Disables DSS (like OpenSSH >=7.0)
Increase RSA host key size to 3072 bit (like OpenSSH >= 8.0)
Enables Ed25519 host key generation
--- a/main/dropbear/APKBUILD
+++ b/main/dropbear/APKBUILD
@@ -3,7 +3,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=dropbear
pkgver=2020.81
-pkgrel=0
+pkgrel=1
pkgdesc="small SSH 2 client/server designed for small memory environments"
url="https://matt.ucc.asn.au/dropbear/dropbear.html"
arch="all"
@@ -21,6 +21,7 @@
dropbear.confd
dropbear-0.53.1-static_build_fix.patch
dropbear-options_sftp-server_path.patch
+ dropbear-disable_dss.patch
"
# secfixes:
@@ -83,7 +84,8 @@
}
sha512sums="2fa9d4d7dcb1c81281f5e47c8a99b7300eb46b3bb605daaec956404eae9124879a8bbbef521dea6da8b3643f3dc6f7f5005e265bfcaba97e89812f5642c294da dropbear-2020.81.tar.bz2
-9c55ab3d8b61955cde1ccc1b8acbd3d2ef123feb9489e92737304c35315d07b7f85fad8a12ac7b0ec2c1dcee3d76b8bc4aa18518f4ddd963917805db33e48826
dropbear.initd
+601f7cece00db02ea6b913f2d10febe4a5f8a2052afe2bba47df0c1718562b78975edd4ec5715fc7d9596ce165fd9a9cf5b2b66698303cac6d2daf1bb5e7902a
dropbear.initd
83f2c1eaf7687917a4b2bae7d599d4378c4bd64f9126ba42fc5d235f2b3c9a474d1b3168d70ed64bb4101cc251d30bc9ae20604da9b5d819fcd635ee4d0ebb0f dropbear.confd
413cef467db35ddc430a773af943ff650d51bdb6fb262dcabc625eb6c9f4170b5711998df5577dd05c60e21e0a9771bff022adc8273083b85a18f4d5659ffd50 dropbear-0.53.1-static_build_fix.patch
-9b078548c6850c9b45e9b68a8ebd746a4a0648607c8ad0cf4106f09f7a63768c83a3e4e4fbec38b665ae283503fd3cdd054775aa3c9afe02567be3e775aef50b
dropbear-options_sftp-server_path.patch"
+9b078548c6850c9b45e9b68a8ebd746a4a0648607c8ad0cf4106f09f7a63768c83a3e4e4fbec38b665ae283503fd3cdd054775aa3c9afe02567be3e775aef50b
dropbear-options_sftp-server_path.patch
+3499b70e0dd56e9772bdf2cebafa4513f75eaf07d2eb7bbe8e53ace2b4debcca0e0335b3b912fe1706e267ffaa79f58e04ce3241e482e8401bd77fd4c7d3f38b
dropbear-disable_dss.patch"
--- /dev/null
+++ b/main/dropbear/dropbear-disable_dss.patch
@@ -0,0 +1,11 @@
+--- a/default_options.h
++++ b/default_options.h
+@@ -121,7 +121,7 @@
+ * DSS may be necessary to connect to some systems though
+ is not recommended for new keys */
+ #define DROPBEAR_RSA 1
+-#define DROPBEAR_DSS 1
++#define DROPBEAR_DSS 0
+ /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
+ * code (either ECDSA or ECDH) increases binary size - around 30kB
+ * on x86-64 */
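Review bot: Patching `default_options.h` in place means the override is lost at every upstream version bump and has to be re-carried by hand; Dropbear's build appears to support a `localoptions.h` override file for exactly this purpose, and if this release honours it the same effect can be had by shipping a one-line `#define DROPBEAR_DSS 0` there instead of a source patch (worth confirming against the 2020.81 tree before relying on it). Either way the change has a client-side consequence the commit message does not mention: with `DROPBEAR_DSS 0` the `dbclient` binary can no longer talk to servers that only offer a `ssh-dss` host key, which the surrounding comment itself warns about. A short note in the patch header or APKBUILD, `# DSS disabled at build time: dbclient cannot connect to DSS-only hosts`, would save the next maintainer a bug-report round trip.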
--- a/main/dropbear/dropbear.initd
+++ b/main/dropbear/dropbear.initd
@@ -13,18 +13,18 @@
if [ ! -e /etc/dropbear/ ] ; then
mkdir /etc/dropbear/
fi
- if [ ! -e /etc/dropbear/dropbear_dss_host_key ] ; then
- einfo "Generating DSS-Hostkey..."
- /usr/bin/dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key
- fi
if [ ! -e /etc/dropbear/dropbear_rsa_host_key ] ; then
einfo "Generating RSA-Hostkey..."
- /usr/bin/dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key
+ /usr/bin/dropbearkey -t rsa -s 3072 -f
/etc/dropbear/dropbear_rsa_host_key
fi
if [ ! -e /etc/dropbear/dropbear_ecdsa_host_key ] ; then
einfo "Generating ECDSA-Hostkey..."
/usr/bin/dropbearkey -t ecdsa -f
/etc/dropbear/dropbear_ecdsa_host_key
fi
+ if [ ! -e /etc/dropbear/dropbear_ed25519_host_key ] ; then
+ einfo "Generating Ed25519-Hostkey..."
+ /usr/bin/dropbearkey -t ed25519 -f
/etc/dropbear/dropbear_ed25519_host_key
+ fi
}
start() {
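Review bot: The `-s 3072` added on the RSA line only affects keys generated from now on, because the `[ ! -e ... ]` guard on the line above skips generation whenever a key file already exists, so every host upgraded from pkgrel 0 keeps whatever size its original `dropbear_rsa_host_key` was created with, and the now-unused `/etc/dropbear/dropbear_dss_host_key` is left on disk. Neither is wrong by itself, but the commit message's "increase RSA host key size to 3072 bit" reads as if it applied to existing installs; a comment at the RSA branch, `# 3072 bits applies only to newly generated keys; existing keys on upgraded hosts keep their original size`, would make the limit explicit, and a one-line `ewarn` when a stale DSS key file is still present would tell admins they can delete it. The enclosing function starts before this hunk, so I cannot see whether the key-generation path runs under an `ebegin`/`eend` pair that would surface a failed `dropbearkey`; if not, the new Ed25519 branch (and the other two) silently continue on error and the server starts without that host key.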