From: Konstantin Demin Date: Tue, 9 Jan 2024 00:40:01 +0000 (+0300) Subject: dropbear: disable two weak kex/mac algorithms X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=2d9a0be307b534ceb717267c95402d1d707cd2c3;p=openwrt%2Fstaging%2Fjow.git dropbear: disable two weak kex/mac algorithms hmac-sha1 and diffie-hellman-group14-sha1 are weak algorithms. A future deprecation notice of ssh-rsa (2048-bit) has been issued. [1] It has no place in a potentially internet-facing daemon like dropbear. Upstream has acknowledged this and offered this solution to disable these two until this is made to be the default in the next release of dropbear next year. [2] 1. https://www.openssh.com/txt/release-8.2 2. https://github.com/mkj/dropbear/issues/138 Signed-off-by: John Audia Signed-off-by: Konstantin Demin --- diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index 75dee77af0..51961d3c3d 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile @@ -110,12 +110,16 @@ CONFIGURE_ARGS += \ # - DROPBEAR_CLI_NETCAT # - DROPBEAR_DSS # - DO_MOTD +# - DROPBEAR_DH_GROUP14_SHA1 +# - DROPBEAR_SHA1_HMAC DB_OPT_COMMON = \ !!LOCAL_IDENT,"SSH-2.0-dropbear" \ DEFAULT_PATH,"$(TARGET_INIT_PATH)" \ DROPBEAR_DSS,0 \ DROPBEAR_CLI_NETCAT,0 \ DO_MOTD,0 \ + DROPBEAR_DH_GROUP14_SHA1,0 \ + DROPBEAR_SHA1_HMAC,0 \ ##############################################################################