dropbear/pyro: Enhanced security options

We deactivate various configuration knobs which have security concerns: * DROPBEAR_X11FWD - no need to run X over ssh * DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is reported by OpenVAS as a low severity security issue. * DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow an attacker to obtain plaintext from a block of cyphertext. * DROPBEAR_DH_GROUP1 - This is documented as "less secure" while in newer versions mentioned as "too small for security". Fixes #1161 Change-type: minor Changelog-entry: Enhanced security options for dropbear - pyro Signed-off-by: Andrei Gherzan <andrei@resin.io>
balena-os · Sep 4, 2018 · 4207b25 · 4207b25
1 parent 492e266
commit 4207b25
Show file tree

Hide file tree

Showing 2 changed files with 69 additions and 0 deletions.
diff --git a/meta-resin-pyro/recipes-core/dropbear/dropbear_2016.74.bbappend b/meta-resin-pyro/recipes-core/dropbear/dropbear_2016.74.bbappend
@@ -0,0 +1,4 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/files:"
+SRC_URI += " \
+    file://0001-Secure-configuration-options.patch \
+    "
diff --git a/meta-resin-pyro/recipes-core/dropbear/files/0001-Secure-configuration-options.patch b/meta-resin-pyro/recipes-core/dropbear/files/0001-Secure-configuration-options.patch
@@ -0,0 +1,65 @@
+From ae62abd529b985130f747277758fa078780aeda6 Mon Sep 17 00:00:00 2001
+From: Andrei Gherzan <andrei@resin.io>
+Date: Thu, 30 Aug 2018 12:33:08 +0100
+Subject: [PATCH] Secure configuration options
+
+We deactivate various configuration knobs which have security concerns:
+
+* DROPBEAR_X11FWD - no need to run X over ssh
+* DROPBEAR_SHA1_96_HMAC - HMAC 96 is known to be a weak algorithm. It is
+	reported by OpenVAS as a low severity security issue.
+* DROPBEAR_ENABLE_CBC_MODE - As reported by OpenVAS, CBC mode can allow
+	an attacker to obtain plaintext from a block of cyphertext.
+* DROPBEAR_DH_GROUP1 - This is documented as "less secure" while in
+	newer versions mentioned as "too small for security". See:
+https://github.com/mkj/dropbear/blob/d740dc548924f2faf0934e5f9a4b83d2b5d6902d/default_options.h#L141
+
+Signed-off-by: Andrei Gherzan <andrei@resin.io>
+Upstream-status: Inappropriate [configuration]
+---
+ options.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/options.h b/options.h
+index f6705c6..ec4f414 100644
+--- a/options.h
++++ b/options.h
+@@ -55,7 +55,7 @@ much traffic. */
+ #define DROPBEAR_SMALL_CODE
+
+ /* Enable X11 Forwarding - server only */
+-#define ENABLE_X11FWD
++/* #define ENABLE_X11FWD */
+
+ /* Enable TCP Fowarding */
+ /* 'Local' is "-L" style (client listening port forwarded via server)
+@@ -100,7 +100,7 @@ much traffic. */
+
+ /* Enable CBC mode for ciphers. This has security issues though
+  * is the most compatible with older SSH implementations */
+-#define DROPBEAR_ENABLE_CBC_MODE
++/* #define DROPBEAR_ENABLE_CBC_MODE */
+
+ /* Enable "Counter Mode" for ciphers. This is more secure than normal
+  * CBC mode against certain attacks. It is recommended for security
+@@ -131,7 +131,7 @@ If you test it please contact the Dropbear author */
+  * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
+  * which are not the standard form. */
+ #define DROPBEAR_SHA1_HMAC
+-#define DROPBEAR_SHA1_96_HMAC
++/* #define DROPBEAR_SHA1_96_HMAC */
+ #define DROPBEAR_SHA2_256_HMAC
+ #define DROPBEAR_SHA2_512_HMAC
+ #define DROPBEAR_MD5_HMAC
+@@ -170,7 +170,7 @@ If you test it please contact the Dropbear author */
+
+ /* Group14 (2048 bit) is recommended. Group1 is less secure (1024 bit) though
+    is the only option for interoperability with some older SSH programs */
+-#define DROPBEAR_DH_GROUP1 1
++#define DROPBEAR_DH_GROUP1 0
+ #define DROPBEAR_DH_GROUP14 1
+
+ /* Control the memory/performance/compression tradeoff for zlib.
+--
+2.7.4
+