From 368458510462f542b68d1b433358cc630b7a7ebc Mon Sep 17 00:00:00 2001
From: Jon Fautley <jon@dead.li>
Date: Fri, 8 Dec 2017 12:22:09 +0000
Subject: [PATCH] sftp: add option to enable the use of aes128-cbc cipher

---
 docs/content/sftp.md |  7 +++++++
 sftp/sftp.go         | 19 +++++++++++++++++++
 2 files changed, 26 insertions(+)

diff --git a/docs/content/sftp.md b/docs/content/sftp.md
index 989e6cff7..4f58cc70f 100644
--- a/docs/content/sftp.md
+++ b/docs/content/sftp.md
@@ -154,6 +154,13 @@ or `sha1sum` as well as `echo` are in the remote's PATH.
 
 The only ssh agent supported under Windows is Putty's pageant.
 
+The Go SSH library disables the use of the aes128-cbc cipher by
+default, due to security concerns. This can be re-enabled on a
+per-connection basis by setting the `use_insecure_cipher` setting in
+the configuration file to `true`. Further details on the insecurity of
+this cipher can be found [in this paper]
+(http://www.isg.rhul.ac.uk/~kp/SandPfinal.pdf).
+
 SFTP isn't supported under plan9 until [this
 issue](https://github.com/pkg/sftp/issues/156) is fixed.
 
diff --git a/sftp/sftp.go b/sftp/sftp.go
index ff7d0ee63..5d424c5d1 100644
--- a/sftp/sftp.go
+++ b/sftp/sftp.go
@@ -57,6 +57,19 @@ func init() {
 			Name:     "key_file",
 			Help:     "Path to unencrypted PEM-encoded private key file, leave blank to use ssh-agent.",
 			Optional: true,
+		}, {
+			Name:     "use_insecure_cipher",
+			Help:     "Enable the user of the aes128-cbc cipher. This cipher is insecure and may allow plaintext data to be recovered by an attacker..",
+			Optional: true,
+			Examples: []fs.OptionExample{
+				{
+					Value: "false",
+					Help:  "Use default Cipher list.",
+				}, {
+					Value: "true",
+					Help:  "Enables the use of the aes128-cbc cipher.",
+				},
+			},
 		}},
 	}
 	fs.Register(fsi)
@@ -232,6 +245,7 @@ func NewFs(name, root string) (fs.Fs, error) {
 	port := fs.ConfigFileGet(name, "port")
 	pass := fs.ConfigFileGet(name, "pass")
 	keyFile := fs.ConfigFileGet(name, "key_file")
+	insecureCipher := fs.ConfigFileGetBool(name, "use_insecure_cipher")
 	if user == "" {
 		user = os.Getenv("USER")
 	}
@@ -245,6 +259,11 @@ func NewFs(name, root string) (fs.Fs, error) {
 		Timeout:         fs.Config.ConnectTimeout,
 	}
 
+	if insecureCipher {
+		config.Config.SetDefaults()
+		config.Config.Ciphers = append(config.Config.Ciphers, "aes128-cbc")
+	}
+
 	// Add ssh agent-auth if no password or file specified
 	if pass == "" && keyFile == "" {
 		sshAgentClient, _, err := sshagent.New()