Add/Provide a feature flag to exclude Host-Key Algorithms for the SSHD Plugin

[hpriya19]

What feature do you want to see added?

The SSHD Server Plugin currently supports EXCLUDED_MACS, EXCLUDED_KEY_EXCHANGES, and ENABLED_CIPHERS (which already omits all cbc* ciphers). However, it does not provide a way to exclude specific host-key algorithms or to explicitly enable modern host-key types.

We need the ability to disable ssh-rsa (flagged as weak by our security team) and to enable ECDSA/ED25519 host-key algorithms. Requesting support for configuration options that allow selecting or excluding host-key algorithms accordingly.

We are using SSHD Server version: 3.237.v883d165a_c1d3
Jenkins Core version: 2.492.3

Upstream changes

Flag introduced in https://github.com/jenkinsci/sshd-plugin/blob/3.237.v883d165a_c1d3/src/main/java/org/jenkinsci/main/modules/sshd/SSHD.java

Are you interested in contributing this feature?

[hpriya19]

A workaround I used to update host-key algorithm to

import org.jenkinsci.main.modules.sshd.SSHD
import org.apache.sshd.server.SshServer
import org.apache.sshd.common.keyprovider.AbstractKeyPairProvider
import org.apache.sshd.common.session.SessionContext
import java.security.KeyPair
import java.security.KeyPairGenerator

def sshdInstance = SSHD.get()

def serverField = sshdInstance.getClass().getDeclaredField("sshd")
serverField.setAccessible(true)
SshServer server = serverField.get(sshdInstance)

if (server == null) {
    println "SSHD server is not initialized or disabled."
    return
}

server.setKeyPairProvider(new AbstractKeyPairProvider() {
    @Override
    Iterable<KeyPair> loadKeys(SessionContext session) {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("Ed25519")
            KeyPair kp = kpg.generateKeyPair()
            return [kp]
        } catch (Exception e) {
            println "Error generating ED25519 key: ${e}"
            return []
        }
    }

    Iterable<String> getKeyTypes() {
        return ["ssh-ed25519"]
    }
})

server.getKeyPairProvider().getKeyTypes().each { 
    println "Host Key Algorithm: ${it}" 
}

This replaces ssh-rsa to ssh-ed25519

I am not sure if this would have an impact to the functionality of the Plugin or if this is supported way to update the HostKey Algorithm.

[hpriya19]

@timja Can you please help me with this? Is the workaround script shared above a safe option - wondering if that'll break other dependent Plugin functionality 🤔
Is there any release version we can expect with a new feature-flag enabled for the SSHD Plugin to exclude Host-key algorithms or enable stronger algorithms other than ssh-rsa?

[timja]

Should be safe as this is just for the CLI.

Do you use the SSH based CLI? If not there’s instructions in the README for how to disable it