author | Alexander Dahl <ada@thorsis.com> | 2020-03-11 14:24:08 +0100 |
---|---|---|
committer | Michael Olbrich <m.olbrich@pengutronix.de> | 2020-03-20 13:18:55 +0100 |
commit | d00ed9036f22713fe1741c62f6800ae4cda634fa (patch) | |
tree | 0e8002769efdfe1f83a79d73c04ce945e83a7397 | |
parent | 91e5a872e2559830f180ad34eece7fbaf7adb9c6 (diff) | |
dropbear: Disable default selection of DSS

While this might not be 100% conforming to the ssh standard (?), it is
common practice. DSA is considered weak [1] and e.g. OpenSSH deprecated
it with the 7.0 release back in 2015 [2].

dropbear states in its source: “DSS may be necessary to connect to some
systems though is not recommended for new keys”.

Furthermore: requiring both RSA _and_ DSS host keys increases time to
generate keys a lot, making this unfortunate in bootstrapping embedded
targets.

[1] https://security.stackexchange.com/a/112818/43663
[2] https://lists.mindrot.org/pipermail/openssh-unix-announce/2015-August/000122.html

Signed-off-by: Alexander Dahl <ada@thorsis.com>
Message-Id: <20200311132408.11924-4-ada@thorsis.com>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
-rw-r--r-- | rules/dropbear.in | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/rules/dropbear.in b/rules/dropbear.in index fa6f283f1..107a11caf 100644 --- a/rules/dropbear.in +++ b/rules/dropbear.in @@ -284,6 +284,7 @@ comment "Hostkey/public key algorithms, at least one required --- SSH2 RFC Draft config DROPBEAR_RSA bool prompt "rsa" + default y help RSA was announced in 1978. The security of the RSA system is based upon the RSA Problem (RSAP). This problem is @@ -293,7 +294,6 @@ config DROPBEAR_RSA config DROPBEAR_DSS bool prompt "dss" - default y help DSS stands for Digital Signature Standard. DSS employs the ElGamal and Schnorr PK systems to produce @@ -349,7 +349,6 @@ config DROPBEAR_DROPBEAR default y select DROPBEAR_DROPBEAR_KEY select DROPBEAR_RSA - select DROPBEAR_DSS select BUSYBOX_START_STOP_DAEMON if BUSYBOX help Installs the dropbar server in /usr/sbin/dropbear on the target |
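
Review bot: the `default y` added under `config DROPBEAR_RSA` in the first hunk (`@@ -284,6 +284,7 @@`) is not explained in the commit message, which only discusses DSS. Please add a sentence saying that RSA becomes the default host key algorithm so that a fresh configuration still satisfies the "at least one required" condition stated in the comment above it. Since `select DROPBEAR_RSA` stays in `config DROPBEAR_DROPBEAR` (third hunk), the new default only has an effect when the server option is not selected, which is also worth stating.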
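
Review bot: in the second hunk (`config DROPBEAR_DSS`), the help text still only describes what DSS is and gives no hint why it is no longer on by default. Suggest adding a line to the help along the lines of the dropbear source remark quoted in the commit message ("not recommended for new keys"), so someone enabling the option in menuconfig sees the caveat. Note also that Kconfig defaults only apply to symbols without a saved value, so configurations that already store this option as enabled will keep DSS on after this change; a short remark about that in the commit message would help people who expect the weak algorithm to disappear from existing projects.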
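
Review bot: in the third hunk (`config DROPBEAR_DROPBEAR`), `select DROPBEAR_DSS` is dropped while `select DROPBEAR_DROPBEAR_KEY` remains, and the diff touches only `rules/dropbear.in`. Please confirm that whatever `DROPBEAR_DROPBEAR_KEY` installs for host key generation and server start does not still expect a DSS host key when `DROPBEAR_DSS` is off, otherwise first boot on the target may fail or log errors. Separately, the help context line reads "Installs the dropbar server"; that typo could be fixed in a follow-up.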