ACIL FM
Dark
Refresh
Current DIR:
/usr/share/crypto-policies/python/policygenerators
/
usr
share
crypto-policies
python
policygenerators
Upload
Zip Selected
Delete Selected
Pilih semua
Nama
Ukuran
Permission
Aksi
__pycache__
-
chmod
Open
Rename
Delete
bind.py
2.68 MB
chmod
View
DL
Edit
Rename
Delete
configgenerator.py
464 B
chmod
View
DL
Edit
Rename
Delete
gnutls.py
9.88 MB
chmod
View
DL
Edit
Rename
Delete
java.py
8.57 MB
chmod
View
DL
Edit
Rename
Delete
krb5.py
1.91 MB
chmod
View
DL
Edit
Rename
Delete
libreswan.py
7.4 MB
chmod
View
DL
Edit
Rename
Delete
libssh.py
5.19 MB
chmod
View
DL
Edit
Rename
Delete
nss.py
6.65 MB
chmod
View
DL
Edit
Rename
Delete
openssh.py
11.62 MB
chmod
View
DL
Edit
Rename
Delete
openssl.py
11.57 MB
chmod
View
DL
Edit
Rename
Delete
sequoia.py
7.13 MB
chmod
View
DL
Edit
Rename
Delete
__init__.py
980 B
chmod
View
DL
Edit
Rename
Delete
Edit file: /usr/share/crypto-policies/python/policygenerators/openssh.py
# SPDX-License-Identifier: LGPL-2.1-or-later # Copyright (c) 2019 Red Hat, Inc. # Copyright (c) 2019 Tomáš Mráz <tmraz@fedoraproject.org> import os import re import subprocess from tempfile import mkstemp from .configgenerator import ConfigGenerator class OpenSSHGenerator(ConfigGenerator): cipher_map = { 'AES-256-GCM': 'aes256-gcm@openssh.com', 'AES-256-CTR': 'aes256-ctr', 'AES-192-GCM': '', # not supported 'AES-192-CTR': 'aes192-ctr', 'AES-128-GCM': 'aes128-gcm@openssh.com', 'AES-128-CTR': 'aes128-ctr', 'CHACHA20-POLY1305': 'chacha20-poly1305@openssh.com', 'CAMELLIA-256-GCM': '', 'AES-256-CCM': '', 'AES-192-CCM': '', 'AES-128-CCM': '', 'CAMELLIA-128-GCM': '', 'AES-256-CBC': 'aes256-cbc', 'AES-192-CBC': 'aes192-cbc', 'AES-128-CBC': 'aes128-cbc', 'CAMELLIA-256-CBC': '', 'CAMELLIA-128-CBC': '', 'RC4-128': '', 'DES-CBC': '', 'CAMELLIA-128-CTS': '', '3DES-CBC': '3des-cbc' } mac_map_etm = { 'HMAC-MD5': 'hmac-md5-etm@openssh.com', 'UMAC-64': 'umac-64-etm@openssh.com', 'UMAC-128': 'umac-128-etm@openssh.com', 'HMAC-SHA1': 'hmac-sha1-etm@openssh.com', 'HMAC-SHA2-256': 'hmac-sha2-256-etm@openssh.com', 'HMAC-SHA2-512': 'hmac-sha2-512-etm@openssh.com' } mac_map = { 'HMAC-MD5': 'hmac-md5', 'UMAC-64': 'umac-64@openssh.com', 'UMAC-128': 'umac-128@openssh.com', 'HMAC-SHA1': 'hmac-sha1', 'HMAC-SHA2-256': 'hmac-sha2-256', 'HMAC-SHA2-512': 'hmac-sha2-512' } kx_map = { 'ECDHE-SECP521R1-SHA2-512': 'ecdh-sha2-nistp521', 'ECDHE-SECP384R1-SHA2-384': 'ecdh-sha2-nistp384', 'ECDHE-SECP256R1-SHA2-256': 'ecdh-sha2-nistp256', 'ECDHE-X25519-SHA2-256': ( 'curve25519-sha256' ',' 'curve25519-sha256@libssh.org' ), 'DHE-FFDHE-1024-SHA1': 'diffie-hellman-group1-sha1', 'DHE-FFDHE-2048-SHA1': 'diffie-hellman-group14-sha1', 'DHE-FFDHE-2048-SHA2-256': 'diffie-hellman-group14-sha256', 'DHE-FFDHE-4096-SHA2-512': 'diffie-hellman-group16-sha512', 'DHE-FFDHE-8192-SHA2-512': 'diffie-hellman-group18-sha512', 'SNTRUP-X25519-SHA2-512': 'sntrup761x25519-sha512@openssh.com', } gx_map = { 'DHE-SHA1': 'diffie-hellman-group-exchange-sha1', 'DHE-SHA2-256': 'diffie-hellman-group-exchange-sha256', } gss_kx_map = { 'DHE-GSS-SHA1': 'gss-gex-sha1-', 'DHE-GSS-FFDHE-1024-SHA1': 'gss-group1-sha1-', 'DHE-GSS-FFDHE-2048-SHA1': 'gss-group14-sha1-', 'DHE-GSS-FFDHE-2048-SHA2-256': 'gss-group14-sha256-', 'ECDHE-GSS-SECP256R1-SHA2-256': 'gss-nistp256-sha256-', 'ECDHE-GSS-X25519-SHA2-256': 'gss-curve25519-sha256-', 'DHE-GSS-FFDHE-4096-SHA2-512': 'gss-group16-sha512-', } sign_map = { 'RSA-SHA1': 'ssh-rsa', 'DSA-SHA1': 'ssh-dss', 'RSA-SHA2-256': 'rsa-sha2-256', 'RSA-SHA2-512': 'rsa-sha2-512', 'ECDSA-SHA2-256': 'ecdsa-sha2-nistp256', 'ECDSA-SHA2-256-FIDO': 'sk-ecdsa-sha2-nistp256@openssh.com', 'ECDSA-SHA2-384': 'ecdsa-sha2-nistp384', 'ECDSA-SHA2-512': 'ecdsa-sha2-nistp521', 'EDDSA-ED25519': 'ssh-ed25519', 'EDDSA-ED25519-FIDO': 'sk-ssh-ed25519@openssh.com', } sign_map_certs = { 'RSA-SHA1': 'ssh-rsa-cert-v01@openssh.com', 'DSA-SHA1': 'ssh-dss-cert-v01@openssh.com', 'RSA-SHA2-256': 'rsa-sha2-256-cert-v01@openssh.com', 'RSA-SHA2-512': 'rsa-sha2-512-cert-v01@openssh.com', 'ECDSA-SHA2-256': 'ecdsa-sha2-nistp256-cert-v01@openssh.com', 'ECDSA-SHA2-256-FIDO': 'sk-ecdsa-sha2-nistp256-cert-v01@openssh.com', 'ECDSA-SHA2-384': 'ecdsa-sha2-nistp384-cert-v01@openssh.com', 'ECDSA-SHA2-512': 'ecdsa-sha2-nistp521-cert-v01@openssh.com', 'EDDSA-ED25519': 'ssh-ed25519-cert-v01@openssh.com', 'EDDSA-ED25519-FIDO': 'sk-ssh-ed25519-cert-v01@openssh.com', } @classmethod def generate_options(cls, policy, local_kx_map, local_gss_kx_map, do_host_key): p = policy.enabled cfg = '' sep = ',' s = '' for i in p['cipher']: try: s = cls.append(s, cls.cipher_map[i], sep) except KeyError: pass if s: cfg += f'Ciphers {s}\n' s = '' if policy.enums['etm'] != 'DISABLE_ETM': for i in p['mac']: try: s = cls.append(s, cls.mac_map_etm[i], sep) except KeyError: pass if policy.enums['etm'] != 'DISABLE_NON_ETM': for i in p['mac']: try: s = cls.append(s, cls.mac_map[i], sep) except KeyError: pass if s: cfg += f'MACs {s}\n' s = '' gss = '' for kx in p['key_exchange']: for h in p['hash']: if policy.integers['arbitrary_dh_groups']: try: val = cls.gx_map[kx + '-' + h] s = cls.append(s, val, sep) except KeyError: pass try: val = local_gss_kx_map[kx + '-' + h] gss = cls.append(gss, val, sep) except KeyError: pass for g in p['group']: try: val = local_kx_map[kx + '-' + g + '-' + h] s = cls.append(s, val, sep) except KeyError: pass try: val = local_gss_kx_map[kx + '-' + g + '-' + h] gss = cls.append(gss, val, sep) except KeyError: pass if gss: cfg += f'GSSAPIKexAlgorithms {gss}\n' else: cfg += 'GSSAPIKeyExchange no\n' if s: cfg += f'KexAlgorithms {s}\n' s = '' for i in p['sign']: try: s = cls.append(s, cls.sign_map[i], sep) except KeyError: pass if policy.integers['ssh_certs']: try: s = cls.append(s, cls.sign_map_certs[i], sep) except KeyError: pass if s: # As OpenSSH currently ignores existing known host # entries with this setting we cannot use it on client. # Otherwise we could break existing users. if do_host_key: cfg += f'HostKeyAlgorithms {s}\n' cfg += f'PubkeyAcceptedAlgorithms {s}\n' s = '' for i in p['sign']: try: s = cls.append(s, cls.sign_map[i], sep) except KeyError: pass if s: cfg += f'CASignatureAlgorithms {s}\n' if policy.integers['min_rsa_size'] > 0: min_rsa_optname = _min_rsa_size_option() if min_rsa_optname is not None: cfg += f"{min_rsa_optname} {policy.integers['min_rsa_size']}\n" return cfg class OpenSSHClientGenerator(OpenSSHGenerator): CONFIG_NAME = 'openssh' SCOPES = {'ssh', 'openssh', 'openssh-client'} @classmethod def generate_config(cls, policy): local_kx_map = dict(cls.kx_map) local_gss_kx_map = dict(cls.gss_kx_map) return cls.generate_options(policy, local_kx_map, local_gss_kx_map, do_host_key=False) @classmethod def test_config(cls, config): if os.getenv('OLD_OPENSSH') == '1': return True if not os.access('/usr/bin/ssh', os.X_OK): return True if os.getenv('OPENSSH_MIN_RSA_SIZE_FORCE') == '1': config = re.sub(f'{_min_rsa_size_option()}.*', '', config) fd, path = mkstemp() ret = 255 try: with os.fdopen(fd, 'w') as f: f.write(config) try: ret = subprocess.call(f'/usr/bin/ssh -G -F {path} ' 'bogus654_server >/dev/null', shell=True) except subprocess.CalledProcessError: cls.eprint("/usr/bin/ssh: Execution failed") finally: os.unlink(path) if ret: cls.eprint('There is an error in OpenSSH server generated policy') cls.eprint(f'Policy:\n{config}') return False return True class OpenSSHServerGenerator(OpenSSHGenerator): CONFIG_NAME = 'opensshserver' SCOPES = {'ssh', 'openssh', 'openssh-server'} # We need to restart here, # since systemd needs to pick up new command line options RELOAD_CMD = 'systemctl try-restart sshd.service 2>/dev/null || :\n' @classmethod def generate_config(cls, policy): return cls.generate_options(policy, cls.kx_map, cls.gss_kx_map, do_host_key=True) @classmethod def _test_setup(cls): _fd, path = mkstemp() os.unlink(path) ret = 255 try: ret = subprocess.call('/usr/bin/ssh-keygen -t rsa -b 3072 ' f'-f {path} -N "" >/dev/null', shell=True) except subprocess.CalledProcessError: cls.eprint("/usr/bin/ssh-keygen: Execution failed") if ret: cls.eprint("SSH Keygen failed when testing OpenSSH server policy") return '' return path @classmethod def _test_cleanup(cls, path): if path: os.unlink(path) @classmethod def test_config(cls, config): if os.getenv('OLD_OPENSSH') == '1': return True if not os.access('/usr/sbin/sshd', os.X_OK): return True if os.getenv('OPENSSH_MIN_RSA_SIZE_FORCE') == '1': config = re.sub(f'{_min_rsa_size_option()}.*', '', config) host_key_filename = cls._test_setup() if not host_key_filename: return False fd, path = mkstemp() ret = 255 try: with os.fdopen(fd, 'w') as f: f.write(config) try: ret = subprocess.call('/usr/sbin/sshd -T ' f'-h {host_key_filename} -f {path} ' '>/dev/null', shell=True) except subprocess.CalledProcessError: cls.eprint("/usr/sbin/sshd: Execution failed") finally: os.unlink(path) cls._test_cleanup(host_key_filename) if ret: cls.eprint('There is an error in OpenSSH server generated policy') cls.eprint(f'Policy:\n{config}') return False return True def _openssh_version(): try: ssh_version = subprocess.run(['/usr/bin/ssh', '-V'], check=False, stderr=subprocess.PIPE).stderr.decode() ver = re.match(r'OpenSSH_(\d+).(\d+)p.*', ssh_version) if ver: return tuple(int(n) for n in ver.groups()) except (FileNotFoundError, PermissionError): return None return None def _min_rsa_size_option(): MIN_RSA_DEFAULT = 'RequiredRSASize' min_rsa_size_force = os.getenv('OPENSSH_MIN_RSA_SIZE', MIN_RSA_DEFAULT) if min_rsa_size_force == 'none': return None if min_rsa_size_force == 'auto': openssh_version = _openssh_version() if openssh_version and openssh_version > (9, 0): return 'RequiredRSASize' return None return min_rsa_size_force
Simpan
Batal
Isi Zip:
Unzip
Create
Buat Folder
Buat File
Terminal / Execute
Run
Chmod Bulk
All File
All Folder
All File dan Folder
Apply