Thanks, applied. Michael
[sent from post-receive hook] On Fri, 27 Mar 2020 10:52:15 +0100, Alexander Dahl <[email protected]> wrote: > While this might be not 100% conforming to ssh standard (?), it is > common practice. DSA is considered weak [1] and e.g. OpenSSH deprecated > it with the 7.0 release back in 2015 [2]. > > dropbear states in its source: “DSS may be necessary to connect to some > systems though is not recommended for new keys”. > > Furthermore: requiring both RSA _and_ DSS host keys, increases time to > generate keys a lot, making this unfortunate in bootstrapping embedded > targets. > > [1] https://security.stackexchange.com/a/112818/43663 > [2] > https://lists.mindrot.org/pipermail/openssh-unix-announce/2015-August/000122.html > > Signed-off-by: Alexander Dahl <[email protected]> > --- > > Notes: > Consider this patch RFC, or just apply or drop it at will. > > rules/dropbear.in | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git a/rules/dropbear.in b/rules/dropbear.in > index fa6f283f1..107a11caf 100644 > --- a/rules/dropbear.in > +++ b/rules/dropbear.in > @@ -284,6 +284,7 @@ comment "Hostkey/public key algorithms, at least one > required --- SSH2 RFC Draft > config DROPBEAR_RSA > bool > prompt "rsa" > + default y > help > RSA was announced in 1978. The security of the RSA system > is based upon the RSA Problem (RSAP). This problem is > @@ -293,7 +294,6 @@ config DROPBEAR_RSA > config DROPBEAR_DSS > bool > prompt "dss" > - default y > help > DSS stands for Digital Signature Standard. > DSS employs the ElGamal and Schnorr PK systems to produce > @@ -349,7 +349,6 @@ config DROPBEAR_DROPBEAR > default y > select DROPBEAR_DROPBEAR_KEY > select DROPBEAR_RSA > - select DROPBEAR_DSS > select BUSYBOX_START_STOP_DAEMON if BUSYBOX > help > Installs the dropbar server in /usr/sbin/dropbear on the target > _______________________________________________ ptxdist mailing list [email protected]
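Review bot: In the DROPBEAR_RSA hunk (`@@ -284,6 +284,7 @@`), the added `default y` is what now upholds the "at least one required" comment for configurations in which DROPBEAR_DROPBEAR, and with it `select DROPBEAR_RSA`, is off, because Kconfig does not enforce comments and DSS no longer defaults on; the commit message only argues against DSS and should state that this is why RSA picks up the default, otherwise a later cleanup may drop it as redundant with the select.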
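Review bot: Removing `default y` from DROPBEAR_DSS (`@@ -293,7 +294,6 @@`) leaves its help text ("DSS stands for Digital Signature Standard. DSS employs the ElGamal and Schnorr PK systems to produce ...") with no hint that the algorithm is deprecated; the dropbear quote from the commit message ("DSS may be necessary to connect to some systems though is not recommended for new keys") belongs in that help text so that anyone re-enabling it in menuconfig sees why it is off by default.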
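Review bot: Dropping `select DROPBEAR_DSS` from DROPBEAR_DROPBEAR (`@@ -349,7 +349,6 @@`) only affects new configurations: a saved ptxconfig that already has DROPBEAR_DSS=y keeps it, since the symbol still has a prompt and Kconfig preserves the stored value, so existing targets continue to generate and offer a DSS host key until someone disables the option by hand; if the intent is to retire DSS on existing targets as well, the commit message or the Notes should say that users must disable it themselves. Minor, in the unchanged context of the same hunk: "Installs the dropbar server" should read "dropbear".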
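The comment quoted in the first hunk says "at least one required", but Kconfig does not enforce comments, so once DSS no longer defaults on a configuration can end up selecting no host-key algorithm at all, and a configuration that still has DSS on carries the weakness the thread describes. The following is an added example, not ptxdist code and not part of the patch: a small POSIX shell lint that reads a ptxdist .config, fails when neither RSA nor DSS is enabled, and warns when DSS is. It assumes (not shown on the page) that ptxdist stores Kconfig symbols as PTXCONF_<SYMBOL>=y and disabled ones as "# PTXCONF_<SYMBOL> is not set"; the prefix is a variable so it can be changed. The sample .config fragments it checks are constructed inline.

```shell
#!/bin/sh
# Added example, not ptxdist code: lint a ptxdist .config for dropbear's
# host-key algorithm selection. rules/dropbear.in says "at least one required"
# but Kconfig does not enforce that comment, so after DSS stops defaulting to y
# a configuration can end up with no host-key algorithm at all.
#
# Assumption (not shown on the page): ptxdist stores Kconfig symbols in .config
# as PTXCONF_<SYMBOL>=y, with disabled ones as "# PTXCONF_<SYMBOL> is not set".
PREFIX="${PREFIX:-PTXCONF_}"
HOSTKEY_SYMS="RSA DSS"     # host-key symbols visible in the patch
DEPRECATED_SYMS="DSS"      # weak per the thread: accept, but warn

# hostkey_status CONFIGFILE
# Prints "OK <algos>", "WARN <algos>" (a deprecated algorithm is enabled) or
# "FAIL none"; returns 1 only for FAIL so it can gate a build.
hostkey_status() {
    cfg="$1"; enabled=""; status="OK"
    for sym in $HOSTKEY_SYMS; do
        # anchored match: a "# ... is not set" comment must not count as enabled
        if grep -q "^${PREFIX}DROPBEAR_${sym}=y\$" "$cfg"; then
            lc=$(printf '%s' "$sym" | tr 'A-Z' 'a-z')
            enabled="${enabled:+$enabled,}$lc"
            case " $DEPRECATED_SYMS " in *" $sym "*) status="WARN" ;; esac
        fi
    done
    if [ -z "$enabled" ]; then
        echo "FAIL none"
        return 1
    fi
    echo "$status $enabled"
}

# lint_sample KIND
# Writes a constructed .config fragment (rsa | rsa_dss | none) to a temp file,
# runs hostkey_status on it, prints the result and returns its status.
lint_sample() {
    f="${TMPDIR:-/tmp}/dropbear-lint-$1.$$"
    case "$1" in
        rsa)     printf '%s\n' "${PREFIX}DROPBEAR_DROPBEAR=y" \
                     "${PREFIX}DROPBEAR_RSA=y" \
                     "# ${PREFIX}DROPBEAR_DSS is not set" > "$f" ;;
        rsa_dss) printf '%s\n' "${PREFIX}DROPBEAR_DROPBEAR=y" \
                     "${PREFIX}DROPBEAR_RSA=y" \
                     "${PREFIX}DROPBEAR_DSS=y" > "$f" ;;
        none)    printf '%s\n' "${PREFIX}DROPBEAR=y" \
                     "# ${PREFIX}DROPBEAR_RSA is not set" \
                     "# ${PREFIX}DROPBEAR_DSS is not set" > "$f" ;;
        *)       echo "unknown sample: $1" >&2; return 2 ;;
    esac
    if hostkey_status "$f"; then rc=0; else rc=$?; fi
    rm -f "$f"
    return $rc
}

# Stand-alone run: show all three outcomes on the constructed samples.
for kind in rsa rsa_dss none; do
    printf '%-8s ' "$kind"
    lint_sample "$kind" || :
done
```

Against a real configuration, call `hostkey_status path/to/ptxconfig` from a build hook; the non-zero return on "FAIL none" stops the build before an image ships with a dropbear that has no host key to offer, and the WARN line gives a place to flag DSS during the transition the patch starts.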
