* [PATCH v2] dropbear: disable medium-strength ssh ciphers
@ 2018-09-12 21:56 joseph-reynolds
2018-09-12 22:03 ` ✗ patchtest: failure for " Patchwork
2018-09-13 16:00 ` [PATCH v2] " Burton, Ross
0 siblings, 2 replies; 4+ messages in thread
From: joseph-reynolds @ 2018-09-12 21:56 UTC (permalink / raw)
To: 'openembedded-core@lists.openembedded.org'
This changes the Dropbear SSH server configuration so it will not
accept medium-strength encryption ciphers including: CBC mode, MD5,
96-bit MAC, and triple DES. This is consistent with the default
supported OpenSSH ciphers.
Upstream-Status: Pending
Signed-off-by: Joseph Reynolds
---
meta/recipes-core/dropbear/dropbear/localoptions.h | 8 ++++++++
1 file changed, 8 insertions(+)
create mode 100644 meta/recipes-core/dropbear/dropbear/localoptions.h
diff --git a/meta/recipes-core/dropbear/dropbear/localoptions.h
b/meta/recipes-core/dropbear/dropbear/localoptions.h
new file mode 100644
index 0000000..ec48c26
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/localoptions.h
@@ -0,0 +1,8 @@
+/* Customize dropbear per default_options.h in the dropbear project
*/
+
+/* Disable insecure ciphers */
+#define DROPBEAR_TWOFISH256 0
+#define DROPBEAR_TWOFISH128 0
+#define DROPBEAR_ENABLE_CBC_MODE 0
+#define DROPBEAR_SHA1_HMAC 0
+#define DROPBEAR_SHA1_96_HMAC 0
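Review bot: the closing "*/" of the first comment sits on its own line with no leading "+", so the hunk contains a line that is neither added nor context and no longer matches "@@ -0,0 +1,8 @@". Regenerate the mail with git format-patch and send it without line wrapping (the "diff --git" header is wrapped the same way), then confirm it applies with git am. The diffstat also lists this header as the only file changed, so nothing in the series references it from the recipe or copies it into the dropbear source tree; that recipe change belongs in the same patch.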
--
1.8.3.1
* ✗ patchtest: failure for dropbear: disable medium-strength ssh ciphers
From: Patchwork @ 2018-09-12 22:03 UTC (permalink / raw)
To: joseph-reynolds; +Cc: openembedded-core
== Series Details ==
Series: dropbear: disable medium-strength ssh ciphers
Revision: 1
URL : https://patchwork.openembedded.org/series/14051/
State : failure
== Summary ==
Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:
* Issue             Series cannot be parsed correctly due to malformed diff lines [test_mbox_format]
  Suggested fix    Create the series again using git-format-patch and ensure it can be applied using git am
  Diff line        */

* Issue             Series does not apply on top of target branch [test_series_merge_on_head]
  Suggested fix    Rebase your series on top of targeted branch
  Targeted branch  master (currently at b7f3f7ecfd)
If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).
---
Guidelines: https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe
* Re: [PATCH v2] dropbear: disable medium-strength ssh ciphers
From: Burton, Ross @ 2018-09-13 16:00 UTC (permalink / raw)
To: joseph-reynolds; +Cc: openembedded-core@lists.openembedded.org
This still can't be actually used, because dropbear won't be looking
in the recipe folder and nothing puts that file into the source tree.
Put a #error in it if you don't believe me. :)
Ross
On 12 September 2018 at 22:56, <joseph-reynolds@charter.net> wrote:
> This changes the Dropbear SSH server configuration so it will not
> accept medium-strength encryption ciphers including: CBC mode, MD5,
> 96-bit MAC, and triple DES. This is consistent with the default
> supported OpenSSH ciphers.
>
> Upstream-Status: Pending
>
> Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
> ---
> meta/recipes-core/dropbear/dropbear/localoptions.h | 8 ++++++++
> 1 file changed, 8 insertions(+)
> create mode 100644 meta/recipes-core/dropbear/dropbear/localoptions.h
>
> diff --git a/meta/recipes-core/dropbear/dropbear/localoptions.h
> b/meta/recipes-core/dropbear/dropbear/localoptions.h
> new file mode 100644
> index 0000000..ec48c26
> --- /dev/null
> +++ b/meta/recipes-core/dropbear/dropbear/localoptions.h
> @@ -0,0 +1,8 @@
> +/* Customize dropbear per default_options.h in the dropbear project */
> +
> +/* Disable insecure ciphers */
> +#define DROPBEAR_TWOFISH256 0
> +#define DROPBEAR_TWOFISH128 0
> +#define DROPBEAR_ENABLE_CBC_MODE 0
> +#define DROPBEAR_SHA1_HMAC 0
> +#define DROPBEAR_SHA1_96_HMAC 0
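Review bot: the five defines do not line up with the description. The commit message lists CBC mode, MD5, 96-bit MAC and triple DES, but no define here names MD5 or triple DES, while Twofish and the full-length SHA1 HMAC (DROPBEAR_SHA1_HMAC) are switched off without being mentioned; the comment also says "insecure" where the subject says "medium-strength". Either add the defines that cover MD5 and triple DES or say in the message that they are already off if that is the case, and list every algorithm the patch removes so reviewers can judge client compatibility.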
> --
> 1.8.3.1
* Re: [PATCH v2] dropbear: disable medium-strength ssh ciphers
From: Alexander Kanavin @ 2018-09-13 16:47 UTC (permalink / raw)
To: Burton, Ross; +Cc: openembedded-core@lists.openembedded.org, joseph-reynolds
Actually, I'd rather have an 'upstream first' policy in this specific
case. If the change is good and desirable, please work with the
upstream to merge it there.
Alex
2018-09-13 18:00 GMT+02:00 Burton, Ross <ross.burton@intel.com>:
> This still can't be actually used, because dropbear won't be looking
> in the recipe folder and nothing puts that file into the source tree.
> Put a #error in it if you don't believe me. :)
>
> Ross
>
> On 12 September 2018 at 22:56, <joseph-reynolds@charter.net> wrote:
>> This changes the Dropbear SSH server configuration so it will not
>> accept medium-strength encryption ciphers including: CBC mode, MD5,
>> 96-bit MAC, and triple DES. This is consistent with the default
>> supported OpenSSH ciphers.
>>
>> Upstream-Status: Pending
>>
>> Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
>> ---
>> meta/recipes-core/dropbear/dropbear/localoptions.h | 8 ++++++++
>> 1 file changed, 8 insertions(+)
>> create mode 100644 meta/recipes-core/dropbear/dropbear/localoptions.h
>>
>> diff --git a/meta/recipes-core/dropbear/dropbear/localoptions.h
>> b/meta/recipes-core/dropbear/dropbear/localoptions.h
>> new file mode 100644
>> index 0000000..ec48c26
>> --- /dev/null
>> +++ b/meta/recipes-core/dropbear/dropbear/localoptions.h
>> @@ -0,0 +1,8 @@
>> +/* Customize dropbear per default_options.h in the dropbear project */
>> +
>> +/* Disable insecure ciphers */
>> +#define DROPBEAR_TWOFISH256 0
>> +#define DROPBEAR_TWOFISH128 0
>> +#define DROPBEAR_ENABLE_CBC_MODE 0
>> +#define DROPBEAR_SHA1_HMAC 0
>> +#define DROPBEAR_SHA1_96_HMAC 0
>> --
>> 1.8.3.1