Matt Johnston

Results: 135 comments by Matt Johnston

Thanks tjk, I've rebased this manually and merged it (with a few changes on top, and fuzzing)

I think this is already covered in extra changes I added to #269. Let me know if there is something missing.

Thanks for the Dropbear log, I'll have a look (might be a bit delayed)

`restrict` should be supported since Dropbear 2022.82, is it using an older version? I'll add `no-user-rc` support.

Dropbear will have the same warning about `authorized_keys` permissions, fwiw

Not sure if I'll get the release made in the next week, otherwise it'll be after mid-January. Note that Terrapin doesn't reduce the security of Dropbear at all, it doesn't...

For reference, this commit can be cherrypicked if desired: https://github.com/mkj/dropbear/commit/6e43be5c7b99dbee49dc72b6f989f29fdd7e9356 `Implement Strict KEX mode`

With description in https://github.com/mkj/dropbear/commit/66bc1fcdee594c6cb1139df0ef8a6c9c5fc3fde3

https://github.com/mkj/dropbear/blob/66bc1fcdee594c6cb1139df0ef8a6c9c5fc3fde3/CHANGES#L12-L23

The problem is we don't know which salt to use for an invalid user. See the comment https://github.com/mkj/dropbear/commit/8b4f60a7a113f4e9ae801dea88606f2663728f03#commitcomment-89492985

I'll explain the details. For `/etc/shadow` each user has a line like

```
matt:$6$s0VE2ZnkcTqeBvUv$vILqFJV2lc64O/M7bjvVfBe6JJ2SvlgmJs4Tz3FWEk3CdUSGqfwsdKxNR58qjz2MB5Sc2T2uqTD2q2imgGYpc1:19488:0:99999:7:::
```

For Dropbear to run crypt() to check the password hash of a user (or pretend...