SSH transport: Re-enable weak kex algorithms
After the upgrade of MINA SSHD to 2.6.0, this change was included: [1],
which disabled weak kex algorithms by default, to be aligned with
OpenSSH: [2].
Keep the weak kex algorithms disabled by default, but add a new
configuration option to re-enable them. We should also deprecate those
algorithms in the next Gerrit releases and consider removing support for
weak kex algorithms in future Gerrit releases.
[1] https://issues.apache.org/jira/browse/SSHD-1004
[2] https://www.zdnet.com/article/openssh-to-deprecate-sha-1-logins-due-to-security-risk
Bug: Issue 14644
Change-Id: Icd8680a68f4859c631984a514c6f299cd2c7e77e
diff --git a/Documentation/config-gerrit.txt b/Documentation/config-gerrit.txt
index 1c98b9af..93d2a52 100644
--- a/Documentation/config-gerrit.txt
+++ b/Documentation/config-gerrit.txt
@@ -5107,6 +5107,16 @@
+
By default, all supported MACs are available.
+[[sshd.enableDeprecatedKexAlgorithms]]sshd.enableDeprecatedKexAlgorithms::
++
+Enable deprecated kex algorithms:
++
+* `diffie-hellman-group1-sha1`
+* `diffie-hellman-group14-sha1`
+* `diffie-hellman-group-exchange-sha1`
+
+By default, the deprecated kex algorithms are disabled.
+
[[sshd.kex]]sshd.kex::
+
--
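Review bot: the new sshd.enableDeprecatedKexAlgorithms entry does not state the option's type, its accepted values, or how it interacts with sshd.kex. Say explicitly that it is a boolean defaulting to false, and whether setting it to true appends `diffie-hellman-group1-sha1`, `diffie-hellman-group14-sha1` and `diffie-hellman-group-exchange-sha1` to the default key exchange list or merely makes them eligible for selection via `sshd.kex = +...`. Since these are the SHA-1 (and, for group1, 1024-bit) exchanges that the commit message describes as weak and that OpenSSH disables by default, a one-line warning here that enabling them lowers the security of the SSH transport and is intended only as a temporary compatibility measure would help administrators judge the trade-off, and would also make the "deprecated" wording in the heading match the "weak" wording in the commit message.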
@@ -5117,24 +5127,20 @@
algorithms, key exchange algorithm names starting with `-` are
removed from the default key exchange algorithms.
-In the following example configuration, support for the 1024-bit
-`diffie-hellman-group1-sha1` key exchange is disabled while leaving
-all of the other default algorithms enabled:
-
-----
-[sshd]
- kex = -diffie-hellman-group1-sha1
-----
-
Supported key exchange algorithms:
* `ecdh-sha2-nistp521`
* `ecdh-sha2-nistp384`
* `ecdh-sha2-nistp256`
* `diffie-hellman-group-exchange-sha256`
-* `diffie-hellman-group-exchange-sha1`
-* `diffie-hellman-group14-sha1`
-* `diffie-hellman-group1-sha1`
+* `diffie-hellman-group18-sha512`
+* `diffie-hellman-group17-sha512`
+* `diffie-hellman-group16-sha512`
+* `diffie-hellman-group15-sha512`
+* `diffie-hellman-group14-sha256`
+
+See link:#sshd.enableDeprecatedKexAlgorithms[sshd.enableDeprecatedKexAlgorithms]
+for deprecated key algorithms and how to enable them.
By default, all supported key exchange algorithms are available.
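Review bot: dropping the `kex = -diffie-hellman-group1-sha1` example leaves the sshd.kex section with no worked example of the `+`/`-` prefix syntax described just above it. Since that algorithm is no longer in the default set the old example is stale, but it should be replaced rather than removed, for instance by showing how to remove one of the algorithms that remains enabled by default (`kex = -diffie-hellman-group-exchange-sha256`) or how `+` is used together with the new sshd.enableDeprecatedKexAlgorithms option. Also, the cross-reference text "for deprecated key algorithms and how to enable them" should read "deprecated key exchange algorithms", as "key algorithms" elsewhere in this file refers to host/user key types, not kex. Finally, the reworked "Supported key exchange algorithms" list now presents group15 through group18 with SHA-512 and group14 with SHA-256 as supported; please confirm that this is the exact set MINA SSHD 2.6.0 enables, and that the sentence "By default, all supported key exchange algorithms are available" is still true once the three SHA-1 exchanges are excluded from it.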