enable more secure SSH algorithms and ciphers for dropbear #223

Closed
jbacksch opened this issue Oct 28, 2014 · 9 comments

@jbacksch

Please enable more secure SSH algorithms and ciphers hmac-sha2-256 and hmac-sha2-512 for dropbear, as recommended by BetterCrypto p.19 https://bettercrypto.org/static/applied-crypto-hardening.pdf.

A patch is available for OpenWrt at http://patchwork.openwrt.org/patch/6322/.

@tcatm

tcatm commented Oct 28, 2014

This is not critical as SSH is not used on Gluon by default. If OpenWrt decides to merge those patches, they'll make it into Gluon eventually.

@neocturne
Member

I don't think @tcatm's argument is valid, as many people use SSH with Gluon. We do so ourselves and we recommend others to do so.

The more interesting question is if the patch is important enough to include it even though OpenWrt hasn't so far. In my opinion it isn't, as HMAC-SHA1 is much stronger than SHA1 itself. Even HMAC-MD5 is considered quite secure despite MD5's weaknesses; with HMAC-SHA1 we'll be fine for many years.

So I agree with @tcatm's opinion to wait until these patches make it into OpenWrt.

@tcatm tcatm added the 2. status: wontfix The issue raised is out of scope for this project label Mar 3, 2015
@tcatm tcatm closed this as completed Mar 3, 2015
@tcatm tcatm removed the 2. status: wontfix The issue raised is out of scope for this project label Mar 3, 2015
@rotanid
Member

rotanid commented May 11, 2016

Time has passed, but the current Gluon version's dropbear still doesn't support modern cryptography?
Also, this doesn't only affect the MAC but also the key exchange: curve25519 or sha256 aren't supported there, either...

@neocturne
Member

OpenWrt has enabled curve25519-sha256 by default since January, so I think we should backport that change now.

@neocturne neocturne reopened this May 11, 2016
@rotanid rotanid added the 0. type: enhancement The changeset is an enhancement label Aug 22, 2016
@neocturne neocturne added this to the 2016.2 milestone Aug 22, 2016
@neocturne neocturne self-assigned this Aug 22, 2016
@neocturne
Member

curve25519-sha256 support is backported now.

@nomaster

I have just tried to use my ssh-ed25519 key, but I was unable to log in. Is it supported?

@neocturne
Member

@nomaster: no, ed25519 is not supported at all by the current dropbear version 2016.74, I don't know if it is in development. Also, we use the default dropbear config from LEDE, which disables ECDSA using the NIST curves to save space.

curve25519-sha256 is supported as a key exchange method, but that's as far as ECC support goes at the moment.
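
To check what a given SSH server actually offers for the algorithms discussed in this thread, its `SSH_MSG_KEXINIT` packet (RFC 4253, section 7.1) can be parsed directly. The following is an added example, not part of the original thread and not Gluon or dropbear code; the field labels, the `WANTED` table, the helper names and the sample packet are assumptions constructed for illustration.

```python
import struct

# SSH_MSG_KEXINIT name-lists in wire order (RFC 4253, section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
# Algorithms asked about in this thread; each tuple lists accepted aliases.
WANTED = {"kex": [("curve25519-sha256", "curve25519-sha256@libssh.org")],
          "host_key": [("ssh-ed25519",)],
          "mac_s2c": [("hmac-sha2-256",), ("hmac-sha2-512",)]}

def build_kexinit(lists, pad=4):
    """Encode a KEXINIT packet; used only to construct the sample below."""
    body = bytes([20]) + bytes(16)  # message type 20 + all-zero cookie
    for name in FIELDS:
        raw = ",".join(lists.get(name, [])).encode("ascii")
        body += struct.pack(">I", len(raw)) + raw
    body += bytes(5)  # first_kex_packet_follows = 0, reserved uint32 = 0
    return struct.pack(">IB", len(body) + pad + 1, pad) + body + bytes(pad)

def parse_kexinit(packet):
    """Parse one unencrypted SSH binary packet carrying SSH_MSG_KEXINIT."""
    if len(packet) < 5:
        raise ValueError("truncated packet header")
    pkt_len, pad_len = struct.unpack(">IB", packet[:5])
    if 4 + pkt_len > len(packet) or pad_len + 1 > pkt_len:
        raise ValueError("inconsistent packet or padding length")
    payload = packet[5:4 + pkt_len - pad_len]
    if len(payload) < 17 or payload[0] != 20:
        raise ValueError("not a KEXINIT payload")
    pos, lists = 17, {}  # skip message type and 16-byte cookie
    for name in FIELDS:
        n = int.from_bytes(payload[pos:pos + 4], "big")
        raw = payload[pos + 4:pos + 4 + n]
        if pos + 4 > len(payload) or len(raw) != n:
            raise ValueError("truncated name-list in field " + name)
        lists[name] = raw.decode("ascii").split(",") if raw else []
        pos += 4 + n
    return lists

def missing_algorithms(lists):
    """Per field, the wanted algorithms (first alias) the server did not offer."""
    return {f: miss for f, groups in WANTED.items()
            if (miss := [g[0] for g in groups if not set(g) & set(lists[f])])}

# Constructed sample offer, not captured from a real device.
SAMPLE = build_kexinit({
    "kex": ["curve25519-sha256@libssh.org", "diffie-hellman-group14-sha1"],
    "host_key": ["ssh-rsa"], "enc_c2s": ["aes128-ctr"], "enc_s2c": ["aes128-ctr"],
    "mac_c2s": ["hmac-sha1"], "mac_s2c": ["hmac-sha1", "hmac-sha2-256"],
    "comp_c2s": ["none"], "comp_s2c": ["none"]})
```

`missing_algorithms(parse_kexinit(SAMPLE))` reports `ssh-ed25519` and `hmac-sha2-512` as not offered for the constructed sample, while the Curve25519 key exchange is accepted under its `@libssh.org` alias.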

ecsv pushed a commit to FreifunkVogtland/gluon that referenced this issue Jun 9, 2017
Includes a few security updates and enables Curve25519 support.

Fixes freifunk-gluon#223
@maurerle
Member

Dropbear has supported ed25519 since 05.2020:
mkj/dropbear#91

Release Notes:
https://github.com/mkj/dropbear/releases/tag/DROPBEAR_2020.79

OpenWrt master (not released) supports it:
https://github.com/openwrt/openwrt/blob/master/package/network/services/dropbear/Makefile

@mweinelt
Contributor

It is very unlikely that we will backport this. The OpenWrt team plans to do a new release soon and then we will benefit from those changes.
