>From: "Burton, Ross"
>To: joseph-reyno...@charter.net
>Cc: "openembedded-core@lists.openembedded.org"
>Sent: Thursday September 13 2018 11:00:26AM
>Subject: Re: [OE-core] [PATCH v2] dropbear: disable medium-strength ssh ciphers
>
>This still can't be actually used, because dropbear won't be looking
>in the recipe folder and nothing puts that file into the source tree.
>Put a #error in it if you don't believe me. :)

Thanks for pointing that out. I had conflated the OE & Yocto recipes, then forgot to include the recipe change in my patch. My home project is actually https://github.com/openbmc/openbmc, so I set out to upstream this change to Yocto/Poky, OE, and Dropbear. Thanks for your patience, as this is my first attempt to upstream.

My second issue is creating a correct patch. I used git format-patch HEAD^ and then cut/paste the result into my web-based email reader. The patch appears correct, but the automation says my patch is malformed. I am still trying to enable sending plain-text email from my shell environment.

Finally, I want to change my approach. I had been updating the dropbear localoptions.h file to customize Dropbear's behavior. But I really want to change Dropbear's default behavior for everyone, which means I should update default_options.h and leave localoptions.h alone. I plan to create a pull request to update the Dropbear project default_options.h file, and a patch for openembedded-core to change the dropbear_2018.76.bb recipe to pick up the Dropbear patch.

- Joseph

>Ross
>
>
>On 12 September 2018 at 22:56, wrote: >> This changes the Dropbear SSH server configuration so it will not >> accept medium-strength encryption ciphers including: CBC mode, MD5, >> 96-bit MAC, and triple DES. This is consistent with the default >> supported OpenSSH ciphers. >> >> Upstream-Status: Pending >> >> Signed-off-by: Joseph Reynolds >> --- >> meta/recipes-core/dropbear/dropbear/localoptions.h | 8 ++++++++ >> 1 file changed, 8 insertions(+) >> create mode 100644 meta/recipes-core/dropbear/dropbear/localoptions.h >> >> diff --git a/meta/recipes-core/dropbear/dropbear/localoptions.h >> b/meta/recipes-core/dropbear/dropbear/localoptions.h >> new file mode 100644 >> index 0000000..ec48c26 >> --- /dev/null >> +++ b/meta/recipes-core/dropbear/dropbear/localoptions.h 
>> @@ -0,0 +1,8 @@ >> +/* Customize dropbear per default_options.h in the dropbear project */ >> + >> +/* Disable insecure ciphers */ >> +#define DROPBEAR_TWOFISH256 0 >> +#define DROPBEAR_TWOFISH128 0 >> +#define DROPBEAR_ENABLE_CBC_MODE 0 >> +#define DROPBEAR_SHA1_HMAC 0 >> +#define DROPBEAR_SHA1_96_HMAC 0 >> -- >> 1.8.3.1 >> >> >> --
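
Review bot: The defines in the new localoptions.h do not match the list in the commit message. The message names CBC mode, MD5, 96-bit MAC and triple DES, but the hunk sets DROPBEAR_TWOFISH256, DROPBEAR_TWOFISH128, DROPBEAR_ENABLE_CBC_MODE, DROPBEAR_SHA1_HMAC and DROPBEAR_SHA1_96_HMAC to 0: no line names MD5 or triple DES, while Twofish and the full-length SHA1 HMAC are turned off without being mentioned. Either add the options that cover MD5 and triple DES or reword the message so it lists exactly what is disabled, and adjust the in-file comment "Disable insecure ciphers" to match, since the last two defines are MACs rather than ciphers and the message describes the set as medium-strength. Separately, the diffstat reports "1 file changed", so no recipe change in this patch puts the header into the Dropbear source tree, which is the point raised in the reply; the recipe change belongs in the same patch.
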
--
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core