authorJoseph Reynolds <joseph-reynolds@charter.net>2023-10-11 20:17:03 +0300
committerAdriana Kobylak <anoo@us.ibm.com>2024-02-20 22:23:42 +0300
commite71e7778d61b38cde9e2bef1ab72320a45cc2b2d (patch)
tree2f3711f79f460911f02dec1b2253989b7a3881f1 /meta-phosphor/recipes-core
parent22f682c653ad51d5f5c1ac8a7acd73c44f8b291b (diff)
dropbear SSH server: update security options
This updates the algorithms offered by the BMC's dropbear SSH server when accepting new connections. The options.patch file is deleted because it is obsolete. The localoptions.h file is updated to the OpenBMC project's preferences. For background, see the Dropbear project's default_options.h file. Tested: validated the intended algorithms via the command: ssh -vv - Before: debug2: host key algorithms: rsa-sha2-256,ssh-rsa debug2: MACs ctos: hmac-sha1,hmac-sha2-256,hmac-sha2-512 - After: debug2: host key algorithms: rsa-sha2-256 debug2: MACs ctos: hmac-sha2-256,hmac-sha2-512 Change-Id: I0eccb572c61ce3a800d2a189e9d84eb36ff592e7 Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
Diffstat (limited to 'meta-phosphor/recipes-core')
-rw-r--r--meta-phosphor/recipes-core/dropbear/dropbear/localoptions.h10
-rw-r--r--meta-phosphor/recipes-core/dropbear/dropbear/options.patch33
2 files changed, 6 insertions, 37 deletions
diff --git a/meta-phosphor/recipes-core/dropbear/dropbear/localoptions.h b/meta-phosphor/recipes-core/dropbear/dropbear/localoptions.h
index 4a3ebcffe8..ea3b280de2 100644
--- a/meta-phosphor/recipes-core/dropbear/dropbear/localoptions.h
+++ b/meta-phosphor/recipes-core/dropbear/dropbear/localoptions.h
@@ -1,9 +1,11 @@
-// Disable CBC ciphers for modern security.
-#define DROPBEAR_ENABLE_CBC_MODE 0
+// Customizations. See dropbear project default_options.h
// Disable Chacha20-Poly1305 cipher.
#define DROPBEAR_CHACHA20POLY1305 0
-#define DROPBEAR_SHA1_96_HMAC 0
-#define DROPBEAR_SHA2_256_HMAC 1
+#define DROPBEAR_SHA1_HMAC 0
#define DROPBEAR_SHA2_512_HMAC 1
+
+#define DROPBEAR_RSA_SHA1 0
+
+#define DROPBEAR_DH_GROUP14_SHA1 0
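Review bot: Removing `#define DROPBEAR_ENABLE_CBC_MODE 0` and `#define DROPBEAR_SHA2_256_HMAC 1` from the top of the file makes the CBC and HMAC-SHA2-256 settings depend on whatever the packaged dropbear's default_options.h happens to say; the MAC list in the Tested section shows hmac-sha2-256 is still offered, but nothing on the page pins CBC mode off. Keeping an explicit `#define DROPBEAR_ENABLE_CBC_MODE 0` costs nothing and survives a dropbear version change whose defaults differ. The remaining settings also lack rationale: the Chacha20-Poly1305 comment says what is disabled but not why, and the three new `0` defines carry no comment, so one line per group such as `// Drop SHA-1 based MAC, host-key signature and key exchange; SHA-2 equivalents remain enabled` would tell the next maintainer what the project preference is. The Tested output covers host-key and MAC negotiation only; the kex algorithm list that `ssh -vv` also prints would confirm that `DROPBEAR_DH_GROUP14_SHA1 0` took effect.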
diff --git a/meta-phosphor/recipes-core/dropbear/dropbear/options.patch b/meta-phosphor/recipes-core/dropbear/dropbear/options.patch
deleted file mode 100644
index 5212243940..0000000000
--- a/meta-phosphor/recipes-core/dropbear/dropbear/options.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-diff --git a/options.h b/options.h
-index 0c51bb1..3df2d67 100644
---- a/options.h
-+++ b/options.h
-@@ -95,12 +95,12 @@ much traffic. */
- #define DROPBEAR_AES256
- /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
- /*#define DROPBEAR_BLOWFISH*/
--#define DROPBEAR_TWOFISH256
--#define DROPBEAR_TWOFISH128
-+/*#define DROPBEAR_TWOFISH256*/
-+/*#define DROPBEAR_TWOFISH128*/
-
- /* Enable CBC mode for ciphers. This has security issues though
- * is the most compatible with older SSH implementations */
--#define DROPBEAR_ENABLE_CBC_MODE
-+/*#define DROPBEAR_ENABLE_CBC_MODE*/
-
- /* Enable "Counter Mode" for ciphers. This is more secure than normal
- * CBC mode against certain attacks. It is recommended for security
-@@ -131,10 +131,10 @@ If you test it please contact the Dropbear author */
- * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
- * which are not the standard form. */
- #define DROPBEAR_SHA1_HMAC
--#define DROPBEAR_SHA1_96_HMAC
-+/*#define DROPBEAR_SHA1_96_HMAC*/
- #define DROPBEAR_SHA2_256_HMAC
- #define DROPBEAR_SHA2_512_HMAC
--#define DROPBEAR_MD5_HMAC
-+/*#define DROPBEAR_MD5_HMAC*/
-
- /* You can also disable integrity. Don't bother disabling this if you're
- * still using a cipher, it's relatively cheap. If you disable this it's dead