Disable default SSH algorithms
Network administrators may wish to disable certain algorithms (ciphers, macs, key exchanges) for their SSH traffic.
Since the client selects the algorithms after a negotiation phase the only way to disable certain algorithms is to completely exclude them from the available algorithms list on the server side.
- Find the available algorithm names by starting Stash with debug logging enabled and looking in the
atlassian-stash.logfile for messages of the form:
Available SSH KEY_EXCHANGE: [diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1]
Available SSH CIPHER: [aes128-ctr, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc]
Available SSH MAC: [hmac-sha2-256, hmac-sha2-512, hmac-sha1, hmac-sha1-96, hmac-md5-96]
- Add the algorithm names you wish to disable to the
plugin.ssh.disabled.macsproperties (available in Stash 3.9+) as specified in Stash config properties, and restart Stash.
- You can verify the algorithms used by executing a remote SSH command and reading the available and negotiated algorithms in the verbose output.
ssh -vvv -p <stash ssh port> git@<stash host> whoami 2>&1
debug2: kex_parse_kexinit:for available algorithms and
debug1: kex: server->clientfor negotiated result or execute:
ssh -vvv -p <stash ssh port> git@<stash host> whoami 2>&1 | grep kex_parse_kexinit
ssh -vvv -p <stash ssh port> git@<stash host> whoami 2>&1 | grep server-\>client
To enable additional stronger algorithms see List ciphers used by JVM to install Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.