They're enabled by default in 2015.67 Cheers, Matt
On 7 February 2015 7:03:43 pm AWST, Richard Hansen <[email protected]> wrote: >** Description changed: > >+ [Impact] >+ > Since version 2013.56, dropbear has supported the hmac-sha2-256 and > hmac-sha2-512 MAC algorithms, but they are disabled by default. > According to the dropbear changelog, enabling them is a matter of > uncommenting the following two lines in options.h: > >- /*#define DROPBEAR_SHA2_256_HMAC*/ >- /*#define DROPBEAR_SHA2_512_HMAC*/ >+ /*#define DROPBEAR_SHA2_256_HMAC*/ >+ /*#define DROPBEAR_SHA2_512_HMAC*/ > > Due to recent NSA revelations, some people are recommending users > disable certain algorithms. If the recommendations at > <https://stribika.github.io/2015/01/04/secure-secure-shell.html> are >followed, there are no MAC algorithms left that dropbear supports >unless > hmac-sha2-256 and hmac-sha2-512 are enabled. >+ >+ [Test Case] >+ >+ Setup steps: >+ 1. install dropbear and openssh-client: >+ sudo apt-get install dropbear openssh-client >+ 2. if you have openssh-server installed, stop it: >+ sudo service ssh stop >+ 3. make sure that the dropbear service is enabled by editing >+ /etc/default/dropbear and setting the NO_START variable to 0 >like >+ this: >+ NO_START=0 >+ 4. start the dropbear service: >+ sudo service dropbear start >+ >+ Test steps: >+ 5. try the hmac-sha2-256 MAC: >+ ssh -o UserKnownHostsFile=/dev/null \ >+ -o MACs=hmac-sha2-256 localhost >+ 6. try the hmac-sha2-512 MAC: >+ ssh -o UserKnownHostsFile=/dev/null \ >+ -o MACs=hmac-sha2-512 localhost >+ >+ Cleanup steps: >+ 7. stop the dropbear service: >+ sudo service dropbear stop >+ 8. if you edited /etc/default/dropbear to enable the dropbear >+ service, disable it again by editing /etc/default/dropbear and >+ setting the NO_START variable to 1 like this: >+ NO_START=1 >+ 9. if you stopped the OpenSSH server, restart it: >+ sudo service ssh start >+ >+ [Regression Potential] >+ >+ * Due to being disabled by default upstream, the implementations of >+ the new MAC algorithms are probably not as well tested as the old >+ MAC algorithms. This may increase the likelihood of >compatibility >+ or security bugs. >+ * SSH clients are likely to prefer the new MAC algorithms over the >+ old MAC algorithms. If either the client or server has an >+ implementation bug, the ability to connect may be impaired unless >+ the user configures the client to disallow the new algorithms or >+ prefer the old algorithms (e.g., via the ssh_config "MACs" >+ directive in OpenSSH). >+ * The new MAC algorithms may negatively impact performance. > >-- >You received this bug notification because you are subscribed to >dropbear in Ubuntu. >https://bugs.launchpad.net/bugs/1409798 > >Title: > enable hmac-sha2-256, hmac-sha2-512 MAC algorithms > >To manage notifications about this bug go to: >https://bugs.launchpad.net/ubuntu/+source/dropbear/+bug/1409798/+subscriptions -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1409798 Title: enable hmac-sha2-256, hmac-sha2-512 MAC algorithms To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dropbear/+bug/1409798/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
