While this might not be 100% conforming to the ssh standard (?), it is
common practice.  DSA is considered weak [1] and e.g. OpenSSH deprecated
it with the 7.0 release back in 2015 [2].

dropbear states in its source: “DSS may be necessary to connect to some
systems though is not recommended for new keys”.

Furthermore: requiring both RSA _and_ DSS host keys increases the time to
generate keys a lot, making this unfortunate in bootstrapping embedded
targets.

[1] https://security.stackexchange.com/a/112818/43663
[2] https://lists.mindrot.org/pipermail/openssh-unix-announce/2015-August/000122.html

Signed-off-by: Alexander Dahl <a...@thorsis.com>
---

Notes:
    Consider this patch RFC, or just apply or drop it at will.

 rules/dropbear.in | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/rules/dropbear.in b/rules/dropbear.in
index fa6f283f1..107a11caf 100644
--- a/rules/dropbear.in
+++ b/rules/dropbear.in
@@ -284,6 +284,7 @@ comment "Hostkey/public key algorithms, at least one 
required --- SSH2 RFC Draft
 config DROPBEAR_RSA
        bool
        prompt "rsa"
+       default y
        help
          RSA was announced in 1978. The security of the RSA system
          is based upon the RSA Problem (RSAP). This problem is
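Review bot: `default y` on DROPBEAR_RSA is only a soft default, so after this hunk the comment in the hunk header ("at least one required") is no longer enforced for the symbols shown: a user can deselect "rsa" while "dss" is also off and end up with no host key algorithm at all. If that is acceptable, a one-line note in the RSA help text (e.g. "Recommended; at least one host key algorithm must be enabled") would make the new default's purpose visible in the menu.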
@@ -293,7 +294,6 @@ config DROPBEAR_RSA
 config DROPBEAR_DSS
        bool
        prompt "dss"
-       default y
        help
          DSS stands for Digital Signature Standard.
          DSS employs the ElGamal and Schnorr PK systems to produce
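Review bot: the DSS help text is left describing the algorithm neutrally even though the default is dropped here; since the commit message already quotes dropbear's own wording ("DSS may be necessary to connect to some systems though is not recommended for new keys"), consider adding that sentence to the help block so someone re-enabling "dss" in the menu sees why it is no longer on by default.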
@@ -349,7 +349,6 @@ config DROPBEAR_DROPBEAR
        default y
        select DROPBEAR_DROPBEAR_KEY
        select DROPBEAR_RSA
-       select DROPBEAR_DSS
        select BUSYBOX_START_STOP_DAEMON if BUSYBOX
        help
          Installs the dropbar server in /usr/sbin/dropbear on the target
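Review bot: dropping `select DROPBEAR_DSS` while keeping `select DROPBEAR_RSA` means the server target still forces one host key algorithm, which is good; but configurations that only had DROPBEAR_DSS via this select will silently lose their DSS host key after an oldconfig, so the commit message should say that existing targets needing DSS for legacy clients must now enable "dss" explicitly. Unrelated but adjacent: the context line reads "Installs the dropbar server", a pre-existing typo ("dropbear") that could be fixed in a follow-up.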
-- 
2.20.1


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de