outbound/ssh: add cipher, MAC, and key exchange configuration

rojer · rojer · commit 8f58b49c5833 · 2026-04-21T11:18:20.000+03:00
Ability to specify client's cipher preference is useful.
In particular, often `aes128-gcm` is more efficient but
`chacha-poly1305` is selected instead.
diff --git a/docs/configuration/outbound/ssh.md b/docs/configuration/outbound/ssh.md
@@ -17,6 +17,16 @@
   ],
   "host_key_algorithms": [],
   "client_version": "SSH-2.0-OpenSSH_7.4p1",
+  "ciphers": [
+    "aes128-gcm@openssh.com",
+    "chacha20-poly1305@openssh.com"
+  ],
+  "macs": [
+    "hmac-sha2-256-etm@openssh.com"
+  ],
+  "key_exchanges": [
+    "curve25519-sha256"
+  ],
 
   ... // Dial Fields
 }
@@ -66,6 +76,24 @@ Host key algorithms.
 
 Client version. Random version will be used if empty.
 
+#### ciphers
+
+List of cipher algorithms to use. If empty, SSH defaults will be used.
+
+Available values: `aes128-gcm@openssh.com` | `aes256-gcm@openssh.com` | `chacha20-poly1305@openssh.com` | `aes128-ctr` | `aes192-ctr` | `aes256-ctr`.
+
+#### macs
+
+List of MAC (Message Authentication Code) algorithms to use. If empty, SSH defaults will be used.
+
+Available values: `hmac-sha2-256-etm@openssh.com` | `hmac-sha2-512-etm@openssh.com` | `hmac-sha2-256` | `hmac-sha2-512` | `hmac-sha1`.
+
+#### key_exchanges
+
+List of key exchange algorithms to use. If empty, SSH defaults will be used.
+
+Available values: `mlkem768x25519-sha256` | `curve25519-sha256` | `ecdh-sha2-nistp256` | `ecdh-sha2-nistp384` | `ecdh-sha2-nistp521` | `diffie-hellman-group14-sha256` | `diffie-hellman-group16-sha512` | `diffie-hellman-group-exchange-sha256`.
+
 ### Dial Fields
 
 See [Dial Fields](/configuration/shared/dial/) for details.
diff --git a/docs/configuration/outbound/ssh.zh.md b/docs/configuration/outbound/ssh.zh.md
@@ -17,6 +17,16 @@
   ],
   "host_key_algorithms": [],
   "client_version": "SSH-2.0-OpenSSH_7.4p1",
+  "ciphers": [
+    "aes128-gcm@openssh.com",
+    "chacha20-poly1305@openssh.com"
+  ],
+  "macs": [
+    "hmac-sha2-256-etm@openssh.com"
+  ],
+  "key_exchanges": [
+    "curve25519-sha256"
+  ],
 
   ... // 拨号字段
 }
@@ -66,6 +76,24 @@ SSH 用户, 默认使用 root。
 
 客户端版本，默认使用随机值。
 
+#### ciphers
+
+加密算法列表。留空使用 SSH 默认值。
+
+可用值: `aes128-gcm@openssh.com` | `aes256-gcm@openssh.com` | `chacha20-poly1305@openssh.com` | `aes128-ctr` | `aes192-ctr` | `aes256-ctr`。
+
+#### macs
+
+MAC（消息认证码）算法列表。留空使用 SSH 默认值。
+
+可用值: `hmac-sha2-256-etm@openssh.com` | `hmac-sha2-512-etm@openssh.com` | `hmac-sha2-256` | `hmac-sha2-512` | `hmac-sha1`。
+
+#### key_exchanges
+
+密钥交换算法列表。留空使用 SSH 默认值。
+
+可用值: `mlkem768x25519-sha256` | `curve25519-sha256` | `ecdh-sha2-nistp256` | `ecdh-sha2-nistp384` | `ecdh-sha2-nistp521` | `diffie-hellman-group14-sha256` | `diffie-hellman-group16-sha512` | `diffie-hellman-group-exchange-sha256`。
+
 ### 拨号字段
 
 参阅 [拨号字段](/zh/configuration/shared/dial/)。
diff --git a/option/ssh.go b/option/ssh.go
@@ -13,4 +13,7 @@ type SSHOutboundOptions struct {
 	HostKey              badoption.Listable[string] `json:"host_key,omitempty"`
 	HostKeyAlgorithms    badoption.Listable[string] `json:"host_key_algorithms,omitempty"`
 	ClientVersion        string                     `json:"client_version,omitempty"`
+	Ciphers              badoption.Listable[string] `json:"ciphers,omitempty"`
+	MACs                 badoption.Listable[string] `json:"macs,omitempty"`
+	KeyExchanges         badoption.Listable[string] `json:"key_exchanges,omitempty"`
 }
diff --git a/protocol/ssh/outbound.go b/protocol/ssh/outbound.go
@@ -43,6 +43,9 @@ type Outbound struct {
 	hostKey           []ssh.PublicKey
 	hostKeyAlgorithms []string
 	clientVersion     string
+	ciphers           []string
+	macs              []string
+	keyExchanges      []string
 	authMethod        []ssh.AuthMethod
 	clientAccess      sync.Mutex
 	clientConn        net.Conn
@@ -63,6 +66,9 @@ func NewOutbound(ctx context.Context, router adapter.Router, logger log.ContextL
 		user:              options.User,
 		hostKeyAlgorithms: options.HostKeyAlgorithms,
 		clientVersion:     options.ClientVersion,
+		ciphers:           options.Ciphers,
+		macs:              options.MACs,
+		keyExchanges:      options.KeyExchanges,
 	}
 	if outbound.serverAddr.Port == 0 {
 		outbound.serverAddr.Port = 22
@@ -121,6 +127,29 @@ func randomVersion() string {
 	return version
 }
 
+func validateAlgorithms(userAlgs []string, supported []string, insecure []string, algType string) ([]string, error) {
+	if len(userAlgs) == 0 {
+		return nil, nil
+	}
+	normalized := make([]string, len(userAlgs))
+	for i, alg := range userAlgs {
+		normalized[i] = strings.ToLower(alg)
+	}
+	allAlgs := make(map[string]bool)
+	for _, alg := range supported {
+		allAlgs[alg] = true
+	}
+	for _, alg := range insecure {
+		allAlgs[alg] = true
+	}
+	for _, alg := range normalized {
+		if !allAlgs[alg] {
+			return nil, E.New("unknown ", algType, ": ", alg)
+		}
+	}
+	return normalized, nil
+}
+
 func (s *Outbound) connect() (*ssh.Client, error) {
 	if s.client != nil {
 		return s.client, nil
@@ -137,6 +166,23 @@ func (s *Outbound) connect() (*ssh.Client, error) {
 	if err != nil {
 		return nil, err
 	}
+	supported := ssh.SupportedAlgorithms()
+	insecure := ssh.InsecureAlgorithms()
+	ciphers, err := validateAlgorithms(s.ciphers, supported.Ciphers, insecure.Ciphers, "cipher")
+	if err != nil {
+		conn.Close()
+		return nil, err
+	}
+	macs, err := validateAlgorithms(s.macs, supported.MACs, insecure.MACs, "mac")
+	if err != nil {
+		conn.Close()
+		return nil, err
+	}
+	keyExchanges, err := validateAlgorithms(s.keyExchanges, supported.KeyExchanges, insecure.KeyExchanges, "key exchange")
+	if err != nil {
+		conn.Close()
+		return nil, err
+	}
 	config := &ssh.ClientConfig{
 		User:              s.user,
 		Auth:              s.authMethod,
@@ -154,6 +200,11 @@ func (s *Outbound) connect() (*ssh.Client, error) {
 			}
 			return E.New("host key mismatch, server send ", key.Type(), " ", base64.StdEncoding.EncodeToString(serverKey))
 		},
+		Config: ssh.Config{
+			Ciphers:      ciphers,
+			MACs:         macs,
+			KeyExchanges: keyExchanges,
+		},
 	}
 	clientConn, chans, reqs, err := ssh.NewClientConn(conn, s.serverAddr.Addr.String(), config)
 	if err != nil {
diff --git a/protocol/ssh/outbound_test.go b/protocol/ssh/outbound_test.go
@@ -0,0 +1,138 @@
+package ssh
+
+import (
+	"testing"
+
+	"golang.org/x/crypto/ssh"
+)
+
+func TestValidateAlgorithms(t *testing.T) {
+	supported := ssh.SupportedAlgorithms()
+	insecure := ssh.InsecureAlgorithms()
+
+	t.Run("empty list returns nil", func(t *testing.T) {
+		result, err := validateAlgorithms(nil, supported.Ciphers, insecure.Ciphers, "cipher")
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+		if result != nil {
+			t.Fatalf("expected nil, got %v", result)
+		}
+	})
+
+	t.Run("valid supported ciphers", func(t *testing.T) {
+		input := []string{"aes128-gcm@openssh.com", "chacha20-poly1305@openssh.com"}
+		result, err := validateAlgorithms(input, supported.Ciphers, insecure.Ciphers, "cipher")
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+		if len(result) != 2 {
+			t.Fatalf("expected 2 results, got %d", len(result))
+		}
+		if result[0] != "aes128-gcm@openssh.com" || result[1] != "chacha20-poly1305@openssh.com" {
+			t.Fatalf("unexpected result: %v", result)
+		}
+	})
+
+	t.Run("valid insecure ciphers", func(t *testing.T) {
+		input := []string{"aes128-cbc", "3des-cbc"}
+		result, err := validateAlgorithms(input, supported.Ciphers, insecure.Ciphers, "cipher")
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+		if len(result) != 2 {
+			t.Fatalf("expected 2 results, got %d", len(result))
+		}
+	})
+
+	t.Run("invalid cipher returns error", func(t *testing.T) {
+		input := []string{"aes128-gcm@openssh.com", "invalid-cipher-123"}
+		_, err := validateAlgorithms(input, supported.Ciphers, insecure.Ciphers, "cipher")
+		if err == nil {
+			t.Fatal("expected error for invalid cipher")
+		}
+		expected := "unknown cipher: invalid-cipher-123"
+		if err.Error() != expected {
+			t.Fatalf("expected error %q, got %q", expected, err.Error())
+		}
+	})
+
+	t.Run("case normalization", func(t *testing.T) {
+		input := []string{"AES128-GCM@OPENSSH.COM"}
+		result, err := validateAlgorithms(input, supported.Ciphers, insecure.Ciphers, "cipher")
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+		if result[0] != "aes128-gcm@openssh.com" {
+			t.Fatalf("expected lowercase, got %q", result[0])
+		}
+	})
+
+	t.Run("order preserved", func(t *testing.T) {
+		input := []string{"aes256-ctr", "aes128-gcm@openssh.com", "chacha20-poly1305@openssh.com"}
+		result, err := validateAlgorithms(input, supported.Ciphers, insecure.Ciphers, "cipher")
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+		if result[0] != "aes256-ctr" || result[1] != "aes128-gcm@openssh.com" || result[2] != "chacha20-poly1305@openssh.com" {
+			t.Fatalf("order not preserved: %v", result)
+		}
+	})
+
+	t.Run("valid MACs", func(t *testing.T) {
+		input := []string{"hmac-sha2-256-etm@openssh.com"}
+		result, err := validateAlgorithms(input, supported.MACs, insecure.MACs, "mac")
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+		if len(result) != 1 || result[0] != "hmac-sha2-256-etm@openssh.com" {
+			t.Fatalf("unexpected result: %v", result)
+		}
+	})
+
+	t.Run("invalid MAC returns error", func(t *testing.T) {
+		input := []string{"invalid-mac"}
+		_, err := validateAlgorithms(input, supported.MACs, insecure.MACs, "mac")
+		if err == nil {
+			t.Fatal("expected error for invalid mac")
+		}
+		expected := "unknown mac: invalid-mac"
+		if err.Error() != expected {
+			t.Fatalf("expected error %q, got %q", expected, err.Error())
+		}
+	})
+
+	t.Run("valid key exchanges", func(t *testing.T) {
+		input := []string{"curve25519-sha256"}
+		result, err := validateAlgorithms(input, supported.KeyExchanges, insecure.KeyExchanges, "key exchange")
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+		if len(result) != 1 || result[0] != "curve25519-sha256" {
+			t.Fatalf("unexpected result: %v", result)
+		}
+	})
+
+	t.Run("invalid key exchange returns error", func(t *testing.T) {
+		input := []string{"invalid-kex"}
+		_, err := validateAlgorithms(input, supported.KeyExchanges, insecure.KeyExchanges, "key exchange")
+		if err == nil {
+			t.Fatal("expected error for invalid key exchange")
+		}
+		expected := "unknown key exchange: invalid-kex"
+		if err.Error() != expected {
+			t.Fatalf("expected error %q, got %q", expected, err.Error())
+		}
+	})
+
+	t.Run("duplicates passed through", func(t *testing.T) {
+		input := []string{"aes128-gcm@openssh.com", "aes128-gcm@openssh.com"}
+		result, err := validateAlgorithms(input, supported.Ciphers, insecure.Ciphers, "cipher")
+		if err != nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+		if len(result) != 2 {
+			t.Fatalf("expected 2 results (duplicates preserved), got %d", len(result))
+		}
+	})
+}

Original file line number	Diff line number	Diff line change
`@@ -13,4 +13,7 @@ type SSHOutboundOptions struct {`
`13`	`13`	HostKey badoption.Listable[string] `json:"host_key,omitempty"`
`14`	`14`	HostKeyAlgorithms badoption.Listable[string] `json:"host_key_algorithms,omitempty"`
`15`	`15`	ClientVersion string `json:"client_version,omitempty"`
	`16`	+ Ciphers badoption.Listable[string] `json:"ciphers,omitempty"`
	`17`	+ MACs badoption.Listable[string] `json:"macs,omitempty"`
	`18`	+ KeyExchanges badoption.Listable[string] `json:"key_exchanges,omitempty"`
`16`	`19`	`}`