27.02.2018, 17:54, "Matt Johnston" <m...@ucc.asn.au>:
> Hi all,
>
> Dropbear 2018.76 is released. As well as the usual
> improvements and bugfixes this release simplifies
> local configuration options.
> You will probably need to adjust your build configuration.
>
> Rather than modifying options.h, local options are now
> placed in localoptions.h where they will override defaults.
> The header file default_options.h lists the available
> options similar to the old options.h - it should be left
> unmodified.
>
> There are a few other deprecations/changes to take note of.
>
> Cheers,
> Matt
>
> https://matt.ucc.asn.au/dropbear/dropbear.html
> https://dropbear.nl/mirror/dropbear.html
>
> 2018.76 - 27 February 2018
>
> === Configuration/compatibility changes
> IMPORTANT
> Custom configuration is now specified in local_options.h rather than
> options.h
> Available options and defaults can be seen in default_options.h
>
> To migrate your configuration, compare your customised options.h against the
> upstream options.h from your relevant version. Any customised options should
> be put in localoptions.h
>
> - "configure --enable-static" should now be used instead of "make STATIC=1"
>   This will avoid 'hardened build' flags that conflict with static binaries
>
> - Set 'hardened build' flags by default if supported by the compiler.
>   These can be disabled with configure --disable-harden if needed.
>   -Wl,-pie
>   -Wl,-z,now -Wl,-z,relro
>   -fstack-protector-strong
>   -D_FORTIFY_SOURCE=2
>   # spectre v2 mitigation
>   -mfunction-return=thunk
>   -mindirect-branch=thunk
>
>   Spectre patch from Loganaden Velvindron
>
> - "dropbear -r" option for hostkeys no longer attempts to load the default
>   hostkey paths as well. If desired these can be specified manually.
>   Patch from CamVan Nguyen
>
> - group1-sha1 key exchange is disabled in the server by default since
>   the fixed 1024-bit group may be susceptible to attacks
>
> - twofish ciphers are now disabled in the default configuration
>
> - Default generated ECDSA key size is now 256 (rather than 521)
>   for better interoperability
>
> - Minimum RSA key length has been increased to 1024 bits
>
> === Other features and fixes
>
> - Add runtime -T max_auth_tries option from Kevin Darbyshire-Bryant
>
> - Add 'dbclient -J &fd' to allow dbclient to connect over an existing socket.
>   See dbclient manpage for a socat example. Patch from Harald Becker

Wouldn't it be better to support -o ProxyUseFdPass like in OpenSSH?

> - Add "-c forced_command" option. Patch from Jeremy Kerr
>
> - Restricted group -G option added with patch from stellarpower
>
> - Support server-chosen TCP forwarding ports, patch from houseofkodai
>
> - Allow choosing outgoing address for dbclient with -b
>   [bind_address][:bind_port]
>   Patch from houseofkodai
>
> - Makefile will now rebuild object files when header files are modified
>
> - Add group14-256 and group16 key exchange options
>
> - curve25519-sha256 also supported without @libssh.org suffix
>
> - Update bundled libtomcrypt to 1.18.1, libtommath to 1.0.1
>   This fixes building with some recent versions of clang
>
> - Set PAM_RHOST which is needed by modules such as pam_abl
>
> - Improvements to DSS and RSA public key validation, found by OSS-Fuzz.
>
> - Don't exit when an authorized_keys file has malformed entries. Found by
>   OSS-Fuzz
>
> - Fix null-pointer crash with malformed ECDSA or DSS keys. Found by OSS-Fuzz
>
> - Numerous code cleanups and small issues fixed by Francois Perrad
>
> - Test for pkt_sched.h rather than SO_PRIORITY which was problematic with
>   some musl platforms. Reported by Oliver Schneider and Andrew Bainbridge
>
> - Fix some platform portability problems, from Ben Gardner
>
> - Add EXEEXT filename suffix for building dropbearmulti, from William Foster
>
> - Support --enable-<option> properly for configure, from Stefan Hauser
>
> - configure have_openpty result can be cached, from Eric Bénard
>
> - handle platforms that return close() < -1 on failure, from Marco Wenzel
>
> - Build and configuration cleanups from Michael Witten
>
> - Fix libtomcrypt/libtommath linking order, from Andre McCurdy
>
> - Fix old Linux platforms that have SYS_clock_gettime but not CLOCK_MONOTONIC
>
> - Update curve25519-donna implementation to current version

--
Regards,
Konstantin
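The migration step in the quoted announcement (compare a customised options.h against the upstream one, move the differences into localoptions.h) as an added Python helper; it is not Dropbear's code nor part of this thread. The two header snippets are constructed samples, and it assumes an option keeps its old macro name in default_options.h, which should be checked there before the output is used.

```python
# Added helper (not Dropbear's code): derive localoptions.h from a customised options.h.
# Assumption: an option keeps its old macro name in default_options.h; verify it there.
import re
DEFINE_RE = re.compile(r'^\s*#\s*define\s+(\w+)(?:\s+(.*?))?\s*$')  # "#define NAME [VALUE]"
COMMENT_RE = re.compile(r'/\*.*?\*/|//.*$')                           # trailing comments

def parse_defines(text):
    """Active macro name -> value ("" if bare); commented-out #defines (old disable) skipped."""
    defines, in_block = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if in_block or stripped.startswith('/*'):   # inside, or opening, a /* ... */
            in_block = '*/' not in stripped
            continue
        m = DEFINE_RE.match(line)
        if m:
            defines[m.group(1)] = COMMENT_RE.sub('', m.group(2) or '').strip()
    return defines
def diff_options(upstream, custom):
    """(changed, added, removed) for the customised defines relative to upstream."""
    changed = {n: v for n, v in custom.items() if n in upstream and upstream[n] != v}
    added = {n: v for n, v in custom.items() if n not in upstream}
    removed = sorted(n for n in upstream if n not in custom)
    return changed, added, removed
def render_localoptions(changed, added, removed):
    """localoptions.h text; options disabled in the old file are flagged for review."""
    out = ['/* localoptions.h generated from a customised options.h */']
    for name, value in sorted({**changed, **added}.items()):
        out.append(f'#define {name} {value}'.rstrip())
    for name in removed:
        out.append(f'/* REVIEW: {name} was commented out in options.h; '
                   'set it to 0 here if default_options.h enables it */')
    return '\n'.join(out) + '\n'
def migrate(upstream_text, custom_text):
    return render_localoptions(*diff_options(parse_defines(upstream_text), parse_defines(custom_text)))

# Constructed samples standing in for the upstream and the customised options.h.
UPSTREAM_OPTIONS_H = """\
#define DROPBEAR_DEFPORT "22"
#define DROPBEAR_TWOFISH
#define MAX_AUTH_TRIES 10
"""
CUSTOM_OPTIONS_H = """\
#define DROPBEAR_DEFPORT "2222"
/* #define DROPBEAR_TWOFISH */
#define MAX_AUTH_TRIES 3 /* tightened */
#define DROPBEAR_SMALL_CODE
"""
print(migrate(UPSTREAM_OPTIONS_H, CUSTOM_OPTIONS_H))
```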