How to disable default SSH algorithms in Bitbucket Data Center

Platform notice: Data Center - This article applies to Atlassian products on the Data Center platform.

This knowledge base article was written for the Data Center version of the product. Data Center knowledge base articles for features that are not Data Center-specific may also work on the Server version of the product, but they have not been tested there. Support for Server* products ended on February 15, 2024. If you are using a Server product, review your migration options on the Atlassian Server end-of-support announcement page.

*Except Fisheye and Crucible

Summary

Network administrators may wish to disable certain algorithms (ciphers, MACs, key exchanges, signatures) for their SSH traffic.

During the SSH negotiation phase the client's preference order decides which of the mutually supported algorithms is used, so the only way to guarantee that an algorithm is never selected is to remove it from the list of algorithms the server offers.

Environment

Bitbucket Data Center

Solution

  • Enable debug logging of the available ciphers, key exchanges, and MACs on startup by adding the following to your bitbucket.properties file and restarting Bitbucket Data Center (see More information about debug logging):

    logging.logger.com.atlassian.bitbucket.internal.ssh.server=DEBUG
  • Find the available algorithm names in the atlassian-bitbucket.log file by looking for messages of the form:

    INFO  [spring-startup]  c.a.b.internal.ssh.server.SshServer Starting SSH server on port 7999...
    DEBUG [spring-startup]  c.a.b.i.s.s.DefaultNamedFactoryFilter Available SSH SIGNATURE: [ecdsa-sha2-nistp256-cert-v01@openssh.com, ecdsa-sha2-nistp384-cert-v01@openssh.com, ecdsa-sha2-nistp521-cert-v01@openssh.com, ssh-ed25519-cert-v01@openssh.com, rsa-sha2-512-cert-v01@openssh.com, rsa-sha2-256-cert-v01@openssh.com, ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521, ssh-ed25519, sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com, rsa-sha2-512, rsa-sha2-256, ssh-rsa, ssh-rsa-cert-v01@openssh.com, ssh-dss, ssh-dss-cert-v01@openssh.com]
    DEBUG [spring-startup]  c.a.b.i.s.s.DefaultNamedFactoryFilter Available SSH CIPHER: [chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com]
    DEBUG [spring-startup]  c.a.b.i.s.s.DefaultNamedFactoryFilter Available SSH KEY_EXCHANGE: [curve25519-sha256, curve25519-sha256@libssh.org, curve448-sha512, ecdh-sha2-nistp521, ecdh-sha2-nistp384, ecdh-sha2-nistp256, diffie-hellman-group-exchange-sha256, diffie-hellman-group18-sha512, diffie-hellman-group17-sha512, diffie-hellman-group16-sha512, diffie-hellman-group15-sha512, diffie-hellman-group14-sha256]
    DEBUG [spring-startup]  c.a.b.i.s.s.DefaultNamedFactoryFilter Available SSH MAC: [hmac-sha2-256-etm@openssh.com, hmac-sha2-512-etm@openssh.com, hmac-sha1-etm@openssh.com, hmac-sha2-256, hmac-sha2-512, hmac-sha1]
    INFO  [spring-startup]  c.a.b.internal.ssh.server.SshServer Started SSH server successfully.
  • Add the algorithm names you wish to disable to the corresponding SSH security properties described in Configuration properties, and restart Bitbucket Server.
  • Note that as of Bitbucket Data Center 5.4, some algorithms are already disabled. Because an override replaces the default list, you must explicitly re-list those default-disabled algorithms in your override, or they will be re-enabled. Check SSH Security properties for the default values of these properties.
  • The following ciphers are disabled by default since Bitbucket Data Center 5.4:
    • arcfour128
    • arcfour256
    • aes128-cbc
    • aes192-cbc
    • aes256-cbc
    • 3des-cbc
    • blowfish-cbc
  • You can verify the algorithms in use by executing a remote SSH command and reading the available and negotiated algorithms in the verbose output. However, if you do not see the results you expect, confirm that the cipher is disabled by explicitly setting it in your git config and attempting a git operation, which fails if the server no longer offers that cipher.
    • SSH CIPHER

      # Available algorithms
      ssh -vvv -p <bitbucket ssh port> git@<bitbucket host> whoami 2>&1 | grep "debug2: ciphers"

      # Negotiated result. Look for "cipher:"
      ssh -vvv -p <bitbucket ssh port> git@<bitbucket host> whoami 2>&1 | grep "server->client"
    • SSH KEY_EXCHANGE

      # Available algorithms
      ssh -vvv -p <bitbucket ssh port> git@<bitbucket host> whoami 2>&1 | grep "debug2: KEX algorithms"

      # Negotiated result
      ssh -vvv -p <bitbucket ssh port> git@<bitbucket host> whoami 2>&1 | grep "debug1: kex: algorithm"
    • SSH MAC

      # Available algorithms
      ssh -vvv -p <bitbucket ssh port> git@<bitbucket host> whoami 2>&1 | grep "debug2: MACs"

      # Negotiated result. Look for "MAC:"
      ssh -vvv -p <bitbucket ssh port> git@<bitbucket host> whoami 2>&1 | grep "server->client"
    • SSH SIGNATURE

      # Available algorithms
      ssh -vvv -p <bitbucket ssh port> git@<bitbucket host> whoami 2>&1 | grep "debug2: host key algorithms"

      # Negotiated result
      ssh -vvv -p <bitbucket ssh port> git@<bitbucket host> whoami 2>&1 | grep "kex: host key algorithm"

  • To enable additional, stronger algorithms, see List ciphers used by JVM, which describes how to install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.
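The steps above are a manual loop of reading the server log, deciding which advertised algorithms to disable, writing the property value, and re-checking with `ssh -vvv`. The script below automates that loop as an added example; it is not Atlassian's code and not part of this article. It parses the `Available SSH ...` DEBUG lines that the logger setting above produces, applies a deny-list policy (the `WEAK` patterns are an assumed example baseline, not a Bitbucket default), and prints, per category, the comma-separated value to put into the matching SSH security property from Configuration properties. For ciphers it prepends the seven defaults listed above so the override does not re-enable them. It then parses constructed `ssh -vvv` output of the shape the grep commands above look for and reports any negotiated algorithm that still violates the policy. Both inputs are constructed samples embedded inline; point the functions at your real `atlassian-bitbucket.log` and captured client output instead.

```python
"""Audit the SSH algorithms a Bitbucket Data Center SSH server advertises and
negotiates. Added example, not Atlassian's code. The deny-list policy is an
assumed baseline; the property names that receive the output are whatever the
Configuration properties page lists for SSH security."""
import re

# Constructed sample of the DEBUG lines the logger setting writes to
# atlassian-bitbucket.log (algorithm lists shortened for the example).
SAMPLE_LOG = """\
INFO  [spring-startup]  c.a.b.internal.ssh.server.SshServer Starting SSH server on port 7999...
DEBUG [spring-startup]  c.a.b.i.s.s.DefaultNamedFactoryFilter Available SSH SIGNATURE: [ssh-ed25519, rsa-sha2-512, rsa-sha2-256, ssh-rsa, ssh-dss]
DEBUG [spring-startup]  c.a.b.i.s.s.DefaultNamedFactoryFilter Available SSH CIPHER: [chacha20-poly1305@openssh.com, aes128-ctr, aes256-gcm@openssh.com]
DEBUG [spring-startup]  c.a.b.i.s.s.DefaultNamedFactoryFilter Available SSH KEY_EXCHANGE: [curve25519-sha256, ecdh-sha2-nistp256, diffie-hellman-group14-sha256, diffie-hellman-group14-sha1]
DEBUG [spring-startup]  c.a.b.i.s.s.DefaultNamedFactoryFilter Available SSH MAC: [hmac-sha2-256-etm@openssh.com, hmac-sha2-512, hmac-sha1-etm@openssh.com, hmac-sha1]
INFO  [spring-startup]  c.a.b.internal.ssh.server.SshServer Started SSH server successfully.
"""

# Constructed sample of the client side: the OpenSSH `ssh -vvv ... whoami`
# lines that the grep commands in the article look for.
SAMPLE_SSH_DEBUG = """\
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr
debug2: MACs ctos: hmac-sha2-256-etm@openssh.com,hmac-sha1
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none
"""

# Ciphers the article lists as disabled by default since Bitbucket Data Center
# 5.4. An override of the cipher property must re-list them or they come back.
DEFAULT_DISABLED = {
    "CIPHER": ["arcfour128", "arcfour256", "aes128-cbc", "aes192-cbc",
               "aes256-cbc", "3des-cbc", "blowfish-cbc"],
}

# Assumed deny-list policy: one pattern per log category. Adjust to your baseline.
WEAK = {
    "CIPHER": re.compile(r"-cbc$|^arcfour|^3des-"),
    "MAC": re.compile(r"sha1"),
    "KEY_EXCHANGE": re.compile(r"sha1$"),
    "SIGNATURE": re.compile(r"^ssh-rsa(-cert-v01@openssh\.com)?$|^ssh-dss"),
}

AVAILABLE_RE = re.compile(r"Available SSH (\w+): \[([^\]]*)\]")


def parse_available(log_text):
    """Map each category (CIPHER, MAC, ...) to the names the server advertises."""
    found = {}
    for m in AVAILABLE_RE.finditer(log_text):
        found[m.group(1)] = [n.strip() for n in m.group(2).split(",") if n.strip()]
    return found


def weak_advertised(available, policy=WEAK):
    """Advertised algorithms that the policy says to disable, per category."""
    return {cat: [a for a in names if cat in policy and policy[cat].search(a)]
            for cat, names in available.items()}


def property_values(available, policy=WEAK, defaults=DEFAULT_DISABLED):
    """Comma-separated value per category for the disable property: the
    default-disabled names first (so the override does not re-enable them),
    then every newly flagged algorithm."""
    flagged = weak_advertised(available, policy)
    values = {}
    for cat in sorted(set(flagged) | set(defaults)):
        merged = list(defaults.get(cat, []))
        merged += [a for a in flagged.get(cat, []) if a not in merged]
        values[cat] = ",".join(merged)
    return values


# Negotiated-result lines from `ssh -vvv` (server->client direction).
NEGOTIATED_RE = {
    "KEY_EXCHANGE": re.compile(r"^debug1: kex: algorithm: (\S+)", re.M),
    "SIGNATURE": re.compile(r"^debug1: kex: host key algorithm: (\S+)", re.M),
    "CIPHER": re.compile(r"^debug1: kex: server->client cipher: (\S+) MAC: (\S+)", re.M),
}


def parse_negotiated(ssh_debug):
    """Negotiated algorithm per category; MAC reads '<implicit>' for AEAD ciphers."""
    result = {}
    for cat, rx in NEGOTIATED_RE.items():
        m = rx.search(ssh_debug)
        if m:
            result[cat] = m.group(1)
            if cat == "CIPHER":
                result["MAC"] = m.group(2)
    return result


def negotiated_violations(ssh_debug, policy=WEAK):
    """Negotiated algorithms that violate the policy; empty once the change took effect."""
    return {cat: alg for cat, alg in parse_negotiated(ssh_debug).items()
            if cat in policy and policy[cat].search(alg)}


if __name__ == "__main__":
    for cat, value in property_values(parse_available(SAMPLE_LOG)).items():
        print(f"{cat}: disable = {value}")
    print("negotiated violations:", negotiated_violations(SAMPLE_SSH_DEBUG))
```

Running it against the samples flags `ssh-rsa`/`ssh-dss` signatures, the SHA-1 MACs and the SHA-1 key exchange as still advertised, prints the full default cipher list unchanged (nothing new to add there), and reports `hmac-sha1` as the negotiated MAC, which is exactly the case the article says to double-check by forcing the algorithm in your git config.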

Last updated: October 11, 2024
