Disable default SSH algorithms
Purpose
Administrators may want to stop the Stash SSH server from accepting particular algorithms (ciphers, MACs, key exchanges), for example legacy ones such as arcfour128, 3des-cbc or diffie-hellman-group1-sha1 that appear in the default lists below.
During the SSH key exchange each side advertises the full list of algorithms it supports, and the first entry in the client's list that the server also supports wins. The server therefore cannot merely de-prioritise an algorithm; the only way to prevent its use is to remove it entirely from the list the server advertises.
Solution
- Find the available algorithm names by starting Stash with debug logging enabled and looking in the atlassian-stash.log file for messages of the form:

Available SSH KEY_EXCHANGE: [diffie-hellman-group-exchange-sha256, diffie-hellman-group-exchange-sha1, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group14-sha1, diffie-hellman-group1-sha1]
Available SSH CIPHER: [aes128-ctr, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc]
Available SSH MAC: [hmac-sha2-256, hmac-sha2-512, hmac-sha1, hmac-sha1-96, hmac-md5-96]
- Add the algorithm names you wish to disable to the plugin.ssh.disabled.ciphers, plugin.ssh.disabled.key.exchanges and plugin.ssh.disabled.macs properties (available in Stash 3.9+) as specified in Stash config properties, and restart Stash.
- Verify the result by executing a remote SSH command and reading the available and negotiated algorithms in the client's verbose output:
ssh -vvv -p <stash ssh port> git@<stash host> whoami 2>&1

Look for the debug2: kex_parse_kexinit: lines for the advertised algorithms and the debug1: kex: server->client line for the negotiated result, or filter directly:

ssh -vvv -p <stash ssh port> git@<stash host> whoami 2>&1 | grep kex_parse_kexinit
ssh -vvv -p <stash ssh port> git@<stash host> whoami 2>&1 | grep 'server->client'

Two things to keep in mind when reading this output. The kex_parse_kexinit lines are printed twice: the first block is the client's own proposal and the second block (after the first first_kex_follows/reserved pair) is what the Stash server advertised, and it is the second block that must no longer contain the disabled names. The negotiated server->client line only shows what this particular client chose, so a disabled algorithm being absent there proves nothing on its own; check the server's proposal. Newer OpenSSH clients label these lines differently (for example "peer server KEXINIT proposal" followed by "KEX algorithms:", "ciphers ctos:" and "MACs ctos:"), so adjust the grep pattern to your client version.
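The following script is an added example for this article, not Atlassian's or OpenSSH's code. It turns a list of algorithms to disable (names taken from the "Available SSH ..." lists above) into the three Stash properties, then audits a captured ssh -vvv transcript to confirm the server no longer advertises any of them, rather than trusting the negotiated line. The transcript is constructed for the example and uses the older OpenSSH kex_parse_kexinit layout; the comma-separated property syntax is an assumption.

```shell
#!/bin/sh
# Added example (not Atlassian's code): build the Stash disable-lists and audit an
# `ssh -vvv` transcript to confirm the server no longer *offers* the disabled names.
# Assumptions: the properties take comma-separated values, and the transcript uses the
# older OpenSSH "debug2: kex_parse_kexinit:" layout, where the client's own proposal
# is printed first and the server's proposal follows it.

# Names taken from the "Available SSH ..." lists in the article
DISABLED_KEX="diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1"
DISABLED_CIPHERS="arcfour128 3des-cbc blowfish-cbc"
DISABLED_MACS="hmac-md5-96 hmac-sha1-96"

# Print the stash-config.properties lines for the lists above
print_properties() {
    printf 'plugin.ssh.disabled.key.exchanges=%s\n' "$(printf '%s' "$DISABLED_KEX" | tr ' ' ',')"
    printf 'plugin.ssh.disabled.ciphers=%s\n' "$(printf '%s' "$DISABLED_CIPHERS" | tr ' ' ',')"
    printf 'plugin.ssh.disabled.macs=%s\n' "$(printf '%s' "$DISABLED_MACS" | tr ' ' ',')"
}

# Every algorithm name the *server* advertised, one per line, sorted and de-duplicated.
# The client's proposal ends with its first_kex_follows/reserved pair, so every
# kex_parse_kexinit line after that pair belongs to the server.
server_offered() {
    if ! grep -q 'debug2: kex_parse_kexinit:' "$1"; then
        echo "no kex_parse_kexinit lines in $1 (newer OpenSSH prints 'peer server KEXINIT proposal')" >&2
        return 1
    fi
    grep 'debug2: kex_parse_kexinit:' "$1" \
        | sed -n '/first_kex_follows/,$p' \
        | grep -v -e first_kex_follows -e reserved \
        | sed 's/^debug2: kex_parse_kexinit: *//' \
        | tr ',' '\n' | grep -v '^ *$' | sort -u
}

# Disabled algorithms the server still offers; empty output means the change took
offered_disabled() {
    offered=$(server_offered "$1") || return 1
    for alg in $DISABLED_KEX $DISABLED_CIPHERS $DISABLED_MACS; do
        printf '%s\n' "$offered" | grep -qxF "$alg" && echo "$alg"
    done
    return 0
}

# What this client actually negotiated for the server->client direction
negotiated() {
    grep 'debug1: kex: server->client' "$1" | sed 's/.*server->client //'
}

# Constructed transcript (not real output): the lists above were applied, but the
# admin missed 3des-cbc, so the server still advertises it.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes256-ctr,arcfour128,3des-cbc
debug2: kex_parse_kexinit: aes128-ctr,aes256-ctr,arcfour128,3des-cbc
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha1,hmac-md5-96
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha1,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
debug2: kex_parse_kexinit: ssh-rsa
debug2: kex_parse_kexinit: aes128-ctr,aes128-cbc,3des-cbc
debug2: kex_parse_kexinit: aes128-ctr,aes128-cbc,3des-cbc
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: setup hmac-sha2-256
debug1: kex: server->client aes128-ctr hmac-sha2-256 none
debug2: mac_setup: setup hmac-sha2-256
debug1: kex: client->server aes128-ctr hmac-sha2-256 none
EOF

print_properties
echo "Disabled algorithms the server still offers:"
offered_disabled "$SAMPLE"
echo "Negotiated server->client: $(negotiated "$SAMPLE")"
```

In the constructed transcript the negotiated line looks healthy (aes128-ctr with hmac-sha2-256), yet the audit still reports 3des-cbc because the server is advertising it; a client configured to prefer 3des-cbc would get it. To use this against a real server, capture `ssh -vvv -p <stash ssh port> git@<stash host> whoami 2>&1 > transcript.log` and pass transcript.log to offered_disabled.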
To make additional, stronger algorithms available (for example AES-256 ciphers, which the JVM's default cryptographic policy does not permit), see List ciphers used by JVM for how to install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.