-
Notifications
You must be signed in to change notification settings - Fork 115
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
dropbear/morty: Enhanced security options
We deactivate various configuration knobs which have security concerns:
* DROPBEAR_X11FWD - no need to run X over ssh
* DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is
reported by OpenVAS as a low severity security issue.
* DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow
an attacker to obtain plaintext from a block of cyphertext.
* DROPBEAR_DH_GROUP1 - This is documented as "less secure" while in
newer versions mentioned as "too small for security".
Connected-to: #1161
Change-type: minor
Changelog-entry: Enhanced security options for dropbear - morty
Signed-off-by: Andrei Gherzan <andrei@resin.io>- Loading branch information
Andrei Gherzan
committed
Sep 4, 2018
1 parent
3e132c2
commit 11004be
Showing
2 changed files
with
69 additions
and
0 deletions.
There are no files selected for viewing
4 changes: 4 additions & 0 deletions
4
meta-resin-morty/recipes-core/dropbear/dropbear_2016.74.bbappend
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| FILESEXTRAPATHS_prepend := "${THISDIR}/files:" | ||
| SRC_URI += " \ | ||
| file://0001-Secure-configuration-options.patch \ | ||
| " |
65 changes: 65 additions & 0 deletions
65
meta-resin-morty/recipes-core/dropbear/files/0001-Secure-configuration-options.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,65 @@ | ||
| From ae62abd529b985130f747277758fa078780aeda6 Mon Sep 17 00:00:00 2001 | ||
| From: Andrei Gherzan <andrei@resin.io> | ||
| Date: Thu, 30 Aug 2018 12:33:08 +0100 | ||
| Subject: [PATCH] Secure configuration options | ||
|
|
||
| We deactivate various configuration knobs which have security concerns: | ||
|
|
||
| * DROPBEAR_X11FWD - no need to run X over ssh | ||
| * DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is | ||
| reported by OpenVAS as a low severity security issue. | ||
| * DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow | ||
| an attacker to obtain plaintext from a block of cyphertext. | ||
| * DROPBEAR_DH_GROUP1 - This is documented as "less secure" while in | ||
| newer versions mentioned as "too small for security". See: | ||
| https://github.com/mkj/dropbear/blob/d740dc548924f2faf0934e5f9a4b83d2b5d6902d/default_options.h#L141 | ||
|
|
||
| Signed-off-by: Andrei Gherzan <andrei@resin.io> | ||
| Upstream-status: Inappropriate [configuration] | ||
| --- | ||
| options.h | 8 ++++---- | ||
| 1 file changed, 4 insertions(+), 4 deletions(-) | ||
|
|
||
| diff --git a/options.h b/options.h | ||
| index f6705c6..ec4f414 100644 | ||
| --- a/options.h | ||
| +++ b/options.h | ||
| @@ -55,7 +55,7 @@ much traffic. */ | ||
| #define DROPBEAR_SMALL_CODE | ||
|
|
||
| /* Enable X11 Forwarding - server only */ | ||
| -#define ENABLE_X11FWD | ||
| +/* #define ENABLE_X11FWD */ | ||
|
|
||
| /* Enable TCP Fowarding */ | ||
| /* 'Local' is "-L" style (client listening port forwarded via server) | ||
| @@ -100,7 +100,7 @@ much traffic. */ | ||
|
|
||
| /* Enable CBC mode for ciphers. This has security issues though | ||
| * is the most compatible with older SSH implementations */ | ||
| -#define DROPBEAR_ENABLE_CBC_MODE | ||
| +/* #define DROPBEAR_ENABLE_CBC_MODE */ | ||
|
|
||
| /* Enable "Counter Mode" for ciphers. This is more secure than normal | ||
| * CBC mode against certain attacks. It is recommended for security | ||
| @@ -131,7 +131,7 @@ If you test it please contact the Dropbear author */ | ||
| * If you disable MD5, Dropbear will fall back to SHA1 fingerprints, | ||
| * which are not the standard form. */ | ||
| #define DROPBEAR_SHA1_HMAC | ||
| -#define DROPBEAR_SHA1_96_HMAC | ||
| +/* #define DROPBEAR_SHA1_96_HMAC */ | ||
| #define DROPBEAR_SHA2_256_HMAC | ||
| #define DROPBEAR_SHA2_512_HMAC | ||
| #define DROPBEAR_MD5_HMAC | ||
| @@ -170,7 +170,7 @@ If you test it please contact the Dropbear author */ | ||
|
|
||
| /* Group14 (2048 bit) is recommended. Group1 is less secure (1024 bit) though | ||
| is the only option for interoperability with some older SSH programs */ | ||
| -#define DROPBEAR_DH_GROUP1 1 | ||
| +#define DROPBEAR_DH_GROUP1 0 | ||
| #define DROPBEAR_DH_GROUP14 1 | ||
|
|
||
| /* Control the memory/performance/compression tradeoff for zlib. | ||
| -- | ||
| 2.7.4 | ||
|
|