[OE-core] [PATCH] disable medium-strength dropbear ssh ciphers
joseph-reynolds at charter.net
Wed Sep 12 21:04:03 UTC 2018
>From: "Burton, Ross"
>To: joseph-reynolds at charter.net
>Cc: "openembedded-core at lists.openembedded.org"
>Sent: Wednesday September 12 2018 7:20:27AM
>Subject: Re: [OE-core] [PATCH] disable medium-strength dropbear ssh ciphers
>
>Presumably this doesn't actually work as you're just adding a file to
>git without actually referring to it anywhere.
>
Thanks for your email. I am still trying to get the Dropbear patch
upstreamed. (This is my first patch, so I am a bit of an open source
noob.)

To address your concern: The build process of Dropbear version 2018.76
and later specifically looks for the localoptions.h file as the way to
customize dropbear. (Note that the 2017.75 and earlier versions use a
different mechanism to customize.) See the Makefile.in file for
details.

However, now I am wondering if patching Dropbear's default_options.h
file would be a better way to make this change. Adding a localoptions.h
file is the way to customize dropbear. But I want to change the
*default* behavior of dropbear so that it uses the same encryption
ciphers as OpenSSH. I think patching default_options.h would be a better
way to accomplish that goal. And that patch could be applied to the
Dropbear project itself.
>Ross
>
>On 7 September 2018 at 20:16, wrote:
> This changes the Dropbear SSH server configuration so it will not
> accept medium-strength encryption ciphers including: CBC mode, MD5,
> 96-bit MAC, and triple DES.
>
> Upstream-Status: Pending
>
> Signed-off-by: Joseph Reynolds
> ---
> meta/recipes-core/dropbear/dropbear/localoptions.h | 8 ++++++++
> 1 file changed, 8 insertions(+)
> create mode 100644
meta/recipes-core/dropbear/dropbear/localoptions.h
>
> diff --git a/meta/recipes-core/dropbear/dropbear/localoptions.h
> b/meta/recipes-core/dropbear/dropbear/localoptions.h
> new file mode 100644
> index 0000000..ec48c26
> --- /dev/null
> +++ b/meta/recipes-core/dropbear/dropbear/localoptions.h
> @@ -0,0 +1,8 @@
> +/* Customize dropbear per default_options.h in the dropbear
project */
> +
> +/* Disable insecure ciphers */
> +#define DROPBEAR_TWOFISH256 0
> +#define DROPBEAR_TWOFISH128 0
> +#define DROPBEAR_ENABLE_CBC_MODE 0
> +#define DROPBEAR_SHA1_HMAC 0
> +#define DROPBEAR_SHA1_96_HMAC 0
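Review bot: The defines in the localoptions.h hunk do not match the commit message. The message lists MD5 and triple DES among the things being disabled, but the hunk sets nothing for either, while it does zero DROPBEAR_TWOFISH256, DROPBEAR_TWOFISH128 and the full-length DROPBEAR_SHA1_HMAC, none of which the message mentions. Either add the corresponding defines or reword the message to say which algorithms are left at their defaults. With both SHA1 defines set to 0, the file should also state which MAC remains enabled, and since the comment "Disable insecure ciphers" sits above MAC settings as well, "ciphers and MACs" would be more accurate. The diffstat shows only this one new file, so the commit message should say how the build picks it up.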
> --
> 2.7.2