From 2d9a0be307b534ceb717267c95402d1d707cd2c3 Mon Sep 17 00:00:00 2001 From: Konstantin Demin Date: Tue, 9 Jan 2024 03:40:01 +0300 Subject: [PATCH] dropbear: disable two weak kex/mac algorithms hmac-sha1 and diffie-hellman-group14-sha1 are weak algorithms. A future deprecation notice of ssh-rsa (2048-bit) has been issued. [1] It has no place in a potentially internet-facing daemon like dropbear. Upstream has acknowledged this and offered this solution to disable these two until this is made to be the default in the next release of dropbear next year. [2] 1. https://www.openssh.com/txt/release-8.2 2. https://github.com/mkj/dropbear/issues/138 Signed-off-by: John Audia Signed-off-by: Konstantin Demin --- package/network/services/dropbear/Makefile | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index 75dee77af0..51961d3c3d 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile @@ -110,12 +110,16 @@ CONFIGURE_ARGS += \ # - DROPBEAR_CLI_NETCAT # - DROPBEAR_DSS # - DO_MOTD +# - DROPBEAR_DH_GROUP14_SHA1 +# - DROPBEAR_SHA1_HMAC DB_OPT_COMMON = \ !!LOCAL_IDENT,"SSH-2.0-dropbear" \ DEFAULT_PATH,"$(TARGET_INIT_PATH)" \ DROPBEAR_DSS,0 \ DROPBEAR_CLI_NETCAT,0 \ DO_MOTD,0 \ + DROPBEAR_DH_GROUP14_SHA1,0 \ + DROPBEAR_SHA1_HMAC,0 \ ############################################################################## -- 2.30.2
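Review bot: The commit message cites the ssh-rsa deprecation notice [1], but neither of the two options disabled in this hunk (`DROPBEAR_DH_GROUP14_SHA1,0` and `DROPBEAR_SHA1_HMAC,0`) touches the ssh-rsa signature algorithm; they remove the SHA-1 key exchange and the SHA-1 MAC only. Either drop the ssh-rsa sentence from the message or state explicitly that the RSA/SHA-1 signature setting is out of scope for this change, so readers do not assume ssh-rsa is disabled by it. The message should also record the interoperability impact: clients that only offer diffie-hellman-group14-sha1 or hmac-sha1 will no longer be able to connect, which is the expected hardening outcome but should be visible to anyone bisecting a connection failure to this commit. The added comment lines under `# - DO_MOTD` match the existing list of overridden options, which is good.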