FS#60523 - [dropbear] Included 'dropbearconvert' utility no longer properly handles OpenSSH host keys
Attached to Project:
Community Packages
Opened by Lance (Raansu) - Monday, 22 October 2018, 07:11 GMT
Last edited by Alexander F. Rødseth (xyproto) - Monday, 19 November 2018, 13:25 GMT
Details
Description: There seems to have been a change with OpenSSH and the way it formats its host keys. The included Dropbear utility 'dropbearconvert' can no longer convert them to a format that Dropbear can make use of. In my case I'm making use of 'mkinitcpio-systemd-tool' to aid with setting up remote decryption of my system; this makes use of Dropbear and 'dropbearconvert' to convert existing OpenSSH host keys.

I was not entirely sure where to report this bug/issue; it seems to be a Dropbear issue rather than an OpenSSH issue.

Additional info:
* package version(s)
  Dropbear v2018.76
  OpenSSH_7.9p1, OpenSSL 1.1.1 11 Sep 2018
* config and/or log files etc.
```
[root@archiso /]# dropbearconvert openssh dropbear /etc/ssh/ssh_host_rsa_key /etc/dropbear/dropbear_rsa_host_key
Error: Unrecognised key type
Error reading key from '/etc/ssh/ssh_host_rsa_key'
[root@archiso /]#
```

Steps to reproduce:
Generate host keys for OpenSSH with 'ssh-keygen -A'
Attempt to convert any generated host keys with 'dropbearconvert openssh dropbear </path/to/ssh_host_key> </path/to/dropbear_host_key>'
Closed by Alexander F. Rødseth (xyproto)
Monday, 19 November 2018, 13:25 GMT
Reason for closing: No response
Thanks for reporting. I recently tightened up the security of dropbear, based on the advice from ssh-audit (https://git.archlinux.org/svntogit/community.git/commit/trunk?h=packages/dropbear&id=76850552f9eea2289d2c016fe574ededfa9222bf).
However, the security was just a bit too tight, so I re-enabled one of the less safe options because of this bug report: https://bugs.archlinux.org/task/60315, which led to this change: https://git.archlinux.org/svntogit/community.git/commit/trunk?h=packages/dropbear&id=fa19faf4a644be731e143d0bf09fa9de6cdf2827
The current status is that dropbear is relatively strict, security-wise, but aims to be somewhat backwards compatible with old ssh clients, unless it makes things too insecure.
It could be that the above changes made "dropbearconvert" not support insecure host keys anymore.
Could you please try with a more secure host key type?
Here is the ssh-audit project page, for more information about the recommendations: https://github.com/arthepsy/ssh-audit
Someone over at the 'mkinitcpio-systemd-tool' github issues page pointed out that 'dropbearconvert' has this bit of code, https://github.com/mkj/dropbear/blob/d740dc548924f2faf0934e5f9a4b83d2b5d6902d/keyimport.c#L394
It's looking for a file signature at the beginning of an OpenSSH-generated host key that isn't there in newer generated host keys.
Would you mind asking for general advice on this on the dropbear mailing list? https://lists.ucc.gu.uwa.edu.au/mailman/listinfo/dropbear
> By default openssh keys are in “RFC4716” format. To convert your openssh keys, you need to generate them in the PEM format.
>
> ssh-keygen -A -m PEM
>
> You can now convert them with dropbearconvert
Did this resolve the issue?
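The two observations above (dropbearconvert checks the header at the start of the key file, and the quoted advice to regenerate keys with `-m PEM`) can be turned into a quick pre-flight check before touching `/etc/dropbear`. The script below is an added example; it is not from this ticket, from mkinitcpio-systemd-tool, or from the dropbear project. It reads only the first line of each key file and reports whether it carries the legacy PEM header (`-----BEGIN RSA PRIVATE KEY-----` and friends) or the header of OpenSSH's own newer private-key format (`-----BEGIN OPENSSH PRIVATE KEY-----`). Treating the legacy PEM headers as the ones dropbearconvert accepts follows the quoted advice and is an assumption, not a reading of dropbear's source. The sample key files it creates are constructed placeholders, not real keys; the suggested in-place rewrite uses `ssh-keygen -p -m PEM -f <file>`, which is the `-m PEM` switch quoted above applied to an existing key instead of to `-A`.

```shell
#!/bin/sh
# Added example (not from the bug report or the dropbear project).
# Classifies private key files by their first line so you know, before running
# dropbearconvert, which host keys it can read and which need rewriting first.
# Assumption: legacy PEM headers are the ones dropbearconvert accepts; the
# newer "OPENSSH PRIVATE KEY" header is the signature it does not recognise.

# key_format FILE -> prints exactly one word: pem | openssh | unknown
key_format() {
    if [ ! -r "$1" ]; then
        echo unknown
        return 0
    fi
    header=$(head -n 1 "$1")
    case "$header" in
        '-----BEGIN OPENSSH PRIVATE KEY-----')
            # OpenSSH's native format: rewrite with -m PEM before converting
            echo openssh ;;
        '-----BEGIN RSA PRIVATE KEY-----' | \
        '-----BEGIN DSA PRIVATE KEY-----' | \
        '-----BEGIN EC PRIVATE KEY-----')
            # legacy PEM: the header a 2018.76 dropbearconvert expects
            echo pem ;;
        *)
            echo unknown ;;
    esac
}

# make_samples -> prints a temp directory holding constructed (fake) key files.
# The bodies are placeholders; only the header line matters to key_format.
make_samples() {
    sdir=$(mktemp -d)
    printf '%s\n%s\n%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'AAAAfake' \
        '-----END OPENSSH PRIVATE KEY-----' > "$sdir/new_format_key"
    printf '%s\n%s\n%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIEfake' \
        '-----END RSA PRIVATE KEY-----' > "$sdir/pem_rsa_key"
    printf '%s\n' 'ssh-ed25519 AAAAfake root@archiso' > "$sdir/not_a_key"
    echo "$sdir"
}

# report FILE... -> one line per file, plus the remedial command for keys
# dropbearconvert cannot read. Exits non-zero if any such key was found.
report() {
    bad=0
    for f in "$@"; do
        fmt=$(key_format "$f")
        printf '%s: %s\n' "$f" "$fmt"
        if [ "$fmt" = openssh ]; then
            printf '  rewrite in place first: ssh-keygen -p -m PEM -f %s\n' "$f"
            bad=1
        fi
    done
    return "$bad"
}

# With arguments, check the given key files (e.g. /etc/ssh/ssh_host_*_key);
# without, demonstrate on the constructed samples.
if [ "$#" -gt 0 ]; then
    report "$@"
else
    demo=$(make_samples)
    report "$demo"/* || true
    rm -rf "$demo"
fi
```

Run it against the real host keys (`sh check_keys.sh /etc/ssh/ssh_host_*_key`, where the file name is whatever you saved the script as) and only then call dropbearconvert; a non-zero exit means at least one key still carries the newer header. Note that `ssh-keygen -p -m PEM` rewrites the key file in place, so keep the `ssh-keygen -A -m PEM` route from the quoted advice if you would rather regenerate than modify existing host keys.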
works as well, if you prefer to use existing keys.
EDIT: bullshit, the key I tested worked anyway and didn't change, sorry!