diff options
author | Joseph Reynolds <jrey@us.ibm.com> | 2018-09-27 00:31:39 +0300 |
---|---|---|
committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2018-09-28 04:37:27 +0300 |
commit | a12245dbaa1455edaaf316556c1d349b7aac8265 (patch) | |
tree | 348f5fe09d0b7e9ff47e20cb04e3b02fd706e1d6 /meta-phosphor/recipes-extended/sdbusplus | |
parent | 341c7c38488c29ae281015ee3cff1aa0f99c7bf5 (diff) | |
download | openbmc-a12245dbaa1455edaaf316556c1d349b7aac8265.tar.xz |
Disable medium-strength dropbear ssh ciphers
This changes the Dropbear SSH server configuration so it will not
accept medium-strength encryption ciphers including: CBC mode, MD5,
96-bit MAC, and triple DES.
The remaining ciphers include aes128-ctr and aes256-ctr. Dropbear
does not offer the arcfour cipher suite.
Note that Dropbear does not use a config file and instead uses
file options.h to control its features. This commit adds a
patch to disable the unwanted ciphers.
Tested:
On the qemu-based BMC:
ssh -c help 127.0.0.1
aes128-ctr,aes256-ctr
Before this change, the value was:
aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc,twofish256-cbc,
twofish-cbc,twofish128-cbc,3des-ctr,3des-cbc
Attempt to contact the BMC from host:
ssh -p 2222 -l root localhost # success
ssh -c aes128-cbc -p 2222 -l root localhost
Unable to negotiate with 127.0.0.1 port 2222: no matching cipher
found. Their offer: aes128-ctr,aes256-ctr
Before this change, the connection was successful.
Attempt to contact the BMC from older system:
ssh -V
OpenSSH_5.8p1, OpenSSL 0.9.8g 19 Oct 2007
ssh -p 2222 -l root ${BMC_IP_ADDR} # success
Resolves openbmc/openbmc#3186
(From meta-phosphor rev: 4ad7873e5dcd8475d48b6551002331a1efe4b2f1)
Change-Id: I5648a1602a3683afd9bd90ba62d8f6e4d9237506
Signed-off-by: Joseph Reynolds <jrey@us.ibm.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Diffstat (limited to 'meta-phosphor/recipes-extended/sdbusplus')
0 files changed, 0 insertions, 0 deletions