Support configurable SSHD algorithms to disable weak/legacy defaults #599
Description
Issue
The diego-sshd process supports flags to allow-list host key algorithms, MACs, KEXs, and ciphers. However, the Cloud Controller does not currently provide a mechanism to pass these parameters when building the LRP action.
Context
When building the action for sshd in the application's LRP, the crypto algorithms are not configured, causing the process to fall back to defaults. This allows potentially vulnerable or deprecated algorithms to remain active.
For example, ssh-rsa (which uses the insecure SHA-1 hash) is allowed by default, failing modern security compliance scans.
cloud_controller/diego/main_lrp_action_builder.rb#L103-L116
action(::Diego::Bbs::Models::RunAction.new(
user: user,
path: '/tmp/lifecycle/diego-sshd',
args: [
"-address=#{sprintf('0.0.0.0:%<port>d', port: DEFAULT_SSH_PORT)}",
"-hostKey=#{ssh_key.private_key}",
"-authorizedKey=#{ssh_key.authorized_key}",
'-inheritDaemonEnv',
'-logLevel=fatal'
],
env: environment_variables,
resource_limits: ::Diego::Bbs::Models::ResourceLimits.new(nofile: process.file_descriptors),
log_source: SSHD_LOG_SOURCE
))Related PRs
Proposed solutions
Add configuration for allowed_ciphers, allowed_macs, allowed_key_exchanges and allowed_host_key_algorithms here:
capi-release/jobs/cloud_controller_ng/spec
Lines 283 to 298 in d32560e