From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from mail.thorsis.com ([92.198.35.195]) by metis.ext.pengutronix.de with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1kaaOJ-0003Ph-Gn for ptxdist@pengutronix.de; Thu, 05 Nov 2020 09:13:08 +0100 Received: from localhost (localhost [127.0.0.1]) by mail.thorsis.com (Postfix) with ESMTP id B920F3F08 for ; Thu, 5 Nov 2020 09:13:06 +0100 (CET) Received: from mail.thorsis.com ([127.0.0.1]) by localhost (mail.thorsis.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FlK717O8XtPE for ; Thu, 5 Nov 2020 09:13:06 +0100 (CET) Received: from adahl by ada.ifak-system.com with local (Exim 4.92) (envelope-from ) id 1kaaOE-0001m0-D4 for ptxdist@pengutronix.de; Thu, 05 Nov 2020 09:13:02 +0100 From: Alexander Dahl Date: Thu, 5 Nov 2020 09:13:00 +0100 Message-Id: <20201105081302.6770-3-ada@thorsis.com> In-Reply-To: <20201105081302.6770-1-ada@thorsis.com> References: <20201105081302.6770-1-ada@thorsis.com> Subject: [ptxdist] [PATCH 2/4] dropbear: Revise comments List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: ptxdist@pengutronix.de MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ptxdist-bounces@pengutronix.de Sender: "ptxdist" To: ptxdist@pengutronix.de Add more section markers and update recommendations based on upstream's 'default_options.h' file. Signed-off-by: Alexander Dahl --- rules/dropbear.in | 12 +++++++----- rules/dropbear.make | 18 +++++++++++------- 2 files changed, 18 insertions(+), 12 deletions(-) diff --git a/rules/dropbear.in b/rules/dropbear.in index 62a4a8427..d01f2c73e 100644 --- a/rules/dropbear.in +++ b/rules/dropbear.in 
@@ -219,7 +219,7 @@ config DROPBEAR_CTR_CIPHERS CBC mode against certain attacks. This adds around 1kB to binary size and is recommended for most cases. -comment "Integrity, at least one required --- RFC Draft requires sha1-hmac and recommends sha1-96" +comment "Integrity, at least one required --- sha2-256 is recommended as a default, sha1 for compatibility" config DROPBEAR_SHA1 bool @@ -273,13 +273,13 @@ config DROPBEAR_SHA512 config DROPBEAR_MD5 bool - prompt "md5" + prompt "md5 (not recommended!)" help MD5 was developed by Professor Ronald L. Rivest in 1994. Its 128 bit (16 byte) message digest makes it a faster implementation than SHA-1. -comment "Hostkey/public key algorithms, at least one required --- SSH2 RFC Draft requires dss, recommends rsa" +comment "Hostkey/public key algorithms, at least one required --- RSA is recommended, DSS is not recommended for new keys" config DROPBEAR_RSA bool @@ -293,7 +293,7 @@ config DROPBEAR_RSA config DROPBEAR_DSS bool - prompt "dss" + prompt "dss (not recommended!)" help DSS stands for Digital Signature Standard. DSS employs the ElGamal and Schnorr PK systems to produce @@ -308,6 +308,8 @@ config DROPBEAR_ECDSA ECDSA stands for Elliptic Curve Digital Signature Algorithm. ECDSA is significantly faster than RSA or DSS. +comment "Key exchange algorithm ---" + config DROPBEAR_ECDH bool prompt "ecdh" @@ -377,7 +379,7 @@ config DROPBEAR_SCP comment "OpenSSH scp is selected!" depends on OPENSSH_SCP -comment "runtime options ---" +comment "runtime options ---" config DROPBEAR_STARTSCRIPT bool diff --git a/rules/dropbear.make b/rules/dropbear.make index acd9ef5f9..4f55fac48 100644 --- a/rules/dropbear.make +++ b/rules/dropbear.make @@ -67,6 +67,7 @@ $(STATEDIR)/dropbear.prepare: @echo "/* localoptions.h created by ptxdist */" > $(DROPBEAR_LOCALOPTIONS) +# features ifdef PTXCONF_DROPBEAR_DIS_X11 @echo "ptxdist: disabling x11 forwarding" @echo "#define DROPBEAR_X11FWD 0" >> $(DROPBEAR_LOCALOPTIONS) 
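Review bot: The `md5 (not recommended!)` prompt in the `@@ -273,13 +273,13 @@` hunk of rules/dropbear.in now warns against the option, but the unchanged help text below it still only presents MD5 as faster than SHA-1 and gives no reason for the warning. I would add a sentence to the help, for example `MD5 is no longer considered collision resistant; enable it only for peers that offer no SHA based MAC.` The same applies to `dss (not recommended!)` in the `@@ -293,7 +293,7 @@` hunk, where the help could repeat the new section comment: `Not recommended for new keys; enable only to reach systems that offer nothing else.` Neither hunk shows a `default` line, so it is worth checking that the defaults of both options agree with the new recommendation.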
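Review bot: The new `# features` marker in the `@@ -67,6 +67,7 @@` hunk of rules/dropbear.make does not say that the options below it are opt-out. In the following hunks the `ifdef PTXCONF_DROPBEAR_DIS_TCP` and `ifdef PTXCONF_DROPBEAR_DIS_AGENT` branches write `0` and their `else` branches write `1`, so TCP and agent forwarding are compiled in unless the DIS option is set; the X11 `else` branch is outside the visible lines but presumably follows the same pattern. Since forwarding widens what an SSH session can reach, I would spell that out in the marker, e.g. `# features (forwarding stays enabled unless the matching DIS_ option is set)`. The recipe of `$(STATEDIR)/dropbear.prepare` starts and ends outside the hunk.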
@@ -76,13 +77,13 @@ else endif ifdef PTXCONF_DROPBEAR_DIS_TCP - @echo "ptxdist: disabling tcp" + @echo "ptxdist: disabling tcp forwarding" @echo "#define DROPBEAR_CLI_LOCALTCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS) @echo "#define DROPBEAR_CLI_REMOTETCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS) @echo "#define DROPBEAR_SVR_LOCALTCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS) @echo "#define DROPBEAR_SVR_REMOTETCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS) else - @echo "ptxdist: enabling tcp" + @echo "ptxdist: enabling tcp forwarding" @echo "#define DROPBEAR_CLI_LOCALTCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS) @echo "#define DROPBEAR_CLI_REMOTETCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS) @echo "#define DROPBEAR_SVR_LOCALTCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS) @@ -90,16 +91,16 @@ else endif ifdef PTXCONF_DROPBEAR_DIS_AGENT - @echo "ptxdist: disabling agent" + @echo "ptxdist: disabling auth agent forwarding" @echo "#define DROPBEAR_SVR_AGENTFWD 0" >> $(DROPBEAR_LOCALOPTIONS) @echo "#define DROPBEAR_CLI_AGENTFWD 0" >> $(DROPBEAR_LOCALOPTIONS) else - @echo "ptxdist: enabling agent" + @echo "ptxdist: enabling auth agent forwarding" @echo "#define DROPBEAR_SVR_AGENTFWD 1" >> $(DROPBEAR_LOCALOPTIONS) @echo "#define DROPBEAR_CLI_AGENTFWD 1" >> $(DROPBEAR_LOCALOPTIONS) endif - +# encryption ifdef PTXCONF_DROPBEAR_AES128 @echo "ptxdist: enabling aes128" @echo "#define DROPBEAR_AES128 1" >> $(DROPBEAR_LOCALOPTIONS) @@ -148,6 +149,7 @@ else @echo "#define DROPBEAR_TWOFISH128 0" >> $(DROPBEAR_LOCALOPTIONS) endif +# ciphers ifdef PTXCONF_DROPBEAR_CBC_CIPHERS @echo "ptxdist: enabling cbc ciphers" @echo "#define DROPBEAR_ENABLE_CBC_MODE 1" >> $(DROPBEAR_LOCALOPTIONS) @@ -165,6 +167,7 @@ else @echo "#define DROPBEAR_ENABLE_CTR_MODE 0" >> $(DROPBEAR_LOCALOPTIONS) endif +# integrity ifdef PTXCONF_DROPBEAR_SHA1 @echo "ptxdist: enabling sha1" @echo "#define DROPBEAR_SHA1_HMAC 1" >> $(DROPBEAR_LOCALOPTIONS) 
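Review bot: The `# ciphers` marker added in the `@@ -148,6 +149,7 @@` hunk sits above `PTXCONF_DROPBEAR_CBC_CIPHERS` and the CTR option, which select cipher modes, while the ciphers themselves (aes128, twofish128 and so on) are under the `# encryption` marker added in the `@@ -90,16 +91,16 @@` hunk. I would rename it to `# cipher modes` so the two sections are not confused when someone audits which algorithms end up in localoptions.h.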
@@ -210,7 +213,7 @@ else @echo "#define DROPBEAR_MD5_HMAC 0" >> $(DROPBEAR_LOCALOPTIONS) endif - +# host key / public key ifdef PTXCONF_DROPBEAR_RSA @echo "ptxdist: enabling rsa" @echo "#define DROPBEAR_RSA 1" >> $(DROPBEAR_LOCALOPTIONS) @@ -235,6 +238,7 @@ else @echo "#define DROPBEAR_ECDSA 0" >> $(DROPBEAR_LOCALOPTIONS) endif +# key exchange algorithm ifdef PTXCONF_DROPBEAR_ECDH @echo "ptxdist: enabling ecdh" @echo "#define DROPBEAR_ECDH 1" >> $(DROPBEAR_LOCALOPTIONS) @@ -251,7 +255,7 @@ else @echo "#define DROPBEAR_CURVE25519 0" >> $(DROPBEAR_LOCALOPTIONS) endif - +# authentication types ifdef PTXCONF_DROPBEAR_PASSWD @echo "ptxdist: enabling passwd" @echo "#define DROPBEAR_SVR_PASSWORD_AUTH 1" >> $(DROPBEAR_LOCALOPTIONS) -- 2.27.0 _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de