[yocto-security] Should dropbear ssh disallow SHA1
Burton, Ross
ross.burton at intel.com
Wed May 8 01:31:34 PDT 2019
On Wed, 8 May 2019 at 00:36, Joseph Reynolds <jrey at linux.ibm.com> wrote:
> The OpenBMC project [1] uses Yocto/poky, including the dropbear ssh
> server. We are changing the default ciphers offered by dropbear to
> disallow SHA1, because we believe this level of security is correct for
> our project. The change is currently in code review [2].
>
> Would you like to make this change or a similar change in Yocto/poky?
> Even if doing so might break compatibility with older ssh clients? See
> our code review [2] for considerations.
I'd say yes, it's a broken cipher and we should be as secure as
realistically possible out of the box.
Ross