diff --git a/src/etc/inc/plugins.inc.d/openssh.inc b/src/etc/inc/plugins.inc.d/openssh.inc
index 61af6584a..e8c4fd989 100644
--- a/src/etc/inc/plugins.inc.d/openssh.inc
+++ b/src/etc/inc/plugins.inc.d/openssh.inc
@@ -173,6 +173,15 @@ function openssh_configure_do($verbose = false, $interface = '')
         $sshconf .= "ChallengeResponseAuthentication no\n";
         $sshconf .= "PasswordAuthentication no\n";
     }
+    if (!empty($sshcfg['kex'])) {
+        $sshconf .= "KexAlgorithms {$sshcfg['kex']}\n";
+    }
+    if (!empty($sshcfg['ciphers'])) {
+        $sshconf .= "Ciphers {$sshcfg['ciphers']}\n";
+    }
+    if (!empty($sshcfg['macs'])) {
+        $sshconf .= "MACs {$sshcfg['macs']}\n";
+    }
     foreach ($keys_all as $name) {
         $file = "/conf/sshd/{$name}";
         if (!file_exists($file)) {
diff --git a/src/opnsense/scripts/openssh/ssh_query.py b/src/opnsense/scripts/openssh/ssh_query.py
new file mode 100755
index 000000000..7fb8853db
--- /dev/null
+++ b/src/opnsense/scripts/openssh/ssh_query.py
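Review bot: The three `$sshcfg[...]` values are interpolated into sshd_config verbatim, so a value containing a newline becomes extra directives and an unsupported algorithm name makes sshd reject its configuration on the next restart, locking the administrator out of SSH; the save path in system_advanced_admin.php (the `@@ -235` hunk) implodes the posted arrays without checking them either, as far as this diff shows. Validate each selection at save time against the names the new `[query]` configd action returns, and keep a conservative character allowlist here at write time so an imported or hand-edited config.xml cannot bypass the form; a rejected value should be logged rather than dropped silently, because sshd then runs with its default algorithm set. The three near-identical `if` blocks also fold into one loop over a directive map. `openssh_configure_do` starts and ends outside this hunk.
```php
    // … unchanged: PasswordAuthentication handling …
    foreach (['kex' => 'KexAlgorithms', 'ciphers' => 'Ciphers', 'macs' => 'MACs'] as $key => $directive) {
        /* OpenSSH algorithm names use only [A-Za-z0-9@.-] and are joined by ',';
           anything else would terminate the line and become a new directive */
        if (!empty($sshcfg[$key]) && preg_match('/^[A-Za-z0-9@.,-]+$/', $sshcfg[$key])) {
            $sshconf .= "{$directive} {$sshcfg[$key]}\n";
        }
    }
    // … unchanged: host key handling …
```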
@@ -0,0 +1,43 @@
+#!/usr/local/bin/python3
+
+"""
+    Copyright (c) 2020 Ad Schellevis
+    All rights reserved.
+
+    Redistribution and use in source and binary forms, with or without
+    modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+    this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+    notice, this list of conditions and the following disclaimer in the
+    documentation and/or other materials provided with the distribution.
+
+    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+    POSSIBILITY OF SUCH DAMAGE.
+
+"""
+import subprocess
+import ujson
+import argparse
+
+if __name__ == '__main__':
+    parser = argparse.ArgumentParser()
+    parser.add_argument('option', help='query option', choices=['kex', 'mac', 'cipher'])
+    args = parser.parse_args()
+
+    result = list()
+    for l in subprocess.run(['/usr/local/bin/ssh', '-Q', args.option], capture_output=True).stdout.decode().split('\n'):
+        if len(l.strip()) > 1:
+            result.append(l.strip())
+    sorted(result)
+    print(ujson.dumps(result))
diff --git a/src/opnsense/service/conf/actions.d/actions_openssh.conf b/src/opnsense/service/conf/actions.d/actions_openssh.conf
index 389e4d060..2fb798657 100644
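Review bot: `sorted(result)` on the second-to-last line discards its return value, so the list is printed in whatever order `ssh -Q` emitted it; use `result.sort()` (or `result = sorted(result)`). `subprocess.run` is also called without `check=True`, so if `/usr/local/bin/ssh` is missing or exits non-zero the script prints `[]` and exits 0 while the captured stderr is never surfaced — the UI would then offer an empty algorithm list with no hint why; `subprocess.run([...], capture_output=True, check=True)` lets configd report the failure instead. `if len(l.strip()) > 1` reads like a typo for the emptiness test; `if l.strip():` is the idiom. A one-line module docstring stating that the output is the set of names the web UI should validate selections against would make the script's role clear.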
--- a/src/opnsense/service/conf/actions.d/actions_openssh.conf
+++ b/src/opnsense/service/conf/actions.d/actions_openssh.conf
@@ -15,3 +15,9 @@ command:/bin/pkill -TERM sshd
 parameters:
 type:script
 message:stopping openssh
+
+[query]
+command:/usr/local/opnsense/scripts/openssh/ssh_query.py
+parameters: %s
+type:script_output
+message: query options %s
diff --git a/src/www/system_advanced_admin.php b/src/www/system_advanced_admin.php
index b843bddb7..005466ebd 100644
--- a/src/www/system_advanced_admin.php
+++ b/src/www/system_advanced_admin.php
@@ -66,6 +66,10 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') {
     $pconfig['enablesshd'] = $config['system']['ssh']['enabled'];
     $pconfig['sshport'] = $config['system']['ssh']['port'];
     $pconfig['sshinterfaces'] = !empty($config['system']['ssh']['interfaces']) ? explode(',', $config['system']['ssh']['interfaces']) : array();
+    $pconfig['ssh-kex'] = !empty($config['system']['ssh']['kex']) ? explode(',', $config['system']['ssh']['kex']) : array();
+    $pconfig['ssh-ciphers'] = !empty($config['system']['ssh']['ciphers']) ? explode(',', $config['system']['ssh']['ciphers']) : array();
+    $pconfig['ssh-macs'] = !empty($config['system']['ssh']['macs']) ? explode(',', $config['system']['ssh']['macs']) : array();
+
     /* XXX listtag "fun" */
     $pconfig['sshlogingroup'] = !empty($config['system']['ssh']['group'][0]) ? $config['system']['ssh']['group'][0] : null;
     $pconfig['sshpasswordauth'] = isset($config['system']['ssh']['passwordauth']);
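Review bot: The new `$pconfig` keys `ssh-kex`, `ssh-ciphers` and `ssh-macs` use a hyphen while every neighbouring key (`sshport`, `sshinterfaces`, `sshlogingroup`, `sshpasswordauth`) is a single lowercase word; `sshkex`, `sshciphers` and `sshmacs` would follow the file's convention. Since the same names are presumably reused for the form fields and in the POST handler (the `@@ -235` hunk), the rename would have to be applied consistently there. The enclosing GET branch starts before this hunk and continues after it.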
@@ -235,6 +239,11 @@ if ($_SERVER['REQUEST_METHOD'] === 'GET') { $config['system']['ssh']['interfaces'] = !empty($pconfig['sshinterfaces']) ? implode(',', $pconfig['sshinterfaces']) : null; + $config['system']['ssh']['kex'] = !empty($pconfig['ssh-kex']) ? implode(',', $pconfig['ssh-kex']) : null; + $config['system']['ssh']['ciphers'] = !empty($pconfig['ssh-ciphers']) ? implode(',', $pconfig['ssh-ciphers']) : null; + $config['system']['ssh']['macs'] = !empty($pconfig['ssh-macs']) ? implode(',', $pconfig['ssh-macs']) : null; + + if (!empty($pconfig['enablesshd'])) { $config['system']['ssh']['enabled'] = 'enabled'; } elseif (isset($config['system']['ssh']['enabled'])) { @@ -709,6 +718,60 @@ $(document).ready(function() { + + + + + + + + + + + + + + + + + + + + +