From: Michael Olbrich <m.olbrich@pengutronix.de>
To: ptxdist@pengutronix.de
Subject: Re: [ptxdist] [PATCH v2 2/4] dropbear: Revise comments
Date: Fri, 13 Nov 2020 09:32:39 +0100 [thread overview]
Message-ID: <20201113083238.GA3748985@dude03.red.stw.pengutronix.de> (raw)
In-Reply-To: <20201106065811.1138-3-ada@thorsis.com>
On Fri, Nov 06, 2020 at 07:58:09AM +0100, Alexander Dahl wrote:
> Add more section markers and update recommendations based on upstream's
> 'default_options.h' file.
>
> Signed-off-by: Alexander Dahl <ada@thorsis.com>
> ---
> rules/dropbear.in | 12 +++++++-----
> rules/dropbear.make | 18 +++++++++++-------
> 2 files changed, 18 insertions(+), 12 deletions(-)
>
> diff --git a/rules/dropbear.in b/rules/dropbear.in
> index 62a4a8427..d01f2c73e 100644
> --- a/rules/dropbear.in
> +++ b/rules/dropbear.in
> @@ -219,7 +219,7 @@ config DROPBEAR_CTR_CIPHERS
> CBC mode against certain attacks. This adds around 1kB to binary
> size and is recommended for most cases.
>
> -comment "Integrity, at least one required --- RFC Draft requires sha1-hmac and recommends sha1-96"
> +comment "Integrity, at least one required --- sha2-256 is recommended as a default, sha1 for compatibility"
>
> config DROPBEAR_SHA1
> bool
> @@ -273,13 +273,13 @@ config DROPBEAR_SHA512
>
> config DROPBEAR_MD5
> bool
> - prompt "md5"
> + prompt "md5 (not recommended!)"
> help
> MD5 was developed by Professor Ronald L. Rivest in 1994.
> Its 128 bit (16 byte) message digest makes it a faster
> implementation than SHA-1.
>
> -comment "Hostkey/public key algorithms, at least one required --- SSH2 RFC Draft requires dss, recommends rsa"
> +comment "Hostkey/public key algorithms, at least one required --- RSA is recommended, DSS is not recommended for new keys"
>
> config DROPBEAR_RSA
> bool
> @@ -293,7 +293,7 @@ config DROPBEAR_RSA
>
> config DROPBEAR_DSS
> bool
> - prompt "dss"
> + prompt "dss (not recommended!)"
Hmm, I'll take the patch as is, unless some other issues pop up. But what
do you think about removing the DES and MD5 options entirely? I mean doing
ssh with either is really pointless.
Michael
> help
> DSS stands for Digital Signature Standard.
> DSS employs the ElGamal and Schnorr PK systems to produce
> @@ -308,6 +308,8 @@ config DROPBEAR_ECDSA
> ECDSA stands for Elliptic Curve Digital Signature Algorithm.
> ECDSA is significantly faster than RSA or DSS.
>
> +comment "Key exchange algorithm ---"
> +
> config DROPBEAR_ECDH
> bool
> prompt "ecdh"
> @@ -377,7 +379,7 @@ config DROPBEAR_SCP
> comment "OpenSSH scp is selected!"
> depends on OPENSSH_SCP
>
> -comment "runtime options ---"
> +comment "runtime options ---"
>
> config DROPBEAR_STARTSCRIPT
> bool
> diff --git a/rules/dropbear.make b/rules/dropbear.make
> index acd9ef5f9..4f55fac48 100644
> --- a/rules/dropbear.make
> +++ b/rules/dropbear.make
> @@ -67,6 +67,7 @@ $(STATEDIR)/dropbear.prepare:
>
> @echo "/* localoptions.h created by ptxdist */" > $(DROPBEAR_LOCALOPTIONS)
>
> +# features
> ifdef PTXCONF_DROPBEAR_DIS_X11
> @echo "ptxdist: disabling x11 forwarding"
> @echo "#define DROPBEAR_X11FWD 0" >> $(DROPBEAR_LOCALOPTIONS)
> @@ -76,13 +77,13 @@ else
> endif
>
> ifdef PTXCONF_DROPBEAR_DIS_TCP
> - @echo "ptxdist: disabling tcp"
> + @echo "ptxdist: disabling tcp forwarding"
> @echo "#define DROPBEAR_CLI_LOCALTCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
> @echo "#define DROPBEAR_CLI_REMOTETCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
> @echo "#define DROPBEAR_SVR_LOCALTCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
> @echo "#define DROPBEAR_SVR_REMOTETCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
> else
> - @echo "ptxdist: enabling tcp"
> + @echo "ptxdist: enabling tcp forwarding"
> @echo "#define DROPBEAR_CLI_LOCALTCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
> @echo "#define DROPBEAR_CLI_REMOTETCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
> @echo "#define DROPBEAR_SVR_LOCALTCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
> @@ -90,16 +91,16 @@ else
> endif
>
> ifdef PTXCONF_DROPBEAR_DIS_AGENT
> - @echo "ptxdist: disabling agent"
> + @echo "ptxdist: disabling auth agent forwarding"
> @echo "#define DROPBEAR_SVR_AGENTFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
> @echo "#define DROPBEAR_CLI_AGENTFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
> else
> - @echo "ptxdist: enabling agent"
> + @echo "ptxdist: enabling auth agent forwarding"
> @echo "#define DROPBEAR_SVR_AGENTFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
> @echo "#define DROPBEAR_CLI_AGENTFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
> endif
>
> -
> +# encryption
> ifdef PTXCONF_DROPBEAR_AES128
> @echo "ptxdist: enabling aes128"
> @echo "#define DROPBEAR_AES128 1" >> $(DROPBEAR_LOCALOPTIONS)
> @@ -148,6 +149,7 @@ else
> @echo "#define DROPBEAR_TWOFISH128 0" >> $(DROPBEAR_LOCALOPTIONS)
> endif
>
> +# ciphers
> ifdef PTXCONF_DROPBEAR_CBC_CIPHERS
> @echo "ptxdist: enabling cbc ciphers"
> @echo "#define DROPBEAR_ENABLE_CBC_MODE 1" >> $(DROPBEAR_LOCALOPTIONS)
> @@ -165,6 +167,7 @@ else
> @echo "#define DROPBEAR_ENABLE_CTR_MODE 0" >> $(DROPBEAR_LOCALOPTIONS)
> endif
>
> +# integrity
> ifdef PTXCONF_DROPBEAR_SHA1
> @echo "ptxdist: enabling sha1"
> @echo "#define DROPBEAR_SHA1_HMAC 1" >> $(DROPBEAR_LOCALOPTIONS)
> @@ -210,7 +213,7 @@ else
> @echo "#define DROPBEAR_MD5_HMAC 0" >> $(DROPBEAR_LOCALOPTIONS)
> endif
>
> -
> +# host key / public key
> ifdef PTXCONF_DROPBEAR_RSA
> @echo "ptxdist: enabling rsa"
> @echo "#define DROPBEAR_RSA 1" >> $(DROPBEAR_LOCALOPTIONS)
> @@ -235,6 +238,7 @@ else
> @echo "#define DROPBEAR_ECDSA 0" >> $(DROPBEAR_LOCALOPTIONS)
> endif
>
> +# key exchange algorithm
> ifdef PTXCONF_DROPBEAR_ECDH
> @echo "ptxdist: enabling ecdh"
> @echo "#define DROPBEAR_ECDH 1" >> $(DROPBEAR_LOCALOPTIONS)
> @@ -251,7 +255,7 @@ else
> @echo "#define DROPBEAR_CURVE25519 0" >> $(DROPBEAR_LOCALOPTIONS)
> endif
>
> -
> +# authentication types
> ifdef PTXCONF_DROPBEAR_PASSWD
> @echo "ptxdist: enabling passwd"
> @echo "#define DROPBEAR_SVR_PASSWORD_AUTH 1" >> $(DROPBEAR_LOCALOPTIONS)
> --
> 2.27.0
>
>
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
>
_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
next prev parent reply other threads:[~2020-11-13 8:32 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-11-06 6:58 [ptxdist] [PATCH v2 0/4] dropbear: version bump 2019.78 -> 2020.81 Alexander Dahl
2020-11-06 6:58 ` [ptxdist] [PATCH v2 1/4] dropbear: Consider licenses of bundled libs Alexander Dahl
2020-11-06 6:58 ` [ptxdist] [PATCH v2 2/4] dropbear: Revise comments Alexander Dahl
2020-11-13 8:32 ` Michael Olbrich [this message]
2020-11-06 6:58 ` [ptxdist] [PATCH v2 3/4] dropbear: version bump 2019.78 -> 2020.79 Alexander Dahl
2020-11-06 6:58 ` [ptxdist] [PATCH v2 4/4] dropbear: version bump 2020.79 -> 2020.81 Alexander Dahl
2020-11-13 10:26 ` Michael Olbrich
2020-11-13 13:28 ` Alexander Dahl
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201113083238.GA3748985@dude03.red.stw.pengutronix.de \
--to=m.olbrich@pengutronix.de \
--cc=ptxdist@pengutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox