Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SFTP - security options improvment #1961

Closed
DoctorD90 opened this issue Aug 18, 2020 · 5 comments
Closed

SFTP - security options improvment #1961

DoctorD90 opened this issue Aug 18, 2020 · 5 comments
Assignees
@TranceLove
Labels
Area-Ssh/Scp/Sftp Issue-Feature A feature request or improvement.
Milestone
v3.7

Comments

@DoctorD90
Copy link

Hi! The app is amazing! I was using and it seems GREAT!
i'd like to ask if it'd be possible to increase/upgrade security options for the sftp protocol.
Actually Im using a ed25519 key type, but I noticed Amaze offers: ssh-rsa,ssh-dss [preauth]

Moreover ( I didn't edited my server to test them ), if Amaze could support most recents:

Thanks!
@TranceLove
Copy link
Collaborator

Amaze's SSH implementation depends on hierynomus/sshj, with some little tweak that disabled ECDSA (although on-device test did passed for ED25519 keys) to for stock and our own BouncyCastle co-existence.

After #1881 and #1890 merged to enable full BouncyCastle usage in our app maybe we can lift the tweaks to see if everything still work.

But for the new ciphers you mentioned, I could find chacha20-poly1305 in BouncyCastle, but not sure if it can be used with sshj itself.

Adding these ciphers may take time. Can't tell if it'll be at 3.6, but shall not happen at 3.5 cycle as we push hard towards public beta and release.

Anyway, let's lift the tweak first.

@TranceLove TranceLove self-assigned this Aug 18, 2020
TranceLove added a commit that referenced this issue Aug 18, 2020
@TranceLove
Lifting tweaks in CustomSshJConfig to enable advanced crypto features
0534ce1 
Addresses #1961.

Previously due to preventing conflict with stock BouncyCastle on Android devices some tweaks were added to CustomSshJConfig. But with full adaptation of BouncyCastle over the stock one it should be safe to remove the tweaks and use stock features as much as possible.

Tested on Fairphone 3 running LineageOS 16.0 (9.0), using ED25519 private key to authenticate against OpenSSH server 8.2p1 on Ubuntu 20.04.
@TranceLove TranceLove mentioned this issue Aug 18, 2020
Merged
4 tasks
@TranceLove TranceLove added Area-Ssh/Scp/Sftp Issue-Feature A feature request or improvement. labels Aug 18, 2020
@TranceLove TranceLove added this to the v3.5 milestone Aug 18, 2020
TranceLove added a commit that referenced this issue Aug 19, 2020
@TranceLove
Lifting tweaks in CustomSshJConfig to enable advanced crypto features
14691f2 
Addresses #1961.

Previously due to preventing conflict with stock BouncyCastle on Android devices some tweaks were added to CustomSshJConfig. But with full adaptation of BouncyCastle over the stock one it should be safe to remove the tweaks and use stock features as much as possible.

Tested on Fairphone 3 running LineageOS 16.0 (9.0), using ED25519 private key to authenticate against OpenSSH server 8.2p1 on Ubuntu 20.04.
@VishalNehra VishalNehra modified the milestones: v3.5, v3.6 Aug 20, 2020
@TranceLove
Copy link
Collaborator

TranceLove commented Aug 23, 2020
edited
Loading

Implement aes128-gcm@openssh.com/aes256-gcm@openssh.com support, may take work done on Apache Mina SSHD as reference.
apache/mina-sshd#132

chacha20-poly1305@openssh.com cipher support is still work in progress.
https://issues.apache.org/jira/browse/SSHD-1017

@TranceLove
Copy link
Collaborator

Support for AES-GCM cipher is being implemented at sshj upstream: hierynomus/sshj#630

@TranceLove
Copy link
Collaborator

TranceLove commented May 9, 2021
edited
Loading

chacha20-poly1305@openssh.com support had been implemented at sshj upstream: hierynomus/sshj#682.

As soon as a new sshj is released, upgrade the lib will close this issue. Let's hope this will happen in 3.6 series then :)

@VishalNehra VishalNehra modified the milestones: v3.6, v3.7 Jun 10, 2021
@TranceLove TranceLove modified the milestones: v3.7, v4.0 Sep 25, 2021
@TranceLove
Copy link
Collaborator

With #2909 merged, chacha20-poly1305@openssh.com support in place, this should be marked as closed.

@EmmanuelMess EmmanuelMess modified the milestones: v4.0, v3.7 Dec 22, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@TranceLove TranceLove

Labels
Area-Ssh/Scp/Sftp Issue-Feature A feature request or improvement.
Projects
None yet
Milestone
v3.7
Development

No branches or pull requests
4 participants
@TranceLove @VishalNehra @DoctorD90 @EmmanuelMess