Disable medium-strength dropbear ssh ciphers
This changes the Dropbear SSH server configuration so it will not
accept medium-strength encryption ciphers including: CBC mode, MD5,
96-bit MAC, and triple DES.
The remaining ciphers include aes128-ctr and aes256-ctr. Dropbear
does not offer the arcfour cipher suite.
Note that Dropbear does not use a config file and instead uses
file options.h to control its features. This commit adds a
patch to disable the unwanted ciphers.
Tested:
On the qemu-based BMC:
ssh -c help 127.0.0.1
aes128-ctr,aes256-ctr
Before this change, the value was:
aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc,twofish256-cbc,
twofish-cbc,twofish128-cbc,3des-ctr,3des-cbc
Attempt to contact the BMC from host:
ssh -p 2222 -l root localhost # success
ssh -c aes128-cbc -p 2222 -l root localhost
Unable to negotiate with 127.0.0.1 port 2222: no matching cipher
found. Their offer: aes128-ctr,aes256-ctr
Before this change, the connection was successful.
Attempt to contact the BMC from older system:
ssh -V
OpenSSH_5.8p1, OpenSSL 0.9.8g 19 Oct 2007
ssh -p 2222 -l root ${BMC_IP_ADDR} # success
Resolves openbmc/openbmc#3186
Change-Id: I3c0eee11c9cc46b964be630c39bb77c482e63b08
Signed-off-by: Joseph Reynolds <jrey@us.ibm.com>
diff --git a/recipes-core/dropbear/dropbear_2017.75.bbappend b/recipes-core/dropbear/dropbear_2017.75.bbappend
new file mode 100644
index 0000000..0bcdf6f
--- /dev/null
+++ b/recipes-core/dropbear/dropbear_2017.75.bbappend
@@ -0,0 +1,4 @@
+# TODO: Dropbear 2018.76 controls options in a different way. See
+# https://github.com/openbmc/openbmc/issues/3186
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+SRC_URI += "file://options.patch"