karaf-issues mailing list archives

From "Ancoron Luciferis (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (KARAF-3622) Enhance SSH configuration mechanism
Date Thu, 19 Mar 2015 14:14:38 GMT

    [ https://issues.apache.org/jira/browse/KARAF-3622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14369360#comment-14369360 ]

Ancoron Luciferis commented on KARAF-3622:
------------------------------------------

An example to check this in real life:

# On a released unmodified Karaf 3.0.3:{noformat}
$ ssh -v -c aes256-ctr,aes128-ctr -m hmac-sha2-512,hmac-sha2-256 -o KexAlgorithms=diffie-hellman-group-exchange-sha256 -p 8101 karaf@127.0.0.1
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Connecting to 127.0.0.1 [127.0.0.1] port 8101.
debug1: Connection established.
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: Remote protocol version 2.0, remote software version SSHD-CORE-0.12.0
debug1: no match: SSHD-CORE-0.12.0
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
no matching mac found: client hmac-sha2-512,hmac-sha2-256 server hmac-sha1
{noformat}
# On a patched 3.0.x snapshot:{noformat}
$ ssh -c aes256-ctr,aes128-ctr -m hmac-sha2-512,hmac-sha2-256 -o KexAlgorithms=diffie-hellman-group-exchange-sha256 -p 8101 karaf@127.0.0.1
Password authentication
Password: 
        __ __                  ____      
       / //_/____ __________ _/ __/      
      / ,<  / __ `/ ___/ __ `/ /_        
     / /| |/ /_/ / /  / /_/ / __/        
    /_/ |_|\__,_/_/   \__,_/_/         

  Apache Karaf (3.0.4-SNAPSHOT)

Hit '<tab>' for a list of available commands
and '[cmd] --help' for help on a specific command.
Hit 'system:shutdown' to shutdown Karaf.
Hit '<ctrl-d>' or type 'logout' to disconnect shell from current session.

karaf@root()>
{noformat}


> Enhance SSH configuration mechanism
> -----------------------------------
>
>                 Key: KARAF-3622
>                 URL: https://issues.apache.org/jira/browse/KARAF-3622
>             Project: Karaf
>          Issue Type: Improvement
>          Components: karaf-shell
>    Affects Versions: 3.0.3
>            Reporter: Ancoron Luciferis
>            Assignee: Jean-Baptiste Onofré
>              Labels: security
>         Attachments: karaf-3.0.x-Improve-SSH-shell-configuration-support.patch
>
>
> Currently, the SSH configuration for the remote shell provides only limited access to the configuration capabilities of the library being used (Apache MINA/SSHD).
> E.g., it is currently not possible to configure a better HMAC than SHA1, although the SSHD core library version 0.12+ supports at least "hmac-sha2-512" and "hmac-sha2-256".
> Also, the key exchange mechanism is currently not configurable at all, which makes it impossible to enforce highly secure connection establishment from the server side.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
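
Added example, not part of the original message or of the Karaf patch: the first session above fails because the server's SSH_MSG_KEXINIT offers only hmac-sha1. This Python code parses a KEXINIT payload (RFC 4253, section 7.1) and reports which fields offer nothing that a client restricted as in the comment would accept. The payloads, every algorithm list other than the hmac-sha1 MAC offer, and all function names are constructed for illustration.

```python
import struct
# Name-list order in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
SSH_MSG_KEXINIT = 20

def parse_kexinit(payload: bytes) -> dict:
    """Split a KEXINIT payload (starting at the message-type byte) into name-lists."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, offer = 17, {}  # skip the type byte and the 16-byte cookie
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (size,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + size > len(payload):
            raise ValueError("truncated name-list body")
        raw = payload[pos:pos + size].decode("ascii")
        offer[field] = raw.split(",") if raw else []
        pos += size
    return offer

def unmet(offer: dict, policy: dict) -> list:
    """Fields where the server offers nothing the policy allows (negotiation would fail)."""
    return sorted(f for f, allowed in policy.items() if not allowed & set(offer[f]))

def build_kexinit(lists: dict) -> bytes:
    """Helper for the constructed samples: encode name-lists as a KEXINIT payload."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for field in FIELDS:
        data = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(data)) + data
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

# Policy mirroring the -c, -m and KexAlgorithms options in the comment above.
CIPHERS, MACS = {"aes256-ctr", "aes128-ctr"}, {"hmac-sha2-512", "hmac-sha2-256"}
POLICY = {"kex": {"diffie-hellman-group-exchange-sha256"},
          "enc_c2s": CIPHERS, "enc_s2c": CIPHERS, "mac_c2s": MACS, "mac_s2c": MACS}
# Constructed server offers: only the hmac-sha1 MAC list comes from the log above.
BASE = {"kex": ["diffie-hellman-group-exchange-sha256"], "enc_c2s": ["aes128-ctr"],
        "enc_s2c": ["aes128-ctr"]}
UNMODIFIED = build_kexinit({**BASE, "mac_c2s": ["hmac-sha1"], "mac_s2c": ["hmac-sha1"]})
PATCHED = build_kexinit({**BASE, "mac_c2s": ["hmac-sha2-256", "hmac-sha1"],
                         "mac_s2c": ["hmac-sha2-256", "hmac-sha1"]})

if __name__ == "__main__":
    for label, payload in (("unmodified", UNMODIFIED), ("patched", PATCHED)):
        print(label, "unmet policy fields:", unmet(parse_kexinit(payload), POLICY))
```
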
