btrbk: added "ssh_cipher_spec" configuration option, overriding default SSH ciphers (ssh -c option)

pull/48/merge
Axel Burri 2015-09-20 18:32:19 +02:00
parent 4115941478
commit dd6104339e
4 changed files with 14 additions and 0 deletions


@ -2,6 +2,7 @@ btrbk-current
* Added configuration option "group".
* Allow filtering subcommands by group as well as targets.
* Added configuration option "ssh_cipher_spec" (close: #47).
* Hardened ssh_filter_btrbk.sh script: fine-grained access control,
restrict-path option, sudo option (close: #45)

4
btrbk

@ -61,6 +61,7 @@ my $file_match = qr/[0-9a-zA-Z_@\+\-\.\/]+/; # note: ubuntu uses '@' in the sub
my $ssh_prefix_match = qr/ssh:\/\/($ip_addr_match|$host_name_match)/;
my $snapshot_postfix_match = qr/\.[0-9]{8}(_[0-9]+)?/;
my $group_match = qr/[a-zA-Z0-9_:-]+/;
my $ssh_cipher_match = qr/[a-z0-9][a-z0-9@.-]+/;
my %day_of_week_map = ( monday => 1, tuesday => 2, wednesday => 3, thursday => 4, friday => 5, saturday => 6, sunday => 7 );
@ -84,6 +85,7 @@ my %config_options = (
ssh_user => { default => "root", accept_regexp => qr/^[a-z_][a-z0-9_-]*$/ },
ssh_port => { default => "default", accept => [ "default" ], accept_numeric => 1 },
ssh_compression => { default => undef, accept => [ "yes", "no" ] },
ssh_cipher_spec => { default => "default", accept_regexp => qr/^$ssh_cipher_match(,$ssh_cipher_match)*$/ },
btrfs_progs_compat => { default => undef, accept => [ "yes", "no" ] },
group => { default => undef, accept_regexp => qr/^$group_match(\s*,\s*$group_match)*$/, split => qr/\s*,\s*/ },
@ -238,9 +240,11 @@ sub vinfo($$)
my $ssh_user = config_key($config, "ssh_user");
my $ssh_identity = config_key($config, "ssh_identity");
my $ssh_compression = config_key($config, "ssh_compression");
my $ssh_cipher_spec = config_key($config, "ssh_cipher_spec") // "default";
my @ssh_options;
push(@ssh_options, '-p', $ssh_port) if($ssh_port ne "default");
push(@ssh_options, '-C') if($ssh_compression);
push(@ssh_options, '-c', $ssh_cipher_spec) if($ssh_cipher_spec ne "default");
if($ssh_identity) {
push(@ssh_options, '-i', $ssh_identity);
} else {
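Review bot: The `accept_regexp` added for `ssh_cipher_spec` is the only check on a value that `vinfo` pushes after `-c` into `@ssh_options`, and it is anchored with `^`/`$`, where `$` also matches before a trailing newline (whether one can reach it depends on the config parser, which is outside these hunks). Anchoring with `\A`/`\z` removes the doubt: `accept_regexp => qr/\A$ssh_cipher_match(,$ssh_cipher_match)*\z/`. I would also add a comment on `$ssh_cipher_match`, e.g. `# lowercase cipher names only: no whitespace or shell metacharacters, value is handed to "ssh -c"`, because that restriction matters if `@ssh_options` is later joined into a command string, which is not visible here. The pattern checks syntax only, so any cipher name the local ssh accepts, including a weak one, passes through unchanged. The body of `vinfo` starts and ends outside the hunk.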


@ -53,6 +53,7 @@ snapshot_dir _btrbk_snap
#ssh_user root
#ssh_port default
#ssh_compression no
#ssh_cipher_spec default
# Don't wait for transaction commit on deletion. Set this to "after"
# or "each" to make sure the deletion of subvolumes is committed to


@ -173,6 +173,14 @@ Enables or disables the compression of ssh connections. Defaults to
\[lq]no\[rq].
.RE
.PP
\fBssh_cipher_spec\fR <cipher_spec>
.RS 4
Selects the cipher specification for encrypting the session
(comma-separated list of ciphers in order of preference). See the "-c
cipher_spec" option in ssh(1) for more information. Defaults to
\[lq]default\[rq] (the ciphers specified in \fIssh_config\fR).
.RE
.PP
\fBbtrfs_commit_delete\fR after|each|no
.RS 4
If set, make sure the deletion of snapshot and backup subvolumes are