Install on Edgerouter X and update dropbear from 2017.75 to 2019.78

Hello together,

as I am just setting up an Edgerouter X freshly with OpenWRT, I would like to update the dropbear package from 2017.75 to 2019.78.

How must I proceed to do this?

Thanks for any directions.

cu,
agerhard

Aside from updating the package in a new installation - how can the maintainer "OpenWrt team" of the package in the stable release be contacted to update this in general?

https://openwrt.org/packages/pkgdata/dropbear

In general the release builds don't get backported package upgrades unless there is a major security issue. So the advice would be to use a snapshot build, which for some targets (including yours, mipsel_24kc) are building 2019.78.

It may be possible to install only the snapshot dropbear package from here http://downloads.openwrt.org/snapshots/packages/mipsel_24kc/base/dropbear_2019.78-2_mipsel_24kc.ipk on top of a stable build. This has a serious risk of breaking dropbear, which means of course you can't ssh to the router so be prepared for serial recovery.

Finally you could try to port and build yourself, which sometimes works just to change the source version in the Makefile.

Hello mk24, thanks for your hints. Will check whether I have the capabilities to do this.

Regarding

still as a layman I found in the change details, that an available patch for "Spectre" is currently not part of OpenWRT due to this
https://matt.ucc.asn.au/dropbear/CHANGES

and here I found current further remarks:
"Dropbear version v2017.75, for example, still diffie-hellman-group1-sha1 as a key diffie-hellman-group1-sha1, which has already been removed in OpenSSH version 6.7 due to the Logjam attack. Due to the offered key exchange protocols and message authentication code algorithms (MAC) I even had to adapt my local OpenSSH client configuration"
"The parameters aes256-ctr and hmac-sha2-256 I added manually, otherwise no SSH connection with the OpenWrt router was possible. It's high time the Dropbear package was updated in OpenWrt."

Any way known to highlight this to OpenWRT team?

Send a message to the mailing-list.

This isn't an issue if your SSH client is recent and knows to demand a more secure DH group.

For example I have a router running dropbear 17. On my Linux PC with OpenSSH run ssh -v to the router and observe the following crypto was negotiated:

debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-md5 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-md5 compression: none

That will be a reasonably safe connection. It would be nice to see stronger session ciphers but at least it is not 3DES.

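Added example, not part of any post in this thread: a POSIX shell function that reads ssh -v debug output and flags the legacy algorithms the thread names (diffie-hellman-group1-sha1, hmac-md5, 3DES). The function names audit_kex and sample_from_post and the flag list are assumptions of this example, not an OpenWrt or OpenSSH policy.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `ssh -v` debug output on stdin,
# prints every negotiated kex/cipher/MAC, and returns non-zero if any of them
# is on the flag list. The flag list is this example's policy (an assumption).

audit_kex() {
    awk '
    BEGIN {
        flag["kex", "diffie-hellman-group1-sha1"] = "Logjam-era 1024-bit group"
        flag["mac", "hmac-md5"] = "MD5-based MAC"
        flag["cipher", "3des-cbc"] = "64-bit block cipher"
        bad = 0
    }
    function report(kind, dir, name) {
        if ((kind, name) in flag) {
            printf "FLAG %s %s %s (%s)\n", kind, dir, name, flag[kind, name]
            bad = 1
        } else {
            printf "ok   %s %s %s\n", kind, dir, name
        }
    }
    $1 == "debug1:" && $2 == "kex:" && $3 == "algorithm:" { report("kex", "both", $4) }
    $1 == "debug1:" && $2 == "kex:" && $4 == "cipher:" {
        # $3 is the direction (server->client or client->server).
        # AEAD ciphers print "MAC: <implicit>", so there is no separate MAC to check.
        report("cipher", $3, $5)
        if ($7 != "<implicit>") report("mac", $3, $7)
    }
    END { exit bad }
    '
}

# The four debug lines quoted in the post above, used as sample input.
sample_from_post() {
    cat <<'EOF'
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-md5 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-md5 compression: none
EOF
}

# Stand-alone run; against a real router, pipe in the output of: ssh -v <host> exit 2>&1
sample_from_post | audit_kex || echo "legacy algorithms were negotiated"
```

On the output quoted in the post, the key exchange and cipher pass and only the hmac-md5 MAC is flagged, once per direction.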

An alternative is to use snapshots or make your own builds using the master branch: https://openwrt.org/docs/guide-developer/build-system/use-buildsystem

I'm using the latter on my ERX - dropbear version is:

~# dropbear -V
Dropbear v2019.78