While this might not be 100% conforming to the SSH standard (?), it is common practice. DSA is considered weak [1] and e.g. OpenSSH deprecated it with the 7.0 release back in 2015 [2].
dropbear states in its source: “DSS may be necessary to connect to some systems though is not recommended for new keys”. Furthermore: requiring both RSA _and_ DSS host keys increases the time to generate keys a lot, making this unfortunate in bootstrapping embedded targets.

[1] https://security.stackexchange.com/a/112818/43663
[2] https://lists.mindrot.org/pipermail/openssh-unix-announce/2015-August/000122.html

Signed-off-by: Alexander Dahl <[email protected]>
---
Notes:
    Consider this patch RFC, or just apply or drop it at will.

rules/dropbear.in | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/dropbear.in b/rules/dropbear.in index fa6f283f1..107a11caf 100644 --- a/rules/dropbear.in +++ b/rules/dropbear.in @@ -284,6 +284,7 @@ comment "Hostkey/public key algorithms, at least one required --- SSH2 RFC Draft config DROPBEAR_RSA bool prompt "rsa" + default y help RSA was announced in 1978. The security of the RSA system is based upon the RSA Problem (RSAP). This problem is @@ -293,7 +294,6 @@ config DROPBEAR_RSA config DROPBEAR_DSS bool prompt "dss" - default y help DSS stands for Digital Signature Standard. DSS employs the ElGamal and Schnorr PK systems to produce @@ -349,7 +349,6 @@ config DROPBEAR_DROPBEAR default y select DROPBEAR_DROPBEAR_KEY select DROPBEAR_RSA - select DROPBEAR_DSS select BUSYBOX_START_STOP_DAEMON if BUSYBOX help Installs the dropbar server in /usr/sbin/dropbear on the target -- 2.20.1
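
Review bot: In the first hunk (config DROPBEAR_RSA), the section comment still promises "at least one required", but nothing in the visible lines enforces it once DSS no longer defaults to y. The added "default y" only takes effect when DROPBEAR_DROPBEAR is off, because that symbol already selects DROPBEAR_RSA, so a build without the server can end up with RSA switched off by hand and, unless another entry in this section that is not shown here is enabled, no host key algorithm at all. Please say in the commit message which configurations the new default is meant for, and consider whether the "at least one" rule should be expressed as a dependency rather than a comment.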
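
Review bot: In the second hunk (config DROPBEAR_DSS), the help text is left describing DSS neutrally ("DSS stands for Digital Signature Standard. ...") even though the option now defaults to off for security reasons. Someone browsing the menu gets no hint why it is disabled or when to turn it on. Suggest adding a sentence to the help along the lines of the commit message: DSA is considered weak, OpenSSH deprecated it with 7.0, and it should only be enabled to interoperate with systems that need it.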
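
Review bot: In the third hunk (config DROPBEAR_DROPBEAR), dropping "select DROPBEAR_DSS" means a server can now be built without DSS support, but the diffstat shows only rules/dropbear.in changing. Since DROPBEAR_DROPBEAR_KEY is still selected, please confirm that whatever generates and installs the host keys on the target is conditional on DROPBEAR_DSS and does not still try to create or load a DSS key when the option is off. It is also worth stating in the commit message that configurations which already have DROPBEAR_DSS=y stored will keep it, so the change affects new configurations only. Unrelated to this change, the context line "Installs the dropbar server" has a typo that could be fixed in a follow-up.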
