authorPaul Buetow <pbuetow@mimecast.com>2023-06-21 10:56:41 +0000
committerPaul Buetow <pbuetow@mimecast.com>2023-06-21 10:56:41 +0000
commit51747cc62ae47af7d369e3e43d41f156835e9dfa (patch)
tree691e46f0930804e6a8ad0a234f293db917859f5a
parentdaaca90c2c1c9debc339ff28c3f0b928b5041d3e (diff)
parentc5fd63e099cec30154e2a9c0b5ee7715491263bf (diff)
Merge branch 'develop' into 'master'v4.2.0
DTail: Restrict SSH MAC algorithms allowed - Update of a few dependencies See merge request Storage/dtail!7
-rw-r--r--Makefile2
-rw-r--r--doc/installation.md18
-rwxr-xr-xexamples/check_dserver.sh.example (renamed from samples/check_dserver.sh.sample)0
-rw-r--r--examples/dserver-update-keycache.service.example (renamed from samples/dserver-update-keycache.service.sample)0
-rw-r--r--examples/dserver-update-keycache.timer.example (renamed from samples/dserver-update-keycache.timer.sample)0
-rw-r--r--examples/dserver.service.example (renamed from samples/dserver.service.sample)0
-rw-r--r--examples/dtail.json.example (renamed from samples/dtail.json.sample)0
-rwxr-xr-xexamples/dtail.schema.json (renamed from samples/dtail.schema.json)18
-rw-r--r--examples/update_key_cache.sh.example (renamed from samples/update_key_cache.sh.sample)0
-rw-r--r--go.mod6
-rw-r--r--go.sum12
-rw-r--r--internal/clients/stats.go2
-rw-r--r--internal/config/server.go6
-rw-r--r--internal/server/server.go16
-rw-r--r--internal/version/version.go2
15 files changed, 56 insertions, 26 deletions
diff --git a/Makefile b/Makefile
index 680cef6..d764051 100644
--- a/Makefile
+++ b/Makefile
@@ -33,7 +33,7 @@ clean:
test -f $$cmd && rm $$cmd; \
done
vet:
- find . -type d | egrep -v '(./samples|./log|./doc)' | while read dir; do \
+ find . -type d | egrep -v '(./examples|./log|./doc)' | while read dir; do \
echo ${GO} vet $$dir; \
${GO} vet $$dir; \
done
diff --git a/doc/installation.md b/doc/installation.md
index 0f6143b..a2c271a 100644
--- a/doc/installation.md
+++ b/doc/installation.md
@@ -53,18 +53,18 @@ uid=1001(dserver) 1001=670(dserver) groups=1001(dserver)
% sudo chown -R dserver:dserver /var/run/dserver
```
-4. Install the ``dtail.json`` config to ``/etc/dserver/dtail.json``. An example can be found [here](../samples/dtail.json.sample).
+4. Install the ``dtail.json`` config to ``/etc/dserver/dtail.json``. An example can be found [here](../examples/dtail.json.example).
```console
% sudo mkdir /etc/dserver
-% curl https://raw.githubusercontent.com/mimecast/dtail/master/samples/dtail.json.sample |
+% curl https://raw.githubusercontent.com/mimecast/dtail/master/examples/dtail.json.example |
sudo tee /etc/dserver/dtail.json
```
-5. It is recommended to configure DTail server as a service to ``systemd``. An example unit file for ``systemd`` can be found [here](../samples/dserver.service.sample).
+5. It is recommended to configure DTail server as a service to ``systemd``. An example unit file for ``systemd`` can be found [here](../examples/dserver.service.example).
```console
-% curl https://raw.githubusercontent.com/mimecast/dtail/master/samples/dserver.service.sample |
+% curl https://raw.githubusercontent.com/mimecast/dtail/master/examples/dserver.service.example |
sudo tee /etc/systemd/system/dserver.service
% sudo systemctl daemon-reload
% sudo systemctl enable dserver
@@ -97,15 +97,15 @@ To start the DTail server via ``systemd`` run:
The DTail server now runs as a ``systemd`` service under system user ``dserver``. However, the system user ``dserver`` has no permissions to read the SSH public keys from ``/home/USER/.ssh/authorized_keys``. Therefore, no user would be able to establish an SSH session to DTail server. As an alternative path DTail server also checks for public SSH key files in ``/var/run/dserver/cache/USER.authorized_keys``.
-It is recommended to execute [update_key_cache.sh](../samples/update_key_cache.sh.sample) periodically to update the key cache. In case you manage your public SSH keys via Puppet you could subscribe the script to corresponding module. Or alternatively just configure a cron job or a systemd timer to run every once in a while, e.g. every 30 minutes:
+It is recommended to execute [update_key_cache.sh](../examples/update_key_cache.sh.example) periodically to update the key cache. In case you manage your public SSH keys via Puppet you could subscribe the script to corresponding module. Or alternatively just configure a cron job or a systemd timer to run every once in a while, e.g. every 30 minutes:
```console
-% curl https://raw.githubusercontent.com/mimecast/dtail/master/samples/update_key_cache.sh.sample |
+% curl https://raw.githubusercontent.com/mimecast/dtail/master/examples/update_key_cache.sh.example |
sudo tee /var/run/dserver/update_key_cache.sh
% sudo chmod 755 /var/run/dserver/update_key_cache.sh
-% curl https://raw.githubusercontent.com/mimecast/dtail/master/samples/dserver-update-keycache.service.sample |
+% curl https://raw.githubusercontent.com/mimecast/dtail/master/examples/dserver-update-keycache.service.example |
sudo tee /etc/systemd/system/dserver-update-keycache.service
-% curl https://raw.githubusercontent.com/mimecast/dtail/master/samples/dserver-update-keycache.timer.sample |
+% curl https://raw.githubusercontent.com/mimecast/dtail/master/examples/dserver-update-keycache.timer.example |
sudo tee /etc/systemd/system/dserver-update-keycache.timer
% sudo systemctl daemon-reload
% sudo systemctl start dserver-update-keycache.service
@@ -119,7 +119,7 @@ Now you should be able to use DTail client like outlined in the [Quick Starting
# Monitor it
-To verify that DTail server is up and running and functioning as expected, you should configure the Nagios check [check_dserver.sh](../samples/check_dserver.sh.sample) in your monitoring system. The check has to be executed locally on the server (e.g. via NRPE). How to configure the monitoring system in detail is out of scope of this guide.
+To verify that DTail server is up and running and functioning as expected, you should configure the Nagios check [check_dserver.sh](../examples/check_dserver.sh.example) in your monitoring system. The check has to be executed locally on the server (e.g. via NRPE). How to configure the monitoring system in detail is out of scope of this guide.
```console
% ./check_dserver.sh
diff --git a/samples/check_dserver.sh.sample b/examples/check_dserver.sh.example
index 77f01f0..77f01f0 100755
--- a/samples/check_dserver.sh.sample
+++ b/examples/check_dserver.sh.example
diff --git a/samples/dserver-update-keycache.service.sample b/examples/dserver-update-keycache.service.example
index 7e6144c..7e6144c 100644
--- a/samples/dserver-update-keycache.service.sample
+++ b/examples/dserver-update-keycache.service.example
diff --git a/samples/dserver-update-keycache.timer.sample b/examples/dserver-update-keycache.timer.example
index e7158ca..e7158ca 100644
--- a/samples/dserver-update-keycache.timer.sample
+++ b/examples/dserver-update-keycache.timer.example
diff --git a/samples/dserver.service.sample b/examples/dserver.service.example
index c5e5e59..c5e5e59 100644
--- a/samples/dserver.service.sample
+++ b/examples/dserver.service.example
diff --git a/samples/dtail.json.sample b/examples/dtail.json.example
index 26eb8a1..26eb8a1 100644
--- a/samples/dtail.json.sample
+++ b/examples/dtail.json.example
diff --git a/samples/dtail.schema.json b/examples/dtail.schema.json
index 1ee9980..d13b133 100755
--- a/samples/dtail.schema.json
+++ b/examples/dtail.schema.json
@@ -347,6 +347,24 @@
"SSHBindAddress": {
"type": "string"
},
+ "KeyExchanges": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "Ciphers": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "MACs": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
"HostKeyFile": {
"type": "string"
},
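Review bot: The three new array properties accept an empty list, which is not the same as omitting the key: once decoded into the `omitempty` fields in internal/config/server.go, a `[]` becomes an empty non-nil slice, and as far as I recall x/crypto/ssh only substitutes its default algorithm lists when the slice is nil, so an empty list would leave the server with no negotiable algorithm. Adding `"minItems": 1` to each of `KeyExchanges`, `Ciphers` and `MACs` would reject that at validation time instead of at the first handshake. A `"description"` on each property stating that leaving the key out keeps the library defaults would also help operators, since the renamed dtail.json.example does not show these keys.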
diff --git a/samples/update_key_cache.sh.sample b/examples/update_key_cache.sh.example
index 9817f04..9817f04 100644
--- a/samples/update_key_cache.sh.sample
+++ b/examples/update_key_cache.sh.example
diff --git a/go.mod b/go.mod
index c61f05b..5c9cf64 100644
--- a/go.mod
+++ b/go.mod
@@ -4,10 +4,10 @@ go 1.20
require (
github.com/DataDog/zstd v1.5.5
- golang.org/x/crypto v0.8.0
+ golang.org/x/crypto v0.9.0
)
require (
- golang.org/x/sys v0.7.0 // indirect
- golang.org/x/term v0.7.0 // indirect
+ golang.org/x/sys v0.8.0 // indirect
+ golang.org/x/term v0.8.0 // indirect
)
diff --git a/go.sum b/go.sum
index 584b186..5e3fe8c 100644
--- a/go.sum
+++ b/go.sum
@@ -1,8 +1,8 @@
github.com/DataDog/zstd v1.5.5 h1:oWf5W7GtOLgp6bciQYDmhHHjdhYkALu6S/5Ni9ZgSvQ=
github.com/DataDog/zstd v1.5.5/go.mod h1:g4AWEaM3yOg3HYfnJ3YIawPnVdXJh9QME85blwSAmyw=
-golang.org/x/crypto v0.8.0 h1:pd9TJtTueMTVQXzk8E2XESSMQDj/U7OUu0PqJqPXQjQ=
-golang.org/x/crypto v0.8.0/go.mod h1:mRqEX+O9/h5TFCrQhkgjo2yKi0yYA+9ecGkdQoHrywE=
-golang.org/x/sys v0.7.0 h1:3jlCCIQZPdOYu1h8BkNvLz8Kgwtae2cagcG/VamtZRU=
-golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/term v0.7.0 h1:BEvjmm5fURWqcfbSKTdpkDXYBrUS1c0m8agp14W48vQ=
-golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
+golang.org/x/crypto v0.9.0 h1:LF6fAI+IutBocDJ2OT0Q1g8plpYljMZ4+lty+dsqw3g=
+golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0=
+golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.8.0 h1:n5xxQn2i3PC0yLAbjTpNT85q/Kgzcr2gIoX9OrJUols=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
diff --git a/internal/clients/stats.go b/internal/clients/stats.go
index 1315aea..2da3cf7 100644
--- a/internal/clients/stats.go
+++ b/internal/clients/stats.go
@@ -34,7 +34,7 @@ func newTailStats(servers int) *stats {
}
}
-// Start starts printing client connection stats every time a signal is recieved or
+// Start starts printing client connection stats every time a signal is received or
// connection count has changed.
func (s *stats) Start(ctx context.Context, throttleCh <-chan struct{},
statsCh <-chan string, quiet bool) {
diff --git a/internal/config/server.go b/internal/config/server.go
index 4c96567..cb9ca2b 100644
--- a/internal/config/server.go
+++ b/internal/config/server.go
@@ -61,6 +61,12 @@ type ServerConfig struct {
Schedule []Scheduled `json:",omitempty"`
// Continuous mapreduce jobs
Continuous []Continuous `json:",omitempty"`
+ // The allowed key exchanges algorithms.
+ KeyExchanges []string `json:",omitempty"`
+ // The allowed cipher algorithms.
+ Ciphers []string `json:",omitempty"`
+ // The allowed MAC algorithms.
+ MACs []string `json:",omitempty"`
}
// Create a new default server configuration.
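Review bot: The doc comments on the three new fields should say what an omitted value means, because a missing key and an explicit empty list decode differently through `omitempty` (nil versus an empty slice) and, as far as I recall, x/crypto/ssh only falls back to its built-in lists for nil. I would write `// KeyExchanges lists the allowed key exchange algorithms; nil (key omitted) keeps the x/crypto/ssh defaults.` and the same form for Ciphers and MACs. "key exchanges algorithms" also reads better as "key exchange algorithms". The ServerConfig struct starts before the hunk.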
diff --git a/internal/server/server.go b/internal/server/server.go
index 30602ff..761880d 100644
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -39,11 +39,17 @@ func New() *Server {
dlog.Server.Info("Starting server", version.String())
s := Server{
- sshServerConfig: &gossh.ServerConfig{},
- catLimiter: make(chan struct{}, config.Server.MaxConcurrentCats),
- tailLimiter: make(chan struct{}, config.Server.MaxConcurrentTails),
- sched: newScheduler(),
- cont: newContinuous(),
+ sshServerConfig: &gossh.ServerConfig{
+ Config: gossh.Config{
+ KeyExchanges: config.Server.KeyExchanges,
+ Ciphers: config.Server.Ciphers,
+ MACs: config.Server.MACs,
+ },
+ },
+ catLimiter: make(chan struct{}, config.Server.MaxConcurrentCats),
+ tailLimiter: make(chan struct{}, config.Server.MaxConcurrentTails),
+ sched: newScheduler(),
+ cont: newContinuous(),
}
s.sshServerConfig.PasswordCallback = s.Callback
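Review bot: The three algorithm lists are copied from config into gossh.Config without any validation or startup logging, so a misspelled or unsupported name in dtail.json is only discovered when a client's handshake fails, and an explicit `[]` in the file arrives as an empty non-nil slice rather than the nil that, as far as I recall, x/crypto/ssh replaces with its defaults. I would reject empty lists here and log the effective sets next to the existing "Starting server" line, e.g. `dlog.Server.Info("SSH algorithm restrictions", config.Server.KeyExchanges, config.Server.Ciphers, config.Server.MACs)` if Info is variadic as the call above suggests, so an operator can confirm what is actually negotiable. Note also that dtail.json.example was only renamed in this merge, so no shipped configuration restricts MACs; the restriction the merge title promises only takes effect when an operator sets the new keys. New() starts before the hunk and continues after it.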
diff --git a/internal/version/version.go b/internal/version/version.go
index f381be6..90073b5 100644
--- a/internal/version/version.go
+++ b/internal/version/version.go
@@ -13,7 +13,7 @@ const (
// Name of DTail.
Name string = "DTail"
// Version of DTail.
- Version string = "4.1.1"
+ Version string = "4.2.0"
// Additional information for DTail
Additional string = "Have a lot of fun!"
)