Java 如何在ganymed-ssh2-build210.jar中禁用diffie-hellman-group1-sha1
在Java中,我们使用ganymed-ssh2-build210.jar通过ssh连接到服务器。我需要特别限制较弱的算法“diffie-hellman-group1-sha1” ganymed-ssh2-build210.jar中是否有任何可自定义的设置允许限制此操作Java 如何在ganymed-ssh2-build210.jar中禁用diffie-hellman-group1-sha1,java,ssh,diffie-hellman,java-security,ganymede,Java,Ssh,Diffie Hellman,Java Security,Ganymede,在Java中,我们使用ganymed-ssh2-build210.jar通过ssh连接到服务器。我需要特别限制较弱的算法“diffie-hellman-group1-sha1” ganymed-ssh2-build210.jar中是否有任何可自定义的设置允许限制此操作 是否有任何java.security设置可用于限制相同的密码?您希望更改服务器上而不是客户端上允许的密码,否则任何人都可以轻松绕过此设置 检查答案:您希望更改服务器上而不是客户端上允许的密码,否则任何人都可以轻松绕过此操作 检查答
是否有任何java.security设置可用于限制相同的密码?您希望更改服务器上而不是客户端上允许的密码,否则任何人都可以轻松绕过此设置
检查答案:您希望更改服务器上而不是客户端上允许的密码,否则任何人都可以轻松绕过此操作
检查答案:如果您无法控制服务器,但无法控制客户端上的库 以下可能是一种选择
- 获取库的源代码
- 修改
不再支持ch/ethz/ssh2/transport/KexManager.javadiffie-hellman-group1-sha1 - 编译修改后的代码
- 将补丁库创建为
,并将此库与客户端应用程序一起使用ganymed-ssh2-build210_1.jar
bin/
apache-sshd-1.6.0.tar.gz
ganymed-ssh2-build210.jar
ganymed-ssh2-build210-sources.jar
SshClientDemo.java
SshServerDemo.java
- 下载档案
package sub.optimal;
import java.nio.file.Paths;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.sshd.common.NamedFactory;
import org.apache.sshd.common.kex.KeyExchange;
import org.apache.sshd.common.util.GenericUtils;
import org.apache.sshd.server.SshServer;
import org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider;
import org.apache.sshd.server.scp.ScpCommandFactory;
import org.apache.sshd.server.shell.InteractiveProcessShellFactory;
import org.apache.sshd.server.shell.ProcessShellFactory;
public class SshServerDemo extends Thread {
public static void main(String[] args) throws Exception {
Logger.getGlobal().setLevel(Level.FINEST);
SshServer sshd = SshServer.setUpDefaultServer();
sshd.setPort(2222);
sshd.setKeyPairProvider(
new SimpleGeneratorHostKeyProvider(Paths.get("hostkey.ser"))
);
sshd.setShellFactory(InteractiveProcessShellFactory.INSTANCE);
sshd.setCommandFactory(
new ScpCommandFactory.Builder().withDelegate(
cmd -> new ProcessShellFactory(
GenericUtils.split(cmd, ' ')
).create()
).build()
);
List<NamedFactory<KeyExchange>> keyExchangeFactories;
keyExchangeFactories = sshd.getKeyExchangeFactories();
keyExchangeFactories.removeIf(
e -> !e.getName().equals("diffie-hellman-group1-sha1")
);
sshd.setKeyExchangeFactories(keyExchangeFactories);
sshd.setPasswordAuthenticator(
(username, password, session) -> username.equals(password)
);
sshd.start();
Thread.sleep(Long.MAX_VALUE);
}
}
package sub.optimal;
import ch.ethz.ssh2.Connection;
import ch.ethz.ssh2.Session;
import ch.ethz.ssh2.StreamGobbler;
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
public class SshClientDemo {
public static void main(String[] args) throws Exception {
Connection conn = new Connection("localhost", 2222);
conn.connect();
boolean isAuthenticated = conn.authenticateWithPassword("foo", "foo");
Session sess = conn.openSession();
System.out.println("session is authenticated: " + isAuthenticated);
sess.execCommand("echo I'm there...");
InputStream stdout = new StreamGobbler(sess.getStdout());
BufferedReader br = new BufferedReader(new InputStreamReader(stdout));
while (true) {
String line = br.readLine();
if (line == null) {
break;
}
System.out.println(line);
}
sess.close();
conn.close();
}
}
- 解压缩Apache服务器
tar xzf apache-sshd-1.6.0.tar.gz - 编译演示类
javac -cp "apache-sshd-1.6.0/lib/*" -d bin/ SshServerDemo.java javac -cp ganymed-ssh2-build210.jar -d bin/ SshClientDemo.java - 提取
KexManager.javajar vxf ganymed-ssh2-build210-sources.jar \ ch/ethz/ssh2/transport/KexManager.javapublic static final String[] getDefaultKexAlgorithmList() { return new String[] { "diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1"// , // "diffie-hellman-group1-sha1" }; } ... public static final void checkKexAlgorithmList(String[] algos) ... if ("diffie-hellman-group14-sha1".equals(algos[i])) continue; // if ("diffie-hellman-group1-sha1".equals(algos[i])) // continue; ...javac -cp ganymed-ssh2-build210.jar ch/ethz/ssh2/transport/KexManager.java - 修改文件
KexManager.javajar vxf ganymed-ssh2-build210-sources.jar \ ch/ethz/ssh2/transport/KexManager.javapublic static final String[] getDefaultKexAlgorithmList() { return new String[] { "diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1"// , // "diffie-hellman-group1-sha1" }; } ... public static final void checkKexAlgorithmList(String[] algos) ... if ("diffie-hellman-group14-sha1".equals(algos[i])) continue; // if ("diffie-hellman-group1-sha1".equals(algos[i])) // continue; ...javac -cp ganymed-ssh2-build210.jar ch/ethz/ssh2/transport/KexManager.java - 编译补丁的
KexManager.javajar vxf ganymed-ssh2-build210-sources.jar \ ch/ethz/ssh2/transport/KexManager.javapublic static final String[] getDefaultKexAlgorithmList() { return new String[] { "diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1"// , // "diffie-hellman-group1-sha1" }; } ... public static final void checkKexAlgorithmList(String[] algos) ... if ("diffie-hellman-group14-sha1".equals(algos[i])) continue; // if ("diffie-hellman-group1-sha1".equals(algos[i])) // continue; ...javac -cp ganymed-ssh2-build210.jar ch/ethz/ssh2/transport/KexManager.java - 创建一个补丁库
cp ganymed-ssh2-build210.jar ganymed-ssh2-build210-patched.jar jar vuf ganymed-ssh2-build210-patched.jar \ ch/ethz/ssh2/transport/KexManager.class
- 启动服务器
java -cp "bin/:apache-sshd-1.6.0/lib/*" sub.optimal.SshServerDemossh -vv foo@localhost -p 2222
- 首先检查服务器支持的密钥交换算法
java -cp "bin/:apache-sshd-1.6.0/lib/*" sub.optimal.SshServerDemo
在输出中,仅报告ssh -vv foo@localhost -p 2222diffie-hellman-group1-sha1debug2: peer server KEXINIT proposal debug2: KEX algorithms: diffie-hellman-group1-sha1 - 使用未修补的库运行客户端
java -cp bin/:ganymed-ssh2-build210.jar sub.optimal.SshClientDemo
输出java -cp bin/:ganymed-ssh2-build210-patched.jar sub.optimal.SshClientDemosession is authenticated: true I'm there...Caused by: java.io.IOException: Cannot negotiate, proposals do not match. - 使用已修补的库运行客户端
java -cp bin/:ganymed-ssh2-build210.jar sub.optimal.SshClientDemo
输出java -cp bin/:ganymed-ssh2-build210-patched.jar sub.optimal.SshClientDemosession is authenticated: true I'm there...
在服务器日志上Caused by: java.io.IOException: Cannot negotiate, proposals do not match.Unable to negotiate key exchange for kex algorithms \ (client: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 \ / server: diffie-hellman-group1-sha1)
这证明了带有补丁库的SshClientDemo无法使用密钥交换算法
diffie-hellman-group1-sha1- 获取库的源代码
- 修改
不再支持ch/ethz/ssh2/transport/KexManager.javadiffie-hellman-group1-sha1 - 编译修改后的代码
- 将补丁库创建为
,并将此库与客户端应用程序一起使用ganymed-ssh2-build210_1.jar
bin/
apache-sshd-1.6.0.tar.gz
ganymed-ssh2-build210.jar
ganymed-ssh2-build210-sources.jar
SshClientDemo.java
SshServerDemo.java
- 下载档案
package sub.optimal;
import java.nio.file.Paths;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.sshd.common.NamedFactory;
import org.apache.sshd.common.kex.KeyExchange;
import org.apache.sshd.common.util.GenericUtils;
import org.apache.sshd.server.SshServer;
import org.apache.sshd.server.keyprovider.SimpleGeneratorHostKeyProvider;
import org.apache.sshd.server.scp.ScpCommandFactory;
import org.apache.sshd.server.shell.InteractiveProcessShellFactory;
import org.apache.sshd.server.shell.ProcessShellFactory;
public class SshServerDemo extends Thread {
public static void main(String[] args) throws Exception {
Logger.getGlobal().setLevel(Level.FINEST);
SshServer sshd = SshServer.setUpDefaultServer();
sshd.setPort(2222);
sshd.setKeyPairProvider(
new SimpleGeneratorHostKeyProvider(Paths.get("hostkey.ser"))
);
sshd.setShellFactory(InteractiveProcessShellFactory.INSTANCE);
sshd.setCommandFactory(
new ScpCommandFactory.Builder().withDelegate(
cmd -> new ProcessShellFactory(
GenericUtils.split(cmd, ' ')
).create()
).build()
);
List<NamedFactory<KeyExchange>> keyExchangeFactories;
keyExchangeFactories = sshd.getKeyExchangeFactories();
keyExchangeFactories.removeIf(
e -> !e.getName().equals("diffie-hellman-group1-sha1")
);
sshd.setKeyExchangeFactories(keyExchangeFactories);
sshd.setPasswordAuthenticator(
(username, password, session) -> username.equals(password)
);
sshd.start();
Thread.sleep(Long.MAX_VALUE);
}
}
package sub.optimal;
import ch.ethz.ssh2.Connection;
import ch.ethz.ssh2.Session;
import ch.ethz.ssh2.StreamGobbler;
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
public class SshClientDemo {
public static void main(String[] args) throws Exception {
Connection conn = new Connection("localhost", 2222);
conn.connect();
boolean isAuthenticated = conn.authenticateWithPassword("foo", "foo");
Session sess = conn.openSession();
System.out.println("session is authenticated: " + isAuthenticated);
sess.execCommand("echo I'm there...");
InputStream stdout = new StreamGobbler(sess.getStdout());
BufferedReader br = new BufferedReader(new InputStreamReader(stdout));
while (true) {
String line = br.readLine();
if (line == null) {
break;
}
System.out.println(line);
}
sess.close();
conn.close();
}
}
- 解压缩Apache服务器
tar xzf apache-sshd-1.6.0.tar.gz - 编译演示类
javac -cp "apache-sshd-1.6.0/lib/*" -d bin/ SshServerDemo.java javac -cp ganymed-ssh2-build210.jar -d bin/ SshClientDemo.java - 提取
KexManager.javajar vxf ganymed-ssh2-build210-sources.jar \ ch/ethz/ssh2/transport/KexManager.javapublic static final String[] getDefaultKexAlgorithmList() { return new String[] { "diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1"// , // "diffie-hellman-group1-sha1" }; } ... public static final void checkKexAlgorithmList(String[] algos) ... if ("diffie-hellman-group14-sha1".equals(algos[i])) continue; // if ("diffie-hellman-group1-sha1".equals(algos[i])) // continue; ...javac -cp ganymed-ssh2-build210.jar ch/ethz/ssh2/transport/KexManager.java - 修改文件
KexManager.javajar vxf ganymed-ssh2-build210-sources.jar \ ch/ethz/ssh2/transport/KexManager.javapublic static final String[] getDefaultKexAlgorithmList() { return new String[] { "diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1"// , // "diffie-hellman-group1-sha1" }; } ... public static final void checkKexAlgorithmList(String[] algos) ... if ("diffie-hellman-group14-sha1".equals(algos[i])) continue; // if ("diffie-hellman-group1-sha1".equals(algos[i])) // continue; ...javac -cp ganymed-ssh2-build210.jar ch/ethz/ssh2/transport/KexManager.java - 编译补丁的
KexManager.javajar vxf ganymed-ssh2-build210-sources.jar \ ch/ethz/ssh2/transport/KexManager.javapublic static final String[] getDefaultKexAlgorithmList() { return new String[] { "diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1"// , // "diffie-hellman-group1-sha1" }; } ... public static final void checkKexAlgorithmList(String[] algos) ... if ("diffie-hellman-group14-sha1".equals(algos[i])) continue; // if ("diffie-hellman-group1-sha1".equals(algos[i])) // continue; ...javac -cp ganymed-ssh2-build210.jar ch/ethz/ssh2/transport/KexManager.java - 创建一个补丁库
cp ganymed-ssh2-build210.jar ganymed-ssh2-build210-patched.jar jar vuf ganymed-ssh2-build210-patched.jar \ ch/ethz/ssh2/transport/KexManager.class
- 启动服务器
java -cp "bin/:apache-sshd-1.6.0/lib/*" sub.optimal.SshServerDemossh -vv foo@localhost -p 2222
- 首先检查服务器支持的密钥交换算法
java -cp "bin/:apache-sshd-1.6.0/lib/*" sub.optimal.SshServerDemo
在输出中,仅报告ssh -vv foo@localhost -p 2222diffie-hellman-group1-sha1debug2: peer server KEXINIT proposal debug2: KEX algorithms: diffie-hellman-group1-sha1 - 使用未修补的库运行客户端
java -cp bin/:ganymed-ssh2-build210.jar sub.optimal.SshClientDemo
输出java -cp bin/:ganymed-ssh2-build210-patched.jar sub.optimal.SshClientDemosession is authenticated: true I'm there...Caused by: java.io.IOException: Cannot negotiate, proposals do not match. - 使用已修补的库运行客户端
java -cp bin/:ganymed-ssh2-build210.jar sub.optimal.SshClientDemo
输出java -cp bin/:ganymed-ssh2-build210-patched.jar sub.optimal.SshClientDemosession is authenticated: true I'm there...
在服务器日志上Caused by: java.io.IOException: Cannot negotiate, proposals do not match.Unable to negotiate key exchange for kex algorithms \ (client: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 \ / server: diffie-hellman-group1-sha1)
这证明了带有补丁库的SshClientDemo不能使用密钥交换算法
diffie-hellman-group1-sha1