author Alexander Dahl <ada@thorsis.com> 2020-03-11 14:24:08 +0100
committer Michael Olbrich <m.olbrich@pengutronix.de> 2020-03-20 13:18:55 +0100
commit d00ed9036f22713fe1741c62f6800ae4cda634fa
tree 0e8002769efdfe1f83a79d73c04ce945e83a7397
parent 91e5a872e2559830f180ad34eece7fbaf7adb9c6
dropbear: Disable default selection of DSS
While this might be not 100% conforming to ssh standard (?), it is common practice. DSA is considered weak [1] and e.g. OpenSSH deprecated it with the 7.0 release back in 2015 [2]. dropbear states in its source: “DSS may be necessary to connect to some systems though is not recommended for new keys”. Furthermore: requiring both RSA _and_ DSS host keys, increases time to generate keys a lot, making this unfortunate in bootstrapping embedded targets.

[1] https://security.stackexchange.com/a/112818/43663
[2] https://lists.mindrot.org/pipermail/openssh-unix-announce/2015-August/000122.html

Signed-off-by: Alexander Dahl <ada@thorsis.com>
Message-Id: <20200311132408.11924-4-ada@thorsis.com>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
-rw-r--r-- rules/dropbear.in 3
1 files changed, 1 insertions, 2 deletions
diff --git a/rules/dropbear.in b/rules/dropbear.in
index fa6f283f1..107a11caf 100644
--- a/rules/dropbear.in
+++ b/rules/dropbear.in
@@ -284,6 +284,7 @@ comment "Hostkey/public key algorithms, at least one required --- SSH2 RFC Draft
config DROPBEAR_RSA
bool
prompt "rsa"
+ default y
help
RSA was announced in 1978. The security of the RSA system
is based upon the RSA Problem (RSAP). This problem is
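Review bot: The new `default y` under `config DROPBEAR_RSA` is not covered by the commit message, which only discusses DSS. Because `config DROPBEAR_DROPBEAR` still carries `select DROPBEAR_RSA`, this default only changes the result when the server option is off. If it is there to keep the "at least one required" rule from the section comment satisfied once DSS is no longer on by default, a sentence saying so in the message would make the intent clear.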
@@ -293,7 +294,6 @@ config DROPBEAR_RSA
config DROPBEAR_DSS
bool
prompt "dss"
- default y
help
DSS stands for Digital Signature Standard.
DSS employs the ElGamal and Schnorr PK systems to produce
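Review bot: Removing `default y` from `config DROPBEAR_DSS` only affects configurations that have no stored value for this symbol; a project config that already has DSS set to y keeps it through oldconfig, so the weak algorithm stays enabled there until someone switches it off by hand. Consider saying this in the commit message. The visible part of the help text also describes DSS without any caveat, so the "not recommended for new keys" wording quoted in the message would be worth adding there.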
@@ -349,7 +349,6 @@ config DROPBEAR_DROPBEAR
default y
select DROPBEAR_DROPBEAR_KEY
select DROPBEAR_RSA
- select DROPBEAR_DSS
select BUSYBOX_START_STOP_DAEMON if BUSYBOX
help
Installs the dropbar server in /usr/sbin/dropbear on the target
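Review bot: In `config DROPBEAR_DROPBEAR`, dropping `select DROPBEAR_DSS` while keeping `select DROPBEAR_DROPBEAR_KEY` only shortens key generation, as the commit message promises, if whatever creates the host keys on the target skips DSS when the option is off. This patch touches only rules/dropbear.in, so please confirm that separately or state it in the message. Unrelated nit in the unchanged help line: "dropbar server" should read "dropbear server".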