Disable default SSH algorithms


Purpose

Network administrators may wish to disable certain algorithms (ciphers, MACs, key exchanges) for their SSH traffic.

Since the client selects the algorithms after a negotiation phase, the only way to disable certain algorithms is to exclude them entirely from the list of algorithms the server advertises.

Solution

  • Find the available algorithm names by starting Stash with debug logging enabled and looking in the atlassian-stash.log file for messages of the form:
    Available SSH CIPHER: [aes128-ctr, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc]
    Available SSH KEY_EXCHANGE: [diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1]
    Available SSH MAC: [hmac-sha2-256, hmac-sha2-512, hmac-sha1, hmac-sha1-96, hmac-md5-96]
  • Add the algorithm names you wish to disable to the plugin.ssh.disabled.ciphers, plugin.ssh.disabled.key.exchanges, and plugin.ssh.disabled.macs properties (available in Stash 3.9+) as specified in Stash config properties, and restart Stash.
  • You can verify the algorithms in use by executing a remote SSH command and reading the available and negotiated algorithms in the verbose output:
    • ssh -vvv -p <stash ssh port> git@<stash host> whoami 2>&1

    • Look for the debug2: kex_parse_kexinit: lines for the available algorithms and the debug1: kex: server->client line for the negotiated result, or filter the output directly:

    • ssh -vvv -p <stash ssh port> git@<stash host> whoami 2>&1 | grep kex_parse_kexinit

    • ssh -vvv -p <stash ssh port> git@<stash host> whoami 2>&1 | grep server-\>client

  • To enable additional, stronger algorithms, see List ciphers used by JVM to install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.
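Reading the kex_parse_kexinit lines by eye is error-prone, since the client's and the server's proposals are printed back to back in the same format. The following script is an added example (not part of this article or of Stash) that parses the ssh -vvv output from the verification step, isolates the server's KEXINIT proposal, and reports any algorithm from your disabled set that the server still advertises. It assumes the OpenSSH 6.x-style debug2: kex_parse_kexinit: format referenced above (newer OpenSSH versions print the proposals as "debug2: KEX algorithms:" and similar lines, which this parser does not handle); the DISABLED set mirrors the names you would put in the plugin.ssh.disabled.* properties, and the sample debug output is constructed.

```python
import re
import sys
from typing import Dict, List, Optional

# Constructed excerpt of `ssh -vvv` output: the client's KEXINIT proposal
# comes first, then the server's. In this sample the server was meant to have
# arcfour128 and 3des-cbc disabled, but 3des-cbc is still being advertised.
SAMPLE_SSH_DEBUG = """\
debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes256-ctr,arcfour128,aes128-cbc,3des-cbc
debug2: kex_parse_kexinit: aes128-ctr,aes256-ctr,arcfour128,aes128-cbc,3des-cbc
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha1,hmac-md5-96
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha1,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha1
debug2: kex_parse_kexinit: ssh-rsa
debug2: kex_parse_kexinit: aes128-ctr,aes128-cbc,3des-cbc
debug2: kex_parse_kexinit: aes128-ctr,aes128-cbc,3des-cbc
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug1: kex: server->client aes128-ctr hmac-sha2-256 none
debug1: kex: client->server aes128-ctr hmac-sha2-256 none
"""

# The algorithms the administrator intended to disable (assumed values; they
# correspond to plugin.ssh.disabled.ciphers / .key.exchanges / .macs).
DISABLED = {
    "ciphers": {"arcfour128", "3des-cbc"},
    "key_exchanges": {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"},
    "macs": {"hmac-md5-96", "hmac-sha1-96"},
}

# Order of the ten name-lists inside one SSH_MSG_KEXINIT (RFC 4253, section 7.1).
KEXINIT_FIELDS = [
    "kex", "hostkey", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
    "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c",
]

NEGOTIATED_RE = re.compile(r"^debug1: kex: server->client (\S+) (\S+) (\S+)")


def parse_proposals(debug_output: str) -> List[Dict[str, List[str]]]:
    """Group kex_parse_kexinit lines into KEXINIT proposals (client first, then server)."""
    proposals: List[Dict[str, List[str]]] = []
    current: List[str] = []
    for line in debug_output.splitlines():
        if "kex_parse_kexinit:" not in line:
            continue
        payload = line.split("kex_parse_kexinit:", 1)[1].strip()
        if payload.startswith("first_kex_follows"):
            continue
        if payload.startswith("reserved"):
            # "reserved" closes one proposal: map the collected lists to their fields.
            proposals.append({
                field: [name for name in names.split(",") if name]
                for field, names in zip(KEXINIT_FIELDS, current)
            })
            current = []
            continue
        current.append(payload)
    return proposals


def server_proposal(debug_output: str) -> Dict[str, List[str]]:
    """The server's proposal is the second KEXINIT block printed by the client."""
    proposals = parse_proposals(debug_output)
    if len(proposals) < 2:
        raise ValueError("expected both client and server KEXINIT proposals in -vvv output")
    return proposals[1]


def still_offered(debug_output: str, disabled: Dict[str, set]) -> Dict[str, List[str]]:
    """Disabled algorithms the server still advertises, keyed by category (empty lists mean OK)."""
    srv = server_proposal(debug_output)
    offered = {
        "ciphers": set(srv["cipher_c2s"]) | set(srv["cipher_s2c"]),
        "key_exchanges": set(srv["kex"]),
        "macs": set(srv["mac_c2s"]) | set(srv["mac_s2c"]),
    }
    return {cat: sorted(offered[cat] & set(names)) for cat, names in disabled.items()}


def negotiated_server_to_client(debug_output: str) -> Optional[Dict[str, str]]:
    """Parse the 'debug1: kex: server->client <cipher> <mac> <compression>' line."""
    for line in debug_output.splitlines():
        m = NEGOTIATED_RE.match(line)
        if m:
            return {"cipher": m.group(1), "mac": m.group(2), "compression": m.group(3)}
    return None


if __name__ == "__main__":
    # Usage: ssh -vvv -p <port> git@<host> whoami 2>&1 | python3 check_ssh_algos.py
    # (falls back to the constructed sample when nothing is piped in)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SSH_DEBUG
    leftovers = still_offered(text, DISABLED)
    print("negotiated:", negotiated_server_to_client(text))
    for category, names in leftovers.items():
        print(f"{category}: {'OK' if not names else 'still offered: ' + ', '.join(names)}")
    sys.exit(1 if any(leftovers.values()) else 0)
```

Run against the constructed sample, the script reports that 3des-cbc is still offered as a cipher while the disabled key exchanges and MACs are gone, and exits non-zero so it can gate a post-restart check. Checking the server's proposal rather than the negotiated line matters: a modern client will happily negotiate aes128-ctr even while the server still advertises the weak cipher to older clients.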

Last modified on Nov 2, 2018
