BMC/Intel-BMC/openbmc.git - Intel-BMC/openbmc is a BMC implementation for servers (mirror)

Age	Commit message (Collapse)	Author	Files	Lines
2018-10-31	Dropbear SSH remove HMAC-MD5	Joseph Reynolds	1	-6/+13
	The Dropbear SSH client and server configuration is changed to not accept the HMAC-MD5 algorithm when making connections. The MD5 algorithm is no longer considered secure. With this change, Dropbear supports the following MAC algorithms: SHA1_HMAC, SHA2_256_HMAC, and SHA2_512_HMAC. Note that Dropbear does not yet support HMAC-SHA3. Tested: $ ssh -m hmac-sha1-96 root@${bmc} Unable to negotiate with ${bmc} port 22: no matching MAC found. Their offer: hmac-sha1,hmac-sha2-256,hmac-sha2-512 $ ssh root@${bmc} # worked (From meta-phosphor rev: ec86af05553a7a66af68356cb2b4ec451d5bbf91) Change-Id: Iba30c9f1ea66e2c72c75d16a16194ede808fe64a Signed-off-by: Joseph Reynolds <jrey@us.ibm.com> Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
2018-09-28	Disable medium-strength dropbear ssh ciphers	Joseph Reynolds	2	-0/+30
	This changes the Dropbear SSH server configuration so it will not accept medium-strength encryption ciphers including: CBC mode, MD5, 96-bit MAC, and triple DES. The remaining ciphers include aes128-ctr and aes256-ctr. Dropbear does not offer the arcfour cipher suite. Note that Dropbear does not use a config file and instead uses file options.h to control its features. This commit adds a patch to disable the unwanted ciphers. Tested: On the qemu-based BMC: ssh -c help 127.0.0.1 aes128-ctr,aes256-ctr Before this change, the value was: aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc,twofish256-cbc, twofish-cbc,twofish128-cbc,3des-ctr,3des-cbc Attempt to contact the BMC from host: ssh -p 2222 -l root localhost # success ssh -c aes128-cbc -p 2222 -l root localhost Unable to negotiate with 127.0.0.1 port 2222: no matching cipher found. Their offer: aes128-ctr,aes256-ctr Before this change, the connection was successful. Attempt to contact the BMC from older system: ssh -V OpenSSH_5.8p1, OpenSSL 0.9.8g 19 Oct 2007 ssh -p 2222 -l root ${BMC_IP_ADDR} # success Resolves openbmc/openbmc#3186 (From meta-phosphor rev: 4ad7873e5dcd8475d48b6551002331a1efe4b2f1) Change-Id: I5648a1602a3683afd9bd90ba62d8f6e4d9237506 Signed-off-by: Joseph Reynolds <jrey@us.ibm.com> Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
2018-09-06	meta-phosphor: Move layer content from common/	Brad Bishop	4	-0/+158
	Adopt a more conventional directory hierarchy. meta-phosphor is still a _long_ way from suitable for hosting on yoctoproject.org but things like this don't help. (From meta-phosphor rev: 471cfcefa74b8c7ceb704cb670e6d915cf27c63b) Change-Id: I3f106b2f6cdc6cec734be28a6090800546f362eb Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>