From: joseph-reynolds@charter.net
To: "'Burton, Ross'" <ross.burton@intel.com>
Cc: "'openembedded-core@lists.openembedded.org'" <openembedded-core@lists.openembedded.org>
Subject: Re: [PATCH v2] dropbear: disable medium-strength ssh ciphers
Date: Thu, 13 Sep 2018 14:45:45 -0500
Message-ID: <b7ll1y0053uLLH8017llTy@charter.net>
>From: "Burton, Ross"
>To: joseph-reynolds@charter.net
>Cc: "openembedded-core@lists.openembedded.org"
>Sent: Thursday September 13 2018 11:00:26AM
>Subject: Re: [OE-core] [PATCH v2] dropbear: disable medium-strength ssh ciphers
>
>This still can't be actually used, because dropbear won't be looking
>in the recipe folder and nothing puts that file into the source tree.
>Put a #error in it if you don't believe me. :)
Thanks for pointing that out. I had conflated the OE & Yocto recipes,
then forgot to include the recipe change in my patch. My home project
is actually https://github.com/openbmc/openbmc, so I set out to
upstream this change to Yocto/Poky, OE, and Dropbear. Thanks for your
patience, as this is my first attempt to upstream.
My second issue is creating a correct patch. I used git format-patch
HEAD^ and then cut/paste the result into my web-based email reader.
The patch appears correct, but the automation says my patch is
malformed. I am still trying to enable sending plain-text email from
my shell environment.
Finally, I want to change my approach. I had been updating the
dropbear localoptions.h file to customize Dropbear's behavior. But I
really want to change Dropbear's default behavior for everyone, which
means I should update default_options.h and leave localoptions.h
alone. I plan to create a pull request to update the Dropbear project
default_options.h file, and a patch for openembedded-core to change
the dropbear_2018.76.bb recipe to pick up the Dropbear patch.
- Joseph
>Ross
>
>On 12 September 2018 at 22:56, wrote:
>> This changes the Dropbear SSH server configuration so it will not
>> accept medium-strength encryption ciphers including: CBC mode, MD5,
>> 96-bit MAC, and triple DES. This is consistent with the default
>> supported OpenSSH ciphers.
>>
>> Upstream-Status: Pending
>>
>> Signed-off-by: Joseph Reynolds
>> ---
>> meta/recipes-core/dropbear/dropbear/localoptions.h | 8 ++++++++
>> 1 file changed, 8 insertions(+)
>> create mode 100644 meta/recipes-core/dropbear/dropbear/localoptions.h
>>
>> diff --git a/meta/recipes-core/dropbear/dropbear/localoptions.h
>> b/meta/recipes-core/dropbear/dropbear/localoptions.h
>> new file mode 100644
>> index 0000000..ec48c26
>> --- /dev/null
>> +++ b/meta/recipes-core/dropbear/dropbear/localoptions.h
>> @@ -0,0 +1,8 @@
>> +/* Customize dropbear per default_options.h in the dropbear
project */
>> +
>> +/* Disable insecure ciphers */
>> +#define DROPBEAR_TWOFISH256 0
>> +#define DROPBEAR_TWOFISH128 0
>> +#define DROPBEAR_ENABLE_CBC_MODE 0
>> +#define DROPBEAR_SHA1_HMAC 0
>> +#define DROPBEAR_SHA1_96_HMAC 0
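Review bot: the defines in this hunk do not match the commit message, and nothing installs the file. The message says triple DES and MD5 are disabled, but the five lines here (`#define DROPBEAR_TWOFISH256 0` through `#define DROPBEAR_SHA1_96_HMAC 0`) touch only Twofish, CBC mode and the SHA-1 MACs; either add defines for 3DES and the MD5 MAC or drop those two from the message. In the other direction, the two Twofish defines and `#define DROPBEAR_SHA1_HMAC 0` are not mentioned at all, and the latter removes hmac-sha1 outright rather than only its 96-bit truncation, so if that is intended the message should say so rather than claim parity with the OpenSSH defaults. The diffstat shows this new header as the only change: as already raised in the thread, Dropbear will not read a header out of the recipe directory, so the recipe also needs `file://localoptions.h` in SRC_URI and a step that copies it into ${S} before configure, otherwise none of these defines take effect (a temporary `#error` in the file is a quick way to confirm the build actually sees it).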
>> --
>> 1.8.3.1
>>
>>
>> --
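Whether the header above is picked up or the change lands in default_options.h instead, the only proof that the server stopped offering the weak classes is what it advertises on the wire. The following probe is an added example written for this thread, not code from OE-core or the Dropbear project. It does the RFC 4253 version exchange, reads the server's unencrypted SSH_MSG_KEXINIT, and flags CBC-mode ciphers, 3DES, and MD5 or 96-bit MACs in the offered name-lists. The SAMPLE_KEXINIT fixture is constructed for offline use, not a capture of any real server; the substring marks used to classify names are an assumption based on the IANA algorithm naming, and which names a particular Dropbear build offers is something the reader checks by running the probe against the rebuilt image.

```python
"""Probe an SSH server's KEXINIT and flag the weak algorithm classes.

Added example, not code from the OE-core thread or the Dropbear project.
It speaks only the pre-key-exchange part of SSH (RFC 4253 version
exchange plus one unencrypted SSH_MSG_KEXINIT packet), which is enough to
read the algorithm name-lists a server offers and flag the classes the
patch in this thread aims to remove: CBC-mode ciphers, 3DES, and MD5 or
96-bit MACs. SAMPLE_KEXINIT is constructed for offline use and is not a
capture from any real server.
"""
import socket
import struct
import sys

SSH_MSG_KEXINIT = 20

# Substrings that mark a name as one of the weak classes (assumed naming
# per the RFC 4253 / RFC 4344 / RFC 6668 algorithm registries).
WEAK_CIPHER_MARKS = ("-cbc", "3des")
WEAK_MAC_MARKS = ("md5", "-96")

KEXINIT_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s",
                  "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def _name_list(names):
    """Encode an RFC 4251 name-list: uint32 length + comma-separated ASCII."""
    raw = ",".join(names).encode("ascii")
    return struct.pack(">I", len(raw)) + raw


def build_kexinit(kex, hostkey, enc, mac, comp=("none",)):
    """Construct a KEXINIT payload using the same lists in both directions."""
    cookie = b"\x00" * 16  # fixed cookie is fine for a fixture, never for a live peer
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for names in (kex, hostkey, enc, enc, mac, mac, comp, comp, (), ()):
        body += _name_list(names)
    body += b"\x00"                # first_kex_packet_follows = FALSE
    body += struct.pack(">I", 0)   # reserved
    return body


def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [algorithm names]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos = 1 + 16  # message code, then the 16-byte random cookie
    lists = {}
    for field in KEXINIT_FIELDS:
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + n]
        if len(raw) != n:
            raise ValueError("truncated name-list for %s" % field)
        pos += n
        lists[field] = [a for a in raw.decode("ascii").split(",") if a]
    return lists


def weak_algorithms(lists):
    """Return {field: [weak names]} for the cipher and MAC lists only."""
    weak = {}
    for field, marks in (("enc_c2s", WEAK_CIPHER_MARKS), ("enc_s2c", WEAK_CIPHER_MARKS),
                         ("mac_c2s", WEAK_MAC_MARKS), ("mac_s2c", WEAK_MAC_MARKS)):
        hits = [a for a in lists[field] if any(m in a for m in marks)]
        if hits:
            weak[field] = hits
    return weak


def read_server_kexinit(host, port=22, timeout=5.0):
    """Send our version string and return the server's KEXINIT payload."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-kexprobe\r\n")
        f = sock.makefile("rb")
        while True:  # RFC 4253 allows banner lines before the version string
            line = f.readline()
            if not line:
                raise ConnectionError("peer closed before sending a version string")
            if line.startswith(b"SSH-"):
                break
        packet_length, padding_length = struct.unpack(">IB", f.read(5))
        body = f.read(packet_length - 1)  # payload + padding; no MAC before key exchange
        return body[:packet_length - 1 - padding_length]


# Constructed offline fixture: a server still offering the weak classes.
SAMPLE_KEXINIT = build_kexinit(
    kex=("curve25519-sha256", "diffie-hellman-group14-sha256"),
    hostkey=("ssh-ed25519", "rsa-sha2-256"),
    enc=("aes128-ctr", "aes256-ctr", "aes128-cbc", "3des-cbc"),
    mac=("hmac-sha2-256", "hmac-sha1", "hmac-sha1-96", "hmac-md5"),
)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python3 kexprobe.py HOST [PORT]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
        payload = read_server_kexinit(sys.argv[1], port)
    else:
        payload = SAMPLE_KEXINIT
    for field, names in weak_algorithms(parse_kexinit(payload)).items():
        print("%s offers weak algorithms: %s" % (field, ", ".join(names)))
```

Run it with no arguments to see the fixture flagged, or with a host (and optional port) to probe a running server; no output means no name in the cipher or MAC lists matched a weak mark. Ross's `#error` trick answers the build-time question (does the compiler see the header?); this answers the run-time one (did the defines change what the daemon offers?), which is the property the commit message actually claims.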
Thread overview (4+ messages):
2018-09-12 21:56 [PATCH v2] dropbear: disable medium-strength ssh ciphers joseph-reynolds
2018-09-13 16:00 ` Burton, Ross
2018-09-13 16:47 ` Alexander Kanavin
2018-09-13 19:45 joseph-reynolds [this message; not threaded under the above]