
Conversation


@neumayer neumayer commented Jun 18, 2025

Currently, "ssh-rsa" is offered as host key algorithm by TSA for worker registration on port 2222. This seems to be flagged at least by some security scanners as "using deprecated SHA1 cryptographic settings to communicate."

This can be verified with:

nmap -Pn --script ssh2-enum-algos -sV -p 2222 tsa.example.com

And results in:

|   server_host_key_algorithms: (3)
|       rsa-sha2-256
|       rsa-sha2-512
|       ssh-rsa

This can be addressed by specifying the allowed host key algorithms on the server side as outlined here:

golang/go#52132

Changes proposed by this PR

closes #9212
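The scanner finding in the description can be turned into a repeatable pass/fail check once the TSA change is deployed. The script below is an added example, not code from this PR, from Concourse or from the nmap project: it parses the `ssh2-enum-algos` output format shown above (constructed sample listings are embedded, not real scans), extracts the `server_host_key_algorithms` section and fails if a SHA-1 based host key algorithm (`ssh-rsa`, or `ssh-dss`) is still offered.

```shell
#!/bin/sh
# Added example (not part of the Concourse PR or of nmap): turn the
# ssh2-enum-algos finding into a pass/fail check.
#
# Usage against a live host (hostname and port as in the PR description):
#   nmap -Pn --script ssh2-enum-algos -sV -p 2222 tsa.example.com | check_host_key_algos

# Print the algorithms listed under "server_host_key_algorithms", one per line.
# nmap prefixes NSE script output with "| " (and "|_" on the last line); a
# section ends at the next "name: (N)" header, which is the only line type
# inside the listing that contains a colon.
server_host_key_algos() {
    awk '
        /server_host_key_algorithms:/ { in_section = 1; next }
        in_section && /:/             { in_section = 0 }
        in_section {
            sub(/^\|_?[ \t]*/, "")   # strip the nmap line prefix
            sub(/[ \t]*$/, "")
            if ($0 != "") print
        }
    '
}

# Reads nmap output on stdin. Exit status 0 when no SHA-1 based host key
# algorithm is offered, 1 when "ssh-rsa" (RSA signatures over SHA-1) or
# "ssh-dss" (DSA, SHA-1 only) is present.
check_host_key_algos() {
    offered=$(server_host_key_algos)
    status=0
    for algo in $offered; do   # algorithm names contain no whitespace
        case "$algo" in
            ssh-rsa|ssh-dss)
                echo "FAIL: deprecated SHA-1 host key algorithm offered: $algo" >&2
                status=1
                ;;
        esac
    done
    if [ "$status" -eq 0 ]; then
        echo "OK: no SHA-1 host key algorithms offered" >&2
    fi
    return "$status"
}

# Constructed sample output (not real scans), matching the listing in the PR
# description: the "before" state offers ssh-rsa, the "after" state does not.
SCAN_BEFORE='| ssh2-enum-algos:
|   server_host_key_algorithms: (3)
|       rsa-sha2-256
|       rsa-sha2-512
|       ssh-rsa
|   encryption_algorithms: (1)
|_      aes128-ctr'

SCAN_AFTER='| ssh2-enum-algos:
|   server_host_key_algorithms: (2)
|       rsa-sha2-256
|_      rsa-sha2-512'
```

Run as `nmap ... | check_host_key_algos` from a CI job or a periodic compliance check; the non-zero exit status is the signal, the messages on stderr are for the human reading the log.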

Member

@taylorsilva taylorsilva left a comment


FYI, I rebased your branch onto master. One of the PR checks was failing, seemingly due to a change in goimport's behaviour.

@taylorsilva taylorsilva moved this from Todo to In Progress in Pull Requests Jun 19, 2025
@neumayer
Author

I can't access the logs of that failure. But in line with your comment before, I assume it's unrelated to my change.

Robert Neumayer added 2 commits June 20, 2025 15:33
Currently, "ssh-rsa" is offered as host key algorithm by TSA for worker
registration on port 2222. This seems to be flagged at least by some
security scanners as "using deprecated SHA1 cryptographic settings to
communicate."

This can be verified with:

nmap -Pn --script ssh2-enum-algos -sV -p 2222 tsa.example.com

And results in:

|   server_host_key_algorithms: (3)
|       rsa-sha2-256
|       rsa-sha2-512
|       ssh-rsa

This can be addressed by specifying the allowed host key algorithms on
the server side as outlined here:

golang/go#52132

Signed-off-by: Robert Neumayer <robert.neumayer@proton.me>
Signed-off-by: Robert Neumayer <robert.neumayer@proton.me>
@taylorsilva
Member

taylorsilva commented Jun 20, 2025

You are correct. There's been a single test in that test suite that's been flaking in CI when there's high CPU usage. Re-running it.

Edit: Yup, it's green now.

Member

@taylorsilva taylorsilva left a comment


Approved! Just going to let the integration tests go green and then I'll merge. Thanks again for the PR 🙏

@taylorsilva
Member

@neumayer I added you to the all team in the Concourse org here, you should get an email from Github to accept the invite. That'll allow you to see the logs from the PR checks. Will make any future contributions you make easier :)

@taylorsilva taylorsilva merged commit 4e1aa2b into concourse:master Jun 20, 2025
12 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in Pull Requests Jun 20, 2025

Successfully merging this pull request may close these issues.

TSA offers "ssh-rsa" as host key algorithm