ssh-audit result for dropbear 2022.83

Question

ssh-audit result for dropbear 2022.83

kavithabk opened this issue 5 months ago · 2 comments

Hi
ssh-audit shows below output
algorithm recommendations (for Dropbear SSH 2022.83)
(rec) -ssh-rsa -- key algorithm to remove
(rec) +diffie-hellman-group16-sha512-- kex algorithm to append
(rec) +ssh-ed25519 -- key algorithm to append
(rec) +twofish128-ctr -- enc algorithm to append
(rec) +twofish256-ctr -- enc algorithm to append
(rec) !rsa-sha2-256 -- key algorithm to change (increase modulus size to 3072 bits or larger)
(rec) -hmac-sha2-256 -- mac algorithm to remove

But I see recommended is only
https://github.com/jtesta/ssh-audit/wiki/Dropbear-2022.83

Does it mean in dropbear 2022.83
we cant remove -hmac-sha2-256 , ssh-rsa ?
Also we cant add +twofish128-ctr , twofish256-ctr as its not supported?

Answer 1 · 2024-06-11T13:14:31.000Z

The localoptions.h settings at that link are good, they'll be the defaults in a future release. (similar discussion in #304)

ssh-audit's other advice is hit and miss. hmac-sha2-256 is a good MAC, and twofish isn't implemented by many SSH programs.

ssh-rsa as a signature will be disabled by #define DROPBEAR_RSA_SHA1 0, but as a key format it is fine to remain (the signatures will use sha256).

Answer 2 · 2024-06-11T19:05:40.000Z

Thanks for information