Disabling Dropbear ssh-rsa support?

Thibaut VARÈNE hacks at slashdirt.org
Sat Jul 5 01:37:16 PDT 2025



> On 5 Jul 2025, at 00:08, Tim Small <tim at seoss.co.uk> wrote:
> 
> 
> On 04/07/2025 17:33, Thibaut wrote:
>> Also does this affect the ssh client as well? This may be more relevant than the server side of things: a lot of old(er) SSH server implementations only offer rsa-sha1 (e.g. off the top of my head, HP iLO 4), so users may lose the ability to connect there: this should be advertised.
> 
> I don't know if the proposed change would impact the dropbear ssh client either, but if it does, then a straightforward workaround to access such outdated ssh servers via an OpenWrt device would be to use e.g. OpenSSH on the user's desktop to connect through the OpenWrt device using the OpenSSH "jump host" feature:

That doesn’t solve the (more likely) use cases where the connection must originate from the OpenWrt device; e.g. for scripting automation.

> For those that don't / can't use jumphost, they could always install the openssh-client package directly on the OpenWrt device instead?

That’s a half MB package which pulls libopenssl, a 1+ MB dependency. 

Regardless, IMHO such a change should at the very least be clearly documented in the release notes, so that users know what to expect.

T

