From: joseph-reynolds@charter.net
To: "Burton, Ross"
Cc: openembedded-core@lists.openembedded.org
Date: Thu, 13 Sep 2018 14:45:45 -0500
Subject: Re: [PATCH v2] dropbear: disable medium-strength ssh ciphers
>From: "Burton, Ross"
>To: joseph-reynolds@charter.net
>Cc: "openembedded-core@lists.openembedded.org"
>Sent: Thursday September 13 2018 11:00:26AM
>Subject: Re: [OE-core] [PATCH v2] dropbear: disable medium-strength ssh ciphers
>
>This still can't be actually used, because dropbear won't be looking
>in the recipe folder and nothing puts that file into the source tree.
>Put a #error in it if you don't believe me. :)

Thanks for pointing that out. I had conflated the OE & Yocto recipes, then forgot to include the recipe change in my patch. My home project is actually https://github.com/openbmc/openbmc, so I set out to upstream this change to Yocto/Poky, OE, and Dropbear. Thanks for your patience, as this is my first attempt to upstream.

My second issue is creating a correct patch. I used git format-patch HEAD^ and then cut/paste the result into my web-based email reader. The patch appears correct, but the automation says my patch is malformed. I am still trying to enable sending plain-text email from my shell environment.

Finally, I want to change my approach. I had been updating the dropbear localoptions.h file to customize Dropbear's behavior. But I really want to change Dropbear's default behavior for everyone, which means I should update default_options.h and leave localoptions.h alone. I plan to create a pull request to update the Dropbear project default_options.h file, and a patch for openembedded-core to change the dropbear_2018.76.bb recipe to pick up the Dropbear patch.

- Joseph

>Ross
>
>On 12 September 2018 at 22:56, <joseph-reynolds@charter.net> wrote:
>> This changes the Dropbear SSH server configuration so it will not
>> accept medium-strength encryption ciphers including: CBC mode, MD5,
>> 96-bit MAC, and triple DES. This is consistent with the default
>> supported OpenSSH ciphers.
>>
>> Upstream-Status: Pending
>>
>> Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
>> ---
>> meta/recipes-core/dropbear/dropbear/localoptions.h | 8 ++++++++
>> 1 file changed, 8 insertions(+)
>> create mode 100644 meta/recipes-core/dropbear/dropbear/localoptions.h
>>
>> diff --git a/meta/recipes-core/dropbear/dropbear/localoptions.h
>> b/meta/recipes-core/dropbear/dropbear/localoptions.h
>> new file mode 100644
>> index 0000000..ec48c26
>> --- /dev/null
>> +++ b/meta/recipes-core/dropbear/dropbear/localoptions.h
>> @@ -0,0 +1,8 @@
>> +/* Customize dropbear per default_options.h in the dropbear project */
>> +
>> +/* Disable insecure ciphers */
>> +#define DROPBEAR_TWOFISH256 0
>> +#define DROPBEAR_TWOFISH128 0
>> +#define DROPBEAR_ENABLE_CBC_MODE 0
>> +#define DROPBEAR_SHA1_HMAC 0
>> +#define DROPBEAR_SHA1_96_HMAC 0
>> --
>> 1.8.3.1
>>
>>
>> --
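Review bot: the commit message and the hunk disagree about what is being disabled. The message names CBC mode, MD5, 96-bit MAC and triple DES, but the eight added lines set DROPBEAR_TWOFISH256, DROPBEAR_TWOFISH128, DROPBEAR_ENABLE_CBC_MODE, DROPBEAR_SHA1_HMAC and DROPBEAR_SHA1_96_HMAC to 0: Twofish and plain hmac-sha1 (not only the 96-bit variant) are switched off without being mentioned, while nothing in the hunk refers to MD5 or 3DES, and the "Disable insecure ciphers" comment sits above two MAC macros. Either align the message with the macros or the macros with the message, and say in the message which of the remaining algorithms the OpenSSH comparison is based on. Separately, as the quoted reply points out, a localoptions.h added under the recipe directory changes nothing unless the recipe change that carries it into the dropbear source tree is part of the same patch, so the hunk cannot be tested on its own.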
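To confirm that a rebuilt dropbear really stopped advertising the algorithm classes the commit message names (CBC mode, MD5, 96-bit MACs, triple DES), this added Python example, which is not part of the thread or of either project's code, parses the name-lists of an SSH_MSG_KEXINIT payload and lists any offered cipher or MAC in those classes. The two payloads are constructed inside the block rather than captured, and the substring policy is an assumption mirroring the commit message, not Dropbear's option names.

```python
import struct

# Policy assumed from the commit message (CBC, MD5, 96-bit MAC, 3DES); constructed for this check.
WEAK_SUBSTRINGS = ("-cbc", "md5", "-96", "3des")

def read_name_list(buf, off):
    """Read one SSH name-list: uint32 length followed by comma-separated ASCII names."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    names = buf[off:off + n].decode("ascii")
    return [s for s in names.split(",") if s], off + n

def parse_kexinit(payload):
    """Split an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1) into its ten name-lists."""
    if payload[0] != 20:
        raise ValueError("not SSH_MSG_KEXINIT")
    off = 17  # one message-type byte plus the 16-byte cookie
    fields = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
    out = {}
    for f in fields:
        out[f], off = read_name_list(payload, off)
    return out

def weak_algorithms(kexinit):
    """Return, sorted and de-duplicated, the offered ciphers/MACs the policy rejects."""
    offered = (kexinit["enc_c2s"] + kexinit["enc_s2c"]
               + kexinit["mac_c2s"] + kexinit["mac_s2c"])
    return sorted({a for a in offered if any(w in a for w in WEAK_SUBSTRINGS)})

def build_kexinit(enc, mac):
    """Build a KEXINIT payload for testing (constructed sample, not a network capture)."""
    def nl(names):
        s = ",".join(names).encode("ascii")
        return struct.pack(">I", len(s)) + s
    body = b"\x14" + b"\x00" * 16  # type 20 + zero cookie
    body += nl(["curve25519-sha256"]) + nl(["ssh-rsa"])
    body += nl(enc) + nl(enc) + nl(mac) + nl(mac)
    body += nl(["none"]) * 2 + nl([]) * 2
    return body + b"\x00" + b"\x00\x00\x00\x00"  # first_kex_packet_follows, reserved

# Constructed samples: a server still offering the medium-strength set, and one after the change.
BEFORE = build_kexinit(["aes128-ctr", "aes128-cbc", "3des-cbc"],
                       ["hmac-sha2-256", "hmac-sha1-96", "hmac-md5"])
AFTER = build_kexinit(["aes128-ctr", "aes256-ctr"], ["hmac-sha2-256"])

if __name__ == "__main__":
    print("before:", weak_algorithms(parse_kexinit(BEFORE)))
    print("after:", weak_algorithms(parse_kexinit(AFTER)))
```

Feed a real server's KEXINIT payload (the first packet after the version exchange) to parse_kexinit to check a deployed build.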