diff options
author | Joseph Reynolds <jrey@us.ibm.com> | 2018-10-09 22:53:15 +0300 |
---|---|---|
committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2018-10-31 14:33:21 +0300 |
commit | 1597b9231e2cdd8860317a94dd1b2118cc36da60 (patch) | |
tree | 549397433dc8c40dc6960d1bdbf32bb7c197f9d7 /meta-phosphor | |
parent | 8c01c500cdfb3b71294e1b6eea60c0d9dbb8124c (diff) | |
download | openbmc-1597b9231e2cdd8860317a94dd1b2118cc36da60.tar.xz |
Dropbear SSH remove HMAC-MD5
The Dropbear SSH client and server configuration is changed to not
accept the HMAC-MD5 algorithm when making connections.
The MD5 algorithm is no longer considered secure.
With this change, Dropbear supports the following MAC algorithms:
SHA1_HMAC, SHA2_256_HMAC, and SHA2_512_HMAC.
Note that Dropbear does not yet support HMAC-SHA3.
Tested:
$ ssh -m hmac-sha1-96 root@${bmc}
Unable to negotiate with ${bmc} port 22:
no matching MAC found.
Their offer: hmac-sha1,hmac-sha2-256,hmac-sha2-512
$ ssh root@${bmc} # worked
(From meta-phosphor rev: ec86af05553a7a66af68356cb2b4ec451d5bbf91)
Change-Id: Iba30c9f1ea66e2c72c75d16a16194ede808fe64a
Signed-off-by: Joseph Reynolds <jrey@us.ibm.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Diffstat (limited to 'meta-phosphor')
-rw-r--r-- | meta-phosphor/recipes-core/dropbear/dropbear/options.patch | 19 |
1 files changed, 13 insertions, 6 deletions
diff --git a/meta-phosphor/recipes-core/dropbear/dropbear/options.patch b/meta-phosphor/recipes-core/dropbear/dropbear/options.patch index 0582ca4e4..521224394 100644 --- a/meta-phosphor/recipes-core/dropbear/dropbear/options.patch +++ b/meta-phosphor/recipes-core/dropbear/dropbear/options.patch @@ -1,26 +1,33 @@ diff --git a/options.h b/options.h -index 0c51bb1..2c38f42 100644 +index 0c51bb1..3df2d67 100644 --- a/options.h +++ b/options.h -@@ -95,12 +95,9 @@ much traffic. */ +@@ -95,12 +95,12 @@ much traffic. */ #define DROPBEAR_AES256 /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */ /*#define DROPBEAR_BLOWFISH*/ -#define DROPBEAR_TWOFISH256 -#define DROPBEAR_TWOFISH128 ++/*#define DROPBEAR_TWOFISH256*/ ++/*#define DROPBEAR_TWOFISH128*/ /* Enable CBC mode for ciphers. This has security issues though * is the most compatible with older SSH implementations */ -#define DROPBEAR_ENABLE_CBC_MODE ++/*#define DROPBEAR_ENABLE_CBC_MODE*/ /* Enable "Counter Mode" for ciphers. This is more secure than normal * CBC mode against certain attacks. It is recommended for security -@@ -130,8 +127,6 @@ If you test it please contact the Dropbear author */ - * These hashes are also used for public key fingerprints in logs. +@@ -131,10 +131,10 @@ If you test it please contact the Dropbear author */ * If you disable MD5, Dropbear will fall back to SHA1 fingerprints, * which are not the standard form. */ --#define DROPBEAR_SHA1_HMAC + #define DROPBEAR_SHA1_HMAC -#define DROPBEAR_SHA1_96_HMAC ++/*#define DROPBEAR_SHA1_96_HMAC*/ #define DROPBEAR_SHA2_256_HMAC #define DROPBEAR_SHA2_512_HMAC - #define DROPBEAR_MD5_HMAC +-#define DROPBEAR_MD5_HMAC ++/*#define DROPBEAR_MD5_HMAC*/ + + /* You can also disable integrity. Don't bother disabling this if you're + * still using a cipher, it's relatively cheap. If you disable this it's dead |