author Konstantin Demin <rockdrilla@gmail.com> 2024-01-09 03:40:01 +0300
committer Rui Salvaterra <rsalvaterra@gmail.com> 2024-02-09 09:13:05 +0000
commit 2d9a0be307b534ceb717267c95402d1d707cd2c3 (patch)
tree 0a0dd7df15462b9c6690de518ad56a882da1c968
parent 0b277f8659806f32d08dad081836523b93eee6b8 (diff)
dropbear: disable two weak kex/mac algorithms
hmac-sha1 and diffie-hellman-group14-sha1 are weak algorithms.

A future deprecation notice of ssh-rsa (2048-bit) has been issued. [1]

It has no place in a potentially internet-facing daemon like dropbear.

Upstream has acknowledged this and offered this solution to disable these two until this is made to be the default in the next release of dropbear next year. [2]

1. https://www.openssh.com/txt/release-8.2
2. https://github.com/mkj/dropbear/issues/138

Signed-off-by: John Audia <therealgraysky@proton.me>
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
-rw-r--r-- package/network/services/dropbear/Makefile 4
1 files changed, 4 insertions, 0 deletions
diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
index 75dee77af0e..51961d3c3dd 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -110,12 +110,16 @@ CONFIGURE_ARGS += \
# - DROPBEAR_CLI_NETCAT
# - DROPBEAR_DSS
# - DO_MOTD
+# - DROPBEAR_DH_GROUP14_SHA1
+# - DROPBEAR_SHA1_HMAC
DB_OPT_COMMON = \
!!LOCAL_IDENT,"SSH-2.0-dropbear" \
DEFAULT_PATH,"$(TARGET_INIT_PATH)" \
DROPBEAR_DSS,0 \
DROPBEAR_CLI_NETCAT,0 \
DO_MOTD,0 \
+ DROPBEAR_DH_GROUP14_SHA1,0 \
+ DROPBEAR_SHA1_HMAC,0 \
##############################################################################
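Review bot: The two new `DB_OPT_COMMON` entries, `DROPBEAR_DH_GROUP14_SHA1,0` and `DROPBEAR_SHA1_HMAC,0`, are applied unconditionally, so short of editing this Makefile a build cannot keep hmac-sha1 or diffie-hellman-group14-sha1 for older clients that offer nothing else. Consider gating them behind a package config option, or at least state the compatibility impact and the key exchange and MAC algorithms that remain enabled in the commit message. The message also cites the ssh-rsa deprecation notice, but nothing in this hunk touches host key or signature algorithms, so it would help to say explicitly that ssh-rsa is left unchanged here.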