FS#60315 - [dropbear] new, strict localoptions.h breaks remote ssh access
Attached to Project:
Community Packages
Opened by b3niup (b3niup) - Friday, 05 October 2018, 09:11 GMT
Last edited by Alexander F. Rødseth (xyproto) - Saturday, 06 October 2018, 19:02 GMT
Details
Description:
New dropbear release breaks remote ssh access for people using ECDSA, ECDH, DSS and a few other algorithms because of its very strict localoptions.h that disables almost all options.
Additional info:
* package version: 2018.76-2
Closed by Alexander F. Rødseth (xyproto)
Saturday, 06 October 2018, 19:02 GMT
Reason for closing: Fixed
The settings are as recommended by ssh-audit: https://github.com/arthepsy/ssh-audit
* Which algorithm/cipher do you need enabled?
* Do you have an old ssh client that can not connect to dropbear with the strict settings? If yes, please provide the name and version number of the ssh client.
I'm trying to find out if this is mostly a theoretical problem, or if the recommended settings by ssh-audit are too strict also for ssh clients provided by Arch Linux, or for any specific ssh clients.
I would ideally like to keep dropbear strict, but if I could enable an option to help a specific ssh client work again, I would be happy to look into that and consider the options.
I am aware of ssh-audit recommendations.
But such a dramatic change in a minor version locked me out of a few systems, because I'm using an ecdsa ssh keypair. It's, as far as I know, plenty strong and secure, but still disabled in this build.
So personally I need at least DROPBEAR_ECDSA enabled, but I guess it'd be ok to add DROPBEAR_ECDH as well.
The updated package will appear in [community] shortly, please test.
Thanks!
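
A pre-upgrade check for the lockout described in this report, as an added example that is not part of the original thread or of the dropbear or Arch packaging: it reads a `localoptions.h` and an `authorized_keys` file and lists the user keys whose algorithm the build disables. The function names and sample inputs are constructed for illustration, the script assumes an option missing from `localoptions.h` keeps its enabled default, and it covers public-key types only, not key exchange such as ECDH.

```python
import re

# Key type as written in authorized_keys -> dropbear build option it depends on.
KEYTYPE_OPTION = {
    "ssh-rsa": "DROPBEAR_RSA",
    "ssh-dss": "DROPBEAR_DSS",
    "ecdsa-sha2-nistp256": "DROPBEAR_ECDSA",
    "ecdsa-sha2-nistp384": "DROPBEAR_ECDSA",
    "ecdsa-sha2-nistp521": "DROPBEAR_ECDSA",
}
DEFINE_RE = re.compile(r"^\s*#\s*define\s+(DROPBEAR_\w+)\s+(\d+)\s*(?:/[/*].*)?$")

def parse_localoptions(text):
    """Return {option: value} for each '#define DROPBEAR_X <n>' line."""
    opts = {}
    for line in text.splitlines():
        m = DEFINE_RE.match(line)
        if m:
            opts[m.group(1)] = int(m.group(2))
    return opts

def locked_out_keys(localoptions_text, authorized_keys_text):
    """List (line_no, key_type, option) for keys this build would not accept."""
    opts = parse_localoptions(localoptions_text)
    problems = []
    for no, line in enumerate(authorized_keys_text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # The key type may be preceded by an options field (e.g. no-pty).
        ktype = next((f for f in fields if f in KEYTYPE_OPTION), None)
        if ktype is None:
            continue
        option = KEYTYPE_OPTION[ktype]
        # Assumption: an option not set in localoptions.h stays enabled (1).
        if opts.get(option, 1) == 0:
            problems.append((no, ktype, option))
    return problems

# Constructed sample inputs (not the actual Arch package file or real keys).
SAMPLE_OPTIONS = """\
#define DROPBEAR_DSS 0
#define DROPBEAR_ECDSA 0
#define DROPBEAR_ECDH 0
"""
SAMPLE_KEYS = """\
# constructed entries, key material shortened
ssh-rsa AAAAB3NzaC1yc2E-constructed alice@example
ecdsa-sha2-nistp256 AAAAE2VjZHNh-constructed bob@example
no-pty ssh-dss AAAAB3NzaC1kc3M-constructed carol@example
"""
```

Running `locked_out_keys` against each host's `authorized_keys` before upgrading shows which accounts need a key of an enabled type added first.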