ssh: blacklist broken kex algorithms

terminus-ssh/src/api.ts

@@ -398,3 +398,9 @@ export interface SSHConnectionGroup {
     name: string
     connections: SSHConnection[]
 }
+
+export const ALGORITHM_BLACKLIST = [
+    // cause native crashes in node crypto, use EC instead
+    'diffie-hellman-group-exchange-sha256',
+    'diffie-hellman-group-exchange-sha1',
+]

terminus-ssh/src/components/editConnectionModal.component.ts

@@ -3,7 +3,7 @@ import { Component } from '@angular/core'
 import { NgbModal, NgbActiveModal } from '@ng-bootstrap/ng-bootstrap'
 import { ElectronService, HostAppService, ConfigService } from 'terminus-core'
 import { PasswordStorageService } from '../services/passwordStorage.service'
-import { SSHConnection, LoginScript, SSHAlgorithmType } from '../api'
+import { SSHConnection, LoginScript, SSHAlgorithmType, ALGORITHM_BLACKLIST } from '../api'
 import { PromptModalComponent } from './promptModal.component'
 import { ALGORITHMS } from 'ssh2-streams/lib/constants'
 
@@ -40,8 +40,8 @@ export class EditConnectionModalComponent {
                 [SSHAlgorithmType.CIPHER]: 'CIPHER',
                 [SSHAlgorithmType.HMAC]: 'HMAC',
             }[k]
-            this.supportedAlgorithms[k] = ALGORITHMS[supportedAlg]
+            this.supportedAlgorithms[k] = ALGORITHMS[supportedAlg].filter(x => !ALGORITHM_BLACKLIST.includes(x))
-            this.defaultAlgorithms[k] = ALGORITHMS[defaultAlg]
+            this.defaultAlgorithms[k] = ALGORITHMS[defaultAlg].filter(x => !ALGORITHM_BLACKLIST.includes(x))
         }
     }
 

terminus-ssh/src/services/ssh.service.ts

@@ -12,7 +12,7 @@ import * as sshpk from 'sshpk'
 import { ToastrService } from 'ngx-toastr'
 import { HostAppService, Platform, Logger, LogService, ElectronService, AppService, SelectorOption, ConfigService } from 'terminus-core'
 import { SettingsTabComponent } from 'terminus-settings'
-import { SSHConnection, SSHSession } from '../api'
+import { ALGORITHM_BLACKLIST, SSHConnection, SSHSession } from '../api'
 import { PromptModalComponent } from '../components/promptModal.component'
 import { PasswordStorageService } from './passwordStorage.service'
 import { SSHTabComponent } from '../components/sshTab.component'
@@ -147,6 +147,10 @@ export class SSHService {
         session.ssh = ssh
         let connected = false
         let savedPassword: string|null = null
+        const algorithms = {}
+        for (const key of Object.keys(session.connection.algorithms ?? {})) {
+            algorithms[key] = session.connection.algorithms![key].filter(x => !ALGORITHM_BLACKLIST.includes(x))
+        }
         await new Promise(async (resolve, reject) => {
             ssh.on('ready', () => {
                 connected = true
@@ -267,7 +271,7 @@ export class SSHService {
                         return true
                     },
                     hostHash: 'sha256' as any,
-                    algorithms: session.connection.algorithms,
+                    algorithms,
                     sock: session.jumpStream,
                     authHandler: methodsLeft => {
                         while (true) {