From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from [2a0a:edc0:0:1101:1d::39] (helo=dude03.red.stw.pengutronix.de) by metis.ext.pengutronix.de with esmtps (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1kdUVb-0004je-Iu for ptxdist@pengutronix.de; Fri, 13 Nov 2020 09:32:40 +0100 Received: from mol by dude03.red.stw.pengutronix.de with local (Exim 4.92) (envelope-from ) id 1kdUVb-00FcD8-18 for ptxdist@pengutronix.de; Fri, 13 Nov 2020 09:32:39 +0100 Date: Fri, 13 Nov 2020 09:32:39 +0100 From: Michael Olbrich Message-ID: <20201113083238.GA3748985@dude03.red.stw.pengutronix.de> References: <20201106065811.1138-1-ada@thorsis.com> <20201106065811.1138-3-ada@thorsis.com> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20201106065811.1138-3-ada@thorsis.com> Subject: Re: [ptxdist] [PATCH v2 2/4] dropbear: Revise comments List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: ptxdist@pengutronix.de Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ptxdist-bounces@pengutronix.de Sender: "ptxdist" To: ptxdist@pengutronix.de On Fri, Nov 06, 2020 at 07:58:09AM +0100, Alexander Dahl wrote: > Add more section markers and update recommendations based on upstream's > 'default_options.h' file. > > Signed-off-by: Alexander Dahl > --- > rules/dropbear.in | 12 +++++++----- > rules/dropbear.make | 18 +++++++++++------- > 2 files changed, 18 insertions(+), 12 deletions(-) > > diff --git a/rules/dropbear.in b/rules/dropbear.in > index 62a4a8427..d01f2c73e 100644 > --- a/rules/dropbear.in > +++ b/rules/dropbear.in 
> @@ -219,7 +219,7 @@ config DROPBEAR_CTR_CIPHERS > CBC mode against certain attacks. This adds around 1kB to binary > size and is recommended for most cases. > > -comment "Integrity, at least one required --- RFC Draft requires sha1-hmac and recommends sha1-96" > +comment "Integrity, at least one required --- sha2-256 is recommended as a default, sha1 for compatibility" > > config DROPBEAR_SHA1 > bool > @@ -273,13 +273,13 @@ config DROPBEAR_SHA512 > > config DROPBEAR_MD5 > bool > - prompt "md5" > + prompt "md5 (not recommended!)" > help > MD5 was developed by Professor Ronald L. Rivest in 1994. > Its 128 bit (16 byte) message digest makes it a faster > implementation than SHA-1. > > -comment "Hostkey/public key algorithms, at least one required --- SSH2 RFC Draft requires dss, recommends rsa" > +comment "Hostkey/public key algorithms, at least one required --- RSA is recommended, DSS is not recommended for new keys" > > config DROPBEAR_RSA > bool > @@ -293,7 +293,7 @@ config DROPBEAR_RSA > > config DROPBEAR_DSS > bool > - prompt "dss" > + prompt "dss (not recommended!)" Hmm, I'll take the patch as is, unless some other issues pop up. But what do you think about removing the DES and MD5 options entirely? I mean doing ssh with either is really pointless. Michael > help > DSS stands for Digital Signature Standard. > DSS employs the ElGamal and Schnorr PK systems to produce > @@ -308,6 +308,8 @@ config DROPBEAR_ECDSA > ECDSA stands for Elliptic Curve Digital Signature Algorithm. > ECDSA is significantly faster than RSA or DSS. > > +comment "Key exchange algorithm ---" > + > config DROPBEAR_ECDH > bool > prompt "ecdh" > @@ -377,7 +379,7 @@ config DROPBEAR_SCP > comment "OpenSSH scp is selected!" > depends on OPENSSH_SCP > > -comment "runtime options ---" > +comment "runtime options ---" > > config DROPBEAR_STARTSCRIPT > bool > diff --git a/rules/dropbear.make b/rules/dropbear.make > index acd9ef5f9..4f55fac48 100644 > --- a/rules/dropbear.make 
> +++ b/rules/dropbear.make > @@ -67,6 +67,7 @@ $(STATEDIR)/dropbear.prepare: > > @echo "/* localoptions.h created by ptxdist */" > $(DROPBEAR_LOCALOPTIONS) > > +# features > ifdef PTXCONF_DROPBEAR_DIS_X11 > @echo "ptxdist: disabling x11 forwarding" > @echo "#define DROPBEAR_X11FWD 0" >> $(DROPBEAR_LOCALOPTIONS) > @@ -76,13 +77,13 @@ else > endif > > ifdef PTXCONF_DROPBEAR_DIS_TCP > - @echo "ptxdist: disabling tcp" > + @echo "ptxdist: disabling tcp forwarding" > @echo "#define DROPBEAR_CLI_LOCALTCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS) > @echo "#define DROPBEAR_CLI_REMOTETCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS) > @echo "#define DROPBEAR_SVR_LOCALTCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS) > @echo "#define DROPBEAR_SVR_REMOTETCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS) > else > - @echo "ptxdist: enabling tcp" > + @echo "ptxdist: enabling tcp forwarding" > @echo "#define DROPBEAR_CLI_LOCALTCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS) > @echo "#define DROPBEAR_CLI_REMOTETCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS) > @echo "#define DROPBEAR_SVR_LOCALTCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS) > @@ -90,16 +91,16 @@ else > endif > > ifdef PTXCONF_DROPBEAR_DIS_AGENT > - @echo "ptxdist: disabling agent" > + @echo "ptxdist: disabling auth agent forwarding" > @echo "#define DROPBEAR_SVR_AGENTFWD 0" >> $(DROPBEAR_LOCALOPTIONS) > @echo "#define DROPBEAR_CLI_AGENTFWD 0" >> $(DROPBEAR_LOCALOPTIONS) > else > - @echo "ptxdist: enabling agent" > + @echo "ptxdist: enabling auth agent forwarding" > @echo "#define DROPBEAR_SVR_AGENTFWD 1" >> $(DROPBEAR_LOCALOPTIONS) > @echo "#define DROPBEAR_CLI_AGENTFWD 1" >> $(DROPBEAR_LOCALOPTIONS) > endif > > - > +# encryption > ifdef PTXCONF_DROPBEAR_AES128 > @echo "ptxdist: enabling aes128" > @echo "#define DROPBEAR_AES128 1" >> $(DROPBEAR_LOCALOPTIONS) 
> @@ -148,6 +149,7 @@ else > @echo "#define DROPBEAR_TWOFISH128 0" >> $(DROPBEAR_LOCALOPTIONS) > endif > > +# ciphers > ifdef PTXCONF_DROPBEAR_CBC_CIPHERS > @echo "ptxdist: enabling cbc ciphers" > @echo "#define DROPBEAR_ENABLE_CBC_MODE 1" >> $(DROPBEAR_LOCALOPTIONS) > @@ -165,6 +167,7 @@ else > @echo "#define DROPBEAR_ENABLE_CTR_MODE 0" >> $(DROPBEAR_LOCALOPTIONS) > endif > > +# integrity > ifdef PTXCONF_DROPBEAR_SHA1 > @echo "ptxdist: enabling sha1" > @echo "#define DROPBEAR_SHA1_HMAC 1" >> $(DROPBEAR_LOCALOPTIONS) > @@ -210,7 +213,7 @@ else > @echo "#define DROPBEAR_MD5_HMAC 0" >> $(DROPBEAR_LOCALOPTIONS) > endif > > - > +# host key / public key > ifdef PTXCONF_DROPBEAR_RSA > @echo "ptxdist: enabling rsa" > @echo "#define DROPBEAR_RSA 1" >> $(DROPBEAR_LOCALOPTIONS) > @@ -235,6 +238,7 @@ else > @echo "#define DROPBEAR_ECDSA 0" >> $(DROPBEAR_LOCALOPTIONS) > endif > > +# key exchange algorithm > ifdef PTXCONF_DROPBEAR_ECDH > @echo "ptxdist: enabling ecdh" > @echo "#define DROPBEAR_ECDH 1" >> $(DROPBEAR_LOCALOPTIONS) > @@ -251,7 +255,7 @@ else > @echo "#define DROPBEAR_CURVE25519 0" >> $(DROPBEAR_LOCALOPTIONS) > endif > > - > +# authentication types > ifdef PTXCONF_DROPBEAR_PASSWD > @echo "ptxdist: enabling passwd" > @echo "#define DROPBEAR_SVR_PASSWORD_AUTH 1" >> $(DROPBEAR_LOCALOPTIONS) > -- > 2.27.0 > > > _______________________________________________ > ptxdist mailing list > ptxdist@pengutronix.de > To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de > _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
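Review bot: in the rules/dropbear.in hunk at @@ -273,13 +273,13 @@, the new prompt "md5 (not recommended!)" gives the user no reason, while the unchanged help text still advertises MD5 on speed ("makes it a faster implementation than SHA-1"); add a sentence to the help saying that hmac-md5 is only kept for legacy peers and that sha2-256 should be selected instead, in line with the section comment above it. While touching that help, "in 1994" looks off as well: RFC 1321 dates MD5 to April 1992.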
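Review bot: same point for the rules/dropbear.in hunk at @@ -293,7 +293,7 @@, where "dss (not recommended!)" is paired with help text that only explains what DSS is; state why it is discouraged (ssh-dss keys are limited to 1024 bit and OpenSSH has disabled the algorithm by default since 7.0) so that a user can judge whether they must keep it for an existing peer or can drop it.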
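Review bot: the new marker in the rules/dropbear.in hunk at @@ -308,6 +308,8 @@ reads "Key exchange algorithm ---" while the neighbouring section comments all say "at least one required"; key exchange is no different, as no session can be negotiated without a kex method, so "Key exchange algorithms, at least one required ---" keeps the wording consistent and warns anyone who disables both ecdh and curve25519.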
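Review bot: in the rules/dropbear.in hunk at @@ -377,7 +379,7 @@ the removed and added line read identically, so the change must be whitespace only (presumably a trailing blank); either mention the whitespace cleanup in the commit message, which currently only speaks of section markers and recommendations, or drop the hunk, since nobody reading the diff or git blame can see what changed.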
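Review bot: in the rules/dropbear.make hunk at @@ -148,6 +149,7 @@ the new "# ciphers" marker sits above the CBC/CTR mode switches, while the actual ciphers (aes128 through twofish128) are filed under "# encryption" one hunk earlier; renaming this one to "# cipher modes" (and the earlier one to "# ciphers" if you prefer) makes the .make markers match the section comments in dropbear.in and stops a reader grepping for the cipher list from landing on the mode options.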