>From: "Burton, Ross"
>To: joseph-reyno...@charter.net
>Cc: "openembedded-core@lists.openembedded.org"
>Sent: Wednesday September 12 2018 7:20:27AM
>Subject: Re: [OE-core] [PATCH] disable medium-strength dropbear ssh ciphers
>
>Presumably this doesn't actually work as you're just adding a file to
>git without actually referring to it anywhere.
>

Thanks for your email. I am still trying to get the Dropbear patch upstreamed. (This is my first patch, so I am a bit of an open source noob.)
To address your concern: The build process for Dropbear version 2018.76 and later specifically looks for the localoptions.h file as the way to customize dropbear. (Note the 2017.75 and earlier versions use a different mechanism to customize.) See the Makefile.in file for details.

However, now I am wondering if patching Dropbear's default_options.h file would be a better way to make this change. Adding a localoptions.h file is the way to customize dropbear. But I want to change the *default* behavior of dropbear so that it uses the same encryption ciphers as OpenSSH. I think patching default_options.h would be a better way to accomplish that goal. And that patch could be applied to the Dropbear project itself.

>Ross
>
>On 7 September 2018 at 20:16, wrote:
> This changes the Dropbear SSH server configuration so it will not
> accept medium-strength encryption ciphers including: CBC mode, MD5,
> 96-bit MAC, and triple DES.
>
> Upstream-Status: Pending
>
> Signed-off-by: Joseph Reynolds
> --- > meta/recipes-core/dropbear/dropbear/localoptions.h | 8 ++++++++ > 1 file changed, 8 insertions(+) > create mode 100644 meta/recipes-core/dropbear/dropbear/localoptions.h > > diff --git a/meta/recipes-core/dropbear/dropbear/localoptions.h > b/meta/recipes-core/dropbear/dropbear/localoptions.h > new file mode 100644 > index 0000000..ec48c26 > --- /dev/null > +++ b/meta/recipes-core/dropbear/dropbear/localoptions.h > @@ -0,0 +1,8 @@ > +/* Customize dropbear per default_options.h in the dropbear project */ > + > +/* Disable insecure ciphers */ > +#define DROPBEAR_TWOFISH256 0 > +#define DROPBEAR_TWOFISH128 0 > +#define DROPBEAR_ENABLE_CBC_MODE 0 > +#define DROPBEAR_SHA1_HMAC 0 > +#define DROPBEAR_SHA1_96_HMAC 0 > -- > 2.7.2
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
>
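
Review bot: the defines in the new localoptions.h do not match what the commit message and the in-file comment say is being disabled. The message lists CBC mode, MD5, 96-bit MAC and triple DES, but the hunk has no define for MD5 or triple DES, and it turns off DROPBEAR_TWOFISH256, DROPBEAR_TWOFISH128 and the full DROPBEAR_SHA1_HMAC, none of which the message mentions. The comment "Disable insecure ciphers" also sits above two HMAC settings, which are MACs rather than ciphers. Suggest making the message and the defines agree, stating why Twofish and full-length SHA1 HMAC are dropped, and rewording the comment to something like "Disable medium-strength ciphers and MACs". The diffstat shows only this one new file, so the patch as posted carries no recipe change that places the file where the Dropbear build looks for it; that change belongs in the same patch.
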
--
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core