diff options
| author | Joseph Reynolds <jrey@us.ibm.com> | 2018-09-26 16:31:39 -0500 |
|---|---|---|
| committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2018-09-27 21:37:27 -0400 |
| commit | a12245dbaa1455edaaf316556c1d349b7aac8265 (patch) | |
| tree | 348f5fe09d0b7e9ff47e20cb04e3b02fd706e1d6 /meta-phosphor/recipes-core | |
| parent | 341c7c38488c29ae281015ee3cff1aa0f99c7bf5 (diff) | |
| download | talos-openbmc-a12245dbaa1455edaaf316556c1d349b7aac8265.tar.gz talos-openbmc-a12245dbaa1455edaaf316556c1d349b7aac8265.zip | |
Disable medium-strength dropbear ssh ciphers
This changes the Dropbear SSH server configuration so it will not
accept medium-strength encryption ciphers including: CBC mode, MD5,
96-bit MAC, and triple DES.
The remaining ciphers include aes128-ctr and aes256-ctr. Dropbear
does not offer the arcfour cipher suite.
Note that Dropbear does not use a config file and instead uses
file options.h to control its features. This commit adds a
patch to disable the unwanted ciphers.
Tested:
On the qemu-based BMC:
ssh -c help 127.0.0.1
aes128-ctr,aes256-ctr
Before this change, the value was:
aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc,twofish256-cbc,
twofish-cbc,twofish128-cbc,3des-ctr,3des-cbc
Attempt to contact the BMC from host:
ssh -p 2222 -l root localhost # success
ssh -c aes128-cbc -p 2222 -l root localhost
Unable to negotiate with 127.0.0.1 port 2222: no matching cipher
found. Their offer: aes128-ctr,aes256-ctr
Before this change, the connection was successful.
Attempt to contact the BMC from older system:
ssh -V
OpenSSH_5.8p1, OpenSSL 0.9.8g 19 Oct 2007
ssh -p 2222 -l root ${BMC_IP_ADDR} # success
Resolves openbmc/openbmc#3186
(From meta-phosphor rev: 4ad7873e5dcd8475d48b6551002331a1efe4b2f1)
Change-Id: I5648a1602a3683afd9bd90ba62d8f6e4d9237506
Signed-off-by: Joseph Reynolds <jrey@us.ibm.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Diffstat (limited to 'meta-phosphor/recipes-core')
| -rw-r--r-- | meta-phosphor/recipes-core/dropbear/dropbear/options.patch | 26 | ||||
| -rw-r--r-- | meta-phosphor/recipes-core/dropbear/dropbear_2017.75.bbappend | 4 |
2 files changed, 30 insertions, 0 deletions
diff --git a/meta-phosphor/recipes-core/dropbear/dropbear/options.patch b/meta-phosphor/recipes-core/dropbear/dropbear/options.patch new file mode 100644 index 000000000..0582ca4e4 --- /dev/null +++ b/meta-phosphor/recipes-core/dropbear/dropbear/options.patch @@ -0,0 +1,26 @@ +diff --git a/options.h b/options.h +index 0c51bb1..2c38f42 100644 +--- a/options.h ++++ b/options.h +@@ -95,12 +95,9 @@ much traffic. */ + #define DROPBEAR_AES256 + /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */ + /*#define DROPBEAR_BLOWFISH*/ +-#define DROPBEAR_TWOFISH256 +-#define DROPBEAR_TWOFISH128 + + /* Enable CBC mode for ciphers. This has security issues though + * is the most compatible with older SSH implementations */ +-#define DROPBEAR_ENABLE_CBC_MODE + + /* Enable "Counter Mode" for ciphers. This is more secure than normal + * CBC mode against certain attacks. It is recommended for security +@@ -130,8 +127,6 @@ If you test it please contact the Dropbear author */ + * These hashes are also used for public key fingerprints in logs. + * If you disable MD5, Dropbear will fall back to SHA1 fingerprints, + * which are not the standard form. */ +-#define DROPBEAR_SHA1_HMAC +-#define DROPBEAR_SHA1_96_HMAC + #define DROPBEAR_SHA2_256_HMAC + #define DROPBEAR_SHA2_512_HMAC + #define DROPBEAR_MD5_HMAC diff --git a/meta-phosphor/recipes-core/dropbear/dropbear_2017.75.bbappend b/meta-phosphor/recipes-core/dropbear/dropbear_2017.75.bbappend new file mode 100644 index 000000000..0bcdf6f93 --- /dev/null +++ b/meta-phosphor/recipes-core/dropbear/dropbear_2017.75.bbappend @@ -0,0 +1,4 @@ +# TODO: Dropbear 2018.76 controls options in a different way. See +# https://github.com/openbmc/openbmc/issues/3186 +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" +SRC_URI += "file://options.patch" |
