FS#60315 - [dropbear] new, strict localoptions.h breaks remote ssh access

Attached to Project: Community Packages
Opened by b3niup (b3niup) - Friday, 05 October 2018, 09:11 GMT
Last edited by Alexander F. Rødseth (xyproto) - Saturday, 06 October 2018, 19:02 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Alexander F. Rødseth (xyproto)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No

Details

Description:
New dropbear release breaks remote ssh access for people using ECDSA, ECDH, DSS and a few other algorithms because of its very strict localoptions.h that disables almost all options.

Additional info:
* package version: 2018.76-2
This task depends upon

Closed by Alexander F. Rødseth (xyproto)
Saturday, 06 October 2018, 19:02 GMT
Reason for closing: Fixed
Comment by Alexander F. Rødseth (xyproto) - Friday, 05 October 2018, 19:30 GMT
Thanks for reporting.

The settings are as recommended by ssh-audit: https://github.com/arthepsy/ssh-audit

* Which algorithm/cipher do you need enabled?
* Do you have an old ssh client that can not connect to dropbear with the strict settings? If yes, please provide the name and version number of the ssh client.

I'm trying to find out if this is mostly a theoretical problem, or if the recommended settings by ssh-audit are too strict also for ssh clients provided by Arch Linux, or for any specific ssh clients.

I would ideally like to keep dropbear strict, but if I could enable an option to help a specific ssh client work again, I would be happy to look into that and consider the options.
Comment by b3niup (b3niup) - Saturday, 06 October 2018, 04:04 GMT
Hi, thanks for your response.

I am aware of ssh-audit recommendations.
But such a dramatic change in a minor version locked me out of a few systems, because I'm using an ecdsa ssh keypair. It's, as far as I know, plenty strong and secure, but still disabled in this build.

So personally I need at least DROPBEAR_ECDSA enabled, but I guess it'd be ok to add DROPBEAR_ECDH as well.
Comment by Alexander F. Rødseth (xyproto) - Saturday, 06 October 2018, 15:15 GMT
I am sorry you were locked out. I updated the dropbear package to have DROPBEAR_ECDSA enabled, despite the recommendation from ssh-audit to disable it.

The updated package will appear in [community] shortly, please test.
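An added pre-upgrade check, not part of this report or of the dropbear project: given a strict localoptions.h and an authorized_keys file, it lists the keys whose type the build would refuse, which is the lock-out described in this report. The macro names DROPBEAR_DSS, DROPBEAR_ECDSA and DROPBEAR_ECDH come from the report; DROPBEAR_RSA is dropbear's matching switch for RSA keys; the sample files and key blobs are constructed placeholders, and a macro missing from the file is assumed enabled.

```python
import re

# Authorized_keys key types mapped to the localoptions.h macro that gates them.
KEY_TYPE_TO_OPTION = {
    "ssh-rsa": "DROPBEAR_RSA",
    "ssh-dss": "DROPBEAR_DSS",
    "ecdsa-sha2-nistp256": "DROPBEAR_ECDSA",
    "ecdsa-sha2-nistp384": "DROPBEAR_ECDSA",
    "ecdsa-sha2-nistp521": "DROPBEAR_ECDSA",
}

DEFINE_RE = re.compile(r"^\s*#define\s+(DROPBEAR_\w+)\s+(\d+)")

# Constructed sample resembling a strict localoptions.h (not the package's file).
STRICT_LOCALOPTIONS = """\
#define DROPBEAR_RSA 1
#define DROPBEAR_DSS 0
#define DROPBEAR_ECDSA 0
#define DROPBEAR_ECDH 0
"""

# Constructed sample authorized_keys; the blobs are placeholders, not real keys.
AUTHORIZED_KEYS = """\
# admin keys
ssh-rsa AAAA_PLACEHOLDER admin@laptop
ecdsa-sha2-nistp256 AAAA_PLACEHOLDER b3niup@desk
no-pty,command="/bin/backup" ssh-dss AAAA_PLACEHOLDER backup@nas
"""

def parse_localoptions(text):
    """Return {macro: value} for every '#define DROPBEAR_X N' line."""
    opts = {}
    for line in text.splitlines():
        m = DEFINE_RE.match(line)
        if m:
            opts[m.group(1)] = int(m.group(2))
    return opts

def locked_out_keys(localoptions_text, authorized_keys_text):
    """Return (key_type, comment, macro) for each key a build with these
    options would refuse. Macros absent from the file count as enabled
    (an assumption; dropbear's compiled-in defaults apply in reality)."""
    opts = parse_localoptions(localoptions_text)
    refused = []
    for line in authorized_keys_text.splitlines():
        fields = line.split()
        # The key type is the first field unless key options precede it.
        idx = next((i for i, f in enumerate(fields) if f in KEY_TYPE_TO_OPTION), None)
        if not fields or fields[0].startswith("#") or idx is None:
            continue  # comment, blank line, or a key type outside the table
        macro = KEY_TYPE_TO_OPTION[fields[idx]]
        if opts.get(macro, 1) == 0:
            refused.append((fields[idx], " ".join(fields[idx + 2:]), macro))
    return refused
```

Running `locked_out_keys(STRICT_LOCALOPTIONS, AUTHORIZED_KEYS)` before deploying the build shows which users would lose access, so the relevant macro can be flipped to 1 (as done for DROPBEAR_ECDSA here) or the keys rotated first.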
Comment by b3niup (b3niup) - Saturday, 06 October 2018, 18:51 GMT
I've already built it with DROPBEAR_ECDSA yesterday and now it's working fine :)
Thanks!