JSch Disable specific Ciphers without changing code
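I work with multiple financial institutions, and one of them has requested that we disable some of the ciphers we use to connect to them. Specifically, they asked that hmac-md5 and aes128-ctr be removed, and they recommend that we remove aes128-cbc as well, because they are less secure.
Is there a way, through a command-line switch or a Java security file, to easily remove these ciphers?
Looking at some examples, it looks like I have to build the list I want without the above three (bad example, copied from an AES example):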
session.setConfig("cipher.s2c", "aes128-cbc,3des-cbc,blowfish-cbc");
session.setConfig("cipher.c2s", "aes128-cbc,3des-cbc,blowfish-cbc");
session.setConfig("CheckCiphers", "aes128-cbc");
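Obviously, if they removed them on their server side, my client wouldn't use them, but I can see this becoming more common. I really don't want to go through a code change right now.
Snippet from the debug log: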
INFO: Remote version string: SSH-2.0-WS_FTP-SSH_8.5.0
INFO: Local version string: SSH-2.0-JSCH-0.1.54
INFO: CheckCiphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,3des-ctr,arcfour,arcfour128,arcfour256
INFO: CheckKexes: diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
INFO: CheckSignatures: ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
INFO: SSH_MSG_KEXINIT sent
INFO: SSH_MSG_KEXINIT received
INFO: kex: server: diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group-exchange-sha256
INFO: kex: server: ssh-dss,ssh-rsa
INFO: kex: server: aes256-ctr,aes192-ctr,aes128-ctr,3des-cbc,blowfish-cbc,aes256-cbc,aes128-cbc
INFO: kex: server: aes256-ctr,aes192-ctr,aes128-ctr,3des-cbc,blowfish-cbc,aes256-cbc,aes128-cbc
INFO: kex: server: hmac-sha1,hmac-md5,hmac-sha2-256,hmac-sha2-384,hmac-sha2-512
INFO: kex: server: hmac-sha1,hmac-md5,hmac-sha2-256,hmac-sha2-384,hmac-sha2-512
INFO: kex: server: none
INFO: kex: server: none
INFO: kex: server:
INFO: kex: server:
INFO: kex: client: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
INFO: kex: client: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
INFO: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
INFO: kex: client: aes128-ctr,aes128-cbc,3des-ctr,3des-cbc,blowfish-cbc,aes192-ctr,aes192-cbc,aes256-ctr,aes256-cbc
INFO: kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
INFO: kex: client: hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha1-96,hmac-md5-96
INFO: kex: client: none
INFO: kex: client: none
INFO: kex: client:
INFO: kex: client:
INFO: kex: server->client aes128-ctr hmac-md5 none
INFO: kex: client->server aes128-ctr hmac-md5 none
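By default, JSch does not load a default configuration from anywhere.
So the configuration cannot be changed unless your code was explicitly prepared for that.
There is an easy way to implement that, though. You can use the OpenSSHConfig class, which is able to parse a file with the syntax of a common OpenSSH ssh_config file.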
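import com.jcraft.jsch.*;
JSch jsch = new JSch();
// OpenSSHConfig.parseFile() is static and reads the file at the given path
ConfigRepository config = OpenSSHConfig.parseFile("/some/path/ssh_config-like-file");
jsch.setConfigRepository(config);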
The ssh_config-like file can then contain:
Ciphers aes128-cbc,3des-cbc,blowfish-cbc
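That said, it really does not make any sense for them to ask you to remove the ciphers. It is their job not to allow the ciphers on their server.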
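As an added example (not part of the question or the answer above), here is one way to prepare the code once so that later removals need only a command-line switch: a denylist read from a JVM system property and applied to JSch's global cipher and MAC proposals. The class name `JSchDenylist` and the property name `ssh.denied.algorithms` are hypothetical, and the JSch jar is assumed to be on the classpath.

```java
import com.jcraft.jsch.JSch;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Run with, for example:
//   java -Dssh.denied.algorithms=hmac-md5,aes128-ctr,aes128-cbc ... JSchDenylist
public class JSchDenylist {
    // JSch config keys that hold the comma-separated cipher and MAC proposals.
    private static final String[] KEYS = {
        "cipher.c2s", "cipher.s2c", "mac.c2s", "mac.s2c"
    };

    /** Returns csv with every denied name removed, preserving preference order. */
    static String filter(String csv, Set<String> denied) {
        List<String> kept = new ArrayList<>();
        for (String name : csv.split(",")) {
            name = name.trim();
            if (!name.isEmpty() && !denied.contains(name)) {
                kept.add(name);
            }
        }
        return String.join(",", kept);
    }

    /** Call once at startup, before any Session is created. */
    static void apply() {
        // Hypothetical property name chosen for this example; empty means "deny nothing".
        String prop = System.getProperty("ssh.denied.algorithms", "");
        Set<String> denied = new HashSet<>(Arrays.asList(prop.trim().split("\\s*,\\s*")));
        for (String key : KEYS) {
            String current = JSch.getConfig(key);   // global default proposal list
            if (current == null) continue;
            String filtered = filter(current, denied);
            if (filtered.isEmpty()) {
                // Fail at startup rather than send an empty proposal during key exchange.
                throw new IllegalStateException("denylist removes every algorithm in " + key);
            }
            JSch.setConfig(key, filtered);
        }
    }

    public static void main(String[] args) {
        apply();
        System.out.println("cipher.c2s = " + JSch.getConfig("cipher.c2s"));
        System.out.println("mac.c2s    = " + JSch.getConfig("mac.c2s"));
    }
}
```

Explicit `session.setConfig` calls and a config repository take precedence over these global defaults. With the proposal lists in the debug log above, dropping those three names makes 3des-cbc the first client cipher the server also offers, so the remaining order should be reviewed too.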