ssh in lima seems to exclude aes-ctr and force aes-gcm exclusively

[apostasie]

Description

My problem here is that we do not want to carry openssl as a dependency in other parts of our systems, and our ssh client is compiled --without-openssl.

So:

$ ssh -Q cipher
aes128-ctr
aes192-ctr
aes256-ctr
chacha20-poly1305@openssh.com

Which will not work with lima apparently:

$ limactl shell foo
command-line line 0: Unsupported option "gssapiauthentication"
command-line line 0: Bad SSH2 cipher spec '^aes128-gcm@openssh.com,aes256-gcm@openssh.com'.

From a casual reading of:

lima/pkg/sshutil/sshutil.go

Lines 201 to 222 in 217da28

	if !sshInfo.openSSHVersion.LessThan(*semver.New("8.1.0")) {
	// By default, `ssh` choose chacha20-poly1305@openssh.com, even when AES accelerator is available.
	// (OpenSSH_8.1p1, macOS 11.6, MacBookPro 2020, Core i7-1068NG7)
	//
	// We prioritize AES algorithms when AES accelerator is available.
	if sshInfo.aesAccelerated {
	logrus.Debugf("AES accelerator seems available, prioritizing aes128-gcm@openssh.com and aes256-gcm@openssh.com")
	if runtime.GOOS == "windows" {
	opts = append(opts, "Ciphers=^aes128-gcm@openssh.com,aes256-gcm@openssh.com")
	} else {
	opts = append(opts, "Ciphers=\"^aes128-gcm@openssh.com,aes256-gcm@openssh.com\"")
	}
	} else {
	logrus.Debugf("AES accelerator does not seem available, prioritizing chacha20-poly1305@openssh.com")
	if runtime.GOOS == "windows" {
	opts = append(opts, "Ciphers=^chacha20-poly1305@openssh.com")
	} else {
	opts = append(opts, "Ciphers=\"^chacha20-poly1305@openssh.com\"")
	}
	}
	}
	return opts, nil

It seems to me lima is forcing gcm (when there is acceleration for aes), with a fallback on chacha - so, pretty much, forcing ciphers that also provide integrity, excluding ctr+separate mac.

I appreciate strong opinions :-) - and clearly there is nothing wrong with aes-gcm (though maybe chacha is more contentious) - so, if this was a conscious decision to make lima work exclusively for these ciphers, that is fine.

On the other hand, if this was not a concerted decision - there is nothing wrong with aes-ctr + hmac-sha2 either - so, curious about folks' opinion on this?

Thanks in advance.

[AkihiroSuda]

Yes, Lima should query ssh -Q cipher to validate available algorithms