On 27/09/2014 23:34, Weedy wrote:
> I got bit by this last week when I audited my ssh config and dropped all
> weak/slow ciphers.
> Couldn't log into my routers and had to add md5 ciphers and macs back.

You must rebuild the dropbear package cleanly to test this patch.

Save the patch as a file at package/network/services/dropbear/patches/600-enable-hmac-sha2.patch, relative to the OpenWrt source directory. The patch is available here: http://patchwork.openwrt.org/patch/6322/

Do "make clean" to clean up the package, and then "make" to build the firmware. Flash the resulting firmware and test connecting to the dropbear ssh daemon.

To test using hmac-sha2-256, run this command:

ssh -o MACs=hmac-sha2-256 root@OpenWrt

To test using hmac-sha2-512, run this command:

ssh -o MACs=hmac-sha2-512 root@OpenWrt

For your information, there is almost no difference between message authentication algorithms in the time needed to establish an ssh connection. I performed the test on my TL-MR3220 (AR9330, mips, dropbear 2014.65, r42321). The identity file is cached via ssh-agent. The test commands are below.

time ssh -o MACs=hmac-md5 OpenWrt /bin/true
time ssh -o MACs=hmac-sha1 OpenWrt /bin/true
time ssh -o MACs=hmac-sha2-256 OpenWrt /bin/true
time ssh -o MACs=hmac-sha2-512 OpenWrt /bin/true

Here are the times needed to establish an ssh connection:

+---------+----------+----------+----------+----------+
|time\hmac| md5      | sha1     | sha256   | sha512   |
+---------+----------+----------+----------+----------+
| real    | 0m3.526s | 0m3.631s | 0m3.519s | 0m3.543s |
| user    | 0m0.015s | 0m0.061s | 0m0.015s | 0m0.031s |
| sys     | 0m0.077s | 0m0.046s | 0m0.093s | 0m0.092s |
+---------+----------+----------+----------+----------+

Putty and Bitvise will try connecting using hmac-sha2-256 when available, whereas OpenSSH will use hmac-md5 by default.

I hope this information will be a good reason for enabling sha2-based hmac on dropbear by default.

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
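An added example, not part of the thread or of the dropbear/OpenWrt patch: a small POSIX sh script that turns the "ssh -o MACs=..." test above into a check that can be scripted after reflashing. Instead of relying on the login succeeding or failing, it parses the OpenSSH client's "ssh -vv" debug output to read (a) the MAC list the server advertises in its KEXINIT proposal and (b) the MAC actually negotiated, so a rebuilt dropbear can be verified to offer hmac-sha2-256/512 before hmac-md5 is dropped from the client config. It assumes the labelled KEXINIT debug format printed by OpenSSH 7.x and later ("debug2: peer server KEXINIT proposal", "debug2: MACs stoc: ..."). The two debug transcripts embedded below are constructed samples standing in for a pre-patch and a post-patch dropbear, not captured output; the function probe_host is the only part that touches the network and is not exercised by the samples.

```shell
#!/bin/sh
# Added example (not from the thread): check which MACs an ssh server offers and
# which one was negotiated, by parsing "ssh -vv" client debug output.
# Assumes the labelled KEXINIT format of OpenSSH 7.x and later.

# Print the comma-separated MAC list the server advertises for the
# server->client direction. Reads "ssh -vv" output on stdin.
server_macs() {
    awk '
        /peer server KEXINIT proposal/ { in_server = 1; next }
        in_server && /MACs stoc:/ {
            sub(/.*MACs stoc: */, "")
            print
            exit
        }
    '
}

# Print the MAC that was actually negotiated (server->client direction),
# from the "debug1: kex: server->client ... MAC: <name> ..." line.
negotiated_mac() {
    awk '
        /kex: server->client/ {
            if (match($0, /MAC: [^ ]+/)) {
                print substr($0, RSTART + 5, RLENGTH - 5)
                exit
            }
        }
    '
}

# Return 0 if MAC $1 is present in comma-separated list $2, else 1.
offers_mac() {
    case ",$2," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Live probe (not run here): connect once with the given MAC and emit the
# raw debug output for the parsers above. BatchMode avoids password prompts.
probe_host() {
    ssh -vv -o BatchMode=yes -o MACs="$2" "$1" true 2>&1
}

# Constructed sample: what a dropbear built WITHOUT the patch might show
# (sha1/md5 only; the client asked for hmac-md5 here).
PRE_PATCH_DEBUG='debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-ctr,aes256-ctr,aes128-cbc
debug2: ciphers stoc: aes128-ctr,aes256-ctr,aes128-cbc
debug2: MACs ctos: hmac-sha1-96,hmac-sha1,hmac-md5
debug2: MACs stoc: hmac-sha1-96,hmac-sha1,hmac-md5
debug2: compression ctos: zlib@openssh.com,zlib,none
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-md5 compression: none'

# Constructed sample: the same host after rebuilding with SHA-2 HMACs enabled
# and connecting with "-o MACs=hmac-sha2-256".
POST_PATCH_DEBUG='debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-ctr,aes256-ctr,aes128-cbc
debug2: ciphers stoc: aes128-ctr,aes256-ctr,aes128-cbc
debug2: MACs ctos: hmac-sha2-256,hmac-sha2-512,hmac-sha1-96,hmac-sha1,hmac-md5
debug2: MACs stoc: hmac-sha2-256,hmac-sha2-512,hmac-sha1-96,hmac-sha1,hmac-md5
debug2: compression ctos: zlib@openssh.com,zlib,none
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none'

# Report PASS/FAIL for one transcript: does the server offer $2, and was it used?
report() {
    offered=$(printf '%s\n' "$1" | server_macs)
    used=$(printf '%s\n' "$1" | negotiated_mac)
    if offers_mac "$2" "$offered" && [ "$used" = "$2" ]; then
        printf 'PASS: server offers [%s], negotiated %s\n' "$offered" "$used"
    else
        printf 'FAIL: server offers [%s], negotiated %s\n' "$offered" "$used"
    fi
}

# Stand-alone demo over the constructed samples.
report "$PRE_PATCH_DEBUG"  hmac-sha2-256
report "$POST_PATCH_DEBUG" hmac-sha2-256
```

Against a real router, pipe probe_host into the parsers: `probe_host root@OpenWrt hmac-sha2-256 | server_macs` prints the advertised list even when negotiation fails, because the KEXINIT proposals are logged before the "no matching MAC" error, which is exactly what you want to see before removing hmac-md5 from your ssh_config.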