
[v2] dropbear: Enable Ed25519 for normal devices

Message ID 20200725210620.1596581-1-mail@aparcar.org
State Superseded

Commit Message

Paul Spooren July 25, 2020, 9:06 p.m. UTC
The Ed25519 key pairs are much shorter than RSA pairs and are supported
by default in OpenSSH. Looking at websites explaining how to create new
SSH keys, many suggest using Ed25519 rather than RSA, but consider the
former not yet widely established. OpenWrt likely has a positive
influence on that development.

As enabling Ed25519 is a compile time option, it is currently not
possible to install the feature via `opkg` nor select that option in an
ImageBuilder.

Due to the size impact of **12kB** the option should only be enabled for
devices with `!SMALL_FLASH`.

This approach seems cleaner than splitting `dropbear` into two packages
like `dropbear` and `dropbear-ed25519`.

Signed-off-by: Paul Spooren <mail@aparcar.org>
---
v2:
* Add storage impact to commit message
* Increase package release

 package/network/services/dropbear/Config.in | 2 +-
 package/network/services/dropbear/Makefile  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
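A quick way to tell whether a given dropbear build has the option compiled in, added here as an example and not taken from the patch or from the dropbear project: a build with CONFIG_DROPBEAR_ED25519=y advertises the algorithm name "ssh-ed25519" in its key-exchange lists, so the literal string is embedded in the binary, while a build without the option should not contain it. The file paths, the host name and the sample files the check is run against are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the patch or of dropbear): does a dropbear
# binary carry Ed25519 support? A build with CONFIG_DROPBEAR_ED25519=y
# advertises "ssh-ed25519" in its key-exchange algorithm lists, so the
# literal name is embedded in the binary; a build without the option
# should not contain it. Paths and host names below are assumptions.

# has_ed25519 FILE
#   exit 0 if FILE contains the ssh-ed25519 algorithm name,
#   1 if it does not, 2 if FILE cannot be read.
has_ed25519() {
    file="$1"
    [ -r "$file" ] || { echo "has_ed25519: cannot read $file" >&2; return 2; }
    # grep -q returns 0 on a match even in a binary file, so no output
    # handling is needed; -F searches for the fixed string.
    grep -qF 'ssh-ed25519' "$file"
}

# report FILE
#   print a one-line verdict; return 0 when Ed25519 is present, 1 otherwise.
report() {
    if has_ed25519 "$1"; then
        echo "$1: ssh-ed25519 supported"
        return 0
    fi
    echo "$1: ssh-ed25519 NOT supported (built with CONFIG_DROPBEAR_ED25519=n?)"
    return 1
}

# Usage: run on the device, or on a rootfs extracted from an ImageBuilder
# run, e.g.  sh check_ed25519.sh /usr/sbin/dropbear
if [ $# -gt 0 ]; then
    for f in "$@"; do report "$f"; done
fi

# Two checks that do not rely on string scanning, for when the device is
# reachable (router.lan is an assumed host name):
#   dropbearkey -t ed25519 -f /tmp/test_ed25519   # exits non-zero if the
#                                                 # key type is not compiled in
#   ssh-keyscan -t ed25519 router.lan             # prints a key line only if
#                                                 # the device offers an
#                                                 # Ed25519 host key
```

The string scan is a heuristic for a binary you cannot execute (a foreign-architecture image on a build host); on a live device dropbearkey gives the definitive answer, since it only knows the key types the build was compiled with.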

Comments

Hauke Mehrtens July 26, 2020, 3:20 p.m. UTC | #1
On 7/25/20 11:06 PM, Paul Spooren wrote:
> The Ed25519 key pairs are much shorter than RSA pairs and are supported
> by default in OpenSSH. Looking at websites explaining how to create new
> SSH keys, many suggest using Ed25519 rather than RSA, but consider the
> former not yet widely established. OpenWrt likely has a positive
> influence on that development.
> 
> As enabling Ed25519 is a compile time option, it is currently not
> possible to install the feature via `opkg` nor select that option in an
> ImageBuilder.
> 
> Due to the size impact of **12kB** the option should only be enabled for
> devices with `!SMALL_FLASH`.
> 
> This approach seems cleaner than splitting `dropbear` into two packages
> like `dropbear` and `dropbear-ed25519`.

Can we deactivate something else?

> 
> Signed-off-by: Paul Spooren <mail@aparcar.org>
> ---
> v2:
> * Add storage impact to commit message
> * Increase package release
> 
>  package/network/services/dropbear/Config.in | 2 +-
>  package/network/services/dropbear/Makefile  | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in
> index 3de4189e08..2836229043 100644
> --- a/package/network/services/dropbear/Config.in
> +++ b/package/network/services/dropbear/Config.in
> @@ -51,7 +51,7 @@ config DROPBEAR_ECC_FULL
>  
>  config DROPBEAR_ED25519
>  	bool "Ed25519 support"
> -	default n
> +	default y if !SMALL_FLASH

Will this work reliably?
When we build dropbear with the SDK the SMALL_FLASH option is not set
and the resulting binary would be shared between small and normal targets.

>  	help
>  		This enables the following public key algorithm:
>  		  ssh-ed25519
> diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
> index 0a9b5c0a99..e92ead2ff8 100644
> --- a/package/network/services/dropbear/Makefile
> +++ b/package/network/services/dropbear/Makefile
> @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
>  
>  PKG_NAME:=dropbear
>  PKG_VERSION:=2020.80
> -PKG_RELEASE:=1
> +PKG_RELEASE:=2
>  
>  PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
>  PKG_SOURCE_URL:= \
>
Paul Spooren July 31, 2020, 12:32 a.m. UTC | #2
On 26.07.20 05:20, Hauke Mehrtens wrote:
> On 7/25/20 11:06 PM, Paul Spooren wrote:
>> The Ed25519 key pairs are much shorter than RSA pairs and are supported
>> by default in OpenSSH. Looking at websites explaining how to create new
>> SSH keys, many suggest using Ed25519 rather than RSA, but consider the
>> former not yet widely established. OpenWrt likely has a positive
>> influence on that development.
>>
>> As enabling Ed25519 is a compile time option, it is currently not
>> possible to install the feature via `opkg` nor select that option in an
>> ImageBuilder.
>>
>> Due to the size impact of **12kB** the option should only be enabled for
>> devices with `!SMALL_FLASH`.
>>
>> This approach seems cleaner than splitting `dropbear` into two packages
>> like `dropbear` and `dropbear-ed25519`.
> Can we deactivate something else?
I think Rui Salvaterra is doing some space-saving work around busybox; I
don't see how we can save anything within dropbear.
>> Signed-off-by: Paul Spooren <mail@aparcar.org>
>> ---
>> v2:
>> * Add storage impact to commit message
>> * Increase package release
>>
>>   package/network/services/dropbear/Config.in | 2 +-
>>   package/network/services/dropbear/Makefile  | 2 +-
>>   2 files changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in
>> index 3de4189e08..2836229043 100644
>> --- a/package/network/services/dropbear/Config.in
>> +++ b/package/network/services/dropbear/Config.in
>> @@ -51,7 +51,7 @@ config DROPBEAR_ECC_FULL
>>   
>>   config DROPBEAR_ED25519
>>   	bool "Ed25519 support"
>> -	default n
>> +	default y if !SMALL_FLASH
> Will this work reliably?
> When we build dropbear with the SDK the SMALL_FLASH option is not set
> and the resulting binary would be shared between small and normal targets.

Buildbots will create two separate ImageBuilders/SDKs, a regular one and 
a tiny one. The tiny versions either deselect it by default if 
SMALL_FLASH is set or contain a dropbear binary with Ed25519 disabled. Because 
the ImageBuilder already contains the dropbear binary, it will never 
download the Ed25519-supporting binary remotely.

The case that somebody builds a firmware without dropbear and then 
installs it via opkg into the overlayfs should be considered an aimed 
shot in the foot and not be our problem.

>>   	help
>>   		This enables the following public key algorithm:
>>   		  ssh-ed25519
>> diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
>> index 0a9b5c0a99..e92ead2ff8 100644
>> --- a/package/network/services/dropbear/Makefile
>> +++ b/package/network/services/dropbear/Makefile
>> @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
>>   
>>   PKG_NAME:=dropbear
>>   PKG_VERSION:=2020.80
>> -PKG_RELEASE:=1
>> +PKG_RELEASE:=2
>>   
>>   PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
>>   PKG_SOURCE_URL:= \
>>

Patch

diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in
index 3de4189e08..2836229043 100644
--- a/package/network/services/dropbear/Config.in
+++ b/package/network/services/dropbear/Config.in
@@ -51,7 +51,7 @@  config DROPBEAR_ECC_FULL
 
 config DROPBEAR_ED25519
 	bool "Ed25519 support"
-	default n
+	default y if !SMALL_FLASH
 	help
 		This enables the following public key algorithm:
 		  ssh-ed25519
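Review bot: `default y if !SMALL_FLASH` ties the default of a symbol that changes the compiled binary to a target-level flag, but nothing in this hunk records that cost for someone toggling it in menuconfig: the help text still lists only `ssh-ed25519`. Suggest carrying the figure from the commit message into the help, e.g. `This enables the following public key algorithm (about 12 kB of flash): ssh-ed25519`. It is also worth stating, in the help or the commit message, that the default is evaluated against SMALL_FLASH at configuration time, so an SDK or ImageBuilder generated without SMALL_FLASH ships an Ed25519-capable dropbear regardless of the device it is later used for, which is the sharing concern raised in the thread.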
diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
index 0a9b5c0a99..e92ead2ff8 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
@@ -9,7 +9,7 @@  include $(TOPDIR)/rules.mk
 
 PKG_NAME:=dropbear
 PKG_VERSION:=2020.80
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:= \
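Review bot: the PKG_RELEASE bump to 2 is needed because the default change produces a different binary for !SMALL_FLASH targets, but the version string `2020.80-2` now denotes two feature sets (with and without ssh-ed25519) depending on the target that built it, and opkg has no way to tell them apart. If the two-package split rejected in the commit message stays off the table, the commit message should at least say this explicitly, so that a later report of a `2020.80-2` dropbear refusing Ed25519 keys can be traced to the build target rather than to the package version.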