feat!: harden SSH server handler security
- Restrict auth methods to PUBLICKEY only (no none, password, hostbased, or keyboard-interactive advertised during negotiation) - Log all denied channel types (session, x11, forwarded-tcpip) and dangerous request types (exec, shell, subsystem, pty, env, x11, agent) - Explicitly reject all dangerous channel request handlers (exec, shell, subsystem, pty, env, x11, agent forwarding) with channel_failure responses instead of russh's default silent Ok(()) which leaves clients hanging and is a footgun if session channels are ever allowed - Explicitly reject tcpip_forward, streamlocal_forward with logged warnings - Log signal requests at debug level (harmless, no response needed) - Override handlers in both core ServerHandler and NapiServerHandler - Add tracing dependency to wraith-napi for security event logging - Set preferred algorithms explicitly (russh::Preferred::DEFAULT which uses only modern KEX/cipher/MAC algorithms)
This commit is contained in:
@@ -19,4 +19,5 @@ async-trait = "0.1"
|
||||
rustls-pemfile = "2"
|
||||
rustls-pki-types = "1"
|
||||
iroh = "0.34"
|
||||
url = "2"
|
||||
url = "2"
|
||||
tracing = "0.1"
|
||||
Reference in New Issue
Block a user