ssh: Add cipher, MAC, and key exchange configuration

2026-05-13 13:57:05 +00:00 · 2026-04-28 09:01:24 +08:00 · 2026-04-28 09:01:24 +08:00 · 610aa9432d
commit 610aa9432d
parent 78f502d016
4 changed files with 72 additions and 0 deletions
--- a/docs/configuration/outbound/ssh.md
+++ b/docs/configuration/outbound/ssh.md
@ -1,3 +1,9 @@
+!!! quote "Changes in sing-box 1.14.0"
+
+    :material-plus: [cipher](#cipher)  
+    :material-plus: [mac](#mac)  
+    :material-plus: [kex_algorithm](#kex_algorithm)
+
 ### Structure

 ```json
@ -17,6 +23,9 @@
  ],
  "host_key_algorithms": [],
  "client_version": "SSH-2.0-OpenSSH_7.4p1",
+  "cipher": [],
+  "mac": [],
+  "kex_algorithm": [],

  ... // Dial Fields
 }
@ -66,6 +75,24 @@ Host key algorithms.

 Client version. Random version will be used if empty.

+#### cipher
+
+!!! question "Since sing-box 1.14.0"
+
+Allowed ciphers. Default values are used if empty.
+
+#### mac
+
+!!! question "Since sing-box 1.14.0"
+
+Allowed MAC algorithms. Default values are used if empty.
+
+#### kex_algorithm
+
+!!! question "Since sing-box 1.14.0"
+
+Allowed key exchange algorithms. Default values are used if empty.
+
 ### Dial Fields

 See [Dial Fields](/configuration/shared/dial/) for details.
--- a/docs/configuration/outbound/ssh.zh.md
+++ b/docs/configuration/outbound/ssh.zh.md
@ -1,3 +1,9 @@
+!!! quote "sing-box 1.14.0 中的更改"
+
+    :material-plus: [cipher](#cipher)  
+    :material-plus: [mac](#mac)  
+    :material-plus: [kex_algorithm](#kex_algorithm)
+
 ### 结构

 ```json
@ -17,6 +23,9 @@
  ],
  "host_key_algorithms": [],
  "client_version": "SSH-2.0-OpenSSH_7.4p1",
+  "cipher": [],
+  "mac": [],
+  "kex_algorithm": [],

  ... // 拨号字段
 }
@ -66,6 +75,24 @@ SSH 用户, 默认使用 root。

 客户端版本，默认使用随机值。

+#### cipher
+
+!!! question "自 sing-box 1.14.0 起"
+
+允许的加密算法。留空使用默认值。
+
+#### mac
+
+!!! question "自 sing-box 1.14.0 起"
+
+允许的 MAC 算法。留空使用默认值。
+
+#### kex_algorithm
+
+!!! question "自 sing-box 1.14.0 起"
+
+允许的密钥交换算法。留空使用默认值。
+
 ### 拨号字段

 参阅 [拨号字段](/zh/configuration/shared/dial/)。
--- a/option/ssh.go
+++ b/option/ssh.go
@ -13,4 +13,7 @@ type SSHOutboundOptions struct {
 	HostKey              badoption.Listable[string] `json:"host_key,omitempty"`
 	HostKeyAlgorithms    badoption.Listable[string] `json:"host_key_algorithms,omitempty"`
 	ClientVersion        string                     `json:"client_version,omitempty"`
+	Cipher               badoption.Listable[string] `json:"cipher,omitempty"`
+	MAC                  badoption.Listable[string] `json:"mac,omitempty"`
+	KexAlgorithm         badoption.Listable[string] `json:"kex_algorithm,omitempty"`
 }
--- a/protocol/ssh/outbound.go
+++ b/protocol/ssh/outbound.go
@ -42,6 +42,9 @@ type Outbound struct {
 	user              string
 	hostKey           []ssh.PublicKey
 	hostKeyAlgorithms []string
+	cipher            []string
+	mac               []string
+	kexAlgorithm      []string
 	clientVersion     string
 	authMethod        []ssh.AuthMethod
 	clientAccess      sync.Mutex
@ -62,6 +65,9 @@ func NewOutbound(ctx context.Context, router adapter.Router, logger log.ContextL
 		serverAddr:        options.ServerOptions.Build(),
 		user:              options.User,
 		hostKeyAlgorithms: options.HostKeyAlgorithms,
+		cipher:            options.Cipher,
+		mac:               options.MAC,
+		kexAlgorithm:      options.KexAlgorithm,
 		clientVersion:     options.ClientVersion,
 	}
 	if outbound.serverAddr.Port == 0 {
@ -155,6 +161,15 @@ func (s *Outbound) connect() (*ssh.Client, error) {
 			return E.New("host key mismatch, server send ", key.Type(), " ", base64.StdEncoding.EncodeToString(serverKey))
 		},
 	}
+	if len(s.cipher) > 0 {
+		config.Ciphers = s.cipher
+	}
+	if len(s.mac) > 0 {
+		config.MACs = s.mac
+	}
+	if len(s.kexAlgorithm) > 0 {
+		config.KeyExchanges = s.kexAlgorithm
+	}
 	clientConn, chans, reqs, err := ssh.NewClientConn(conn, s.serverAddr.Addr.String(), config)
 	if err != nil {
 		conn.Close()