don't mention SHA1 in order to not confuse users - SHA1 support is already disabled (except RSA-SHA1 signagures).
ref: https://github.com/openwrt/openwrt/issues/15281
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
- update dropbear to latest stable 2024.85;
for the changes see https://matt.ucc.asn.au/dropbear/CHANGES
- drop cherry-picked patches (merged in release 2024.84)
- refresh remaining patches
Tested-by: Stijn Segers <foss@volatilesystems.org>
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
The DropBear's dropbearkey supports limited set of arguments of
OpenSSH ssh-keygen: -t, -q -N -Y
After the change you can generate a key with the same command.
Still many features of the original OpenSSH ssh-keygen are absent in
the dropbearkey.
If it's needed then users should install openssh-keygen package that
will replace the /usr/bin/ssh-keygen with the full version.
Signed-off-by: Sergey Ponomarev <stokito@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/14174
[ wrap commit description to 80 columns ]
Link: https://github.com/openwrt/openwrt/pull/14174
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
- introduce 'DirectInterface' option to bind exactly to specified interface;
fixes#9666 and late IPv4/IPv6 address assignment
- option 'DirectInterface' takes precedence over 'Interface'
- improve interface/address handling,
e.g. verify count of listening endpoints due to dropbear limit (10 for now)
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
- correct maximum receive window size
- adjust receive window size against maximum allowed value
- warn about too high receive window size in syslog
improves f95eecfb
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
end users should have done this since OpenWrt 19.07.
if they didn't do this yet - perform auto-transition.
schedule 'rsakeyfile' removal for next year release.
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
these options allow one to configure U2F/FIDO support in more granular way
inspired by upstream commit aa6559db
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
reduces binary/package size and increases overall performance
also:
- adjust 910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
to build without DROPBEAR_RSA/DROPBEAR_RSA_SHA256
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
hmac-sha1 and diffie-hellman-group14-sha1 are weak algorithms.
A future deprecation notice of ssh-rsa (2048-bit) has been issued. [1]
It has no place in a potentially internet-facing daemon like dropbear.
Upstream has acknowledged this and offered this solution to disable
these two until this is made to be the default in the next release
of dropbear next year. [2]
1. https://www.openssh.com/txt/release-8.2
2. https://github.com/mkj/dropbear/issues/138
Signed-off-by: John Audia <therealgraysky@proton.me>
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
- "default n" is not needed: options are not selected by default
- wrap config on 80 characters width (assuming tab is 8 characters long)
- add feature cost size and security notes for DROPBEAR_AGENTFORWARD
and DROPBEAR_DBCLIENT_AGENTFORWARD:
describe why and where it should be disabled
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
- switch DB_OPT_COMMON and DB_OPT_CONFIG to comma-separated lists:
this allows to have values with "|" in DB_OPT_COMMON and DB_OPT_CONFIG
which is more likely to be than values with commas;
use $(comma) variable for values with commas.
- sort DB_OPT_COMMON and DB_OPT_CONFIG to have "overrides" on top of list.
- allow DB_OPT_COMMON to have values with commas.
- allow to replace multiline definitions in sysoptions.h.
improves e1bd9645
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
- update dropbear to latest stable 2022.83;
for the changes see https://matt.ucc.asn.au/dropbear/CHANGES
- drop patches:
- 001-fix-MAX_UNAUTH_CLIENTS-regression.patch
- rework patches:
- 901-bundled-libs-cflags.patch
- refresh remaining patches
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
Increasing the receive window size improves throughout on higher-latency
links such as WAN connections. The current default of 24KB caps out at
around 500 KB/s.
Increasing the receive buffer to 256KB increases the throughput to at
least 11 MB/s.
Signed-off-by: David Bauer <mail@david-bauer.net>
At least Fedora and RHEL 9 set RSAMinSize=2048, so when trying to use
failsafe, we get 'Bad server host key: Invalid key length'
To workaround the issue, we can use: ssh -o RSAMinSize=1024 ...
Generating 2048 bits RSA is extremely slow, so add ed25519.
We keep RSA 1024 to be as compatible as possible.
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
adds ForceCommand option. If the command is specified,
it forces users to execute the command when they log in.
Signed-off-by: Nozomi Miyamori <inspc43313@yahoo.co.jp>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Based on Paul Fertser <fercerpav@gmail.com>'s guidance:
Change AUTORELEASE in rules.mk to:
```
AUTORELEASE = $(if $(DUMP),0,$(shell sed -i "s/\$$(AUTORELEASE)/$(call commitcount,1)/" $(CURDIR)/Makefile))
```
then update all affected packages by:
```
for i in $(git grep -l PKG_RELEASE:=.*AUTORELEASE | sed 's^.*/\([^/]*\)/Makefile^\1^';);
do
make package/$i/clean
done
```
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
This reduces open coding and allows to easily add a knob to enable
it treewide, where chosen packages can still opt-out via "no-lto".
Some packages used LTO, but not the linker plugin. This unifies 'em
all to attempt to produce better code.
Quoting man gcc(1):
"This improves the quality of optimization by exposing more code to the
link-time optimizer."
Also use -flto=auto instead of -flto=jobserver, as it's not guaranteed
that every buildsystem uses +$(MAKE) correctly.
Signed-off-by: Andre Heider <a.heider@gmail.com>
This reduces open coding and allows to easily add a knob to
enable it treewide, where chosen packages can still opt-out via
"no-gc-sections".
Note: libnl, mbedtls and opkg only used the CFLAGS part without the
LDFLAGS counterpart. That doesn't help at all if the goal is to produce
smaller binaries. I consider that an accident, and this fixes it.
Note: there are also packages using only the LDFLAGS part. I didn't
touch those, as gc might have been disabled via CFLAGS intentionally.
Signed-off-by: Andre Heider <a.heider@gmail.com>
* SSH agent forwarding might cause security issues, locally and on the jump
machine (https://defn.io/2019/04/12/ssh-forwarding/). So allow to
completely disabling it.
* separate options for client and server
* keep it enabled by default
Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
with xinetd allowed+blocked (ipv6) hosts could be set
what is not possible with stock dropbear package
The file size increased 12 Bytes, so this "opimisation" did not really helped.
Within a compressed storage format it is 0..
ipk: 111.171 -> 111.361 = 190 bytes
bin: 215.128 -> 215.140 = 12 bytes
Signed-off-by: Fritz D. Ansel <fdansel@yandex.ru>
Before this commit, it was assumed that mkhash is in the PATH. While
this was fine for the normal build workflow, this led to some issues if
make TOPDIR="$(pwd)" -C "$pkgdir" compile
was called manually. In most of the cases, I just saw warnings like this:
make: Entering directory '/home/.../package/gluon-status-page'
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
bash: line 1: mkhash: command not found
[...]
While these were only warnings and the package still compiled sucessfully,
I also observed that some package even fail to build because of this.
After applying this commit, the variable $(MKHASH) is introduced. This
variable points to $(STAGING_DIR_HOST)/bin/mkhash, which is always the
correct path.
Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
Bump package version after previous changes.
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
[added missing commit description]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
binary size cost is much less than 1k.
tested on ath79/generic:
bin: 215128 -> 215132 (+4b)
ipk: 111183 -> 111494 (+311b)
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
this commit removes manual recipes for options and introduces mapping lists:
- DB_OPT_COMMON holds option mappings which are common for all builds;
- DB_OPT_CONFIG holds option mappings which are depend on config settings.
DB_OPT_COMMON is space-separated list of 'words', each of them is in format:
'header_option|value'
'header_option' is added with value 'value' to 'localoptions.h'.
if 'header_option' is preceded by two exclamation marks ('!!')
then option is not added to 'localoptions.h' but replaced in 'sysoptions.h'.
in short:
option|value - add option to localoptions.h
!!option|value - replace option in sysoptions.h
DB_OPT_CONFIG is space-separated list of 'words', each of them is in format:
'header_option|config_variable|value_enabled|value_disabled'
'header_option' is handled likewise in DB_OPT_COMMON.
if 'config_variable' is enabled (technically: not disabled)
then 'header_option' is set to 'value_enabled' and 'value_disabled' otherwise.
in short:
option|config|enabled|disabled = add option to localoptions.h
!!option|config|enabled|disabled = replace option in sysoptions.h
option := (config) ? enabled : disabled
If you're not sure that option's value doesn't have '|' within - add your recipe
manually right after '$(Build/Configure/dropbear_headers)' and write some words
about your decision.
PS about two exclamation marks:
early idea was to use one exclamation mark to denote such header options
but then i thought single exclamation mark may be overlooked by mistake.
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
- add two helper functions to avoid mistakes with
choice of correct header file to work with
- update rules accordingly
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
put static options at first place, then place configurable options.
also put DROPBEAR_ECC right before DROPBEAR_ECC_FULL to ease maintainance.
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
this option was disabled in 2011 and these long nine years showed us that change was definitely wrong.
binary size cost is much less than 1k.
tested on ath79/generic:
bin: 215128 -> 215128 (no change)
ipk: 111108 -> 111183 (+75b)
Fixes: 3c801b3dc0 ("tune some more options by default to decrease size")
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
Update dropbear to latest stable 2.81; for the changes see https://matt.ucc.asn.au/dropbear/CHANGES
Refresh patches
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
The Ed25519 key pairs are much shorter than RSA pairs and are supported
by default in OpenSSH. Looking at websites explaining how to create new
SSH keys, many suggest using Ed25519 rather than RSA, however consider
the former as not yet widely established. OpenWrt likely has a positive
influence on that development.
As enabling Ed25519 is a compile time option, it is currently not
possible to install the feature via `opkg` nor select that option in an
ImageBuilder.
Due to the size impact of **12kB** the option should only be enabled for
devices with `!SMALL_FLASH`.
This approach seems cleaner than splitting `dropbear` into two packages
like `dropbear` and `dropbear-ed25519`.
Signed-off-by: Paul Spooren <mail@aparcar.org>
If not needed, disabling scp allows for a nice size reduction.
Dropbear executable size comparison:
153621 bytes (baseline)
133077 bytes (without scp)
In other words, we trim a total of 20544 bytes.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
The ssh symlink was still being created even when dbclient was disabled in the
build configuration. Fix this annoyance.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Upstream in commit 972d723484d8 ("split signkey_type and signature_type
for RSA sha1 vs sha256") has added strict checking of pubkey algorithms
which made keys with SHA-256 hashing algorithm unusable as they still
reuse the `ssh-rsa` public key format. So fix this by disabling the
check for `rsa-sha2-256` pubkeys.
Ref: https://tools.ietf.org/html/rfc8332#section-3
Fixes: d4c80f5b17 ("dropbear: bump to 2020.80")
Tested-by: Russell Senior <russell@personaltelco.net>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
This replaces deprecated backticks by more versatile $(...) syntax.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
[add commit description]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Backport patches which fix compile issue for uClibc-ng :
dbrandom.c:174:8: warning: implicit declaration of function 'getrandom'; did you mean 'genrandom'? [-Wimplicit-function-declaration]
ret = getrandom(buf, sizeof(buf), GRND_NONBLOCK);
^~~~~~~~~
genrandom
dbrandom.c:174:36: error: 'GRND_NONBLOCK' undeclared (first use in this function); did you mean 'SOCK_NONBLOCK'?
ret = getrandom(buf, sizeof(buf), GRND_NONBLOCK);
^~~~~~~~~~~~~
SOCK_NONBLOCK
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
- drop patches (applied upstream):
* 010-backport-change-address-logging.patch
* 020-backport-ed25519-support.patch
* 021-backport-chacha20-poly1305-support.patch
- backport patches:
* 010-backport-disable-toom-and-karatsuba.patch:
reduce dropbear binary size (about ~8Kb).
- refresh patches.
- don't bother anymore with following config options
because they are disabled in upstream too:
* DROPBEAR_3DES
* DROPBEAR_ENABLE_CBC_MODE
* DROPBEAR_SHA1_96_HMAC
- explicitly disable DO_MOTD as it was before commit a1099ed:
upstream has (accidentally) switched it to 0 in release 2019.77,
but reverted back in release 2020.79.
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
201e359 Handle early exit when addrstring isn't set
fa4c464 Improve address logging on early exit messages (#83)
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>