ssh2
Added optional support for `diffie-hellman-group-exchange-*` kex
In response to:
// TODO: allow user implementation to provide safe prime and
// generator on demand to support group exchange on server side
New server option:
getDHParams - function - To enable support for diffie-hellman-group-exchange-* key exchanges, set this to a function that receives the client's prime size requirements and preference (minBits, prefBits, maxBits) as its three arguments, and returns either an array containing the secure prime (see crypto.createDiffieHellman) as a Buffer (array index 0), and optionally the matching generator as a Buffer (array index 1 - default: Buffer.from([0x02])), or a falsy value if no prime matching the client's request is available. Note that processing these primes is a very CPU-intensive synchronous operation that blocks Node.js' event loop for a long time upon each new handshake; therefore, the use of this property is not recommended. Default: (none)
I think the way it'd have to work is we'd pass a callback as the last argument that the end user would call with either an error or the generator and prime. I would make the generator required to simplify things.
The reason for the callback is that if someone wanted to offload the computation to a worker or child process for example, they could do so. That does complicate things a bit though because of the synchronous nature of things at the moment, but I think it's just additional work that's necessary to properly support a feature like this.
When to make the generator? I have the same problem: I used ssh2 to do gateway passthrough, but some clients use diffie-hellman-group-exchange-* kex, so they cannot connect.
In case someone is looking for something related, tabby fixes this with a polyfill: https://github.com/Eugeny/tabby/blob/master/tabby-ssh/src/polyfills.ts