Dropbear 2016.73

Matt Johnston matt at ucc.asn.au
Sun Mar 20 22:57:27 AWST 2016 

Hi Hans,

sysoptions.h is intentional, those options haven't been tested
enough to make them readily accessible. sysoptions.h's warning applies:
 * You shouldn't edit this file unless you know you need to. 

When the draft was proposing group14-256 and group16-256 I
tested against OpenSSH [1], but the spec has now moved to
group16-sha512.

Hopefully they should be ready in the next Dropbear release,
also with the ability to disable sha1 in other place it is used.

Cheers,
Matt

[1] https://bugzilla.mindrot.org/show_bug.cgi?id=2515

On Sun, Mar 20, 2016 at 11:05:48AM +0100, Hans Harder wrote:
> Hi Matt,
> 
> noticed that in sysoptions.h this is added  at line 130
> 
> /* These are disabled in Dropbear 2016.73 by default since the spec
>    draft-ietf-curdle-ssh-kex-sha2-02 is under development. */
> #define DROPBEAR_DH_GROUP14_256 0
> #define DROPBEAR_DH_GROUP16 0
> 
> 
> Should that not be in options.h  underneath  line 174
> 
> /* Group14 (2048 bit) is recommended. Group1 is less secure (1024 bit)
> though
>    is the only option for interoperability with some older SSH programs */
> #define DROPBEAR_DH_GROUP1 1
> #define DROPBEAR_DH_GROUP14 1
> 
> 
> Hans
> 
> 
> 
> 
> 
> 
> On Fri, Mar 18, 2016 at 4:52 PM, Matt Johnston <matt at ucc.asn.au> wrote:
> 
> > Hi all,
> >
> > Dropbear 2016.73 is released. It has a few new features and
> > other small improvements.
> >
> > Download at https://matt.ucc.asn.au/dropbear/dropbear.html
> >
> > Cheers,
> > Matt
> >
> > 2016.73 - 18 March 2016
> >
> > - Support syslog in dbclient, option -o usesyslog=yes. Patch from
> > Konstantin Tokarev
> >
> > - Kill a proxycommand when dbclient exits, patch from Konstantin Tokarev
> >
> > - Option to exit when a TCP forward fails, patch from Konstantin Tokarev
> >
> > - New "-o" option parsing from Konstantin Tokarev. This allows handling
> > some extra options
> >   in the style of OpenSSH, though implementing all OpenSSH options is not
> > planned.
> >
> > - Fix crash when fallback initshells() is used, reported by Michael Nowak
> > and Mike Tzou
> >
> > - Allow specifying commands eg "dropbearmulti dbclient ..." instead of
> > symlinks
> >
> > - Various cleanups for issues found by a lint tool, patch from Francois
> > Perrad
> >
> > - Fix tab indent consistency, patch from Francois Perrad
> >
> > - Fix issues found by cppcheck, reported by Mike Tzou
> >
> > - Use system memset_s() or explicit_bzero() if available to clear memory.
> > Also make
> >   libtomcrypt/libtommath routines use that (or Dropbear's own m_burn()).
> >
> > - Prevent scp failing when the local user doesn't exist. Based on patch
> > from Michael Witten.
> >
> > - Improved Travis CI test running, thanks to Mike Tzou
> >
> > - Improve some code that was flagged by Coverity and Fortify Static Code
> > Analyzer
> >

More information about the Dropbear mailing list