<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">There are various examples at <a href="https://github.com/fabriziobertocci/dropbear-epka" class="">https://github.com/fabriziobertocci/dropbear-epka</a><div class=""><br class=""></div><div class="">Cheers,</div><div class="">Matt</div><div class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On Wed 17/6/2020, at 6:38 pm, Hans Harder <<a href="mailto:hans@atbas.org" class="">hans@atbas.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">Does anybody have an example of the external public-key authentication api<div class=""></div><div class="">Sounds interesting, but I am not sure how to use this...</div><div class=""><br class=""></div><div class="">thx</div><div class="">Hans</div></div><br class=""><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jun 15, 2020 at 5:53 PM Matt Johnston <<a href="mailto:matt@ucc.asn.au" class="">matt@ucc.asn.au</a>> wrote:<br class=""></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi all,<br class="">
<br class="">
Dropbear 2020.79 is now released. Particular thanks to Vladislav Grishenko<br class="">
for adding ed25519 and chacha20-poly1305 support which have<br class="">
been wanted for a while.<br class="">
<br class="">
This release also supports rsa-sha2 signatures which will be<br class="">
required by OpenSSH in the near future - rsa with sha1 will<br class="">
be disabled. This doesn't require any change to<br class="">
hostkey/authorized_keys files.<br class="">
<br class="">
Required versions of libtomcrypt and libtommath have been<br class="">
increased, if the system library is older Dropbear can use<br class="">
its own bundled copy.<br class="">
<br class="">
As usual downloads are at<br class="">
<a href="https://matt.ucc.asn.au/dropbear/dropbear.html" rel="noreferrer" target="_blank" class="">https://matt.ucc.asn.au/dropbear/dropbear.html</a><br class="">
<a href="https://mirror.dropbear.nl/mirror/dropbear.html" rel="noreferrer" target="_blank" class="">https://mirror.dropbear.nl/mirror/dropbear.html</a><br class="">
<br class="">
Cheers,<br class="">
Matt<br class="">
<br class="">
2020.79 - 15 June 2020<br class="">
<br class="">
- Support ed25519 hostkeys and authorized_keys, many thanks to Vladislav Grishenko.<br class="">
This also replaces curve25519 with a TweetNaCl implementation that reduces code size.<br class="">
<br class="">
- Add chacha20-poly1305 authenticated cipher. This will perform faster than AES<br class="">
on many platforms. Thanks to Vladislav Grishenko<br class="">
<br class="">
- Support using rsa-sha2 signatures. No changes are needed to hostkeys/authorized_keys<br class="">
entries, existing RSA keys can be used with the new signature format (signatures<br class="">
are ephemeral within a session). Old ssh-rsa signatures will no longer<br class="">
be supported by OpenSSH in future so upgrading is recommended.<br class="">
<br class="">
- Use getrandom() call on Linux to ensure sufficient entropy has been gathered at startup.<br class="">
Dropbear now avoids reading from the random source at startup, instead waiting until<br class="">
the first connection. It is possible that some platforms were running without enough <br class="">
entropy previously, those could potentially block at first boot generating host keys.<br class="">
The dropbear "-R" option is one way to avoid that.<br class="">
<br class="">
- Upgrade libtomcrypt to 1.18.2 and libtommath to 1.2.0, many thanks to Steffen Jaeckel for<br class="">
updating Dropbear to use the current API. Dropbear's configure script will check <br class="">
for sufficient system library versions, otherwise using the bundled versions.<br class="">
<br class="">
- CBC ciphers, 3DES, hmac-sha1-96, and x11 forwarding are now disabled by default.<br class="">
They can be set in localoptions.h if required.<br class="">
Blowfish has been removed.<br class="">
<br class="">
- Support AES GCM, patch from Vladislav Grishenko. This is disabled by default,<br class="">
Dropbear doesn't currently use hardware accelerated AES.<br class="">
<br class="">
- Added an API for specifying user public keys as an authorized_keys replacement.<br class="">
See pubkeyapi.h for details, thanks to Fabrizio Bertocci<br class="">
<br class="">
- Fix idle detection clashing with keepalives, thanks to jcmathews<br class="">
<br class="">
- Include IP addresses in more early exit messages making it easier for fail2ban<br class="">
processing. Patch from Kevin Darbyshire-Bryant<br class="">
<br class="">
- scp fix for CVE-2018-20685 where a server could modify name of output files<br class="">
<br class="">
- SSH_ORIGINAL_COMMAND is set for "dropbear -c" forced command too<br class="">
<br class="">
- Fix writing key files on systems without hard links, from Matt Robinson<br class="">
<br class="">
- Compatibility fixes for IRIX from Kazuo Kuroi<br class="">
<br class="">
- Re-enable printing MOTD by default, was lost moving from options.h. Thanks to zciendor<br class="">
<br class="">
- Call fsync() is called on parent directory when writing key files to ensure they are flushed<br class="">
<br class="">
- Fix "make install" for manpages in out-of-tree builds, from Gabor Z. Papp<br class="">
<br class="">
- Some notes are added in DEVELOPER.md<br class="">
<br class="">
</blockquote></div>
</div></blockquote></div><br class=""></div></body></html>