[PATCH v2] dropbear: Enable Ed25519 for normal devices
mail at aparcar.org
Thu Jul 30 20:32:34 EDT 2020
On 26.07.20 05:20, Hauke Mehrtens wrote:
> On 7/25/20 11:06 PM, Paul Spooren wrote:
>> The Ed25519 key pairs are much shorter than RSA pairs and are supported
>> by default in OpenSSH. Looking at websites explaining how to create new
>> SSH keys, many suggest using Ed25519 rather than RSA, however consider
>> the former as not yet widely established. OpenWrt likely has a positive
>> influence on that development.
>> As enabling Ed25519 is a compile time option, it is currently not
>> possible to install the feature via `opkg` nor select that option in an
>> Due to the size impact of **12kB** the option should only be enabled for
>> devices with `!SMALL_FLASH`.
>> This approach seems cleaner than splitting `dropbear` into two packages
>> like `dropbear` and `dropbear-ed25519`.
> Can we deactivate something else?
I think Rui Salvaterra is doing some space saving work around busybox, I
don't see how we can save anything within dropbear.
>> Signed-off-by: Paul Spooren <mail at aparcar.org>
>> * Add storage impact to commit message
>> * Increase package release
>> package/network/services/dropbear/Config.in | 2 +-
>> package/network/services/dropbear/Makefile | 2 +-
>> 2 files changed, 2 insertions(+), 2 deletions(-)
>> diff --git a/package/network/services/dropbear/Config.in b/package/network/services/dropbear/Config.in
>> index 3de4189e08..2836229043 100644
>> --- a/package/network/services/dropbear/Config.in
>> +++ b/package/network/services/dropbear/Config.in
>> @@ -51,7 +51,7 @@ config DROPBEAR_ECC_FULL
>> config DROPBEAR_ED25519
>> bool "Ed25519 support"
>> - default n
>> + default y if !SMALL_FLASH
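Review bot: `default y if !SMALL_FLASH` on the `config DROPBEAR_ED25519` symbol only applies where the symbol has no saved value, so an existing .config carrying `# CONFIG_DROPBEAR_ED25519 is not set` keeps Ed25519 disabled until the user toggles it in menuconfig or drops that line before re-running `make defconfig`; the commit message should mention this. It would also help to extend the option's help text to say that the default follows the target's SMALL_FLASH flag, given the SDK/ImageBuilder concern raised in this thread.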
> Will this work reliably?
> When we build dropbear with the SDK the SMALL_FLASH option is not set
> and the resulting binary would be shared between small and normal targets.
Buildbots will create two separate ImageBuilders/SDKs, a regular one and
a tiny one. The tiny versions either deselect it by default if
SMALL_FLASH or contain a dropbear binary with disabled Ed25519. Because
the ImageBuilder already contains dropbear binary, it will never
download the Ed25519 supporting binary remotely.
The case that somebody builds a firmware without dropbear and then
installs it via opkg into the overlayfs should be considered an aimed
shot in the foot and not be our problem.
>> This enables the following public key algorithm:
>> diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
>> index 0a9b5c0a99..e92ead2ff8 100644
>> --- a/package/network/services/dropbear/Makefile
>> +++ b/package/network/services/dropbear/Makefile
>> @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
>> PKG_SOURCE_URL:= \
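Review bot: the quoted Makefile hunk is cut off after the `PKG_SOURCE_URL:= \` context line, so the `PKG_RELEASE` bump listed in the v2 changelog ("Increase package release") cannot be verified here; please confirm the hunk at `@@ -9,7 +9,7 @@` changes only that line, matching the diffstat's one insertion and one deletion for the Makefile.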