Comments (7)
graysky2
commented on August 23, 2024
1
I used the same trick to disable those successfully. Thanks!
#define DROPBEAR_RSA_SHA1 0
#define DROPBEAR_DH_GROUP14_SHA1 0
#define DROPBEAR_SHA1_HMAC 0
from dropbear.
mkj
commented on August 23, 2024
diffie-hellman-group14-sha1 and hmac-sha1 could probably be disabled imminently. Direct replacements diffie-hellman-group14-sha256 and hmac-sha2-256 were added in Dropbear 2018.76 and 2013.56 respectively, and ECDH methods were earlier too.
The bigger question would be when to disable ssh-rsa - Dropbear only added support for rsa-sha2 a year ago so it might be a bit premature to remove since people are still using older software. They are not long lived signatures, only during KEX.
To avoid a common confusion - once rsa-sha algorithm is removed, existing ssh-rsa hostkeys and authentication keys (authorized_keys) will still work. The client and server just use a different signature format ssh-sha2- internally. (ssh-agents might need upgrading too).
I don't think hmac-sha2-256 should be removed, Dropbear doesn't implement [email protected] which would be the higher preference. Since 2020.79 Dropbear's first preference cipher is [email protected] so the mac algorithm doesn't matter in that case.
from dropbear.
graysky2
commented on August 23, 2024
This fell of my RADAR... is it something you need do or are these command line switches I can try to disable?
from dropbear.
mkj
commented on August 23, 2024
The others were dropped,ssh-rsa will be retired in a future release.
from dropbear.
mkj
commented on August 23, 2024
I'll probably disable it by default in a release next year.
In the interim it can be disabled at build time by putting
#define DROPBEAR_RSA_SHA1 0
in localoptions.h
…On 2022-11-07 6:09 pm, cirdecH wrote:
Hello @mkj [1], to summarize this issue. To have the ssh-rsa warning from ssh-audit removed, we don't have a config to edit. We should wait for a future release ?
--
Reply to this email directly, view it on GitHub [2], or unsubscribe [3].
You are receiving this because you were mentioned.Message ID: ***@***.***>
from dropbear.
graysky2
commented on August 23, 2024
@mkj - what are your thoughts on the other algorithms called out in the ssh-audit report?
# key exchange algorithms
(kex) diffie-hellman-group14-sha1 -- [warn] using weak hashing algorithm
# message authentication code algorithms
(mac) hmac-sha1 -- [warn] using encrypt-and-MAC mode
`- [warn] using weak hashing algorithm
`- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
(mac) hmac-sha2-256 -- [warn] using encrypt-and-MAC mode
`- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56
# algorithm recommendations
(rec) -diffie-hellman-group14-sha1 -- kex algorithm to remove
(rec) -hmac-sha1 -- mac algorithm to remove
(rec) -hmac-sha2-256 -- mac algorithm to remove
from dropbear.
mkj
commented on August 23, 2024
diffie-hellman-group14-sha1 and hmac-sha1 should eventually be disabled by default, probably at the same time as ssh-rsa with sha1.
I'm not intending to remove hmac-sha2-256. From what I can tell ssh-audit flags it because it has problems with CBC ciphers, but Dropbear disables those. [email protected] is a higher priority too.
from dropbear.
Related Issues (20)
- Feature request: Add support for /etc/nologin
- OpenSSH Client(but not dbclient) connection times out HOT 6
- Building with glibc-1.31+ HOT 4
- cant use -i options!! HOT 1
- build error when SK_KEYS is set and only one of ECDSA or ED25519 HOT 4
- configure --disable-plugin will actually enable it
- musl build fails with --disable-pututline HOT 4
- error: 'struct AuthState' has no member named 'pubkey_options' HOT 1
- Dropear on musl uses utmp/wtmp invalidated paths from paths.h HOT 1
- Request: disable weak and suspect crypto HOT 3
- Does it support Windows? HOT 1
- compression issue
- Noob question: I want to change host key on my Remarkable 2 tablet HOT 2
- Feature request: Certificate-based SSH logins HOT 1
- ssh-audit result for dropbear 2022.83 HOT 2
- curve255.19.c:91:12: runtime error: left shift of negative value -329 HOT 1
- Feature request: options to penalize undesirable behavior HOT 2
- dropbear starts despite NO_START=1 HOT 2
- Does Dropbear support specifying non system usernames in the configuration file? HOT 1
- build with old GNU Make (3.79.1) causes error
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from dropbear.