Ticket #333 (closed enhancement: fixed)

Opened 1 year ago

Last modified 1 year ago

remove dss support from dropbear

Reported by: tg
Assigned to: tg
Priority: trivial
Milestone: 1.x (low prio)
Component: packages
Version: trunk
Keywords:
Cc:

Description

SSH offers three types of host keys:

  • RSAv1
  • RSAv2
  • DSSv2

While SSHv1 is no longer in widespread use – luckily – and thusly the dropbear init script doesn't generate a host key to support it, a DSSv2 key is still generated, even though RSAv2 has been unencumbered by patents for like five years even in the most underdeveloped countries.

When timing key generation on my WL-500g (thanks to the recent commits there), I saw that the RSA key is done almost immediately, while the DSA key takes much more time.

In my other operating system project, MirOS, I've disabled RSAv1 and DSA years ago, and nobody ever complained he could not connect to a machine.

I therefore move to remove support for DSS keys from dropbear in trunk and announce that publicly.

Discussion please on freewrt-developers@ if desired.

This is not necessarily desirable for 1.1 but maybe for 1.2 – even so, we should disable it in trunk NOW and only add it back on the 1.1 branch after it's created, unless people feel 1.1 should be released without using DSA keys already (I wouldn't say no to that option).

Change History

06/26/07 22:26:22 changed by wbx (in reply to: description)

Replying to tg:

I vote for removing DSA keys for FreeWRT 1.1. It is somewhat slow, and I don't think we need more than one host key on an embedded system.

Any comments?

06/27/07 03:20:48 changed by n0-1

My vote here, too.

06/28/07 17:38:48 changed by tg

  • status changed from new to closed.
  • resolution set to fixed.

[x] done
