Weak support for Diffie Hellman groups for SSH KEX

[hiddeco]

Discussion ref: #1319

We do at present only support a very limited set of Diffie Hellman groups as SSH KEX algorithms, and based on the data gathered from the discussion above, this becomes an issue when people have hardened their on-primes Git instances.

Our options to extend support for more groups is limited, as we depend on golang/crypto implementations.

Based on the information from the discussion above, I see two options:

1. Provide configuration flags in the flux CLI and controllers or related (Custom Resource Definition) APIs to extend the configuration of default supported KEX algorithms.
2. Add diffie-hellman-group-exchange-sha256 to our own defaults in all SSH clients across the project, but as the least preferred option. This means the algorithm will only be selected if no other option is found when the client and server exchange supported algorithms.

Because the list of supported algorithms in golang/crypto is almost static, and the work required to implement option 1 takes a lot more time than option 2, my personal preference is to go with the latter option, which should automagically resolve things for most people.

[hiddeco]

Rough sketch of the steps that would be required to implement option 2:

• Add a public PreferredKexAlgos variable to the ssh package in fluxcd/pkg, this variable should match the preferredKexAlgos from golang/crypto but include kexAlgoDHGEXSHA256 at the end (list of string values available here: https://github.com/golang/crypto/blob/0c34fe9e7dc2486962ef9867e3edb3503537209f/ssh/kex.go#L23-L34).
• Optionally: add a helper (SetPreferredKeyAlgos or MakeDefaultClientConfig) to this same package that makes it easier to configure the ClientConfig.Config.KeyExchanges on a given ClientConfig.
• Use the PreferredKexAlgos or the added helper in the Flux components that make use of the ssh.ClientConfig, from the top of my head these are (should be taken care of in item order):
  • fluxcd/source-controller
  • fluxcd/image-automation-controller
  • fluxcd/flux2
    NB: sometimes the usage of ssh.ClientConfig may be hidden, source-controller for example largely makes it look like it depends on go-git/transport/ssh, but this package uses golang/crypto.

Some more details about what you are actually configuring, because it is always handy to know what exactly you are fiddling with, besides that you make it work:

• https://tools.ietf.org/html/rfc4253
• https://tools.ietf.org/html/rfc4253#section-6.5
• https://tools.ietf.org/html/rfc4253#section-7

[stefanprodan]

@hiddeco was this covered in #1443 ?

[hiddeco]

No, this is another issue.

[0x6a77]

maybe this workaround is helpful for anyone up against this problem (#1319)

after research into a possible p/r here, i didn't see a way to access ssh.config from fluxcd — it seems like this has to get solved in go-git, or better yet, golang/crypto should support ssh_config. (tho' i might be wrong.) in the meantime i got this to work with fluxcd/terraform-provider-flux changes!

the basic strategy is to switch to libgit2 and "proto-sed" a configmap-based /etc/ssh_config volume mount into the sync manifests as they get processed. each pod then gets an /etc/ssh/ssh_config file with the needed keyex changes. @hiddeco it might be cool to use the HelmRelease configmap volume mount idiom in flux_sync — i bet it will be useful to allow easy volume mounting into the flux install and sync pods

data "flux_sync" "main" {
  target_path        = var.flux_paths
  url                = var.flux_git_url
  branch             = var.git_branch_name
  git_implementation = "libgit2"
}

resource "kubectl_manifest" "sync" {
  for_each   = {
  for v in local.sync : lower(join("/", compact([
    v.data.apiVersion,
    v.data.kind,
    lookup(v.data.metadata, "namespace", ""),
    v.data.metadata.name]))) => replace(
                                  v.content,
                                  "/(?sm)(.*volumeMounts:)(.*volumes:)(.*)/",
                                  "$${1}\n        - mountPath: /etc/ssh/\n          name: ssh-config\n          readOnly: true$${2}\n      - configMap:\n          name: ssh-config\n        name: ssh-config$${3}"
                                )
  }
  yaml_body  = each.value
}

resource "kubernetes_config_map" "ssh-config" {
  metadata {
    name      = "ssh-config"
    namespace = "flux-system"
  }

  data = {
    ssh_config = <<EOF
Host *
  SendEnv LANG LC_*
  #Legacy changes
  KexAlgorithms +diffie-hellman-group-exchange-sha256
EOF
  }
}

[pjbgf]

This is now fixed based on:

• upstream changes to support and prefer safer key exchange algorithms
• The new --ssh-kex-algos flag which allows users to define their own set of preferred algorithms (provided they are supported by go crypto). xref:
  • Add flag to allow configuration of SSH kex algos source-controller#655
  • Add flag to allow configuration of ssh kex algos image-automation-controller#351

Closing as there seem to be nothing else left to do here, apart from the occasional update to the latest golang.org/x/crypto, which is already done as part of the project's housekeeping.