[OE-core] [PATCH v2] dropbear: disable medium-strength ssh ciphers
joseph-reynolds at charter.net
Thu Sep 13 19:45:45 UTC 2018
>From: "Burton, Ross"
>To: joseph-reynolds at charter.net
>Cc: "openembedded-core at lists.openembedded.org"
>Sent: Thursday September 13 2018 11:00:26AM
>Subject: Re: [OE-core] [PATCH v2] dropbear: disable medium-strength ssh ciphers
>
>This still can't be actually used, because dropbear won't be looking
>in the recipe folder and nothing puts that file into the source tree.
>Put a #error in it if you don't believe me. :)

Thanks for pointing that out. I had conflated the OE & Yocto recipes,
then forgot to include the recipe change in my patch. My home project
is actually https://github.com/openbmc/openbmc, so I set out to
upstream this change to Yocto/Poky, OE, and Dropbear. Thanks for your
patience, as this is my first attempt to upstream.

My second issue is creating a correct patch. I used git format-patch
HEAD^ and then cut/paste the result into my web-based email reader.
The patch appears correct, but the automation says my patch is
mal-formed. I am still trying to enable sending plain-text email from
my shell environment.

Finally, I want to change my approach. I had been updating the
dropbear localoptions.h file to customize Dropbear's behavior. But I
really want to change Dropbear's default behavior for everyone, which
means I should update default_options.h and leave localoptions.h
alone. I plan to create a pull request to update the Dropbear project
default_options.h file, and a patch for openembedded-core to change
the dropbear_2018.76.bb recipe to pick up the Dropbear patch.

- Joseph
>Ross
>
>On 12 September 2018 at 22:56, wrote:
>> This changes the Dropbear SSH server configuration so it will not
>> accept medium-strength encryption ciphers including: CBC mode, MD5,
>> 96-bit MAC, and triple DES. This is consistent with the default
>> supported OpenSSH ciphers.
>>
>> Upstream-Status: Pending
>>
>> Signed-off-by: Joseph Reynolds
>> ---
>> meta/recipes-core/dropbear/dropbear/localoptions.h | 8 ++++++++
>> 1 file changed, 8 insertions(+)
>> create mode 100644
meta/recipes-core/dropbear/dropbear/localoptions.h
>>
>> diff --git a/meta/recipes-core/dropbear/dropbear/localoptions.h
>> b/meta/recipes-core/dropbear/dropbear/localoptions.h
>> new file mode 100644
>> index 0000000..ec48c26
>> --- /dev/null
>> +++ b/meta/recipes-core/dropbear/dropbear/localoptions.h
>> @@ -0,0 +1,8 @@
>> +/* Customize dropbear per default_options.h in the dropbear
project */
>> +
>> +/* Disable insecure ciphers */
>> +#define DROPBEAR_TWOFISH256 0
>> +#define DROPBEAR_TWOFISH128 0
>> +#define DROPBEAR_ENABLE_CBC_MODE 0
>> +#define DROPBEAR_SHA1_HMAC 0
>> +#define DROPBEAR_SHA1_96_HMAC 0
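Review bot: The commit message and the defines in the new localoptions.h do not describe the same set of algorithms. The message lists CBC mode, MD5, 96-bit MAC and triple DES, but no line in this hunk names MD5 or triple DES, while DROPBEAR_TWOFISH256, DROPBEAR_TWOFISH128 and the full-length DROPBEAR_SHA1_HMAC are switched off without being mentioned. Either add an explicit define for every algorithm the message promises to disable, or reword the message to match what the file sets. The comment "Disable insecure ciphers" also sits above two HMAC settings and says "insecure" where the message says "medium-strength"; something like "Disable medium-strength ciphers and MACs" would match. The diffstat shows only this one new file, so the recipe change that places it in the Dropbear source tree still needs to be part of the patch.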
>> --
>> 1.8.3.1