[OpenWrt-Devel] [PATCH] [package] dropbear: enable sha2-based hmac by default.

Alive alive4ever at live.com
Sat Sep 27 13:29:07 EDT 2014


On 27/09/2014 23:34, Weedy wrote:
> I got bit by this last week when I audited my ssh config and dropped all
> weak/slow ciphers.
> Couldn't log into my routers and had to add md5 ciphers and macs back.
> 
You must rebuild the dropbear package cleanly to test this patch.

Save the patch as a file located at
package/network/services/dropbear/patches/600-enable-hmac-sha2.patch,
relative to the OpenWrt source directory. The patch is available here:
http://patchwork.openwrt.org/patch/6322/

Do "make clean" to clean up the package, and then "make" to build the
firmware.
Flash the resulting firmware and test connecting to dropbear ssh daemon.

To test using hmac-sha2-256, run this command:
ssh -o MACs=hmac-sha2-256 root@OpenWrt
To test using hmac-sha2-512, run this command:
ssh -o MACs=hmac-sha2-512 root@OpenWrt

For your information, there is almost no difference between the message
authentication algorithms in the time needed to establish an ssh connection.

I performed the test on my TL-MR3220 (AR9330, mips, dropbear 2014.65,
r42321). The identity file is cached via ssh-agent. The test commands
are below.
time ssh -o MACs=hmac-md5 OpenWrt /bin/true
time ssh -o MACs=hmac-sha1 OpenWrt /bin/true
time ssh -o MACs=hmac-sha2-256 OpenWrt /bin/true
time ssh -o MACs=hmac-sha2-512 OpenWrt /bin/true

Here are the times needed to establish an ssh connection:
+---------+----------+----------+----------+----------+
|time\hmac|    md5   |   sha1   |  sha256  |  sha512  |
+---------+----------+----------+----------+----------+
| real    | 0m3.526s | 0m3.631s | 0m3.519s | 0m3.543s |
| user    | 0m0.015s | 0m0.061s | 0m0.015s | 0m0.031s |
| sys     | 0m0.077s | 0m0.046s | 0m0.093s | 0m0.092s |
+---------+----------+----------+----------+----------+

Putty and Bitvise will try connecting using hmac-sha2-256 when
available, whereas OpenSSH will use hmac-md5 by default.

I hope this information will be a good reason for enabling sha2-based
hmac on dropbear by default.
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
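To verify from the client side which MACs a rebuilt dropbear actually advertises, the SSH_MSG_KEXINIT it sends (RFC 4253 section 7.1) can be parsed directly. The following is an added example, not code from this thread or from the dropbear project; it parses a KEXINIT payload (binary packet framing already stripped) and audits the MAC name-lists. The two sample payloads, and the assumed "before" and "after" algorithm orders, are constructed for offline testing, not captures from a real router.

```python
import struct

SSH_MSG_KEXINIT = 20
# MACs treated as weak for this audit: MD5-based and truncated-tag variants.
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}
FIELDS = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def _namelist(data, off):
    """Read one RFC 4251 name-list: uint32 length + comma-separated ASCII."""
    (n,) = struct.unpack(">I", data[off:off + 4])
    text = data[off + 4:off + 4 + n].decode("ascii")
    return [x for x in text.split(",") if x], off + 4 + n

def parse_kexinit(payload):
    """Parse a KEXINIT payload into its ten name-lists plus the follows flag."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16  # message id followed by the 16-byte random cookie
    out = {}
    for name in FIELDS:
        out[name], off = _namelist(payload, off)
    out["first_kex_packet_follows"] = bool(payload[off])
    return out

def audit_macs(kexinit):
    """Report sha2 availability, weak MACs still offered, and the server's top pick."""
    offered = set(kexinit["mac_c2s"]) | set(kexinit["mac_s2c"])
    return {
        "sha2_available": bool({"hmac-sha2-256", "hmac-sha2-512"} & offered),
        "weak_offered": sorted(offered & WEAK_MACS),
        "preferred": kexinit["mac_s2c"][0] if kexinit["mac_s2c"] else None,
    }

def build_kexinit(macs, kex="diffie-hellman-group14-sha1", hostkey="ssh-rsa",
                  enc="aes128-ctr"):
    """Construct a sample KEXINIT payload (test data, not a real server capture)."""
    def nl(items):
        s = ",".join(items).encode("ascii")
        return struct.pack(">I", len(s)) + s
    lists = [[kex], [hostkey], [enc], [enc], macs, macs, ["none"], ["none"], [], []]
    body = b"".join(nl(l) for l in lists)
    return bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16 + body + b"\x00" + struct.pack(">I", 0)

# Constructed before/after samples; the exact dropbear ordering is an assumption.
BEFORE = build_kexinit(["hmac-sha1-96", "hmac-sha1", "hmac-md5"])
AFTER = build_kexinit(["hmac-sha2-256", "hmac-sha2-512", "hmac-sha1", "hmac-md5"])
```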