently not possible to configure a better HMAC than SHA1, 
> although the SSHD core library version 0.12+ supports at least 
> "hmac-sha2-512" and "hmac-sha2-256".
> Also, the key exchange mechanism is currently not configurable at all, which 
> makes it impossible to enforce highly secure connection establishment from 
> the server side.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
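
The check made by the two ssh runs above, as an added example that is not part of the original comment or of the Karaf/SSHD code: it parses a server's SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) and applies the client-preference negotiation rule to the MAC list. The sample payloads are constructed; only the `hmac-sha1` MAC list is taken from the output above, and `build_kexinit` and the other list contents are assumptions.

```python
import struct

# Name-lists of SSH_MSG_KEXINIT in wire order (RFC 4253, section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
SSH_MSG_KEXINIT = 20

def parse_kexinit(payload):
    """Return {field: [algorithm, ...]} from a raw KEXINIT payload."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset, offer = 17, {}            # skip message type + 16-byte cookie
    for field in FIELDS:
        if offset + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        if offset + length > len(payload):
            raise ValueError("truncated name-list")
        names = payload[offset:offset + length].decode("ascii")
        offer[field] = names.split(",") if names else []
        offset += length
    return offer

def negotiate(client_prefs, server_offer):
    """First client preference the server also offers, else None."""
    return next((alg for alg in client_prefs if alg in server_offer), None)

def build_kexinit(lists):
    """Hypothetical helper: builds the constructed sample payloads below."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for field in FIELDS:
        data = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(data)) + data
    return body + b"\x00" + bytes(4)  # first_kex_packet_follows + reserved

# Constructed samples: only the "hmac-sha1" MAC list comes from the ssh output.
CLIENT_MACS = ["hmac-sha2-512", "hmac-sha2-256"]
BASE = {"kex": ["diffie-hellman-group-exchange-sha256"],
        "enc_c2s": ["aes256-ctr", "aes128-ctr"],
        "enc_s2c": ["aes256-ctr", "aes128-ctr"]}
UNPATCHED = build_kexinit({**BASE, "mac_c2s": ["hmac-sha1"],
                           "mac_s2c": ["hmac-sha1"]})
PATCHED = build_kexinit({**BASE, "mac_c2s": CLIENT_MACS + ["hmac-sha1"],
                         "mac_s2c": CLIENT_MACS + ["hmac-sha1"]})

if __name__ == "__main__":
    for label, payload in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        mac = negotiate(CLIENT_MACS, parse_kexinit(payload)["mac_s2c"])
        print(label, "->", mac or "no matching mac found")
```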
