Merge branch 'master' into ev/i

Jirachai · Jun 12, 2017 · d046eae · d046eae
2 parents 3ff5820 + f697a0b
commit d046eae
Show file tree

Hide file tree

Showing 14 changed files with 434 additions and 44 deletions.
diff --git a/docs/2.0/admin-guide.md b/docs/2.0/admin-guide.md
@@ -190,6 +190,34 @@ teleport:
     storage:
         type: bolt
 
+    # Cipher algorithms that the server supports. This section only needs to be
+    # set if you want to override the defaults.
+    ciphers:
+      - aes128-ctr
+      - aes192-ctr
+      - aes256-ctr
+      - [email protected]
+      - arcfour256
+      - arcfour128
+
+    # Key exchange algorithms that the server supports. This section only needs
+    # to be set if you want to override the defaults.
+    kex_algos:
+      - kexAlgoCurve25519SHA256
+      - kexAlgoECDH256
+      - kexAlgoECDH384
+      - kexAlgoECDH521
+      - kexAlgoDH14SHA1
+      - kexAlgoDH1SHA1
+
+    # Message authentication code (MAC) algorithms that the server supports.
+    # This section only needs to be set if you want to override the defaults.
+    mac_algos:
+      - [email protected]
+      - hmac-sha2-256
+      - hmac-sha1
+      - hmac-sha1-96
+
 # This section configures the 'auth service':
 auth_service:
     # Turns 'auth' role on. Default is 'yes'

diff --git a/fixtures/certs/identities/ca.pem b/fixtures/certs/identities/ca.pem
@@ -0,0 +1 @@
+@cert-authority *.turing.local ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEk4cVIiydp9xSPIb8UqXpShY8zPlk/lpR69UL+0+RnNXtQl7GcQUZsrXDB2gOCfj+doKZj8Pt8oQVSDJF/vKhr+KS2Z+LC2Gyt8D5IY/acyyhSN5VoIo0JzIOr5CPGJNpLChREFuveV30hLihSfY52cqSvu7N5u34BlZ29WTLeBD9WssAG5HZUES8Xo3neHBl4SOck+mdiUvOIPhcnPiYRmYltOI3GJRu5y1xGemoPU3MnMziQMqnKCc2+To6IC8CkeQqa8D//BxLjenjSgn1K/SLUHraMb5qCmf77fyshj6A9jamgo0UOaOqem+jyg8idnz6JbVfXwW0nEaSyPzX type=host
diff --git a/fixtures/certs/identities/key-cert-ca.pem b/fixtures/certs/identities/key-cert-ca.pem
@@ -0,0 +1,29 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEAvensowyZI/NJNiSdopl0E12+FX4xFx8TwpV+LsNE4e3Sejcb
+ym/gHwG2hXWLt8SY8lIRZB4NIT7TIXv7m6tMK3o5E7WMHfO4lo/MLvmoks4kXsaY
+VwpcTbfEVr/tZoAFWbgUjx4OI8pK2M6WkDqpiIjnDAabphacANnFzUYC2xHWeLsK
+TYwWMMRooIdZudDohb3Fxb68LxpJKg8BMSGgqkqCvhNzZky7eiOXk1b43YcUsyqs
+Beub2PV1qoeMNST9jRwkEpModq5QuFjNJqZMi+GZiXSLERY9Q8Tezr5muh0vACiX
+og8koblqLp8ArKCt96J46/om/XGFAL7Ck3QfaQIDAQABAoIBAQC8/4DNXytEWMiC
+RnxOJhMbds5Fy3kFPptGqcmStifmA+zUTeWtWBseIHFJbgqmztM7TKscDMAaVtB8
+4Usrx5SdLByDXchcwoDv7ZlRIoo910Lgwxk2fgwQGBMgFg8nU75/ZC+pokqGGbrU
++vth+89eHoh5MlZSOuvz+MXeHI+Y/Pep5l6reqV3c4EqvncV8Ws31+wNRlpJJZ5a
+hpJhwJTkFW9Ry/ifQ7Ub/mYOrXKe1Y8eak6zFMab//8t9zxSTzCPwNrXMx8AzCZy
+G3TBw2UEkU2dUFH3/5hg7tgdE+xPYH/6tGozmE1luK+LRIJ/bd9uW7sSGXQq8bGB
+u/M9LmeRAoGBANz+Rvhzl5cjjvUpjLcsu2tGjWK5uAvbcHTQd8bjHQINtKTQREFo
+CoEA8DD6qiyhgwuH7BIVNjjOr9LcMjuorgbcVTOBVM5RLG7KUUPCDDejlmLI+s9w
+8VKv6Vx8bt8901IUsIhNJtfoZOXEBbJVDsU3iD5zFrA9dj2EQNWG2D8lAoGBANv/
+T4NMs174oyrZYRTHOoepvlvX9zm9Ptcz9P7GcdZbg3jkQSXKAZqUwczDT8FzdxXH
+ycwaCsVpikEPGJaKCnhSV1Kh2tR8H05kOxPy3vzpzsFtfrFyTPFzydOES//A+ZHD
+ydcNph1K8Ztx+1YzTOj9KjOyuRpb5kUvO2c4zp31AoGBAK9HTusIY5eQsHZq+hze
+8dfoIYPIYd2lstAz+Ixa3kseq8R9G2X1Kz+eiuOOLSMxB0tCB09gW5068eGAnKcM
+5tqyLzGmxqjNYTyOY14mrqICseiwF54oqn823xRn7VhLJSzZFBtHdiORQ1Wp4ArN
+w+VQYlOF3Nz0IrAwEWxKg4GxAoGBANlBOHShukF/qSMXqRer59ExgBuTG0KZ8QT0
++mzf7GuT1DH+t5dp9kuBvCFKf+i67k9EDbTRwvFRWIcHMXD4wX4xUqr3y/Mq4H+5
+293Haw64lsXOK99w0Stg/V80txjKqauZfioyAGnNKOwpk9t8reconBSR2tp9Btor
+2q4FG4ZBAoGANLnC8I3eHWSj3/ME+tOCu7EiiDtiE2Kt1UEtreQGyeF/cPBsDiSF
+3XxgYO9bCh0TGX52e4Bfffra5f1Hvgw84dESQWunYJByb19a737MI8RN+RHKjaSo
+rBjbUpA16Fi8NSro/mXDLCh8mTzu0tPG+e1jqcEVc5JDLYIau12j6jw=
+-----END RSA PRIVATE KEY-----
+[email protected] AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAg0NeCnpO5ZAzWmMX6XwjrFyDi+JRrPLNb0vrEYqJp+bEAAAADAQABAAABAQC96eyjDJkj80k2JJ2imXQTXb4VfjEXHxPClX4uw0Th7dJ6NxvKb+AfAbaFdYu3xJjyUhFkHg0hPtMhe/ubq0wrejkTtYwd87iWj8wu+aiSziRexphXClxNt8RWv+1mgAVZuBSPHg4jykrYzpaQOqmIiOcMBpumFpwA2cXNRgLbEdZ4uwpNjBYwxGigh1m50OiFvcXFvrwvGkkqDwExIaCqSoK+E3NmTLt6I5eTVvjdhxSzKqwF65vY9XWqh4w1JP2NHCQSkyh2rlC4WM0mpkyL4ZmJdIsRFj1DxN7Ovma6HS8AKJeiDyShuWounwCsoK33onjr+ib9cYUAvsKTdB9pAAAAAAAAAAAAAAABAAAACmVrb250c2V2b3kAAAAOAAAACmVrb250c2V2b3kAAAAAAAAAAAAAAABZPPDKAAAAAAAAAHYAAAAWcGVybWl0LXBvcnQtZm9yd2FyZGluZwAAAAAAAAAKcGVybWl0LXB0eQAAAAAAAAAOdGVsZXBvcnQtcm9sZXMAAAAwAAAALHsidmVyc2lvbiI6InYxIiwicm9sZXMiOlsidXNlcjpla29udHNldm95Il19AAAAAAAAARcAAAAHc3NoLXJzYQAAAAMBAAEAAAEBAMA/0pVkfFhDPUDosZpM9nP/r/t6tORkmhXCxMkLZiS7+kg0htYSDLmwFGfzgSbYAH6Bryu9BZOxv1W23WW9oW7IdJpwfCpuyzFoRN0/2mHhAAHETtxucksTgYNwN+dDXF/IzG/QGVYswP4ENte4ZuNsd3bquBu+opK7CXU4B+UtsY0JUcV7gU5TzCZBdFpzLgB2VUpiHlFg0PUuV74aZmwzHlwoONBSIn2FZpHmvN2ZUdqTHSjof1vgH20cScMWGk05dFuM5gWjHEYC1gwdPpmTGcgN93SAQwKiAUQ6ZnJ+lVhzSp+/vxVz/aecDnrza+xI26DnB/nEEiCMu92WYxEAAAEPAAAAB3NzaC1yc2EAAAEAQRUml83QKsEeWB0WswfR1rvEzzumYRn/CAMTSGsF99bNzHmZ0lJbwCzNdl0hlJ3tGVPhANL5WwWuiLN1q6O8qrUU4cGJK3L8eNFUXmJIVc1xH2bIaws+nHikqPHnxbtAzJBbHeCngBX7eVT69bW6AdgWSHSzlPRaAaApMoEwVIMKOLiedjy7D9s/Cd+GtOtxTMoG/LmFBnvUiuXWwiQ658MRrg65ATl0x24ErJqz2cnj52Sy5G6SNUrENRqkP8TxRtp6a+FT1oJQ/2LqLwnlPQpb41j6fDqLRa47NU2TRnYRv0rhCMHO5tIhA51qhRlU9R2m5BH5o1JswN/phMgbjg==
+@cert-authority *.turing.local ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEk4cVIiydp9xSPIb8UqXpShY8zPlk/lpR69UL+0+RnNXtQl7GcQUZsrXDB2gOCfj+doKZj8Pt8oQVSDJF/vKhr+KS2Z+LC2Gyt8D5IY/acyyhSN5VoIo0JzIOr5CPGJNpLChREFuveV30hLihSfY52cqSvu7N5u34BlZ29WTLeBD9WssAG5HZUES8Xo3neHBl4SOck+mdiUvOIPhcnPiYRmYltOI3GJRu5y1xGemoPU3MnMziQMqnKCc2+To6IC8CkeQqa8D//BxLjenjSgn1K/SLUHraMb5qCmf77fyshj6A9jamgo0UOaOqem+jyg8idnz6JbVfXwW0nEaSyPzX type=host
diff --git a/lib/config/configuration.go b/lib/config/configuration.go
@@ -221,6 +221,17 @@ func ApplyFileConfig(fc *FileConfig, cfg *service.Config) error {
 		cfg.Auth.DynamicConfig = *fc.SeedConfig
 	}
 
+	// apply ciphers, kex algorithms, and mac algorithms
+	if fc.Ciphers != nil {
+		cfg.Ciphers = fc.Ciphers
+	}
+	if fc.KEXAlgorithms != nil {
+		cfg.KEXAlgorithms = fc.KEXAlgorithms
+	}
+	if fc.MACAlgorithms != nil {
+		cfg.MACAlgorithms = fc.MACAlgorithms
+	}
+
 	// apply connection throttling:
 	limiters := []limiter.LimiterConfig{
 		cfg.SSH.Limiter,

diff --git a/lib/config/configuration_test.go b/lib/config/configuration_test.go
@@ -335,6 +335,48 @@ teleport:
 	}
 }
 
+// TestFileConfigCheck makes sure we don't start with invalid settings.
+func (s *ConfigTestSuite) TestFileConfigCheck(c *check.C) {
+	tests := []struct {
+		inConfigString string
+		outError       bool
+	}{
+		// 0 - all defaults, valid
+		{
+			`
+teleport:
+`,
+			false,
+		},
+		// 1 - invalid cipher, not valid
+		{
+			`
+teleport:
+  ciphers:
+    - aes256-ctr
+    - fake-cipher
+  kex_algos:
+    - kexAlgoCurve25519SHA256
+  mac_algos:
+    - [email protected]
+`,
+			true,
+		},
+	}
+
+	// run tests
+	for i, tt := range tests {
+		comment := check.Commentf("Test %v", i)
+
+		_, err := ReadConfig(bytes.NewBufferString(tt.inConfigString))
+		if tt.outError {
+			c.Assert(err, check.NotNil, comment)
+		} else {
+			c.Assert(err, check.IsNil, comment)
+		}
+	}
+}
+
 func (s *ConfigTestSuite) TestApplyConfig(c *check.C) {
 	conf, err := ReadConfig(bytes.NewBufferString(SmallConfigString))
 	c.Assert(err, check.IsNil)

diff --git a/lib/config/fileconf.go b/lib/config/fileconf.go
@@ -28,7 +28,7 @@ import (
 	"strings"
 	"time"
 
-	"gopkg.in/yaml.v2"
+	"golang.org/x/crypto/ssh"
 
 	"github.com/gravitational/teleport"
 	"github.com/gravitational/teleport/lib/auth"
@@ -39,6 +39,8 @@ import (
 	"github.com/gravitational/teleport/lib/utils"
 
 	"github.com/gravitational/trace"
+
+	"gopkg.in/yaml.v2"
 )
 
 var (
@@ -123,6 +125,9 @@ var (
 		"ttl":                false,
 		"issuer":             false,
 		"permit_user_env":    false,
+		"ciphers":            false,
+		"kex_algos":          false,
+		"mac_algos":          false,
 	}
 )
 
@@ -176,6 +181,11 @@ func ReadConfig(reader io.Reader) (*FileConfig, error) {
 	if err = yaml.Unmarshal(bytes, &fc); err != nil {
 		return nil, trace.BadParameter("failed to parse Teleport configuration: %v", err)
 	}
+	// don't start Teleport with invalid ciphers, kex algorithms, or mac algorithms.
+	err = fc.Check()
+	if err != nil {
+		return nil, trace.BadParameter("failed to parse Teleport configuration: %v", err)
+	}
 	// now check for unknown (misspelled) config keys:
 	var validateKeys func(m YAMLMap) error
 	validateKeys = func(m YAMLMap) error {
@@ -279,6 +289,32 @@ func (conf *FileConfig) DebugDumpToYAML() string {
 	return string(bytes)
 }
 
+// Check ensures that the ciphers, kex algorithms, and mac algorithms set
+// are supported by golang.org/x/crypto/ssh. This ensures we don't start
+// Teleport with invalid configuration.
+func (conf *FileConfig) Check() error {
+	var sc ssh.Config
+	sc.SetDefaults()
+
+	for _, c := range conf.Ciphers {
+		if utils.SliceContainsStr(sc.Ciphers, c) == false {
+			return trace.BadParameter("cipher %q not supported", c)
+		}
+	}
+	for _, k := range conf.KEXAlgorithms {
+		if utils.SliceContainsStr(sc.KeyExchanges, k) == false {
+			return trace.BadParameter("KEX %q not supported", k)
+		}
+	}
+	for _, m := range conf.MACAlgorithms {
+		if utils.SliceContainsStr(sc.MACs, m) == false {
+			return trace.BadParameter("MAC %q not supported", m)
+		}
+	}
+
+	return nil
+}
+
 // ConnectionRate configures rate limiter
 type ConnectionRate struct {
 	Period  time.Duration `yaml:"period"`
@@ -320,6 +356,18 @@ type Global struct {
 	// Each service (like proxy, auth, node) can find the key it needs
 	// by looking into certificate
 	Keys []KeyPair `yaml:"keys,omitempty"`
+
+	// Ciphers is a list of ciphers that the server supports. If omitted,
+	// the defaults will be used.
+	Ciphers []string `yaml:"ciphers,omitempty"`
+
+	// KEXAlgorithms is a list of key exchange (KEX) algorithms that the
+	// server supports. If omitted, the defaults will be used.
+	KEXAlgorithms []string `yaml:"kex_algos,omitempty"`
+
+	// MACAlgorithms is a list of message authentication codes (MAC) that
+	// the server supports. If omitted the defaults will be used.
+	MACAlgorithms []string `yaml:"mac_algos,omitempty"`
 }
 
 // CachePolicy is used to control  local cache

diff --git a/lib/service/cfg.go b/lib/service/cfg.go
@@ -23,6 +23,8 @@ import (
 	"os"
 	"time"
 
+	"golang.org/x/crypto/ssh"
+
 	"github.com/gravitational/teleport/lib/auth"
 	"github.com/gravitational/teleport/lib/backend"
 	"github.com/gravitational/teleport/lib/backend/boltbk"
@@ -114,6 +116,18 @@ type Config struct {
 
 	// Access is a service that controls access
 	Access services.Access
+
+	// Ciphers is a list of ciphers that the server supports. If omitted,
+	// the defaults will be used.
+	Ciphers []string
+
+	// KEXAlgorithms is a list of key exchange (KEX) algorithms that the
+	// server supports. If omitted, the defaults will be used.
+	KEXAlgorithms []string
+
+	// MACAlgorithms is a list of message authentication codes (MAC) that
+	// the server supports. If omitted the defaults will be used.
+	MACAlgorithms []string
 }
 
 // ApplyToken assigns a given token to all internal services but only if token
@@ -281,6 +295,11 @@ func MakeDefaultConfig() (config *Config) {
 
 // ApplyDefaults applies default values to the existing config structure
 func ApplyDefaults(cfg *Config) {
+	// get defaults for cipher, kex algorithms, and mac algorithms from
+	// golang.org/x/crypto/ssh default config.
+	var sc ssh.Config
+	sc.SetDefaults()
+
 	hostname, err := os.Hostname()
 	if err != nil {
 		hostname = "localhost"
@@ -291,6 +310,9 @@ func ApplyDefaults(cfg *Config) {
 	cfg.Hostname = hostname
 	cfg.DataDir = defaults.DataDir
 	cfg.Console = os.Stdout
+	cfg.Ciphers = sc.Ciphers
+	cfg.KEXAlgorithms = sc.KeyExchanges
+	cfg.MACAlgorithms = sc.MACs
 
 	// defaults for the auth service:
 	cfg.Auth.Enabled = true

diff --git a/lib/service/service.go b/lib/service/service.go
@@ -546,6 +546,9 @@ func (process *TeleportProcess) initSSH() error {
 			srv.SetLabels(cfg.SSH.Labels, cfg.SSH.CmdLabels),
 			srv.SetNamespace(namespace),
 			srv.SetPermitUserEnvironment(cfg.SSH.PermitUserEnvironment),
+			srv.SetCiphers(cfg.Ciphers),
+			srv.SetKEXAlgorithms(cfg.KEXAlgorithms),
+			srv.SetMACAlgorithms(cfg.MACAlgorithms),
 		)
 		if err != nil {
 			return trace.Wrap(err)
@@ -706,6 +709,9 @@ func (process *TeleportProcess) initProxyEndpoint(conn *Connector) error {
 		srv.SetProxyMode(tsrv),
 		srv.SetSessionServer(conn.Client),
 		srv.SetAuditLog(conn.Client),
+		srv.SetCiphers(cfg.Ciphers),
+		srv.SetKEXAlgorithms(cfg.KEXAlgorithms),
+		srv.SetMACAlgorithms(cfg.MACAlgorithms),
 	)
 	if err != nil {
 		return trace.Wrap(err)

diff --git a/lib/srv/sshserver.go b/lib/srv/sshserver.go
@@ -98,6 +98,18 @@ type Server struct {
 	// permitUserEnvironment controls if this server will read ~/.tsh/environment
 	// before creating a new session.
 	permitUserEnvironment bool
+
+	// ciphers is a list of ciphers that the server supports. If omitted,
+	// the defaults will be used.
+	ciphers []string
+
+	// kexAlgorithms is a list of key exchange (KEX) algorithms that the
+	// server supports. If omitted, the defaults will be used.
+	kexAlgorithms []string
+
+	// macAlgorithms is a list of message authentication codes (MAC) that
+	// the server supports. If omitted the defaults will be used.
+	macAlgorithms []string
 }
 
 // ServerOption is a functional option passed to the server
@@ -200,6 +212,27 @@ func SetPermitUserEnvironment(permitUserEnvironment bool) ServerOption {
 	}
 }
 
+func SetCiphers(ciphers []string) ServerOption {
+	return func(s *Server) error {
+		s.ciphers = ciphers
+		return nil
+	}
+}
+
+func SetKEXAlgorithms(kexAlgorithms []string) ServerOption {
+	return func(s *Server) error {
+		s.kexAlgorithms = kexAlgorithms
+		return nil
+	}
+}
+
+func SetMACAlgorithms(macAlgorithms []string) ServerOption {
+	return func(s *Server) error {
+		s.macAlgorithms = macAlgorithms
+		return nil
+	}
+}
+
 // New returns an unstarted server
 func New(addr utils.NetAddr,
 	hostname string,
@@ -252,7 +285,10 @@ func New(addr utils.NetAddr,
 		addr, s, signers,
 		sshutils.AuthMethods{PublicKey: s.keyAuth},
 		sshutils.SetLimiter(s.limiter),
-		sshutils.SetRequestHandler(s))
+		sshutils.SetRequestHandler(s),
+		sshutils.SetCiphers(s.ciphers),
+		sshutils.SetKEXAlgorithms(s.kexAlgorithms),
+		sshutils.SetMACAlgorithms(s.macAlgorithms))
 	if err != nil {
 		return nil, trace.Wrap(err)
 	}

diff --git a/lib/sshutils/server.go b/lib/sshutils/server.go
@@ -149,6 +149,36 @@ func SetRequestHandler(req RequestHandler) ServerOption {
 	}
 }
 
+func SetCiphers(ciphers []string) ServerOption {
+	return func(s *Server) error {
+		log.Debugf("[SSH:%v] Supported Ciphers: %q", s.component, ciphers)
+		if ciphers != nil {
+			s.cfg.Ciphers = ciphers
+		}
+		return nil
+	}
+}
+
+func SetKEXAlgorithms(kexAlgorithms []string) ServerOption {
+	return func(s *Server) error {
+		log.Debugf("[SSH:%v] Supported KEX algorithms: %q", s.component, kexAlgorithms)
+		if kexAlgorithms != nil {
+			s.cfg.KeyExchanges = kexAlgorithms
+		}
+		return nil
+	}
+}
+
+func SetMACAlgorithms(macAlgorithms []string) ServerOption {
+	return func(s *Server) error {
+		log.Debugf("[SSH:%v] Supported MAC algorithms: %q", s.component, macAlgorithms)
+		if macAlgorithms != nil {
+			s.cfg.MACs = macAlgorithms
+		}
+		return nil
+	}
+}
+
 func (s *Server) Addr() string {
 	return s.listener.Addr().String()
 }
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		@cert-authority *.turing.local ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEk4cVIiydp9xSPIb8UqXpShY8zPlk/lpR69UL+0+RnNXtQl7GcQUZsrXDB2gOCfj+doKZj8Pt8oQVSDJF/vKhr+KS2Z+LC2Gyt8D5IY/acyyhSN5VoIo0JzIOr5CPGJNpLChREFuveV30hLihSfY52cqSvu7N5u34BlZ29WTLeBD9WssAG5HZUES8Xo3neHBl4SOck+mdiUvOIPhcnPiYRmYltOI3GJRu5y1xGemoPU3MnMziQMqnKCc2+To6IC8CkeQqa8D//BxLjenjSgn1K/SLUHraMb5qCmf77fyshj6A9jamgo0UOaOqem+jyg8idnz6JbVfXwW0nEaSyPzX type=host