dropbear: disable two weak kex/mac algorithms
author Konstantin Demin <rockdrilla@gmail.com>
Tue, 9 Jan 2024 00:40:01 +0000 (03:40 +0300)
committer Rui Salvaterra <rsalvaterra@gmail.com>
Fri, 9 Feb 2024 09:13:05 +0000 (09:13 +0000)
hmac-sha1 and diffie-hellman-group14-sha1 are weak algorithms.
A future deprecation notice of ssh-rsa (2048-bit) has been issued. [1]

It has no place in a potentially internet-facing daemon like dropbear.
Upstream has acknowledged this and offered this solution to disable
these two until this is made to be the default in the next release
of dropbear next year. [2]

1. https://www.openssh.com/txt/release-8.2
2. https://github.com/mkj/dropbear/issues/138

Signed-off-by: John Audia <therealgraysky@proton.me>
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
package/network/services/dropbear/Makefile

index 75dee77af0e30cc193534e86a9a3b90d081c538e..51961d3c3dd10d096887810048b4065876287364 100644 (file)
@@ -110,12 +110,16 @@ CONFIGURE_ARGS += \
 # - DROPBEAR_CLI_NETCAT
 # - DROPBEAR_DSS
 # - DO_MOTD
+# - DROPBEAR_DH_GROUP14_SHA1
+# - DROPBEAR_SHA1_HMAC
 DB_OPT_COMMON = \
        !!LOCAL_IDENT,"SSH-2.0-dropbear" \
        DEFAULT_PATH,"$(TARGET_INIT_PATH)" \
        DROPBEAR_DSS,0 \
        DROPBEAR_CLI_NETCAT,0 \
        DO_MOTD,0 \
+       DROPBEAR_DH_GROUP14_SHA1,0 \
+       DROPBEAR_SHA1_HMAC,0 \
 
 
 ##############################################################################
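Review bot: the commit message cites the ssh-rsa deprecation notice [1], but this hunk only sets `DROPBEAR_DH_GROUP14_SHA1,0` and `DROPBEAR_SHA1_HMAC,0`; nothing here touches RSA/SHA-1 signature support, so either drop that sentence or state that host-key signature algorithms are left as-is to avoid implying a broader hardening than the change delivers. Since the two new entries go into DB_OPT_COMMON, which is shared by everything this Makefile builds rather than only the daemon the message names, consider also noting that the client side loses these algorithms and that peers offering nothing else will no longer negotiate a key exchange or MAC. The comment list update above `DB_OPT_COMMON` and the trailing-backslash continuation match the existing entries, so no further style changes are needed.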