ssh: allow setting allowed MAC algorithms for built-in server #6435

Merged: unknwon merged 5 commits into gogs:main from eduardok:main on Dec 4, 2020
@eduardok eduardok commented Dec 1, 2020

Golang's crypto module (used by Gogs with its default MACs) defines hmac-sha1-96, which is considered weak by security scanning tools such as Tenable (https://www.tenable.com/plugins/nessus/71049).
This commit's app.ini drops hmac-sha1-96 given that it is the safer option.
The new configuration setting SSH_SERVER_MACS allows one to put hmac-sha1-96 back if necessary (unlikely).

Fixes issue #6434.
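
One way to check the effect of this change from the outside, as an added example that is not part of the pull request or of Gogs: parse a server's SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) and report whether hmac-sha1-96 is still advertised. The function names and the constructed sample payloads (zero cookie, placeholder algorithm lists) are assumptions for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// macOffered parses an SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) and
// reports whether name is in either MAC name-list (lists 4 and 5 of ten).
func macOffered(p []byte, name string) (bool, error) {
	if len(p) < 17 || p[0] != 20 { // message type 20, then a 16-byte cookie
		return false, errors.New("not a KEXINIT payload")
	}
	p = p[17:]
	for i := 0; i < 6; i++ { // nothing after the MAC lists is needed
		if len(p) < 4 || uint64(binary.BigEndian.Uint32(p)) > uint64(len(p)-4) {
			return false, errors.New("truncated name-list")
		}
		n := binary.BigEndian.Uint32(p)
		if i >= 4 { // mac_algorithms_client_to_server, then server_to_client
			for _, m := range strings.Split(string(p[4:4+n]), ",") {
				if m == name { // exact match, so hmac-sha1 != hmac-sha1-96
					return true, nil
				}
			}
		}
		p = p[4+n:]
	}
	return false, nil
}

// sampleKexInit builds a constructed payload whose two MAC lists are macs.
func sampleKexInit(macs string) []byte {
	p := append([]byte{20}, make([]byte, 16)...)
	lists := []string{"curve25519-sha256", "ssh-ed25519", "aes128-ctr", "aes128-ctr", macs, macs, "none", "none", "", ""}
	for _, l := range lists {
		p = binary.BigEndian.AppendUint32(p, uint32(len(l)))
		p = append(p, l...)
	}
	return append(p, 0, 0, 0, 0, 0) // first_kex_packet_follows + reserved
}

func main() {
	for _, macs := range []string{"hmac-sha2-256,hmac-sha1,hmac-sha1-96", "hmac-sha2-256,hmac-sha1"} {
		fmt.Println(macOffered(sampleKexInit(macs), "hmac-sha1-96"))
	}
}
```

On a live server the payload is the first packet the server sends after its version banner, before any encryption is negotiated.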


@unknwon unknwon left a comment

Thank you!

@unknwon added the "status: reviewed" and "status: waits for QA" labels Dec 4, 2020
@unknwon removed the "status: waits for QA" label Dec 4, 2020
@unknwon changed the title from "Introduce config setting to define allowed MAC algorithms" to "ssh: allow setting allowed MAC algorithms for built-in server" Dec 4, 2020
@unknwon merged commit c875950 into gogs:main Dec 4, 2020
@unknwon linked an issue Dec 4, 2020 that may be closed by this pull request
dna2github pushed a commit to dna2fork/gogs that referenced this pull request Dec 16, 2020
@github-actions bot locked as resolved and limited conversation to collaborators Mar 15, 2022
Development

Successfully merging this pull request may close these issues.

Allow setting allowed SSH MAC algorithms
