author | Konstantin Demin <rockdrilla@gmail.com> | 2024-01-09 03:40:01 +0300 |
---|---|---|
committer | Rui Salvaterra <rsalvaterra@gmail.com> | 2024-02-09 09:13:05 +0000 |
commit | 2d9a0be307b534ceb717267c95402d1d707cd2c3 (patch) | |
tree | 0a0dd7df15462b9c6690de518ad56a882da1c968 /package/network/services/dropbear | |
parent | 0b277f8659806f32d08dad081836523b93eee6b8 (diff) |
dropbear: disable two weak kex/mac algorithms

hmac-sha1 and diffie-hellman-group14-sha1 are weak algorithms.
A future deprecation notice of ssh-rsa (2048-bit) has been issued. [1]
It has no place in a potentially internet-facing daemon like dropbear.
Upstream has acknowledged this and offered this solution to disable
these two until this is made to be the default in the next release
of dropbear next year. [2]

1. https://www.openssh.com/txt/release-8.2
2. https://github.com/mkj/dropbear/issues/138

Signed-off-by: John Audia <therealgraysky@proton.me>
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>

Diffstat (limited to 'package/network/services/dropbear')
-rw-r--r-- | package/network/services/dropbear/Makefile | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index 75dee77af0..51961d3c3d 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile @@ -110,12 +110,16 @@ CONFIGURE_ARGS += \ # - DROPBEAR_CLI_NETCAT # - DROPBEAR_DSS # - DO_MOTD +# - DROPBEAR_DH_GROUP14_SHA1 +# - DROPBEAR_SHA1_HMAC DB_OPT_COMMON = \ !!LOCAL_IDENT,"SSH-2.0-dropbear" \ DEFAULT_PATH,"$(TARGET_INIT_PATH)" \ DROPBEAR_DSS,0 \ DROPBEAR_CLI_NETCAT,0 \ DO_MOTD,0 \ + DROPBEAR_DH_GROUP14_SHA1,0 \ + DROPBEAR_SHA1_HMAC,0 \ ############################################################################## |
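
Review bot: The two new DB_OPT_COMMON entries, `DROPBEAR_DH_GROUP14_SHA1,0` and `DROPBEAR_SHA1_HMAC,0`, are set unconditionally with no build-time switch, so any peer that only offers diffie-hellman-group14-sha1 or hmac-sha1 will fail negotiation after this change, and nothing in the Makefile tells a user why or how to get the algorithms back. Consider extending the comment block beside `# - DROPBEAR_DH_GROUP14_SHA1` and `# - DROPBEAR_SHA1_HMAC` with a one-line reason and the compatibility impact, or gating the two entries behind a package config option for builds that must talk to legacy peers. The commit message also cites the ssh-rsa deprecation notice, but no line in this hunk changes an RSA-related option, so the message should either say that ssh-rsa is left as is or drop that reference.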