Met vriendelijke groet / kind regards,

Mike Looijmans
System Expert


TOPIC Embedded Products B.V.
Materiaalweg 4, 5681 RJ Best
The Netherlands

T: +31 (0) 499 33 69 69
E: mike.looijm...@topic.nl
W: www.topic.nl

On 19-06-2024 19:04, Mehmet Fide via lists.yoctoproject.org wrote:
Yes, I believe I can do that. But there are a couple of options, and I'm not sure 
which one to follow:
1. Replace the rsa key with ecdsa and continue with ecdsa support only. (This 
disables rsa mode.)
2. Keep rsa mode on and also activate an ecdsa key next to it, so they can 
work side by side simultaneously.
3. ??


Keep in mind that there are millions of released and installed systems out there. Their owners will get very, very angry if a software upgrade locks them out.

Desktop distros may be able to bluntly disable some protocols, because there's always a user that has access and can patch things up, but embedded systems often offer no access whatsoever apart from the SSH interface, so there's no way to go in and "fix" it if something invalidates the keys on the system.

Hence my vote is for option 3 and please ignore what the big distros do.

Four years may seem long to some people. For embedded systems, that's just a normal number that "uptime" would return.



Thanks.


-----Original Message-----
From: Alexander Kanavin <alex.kana...@gmail.com>
Sent: Thursday, June 13, 2024 3:28 PM
To: yocto@lists.yoctoproject.org; mehmet.f...@gmail.com
Subject: Re: [yocto] Dropbear and deprecated ssh-rsa issue

On Thu, 13 Jun 2024 at 13:20, Mehmet Fide via lists.yoctoproject.org 
<mehmet.fide=gmail....@lists.yoctoproject.org> wrote:
I was silently following the email list for a while.

Today I have a question regarding dropbear and its default recipe provided in 
poky/meta/recipes-core/dropbear.

It has been 4 years since ssh-rsa was deprecated by openssh, followed by Linux 
distros and Visual Studio 2022 as of 17.10.

As I checked today, the dropbear recipe in master poky still uses ssh-rsa 
instead of ecdsa mode, which is widely accepted today.

Don't you think that it would be appropriate to change the recipe content to 
use ecdsa instead of ssh-rsa one?

Yes that would be much welcome. Can you work on that?

Alex





