path: root/meta-phosphor/recipes-core/dropbear
Age | Commit message | Author | Files | Lines
2019-09-25 | ssh: Allow ssh authentication only for admin priv | Richard Marian Thomaiyar | 2 | +1/-4

    Restrict SSH authentication only for priv-admin users instead of all
    privileged users, for security reasons. This prevents low-privilege
    users from establishing an SSH connection.

    Tested:
    1. Verified ssh works fine for any priv-admin user.
    2. Blocked for all other non-admin users.

    (From meta-phosphor rev: f15b0ea6b5a35edfec285aa7e734ff34739c4898)

    Change-Id: I5659eb504ed76133cd1b4ade6511d419fb239419
    Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
    Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
2019-01-09 | reset upstream subtrees to yocto 2.6 | Brad Bishop | 5 | +7/-139

    Reset the following subtrees on thud HEAD:

      poky:              87e3a9739d
      meta-openembedded: 6094ae18c8
      meta-security:     31dc4e7532
      meta-raspberrypi:  a48743dc36
      meta-xilinx:       c42016e2e6

    Also re-apply backports that didn't make it into thud:

      poky:
        17726d0 systemd-systemctl-native: handle Install wildcards

      meta-openembedded:
        4321a5d libtinyxml2: update to 7.0.1
        042f0a3 libcereal: Add native and nativesdk classes
        e23284f libcereal: Allow empty package
        030e8d4 rsyslog: curl-less build with fmhttp PACKAGECONFIG
        179a1b9 gtest: update to 1.8.1

    Squashed OpenBMC subtree compatibility updates:

      meta-aspeed:
        Brad Bishop (1):
          aspeed: add yocto 2.6 compatibility

      meta-ibm:
        Brad Bishop (1):
          ibm: prepare for yocto 2.6

      meta-ingrasys:
        Brad Bishop (1):
          ingrasys: set layer compatibility to yocto 2.6

      meta-openpower:
        Brad Bishop (1):
          openpower: set layer compatibility to yocto 2.6

      meta-phosphor:
        Brad Bishop (3):
          phosphor: set layer compatibility to thud
          phosphor: libgpg-error: drop patches
          phosphor: react to fitimage artifact rename

        Ed Tanous (4):
          Dropbear: upgrade options for latest upgrade
          yocto2.6: update openssl options
          busybox: remove upstream watchdog patch
          systemd: Rebase CONFIG_CGROUP_BPF patch

    Change-Id: I7b1fe71cca880d0372a82d94b5fd785323e3a9e7
    Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
2018-10-31 | Dropbear SSH remove HMAC-MD5 | Joseph Reynolds | 1 | +13/-6

    The Dropbear SSH client and server configuration is changed to not
    accept the HMAC-MD5 algorithm when making connections. The MD5
    algorithm is no longer considered secure.

    With this change, Dropbear supports the following MAC algorithms:
    SHA1_HMAC, SHA2_256_HMAC, and SHA2_512_HMAC. Note that Dropbear does
    not yet support HMAC-SHA3.

    Tested:

      $ ssh -m hmac-sha1-96 root@${bmc}
      Unable to negotiate with ${bmc} port 22: no matching MAC found.
      Their offer: hmac-sha1,hmac-sha2-256,hmac-sha2-512

      $ ssh root@${bmc}   # worked

    (From meta-phosphor rev: ec86af05553a7a66af68356cb2b4ec451d5bbf91)

    Change-Id: Iba30c9f1ea66e2c72c75d16a16194ede808fe64a
    Signed-off-by: Joseph Reynolds <jrey@us.ibm.com>
    Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
2018-09-28 | Disable medium-strength dropbear ssh ciphers | Joseph Reynolds | 2 | +30/-0

    This changes the Dropbear SSH server configuration so it will not
    accept medium-strength encryption ciphers including: CBC mode, MD5,
    96-bit MAC, and triple DES. The remaining ciphers include aes128-ctr
    and aes256-ctr. Dropbear does not offer the arcfour cipher suite.

    Note that Dropbear does not use a config file and instead uses file
    options.h to control its features. This commit adds a patch to
    disable the unwanted ciphers.

    Tested:

    On the qemu-based BMC:

      ssh -c help 127.0.0.1
      aes128-ctr,aes256-ctr

    Before this change, the value was:

      aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc,twofish256-cbc,
      twofish-cbc,twofish128-cbc,3des-ctr,3des-cbc

    Attempt to contact the BMC from host:

      ssh -p 2222 -l root localhost   # success

      ssh -c aes128-cbc -p 2222 -l root localhost
      Unable to negotiate with 127.0.0.1 port 2222: no matching cipher found.
      Their offer: aes128-ctr,aes256-ctr

    Before this change, the connection was successful.

    Attempt to contact the BMC from older system:

      ssh -V
      OpenSSH_5.8p1, OpenSSL 0.9.8g 19 Oct 2007

      ssh -p 2222 -l root ${BMC_IP_ADDR}   # success

    Resolves openbmc/openbmc#3186

    (From meta-phosphor rev: 4ad7873e5dcd8475d48b6551002331a1efe4b2f1)

    Change-Id: I5648a1602a3683afd9bd90ba62d8f6e4d9237506
    Signed-off-by: Joseph Reynolds <jrey@us.ibm.com>
    Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
2018-09-06 | meta-phosphor: Move layer content from common/ | Brad Bishop | 4 | +158/-0

    Adopt a more conventional directory hierarchy. meta-phosphor is still
    a _long_ way from suitable for hosting on yoctoproject.org but things
    like this don't help.

    (From meta-phosphor rev: 471cfcefa74b8c7ceb704cb670e6d915cf27c63b)

    Change-Id: I3f106b2f6cdc6cec734be28a6090800546f362eb
    Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>