Configure cryptography parameters for downstream side

[Nils98Ar]

Is this possible somehow? E.g. restricting the allowed cryptography algorithms.

It would also be okay to build a new image from source or from base image.

[tg123]

no cmd settings now
but if you prefer compile yourself, you can set it here

sshpiper/cmd/sshpiperd/daemon.go

Line 183 in c83c27c

p, err := ssh.NewSSHPiperConn(c, &d.config.PiperConfig)

d.config.PiperConfig.PublicKeyAuthAlgorithms

PR is welcomed

[Nils98Ar]

@tg123

I have never worked with go before but I think it would be good to configure this via config file and environment variables?

This seems to be the default?
https://github.com/golang/crypto/blob/v0.21.0/ssh/common.go#L142-L148

[Nils98Ar]

These are also interesting regarding security: supportedCiphers, preferredCiphers, supportedKexAlgos, serverForbiddenKexAlgos, preferredKexAlgos, supportedHostKeyAlgos, supportedMACs, hashFuncs.

Would it rather make sense to configure those per pipe or globally (e.g. in a downstream_config.yaml)?

[tg123]

no config file yet, but will add them to sshpiperd cmd args

[Nils98Ar]

@tg123 Would we rather configure the ones from ssh/server.go (e.g. PublicKeyAuthAlgorithms) or from ssh/common.go (e.g. supportedPubKeyAuthAlgos). I think the latter has more options which are used as default for the former.