[Buildroot] [PATCH 3/3] dropbear: Disable insecure options
Stefan Sørensen
stefan.sorensen at spectralink.com
Wed Apr 18 14:24:34 UTC 2018
The default dropbear configuration includes a number of features no longer
considered secure, so disable:
 - 3DES cipher
 - MD5 integrity algorithm
 - SHA1-96 integrity algorithm
 - DSS key exchange algorithm
 - DH Group1 key exchange algorithm
Signed-off-by: Stefan Sørensen <stefan.sorensen at spectralink.com>
---
package/dropbear/Config.in | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/package/dropbear/Config.in b/package/dropbear/Config.in
index 441c521d18..c5acd333a8 100644
--- a/package/dropbear/Config.in
+++ b/package/dropbear/Config.in
@@ -71,7 +71,7 @@ config BR2_PACKAGE_DROPBEAR_CIPHER_AES256
config BR2_PACKAGE_DROPBEAR_CIPHER_3DES
bool "3DES"
- default y
+ default n
help
Enable the 3DES cipher
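Review bot: the added "default n" for BR2_PACKAGE_DROPBEAR_CIPHER_3DES is redundant, since a Kconfig bool with no default line is already n; drop the "default y" line rather than replacing it, here and in the other hunks of this patch. The help text "Enable the 3DES cipher" could also say that the option is off by default because 3DES is no longer considered secure, so someone enabling it for an old peer sees the trade-off in menuconfig.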
@@ -99,7 +99,7 @@ menu "Dropbear cipher modes"
config BR2_PACKAGE_DROPBEAR_CIPHER_MODE_CBC
bool "CBC"
- default y
+ default n
help
Enable CBC mode for ciphers. This has security issues though
is the most compatible with older SSH implementations
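Review bot: CBC mode is missing from the commit log. The log lists five disabled features, but the diffstat shows six changed defaults and this hunk switches BR2_PACKAGE_DROPBEAR_CIPHER_MODE_CBC to n. Add CBC mode to the list, and since the help text calls it "the most compatible with older SSH implementations", say in the log that such peers need the option turned back on.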
@@ -124,7 +124,7 @@ config BR2_PACKAGE_DROPBEAR_HMAC_SHA1
config BR2_PACKAGE_DROPBEAR_HMAC_SHA1_96
bool "SHA1-96"
- default y
+ default n
help
Enable SHA1-96 integrity algorithm
@@ -142,7 +142,7 @@ config BR2_PACKAGE_DROPBEAR_HMAC_SHA2_512
config BR2_PACKAGE_DROPBEAR_HMAC_MD5
bool "MD5"
- default y
+ default n
help
Enable MD5 integrity algorithm. If you disable MD5, Dropbear
will fall back to SHA1 fingerprints, which are not the
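Review bot: the commit log does not mention the side effect that the help text for BR2_PACKAGE_DROPBEAR_HMAC_MD5 describes: "If you disable MD5, Dropbear will fall back to SHA1 fingerprints". With the default now n, that fallback becomes the default behaviour, so state the fingerprint change in the log for users who compare host key fingerprints after rebuilding.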
@@ -160,7 +160,7 @@ config BR2_PACKAGE_DROPBEAR_KEX_RSA
config BR2_PACKAGE_DROPBEAR_KEX_DSS
bool "DSS"
- default y
+ default n
help
Enable DSS key exchange algorithm. SSH2 RFC Draft requires
DSS.
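Review bot: the help text for BR2_PACKAGE_DROPBEAR_KEX_DSS still reads "SSH2 RFC Draft requires DSS." while the default becomes n, so the option is presented as required and yet disabled. Reword the help to say that DSS is off by default because it is no longer considered secure and should be enabled only for compatibility with peers that need it.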
@@ -188,7 +188,7 @@ config BR2_PACKAGE_DROPBEAR_KEX_ECDH
config BR2_PACKAGE_DROPBEAR_KEX_DH_GROUP1
bool "DH Group1"
- default y
+ default n
help
Enable DH Group1 key exchange algorithm. Group1 is less
secure (1024 bit) than Group14 though is the only option for
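Review bot: defaulting BR2_PACKAGE_DROPBEAR_KEX_DH_GROUP1 to n is a compatibility change that neither the help text nor the commit log calls out. The help text says Group1 "is the only option for" some peers (the sentence is cut off in this context), so add a sentence noting that the option is now off by default and must be re-enabled to reach them.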
--
2.17.0