[OE-core] [PATCH] disable medium-strength dropbear ssh ciphers

Andre McCurdy armccurdy at gmail.com
Wed Sep 12 22:02:00 UTC 2018


On Wed, Sep 12, 2018 at 2:51 PM, Burton, Ross <ross.burton at intel.com> wrote:
> Yes, I'm aware that dropbear looks for that, but it won't be looking
> in the recipe folder. If you added it in SRC_URI then it would be in
> WORKDIR which is almost the right place, but not quite.
>
> Patching default_options does seem like the best idea moving forwards though.

Getting the changes upstream would be the preferred option.

If we want to carry an OE specific change to the defaults which
upstream won't accept then it should probably be under the control of
a PACKAGECONFIG option in the recipe - which implies somehow making
the options controllable via a configure or compile time option rather
than a hardcoded patch.

> Ross
>
> On 12 September 2018 at 22:04,  <joseph-reynolds at charter.net> wrote:
>>> From: "Burton, Ross"
>>> To: joseph-reynolds at charter.net
>>> Cc: "openembedded-core at lists.openembedded.org"
>>> Sent: Wednesday September 12 2018 7:20:27AM
>>> Subject: Re: [OE-core] [PATCH] disable medium-strength dropbear ssh ciphers
>>>
>>>Presumably this doesn't actually work as you're just adding a file to
>>>git without actually referring to it anywhere.
>>>
>>
>> Thanks for your email.  I am still trying to get the Dropbear patch
>> upstreamed.  (This is my first patch, so I am a bit of an open source noob.)
>>
>> To address your concern: the Dropbear version 2018.76 and later build process
>> specifically looks for the localoptions.h file as the way to customize
>> dropbear.  (Note the 2017.75 and earlier versions use a different mechanism
>> to customize.)  See the Makefile.in file for details.
>>
>> However, now I am wondering if patching Dropbear's default_options.h file
>> would be a better way to make this change.  Adding a localoptions.h file is
>> the way to customize dropbear.  But I want to change the *default* behavior
>> of dropbear so that it uses the same encryption ciphers as OpenSSH.  I think
>> patching default_options.h would be a better way to accomplish that goal.  And
>> that patch could be applied to the Dropbear project itself.
>>
>>>Ross
>>>
>>>On 7 September 2018 at 20:16, <joseph-reynolds at charter.net> wrote:
>>> This changes the Dropbear SSH server configuration so it will not
>>> accept medium-strength encryption ciphers including: CBC mode, MD5,
>>> 96-bit MAC, and triple DES.
>>>
>>> Upstream-Status: Pending
>>>
>>> Signed-off-by: Joseph Reynolds <joseph-reynolds at charter.net>
>>> ---
>>> meta/recipes-core/dropbear/dropbear/localoptions.h | 8 ++++++++
>>> 1 file changed, 8 insertions(+)
>>> create mode 100644 meta/recipes-core/dropbear/dropbear/localoptions.h
>>>
>>> diff --git a/meta/recipes-core/dropbear/dropbear/localoptions.h
>>> b/meta/recipes-core/dropbear/dropbear/localoptions.h
>>> new file mode 100644
>>> index 0000000..ec48c26
>>> --- /dev/null
>>> +++ b/meta/recipes-core/dropbear/dropbear/localoptions.h
>>> @@ -0,0 +1,8 @@
>>> +/* Customize dropbear per default_options.h in the dropbear project */
>>> +
>>> +/* Disable insecure ciphers */
>>> +#define DROPBEAR_TWOFISH256 0
>>> +#define DROPBEAR_TWOFISH128 0
>>> +#define DROPBEAR_ENABLE_CBC_MODE 0
>>> +#define DROPBEAR_SHA1_HMAC 0
>>> +#define DROPBEAR_SHA1_96_HMAC 0
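Review bot: the new meta/recipes-core/dropbear/dropbear/localoptions.h is never referenced anywhere in this patch, so nothing copies it into the dropbear source tree where Makefile.in looks for it and the build is unchanged; add it to the recipe's SRC_URI (`file://localoptions.h`) and copy it from WORKDIR into the source directory before configure runs, or patch default_options.h directly as discussed above. The defines also do not match the commit message: the message says MD5, triple DES, 96-bit MACs and CBC mode are disabled, but the hunk carries no define for MD5 or triple DES, while it does turn off `DROPBEAR_SHA1_HMAC` (full hmac-sha1) and both Twofish variants, neither of which the message mentions. Either add the missing defines or amend the message so the resulting cipher and MAC set is documented, since dropping hmac-sha1 outright goes beyond the stated "medium-strength" scope.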
>>> --
>>> 2.7.2
>>>
>>>
>>>
>>> --
>>> _______________________________________________
>>> Openembedded-core mailing list
>>> Openembedded-core at lists.openembedded.org
>>>
>> http://lists.openembedded.org/mailman/listinfo/openembedded-core