[OE-core] [PATCH] disable medium-strength dropbear ssh ciphers

joseph-reynolds at charter.net joseph-reynolds at charter.net
Wed Sep 12 21:04:03 UTC 2018


>From: "Burton, Ross" 
>To: joseph-reynolds at charter.net
>Cc: "openembedded-core at lists.openembedded.org"
>Sent: Wednesday September 12 2018 7:20:27AM
>Subject: Re: [OE-core] [PATCH] disable medium-strength dropbear ssh ciphers
>
 >Presumably this doesn't actually work as you're just adding a file to
 >git without actually referring to it anywhere.
 >
Thanks for your email. I am still trying to get the Dropbear patch
upstreamed. (This is my first patch, so I am a bit of an open source
noob.)

To address your concern: The build process for Dropbear version 2018.76
and later specifically looks for the localoptions.h file as the way to
customize dropbear. (Note that versions 2017.75 and earlier use a
different mechanism to customize.) See the Makefile.in file for
details.

However, now I am wondering if patching Dropbear's default_options.h
file would be a better way to make this change. Adding a localoptions.h
file is the way to customize dropbear. But I want to change the
*default* behavior of dropbear so that it uses the same encryption
ciphers as OpenSSH. I think patching default_options.h would be a better
way to accomplish that goal. And that patch could be applied to the
Dropbear project itself.
 >Ross
 >
 >On 7 September 2018 at 20:16,  wrote:
 > This changes the Dropbear SSH server configuration so it will not
 > accept medium-strength encryption ciphers including: CBC mode, MD5,
 > 96-bit MAC, and triple DES.
 >
 > Upstream-Status: Pending
 >
 > Signed-off-by: Joseph Reynolds 
 > ---
 > meta/recipes-core/dropbear/dropbear/localoptions.h | 8 ++++++++
 > 1 file changed, 8 insertions(+)
 > create mode 100644
meta/recipes-core/dropbear/dropbear/localoptions.h
 >
 > diff --git a/meta/recipes-core/dropbear/dropbear/localoptions.h
 > b/meta/recipes-core/dropbear/dropbear/localoptions.h
 > new file mode 100644
 > index 0000000..ec48c26
 > --- /dev/null
 > +++ b/meta/recipes-core/dropbear/dropbear/localoptions.h
 > @@ -0,0 +1,8 @@
 > +/* Customize dropbear per default_options.h in the dropbear
project */
 > +
 > +/* Disable insecure ciphers */
 > +#define DROPBEAR_TWOFISH256 0
 > +#define DROPBEAR_TWOFISH128 0
 > +#define DROPBEAR_ENABLE_CBC_MODE 0
 > +#define DROPBEAR_SHA1_HMAC 0
 > +#define DROPBEAR_SHA1_96_HMAC 0
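Review bot: The commit message lists MD5 and triple DES among the ciphers being turned off, but none of the five defines in this hunk names either one. Conversely, `DROPBEAR_SHA1_HMAC 0` and the two `DROPBEAR_TWOFISH*` defines turn off algorithms the message does not mention. Either add explicit settings for the MD5 MAC and triple DES (or state in the header comment which existing setting covers them), or reword the message so it matches what the file sets. The header comment also says "insecure" where the message says "medium-strength"; use one term in both places. Separately, the diffstat shows only this one new file, so nothing visible in the patch makes the recipe pick up localoptions.h.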
 > --
 > 2.7.2
 >
 >
 >
 >
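A check for the result this patch aims at, as an added example that is not part of the original message, Dropbear, or OE-core: it parses the algorithm name-lists of an SSH KEXINIT payload (RFC 4253, section 7.1) and flags ciphers and MACs in the four categories the commit message names. The function names and both sample payloads are constructed for illustration; full-length hmac-sha1 and Twofish, which the hunk also turns off, are outside these four categories and are not flagged.

```python
import struct

SSH_MSG_KEXINIT = 20  # message number from RFC 4253, section 12
# Order of the ten name-lists in KEXINIT (RFC 4253, section 7.1)
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def parse_kexinit(payload):
    """Return {field: [algorithm names]} from an unencrypted KEXINIT payload."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, lists = 17, {}  # skip the message type byte and the 16-byte cookie
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + n].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        pos += n
    return lists

def weak_reason(name):
    """Map an algorithm name to a commit-message category, or None."""
    base = name.split("@", 1)[0]  # drop vendor suffix such as @openssh.com
    if base.startswith("3des"):
        return "triple DES"
    if base.endswith("-cbc"):
        return "CBC mode"
    if "md5" in base:
        return "MD5"
    if "-96" in base:
        return "96-bit MAC"
    return None

def audit(payload):
    """List (field, algorithm, reason) for every flagged cipher or MAC."""
    lists = parse_kexinit(payload)
    return [(f, a, weak_reason(a))
            for f in ("enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c")
            for a in lists[f] if weak_reason(a)]

def build_kexinit(enc, mac):
    """Build a constructed sample payload (not a capture) for offline runs."""
    names = ["curve25519-sha256", "ssh-rsa", enc, enc, mac, mac, "none", "none", "", ""]
    body = b"".join(struct.pack(">I", len(n)) + n.encode() for n in names)
    return bytes([SSH_MSG_KEXINIT]) + bytes(16) + body + b"\x00" + bytes(4)

BEFORE = build_kexinit("aes128-ctr,aes128-cbc,3des-cbc", "hmac-sha1-96,hmac-sha2-256,hmac-md5")
AFTER = build_kexinit("aes128-ctr,aes256-ctr", "hmac-sha2-256")
```

`audit(BEFORE)` reports the CBC, triple DES, MD5 and 96-bit entries for both directions, and `audit(AFTER)` returns an empty list.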