ssh: blacklist broken kex algorithms

2024-12-15 06:30:13 +08:00 · 2021-01-24 11:26:43 +01:00 · 2021-01-24 11:26:43 +01:00 · 5417efe558
commit 5417efe558
parent fe936c7726
3 changed files with 15 additions and 5 deletions
--- a/terminus-ssh/src/api.ts
+++ b/terminus-ssh/src/api.ts
@ -398,3 +398,9 @@ export interface SSHConnectionGroup {
    name: string
    connections: SSHConnection[]
 }
+
+export const ALGORITHM_BLACKLIST = [
+    // cause native crashes in node crypto, use EC instead
+    'diffie-hellman-group-exchange-sha256',
+    'diffie-hellman-group-exchange-sha1',
+]
--- a/terminus-ssh/src/components/editConnectionModal.component.ts
+++ b/terminus-ssh/src/components/editConnectionModal.component.ts
@ -3,7 +3,7 @@ import { Component } from '@angular/core'
 import { NgbModal, NgbActiveModal } from '@ng-bootstrap/ng-bootstrap'
 import { ElectronService, HostAppService, ConfigService } from 'terminus-core'
 import { PasswordStorageService } from '../services/passwordStorage.service'
-import { SSHConnection, LoginScript, SSHAlgorithmType } from '../api'
+import { SSHConnection, LoginScript, SSHAlgorithmType, ALGORITHM_BLACKLIST } from '../api'
 import { PromptModalComponent } from './promptModal.component'
 import { ALGORITHMS } from 'ssh2-streams/lib/constants'

@ -40,8 +40,8 @@ export class EditConnectionModalComponent {
                [SSHAlgorithmType.CIPHER]: 'CIPHER',
                [SSHAlgorithmType.HMAC]: 'HMAC',
            }[k]
-            this.supportedAlgorithms[k] = ALGORITHMS[supportedAlg]
-            this.defaultAlgorithms[k] = ALGORITHMS[defaultAlg]
+            this.supportedAlgorithms[k] = ALGORITHMS[supportedAlg].filter(x => !ALGORITHM_BLACKLIST.includes(x))
+            this.defaultAlgorithms[k] = ALGORITHMS[defaultAlg].filter(x => !ALGORITHM_BLACKLIST.includes(x))
        }
    }

--- a/terminus-ssh/src/services/ssh.service.ts
+++ b/terminus-ssh/src/services/ssh.service.ts
@ -12,7 +12,7 @@ import * as sshpk from 'sshpk'
 import { ToastrService } from 'ngx-toastr'
 import { HostAppService, Platform, Logger, LogService, ElectronService, AppService, SelectorOption, ConfigService } from 'terminus-core'
 import { SettingsTabComponent } from 'terminus-settings'
-import { SSHConnection, SSHSession } from '../api'
+import { ALGORITHM_BLACKLIST, SSHConnection, SSHSession } from '../api'
 import { PromptModalComponent } from '../components/promptModal.component'
 import { PasswordStorageService } from './passwordStorage.service'
 import { SSHTabComponent } from '../components/sshTab.component'
@ -147,6 +147,10 @@ export class SSHService {
        session.ssh = ssh
        let connected = false
        let savedPassword: string|null = null
+        const algorithms = {}
+        for (const key of Object.keys(session.connection.algorithms ?? {})) {
+            algorithms[key] = session.connection.algorithms![key].filter(x => !ALGORITHM_BLACKLIST.includes(x))
+        }
        await new Promise(async (resolve, reject) => {
            ssh.on('ready', () => {
                connected = true
@ -267,7 +271,7 @@ export class SSHService {
                        return true
                    },
                    hostHash: 'sha256' as any,
-                    algorithms: session.connection.algorithms,
+                    algorithms,
                    sock: session.jumpStream,
                    authHandler: methodsLeft => {
                        while (true) {