Dropbear 2020.79
Matt Johnston
matt at ucc.asn.au
Wed Jun 17 20:14:21 AWST 2020
There are various examples at https://github.com/fabriziobertocci/dropbear-epka
Cheers,
Matt
> On Wed 17/6/2020, at 6:38 pm, Hans Harder <hans at atbas.org> wrote:
>
> Does anybody have an example of the external public-key authentication api?
> Sounds interesting, but I am not sure how to use this...
>
> thx
> Hans
>
> On Mon, Jun 15, 2020 at 5:53 PM Matt Johnston <matt at ucc.asn.au> wrote:
> Hi all,
>
> Dropbear 2020.79 is now released. Particular thanks to Vladislav Grishenko
> for adding ed25519 and chacha20-poly1305 support which have
> been wanted for a while.
>
> This release also supports rsa-sha2 signatures which will be
> required by OpenSSH in the near future - rsa with sha1 will
> be disabled. This doesn't require any change to
> hostkey/authorized_keys files.
>
> Required versions of libtomcrypt and libtommath have been
> increased, if the system library is older Dropbear can use
> its own bundled copy.
>
> As usual downloads are at
> https://matt.ucc.asn.au/dropbear/dropbear.html
> https://mirror.dropbear.nl/mirror/dropbear.html
>
> Cheers,
> Matt
>
> 2020.79 - 15 June 2020
>
> - Support ed25519 hostkeys and authorized_keys, many thanks to Vladislav Grishenko.
> This also replaces curve25519 with a TweetNaCl implementation that reduces code size.
>
> - Add chacha20-poly1305 authenticated cipher. This will perform faster than AES
> on many platforms. Thanks to Vladislav Grishenko
>
> - Support using rsa-sha2 signatures. No changes are needed to hostkeys/authorized_keys
> entries, existing RSA keys can be used with the new signature format (signatures
> are ephemeral within a session). Old ssh-rsa signatures will no longer
> be supported by OpenSSH in future so upgrading is recommended.
>
> - Use getrandom() call on Linux to ensure sufficient entropy has been gathered at startup.
> Dropbear now avoids reading from the random source at startup, instead waiting until
> the first connection. It is possible that some platforms were running without enough
> entropy previously, those could potentially block at first boot generating host keys.
> The dropbear "-R" option is one way to avoid that.
>
> - Upgrade libtomcrypt to 1.18.2 and libtommath to 1.2.0, many thanks to Steffen Jaeckel for
> updating Dropbear to use the current API. Dropbear's configure script will check
> for sufficient system library versions, otherwise using the bundled versions.
>
> - CBC ciphers, 3DES, hmac-sha1-96, and x11 forwarding are now disabled by default.
> They can be set in localoptions.h if required.
> Blowfish has been removed.
>
> - Support AES GCM, patch from Vladislav Grishenko. This is disabled by default,
> Dropbear doesn't currently use hardware accelerated AES.
>
> - Added an API for specifying user public keys as an authorized_keys replacement.
> See pubkeyapi.h for details, thanks to Fabrizio Bertocci
>
> - Fix idle detection clashing with keepalives, thanks to jcmathews
>
> - Include IP addresses in more early exit messages making it easier for fail2ban
> processing. Patch from Kevin Darbyshire-Bryant
>
> - scp fix for CVE-2018-20685 where a server could modify name of output files
>
> - SSH_ORIGINAL_COMMAND is set for "dropbear -c" forced command too
>
> - Fix writing key files on systems without hard links, from Matt Robinson
>
> - Compatibility fixes for IRIX from Kazuo Kuroi
>
> - Re-enable printing MOTD by default, was lost moving from options.h. Thanks to zciendor
>
> - fsync() is called on parent directory when writing key files to ensure they are flushed
>
> - Fix "make install" for manpages in out-of-tree builds, from Gabor Z. Papp
>
> - Some notes are added in DEVELOPER.md
>
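
The getrandom() entry in the changelog above is about not drawing key material before the Linux kernel entropy pool is initialised. As an added example (not Dropbear's code, and not from the release notes), this C sketch probes the pool without blocking and only then falls back to a blocking read, so a first-boot stall is visible in the log; fill_random() is a hypothetical helper name.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/random.h>
#include <sys/types.h>

/* Hypothetical helper, not a Dropbear function.
 * Fills buf with len bytes from the kernel CSPRNG via getrandom().
 * *waited is set to 1 if the pool was not yet initialised and the
 * call had to switch to blocking mode (typical at first boot).
 * Returns 0 on success, -1 on error. */
int fill_random(unsigned char *buf, size_t len, int *waited)
{
    size_t done = 0;
    unsigned int flags = GRND_NONBLOCK;   /* first attempt: probe, never block */

    *waited = 0;
    while (done < len) {
        ssize_t n = getrandom(buf + done, len - done, flags);
        if (n > 0) {                      /* short reads are possible: keep going */
            done += (size_t)n;
            continue;
        }
        if (n < 0 && errno == EINTR)      /* interrupted by a signal: retry */
            continue;
        if (n < 0 && errno == EAGAIN && flags == GRND_NONBLOCK) {
            /* Pool not initialised yet. Record it, then block until seeded. */
            fprintf(stderr, "entropy pool not ready, waiting\n");
            *waited = 1;
            flags = 0;
            continue;
        }
        return -1;                        /* ENOSYS, EFAULT, ...: caller decides */
    }
    return 0;
}

int main(void)
{
    unsigned char seed[32];
    int waited;

    if (fill_random(seed, sizeof seed, &waited) != 0) {
        perror("getrandom");
        return 1;
    }
    printf("read %zu bytes, waited=%d\n", sizeof seed, waited);
    return 0;
}
```

Unlike reading /dev/urandom, getrandom() with flags 0 does not return until the pool has been seeded once, which is why a device with little entropy can stall at the point where keys are generated.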