Does anybody have an example of the external public-key authentication api Sounds interesting, but I am not sure how to use this...
thx Hans On Mon, Jun 15, 2020 at 5:53 PM Matt Johnston <m...@ucc.asn.au> wrote: > Hi all, > > Dropbear 2020.79 is now released. Particular thanks to Vladislav Grishenko > for adding ed25519 and chacha20-poly1305 support which have > been wanted for a while. > > This release also supports rsa-sha2 signatures which will be > required by OpenSSH in the near future - rsa with sha1 will > be disabled. This doesn't require any change to > hostkey/authorized_keys files. > > Required versions of libtomcrypt and libtommath have been > increased, if the system library is older Dropbear can use > its own bundled copy. > > As usual downloads are at > https://matt.ucc.asn.au/dropbear/dropbear.html > https://mirror.dropbear.nl/mirror/dropbear.html > > Cheers, > Matt > > 2020.79 - 15 June 2020 > > - Support ed25519 hostkeys and authorized_keys, many thanks to Vladislav > Grishenko. > This also replaces curve25519 with a TweetNaCl implementation that > reduces code size. > > - Add chacha20-poly1305 authenticated cipher. This will perform faster > than AES > on many platforms. Thanks to Vladislav Grishenko > > - Support using rsa-sha2 signatures. No changes are needed to > hostkeys/authorized_keys > entries, existing RSA keys can be used with the new signature format > (signatures > are ephemeral within a session). Old ssh-rsa signatures will no longer > be supported by OpenSSH in future so upgrading is recommended. > > - Use getrandom() call on Linux to ensure sufficient entropy has been > gathered at startup. > Dropbear now avoids reading from the random source at startup, instead > waiting until > the first connection. It is possible that some platforms were running > without enough > entropy previously, those could potentially block at first boot > generating host keys. > The dropbear "-R" option is one way to avoid that. > > - Upgrade libtomcrypt to 1.18.2 and libtommath to 1.2.0, many thanks to > Steffen Jaeckel for > updating Dropbear to use the current API. Dropbear's configure script > will check > for sufficient system library versions, otherwise using the bundled > versions. > > - CBC ciphers, 3DES, hmac-sha1-96, and x11 forwarding are now disabled by > default. > They can be set in localoptions.h if required. > Blowfish has been removed. > > - Support AES GCM, patch from Vladislav Grishenko. This is disabled by > default, > Dropbear doesn't currently use hardware accelerated AES. > > - Added an API for specifying user public keys as an authorized_keys > replacement. > See pubkeyapi.h for details, thanks to Fabrizio Bertocci > > - Fix idle detection clashing with keepalives, thanks to jcmathews > > - Include IP addresses in more early exit messages making it easier for > fail2ban > processing. Patch from Kevin Darbyshire-Bryant > > - scp fix for CVE-2018-20685 where a server could modify name of output > files > > - SSH_ORIGINAL_COMMAND is set for "dropbear -c" forced command too > > - Fix writing key files on systems without hard links, from Matt Robinson > > - Compatibility fixes for IRIX from Kazuo Kuroi > > - Re-enable printing MOTD by default, was lost moving from options.h. > Thanks to zciendor > > - Call fsync() is called on parent directory when writing key files to > ensure they are flushed > > - Fix "make install" for manpages in out-of-tree builds, from Gabor Z. Papp > > - Some notes are added in DEVELOPER.md > >
