From dd6104339e548353bd2dc921eab8df35997fa3cb Mon Sep 17 00:00:00 2001
From: Axel Burri
Date: Sun, 20 Sep 2015 18:32:19 +0200
Subject: [PATCH] btrbk: added "ssh_cipher_spec" configuration option, overriding default SSH ciphers (ssh -c option)
---
 ChangeLog | 1 +
 btrbk | 4 ++++
 btrbk.conf.example | 1 +
 doc/btrbk.conf.5 | 8 ++++++++
 4 files changed, 14 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index b5b3c9c..5d29af1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,7 @@ btrbk-current
 * Added configuration option "group".
 * Allow filtering subcommands by group as well as targets.
+ * Added configuration option "ssh_cipher_spec" (close: #47).
 * Hardened ssh_filter_btrbk.sh script: fine-grained access control, restrict-path option, sudo option (close: #45)
diff --git a/btrbk b/btrbk
index 94d7c06..cee2496 100755
--- a/btrbk
+++ b/btrbk
@@ -61,6 +61,7 @@ my $file_match = qr/[0-9a-zA-Z_@\+\-\.\/]+/; # note: ubuntu uses '@' in the sub
 my $ssh_prefix_match = qr/ssh:\/\/($ip_addr_match|$host_name_match)/;
 my $snapshot_postfix_match = qr/\.[0-9]{8}(_[0-9]+)?/;
 my $group_match = qr/[a-zA-Z0-9_:-]+/;
+my $ssh_cipher_match = qr/[a-z0-9][a-z0-9@.-]+/;
 my %day_of_week_map = ( monday => 1, tuesday => 2, wednesday => 3, thursday => 4, friday => 5, saturday => 6, sunday => 7 );
@@ -84,6 +85,7 @@ my %config_options = (
 ssh_user => { default => "root", accept_regexp => qr/^[a-z_][a-z0-9_-]*$/ },
 ssh_port => { default => "default", accept => [ "default" ], accept_numeric => 1 },
 ssh_compression => { default => undef, accept => [ "yes", "no" ] },
+ ssh_cipher_spec => { default => "default", accept_regexp => qr/^$ssh_cipher_match(,$ssh_cipher_match)*$/ },
 btrfs_progs_compat => { default => undef, accept => [ "yes", "no" ] },
 group => { default => undef, accept_regexp => qr/^$group_match(\s*,\s*$group_match)*$/, split => qr/\s*,\s*/ },
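Review bot: The new `$ssh_cipher_match` definition (btrbk, hunk at line 61) carries no comment saying that it is the input filter for a value that later becomes an argument to `ssh -c`, so a future edit could widen the character class without noticing what it protects. As written the class admits no whitespace, quotes or shell metacharacters and cannot start with `-`; I would record that next to the definition, in the same way the `$file_match` line above annotates `@`: `# one cipher name for "ssh -c": no whitespace or shell metacharacters, never a leading "-"`. How `@ssh_options` is turned into a command line is outside this patch, so whether a shell ever sees the value cannot be confirmed from here.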
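Review bot: The `accept_regexp` added for `ssh_cipher_spec` (btrbk, hunk at line 84) is anchored with `^` and `$`, and Perl's `$` also matches just before a trailing newline, so a value ending in `\n` would pass validation and travel on to the ssh argument list. Whether the config parser strips line endings before this check is not visible in the patch; `qr/\A$ssh_cipher_match(,$ssh_cipher_match)*\z/` removes that dependency. The `ssh_user` context line uses the same `^…$` form and would benefit from the same change. Separately, the sentinel `"default"` is accepted only because it happens to match the cipher pattern, whereas `ssh_port` lists it explicitly in `accept`; a short comment on the new line would keep that from breaking if the pattern is tightened later.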
@@ -238,9 +240,11 @@ sub vinfo($$)
 my $ssh_user = config_key($config, "ssh_user");
 my $ssh_identity = config_key($config, "ssh_identity");
 my $ssh_compression = config_key($config, "ssh_compression");
+ my $ssh_cipher_spec = config_key($config, "ssh_cipher_spec") // "default";
 my @ssh_options;
 push(@ssh_options, '-p', $ssh_port) if($ssh_port ne "default");
 push(@ssh_options, '-C') if($ssh_compression);
+ push(@ssh_options, '-c', $ssh_cipher_spec) if($ssh_cipher_spec ne "default");
 if($ssh_identity) {
 push(@ssh_options, '-i', $ssh_identity);
 } else {
diff --git a/btrbk.conf.example b/btrbk.conf.example
index 6238cbf..72146a0 100644
--- a/btrbk.conf.example
+++ b/btrbk.conf.example
@@ -53,6 +53,7 @@ snapshot_dir _btrbk_snap
 #ssh_user root
 #ssh_port default
 #ssh_compression no
+#ssh_cipher_spec default
 # Don't wait for transaction commit on deletion. Set this to "after"
 # or "each" to make sure the deletion of subvolumes is committed to
diff --git a/doc/btrbk.conf.5 b/doc/btrbk.conf.5
index aa5b5df..5a249bc 100644
--- a/doc/btrbk.conf.5
+++ b/doc/btrbk.conf.5
@@ -173,6 +173,14 @@ Enables or disables the compression of ssh connections. Defaults to
 \[lq]no\[rq].
 .RE
 .PP
+\fBssh_cipher_spec\fR
+.RS 4
+Selects the cipher specification for encrypting the session
+(comma-separated list of ciphers in order of preference). See the "-c
+cipher_spec" option in ssh(1) for more information. Defaults to
+\[lq]default\[rq] (the ciphers specified in \fIssh_config\fR).
+.RE
+.PP
 \fBbtrfs_commit_delete\fR after|each|no
 .RS 4
 If set, make sure the deletion of snapshot and backup subvolumes are
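Review bot: The `// "default"` fallback on the new `config_key($config, "ssh_cipher_spec")` line in `vinfo` (btrbk, hunk at line 238) repeats the default already declared for this key in `%config_options`, and none of the neighbouring lookups (`ssh_user`, `ssh_identity`, `ssh_compression`) carries one. If `config_key` can return undef here despite the table default (its body is not part of this patch), a comment saying so would explain the difference; otherwise `my $ssh_cipher_spec = config_key($config, "ssh_cipher_spec");` matches the surrounding lines. Because this option replaces the cipher list ssh would otherwise take from ssh_config, I would also add a comment above the new `push`, such as `# overrides the ssh_config cipher list; value is validated by accept_regexp in %config_options`, so that anyone auditing the ssh invocation sees where the value is checked. `vinfo` starts and ends outside the hunk.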