[OE-core] [PATCH] disable medium-strength dropbear ssh ciphers

Burton, Ross ross.burton at intel.com
Wed Sep 12 21:51:23 UTC 2018


Yes, I'm aware that dropbear looks for that, but it won't be looking
in the recipe folder. If you added it in SRC_URI then it would be in
WORKDIR which is almost the right place, but not quite.

Patching default_options does seem like the best idea moving forwards though.

Ross

On 12 September 2018 at 22:04,  <joseph-reynolds at charter.net> wrote:
>>From: "Burton, Ross"
>>To: joseph-reynolds at charter.net
>>Cc: "openembedded-core at lists.openembedded.org"
>>Sent: Wednesday September 12 2018 7:20:27AM
>>Subject: Re: [OE-core] [PATCH] disable medium-strength dropbear ssh ciphers
>>
>>Presumably this doesn't actually work as you're just adding a file to
>>git without actually referring to it anywhere.
>>
>
> Thanks for your email.  I am still trying to get the Dropbear patch
> upstreamed.  (This is my first patch, so I am a bit of an open source noob.)
>
> To address your concern: the build process of Dropbear version 2018.76 and later
> specifically looks for the localoptions.h file as the way to customize
> dropbear.  (Note that 2017.75 and earlier versions use a different mechanism
> to customize.)  See the Makefile.in file for details.
>
> However, now I am wondering if patching Dropbear's default_options.h file
> would be a better way to make this change.  Adding a localoptions.h file is
> the way to customize dropbear.  But I want to change the *default* behavior
> of dropbear so that it uses the same encryption ciphers as OpenSSH.  I think
> patching default_options.h would be a better way to accomplish that goal.  And
> that patch could be applied to the Dropbear project itself.
>
>>Ross
>>
>>On 7 September 2018 at 20:16, <joseph-reynolds at charter.net> wrote:
>> This changes the Dropbear SSH server configuration so it will not
>> accept medium-strength encryption ciphers including: CBC mode, MD5,
>> 96-bit MAC, and triple DES.
>>
>> Upstream-Status: Pending
>>
>> Signed-off-by: Joseph Reynolds <joseph-reynolds at charter.net>
>> ---
>> meta/recipes-core/dropbear/dropbear/localoptions.h | 8 ++++++++
>> 1 file changed, 8 insertions(+)
>> create mode 100644 meta/recipes-core/dropbear/dropbear/localoptions.h
>>
>> diff --git a/meta/recipes-core/dropbear/dropbear/localoptions.h
>> b/meta/recipes-core/dropbear/dropbear/localoptions.h
>> new file mode 100644
>> index 0000000..ec48c26
>> --- /dev/null
>> +++ b/meta/recipes-core/dropbear/dropbear/localoptions.h
>> @@ -0,0 +1,8 @@
>> +/* Customize dropbear per default_options.h in the dropbear project */
>> +
>> +/* Disable insecure ciphers */
>> +#define DROPBEAR_TWOFISH256 0
>> +#define DROPBEAR_TWOFISH128 0
>> +#define DROPBEAR_ENABLE_CBC_MODE 0
>> +#define DROPBEAR_SHA1_HMAC 0
>> +#define DROPBEAR_SHA1_96_HMAC 0
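Review bot: the defines in this hunk do not match the commit message. The DROPBEAR_TWOFISH256, DROPBEAR_TWOFISH128 and DROPBEAR_SHA1_HMAC lines disable Twofish and the full-length hmac-sha1, none of which the message lists, while nothing in the hunk touches triple DES or an MD5 MAC, both of which the message claims to disable. Either narrow the defines to the stated scope or rewrite the message to describe what is actually switched off; if dropping hmac-sha1 entirely is intended, say so explicitly, since clients that only offer that MAC will no longer be able to connect. The "Disable insecure ciphers" comment is also imprecise: DROPBEAR_SHA1_HMAC and DROPBEAR_SHA1_96_HMAC select MAC algorithms, not ciphers. Finally, as already raised in the thread, the file is added under the recipe directory without being referenced from the recipe, so nothing copies it into the build tree and the defines have no effect on the built dropbear.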
>> --
>> 2.7.2
>>
>>
>>
>> --
>> _______________________________________________
>> Openembedded-core mailing list
>> Openembedded-core at lists.openembedded.org
>>
> http://lists.openembedded.org/mailman/listinfo/openembedded-core