* [PATCH v2] dropbear: disable medium-strength ssh ciphers
From: joseph-reynolds @ 2018-09-12 21:56 UTC (permalink / raw)
  To: 'openembedded-core@lists.openembedded.org'


This changes the Dropbear SSH server configuration so it will not
accept medium-strength encryption ciphers including: CBC mode, MD5,
96-bit MAC, and triple DES. This is consistent with the default
supported OpenSSH ciphers.

Upstream-Status: Pending

Signed-off-by: Joseph Reynolds 
---
 meta/recipes-core/dropbear/dropbear/localoptions.h | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 meta/recipes-core/dropbear/dropbear/localoptions.h

diff --git a/meta/recipes-core/dropbear/dropbear/localoptions.h
b/meta/recipes-core/dropbear/dropbear/localoptions.h
new file mode 100644
index 0000000..ec48c26
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/localoptions.h
@@ -0,0 +1,8 @@
+/* Customize dropbear per default_options.h in the dropbear project
*/
+
+/* Disable insecure ciphers */
+#define DROPBEAR_TWOFISH256 0
+#define DROPBEAR_TWOFISH128 0
+#define DROPBEAR_ENABLE_CBC_MODE 0
+#define DROPBEAR_SHA1_HMAC 0
+#define DROPBEAR_SHA1_96_HMAC 0
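Review bot: The commit message lists MD5 and triple DES among the algorithms being turned off, but none of the five defines in this hunk touches either, while `DROPBEAR_TWOFISH256`, `DROPBEAR_TWOFISH128` and the full-length `DROPBEAR_SHA1_HMAC` are set to 0 without being mentioned in the message. Either add an explicit define for every algorithm the message names, so the header does not silently depend on upstream defaults, or reword the message to match what the file sets. Separately, the first comment was wrapped in transit: its closing `*/` sits on a line of its own with no leading `+`, which leaves a stray line inside a hunk declared as `+1,8` and is the diff line patchtest reports as malformed.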
-- 
1.8.3.1




* ✗ patchtest: failure for dropbear: disable medium-strength ssh ciphers
From: Patchwork @ 2018-09-12 22:03 UTC (permalink / raw)
  To: joseph-reynolds; +Cc: openembedded-core

== Series Details ==

Series: dropbear: disable medium-strength ssh ciphers
Revision: 1
URL   : https://patchwork.openembedded.org/series/14051/
State : failure

== Summary ==


Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:



* Issue             Series cannot be parsed correctly due to malformed diff lines [test_mbox_format] 
  Suggested fix    Create the series again using git-format-patch and ensure it can be applied using git am
  Diff line        */


* Issue             Series does not apply on top of target branch [test_series_merge_on_head] 
  Suggested fix    Rebase your series on top of targeted branch
  Targeted branch  master (currently at b7f3f7ecfd)



If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Guidelines:     https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe




* Re: [PATCH v2] dropbear: disable medium-strength ssh ciphers
From: Burton, Ross @ 2018-09-13 16:00 UTC (permalink / raw)
  To: joseph-reynolds; +Cc: openembedded-core

This still can't be actually used, because dropbear won't be looking
in the recipe folder and nothing puts that file into the source tree.
Put a #error in it if you don't believe me. :)

Ross

On 12 September 2018 at 22:56,  <joseph-reynolds@charter.net> wrote:
> This changes the Dropbear SSH server configuration so it will not
> accept medium-strength encryption ciphers including: CBC mode, MD5,
> 96-bit MAC, and triple DES.  This is consistent with the default
> supported OpenSSH ciphers.
>
> Upstream-Status: Pending
>
> Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
> ---
>  meta/recipes-core/dropbear/dropbear/localoptions.h | 8 ++++++++
>  1 file changed, 8 insertions(+)
>  create mode 100644 meta/recipes-core/dropbear/dropbear/localoptions.h
>
> diff --git a/meta/recipes-core/dropbear/dropbear/localoptions.h
> b/meta/recipes-core/dropbear/dropbear/localoptions.h
> new file mode 100644
> index 0000000..ec48c26
> --- /dev/null
> +++ b/meta/recipes-core/dropbear/dropbear/localoptions.h
> @@ -0,0 +1,8 @@
> +/* Customize dropbear per default_options.h in the dropbear project */
> +
> +/* Disable insecure ciphers */
> +#define DROPBEAR_TWOFISH256 0
> +#define DROPBEAR_TWOFISH128 0
> +#define DROPBEAR_ENABLE_CBC_MODE 0
> +#define DROPBEAR_SHA1_HMAC 0
> +#define DROPBEAR_SHA1_96_HMAC 0
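Review bot: The comment `/* Disable insecure ciphers */` heads a block whose last two defines, `DROPBEAR_SHA1_HMAC` and `DROPBEAR_SHA1_96_HMAC`, are MAC settings rather than ciphers, and the patch subject calls the set "medium-strength", not insecure. Split the block into a cipher group and a MAC group, each with a comment giving the reason for turning it off. With both SHA-1 MACs set to 0, the file also never says which MAC is expected to remain enabled; stating that in a comment would make a build left with no usable MAC easier to catch in review.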
> --
> 1.8.3.1
>
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>
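
Whether a setting like this actually took effect can be checked on the wire rather than in the source tree, by reading the algorithm lists the server sends in SSH_MSG_KEXINIT (RFC 4253). The following is an added example, not code from this thread or from Dropbear: it parses a KEXINIT payload and flags the categories named in the commit message. The sample payload is constructed, and the name fragments used for matching are assumptions based on standard SSH algorithm names.

```python
import struct

SSH_MSG_KEXINIT = 20
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
# Assumed name fragments for the categories listed in the commit message.
WEAK = {"enc": (("3des", "triple DES"), ("-cbc", "CBC mode")),
        "mac": (("md5", "MD5"), ("-96", "96-bit MAC"))}

def parse_kexinit(payload):
    """Split an SSH_MSG_KEXINIT payload (RFC 4253, section 7.1) into name-lists."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off, lists = 17, {}  # skip the message type byte and the 16-byte cookie
    for field in FIELDS:
        if off + 4 > len(payload):
            raise ValueError("truncated KEXINIT: " + field)
        (n,) = struct.unpack_from(">I", payload, off)
        raw = payload[off + 4:off + 4 + n]
        if len(raw) != n:
            raise ValueError("truncated KEXINIT: " + field)
        lists[field] = raw.decode("ascii").split(",") if raw else []
        off += 4 + n
    return lists

def weak_reason(kind, name):
    base = name.split("@")[0]  # ignore a vendor suffix such as @openssh.com
    for fragment, reason in WEAK[kind]:
        if fragment in base:
            return reason
    return None

def audit(payload):
    """Return (field, algorithm, reason) for each weak cipher or MAC offered."""
    lists = parse_kexinit(payload)
    return [(f, a, r) for f in ("enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c")
            for a in lists[f] if (r := weak_reason(f[:3], a))]

def build_kexinit(lists):  # encode name-lists with a zero cookie, for offline samples
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for field in FIELDS:
        data = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(data)) + data
    return body + b"\x00" + struct.pack(">I", 0)

# Constructed sample: a server still offering CBC, 3DES, MD5 and a 96-bit MAC.
SAMPLE = build_kexinit({
    "enc_c2s": ["aes128-ctr", "aes128-cbc", "3des-cbc"], "enc_s2c": ["aes128-ctr"],
    "mac_c2s": ["hmac-sha1-96", "hmac-md5"], "mac_s2c": ["hmac-sha2-256"]})
```

An empty result from `audit()` on the payload captured from a freshly built image is the evidence that the options reached the compiler.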



* Re: [PATCH v2] dropbear: disable medium-strength ssh ciphers
From: Alexander Kanavin @ 2018-09-13 16:47 UTC (permalink / raw)
  To: Burton, Ross; +Cc: openembedded-core, joseph-reynolds

Actually, I'd rather have an 'upstream first' policy in this specific
case. If the change is good and desirable, please work with the
upstream to merge it there.

Alex

2018-09-13 18:00 GMT+02:00 Burton, Ross <ross.burton@intel.com>:
> This still can't be actually used, because dropbear won't be looking
> in the recipe folder and nothing puts that file into the source tree.
> Put a #error in it if you don't believe me. :)
>
> Ross
>
> On 12 September 2018 at 22:56,  <joseph-reynolds@charter.net> wrote:
>> This changes the Dropbear SSH server configuration so it will not
>> accept medium-strength encryption ciphers including: CBC mode, MD5,
>> 96-bit MAC, and triple DES.  This is consistent with the default
>> supported OpenSSH ciphers.
>>
>> Upstream-Status: Pending
>>
>> Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
>> ---
>>  meta/recipes-core/dropbear/dropbear/localoptions.h | 8 ++++++++
>>  1 file changed, 8 insertions(+)
>>  create mode 100644 meta/recipes-core/dropbear/dropbear/localoptions.h
>>
>> diff --git a/meta/recipes-core/dropbear/dropbear/localoptions.h
>> b/meta/recipes-core/dropbear/dropbear/localoptions.h
>> new file mode 100644
>> index 0000000..ec48c26
>> --- /dev/null
>> +++ b/meta/recipes-core/dropbear/dropbear/localoptions.h
>> @@ -0,0 +1,8 @@
>> +/* Customize dropbear per default_options.h in the dropbear project */
>> +
>> +/* Disable insecure ciphers */
>> +#define DROPBEAR_TWOFISH256 0
>> +#define DROPBEAR_TWOFISH128 0
>> +#define DROPBEAR_ENABLE_CBC_MODE 0
>> +#define DROPBEAR_SHA1_HMAC 0
>> +#define DROPBEAR_SHA1_96_HMAC 0
>> --
>> 1.8.3.1
>>
>>



* Re: [PATCH v2] dropbear: disable medium-strength ssh ciphers
From: joseph-reynolds @ 2018-09-13 19:45 UTC (permalink / raw)
  To: 'Burton, Ross'; +Cc: 'openembedded-core@lists.openembedded.org'


>From: "Burton, Ross"
>To: joseph-reynolds@charter.net
>Cc: "openembedded-core@lists.openembedded.org"
>Sent: Thursday September 13 2018 11:00:26AM
>Subject: Re: [OE-core] [PATCH v2] dropbear: disable medium-strength ssh ciphers
>
 >This still can't be actually used, because dropbear won't be looking
 >in the recipe folder and nothing puts that file into the source tree.
 >Put a #error in it if you don't believe me. :)

Thanks for pointing that out. I had conflated the OE & Yocto recipes,
then forgot to include the recipe change in my patch. My home project
is actually https://github.com/openbmc/openbmc, so I set out to
upstream this change to Yocto/Poky, OE, and Dropbear. Thanks for your
patience, as this is my first attempt to upstream.

My second issue is creating a correct patch. I used git format-patch
HEAD^ and then cut/paste the result into my web-based email reader.
The patch appears correct, but the automation says my patch is
malformed. I am still trying to enable sending plain-text email from
my shell environment.

Finally, I want to change my approach. I had been updating the
dropbear localoptions.h file to customize Dropbear's behavior. But I
really want to change Dropbear's default behavior for everyone, which
means I should update default_options.h and leave localoptions.h
alone. I plan to create a pull request to update the Dropbear project
default_options.h file, and a patch for openembedded-core to change
the dropbear_2018.76.bb recipe to pick up the Dropbear patch.

- Joseph

 >Ross
 >
 >On 12 September 2018 at 22:56,  wrote:
 >> This changes the Dropbear SSH server configuration so it will not
 >> accept medium-strength encryption ciphers including: CBC mode, MD5,
 >> 96-bit MAC, and triple DES. This is consistent with the default
 >> supported OpenSSH ciphers.
 >>
 >> Upstream-Status: Pending
 >>
 >> Signed-off-by: Joseph Reynolds 
 >> ---
 >> meta/recipes-core/dropbear/dropbear/localoptions.h | 8 ++++++++
 >> 1 file changed, 8 insertions(+)
 >> create mode 100644 meta/recipes-core/dropbear/dropbear/localoptions.h
 >>
 >> diff --git a/meta/recipes-core/dropbear/dropbear/localoptions.h
 >> b/meta/recipes-core/dropbear/dropbear/localoptions.h
 >> new file mode 100644
 >> index 0000000..ec48c26
 >> --- /dev/null
>> +++ b/meta/recipes-core/dropbear/dropbear/localoptions.h
 >> @@ -0,0 +1,8 @@
 >> +/* Customize dropbear per default_options.h in the dropbear
project */
 >> +
 >> +/* Disable insecure ciphers */
 >> +#define DROPBEAR_TWOFISH256 0
 >> +#define DROPBEAR_TWOFISH128 0
 >> +#define DROPBEAR_ENABLE_CBC_MODE 0
 >> +#define DROPBEAR_SHA1_HMAC 0
 >> +#define DROPBEAR_SHA1_96_HMAC 0
 >> --
 >> 1.8.3.1
 >>
 >>
 >> --

