From 0a1169e659ec596172ac7d67acb1c9b8fc2bb385 Mon Sep 17 00:00:00 2001 From: Yi FU Date: Wed, 10 Jul 2019 14:23:02 +0200 Subject: [PATCH] ssh: opt-in support for diffie-hellman-group-exchange-sha256 diffie-hellman-group-exchange-sha1 - fixes #1810 --- backend/sftp/sftp.go | 5 +++-- docs/content/sftp.md | 16 ++++++++-------- 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/backend/sftp/sftp.go b/backend/sftp/sftp.go index d7b921f26..25457b130 100644 --- a/backend/sftp/sftp.go +++ b/backend/sftp/sftp.go @@ -86,7 +86,7 @@ when the ssh-agent contains many keys.`, Default: false, }, { Name: "use_insecure_cipher", - Help: "Enable the use of the aes128-cbc cipher. This cipher is insecure and may allow plaintext data to be recovered by an attacker.", + Help: "Enable the use of the aes128-cbc cipher and diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1 key exchange. Those algorithms are insecure and may allow plaintext data to be recovered by an attacker.", Default: false, Examples: []fs.OptionExample{ { @@ -94,7 +94,7 @@ when the ssh-agent contains many keys.`, Help: "Use default Cipher list.", }, { Value: "true", - Help: "Enables the use of the aes128-cbc cipher.", + Help: "Enables the use of the aes128-cbc cipher and diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1 key exchange.", }, }, }, { @@ -345,6 +345,7 @@ func NewFs(name, root string, m configmap.Mapper) (fs.Fs, error) { if opt.UseInsecureCipher { sshConfig.Config.SetDefaults() sshConfig.Config.Ciphers = append(sshConfig.Config.Ciphers, "aes128-cbc") + sshConfig.Config.KeyExchanges = append(sshConfig.Config.KeyExchanges, "diffie-hellman-group-exchange-sha1", "diffie-hellman-group-exchange-sha256") } keyFile := env.ShellExpand(opt.KeyFile) diff --git a/docs/content/sftp.md b/docs/content/sftp.md index 05fc177d7..a54a1bd63 100644 --- a/docs/content/sftp.md +++ b/docs/content/sftp.md @@ -75,22 +75,22 @@ host> example.com SSH username, leave blank for current username, ncw user> sftpuser SSH port, leave blank to use default (22) -port> +port> SSH password, leave blank to use ssh-agent. y) Yes type in my own password g) Generate random password n) No leave this optional password blank y/g/n> n Path to unencrypted PEM-encoded private key file, leave blank to use ssh-agent. -key_file> +key_file> Remote config -------------------- [remote] host = example.com user = sftpuser -port = -pass = -key_file = +port = +pass = +key_file = -------------------- y) Yes this is OK e) Edit this remote @@ -243,7 +243,7 @@ when the ssh-agent contains many keys. #### --sftp-use-insecure-cipher -Enable the use of the aes128-cbc cipher. This cipher is insecure and may allow plaintext data to be recovered by an attacker. +Enable the use of the aes128-cbc cipher and diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1 key exchange. Those algorithms are insecure and may allow plaintext data to be recovered by an attacker. - Config: use_insecure_cipher - Env Var: RCLONE_SFTP_USE_INSECURE_CIPHER @@ -253,7 +253,7 @@ Enable the use of the aes128-cbc cipher. This cipher is insecure and may allow p - "false" - Use default Cipher list. - "true" - - Enables the use of the aes128-cbc cipher. + - Enables the use of the aes128-cbc cipher and diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1 key exchange. #### --sftp-disable-hashcheck @@ -325,7 +325,7 @@ return the total space, free space, and used space on the remote for the disk of the specified path on the remote or, if not set, the disk of the root on the remote. `about` will fail if it does not have shell -access or if `df` is not in the remote's PATH. +access or if `df` is not in the remote's PATH. Note that some SFTP servers (eg Synology) the paths are different for SSH and SFTP so the hashes can't be calculated properly. For them