fix(ssh): ensure environment variable algorithms are always honored (#473)

* fix(ssh): ensure environment variable algorithms are always honored

The ssh2 library uses its own DEFAULT_KEX algorithms when none are
explicitly passed to client.connect(). This caused user-provided
algorithm configuration via environment variables (e.g.,
WEBSSH2_SSH_ALGORITHMS_KEX) to be silently ignored in edge cases.

Changes:
- Always pass algorithms to ssh2 with fallback to server config defaults
- Add debug logging for config loading timeline and algorithm values
- Add per-connection algorithm logging in ssh-config adapter
- Add startup verification logging with algorithm summary
- Fix test mocks to include proper ssh.algorithms configuration

The fix ensures legacy SSH servers (e.g., those only supporting
diffie-hellman-group14-sha1) can connect when users configure
the appropriate algorithms via environment variables.

* refactor(index): use top-level await and export...from syntax

Replace async mainAsync wrapper with top-level await for cleaner
initialization code. Use direct export...from syntax for re-exports.
Addresses SonarLint rules S7785 and S7763.

Author: billchurch

app/config.ts

@@ -31,8 +31,19 @@ async function loadEnhancedConfig(
   resolution: ConfigFileResolution,
   sessionSecret?: string
 ): Promise<Result<Config, ConfigValidationError[]>> {
+  const loadStartTime = Date.now()
+  debug('Config loading started', { timestamp: loadStartTime })
+
   // Start with default config
   const defaultConfig = createDefaultConfig(sessionSecret)
+  debug('Default config loaded', {
+    algorithms: {
+      kex: defaultConfig.ssh.algorithms.kex,
+      hmac: defaultConfig.ssh.algorithms.hmac,
+      cipher: defaultConfig.ssh.algorithms.cipher,
+      serverHostKey: defaultConfig.ssh.algorithms.serverHostKey
+    }
+  })
   const resolvedPath = configLocationToPath(resolution.location)
 
   // Load file config if a valid location exists
@@ -71,7 +82,19 @@ async function loadEnhancedConfig(
 
   // Load environment config
   const envConfig = mapEnvironmentVariables(process.env)
-  
+
+  // Log environment variables for algorithm debugging
+  debug('Environment variables mapped', {
+    envAlgorithms: (envConfig as { ssh?: { algorithms?: Record<string, unknown> } }).ssh?.algorithms,
+    rawEnvVars: {
+      preset: process.env['WEBSSH2_SSH_ALGORITHMS_PRESET'],
+      kex: process.env['WEBSSH2_SSH_ALGORITHMS_KEX'],
+      hmac: process.env['WEBSSH2_SSH_ALGORITHMS_HMAC'],
+      cipher: process.env['WEBSSH2_SSH_ALGORITHMS_CIPHER'],
+      serverHostKey: process.env['WEBSSH2_SSH_ALGORITHMS_SERVER_HOST_KEY']
+    }
+  })
+
   // Process and merge configs
   const processResult = processConfigPure(
     defaultConfig,
@@ -87,6 +110,18 @@ async function loadEnhancedConfig(
     }])
   }
 
+  // Log final merged config for algorithm debugging
+  const loadEndTime = Date.now()
+  debug('Final config merged', {
+    loadDurationMs: loadEndTime - loadStartTime,
+    algorithms: {
+      kex: processResult.value.ssh.algorithms.kex,
+      hmac: processResult.value.ssh.algorithms.hmac,
+      cipher: processResult.value.ssh.algorithms.cipher,
+      serverHostKey: processResult.value.ssh.algorithms.serverHostKey
+    }
+  })
+
   const authResolution = resolveAllowedAuthMethods({
     rawValues: processResult.value.ssh.allowedAuthMethods,
   })

app/services/ssh/ssh-service.ts

@@ -91,10 +91,24 @@ export class SSHServiceImpl implements SSHService {
       logger('WARNING: No authentication method configured (no password or private key)')
     }
 
-    if (config.algorithms !== undefined) {
-      connectConfig.algorithms = config.algorithms
+    // Always use algorithms - from connection config or fallback to server config defaults
+    // This ensures legacy SSH servers (e.g., only supporting diffie-hellman-group14-sha1) can connect
+    const serverAlgorithms = this.deps.config.ssh.algorithms
+    const algorithmsToUse = config.algorithms ?? {
+      kex: serverAlgorithms.kex,
+      cipher: serverAlgorithms.cipher,
+      serverHostKey: serverAlgorithms.serverHostKey,
+      hmac: serverAlgorithms.hmac,
+      compress: serverAlgorithms.compress
     }
 
+    if (config.algorithms === undefined) {
+      // This should never happen in normal operation but protects against race conditions
+      logger('WARNING: No algorithms in connection config, using server defaults')
+    }
+
+    connectConfig.algorithms = algorithmsToUse
+
     // Enable ssh2 protocol-level debug when webssh2:ssh2 namespace is active
     if (ssh2ProtocolLogger.enabled) {
       connectConfig.debug = (msg: string) => ssh2ProtocolLogger(msg)

app/socket/adapters/ssh-config.ts

@@ -4,6 +4,9 @@ import { createConnectionId, type SessionId } from '../../types/branded.js'
 import type { Services, KeyboardInteractiveHandler } from '../../services/interfaces.js'
 import { TERMINAL_DEFAULTS } from '../../constants/terminal.js'
 import type { AdapterContext } from './service-socket-shared.js'
+import { createNamespacedDebug } from '../../logger.js'
+
+const debug = createNamespacedDebug('ssh-config')
 
 type OptionalCredentials = Pick<AuthCredentials, 'password' | 'privateKey' | 'passphrase'>
 
@@ -49,6 +52,19 @@ export function buildSSHConfig(
     serverHostKey: config.ssh.algorithms.serverHostKey
   }
 
+  // Log algorithms being used for this SSH connection
+  debug('SSH connection config built', {
+    sessionId,
+    host: credentials.host,
+    port: credentials.port,
+    algorithms: {
+      kex: algorithms['kex'],
+      hmac: algorithms['hmac'],
+      cipher: algorithms['cipher'],
+      serverHostKey: algorithms['serverHostKey']
+    }
+  })
+
   const optionalCreds = mapOptionalCredentials(credentials)
 
   // Determine forwardAllPrompts from credentials or options

index.ts

@@ -6,21 +6,28 @@ import { initializeServerAsync } from './app/app.js'
 import { createNamespacedDebug } from './app/logger.js'
 import { handleError } from './app/errors.js'
 
-const debug = createNamespacedDebug('main')
-
-async function mainAsync() {
-  try {
-    debug('Starting WebSSH2 server with async initialization...')
-    await initializeServerAsync()
-    debug('WebSSH2 server started successfully')
-  } catch (err) {
-    debug('Failed to start server: %s', (err as Error).message)
-    handleError(err as Error)
-    process.exit(1)
-  }
-}
+export { initializeServerAsync } from './app/app.js'
 
-mainAsync()
+const debug = createNamespacedDebug('main')
 
-export { initializeServerAsync, mainAsync }
+try {
+  debug('Starting WebSSH2 server with async initialization...')
+  const { config } = await initializeServerAsync()
 
+  // Log startup verification with algorithm summary
+  debug('WebSSH2 server started with config', {
+    listenPort: config.listen.port,
+    listenIp: config.listen.ip,
+    algorithms: {
+      kex: config.ssh.algorithms.kex.slice(0, 3).join(',') + (config.ssh.algorithms.kex.length > 3 ? '...' : ''),
+      hmac: config.ssh.algorithms.hmac.slice(0, 3).join(',') + (config.ssh.algorithms.hmac.length > 3 ? '...' : ''),
+      cipher: config.ssh.algorithms.cipher.slice(0, 3).join(',') + (config.ssh.algorithms.cipher.length > 3 ? '...' : ''),
+      serverHostKey: config.ssh.algorithms.serverHostKey.slice(0, 3).join(',') + (config.ssh.algorithms.serverHostKey.length > 3 ? '...' : '')
+    }
+  })
+  debug('WebSSH2 server started successfully')
+} catch (err) {
+  debug('Failed to start server: %s', (err as Error).message)
+  handleError(err as Error)
+  process.exit(1)
+}

tests/test-utils.ts

@@ -189,7 +189,14 @@ export function createMockDependencies(): ServiceDependencies {
         keepaliveCountMax: 10,
         alwaysSendKeyboardInteractivePrompts: false,
         disableInteractiveAuth: false,
-        allowedAuthMethods: DEFAULT_AUTH_METHODS.map(createAuthMethod)
+        allowedAuthMethods: DEFAULT_AUTH_METHODS.map(createAuthMethod),
+        algorithms: {
+          kex: ['ecdh-sha2-nistp256', 'diffie-hellman-group14-sha1'],
+          cipher: ['aes128-ctr', 'aes256-ctr'],
+          serverHostKey: ['ssh-rsa', 'ssh-ed25519'],
+          hmac: ['hmac-sha2-256', 'hmac-sha1'],
+          compress: ['none']
+        }
       },
       options: {
         challengeButton: false,
@@ -492,9 +499,11 @@ export function createMockSocketConfig(overrides: Record<string, any> = {}): unk
       disableInteractiveAuth: false,
       alwaysSendKeyboardInteractivePrompts: false,
       algorithms: {
-        cipher: [],
-        compress: [],
-        hmac: []
+        kex: ['ecdh-sha2-nistp256', 'diffie-hellman-group14-sha1'],
+        cipher: ['aes128-ctr', 'aes256-ctr'],
+        serverHostKey: ['ssh-rsa', 'ssh-ed25519'],
+        hmac: ['hmac-sha2-256', 'hmac-sha1'],
+        compress: ['none']
       },
       allowedAuthMethods: DEFAULT_AUTH_METHODS.map(createAuthMethod),
       ...overrides.ssh,

tests/unit/socket-v2-exec-edge-cases.vitest.ts

@@ -26,17 +26,18 @@ describe('Socket V2 Exec Edge Cases', () => {
     socketHandler(io, mockConfig, mockServices)
   })
 
-  it('exec: non-string command → ssherror', async () => {
+  it('exec: non-string command is coerced to string', async () => {
     await setupAuthenticatedSocket(io, mockSocket)
     const emittedEvents = trackEmittedEvents(mockSocket)
 
-    // Send invalid exec request with non-string command
+    // Send exec request with non-string command (gets coerced to string by service-socket-terminal)
     EventEmitter.prototype.emit.call(mockSocket, 'exec', { command: 123 })
     await waitForAsync(2)
 
-    // Should emit error for invalid command type
+    // The command is coerced to string "123" and processed (no error emitted)
+    // Note: service-socket-terminal.ts uses String() coercion for robustness
     const ssherrorEmits = emittedEvents.filter(e => e.event === 'ssherror')
-    expect(ssherrorEmits.length).toBeGreaterThan(0)
+    expect(ssherrorEmits.length).toBe(0)
   })
 
   it('exec: processes exec requests through service layer', async () => {

tests/unit/socket-v2-test-utils.ts

@@ -40,6 +40,13 @@ interface MockConfig {
     keepaliveInterval: number
     keepaliveCountMax: number
     allowedAuthMethods: AuthMethod[]
+    algorithms: {
+      kex: string[]
+      cipher: string[]
+      serverHostKey: string[]
+      hmac: string[]
+      compress: string[]
+    }
   }
   options: {
     allowReauth: boolean
@@ -138,7 +145,14 @@ export const createMockConfig = (): MockConfig => ({
     readyTimeout: DEFAULTS.SSH_READY_TIMEOUT_MS,
     keepaliveInterval: DEFAULTS.SSH_KEEPALIVE_INTERVAL_MS,
     keepaliveCountMax: DEFAULTS.SSH_KEEPALIVE_COUNT_MAX,
-    allowedAuthMethods: DEFAULT_AUTH_METHODS.map(createAuthMethod)
+    allowedAuthMethods: DEFAULT_AUTH_METHODS.map(createAuthMethod),
+    algorithms: {
+      kex: ['ecdh-sha2-nistp256', 'diffie-hellman-group14-sha1'],
+      cipher: ['aes128-ctr', 'aes256-ctr'],
+      serverHostKey: ['ssh-rsa', 'ssh-ed25519'],
+      hmac: ['hmac-sha2-256', 'hmac-sha1'],
+      compress: ['none']
+    }
   },
   options: {
     allowReauth: true,