install: add insecure cipher options for older devices/firmwares

Requires explicit choice via flag

fixes: https://github.com/gregtwallace/apc-p15-tool/issues/1
Greg T. Wallace 2024-02-04 17:09:23 -05:00
parent 357503382b
commit 598c4ba9f7
2 changed files with 21 additions and 5 deletions


@ -93,6 +93,20 @@ func (app *app) cmdInstall(cmdCtx context.Context, args []string) error {
// extra for some apc ups
kexAlgos = append(kexAlgos, "diffie-hellman-group-exchange-sha256")
// ciphers
// see defaults: https://cs.opensource.google/go/x/crypto/+/master:ssh/common.go;l=37
ciphers := []string{
"aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
"chacha20-poly1305@openssh.com",
"aes128-ctr", "aes192-ctr", "aes256-ctr",
}
// insecure cipher options?
if app.config.install.insecureCipher != nil && *app.config.install.insecureCipher {
app.stdLogger.Println("WARNING: insecure ciphers are enabled (--insecurecipher). SSH with an insecure cipher is NOT secure and should NOT be used.")
ciphers = append(ciphers, "aes128-cbc", "3des-cbc")
}
// install file on UPS
// ssh config
config := &ssh.ClientConfig{
@ -108,7 +122,7 @@ func (app *app) cmdInstall(cmdCtx context.Context, args []string) error {
ClientVersion: fmt.Sprintf("SSH-2.0-apc-p15-tool_v%s %s-%s", appVersion, runtime.GOOS, runtime.GOARCH),
Config: ssh.Config{
KeyExchanges: kexAlgos,
// Ciphers: []string{"aes128-ctr"},
Ciphers: ciphers,
// MACs: []string{"hmac-sha2-256"},
},
// HostKeyAlgorithms: []string{"ssh-rsa"},
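Review bot: The order of `ciphers` is load-bearing, but nothing in the new code says so. `aes128-cbc` and `3des-cbc` are appended after the AEAD and CTR entries, and SSH negotiation picks the first client-listed cipher the server also offers, so they are used only when the UPS supports none of the stronger ones. I would replace `// insecure cipher options?` with `// weak CBC ciphers go last so they are negotiated only when the UPS offers nothing stronger; keep them at the end`. The hard-coded strong list also appears to copy the library defaults from a link that points at `master`, so it can drift unnoticed; pinning the link to a revision would make the comparison reproducible. cmdInstall starts and ends outside these hunks.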


@ -32,10 +32,11 @@ type config struct {
}
install struct {
keyCertPemCfg
hostAndPort *string
fingerprint *string
username *string
password *string
hostAndPort *string
fingerprint *string
username *string
password *string
insecureCipher *bool
}
}
@ -92,6 +93,7 @@ func (app *app) getConfig(args []string) error {
cfg.install.fingerprint = installFlags.StringLong("fingerprint", "", "the SHA256 fingerprint value of the ups' ssh server")
cfg.install.username = installFlags.StringLong("username", "", "username to login to the apc ups")
cfg.install.password = installFlags.StringLong("password", "", "password to login to the apc ups")
cfg.install.insecureCipher = installFlags.BoolLong("insecurecipher", "allows the use of insecure ssh ciphers (NOT recommended)")
installCmd := &ff.Command{
Name: "install",
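Review bot: The `--insecurecipher` help text does not say what the flag enables, so an operator cannot judge the exposure from `--help`. Naming the ciphers would fix that, e.g. `"also offer the weak ssh ciphers aes128-cbc and 3des-cbc for older devices (NOT recommended)"`. Because the install command also takes `--password`, it may be worth stating that the login credentials travel over the session this flag weakens. getConfig starts and ends outside the hunk.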