Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

dropbearkey: make rsa as a default value for -t #268

Merged
merged 1 commit into from
Dec 31, 2023
Merged

dropbearkey: make rsa as a default value for -t #268

merged 1 commit into from
Dec 31, 2023

Conversation

stokito
Copy link
Contributor

@stokito stokito commented Dec 16, 2023

The OpenSSH ssh-keygen allows to omit the -t and will use rsa by default. For a better compatibility and simplification do the same.

@stokito stokito mentioned this pull request Dec 16, 2023
Merged
@mkj
Copy link
Owner

mkj commented Dec 17, 2023

I'm not keen on this - most Dropbear targets would be better off with ed25519

@stokito
Copy link
Contributor Author

stokito commented Dec 17, 2023

I checked and it turned out that the OpenSSH just recently switched to the ed25519 by default

openssh/openssh-portable@e1c284d

On my Ubuntu it still generates rsa but on the OpenWrt it already ahve a newer version.
Also the Dropbear can be compiled without the ed25519 or rsa so I need to wrap it with conditions.
1 hour please, I'll fix that

@mkj
Copy link
Owner

mkj commented Dec 17, 2023 via email

@mkj
Copy link
Owner

mkj commented Dec 17, 2023
edited
Loading

Thinking a bit more, I guess a -t default is fine for userauth keys.

The preference order would probably be:

  • ed25519
  • rsa
  • ecdsa-sha2-nistp256
  • ecdsa-sha2-nistp384
  • ecdsa-sha2-nistp521
  • ssh-dss

(different to the sigalgs list because negotiated hostkeys have fallbacks for compatibility, whereas a generated authkey doesn't, so RSA needs to be higher)

@stokito
dropbearkey: make rsa as a default value for -t
f815e12 
The OpenSSH ssh-keygen allows to omit the -t and will use ed25519 by default.
Previously it used RSA by default.

For a better compatibility and simplification do the same.

Since any algorithm can be disabled we should make a default with a better enabled option.
@stokito
Copy link
Contributor Author

stokito commented Dec 18, 2023
edited
Loading

The PR is ready to be merged.

I removed the check for the empty -t because now this will never happen. If none of the algo is enabled then the build will be failed by a check. So we are safe here. This is nice because this makes a binary smaller which is almost never happens when adding a new feature.

@mkj mkj merged commit 41a6abc into mkj:master Dec 31, 2023
16 checks passed
@mkj
Copy link
Owner

mkj commented Dec 31, 2023

Thanks

@stokito stokito deleted the dbkey-t branch February 16, 2024 07:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@stokito @mkj