From 85f04237160a6ea98eea4ec58f1ccab9f6bfc31a Mon Sep 17 00:00:00 2001
From: Viacheslav Hletenko <v.gletenko@vyos.io>
Date: Mon, 17 Oct 2022 12:15:22 +0000
Subject: ssh: T4720: Ability to configure SSH-server HostKeyAlgorithms

Ability to configure SSH-server HostKeyAlgorithms.
Specifies the host key signature algorithms that the server
offers. Can accept multiple values.
---
 data/templates/ssh/sshd_config.j2 |  5 +++++
 interface-definitions/ssh.xml.in  | 13 +++++++++++++
 2 files changed, 18 insertions(+)

diff --git a/data/templates/ssh/sshd_config.j2 b/data/templates/ssh/sshd_config.j2
index 5bbfdeb88..93735020c 100644
--- a/data/templates/ssh/sshd_config.j2
+++ b/data/templates/ssh/sshd_config.j2
@@ -62,6 +62,11 @@ ListenAddress {{ address }}
 Ciphers {{ ciphers | join(',') }}
 {% endif %}
 
+{% if hostkey_algorithm is vyos_defined %}
+# Specifies the available Host Key signature algorithms
+HostKeyAlgorithms {{ hostkey_algorithm | join(',') }}
+{% endif %}
+
 {% if mac is vyos_defined %}
 # Specifies the available MAC (message authentication code) algorithms
 MACs {{ mac | join(',') }}
diff --git a/interface-definitions/ssh.xml.in b/interface-definitions/ssh.xml.in
index f3c731fe5..2bcce2cf0 100644
--- a/interface-definitions/ssh.xml.in
+++ b/interface-definitions/ssh.xml.in
@@ -133,6 +133,19 @@
               </leafNode>
             </children>
           </node>
+          <leafNode name="hostkey-algorithm">
+            <properties>
+              <help>Allowed host key signature algorithms</help>
+              <completionHelp>
+                <!-- generated by ssh -Q HostKeyAlgorithms | tr '\n' ' ' as this will not change dynamically  -->
+                <list>ssh-ed25519 ssh-ed25519-cert-v01@openssh.com sk-ssh-ed25519@openssh.com sk-ssh-ed25519-cert-v01@openssh.com ssh-rsa rsa-sha2-256 rsa-sha2-512 ssh-dss ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 sk-ecdsa-sha2-nistp256@openssh.com webauthn-sk-ecdsa-sha2-nistp256@openssh.com ssh-rsa-cert-v01@openssh.com rsa-sha2-256-cert-v01@openssh.com rsa-sha2-512-cert-v01@openssh.com ssh-dss-cert-v01@openssh.com ecdsa-sha2-nistp256-cert-v01@openssh.com ecdsa-sha2-nistp384-cert-v01@openssh.com ecdsa-sha2-nistp521-cert-v01@openssh.com sk-ecdsa-sha2-nistp256-cert-v01@openssh.com</list>
+              </completionHelp>
+              <multi/>
+              <constraint>
+                <regex>(ssh-ed25519|ssh-ed25519-cert-v01@openssh.com|sk-ssh-ed25519@openssh.com|sk-ssh-ed25519-cert-v01@openssh.com|ssh-rsa|rsa-sha2-256|rsa-sha2-512|ssh-dss|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|sk-ecdsa-sha2-nistp256@openssh.com|webauthn-sk-ecdsa-sha2-nistp256@openssh.com|ssh-rsa-cert-v01@openssh.com|rsa-sha2-256-cert-v01@openssh.com|rsa-sha2-512-cert-v01@openssh.com|ssh-dss-cert-v01@openssh.com|ecdsa-sha2-nistp256-cert-v01@openssh.com|ecdsa-sha2-nistp384-cert-v01@openssh.com|ecdsa-sha2-nistp521-cert-v01@openssh.com|sk-ecdsa-sha2-nistp256-cert-v01@openssh.com)</regex>
+              </constraint>
+            </properties>
+          </leafNode>
           <leafNode name="key-exchange">
             <properties>
               <help>Allowed key exchange (KEX) algorithms</help>
-- 
cgit v1.2.3


From 3ff47d3388fbbcd538d262170c4950aaa61d0efe Mon Sep 17 00:00:00 2001
From: Viacheslav Hletenko <v.gletenko@vyos.io>
Date: Mon, 17 Oct 2022 13:24:48 +0000
Subject: T4720: Add smoketest for SSH NDcPP

---
 smoketest/scripts/cli/test_service_ssh.py | 37 +++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)

diff --git a/smoketest/scripts/cli/test_service_ssh.py b/smoketest/scripts/cli/test_service_ssh.py
index 0b029dd00..8de98f34f 100755
--- a/smoketest/scripts/cli/test_service_ssh.py
+++ b/smoketest/scripts/cli/test_service_ssh.py
@@ -262,5 +262,42 @@ class TestServiceSSH(VyOSUnitTestSHIM.TestCase):
 
         self.assertFalse(process_named_running(SSHGUARD_PROCESS))
 
+
+    # Network Device Collaborative Protection Profile
+    def test_ssh_ndcpp(self):
+        ciphers = ['aes128-cbc', 'aes128-ctr', 'aes256-cbc', 'aes256-ctr']
+        host_key_algs = ['sk-ssh-ed25519@openssh.com', 'ssh-rsa', 'ssh-ed25519']
+        kexes = ['diffie-hellman-group14-sha1', 'ecdh-sha2-nistp256', 'ecdh-sha2-nistp384', 'ecdh-sha2-nistp521']
+        macs = ['hmac-sha1', 'hmac-sha2-256', 'hmac-sha2-512']
+        rekey_time = '60'
+        rekey_data = '1024'
+
+        for cipher in ciphers:
+            self.cli_set(base_path + ['ciphers', cipher])
+        for host_key in host_key_algs:
+            self.cli_set(base_path + ['hostkey-algorithm', host_key])
+        for kex in kexes:
+            self.cli_set(base_path + ['key-exchange', kex])
+        for mac in macs:
+            self.cli_set(base_path + ['mac', mac])
+        # Optional rekey parameters
+        self.cli_set(base_path + ['rekey', 'data', rekey_data])
+        self.cli_set(base_path + ['rekey', 'time', rekey_time])
+
+        # commit changes
+        self.cli_commit()
+
+        ssh_lines = ['Ciphers aes128-cbc,aes128-ctr,aes256-cbc,aes256-ctr',
+                     'HostKeyAlgorithms sk-ssh-ed25519@openssh.com,ssh-rsa,ssh-ed25519',
+                     'MACs hmac-sha1,hmac-sha2-256,hmac-sha2-512',
+                     'KexAlgorithms diffie-hellman-group14-sha1,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521',
+                     'RekeyLimit 1024M 60M'
+                     ]
+        tmp_sshd_conf = read_file(SSHD_CONF)
+
+        for line in ssh_lines:
+            self.assertIn(line, tmp_sshd_conf)
+
+
 if __name__ == '__main__':
     unittest.main(verbosity=2)
-- 
cgit v1.2.3