
How to disable diffie-hellman-group1-sha1 in ganymed-ssh2-build210.jar

In Java we are using ganymed-ssh2-build210.jar for connecting to the server via ssh. I need to restrict the weaker algorithm "diffie-hellman-group1-sha1" specifically.

Are there any customizable settings in ganymed-ssh2-build210.jar that allow restricting this?

Is there any java.security setting available for restricting the same?

If you cannot control the server, but only the library on the client, the following might be an option:

  • get the source of the library ganymed-ssh2-build210-sources.jar
  • amend ch/ethz/ssh2/transport/KexManager.java to no longer support diffie-hellman-group1-sha1
  • compile the amended code
  • create the patched library as ganymed-ssh2-build210_1.jar and use this one with the client application

edit: step-by-step instructions to verify the above.

Assume the following structure

bin/
apache-sshd-1.6.0.tar.gz
ganymed-ssh2-build210.jar
ganymed-ssh2-build210-sources.jar
SshClientDemo.java
SshServerDemo.java

SshServerDemo.java

package sub.optimal;

import java.nio.file.Paths;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.sshd.common.NamedFactory;
import org.apache.sshd.common.kex.KeyExchange;
import org.apache.sshd.common.util.GenericUtils;
import org.apache.sshd.server.SshServer;
import org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider;
import org.apache.sshd.server.scp.ScpCommandFactory;
import org.apache.sshd.server.shell.InteractiveProcessShellFactory;
import org.apache.sshd.server.shell.ProcessShellFactory;

public class SshServerDemo extends Thread {

    public static void main(String[] args) throws Exception {
        Logger.getGlobal().setLevel(Level.FINEST);
        SshServer sshd = SshServer.setUpDefaultServer();
        sshd.setPort(2222);
        sshd.setKeyPairProvider(
                new SimpleGeneratorHostKeyProvider(Paths.get("hostkey.ser"))
        );
        sshd.setShellFactory(InteractiveProcessShellFactory.INSTANCE);
        sshd.setCommandFactory(
                new ScpCommandFactory.Builder().withDelegate(
                        cmd -> new ProcessShellFactory(
                                GenericUtils.split(cmd, ' ')
                        ).create()
                ).build()
        );

        // PoC only: strip every key exchange method except the weak
        // diffie-hellman-group1-sha1, so the server offers nothing else.
        List<NamedFactory<KeyExchange>> keyExchangeFactories;
        keyExchangeFactories = sshd.getKeyExchangeFactories();
        keyExchangeFactories.removeIf(
                e -> !e.getName().equals("diffie-hellman-group1-sha1")
        );

        sshd.setKeyExchangeFactories(keyExchangeFactories);
        sshd.setPasswordAuthenticator(
                (username, password, session) -> username.equals(password)
        );

        sshd.start();
        Thread.sleep(Long.MAX_VALUE);
    }
}

SshClientDemo.java

package sub.optimal;

import ch.ethz.ssh2.Connection;
import ch.ethz.ssh2.Session;
import ch.ethz.ssh2.StreamGobbler;
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;

public class SshClientDemo {

    public static void main(String[] args) throws Exception {
        Connection conn = new Connection("localhost", 2222);
        conn.connect();
        boolean isAuthenticated = conn.authenticateWithPassword("foo", "foo");
        Session sess = conn.openSession();
        System.out.println("session is authenticated: " + isAuthenticated);

        sess.execCommand("echo I'm there...");

        InputStream stdout = new StreamGobbler(sess.getStdout());
        BufferedReader br = new BufferedReader(new InputStreamReader(stdout));

        while (true) {
            String line = br.readLine();
            if (line == null) {
                break;
            }
            System.out.println(line);
        }

        sess.close();
        conn.close();
    }
}
  • extract the Apache server

     tar xzf apache-sshd-1.6.0.tar.gz
  • compile the demo classes

     javac -cp "apache-sshd-1.6.0/lib/*" -d bin/ SshServerDemo.java
     javac -cp ganymed-ssh2-build210.jar -d bin/ SshClientDemo.java
  • extract the KexManager.java

     jar vxf ganymed-ssh2-build210-sources.jar \
         ch/ethz/ssh2/transport/KexManager.java
  • modify the file KexManager.java

     public static final String[] getDefaultKexAlgorithmList()
     {
         return new String[] { "diffie-hellman-group-exchange-sha1",
                 "diffie-hellman-group14-sha1"
                 // ,
                 // "diffie-hellman-group1-sha1"
         };
     }
     ...
     public static final void checkKexAlgorithmList(String[] algos)
     ...
             if ("diffie-hellman-group14-sha1".equals(algos[i]))
                 continue;
             // if ("diffie-hellman-group1-sha1".equals(algos[i]))
             //     continue;
     ...
  • compile the patched KexManager.java

     javac -cp ganymed-ssh2-build210.jar ch/ethz/ssh2/transport/KexManager.java
  • create a patched library

     cp ganymed-ssh2-build210.jar ganymed-ssh2-build210-patched.jar
     jar vuf ganymed-ssh2-build210-patched.jar \
         ch/ethz/ssh2/transport/KexManager.class

in command line session ONE

  • start the server

     java -cp "bin/:apache-sshd-1.6.0/lib/*" sub.optimal.SshServerDemo

in command line session TWO

  • check first the key exchange algos supported by the server

     ssh -vv foo@localhost -p 2222

    in the output only diffie-hellman-group1-sha1 is reported

     debug2: peer server KEXINIT proposal
     debug2: KEX algorithms: diffie-hellman-group1-sha1
  • run the client with the un-patched library

     java -cp bin/:ganymed-ssh2-build210.jar sub.optimal.SshClientDemo

    output

     session is authenticated: true
     I'm there...
  • run the client with the patched library

     java -cp bin/:ganymed-ssh2-build210-patched.jar sub.optimal.SshClientDemo

    output

     Caused by: java.io.IOException: Cannot negotiate, proposals do not match.

    on the server log

     Unable to negotiate key exchange for kex algorithms (client: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 / server: diffie-hellman-group1-sha1)

That proves that the SshClientDemo with the patched library cannot use the key exchange algorithm diffie-hellman-group1-sha1 to connect to the server (which, for the PoC, only supports this one).
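As an added example (not part of the answer above), here is a client-side guard that needs no rebuilt jar: ganymed's Connection.connect() returns a ConnectionInfo whose public keyExchangeAlgorithm field names the key exchange that was actually negotiated, so the client can refuse to authenticate when a denied method was chosen. The host, port, credentials and the deny-list are assumptions matching the PoC server above.

```java
package sub.optimal;

import ch.ethz.ssh2.Connection;
import ch.ethz.ssh2.ConnectionInfo;
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class KexGuardDemo {

    // Assumed policy: key exchange methods the client must never authenticate over.
    private static final Set<String> DENIED_KEX = new HashSet<>(Arrays.asList(
            "diffie-hellman-group1-sha1"
    ));

    /**
     * Opens the transport, then inspects the negotiated key exchange method.
     * Closes the connection and throws when a denied method was chosen, so
     * no credentials are ever sent over the weak exchange.
     */
    public static Connection connectWithKexPolicy(String host, int port) throws IOException {
        Connection conn = new Connection(host, port);
        ConnectionInfo info = conn.connect();   // key exchange has completed at this point
        String kex = info.keyExchangeAlgorithm;
        if (DENIED_KEX.contains(kex)) {
            conn.close();
            throw new IOException("refusing to proceed: server negotiated denied kex " + kex);
        }
        System.out.println("negotiated key exchange: " + kex);
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // Assumed host/port/credentials: the PoC server from the answer above.
        Connection conn = connectWithKexPolicy("localhost", 2222);
        try {
            boolean ok = conn.authenticateWithPassword("foo", "foo");
            System.out.println("session is authenticated: " + ok);
        } finally {
            conn.close();
        }
    }
}
```

Because the check runs after conn.connect(), the weak exchange has already been performed once; this only guarantees that authentication (and thus the password) never travels over it, which is why the library patch in the answer is the stronger fix.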

You want to change the allowed ciphers on the server rather than in your client; otherwise anyone can bypass this easily.

Check this answer: https://unix.stackexchange.com/questions/333728/ssh-how-to-disable-weak-ciphers
