Received: from mail-ej1-f41.google.com (mail-ej1-f41.google.com [209.85.218.41]) by nld3-dev1.alpinelinux.org (Postfix) with ESMTPS id 66852780ECF for ; Sun, 13 Jun 2021 15:30:16 +0000 (UTC) Received: by mail-ej1-f41.google.com with SMTP id k7so12238615ejv.12 for ; Sun, 13 Jun 2021 08:30:16 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=to:from:subject:message-id:date:user-agent:mime-version :content-transfer-encoding:content-language; bh=4p8PM0TqfPlbXbC5VUPj50YFqq3lYqkvnmz/j6nAAVg=; b=FJB5lP5YNiZZPV/4isaQon1wJ60v2vPDcKvC09Vc2hBlA5jYlqI3L6rxgzgot+QHcy eEawD6tjfO3ASmOsGKmjtg8iNhS0aRQYfFvZfOeNYk+Vuq4GUs0QfcThlCMUQXBvm7V0 2Xo7hbe5NNilC0U4/l1xCDu6fIRLk++Y3EHGwTuuMt/pGO87ztYaSz8y0qpICoxWxaQm G46t0Ziku+GCVf2R0LJ2IomIYxACHNJQsxPFr+q2bvL9+L0Ka9pnH4WGwmjO0+1RCZ2B 78u99HHwM/G3OTvfQ5msyYmwyZ6ODRWwAlUlF1mG7K9Dvw118IPZHTFqylhpJW4Ilzdo c5Ug== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:to:from:subject:message-id:date:user-agent :mime-version:content-transfer-encoding:content-language; bh=4p8PM0TqfPlbXbC5VUPj50YFqq3lYqkvnmz/j6nAAVg=; b=Zs1e3C6ykDOPajvfcN8K2ZLr5u7o33GAGBiVO0BHLkA1QiRDwjNE3yWTQ+YfPQco6P 1jtXytNF+6KboXccWi/309/2clEJR8XpSiG1PKQgm3cXvb21oIeF9jgYTbKuzJkqKukb q9dNeUkwfQsafCXtigMgjXb+6l/xrooRNRakPVH7mYGg7ucDC+EcuKNHKWpg0pXjAuJp 4o1FwK5o3qZr0HuTDl+37Ef+oL/6+yxqUbh/EHH7bqDDyYsUGo+ai89NCD2V9JJQDzhD Ud5MZYPK1vLbmDwCZ0qk2bb7P0igMsfKhSfQUSbI+h6LOncf9WkuFFqwfJx4bJH6O0/K CTWg== X-Gm-Message-State: AOAM531FncXHan/CzODoh3r5G70RDTopwWTpo+purb45xC4R4qlvK7Bl kebnL5roPCNWzNvPNQ6WxpruqWfVB6UzNQ== X-Google-Smtp-Source: ABdhPJyfiZpavJTEI7DFlRCG91mfLQAvGJGnAe43R7UhAKy417DbfMXJyGDn0uFExd6FcIrcMKQ6dw== X-Received: by 2002:a17:907:2be5:: with SMTP id gv37mr12256736ejc.237.1623598215363; Sun, 13 Jun 2021 08:30:15 -0700 (PDT) Received: from [134.93.170.106] (pc11-imb008.imb.uni-mainz.de. 
[134.93.170.106]) by smtp.gmail.com with ESMTPSA id a7sm4963312ejr.110.2021.06.13.08.30.14 for (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Sun, 13 Jun 2021 08:30:14 -0700 (PDT) To: alpine-aports@lists.alpinelinux.org From: Christian Dietrich Subject: [PATCH] main/dropbear: disable DSS, enable Ed25519, increase RSA host key size Message-ID: <7babbd96-c41f-1fc7-9ffa-b735e720b146@gmail.com> Date: Sun, 13 Jun 2021 17:30:13 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.8.1 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Content-Language: en-US Disables DSS (like OpenSSH >=7.0) Increase RSA host key size to 3072 bit (like OpenSSH >= 8.0) Enables Ed25519 host key generation --- a/main/dropbear/APKBUILD +++ b/main/dropbear/APKBUILD @@ -3,7 +3,7 @@  # Maintainer: Natanael Copa  pkgname=dropbear  pkgver=2020.81 -pkgrel=0 +pkgrel=1  pkgdesc="small SSH 2 client/server designed for small memory environments"  url="https://matt.ucc.asn.au/dropbear/dropbear.html"  arch="all" @@ -21,6 +21,7 @@      dropbear.confd      dropbear-0.53.1-static_build_fix.patch      dropbear-options_sftp-server_path.patch +    dropbear-disable_dss.patch      "  # secfixes: 
@@ -83,7 +84,8 @@  }  sha512sums="2fa9d4d7dcb1c81281f5e47c8a99b7300eb46b3bb605daaec956404eae9124879a8bbbef521dea6da8b3643f3dc6f7f5005e265bfcaba97e89812f5642c294da dropbear-2020.81.tar.bz2 -9c55ab3d8b61955cde1ccc1b8acbd3d2ef123feb9489e92737304c35315d07b7f85fad8a12ac7b0ec2c1dcee3d76b8bc4aa18518f4ddd963917805db33e48826 dropbear.initd +601f7cece00db02ea6b913f2d10febe4a5f8a2052afe2bba47df0c1718562b78975edd4ec5715fc7d9596ce165fd9a9cf5b2b66698303cac6d2daf1bb5e7902a dropbear.initd  83f2c1eaf7687917a4b2bae7d599d4378c4bd64f9126ba42fc5d235f2b3c9a474d1b3168d70ed64bb4101cc251d30bc9ae20604da9b5d819fcd635ee4d0ebb0f dropbear.confd  413cef467db35ddc430a773af943ff650d51bdb6fb262dcabc625eb6c9f4170b5711998df5577dd05c60e21e0a9771bff022adc8273083b85a18f4d5659ffd50 dropbear-0.53.1-static_build_fix.patch -9b078548c6850c9b45e9b68a8ebd746a4a0648607c8ad0cf4106f09f7a63768c83a3e4e4fbec38b665ae283503fd3cdd054775aa3c9afe02567be3e775aef50b dropbear-options_sftp-server_path.patch" +9b078548c6850c9b45e9b68a8ebd746a4a0648607c8ad0cf4106f09f7a63768c83a3e4e4fbec38b665ae283503fd3cdd054775aa3c9afe02567be3e775aef50b dropbear-options_sftp-server_path.patch +3499b70e0dd56e9772bdf2cebafa4513f75eaf07d2eb7bbe8e53ace2b4debcca0e0335b3b912fe1706e267ffaa79f58e04ce3241e482e8401bd77fd4c7d3f38b dropbear-disable_dss.patch" --- /dev/null +++ b/main/dropbear/dropbear-disable_dss.patch @@ -0,0 +1,11 @@ +--- a/default_options.h ++++ b/default_options.h +@@ -121,7 +121,7 @@ +  * DSS may be necessary to connect to some systems though +    is not recommended for new keys */ + #define DROPBEAR_RSA 1 +-#define DROPBEAR_DSS 1 ++#define DROPBEAR_DSS 0 + /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC +  * code (either ECDSA or ECDH) increases binary size - around 30kB +  * on x86-64 */ --- a/main/dropbear/dropbear.initd +++ b/main/dropbear/dropbear.initd 
@@ -13,18 +13,18 @@      if [ ! -e /etc/dropbear/ ] ; then          mkdir /etc/dropbear/      fi -    if [ ! -e /etc/dropbear/dropbear_dss_host_key ] ; then -        einfo "Generating DSS-Hostkey..." -        /usr/bin/dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key -    fi      if [ ! -e /etc/dropbear/dropbear_rsa_host_key ] ; then          einfo "Generating RSA-Hostkey..." -        /usr/bin/dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key +        /usr/bin/dropbearkey -t rsa -s 3072 -f /etc/dropbear/dropbear_rsa_host_key      fi      if [ ! -e /etc/dropbear/dropbear_ecdsa_host_key ] ; then          einfo "Generating ECDSA-Hostkey..."          /usr/bin/dropbearkey -t ecdsa -f /etc/dropbear/dropbear_ecdsa_host_key      fi +        if [ ! -e /etc/dropbear/dropbear_ed25519_host_key ] ; then +                einfo "Generating Ed25519-Hostkey..." +                /usr/bin/dropbearkey -t ed25519 -f /etc/dropbear/dropbear_ed25519_host_key +        fi  }  start() {
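Review bot: the `-#define DROPBEAR_DSS 1` / `+#define DROPBEAR_DSS 0` flip in dropbear-disable_dss.patch is a compile-time setting for the whole build, so it removes ssh-dss from the client as well as from the server's host-key set (the pkgdesc describes the package as a "small SSH 2 client/server"), and the context comment kept in the hunk, "DSS may be necessary to connect to some systems though is not recommended for new keys", is exactly the client-side case that is lost with no runtime opt-in. Suggest stating in the commit message that dbclient can no longer reach DSS-only hosts after this change, not only that the server stops generating a DSS host key.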
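Review bot: in the dropbear.initd hunk the added Ed25519 block is indented with 8 and 16 spaces while the surrounding RSA and ECDSA blocks use 4 and 8; re-indent `if [ ! -e /etc/dropbear/dropbear_ed25519_host_key ] ; then`, the `einfo "Generating Ed25519-Hostkey..."` line and the `dropbearkey -t ed25519` call to match. Two behavioural points deserve a line in the commit message as well: the new `-s 3072` only takes effect where /etc/dropbear/dropbear_rsa_host_key does not yet exist, because the `[ ! -e ... ]` guard skips generation for an existing file, so already deployed hosts keep their current RSA key size; and removing the DSS generation block leaves an existing /etc/dropbear/dropbear_dss_host_key behind on upgraded systems rather than removing it, which may be worth a cleanup step.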