This is an automated email from the ASF dual-hosted git repository.

lgoldstein pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mina-sshd.git


The following commit(s) were added to refs/heads/master by this push:
     new 72224fa6f Improved documentation + HOWTO for strict KEX management
72224fa6f is described below

commit 72224fa6f76ef33fd80eebc46a8661866e6f7f62
Author: Lyor Goldstein <lgoldst...@apache.org>
AuthorDate: Sat Jan 6 10:20:27 2024 +0200

    Improved documentation + HOWTO for strict KEX management
---
 docs/howto.md     | 38 ++++++++++++++++++++++++++++++++++++++
 docs/standards.md | 18 ++++++++++++++++--
 2 files changed, 54 insertions(+), 2 deletions(-)

diff --git a/docs/howto.md b/docs/howto.md
index 70f0b64e4..af3aad189 100644
--- a/docs/howto.md
+++ b/docs/howto.md
@@ -23,3 +23,41 @@ In order to achieve this one needs to use a 
`ReservedSessionMessagesHandler` on
 The idea is to prevent the normal session establish flow by taking over the 
initial handshake identification and blocking the initial KEX message from the 
server.
 
 A sample implementation can be found in the 
`EndlessTarpitSenderSupportDevelopment` class in the *sshd-contrib* package 
*test* section.
+
+## Disabling strict KEX
+
+The current code implements the 
[strict-kex](https://github.com/openssh/openssh-portable/blob/master/PROTOCOL) 
extension by default. If users want/need to disable it, then
+this can be done *programmatically* as follows (the example is for the client, 
but a similar approach can be implemented for the server):
+
+
+```java
+class NoStrictKexSession extends ClientSessionImpl {
+    NoStrictKexSession(ClientFactoryManager client, IoSession ioSession) 
throws Exception {
+        super(client, ioSession);
+    }
+
+    @Override
+    protected Map<KexProposalOption, String> 
doStrictKexProposal(Map<KexProposalOption, String> proposal) {
+        return proposal;
+    }
+}
+
+class NoStrictKexSessionFactory extends SessionFactory {
+    NoStrictKexSessionFactory(ClientFactoryManager client) {
+        super(client);
+    }
+
+    @Override
+    protected ClientSessionImpl doCreateSession(IoSession ioSession) throws 
Exception {
+        return new NoStrictKexSession(getClient(), ioSession);
+    }
+}
+
+SshClient client = ...;
+SessionFactory factory = new NoStrictKexSessionFactory(client);
+client.setSessionFactory(factory);
+client.start();
+```
+
+If one needs to disable the protocol on a per-session basis, then it is 
possible to examine the peer's address (e.g., or anything else for that matter) 
in the `doCreateSession`
+or the `doStrictKexProposal` overrides and then invoke the super-class (for 
continuing with strict KEX) or return immediately (for disabling it).
\ No newline at end of file
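Review bot: the new section explains how to disable strict KEX but not what is given up or when that is warranted; add a sentence before the fence stating that switching it off removes the protection the strict-kex extension adds to the initial key exchange, so it should be done only for interoperability with a peer that cannot handle the extension, and preferably per peer (as the closing paragraph already suggests) rather than for the whole client. Smaller points in the same hunk: the snippet should name the packages of `ClientSessionImpl`, `SessionFactory`, `KexProposalOption`, `ClientFactoryManager` and `IoSession` (or carry the imports) so readers can locate them; the double blank line before the fence can be collapsed; "(e.g., or anything else for that matter)" reads awkwardly and could be "(or any other session attribute)"; and the file should end with a newline (`\ No newline at end of file`).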
diff --git a/docs/standards.md b/docs/standards.md
index d223bda4c..c2d8f28f8 100644
--- a/docs/standards.md
+++ b/docs/standards.md
@@ -35,7 +35,22 @@
 * [OpenSSH support for U2F/FIDO security 
keys](https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.u2f)
     * **Note:** the server side supports these keys by default. The client 
side requires specific initialization
 * [OpenSSH public-key certificate authentication system for use by 
SSH](https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.certkeys)
-* [OpenSSH strict key exchange 
extension](https://github.com/openssh/openssh-portable/blob/master/PROTOCOL)
+* [OpenSSH 1.9 transport: strict key exchange 
extension](https://github.com/openssh/openssh-portable/blob/master/PROTOCOL)
+* [(Some) OpenSSH SFTP 
extensions](https://github.com/openssh/openssh-portable/blob/master/PROTOCOL)
+
+**Note:** some implementations may be limited to client-side - i.e., we 
provide a capability for the client to detect if the server
+supports the extension and then use it, but our server does not publish it as 
being supported.
+
+| Section | Extension                  | Client | Server |
+| ------- | -------------------------- | ------ | ------ |
+| 4.3     | `posix-ren...@openssh.com` | Yes    | Yes    |
+| 4.4     | `stat...@openssh.com`      | Yes    | Yes    |
+| 4.4     | `fstat...@openssh.com`     | Yes    | Yes    |
+| 4.5     | `hardl...@openssh.com`     | Yes    | Yes    |
+| 4.6     | `fs...@openssh.com`        | Yes    | Yes    |
+| 4.7     | `lsets...@openssh.com`     | Yes    | Yes    |
+| 4.8     | `lim...@openssh.com`       | Yes    | Yes    |
+| 4.10    | `copy-data`                | Yes    | Yes    |
 
 ### SFTP version 3-6 + extensions
 
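Review bot: the added **Note** says some implementations may be limited to the client side, yet every row of the new table reads `Yes | Yes`, so either the note is stale or the client-only extensions are missing from the table; reconcile the two. Also, "OpenSSH 1.9 transport" reads like a version number; 1.9 is the section number within the linked PROTOCOL file, so "OpenSSH PROTOCOL section 1.9: strict key exchange extension" would be clearer, and a lead sentence saying that the table's "Section" column refers to the same file would help readers map the rows back to the specification.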
@@ -50,7 +65,6 @@
 * `copy-file`, `copy-data` - [DRAFT 00 - sections 6, 
7](https://tools.ietf.org/id/draft-ietf-secsh-filexfer-extensions-00.txt)
 * `space-available` - [DRAFT 09 - section 
9.2](https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-09#section-9.2)
 * `filename-charset`, `filename-translation-control` - [DRAFT 13 - section 
6](https://tools.ietf.org/html/draft-ietf-secsh-filexfer-13#section-6) - only 
client side
-* Several [OpenSSH SFTP 
extensions](https://github.com/openssh/openssh-portable/blob/master/PROTOCOL)
 
 ### Miscellaneous
 
