<div dir="ltr">Does anybody have an example of the external public-key authentication api<div></div><div>Sounds interesting, but I am not sure how to use this...</div><div><br></div><div>thx</div><div>Hans</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jun 15, 2020 at 5:53 PM Matt Johnston <<a href="mailto:matt@ucc.asn.au">matt@ucc.asn.au</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi all,<br>
<br>
Dropbear 2020.79 is now released. Particular thanks to Vladislav Grishenko<br>
for adding ed25519 and chacha20-poly1305 support which have<br>
been wanted for a while.<br>
<br>
This release also supports rsa-sha2 signatures which will be<br>
required by OpenSSH in the near future - rsa with sha1 will<br>
be disabled. This doesn't require any change to<br>
hostkey/authorized_keys files.<br>
<br>
Required versions of libtomcrypt and libtommath have been<br>
increased, if the system library is older Dropbear can use<br>
its own bundled copy.<br>
<br>
As usual downloads are at<br>
<a href="https://matt.ucc.asn.au/dropbear/dropbear.html" rel="noreferrer" target="_blank">https://matt.ucc.asn.au/dropbear/dropbear.html</a><br>
<a href="https://mirror.dropbear.nl/mirror/dropbear.html" rel="noreferrer" target="_blank">https://mirror.dropbear.nl/mirror/dropbear.html</a><br>
<br>
Cheers,<br>
Matt<br>
<br>
2020.79 - 15 June 2020<br>
<br>
- Support ed25519 hostkeys and authorized_keys, many thanks to Vladislav Grishenko.<br>
This also replaces curve25519 with a TweetNaCl implementation that reduces code size.<br>
<br>
- Add chacha20-poly1305 authenticated cipher. This will perform faster than AES<br>
on many platforms. Thanks to Vladislav Grishenko<br>
<br>
- Support using rsa-sha2 signatures. No changes are needed to hostkeys/authorized_keys<br>
entries, existing RSA keys can be used with the new signature format (signatures<br>
are ephemeral within a session). Old ssh-rsa signatures will no longer<br>
be supported by OpenSSH in future so upgrading is recommended.<br>
<br>
- Use getrandom() call on Linux to ensure sufficient entropy has been gathered at startup.<br>
Dropbear now avoids reading from the random source at startup, instead waiting until<br>
the first connection. It is possible that some platforms were running without enough <br>
entropy previously, those could potentially block at first boot generating host keys.<br>
The dropbear "-R" option is one way to avoid that.<br>
<br>
- Upgrade libtomcrypt to 1.18.2 and libtommath to 1.2.0, many thanks to Steffen Jaeckel for<br>
updating Dropbear to use the current API. Dropbear's configure script will check <br>
for sufficient system library versions, otherwise using the bundled versions.<br>
<br>
- CBC ciphers, 3DES, hmac-sha1-96, and x11 forwarding are now disabled by default.<br>
They can be set in localoptions.h if required.<br>
Blowfish has been removed.<br>
<br>
- Support AES GCM, patch from Vladislav Grishenko. This is disabled by default,<br>
Dropbear doesn't currently use hardware accelerated AES.<br>
<br>
- Added an API for specifying user public keys as an authorized_keys replacement.<br>
See pubkeyapi.h for details, thanks to Fabrizio Bertocci<br>
<br>
- Fix idle detection clashing with keepalives, thanks to jcmathews<br>
<br>
- Include IP addresses in more early exit messages making it easier for fail2ban<br>
processing. Patch from Kevin Darbyshire-Bryant<br>
<br>
- scp fix for CVE-2018-20685 where a server could modify name of output files<br>
<br>
- SSH_ORIGINAL_COMMAND is set for "dropbear -c" forced command too<br>
<br>
- Fix writing key files on systems without hard links, from Matt Robinson<br>
<br>
- Compatibility fixes for IRIX from Kazuo Kuroi<br>
<br>
- Re-enable printing MOTD by default, was lost moving from options.h. Thanks to zciendor<br>
<br>
- Call fsync() is called on parent directory when writing key files to ensure they are flushed<br>
<br>
- Fix "make install" for manpages in out-of-tree builds, from Gabor Z. Papp<br>
<br>
- Some notes are added in DEVELOPER.md<br>
<br>
</blockquote></div>