From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: In-Reply-To: <20201116080552.25031-4-ada@thorsis.com> MIME-Version: 1.0 Message-Id: From: Michael Olbrich Date: Fri, 20 Nov 2020 08:56:20 +0100 Subject: Re: [ptxdist] [APPLIED] dropbear: Revise comments List-Id: PTXdist Development Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: ptxdist@pengutronix.de Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ptxdist-bounces@pengutronix.de Sender: "ptxdist" To: ptxdist@pengutronix.de Cc: Alexander Dahl Thanks, applied as 55129e58359e94cecae7c158d63cbf9d0a44ea6f. Michael [sent from post-receive hook] On Fri, 20 Nov 2020 08:56:20 +0100, Alexander Dahl wrote: > Add more section markers and update recommendations based on upstream's > 'default_options.h' file. > > Signed-off-by: Alexander Dahl > Message-Id: <20201116080552.25031-4-ada@thorsis.com> > Signed-off-by: Michael Olbrich > > diff --git a/rules/dropbear.in b/rules/dropbear.in > index d23f9b17f02a..7f777ae648fd 100644 > --- a/rules/dropbear.in > +++ b/rules/dropbear.in > @@ -208,7 +208,7 @@ config DROPBEAR_CTR_CIPHERS > CBC mode against certain attacks. This adds around 1kB to binary > size and is recommended for most cases. > > -comment "Integrity, at least one required --- RFC Draft requires sha1-hmac and recommends sha1-96" > +comment "Integrity, at least one required --- sha2-256 is recommended as a default, sha1 for compatibility" > > config DROPBEAR_SHA1 > bool > @@ -260,7 +260,7 @@ config DROPBEAR_SHA512 > SHA-1. SHA-2 consists of a set of four hash functions with digests > that are 224, 256, 384 or 512 bits. > > -comment "Hostkey/public key algorithms, at least one required --- SSH2 RFC Draft requires dss, recommends rsa" > +comment "Hostkey/public key algorithms, at least one required --- RSA is recommended, DSS is not recommended for new keys" > > config DROPBEAR_RSA > bool 
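Review bot: The new hostkey comment in the @@ -260 hunk says DSS "is not recommended for new keys", which understates the problem: ssh-dss keys are fixed at 1024 bits and OpenSSH clients have refused them by default since 7.0, so a device that ships only a DSS hostkey is unreachable from current clients. I would make the comment actionable, e.g. `comment "Hostkey/public key algorithms, at least one required --- RSA (upstream default) or ECDSA recommended; DSS (ssh-dss, 1024-bit only) only for legacy peers"`. Note also that a Kconfig `comment` cannot enforce the "at least one required" wording used in both hunks, so a configuration with no hostkey or no MAC selected is presumably only caught at build or run time; if ptxdist has no such check, the help texts should say what happens.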
> @@ -279,6 +279,8 @@ config DROPBEAR_ECDSA > ECDSA stands for Elliptic Curve Digital Signature Algorithm. > ECDSA is significantly faster than RSA or DSS. > > +comment "Key exchange algorithm ---" > + > config DROPBEAR_ECDH > bool > prompt "ecdh" > @@ -348,7 +350,7 @@ config DROPBEAR_SCP > comment "OpenSSH scp is selected!" > depends on OPENSSH_SCP > > -comment "runtime options ---" > +comment "runtime options ---" > > config DROPBEAR_STARTSCRIPT > bool > diff --git a/rules/dropbear.make b/rules/dropbear.make > index 9403afd006d7..e422eb4d5e1e 100644 > --- a/rules/dropbear.make > +++ b/rules/dropbear.make > @@ -67,6 +67,7 @@ $(STATEDIR)/dropbear.prepare: > > @echo "/* localoptions.h created by ptxdist */" > $(DROPBEAR_LOCALOPTIONS) > > +# features > ifdef PTXCONF_DROPBEAR_DIS_X11 > @echo "ptxdist: disabling x11 forwarding" > @echo "#define DROPBEAR_X11FWD 0" >> $(DROPBEAR_LOCALOPTIONS) > @@ -76,13 +77,13 @@ else > endif > > ifdef PTXCONF_DROPBEAR_DIS_TCP > - @echo "ptxdist: disabling tcp" > + @echo "ptxdist: disabling tcp forwarding" > @echo "#define DROPBEAR_CLI_LOCALTCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS) > @echo "#define DROPBEAR_CLI_REMOTETCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS) > @echo "#define DROPBEAR_SVR_LOCALTCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS) > @echo "#define DROPBEAR_SVR_REMOTETCPFWD 0" >> $(DROPBEAR_LOCALOPTIONS) > else > - @echo "ptxdist: enabling tcp" > + @echo "ptxdist: enabling tcp forwarding" > @echo "#define DROPBEAR_CLI_LOCALTCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS) > @echo "#define DROPBEAR_CLI_REMOTETCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS) > @echo "#define DROPBEAR_SVR_LOCALTCPFWD 1" >> $(DROPBEAR_LOCALOPTIONS) 
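Review bot: In the @@ -348 hunk the removed and added `comment "runtime options ---"` lines are indistinguishable in this rendering, so the change is presumably whitespace-only (a trailing space or tab); it is worth one line in the commit message so a reader does not go looking for a wording difference. The new header in @@ -279 is written in the singular, `comment "Key exchange algorithm ---"`, although several algorithms follow it (ecdh and curve25519 per the dropbear.make hunks); `comment "Key exchange algorithms ---"` would match the plural form of the other section headers in this file.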
> @@ -90,16 +91,16 @@ else > endif > > ifdef PTXCONF_DROPBEAR_DIS_AGENT > - @echo "ptxdist: disabling agent" > + @echo "ptxdist: disabling auth agent forwarding" > @echo "#define DROPBEAR_SVR_AGENTFWD 0" >> $(DROPBEAR_LOCALOPTIONS) > @echo "#define DROPBEAR_CLI_AGENTFWD 0" >> $(DROPBEAR_LOCALOPTIONS) > else > - @echo "ptxdist: enabling agent" > + @echo "ptxdist: enabling auth agent forwarding" > @echo "#define DROPBEAR_SVR_AGENTFWD 1" >> $(DROPBEAR_LOCALOPTIONS) > @echo "#define DROPBEAR_CLI_AGENTFWD 1" >> $(DROPBEAR_LOCALOPTIONS) > endif > > - > +# encryption > ifdef PTXCONF_DROPBEAR_AES128 > @echo "ptxdist: enabling aes128" > @echo "#define DROPBEAR_AES128 1" >> $(DROPBEAR_LOCALOPTIONS) > @@ -140,6 +141,7 @@ else > @echo "#define DROPBEAR_TWOFISH128 0" >> $(DROPBEAR_LOCALOPTIONS) > endif > > +# ciphers > ifdef PTXCONF_DROPBEAR_CBC_CIPHERS > @echo "ptxdist: enabling cbc ciphers" > @echo "#define DROPBEAR_ENABLE_CBC_MODE 1" >> $(DROPBEAR_LOCALOPTIONS) > @@ -157,6 +159,7 @@ else > @echo "#define DROPBEAR_ENABLE_CTR_MODE 0" >> $(DROPBEAR_LOCALOPTIONS) > endif > > +# integrity > ifdef PTXCONF_DROPBEAR_SHA1 > @echo "ptxdist: enabling sha1" > @echo "#define DROPBEAR_SHA1_HMAC 1" >> $(DROPBEAR_LOCALOPTIONS) > @@ -193,7 +196,7 @@ else > @echo "#define DROPBEAR_SHA2_512_HMAC 0" >> $(DROPBEAR_LOCALOPTIONS) > endif > > - > +# host key / public key > ifdef PTXCONF_DROPBEAR_RSA > @echo "ptxdist: enabling rsa" > @echo "#define DROPBEAR_RSA 1" >> $(DROPBEAR_LOCALOPTIONS) > @@ -210,6 +213,7 @@ else > @echo "#define DROPBEAR_ECDSA 0" >> $(DROPBEAR_LOCALOPTIONS) > endif > > +# key exchange algorithm > ifdef PTXCONF_DROPBEAR_ECDH > @echo "ptxdist: enabling ecdh" > @echo "#define DROPBEAR_ECDH 1" >> $(DROPBEAR_LOCALOPTIONS) 
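Review bot: The two new section labels in dropbear.make are easy to confuse: `# encryption` sits above the cipher-algorithm selections (`PTXCONF_DROPBEAR_AES128` through `DROPBEAR_TWOFISH128`), while `# ciphers` sits above the CBC/CTR switches (`DROPBEAR_ENABLE_CBC_MODE`, `DROPBEAR_ENABLE_CTR_MODE`), which are modes rather than ciphers. `# cipher algorithms` and `# cipher modes` would name what each block actually emits. In the @@ -90 hunk the `else` branch writes `DROPBEAR_SVR_AGENTFWD 1` and `DROPBEAR_CLI_AGENTFWD 1` whenever `PTXCONF_DROPBEAR_DIS_AGENT` is unset, i.e. agent forwarding is opt-out; that appears to mirror the dropbear default, but it is worth a sentence in the `# features` header since forwarding the client's agent to an embedded device is a common hardening concern. The enclosing `$(STATEDIR)/dropbear.prepare` recipe starts outside these hunks.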
> @@ -226,7 +230,7 @@ else > @echo "#define DROPBEAR_CURVE25519 0" >> $(DROPBEAR_LOCALOPTIONS) > endif > > - > +# authentication types > ifdef PTXCONF_DROPBEAR_PASSWD > @echo "ptxdist: enabling passwd" > @echo "#define DROPBEAR_SVR_PASSWORD_AUTH 1" >> $(DROPBEAR_LOCALOPTIONS) _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
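Review bot: The `@echo "ptxdist: enabling passwd"` line kept as context in the @@ -226 hunk is now the odd one out: this patch renamed the other status messages to say what they toggle (`disabling tcp forwarding`, `disabling auth agent forwarding`), but this one still says `passwd` while the define it writes is `DROPBEAR_SVR_PASSWORD_AUTH`. `@echo "ptxdist: enabling server password auth"` (with the matching `disabling` text in the `else` branch, which lies outside the hunk) would keep the build log consistent with the new `# authentication types` header. The enclosing `$(STATEDIR)/dropbear.prepare` recipe starts before this hunk.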