From mboxrd@z Thu Jan  1 00:00:00 1970
Return-path: <ptxdist-bounces@pengutronix.de>
Received: from [2a0a:edc0:0:1101:1d::39] (helo=dude03.red.stw.pengutronix.de)
 by metis.ext.pengutronix.de with esmtps
 (TLS1.3:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92)
 (envelope-from <mol@pengutronix.de>) id 1kdUVb-0004je-Iu
 for ptxdist@pengutronix.de; Fri, 13 Nov 2020 09:32:40 +0100
Received: from mol by dude03.red.stw.pengutronix.de with local (Exim 4.92)
 (envelope-from <mol@dude03.red.stw.pengutronix.de>)
 id 1kdUVb-00FcD8-18
 for ptxdist@pengutronix.de; Fri, 13 Nov 2020 09:32:39 +0100
Date: Fri, 13 Nov 2020 09:32:39 +0100
From: Michael Olbrich <m.olbrich@pengutronix.de>
Message-ID: <20201113083238.GA3748985@dude03.red.stw.pengutronix.de>
References: <20201106065811.1138-1-ada@thorsis.com>
 <20201106065811.1138-3-ada@thorsis.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <20201106065811.1138-3-ada@thorsis.com>
Subject: Re: [ptxdist] [PATCH v2 2/4] dropbear: Revise comments
List-Id: PTXdist Development Mailing List <ptxdist.pengutronix.de>
List-Unsubscribe: <http://metis.pengutronix.de/cgi-bin/mailman/options/ptxdist>, 
 <mailto:ptxdist-request@pengutronix.de?subject=unsubscribe>
List-Archive: <http://metis.pengutronix.de/cgi-bin/mailman/private/ptxdist/>
List-Post: <mailto:ptxdist@pengutronix.de>
List-Help: <mailto:ptxdist-request@pengutronix.de?subject=help>
List-Subscribe: <http://metis.pengutronix.de/cgi-bin/mailman/listinfo/ptxdist>, 
 <mailto:ptxdist-request@pengutronix.de?subject=subscribe>
Reply-To: ptxdist@pengutronix.de
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: ptxdist-bounces@pengutronix.de
Sender: "ptxdist" <ptxdist-bounces@pengutronix.de>
To: ptxdist@pengutronix.de

On Fri, Nov 06, 2020 at 07:58:09AM +0100, Alexander Dahl wrote:
> Add more section markers and update recommendations based on upstream's
> 'default_options.h' file.
> 
> Signed-off-by: Alexander Dahl <ada@thorsis.com>
> ---
>  rules/dropbear.in   | 12 +++++++-----
>  rules/dropbear.make | 18 +++++++++++-------
>  2 files changed, 18 insertions(+), 12 deletions(-)
> 
> diff --git a/rules/dropbear.in b/rules/dropbear.in
> index 62a4a8427..d01f2c73e 100644
> --- a/rules/dropbear.in
> +++ b/rules/dropbear.in
> @@ -219,7 +219,7 @@ config DROPBEAR_CTR_CIPHERS
>  	  CBC mode against certain attacks. This adds around 1kB to binary
>  	  size and is recommended for most cases.
>  
> -comment "Integrity, at least one required --- RFC Draft requires sha1-hmac and recommends sha1-96"
> +comment "Integrity, at least one required --- sha2-256 is recommended as a default, sha1 for compatibility"
>  
>  config DROPBEAR_SHA1
>  	bool
> @@ -273,13 +273,13 @@ config DROPBEAR_SHA512
>  
>  config DROPBEAR_MD5
>  	bool
> -	prompt "md5"
> +	prompt "md5 (not recommended!)"
>  	help
>  	  MD5 was developed by Professor Ronald L. Rivest in 1994.
>  	  Its 128 bit (16 byte) message digest makes it a faster
>  	  implementation than SHA-1.
>  
> -comment "Hostkey/public key algorithms, at least one required --- SSH2 RFC Draft requires dss, recommends rsa"
> +comment "Hostkey/public key algorithms, at least one required --- RSA is recommended, DSS is not recommended for new keys"
>  
>  config DROPBEAR_RSA
>  	bool
> @@ -293,7 +293,7 @@ config DROPBEAR_RSA
>  
>  config DROPBEAR_DSS
>  	bool
> -	prompt "dss"
> +	prompt "dss (not recommended!)"

Hmm, I'll take the patch as is, unless some other issues pop up. But what
do you think about removing the DES and MD5 options entirely? I mean doing
ssh with either is really pointless.

Michael

>  	help
>  	  DSS stands for Digital Signature Standard.
>  	  DSS employs the ElGamal and Schnorr PK systems to produce
> @@ -308,6 +308,8 @@ config DROPBEAR_ECDSA
>  	  ECDSA stands for Elliptic Curve Digital Signature Algorithm.
>  	  ECDSA is significantly faster than RSA or DSS.
>  
> +comment "Key exchange algorithm ---"
> +
>  config DROPBEAR_ECDH
>  	bool
>  	prompt "ecdh"
> @@ -377,7 +379,7 @@ config DROPBEAR_SCP
>  comment "OpenSSH scp is selected!"
>  	depends on OPENSSH_SCP
>  
> -comment "runtime options   ---"
> +comment "runtime options        ---"
>  
>  config DROPBEAR_STARTSCRIPT
>  	bool
> diff --git a/rules/dropbear.make b/rules/dropbear.make
> index acd9ef5f9..4f55fac48 100644
> --- a/rules/dropbear.make
> +++ b/rules/dropbear.make
> @@ -67,6 +67,7 @@ $(STATEDIR)/dropbear.prepare:
>  
>  	@echo "/* localoptions.h created by ptxdist */" > $(DROPBEAR_LOCALOPTIONS)
>  
> +# features
>  ifdef PTXCONF_DROPBEAR_DIS_X11
>  	@echo "ptxdist: disabling x11 forwarding"
>  	@echo "#define DROPBEAR_X11FWD 0" >> $(DROPBEAR_LOCALOPTIONS)
> @@ -76,13 +77,13 @@ else
>  endif
>  
>  ifdef PTXCONF_DROPBEAR_DIS_TCP
> -	@echo "ptxdist: disabling tcp"
> +	@echo "ptxdist: disabling tcp forwarding"
>  	@echo "#define DROPBEAR_CLI_LOCALTCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
>  	@echo "#define DROPBEAR_CLI_REMOTETCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
>  	@echo "#define DROPBEAR_SVR_LOCALTCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
>  	@echo "#define DROPBEAR_SVR_REMOTETCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
>  else
> -	@echo "ptxdist: enabling tcp"
> +	@echo "ptxdist: enabling tcp forwarding"
>  	@echo "#define DROPBEAR_CLI_LOCALTCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
>  	@echo "#define DROPBEAR_CLI_REMOTETCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
>  	@echo "#define DROPBEAR_SVR_LOCALTCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
> @@ -90,16 +91,16 @@ else
>  endif
>  
>  ifdef PTXCONF_DROPBEAR_DIS_AGENT
> -	@echo "ptxdist: disabling agent"
> +	@echo "ptxdist: disabling auth agent forwarding"
>  	@echo "#define DROPBEAR_SVR_AGENTFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
>  	@echo "#define DROPBEAR_CLI_AGENTFWD 0" >> $(DROPBEAR_LOCALOPTIONS)
>  else
> -	@echo "ptxdist: enabling agent"
> +	@echo "ptxdist: enabling auth agent forwarding"
>  	@echo "#define DROPBEAR_SVR_AGENTFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
>  	@echo "#define DROPBEAR_CLI_AGENTFWD 1" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
> -
> +# encryption
>  ifdef PTXCONF_DROPBEAR_AES128
>  	@echo "ptxdist: enabling aes128"
>  	@echo "#define DROPBEAR_AES128 1" >> $(DROPBEAR_LOCALOPTIONS)
> @@ -148,6 +149,7 @@ else
>  	@echo "#define DROPBEAR_TWOFISH128 0" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
> +# ciphers
>  ifdef PTXCONF_DROPBEAR_CBC_CIPHERS
>  	@echo "ptxdist: enabling cbc ciphers"
>  	@echo "#define DROPBEAR_ENABLE_CBC_MODE 1" >> $(DROPBEAR_LOCALOPTIONS)
> @@ -165,6 +167,7 @@ else
>  	@echo "#define DROPBEAR_ENABLE_CTR_MODE 0" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
> +# integrity
>  ifdef PTXCONF_DROPBEAR_SHA1
>  	@echo "ptxdist: enabling sha1"
>  	@echo "#define DROPBEAR_SHA1_HMAC 1" >> $(DROPBEAR_LOCALOPTIONS)
> @@ -210,7 +213,7 @@ else
>  	@echo "#define DROPBEAR_MD5_HMAC 0" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
> -
> +# host key / public key
>  ifdef PTXCONF_DROPBEAR_RSA
>  	@echo "ptxdist: enabling rsa"
>  	@echo "#define DROPBEAR_RSA 1" >> $(DROPBEAR_LOCALOPTIONS)
> @@ -235,6 +238,7 @@ else
>  	@echo "#define DROPBEAR_ECDSA 0" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
> +# key exchange algorithm
>  ifdef PTXCONF_DROPBEAR_ECDH
>  	@echo "ptxdist: enabling ecdh"
>  	@echo "#define DROPBEAR_ECDH 1" >> $(DROPBEAR_LOCALOPTIONS)
> @@ -251,7 +255,7 @@ else
>  	@echo "#define DROPBEAR_CURVE25519 0" >> $(DROPBEAR_LOCALOPTIONS)
>  endif
>  
> -
> +# authentication types
>  ifdef PTXCONF_DROPBEAR_PASSWD
>  	@echo "ptxdist: enabling passwd"
>  	@echo "#define DROPBEAR_SVR_PASSWORD_AUTH 1" >> $(DROPBEAR_LOCALOPTIONS)
> -- 
> 2.27.0
> 
> 
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
> To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
> 

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de