
[PATCH] main/dropbear: disable DSS, enable Ed25519, increase RSA host key size

Christian Dietrich
Message ID
<7babbd96-c41f-1fc7-9ffa-b735e720b146@gmail.com>
DKIM signature
pass
Disables DSS (like OpenSSH >= 7.0)
Increases the RSA host key size to 3072 bits (like OpenSSH >= 8.0)
Enables Ed25519 host key generation


--- a/main/dropbear/APKBUILD
+++ b/main/dropbear/APKBUILD
@@ -3,7 +3,7 @@
  # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
  pkgname=dropbear
  pkgver=2020.81
-pkgrel=0
+pkgrel=1
  pkgdesc="small SSH 2 client/server designed for small memory environments"
  url="https://matt.ucc.asn.au/dropbear/dropbear.html"
  arch="all"
@@ -21,6 +21,7 @@
      dropbear.confd
      dropbear-0.53.1-static_build_fix.patch
      dropbear-options_sftp-server_path.patch
+    dropbear-disable_dss.patch
      "

  # secfixes:
@@ -83,7 +84,8 @@
  }

  sha512sums="2fa9d4d7dcb1c81281f5e47c8a99b7300eb46b3bb605daaec956404eae9124879a8bbbef521dea6da8b3643f3dc6f7f5005e265bfcaba97e89812f5642c294da dropbear-2020.81.tar.bz2
-9c55ab3d8b61955cde1ccc1b8acbd3d2ef123feb9489e92737304c35315d07b7f85fad8a12ac7b0ec2c1dcee3d76b8bc4aa18518f4ddd963917805db33e48826 
dropbear.initd
+601f7cece00db02ea6b913f2d10febe4a5f8a2052afe2bba47df0c1718562b78975edd4ec5715fc7d9596ce165fd9a9cf5b2b66698303cac6d2daf1bb5e7902a 
dropbear.initd
  83f2c1eaf7687917a4b2bae7d599d4378c4bd64f9126ba42fc5d235f2b3c9a474d1b3168d70ed64bb4101cc251d30bc9ae20604da9b5d819fcd635ee4d0ebb0f dropbear.confd
  413cef467db35ddc430a773af943ff650d51bdb6fb262dcabc625eb6c9f4170b5711998df5577dd05c60e21e0a9771bff022adc8273083b85a18f4d5659ffd50 dropbear-0.53.1-static_build_fix.patch
-9b078548c6850c9b45e9b68a8ebd746a4a0648607c8ad0cf4106f09f7a63768c83a3e4e4fbec38b665ae283503fd3cdd054775aa3c9afe02567be3e775aef50b 
dropbear-options_sftp-server_path.patch"
+9b078548c6850c9b45e9b68a8ebd746a4a0648607c8ad0cf4106f09f7a63768c83a3e4e4fbec38b665ae283503fd3cdd054775aa3c9afe02567be3e775aef50b 
dropbear-options_sftp-server_path.patch
+3499b70e0dd56e9772bdf2cebafa4513f75eaf07d2eb7bbe8e53ace2b4debcca0e0335b3b912fe1706e267ffaa79f58e04ce3241e482e8401bd77fd4c7d3f38b 
dropbear-disable_dss.patch"
--- /dev/null
+++ b/main/dropbear/dropbear-disable_dss.patch
@@ -0,0 +1,11 @@
+--- a/default_options.h
++++ b/default_options.h
+@@ -121,7 +121,7 @@
+  * DSS may be necessary to connect to some systems though
+    is not recommended for new keys */
+ #define DROPBEAR_RSA 1
+-#define DROPBEAR_DSS 1
++#define DROPBEAR_DSS 0
+ /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
+  * code (either ECDSA or ECDH) increases binary size - around 30kB
+  * on x86-64 */
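Review bot: The new patch flips `#define DROPBEAR_DSS 0` by editing default_options.h directly, which has to be rebased on every dropbear release; dropbear provides a localoptions.h that overrides default_options.h for exactly this kind of distribution setting, so the same build-time change can likely be made from the APKBUILD without carrying a patch. The surrounding comment kept in the hunk still says DSS "may be necessary to connect to some systems", so whichever mechanism is used, a one-line note such as `/* DSS disabled to match OpenSSH >= 7.0; existing dss host keys are no longer loaded */` would tell the next maintainer why the package diverges from the upstream default. The nested default_options.h hunk shows only the key-type block; the rest of that header is outside the hunk.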
--- a/main/dropbear/dropbear.initd
+++ b/main/dropbear/dropbear.initd
@@ -13,18 +13,18 @@
      if [ ! -e /etc/dropbear/ ] ; then
          mkdir /etc/dropbear/
      fi
-    if [ ! -e /etc/dropbear/dropbear_dss_host_key ] ; then
-        einfo "Generating DSS-Hostkey..."
-        /usr/bin/dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key
-    fi
      if [ ! -e /etc/dropbear/dropbear_rsa_host_key ] ; then
          einfo "Generating RSA-Hostkey..."
-        /usr/bin/dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key
+        /usr/bin/dropbearkey -t rsa -s 3072 -f 
/etc/dropbear/dropbear_rsa_host_key
      fi
      if [ ! -e /etc/dropbear/dropbear_ecdsa_host_key ] ; then
          einfo "Generating ECDSA-Hostkey..."
          /usr/bin/dropbearkey -t ecdsa -f 
/etc/dropbear/dropbear_ecdsa_host_key
      fi
+        if [ ! -e /etc/dropbear/dropbear_ed25519_host_key ] ; then
+                einfo "Generating Ed25519-Hostkey..."
+                /usr/bin/dropbearkey -t ed25519 -f 
/etc/dropbear/dropbear_ed25519_host_key
+        fi
  }

  start() {
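Review bot: The added Ed25519 block, from `if [ ! -e /etc/dropbear/dropbear_ed25519_host_key ] ; then` through its `fi`, is indented with eight spaces while the sibling RSA and ECDSA blocks use four, so it should be reindented to match them. The new `-s 3072` is only reached when no RSA key exists, because the `! -e` guard above it is unchanged, so hosts that upgrade with an existing key keep their current key size; the commit message could say the larger size applies to newly generated keys only. Dropping the DSS generation leaves an existing /etc/dropbear/dropbear_dss_host_key in place on upgraded hosts, and whether a daemon built with DSS compiled out ignores that file or fails to start depends on how it is invoked, which is outside this hunk and worth checking. Several long lines in this hunk appear wrapped after `-f`, presumably by the mail client, so the patch as shown here would not apply cleanly and should be taken from the raw message. The function enclosing these blocks starts before the hunk.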