[英]How to disable diffie-hellman-group1-sha1 in ganymed-ssh2-build210.jar
In Java we are using ganymed-ssh2-build210.jar for connecting to the server via ssh. 在Java中,我们使用ganymed-ssh2-build210.jar通过ssh连接到服务器。 I need to restrict the weaker algorithm " diffie-hellman-group1-sha1 " specifically.
我需要专门限制较弱的算法“ diffie-hellman-group1-sha1”。
Is there any customizable settings in ganymed-ssh2-build210.jar that allows to restrict this ? ganymed-ssh2-build210.jar中是否有任何可限制此设置的可自定义设置?
Is there any java.security setting available for restricting the same ? 是否有任何java.security设置可用于限制相同设置?
If you cannot control the server but the library on the client. 如果您无法控制服务器,但只能控制客户端上的库。
Following might be an option 以下可能是一个选择
ch/ethz/ssh2/transport/KexManager.java
to not support anymore diffie-hellman-group1-sha1
ch/ethz/ssh2/transport/KexManager.java
为不再支持ch/ethz/ssh2/transport/KexManager.java
diffie-hellman-group1-sha1
ganymed-ssh2-build210_1.jar
and use this one with the client application ganymed-ssh2-build210_1.jar
并将其与客户端应用程序一起使用 edit Find a step-by-step instruction to verify the above. 编辑查找分步说明以验证以上内容。
Assume following structure 假设以下结构
bin/
apache-sshd-1.6.0.tar.gz
ganymed-ssh2-build210.jar
ganymed-ssh2-build210-sources.jar
SshClientDemo.java
SshServerDemo.java
SshServerDemo.java SshServerDemo.java
package sub.optimal;
import java.nio.file.Paths;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.sshd.common.NamedFactory;
import org.apache.sshd.common.kex.KeyExchange;
import org.apache.sshd.common.util.GenericUtils;
import org.apache.sshd.server.SshServer;
import org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider;
import org.apache.sshd.server.scp.ScpCommandFactory;
import org.apache.sshd.server.shell.InteractiveProcessShellFactory;
import org.apache.sshd.server.shell.ProcessShellFactory;
public class SshServerDemo extends Thread {
public static void main(String[] args) throws Exception {
Logger.getGlobal().setLevel(Level.FINEST);
SshServer sshd = SshServer.setUpDefaultServer();
sshd.setPort(2222);
sshd.setKeyPairProvider(
new SimpleGeneratorHostKeyProvider(Paths.get("hostkey.ser"))
);
sshd.setShellFactory(InteractiveProcessShellFactory.INSTANCE);
sshd.setCommandFactory(
new ScpCommandFactory.Builder().withDelegate(
cmd -> new ProcessShellFactory(
GenericUtils.split(cmd, ' ')
).create()
).build()
);
List<NamedFactory<KeyExchange>> keyExchangeFactories;
keyExchangeFactories = sshd.getKeyExchangeFactories();
keyExchangeFactories.removeIf(
e -> !e.getName().equals("diffie-hellman-group1-sha1")
);
sshd.setKeyExchangeFactories(keyExchangeFactories);
sshd.setPasswordAuthenticator(
(username, password, session) -> username.equals(password)
);
sshd.start();
Thread.sleep(Long.MAX_VALUE);
}
}
SshClientDemo.java SshClientDemo.java
package sub.optimal;
import ch.ethz.ssh2.Connection;
import ch.ethz.ssh2.Session;
import ch.ethz.ssh2.StreamGobbler;
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
public class SshClientDemo {
public static void main(String[] args) throws Exception {
Connection conn = new Connection("localhost", 2222);
conn.connect();
boolean isAuthenticated = conn.authenticateWithPassword("foo", "foo");
Session sess = conn.openSession();
System.out.println("session is authenticated: " + isAuthenticated);
sess.execCommand("echo I'm there...");
InputStream stdout = new StreamGobbler(sess.getStdout());
BufferedReader br = new BufferedReader(new InputStreamReader(stdout));
while (true) {
String line = br.readLine();
if (line == null) {
break;
}
System.out.println(line);
}
sess.close();
conn.close();
}
}
extract the Apache server 提取Apache服务器
tar xzf apache-sshd-1.6.0.tar.gz
compile the demo classes 编译演示类
javac -cp "apache-sshd-1.6.0/lib/*" -d bin/ SshServerDemo.java javac -cp ganymed-ssh2-build210.jar -d bin/ SshClientDemo.java
extract the KexManager.java
提取
KexManager.java
jar vxf ganymed-ssh2-build210-sources.jar \\ ch/ethz/ssh2/transport/KexManager.java
modify the file KexManager.java
修改文件
KexManager.java
public static final String[] getDefaultKexAlgorithmList() { return new String[] { "diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1"// , // "diffie-hellman-group1-sha1" }; } ... public static final void checkKexAlgorithmList(String[] algos) ... if ("diffie-hellman-group14-sha1".equals(algos[i])) continue; // if ("diffie-hellman-group1-sha1".equals(algos[i])) // continue; ...
compile the patched KexManager.java
编译修补的
KexManager.java
javac -cp ganymed-ssh2-build210.jar ch/ethz/ssh2/transport/KexManager.java
create a patched library 创建一个补丁库
cp ganymed-ssh2-build210.jar ganymed-ssh2-build210-patched.jar jar vuf ganymed-ssh2-build210-patched.jar \\ ch/ethz/ssh2/transport/KexManager.class
in command line session ONE 在命令行会话ONE中
start the server 启动服务器
java -cp "bin/:apache-sshd-1.6.0/lib/*" sub.optimal.SshServerDemo
in command line session TWO 在两个命令行会话中
check first the key exchange algos supported by the server 首先检查服务器支持的密钥交换算法
ssh -vv foo@localhost -p 2222
in the output only the diffie-hellman-group1-sha1
is reported 在输出中仅报告
diffie-hellman-group1-sha1
debug2: peer server KEXINIT proposal debug2: KEX algorithms: diffie-hellman-group1-sha1
run the client with the un-patched library 使用未修补的库运行客户端
java -cp bin/:ganymed-ssh2-build210.jar sub.optimal.SshClientDemo
output 产量
session is authenticated: true I'm there...
run the client with the patched library 使用补丁库运行客户端
java -cp bin/:ganymed-ssh2-build210-patched.jar sub.optimal.SshClientDemo
output 产量
Caused by: java.io.IOException: Cannot negotiate, proposals do not match.
on the server log 在服务器日志上
Unable to negotiate key exchange for kex algorithms \\ (client: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 \\ / server: diffie-hellman-group1-sha1)
That proves that the SshClientDemo with the patched library cannot use the key exchange algorithm diffie-hellman-group1-sha1
to connect to the server (which for the PoC only support this one). 这证明带有修补库的SshClientDemo无法使用密钥交换算法
diffie-hellman-group1-sha1
连接到服务器(对于PoC仅支持该服务器)。
You want to change allowed ciphers on the server rather than in your client, otherwise anyone can bypass this easily. 您想在服务器上而不是在客户端上更改允许的密码,否则任何人都可以轻松绕过此密码。
Check answer: https://unix.stackexchange.com/questions/333728/ssh-how-to-disable-weak-ciphers 检查答案: https : //unix.stackexchange.com/questions/333728/ssh-how-to-disable-weak-ciphers
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.