Add BOSH properties for configurable diego-sshd SSH algorithms

jobs/cc_deployment_updater/templates/cloud_controller_ng.yml.erb

@@ -128,6 +128,24 @@ diego:
     send_timeout: <%= p("cc.diego.bbs.send_timeout") %>
     receive_timeout: <%= p("cc.diego.bbs.receive_timeout") %>
   pid_limit: <%= p("cc.diego.pid_limit") %>
+<% if_link("cloud_controller_internal") do |cc_internal|
+     sshd_ciphers = cc_internal.p("cc.diego.sshd.allowed_ciphers", nil)
+     sshd_host_key_algs = cc_internal.p("cc.diego.sshd.allowed_host_key_algorithms", nil)
+     sshd_kex = cc_internal.p("cc.diego.sshd.allowed_key_exchanges", nil)
+     sshd_macs = cc_internal.p("cc.diego.sshd.allowed_macs", nil)
+     if sshd_ciphers || sshd_host_key_algs || sshd_kex || sshd_macs %>
+  sshd:
+<%     if sshd_ciphers %>
+    allowed_ciphers: "<%= sshd_ciphers %>"
+<%     end; if sshd_host_key_algs %>
+    allowed_host_key_algorithms: "<%= sshd_host_key_algs %>"
+<%     end; if sshd_kex %>
+    allowed_key_exchanges: "<%= sshd_kex %>"
+<%     end; if sshd_macs %>
+    allowed_macs: "<%= sshd_macs %>"
+<%     end
+     end
+   end %>
 
 default_app_memory: <%= p("cc.default_app_memory") %>
 default_app_disk_in_mb: <%= p("cc.default_app_disk_in_mb") %>

jobs/cloud_controller_clock/templates/cloud_controller_ng.yml.erb

@@ -350,6 +350,24 @@ diego:
     send_timeout: <%= p("cc.diego.bbs.send_timeout") %>
     receive_timeout: <%= p("cc.diego.bbs.receive_timeout") %>
   pid_limit: <%= p("cc.diego.pid_limit") %>
+<% if_link("cloud_controller_internal") do |cc_internal|
+     sshd_ciphers = cc_internal.p("cc.diego.sshd.allowed_ciphers", nil)
+     sshd_host_key_algs = cc_internal.p("cc.diego.sshd.allowed_host_key_algorithms", nil)
+     sshd_kex = cc_internal.p("cc.diego.sshd.allowed_key_exchanges", nil)
+     sshd_macs = cc_internal.p("cc.diego.sshd.allowed_macs", nil)
+     if sshd_ciphers || sshd_host_key_algs || sshd_kex || sshd_macs %>
+  sshd:
+<%     if sshd_ciphers %>
+    allowed_ciphers: "<%= sshd_ciphers %>"
+<%     end; if sshd_host_key_algs %>
+    allowed_host_key_algorithms: "<%= sshd_host_key_algs %>"
+<%     end; if sshd_kex %>
+    allowed_key_exchanges: "<%= sshd_kex %>"
+<%     end; if sshd_macs %>
+    allowed_macs: "<%= sshd_macs %>"
+<%     end
+     end
+   end %>
 
 <% if p("routing_api.enabled") %>
 routing_api:

jobs/cloud_controller_ng/spec

@@ -241,6 +241,10 @@ provides:
   - cc.droplets.connection_config
   - cc.buildpacks.connection_config
   - cc.storage_cli_optional_flags
+  - cc.diego.sshd.allowed_ciphers
+  - cc.diego.sshd.allowed_host_key_algorithms
+  - cc.diego.sshd.allowed_key_exchanges
+  - cc.diego.sshd.allowed_macs
 
 consumes:
 - name: database
@@ -1277,6 +1281,15 @@ properties:
     description: "Maximum pid limit for containerized work running user-provided code"
     default: 1024
 
+  cc.diego.sshd.allowed_ciphers:
+    description: "Comma separated list of allowed SSH cipher algorithms for diego-sshd. If not set, diego-sshd will use its defaults."
+  cc.diego.sshd.allowed_host_key_algorithms:
+    description: "Comma separated list of allowed SSH host key algorithms for diego-sshd. If not set, diego-sshd will use its defaults."
+  cc.diego.sshd.allowed_key_exchanges:
+    description: "Comma separated list of allowed SSH key exchange algorithms for diego-sshd. If not set, diego-sshd will use its defaults."
+  cc.diego.sshd.allowed_macs:
+    description: "Comma separated list of allowed SSH MAC algorithms for diego-sshd. If not set, diego-sshd will use its defaults."
+
   cc.logcache.host:
     description: "Hostname of the Logcache server"
     default: doppler.service.cf.internal

jobs/cloud_controller_ng/templates/cloud_controller_ng.yml.erb

@@ -560,6 +560,22 @@ diego:
   enable_declarative_asset_downloads: <%= p("cc.diego.enable_declarative_asset_downloads") %>
   use_privileged_containers_for_running: <%= p("cc.diego.use_privileged_containers_for_running") %>
   use_privileged_containers_for_staging: <%= p("cc.diego.use_privileged_containers_for_staging") %>
+<% sshd_ciphers = p("cc.diego.sshd.allowed_ciphers", nil)
+   sshd_host_key_algs = p("cc.diego.sshd.allowed_host_key_algorithms", nil)
+   sshd_kex = p("cc.diego.sshd.allowed_key_exchanges", nil)
+   sshd_macs = p("cc.diego.sshd.allowed_macs", nil)
+   if sshd_ciphers || sshd_host_key_algs || sshd_kex || sshd_macs %>
+  sshd:
+<%   if sshd_ciphers %>
+    allowed_ciphers: "<%= sshd_ciphers %>"
+<%   end; if sshd_host_key_algs %>
+    allowed_host_key_algorithms: "<%= sshd_host_key_algs %>"
+<%   end; if sshd_kex %>
+    allowed_key_exchanges: "<%= sshd_kex %>"
+<%   end; if sshd_macs %>
+    allowed_macs: "<%= sshd_macs %>"
+<%   end
+   end %>
 
 perm:
   enabled: false

jobs/cloud_controller_worker/templates/cloud_controller_ng.yml.erb

@@ -329,6 +329,24 @@ diego:
     send_timeout: <%= p("cc.diego.bbs.send_timeout") %>
     receive_timeout: <%= p("cc.diego.bbs.receive_timeout") %>
   pid_limit: <%= p("cc.diego.pid_limit") %>
+<% if_link("cloud_controller_internal") do |cc_internal|
+     sshd_ciphers = cc_internal.p("cc.diego.sshd.allowed_ciphers", nil)
+     sshd_host_key_algs = cc_internal.p("cc.diego.sshd.allowed_host_key_algorithms", nil)
+     sshd_kex = cc_internal.p("cc.diego.sshd.allowed_key_exchanges", nil)
+     sshd_macs = cc_internal.p("cc.diego.sshd.allowed_macs", nil)
+     if sshd_ciphers || sshd_host_key_algs || sshd_kex || sshd_macs %>
+  sshd:
+<%     if sshd_ciphers %>
+    allowed_ciphers: "<%= sshd_ciphers %>"
+<%     end; if sshd_host_key_algs %>
+    allowed_host_key_algorithms: "<%= sshd_host_key_algs %>"
+<%     end; if sshd_kex %>
+    allowed_key_exchanges: "<%= sshd_kex %>"
+<%     end; if sshd_macs %>
+    allowed_macs: "<%= sshd_macs %>"
+<%     end
+     end
+   end %>
 
 <% if p("routing_api.enabled") %>
 routing_api:

spec/cloud_controller_ng/cloud_controller_ng_spec.rb

@@ -533,6 +533,48 @@ module Test
             end
           end
 
+          describe 'diego.sshd config' do
+            it 'does not render sshd section when properties are not set' do
+              template_hash = YAML.safe_load(template.render(merged_manifest_properties, consumes: links))
+              expect(template_hash['diego']['sshd']).to be_nil
+            end
+
+            context 'when SSH algorithms are configured' do
+              before do
+                merged_manifest_properties['cc']['diego']['sshd'] = {
+                  'allowed_ciphers' => 'cipher-1,cipher-2',
+                  'allowed_host_key_algorithms' => 'hostkeyalg-1,hostkeyalg-2',
+                  'allowed_key_exchanges' => 'kex-1,kex-2',
+                  'allowed_macs' => 'mac-1,mac-2'
+                }
+              end
+
+              it 'renders the configured SSH algorithms' do
+                template_hash = YAML.safe_load(template.render(merged_manifest_properties, consumes: links))
+                expect(template_hash['diego']['sshd']['allowed_ciphers']).to eq('cipher-1,cipher-2')
+                expect(template_hash['diego']['sshd']['allowed_host_key_algorithms']).to eq('hostkeyalg-1,hostkeyalg-2')
+                expect(template_hash['diego']['sshd']['allowed_key_exchanges']).to eq('kex-1,kex-2')
+                expect(template_hash['diego']['sshd']['allowed_macs']).to eq('mac-1,mac-2')
+              end
+            end
+
+            context 'when only some SSH algorithms are configured' do
+              before do
+                merged_manifest_properties['cc']['diego']['sshd'] = {
+                  'allowed_ciphers' => 'cipher-1,cipher-2'
+                }
+              end
+
+              it 'renders only the configured properties' do
+                template_hash = YAML.safe_load(template.render(merged_manifest_properties, consumes: links))
+                expect(template_hash['diego']['sshd']['allowed_ciphers']).to eq('cipher-1,cipher-2')
+                expect(template_hash['diego']['sshd']['allowed_host_key_algorithms']).to be_nil
+                expect(template_hash['diego']['sshd']['allowed_key_exchanges']).to be_nil
+                expect(template_hash['diego']['sshd']['allowed_macs']).to be_nil
+              end
+            end
+          end
+
           describe 'broker_client_max_async_poll_interval_seconds config' do
             it 'defaults to 86400 seconds' do
               template_hash = YAML.safe_load(template.render(merged_manifest_properties, consumes: links))