Openembedded Core Discussions
* [PATCH v2] dropbear: disable medium-strength ssh ciphers
@ 2018-09-12 21:56 joseph-reynolds
From: joseph-reynolds @ 2018-09-12 21:56 UTC (permalink / raw)
  To: 'openembedded-core@lists.openembedded.org'


This changes the Dropbear SSH server configuration so it will not
accept medium-strength encryption ciphers including: CBC mode, MD5,
96-bit MAC, and triple DES. This is consistent with the default
supported OpenSSH ciphers.

Upstream-Status: Pending

Signed-off-by: Joseph Reynolds 
---
 meta/recipes-core/dropbear/dropbear/localoptions.h | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 meta/recipes-core/dropbear/dropbear/localoptions.h

diff --git a/meta/recipes-core/dropbear/dropbear/localoptions.h
b/meta/recipes-core/dropbear/dropbear/localoptions.h
new file mode 100644
index 0000000..ec48c26
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/localoptions.h
@@ -0,0 +1,8 @@
+/* Customize dropbear per default_options.h in the dropbear project
*/
+
+/* Disable insecure ciphers */
+#define DROPBEAR_TWOFISH256 0
+#define DROPBEAR_TWOFISH128 0
+#define DROPBEAR_ENABLE_CBC_MODE 0
+#define DROPBEAR_SHA1_HMAC 0
+#define DROPBEAR_SHA1_96_HMAC 0
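Review bot: The hunk does not match the commit message. The message says the change drops MD5 and triple DES, but none of the eight lines touches a 3DES or MD5 option, while `DROPBEAR_SHA1_HMAC 0` and the two Twofish lines disable algorithms the message never mentions; turning off plain hmac-sha1 goes beyond the stated "medium-strength" set and beyond OpenSSH's defaults, which still offer it, so either add the missing defines or reword the message to describe what is actually disabled. Nothing in the patch adds localoptions.h to the recipe's SRC_URI or copies it into the Dropbear source tree, so the build never sees it; a deliberate `#error` in the header is the quickest way to confirm that. The first comment line is also wrapped across two lines by the mail client, which will make the patch fail to apply as sent.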
-- 
1.8.3.1
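A defender's check for the claim in the message above, added here and not part of the patch or of the Dropbear project: parse the server's SSH_MSG_KEXINIT and list any CBC-mode, 3DES, MD5 or 96-bit-MAC algorithms it still offers. The KEXINIT payloads are constructed inline for the sample; the field layout follows RFC 4253.

```python
"""Parse an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) and flag the algorithm
classes the patch description says should no longer be offered: CBC-mode
ciphers, triple DES, and MD5 or 96-bit MACs."""
import struct

SSH_MSG_KEXINIT = 20
NAMELIST_FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                   "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def parse_kexinit(payload: bytes) -> dict:
    """Return the ten name-lists of a KEXINIT payload as Python lists."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos = 1 + 16  # message id, then the 16-byte random cookie
    lists = {}
    for field in NAMELIST_FIELDS:
        (length,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        raw = payload[pos:pos + length].decode("ascii")
        pos += length
        lists[field] = raw.split(",") if raw else []
    return lists

def weak_algorithms(lists: dict) -> dict:
    """Cipher and MAC names the hardening is meant to remove, per direction."""
    weak = {}
    for field in ("enc_c2s", "enc_s2c"):
        weak[field] = [a for a in lists[field] if a.endswith("-cbc") or "3des" in a]
    for field in ("mac_c2s", "mac_s2c"):
        weak[field] = [a for a in lists[field] if "md5" in a or "-96" in a]
    return weak

def build_kexinit(**lists) -> bytes:
    """Encode name-lists into a KEXINIT payload; used here to construct test input."""
    out = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # a zero cookie is fine for a sample
    for field in NAMELIST_FIELDS:
        raw = ",".join(lists.get(field, [])).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def sample(enc, mac):
    """Constructed server KEXINIT offering the same cipher/MAC lists both ways."""
    return build_kexinit(kex=["diffie-hellman-group14-sha256"], hostkey=["ssh-rsa"],
                         enc_c2s=enc, enc_s2c=enc, mac_c2s=mac, mac_s2c=mac,
                         comp_c2s=["none"], comp_s2c=["none"])

PERMISSIVE = sample(["aes128-ctr", "aes128-cbc", "3des-cbc"],
                    ["hmac-sha2-256", "hmac-sha1-96", "hmac-md5"])
HARDENED = sample(["aes128-ctr"], ["hmac-sha2-256"])
```

Against a live server, send a client version line, read the first binary packet, and hand parse_kexinit everything after its 4-byte length and 1-byte padding-length header, minus the trailing padding.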





* Re: [PATCH v2] dropbear: disable medium-strength ssh ciphers
From: Burton, Ross @ 2018-09-13 16:00 UTC (permalink / raw)
  To: joseph-reynolds; +Cc: openembedded-core@lists.openembedded.org

This still can't be actually used, because dropbear won't be looking
in the recipe folder and nothing puts that file into the source tree.
Put a #error in it if you don't believe me. :)

Ross

On 12 September 2018 at 22:56,  <joseph-reynolds@charter.net> wrote:
> This changes the Dropbear SSH server configuration so it will not
> accept medium-strength encryption ciphers including: CBC mode, MD5,
> 96-bit MAC, and triple DES.  This is consistent with the default
> supported OpenSSH ciphers.
>
> Upstream-Status: Pending
>
> Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
> ---
>  meta/recipes-core/dropbear/dropbear/localoptions.h | 8 ++++++++
>  1 file changed, 8 insertions(+)
>  create mode 100644 meta/recipes-core/dropbear/dropbear/localoptions.h
>
> diff --git a/meta/recipes-core/dropbear/dropbear/localoptions.h
> b/meta/recipes-core/dropbear/dropbear/localoptions.h
> new file mode 100644
> index 0000000..ec48c26
> --- /dev/null
> +++ b/meta/recipes-core/dropbear/dropbear/localoptions.h
> @@ -0,0 +1,8 @@
> +/* Customize dropbear per default_options.h in the dropbear project */
> +
> +/* Disable insecure ciphers */
> +#define DROPBEAR_TWOFISH256 0
> +#define DROPBEAR_TWOFISH128 0
> +#define DROPBEAR_ENABLE_CBC_MODE 0
> +#define DROPBEAR_SHA1_HMAC 0
> +#define DROPBEAR_SHA1_96_HMAC 0
> --
> 1.8.3.1
>
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>



* Re: [PATCH v2] dropbear: disable medium-strength ssh ciphers
From: Alexander Kanavin @ 2018-09-13 16:47 UTC (permalink / raw)
  To: Burton, Ross; +Cc: openembedded-core@lists.openembedded.org, joseph-reynolds

Actually, I'd rather have an 'upstream first' policy in this specific
case. If the change is good and desirable, please work with the
upstream to merge it there.

Alex

2018-09-13 18:00 GMT+02:00 Burton, Ross <ross.burton@intel.com>:
> This still can't be actually used, because dropbear won't be looking
> in the recipe folder and nothing puts that file into the source tree.
> Put a #error in it if you don't believe me. :)
>
> Ross
>



* Re: [PATCH v2] dropbear: disable medium-strength ssh ciphers
@ 2018-09-13 19:45 joseph-reynolds
From: joseph-reynolds @ 2018-09-13 19:45 UTC (permalink / raw)
  To: 'Burton, Ross'; +Cc: 'openembedded-core@lists.openembedded.org'


> From: "Burton, Ross"
> To: joseph-reynolds@charter.net
> Cc: "openembedded-core@lists.openembedded.org"
> Sent: Thursday September 13 2018 11:00:26AM
> Subject: Re: [OE-core] [PATCH v2] dropbear: disable medium-strength ssh ciphers
>
> This still can't be actually used, because dropbear won't be looking
> in the recipe folder and nothing puts that file into the source tree.
> Put a #error in it if you don't believe me. :)

Thanks for pointing that out. I had conflated the OE & Yocto recipes,
then forgot to include the recipe change in my patch. My home project
is actually https://github.com/openbmc/openbmc, so I set out to
upstream this change to Yocto/Poky, OE, and Dropbear. Thanks for your
patience, as this is my first attempt to upstream.

My second issue is creating a correct patch. I used git format-patch
HEAD^ and then cut/paste the result into my web-based email reader.
The patch appears correct, but the automation says my patch is
malformed. I am still trying to enable sending plain-text email from
my shell environment.

Finally, I want to change my approach. I had been updating the
dropbear localoptions.h file to customize Dropbear's behavior. But I
really want to change Dropbear's default behavior for everyone, which
means I should update default_options.h and leave localoptions.h
alone. I plan to create a pull request to update the Dropbear project
default_options.h file, and a patch for openembedded-core to change
the dropbear_2018.76.bb recipe to pick up the Dropbear patch.

- Joseph



