dropbear: disable two weak kex/mac algorithms

hmac-sha1 and diffie-hellman-group14-sha1 are weak algorithms. A future deprecation notice of ssh-rsa (2048-bit) has been issued. [1] It has no place in a potentially internet-facing daemon like dropbear. Upstream has acknowledged this and offered this solution to disable these two until this is made to be the default in the next release of dropbear next year. [2] 1. https://www.openssh.com/txt/release-8.2 2. https://github.com/mkj/dropbear/issues/138 Signed-off-by: John Audia <therealgraysky@proton.me> Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
2025-04-17 15:59:37 +00:00 · 2024-01-09 03:40:01 +03:00 · 2024-01-09 03:40:01 +03:00 · 2d9a0be307
commit 2d9a0be307
parent 0b277f8659
1 changed files with 4 additions and 0 deletions
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@ -110,12 +110,16 @@ CONFIGURE_ARGS += \
 # - DROPBEAR_CLI_NETCAT
 # - DROPBEAR_DSS
 # - DO_MOTD
+# - DROPBEAR_DH_GROUP14_SHA1
+# - DROPBEAR_SHA1_HMAC
 DB_OPT_COMMON = \
 	!!LOCAL_IDENT,"SSH-2.0-dropbear" \
 	DEFAULT_PATH,"$(TARGET_INIT_PATH)" \
 	DROPBEAR_DSS,0 \
 	DROPBEAR_CLI_NETCAT,0 \
 	DO_MOTD,0 \
+	DROPBEAR_DH_GROUP14_SHA1,0 \
+	DROPBEAR_SHA1_HMAC,0 \


 ##############################################################################