added dropbear

author: Andreas Baumann <mail@andreasbaumann.cc> 2023-06-15 17:28:29 +0200
committer: Andreas Baumann <mail@andreasbaumann.cc> 2023-06-15 17:28:29 +0200
commit: 3b4e1a28ca48625800b7ad408fd88a0f7f342308 (patch)
tree: edbbc55f949850ab618e29ad3ddfd4800ded641b
parent: d269e28cd97bdd34a1d2278e2b1ed52b9158fc8a (diff)
download: i486tcc-linux-3b4e1a28ca48625800b7ad408fd88a0f7f342308.tar.gz
i486tcc-linux-3b4e1a28ca48625800b7ad408fd88a0f7f342308.tar.bz2
10 files changed, 690 insertions, 5 deletions
diff --git a/README b/README
index 3edbcdc..7e543c0 100644
--- a/README
+++ b/README
@@ -66,6 +66,8 @@ patches
 - vis
   * disabled probing of 'curses/termcap' with 'pkconfig', added them
     directly to 'configure'
+- dropbear
+  * patched binary locations and pathes in default_options.h
 
 dependencies
 ------------
diff --git a/configs/versions b/configs/versions
index 475dce7..f52ecc0 100644
--- a/configs/versions
+++ b/configs/versions
@@ -19,3 +19,4 @@ ABASE_VERSION="f2c13"
 NBD_VERSION="3.25"
 SAMURAI_VERSION="1.2"
 JOE_VERSION="4.6"
+DROPBEAR_VERSION="2022.83"
diff --git a/docs/goteleport.com_blog_comparing-ssh-keys.txt b/docs/goteleport.com_blog_comparing-ssh-keys.txt
new file mode 100644
index 0000000..1ba039e
--- /dev/null
+++ b/docs/goteleport.com_blog_comparing-ssh-keys.txt
@@ -0,0 +1,616 @@
+   IFRAME: [1]https://www.googletagmanager.com/ns.html?id=GTM-WMR7H6
+
+   IFRAME: [2]https://www.googletagmanager.com/ns.html?id=GTM-WMR7H6
+
+   (BUTTON)
+   [3]Platform
+
+Platform
+
+   [4]Why Teleport[5]How It Works
+   [6]Access Modules
+   [7]SSH[8]Kubernetes[9]Databases[10]Internal Applications[11]Windows
+   [12]Our Features
+   [13]Assist[14]Single Sign On[15]Just In Time Access Requests[16]Role
+   Based Access Control[17]Audit and Session Recordings[18]Device
+   Trust[19]Passwordless
+   [20]Solutions
+
+By Industry
+
+   [21]E-commerce & Entertainment[22]Financial
+   Services[23]Software-as-a-service (SaaS) Providers
+
+By Use Case
+
+   [24]Privileged Access Management[25]Machine-to-Machine
+   Access[26]Developer-friendly browser[27]Passwordless Infrastructure
+   Access
+
+By Cloud Provider
+
+   [28]Infrastructure Access for AWS
+   [29]Integrations
+   [30]Documentation
+   [31]Documentation[32]Download Teleport[33]Teleport Clients[34]How It
+   Works[35]Teleport Labs[36]Teleport Community[37]Teleport Slack
+   Channel[38]GitHub
+   [39]Learn
+   [40]The Blog[41]Our Customers[42]Resources[43]Learn[44]Events
+   [45]Pricing
+   [46]Company
+   [47]About Us[48]Careers[49]News[50]Partners
+   [51]Sign In
+
+Sign in to Teleport
+
+   Teleport Cloud LoginLogin to your Teleport Account
+   Dashboard LoginLegacy Login & Teleport Enterprise Downloads
+   [52]Get Started
+
+Table Of Contents
+
+     * [53]Encryption Within the SSH Protocol
+     * [54]Asymmetric Encryption Algorithms
+     * [55]Comparing Encryption Algorithms
+     * [56]Teleport cybersecurity blog posts and tech news
+     * [57]RSA vs. DSA vs. ECDSA vs. EdDSA
+     * [58]Conclusion
+
+   Apr 7, 2022
+
+Comparing SSH Keys - RSA, DSA, ECDSA, or EdDSA?
+
+   by [59]Ev Kontsevoy
+   comparing ssh keys
+
+   IFRAME:
+   [60]https://protocol.podigee.io/3-comparing-ssh-keys/embed?context=exte
+   rnal&theme=default
+
+   This blog post was originally released on 08/26/20.
+
+   What's worse than an unsafe private key? An unsafe public key.
+
+   The "secure" in secure shell comes from the combination of hashing,
+   symmetric encryption, and asymmetric encryption. Together, SSH uses
+   cryptographic primitives to safely connect clients and servers. In the
+   25 years since its founding, computing power and speeds in accordance
+   with [61]Moore's Law have necessitated increasingly complicated
+   low-level algorithms. This article will focus on asymmetric keygen
+   algorithms.
+
+   As of 2020, the most widely adopted algorithms are RSA, DSA, ECDSA, and
+   EdDSA, but it is RSA and EdDSA that provide the best security and
+   performance.
+
+Encryption Within the SSH Protocol
+
+   SSH is used almost universally to connect to shells on remote machines.
+   The most important part of an SSH session is establishing a secure
+   connection. This happens in two broad steps:
+     * Negotiation & Connection
+     * Authentication
+
+Negotiation & Connection
+
+   In order for an SSH session to work, both client and server must
+   support the same version of the SSH protocol. Modern clients will
+   support SSH 2.0, as SSH 1.0 has [62]identified flaws. After coming to a
+   consensus on which protocol version to follow, both machines negotiate
+   a per-session symmetric key to encrypt the connection from the outside.
+   Generating a symmetric key at this stage, when paired with the
+   asymmetric keys in authentication, prevents the entire session from
+   being [63]compromised if a key is revealed. Negotiation terms happen
+   through the [64]Diffie-Helman key exchange, which creates a shared
+   secret key to secure the whole data stream by combining the private key
+   of one party with the public key of the other. These keys are different
+   from the SSH keys used for authentication. For those interested in
+   learning more about this step, this comprehensive article, [65]SSH
+   Handshake Explained, is a great starting point.
+   shared secret creation
+   shared secret creation
+   Figure 1: Shared Secret Creation
+
+Authentication
+
+   After completing the negotiation and connection, a reliable and secure
+   channel between the client and server has been established. During the
+   KEX, the client has authenticated the server, but the server has not
+   yet authenticated the client. In most cases, public-key authentication
+   is used by the client. This method involves two keys, a [66]public and
+   private key. Either can be used to encrypt a message, but the other
+   must be used to decrypt. This is what is meant by asymmetric
+   encryption. [Figure 2] If Bob encrypts a message with Alice's public
+   key, only Alice's private key can decrypt the message. This principle
+   is what allows the SSH protocol to authenticate identity. If Alice
+   (client) can decrypt Bob's (server) message, then it proves Alice is in
+   possession of the paired private key. This is, in theory, how SSH keys
+   authentication should work. Unfortunately with the dynamic nature of
+   infrastructure today, SSH keys are increasingly shared or [67]managed
+   improperly, compromising its integrity. To learn more, read this
+   article, [68]How to SSH Properly.
+   Alice and Bob SSH keys
+   Alice and Bob SSH keys
+   [69]Figure 2: Only Alice's private key can decrypt a message signed
+   with Alice's public key
+
+Asymmetric Encryption Algorithms
+
+   What makes asymmetric encryption powerful is that a private key can be
+   used to derive a paired public key, but not the other way around. This
+   principle is core to public-key authentication. If Alice had used a
+   weak encryption algorithm that could be brute-forced by today's
+   processing capabilities, a third party could derive Alice's private key
+   using her public key. Protecting against a threat like this requires
+   careful selection of the right algorithm.
+
+   There are three classes of these algorithms commonly used for
+   asymmetric encryption: RSA, DSA, and elliptic curve based algorithms.
+   To properly evaluate the strength and integrity of each algorithm, it
+   is necessary to understand the mathematics that constitutes the core of
+   each algorithm.
+
+RSA: Integer Factorization
+
+   First used in 1978, the RSA cryptography is based on the held belief
+   that factoring large semi-prime numbers is difficult by nature. Given
+   that no general-purpose formula has been found to factor a compound
+   number into its prime factors, there is a direct relationship between
+   the size of the factors chosen and the time required to compute the
+   solution. In other words, given a number n=p\*q where p and q are
+   sufficiently large prime numbers, it can be assumed that anyone who can
+   factor n into its component parts is the only party that knows the
+   values of p and q. The same logic exists for public and private keys.
+   In fact, p & q are necessary variables for the creation of a private
+   key, and n is a variable for the subsequent public key. This
+   presentation simplifies RSA integer factorization. For those interested
+   in learning more, [70]click here.
+
+DSA: Discrete Logarithm Problem & Modular Exponentiation
+
+   DSA follows a similar schema, as RSA with public/private keypairs that
+   are mathematically related. What makes DSA different from RSA is that
+   DSA uses a different algorithm. It solves an entirely different problem
+   using different elements, equations, and steps. While the discrete log
+   problem is fun, it is [71]out of scope for this post. What is important
+   to note is the use of a randomly generated number, m, is used with
+   signing a message along with a private key, k. This number m must be
+   kept private. More in this later.
+
+ECDSA & EdDSA: Elliptic Curve Discrete Logarithm Problem
+
+   Algorithms using elliptic curves are also based on the assumption that
+   there is no generally efficient solution to solving a discrete log
+   problem. However, ECDSA/EdDSA and DSA differ in that DSA uses a
+   mathematical operation known as modular exponentiation while
+   ECDSA/EdDSA uses elliptic curves. The computational complexity of the
+   discrete log problem allows both classes of algorithms to achieve the
+   same level of security as RSA with significantly smaller keys.
+   bitcoin elliptic curve
+   bitcoin elliptic curve
+   Figure 3 - Elliptic curve, Secp256k1 used in the Bitcoin protocol
+
+Comparing Encryption Algorithms
+
+   Choosing the right algorithm depends on a few criteria:
+     * Implementation - Can the experts handle it, or does it need to be
+       rolled?
+     * Compatibility - Are there SSH clients that do not support a method?
+     * Performance - How long will it take to generate a sufficiently
+       secure key?
+     * Security - Can the public key be derived from the private key? (The
+       use of quantum computing to break encryption is not discussed in
+       this article.)
+
+RSA
+
+   Implementation
+
+   RSA libraries can be found for all major languages, including in-depth
+   libraries ([72]JS, [73]Python, [74]Go, [75]Rust, [76]C).
+   Compatibility
+
+   Usage of SHA-1 ([77]OpenSSH) or public keys under 2048-bits may be
+   unsupported.
+    Performance   Larger keys require more time to generate.
+      Security
+
+   Specialized algorithms like [78]Quadratic Sieve and [79]General Number
+   Field Sieve exist to factor integers with specific qualities.
+
+   Time has been RSA's greatest ally and greatest enemy. First published
+   in 1977, RSA has the widest support across all SSH clients and
+   languages and has truly stood the test of time as a reliable key
+   generation method. Subsequently, it has also been subject to Moore's
+   Law for decades and key bit-length has grown in size. According to NIST
+   standards, achieving 128-bit security requires a key with length 3072
+   bits whereas other algorithms use smaller keys. Bit security measures
+   the number of trials required to brute-force a key. 128 bit security
+   means 2^128 trials to break.
+   RSA key bit-length
+   RSA key bit-length
+
+   [80]Figure 4 - NIST 2020 Recommendations for RSA key bit-length
+   (Factoring Modulus)
+
+DSA
+
+   Implementation
+
+   DSA was adopted by FIPS-184 in 1994. It has ample representation in
+   [81]major crypto libraries, similar to RSA.
+   Compatibility
+
+   While DSA enjoys support for PuTTY-based clients, OpenSSH 7.0
+   [82]disables DSA by default.
+   Performance
+
+   [83]Significant improvement in key generation times to achieve
+   comparable security strengths, though recommended bit-length is the
+   same as RSA.
+      Security
+
+   DSA requires the use of a randomly generated unpredictable and secret
+   value that, [84]if discovered, can reveal the private key.
+
+   Recall earlier in the article:
+
+   "What is important to note is the use of a randomly generated number,
+   m, is used with signing a message along with a private key, k. This
+   number m must be kept privately."
+
+   The value mis meant to be a nonce, which is a unique value included in
+   many cryptographic protocols. However, the additional conditions of
+   unpredictability and secrecy makes the nonce more akin to a key, and
+   therefore extremely important.
+
+   Not only is it difficult to [85]ensure true randomness within a
+   machine, but improper implementation can break encryption. For example:
+    1. Android's Java SecureRandom class was known to create [86]colliding
+       R values. In other words, the class reused some randomly generated
+       numbers. This exposed a number of different [87]Android-based
+       Bitcoin wallets to having their private keys stolen. The
+       requirements of the nonce m means that any two instances with the
+       same nonce value could be reverse engineered and reveal the private
+       key used to sign transactions.
+    2. Taking this a step further, [88]fail0verflow discovered the private
+       key used to sign firmware updates for the Sony Playstation 3. In
+       other words, programmers could write their own code, sign it with
+       the revealed private key, and run it on the PS3. As it turns out,
+       Sony was using the [89]same random number to sign each message.
+
+ECDSA & EdDSA
+
+   The two examples above are not entirely sincere. Both Sony and the
+   Bitcoin protocol employ ECDSA, not DSA proper. ECDSA is an elliptic
+   curve implementation of DSA. Functionally, where RSA and DSA require
+   key lengths of 3072 bits to provide 128 bits of security, ECDSA can
+   accomplish the same with only 256-bit keys. However, ECDSA relies on
+   the same level of randomness as DSA, so the only gain is speed and
+   length, [90]not security.
+
+   In response to the desired speeds of elliptic curves and the undesired
+   security risks, another class of curves has gained some notoriety.
+   EdDSA solves the same discrete log problem as DSA/ECDSA, but uses a
+   different family of elliptic curves known as the [91]Edwards Curve
+   (EdDSA uses a [92]Twisted Edwards Curve). While offering slight
+   advantages in speed over ECDSA, its popularity comes from an
+   improvement in security. Instead of relying on a random number for the
+   nonce value, EdDSA generates a nonce deterministically as a hash making
+   it collision resistant.
+
+   Taking a step back, the use of elliptic curves does not automatically
+   guarantee some level of security. Not all curves are the same. Only a
+   [93]few curves have made it past rigorous testing. Luckily, the PKI
+   industry has slowly come to adopt [94]Curve25519 in particular for
+   EdDSA. Put together that makes the public-key signature algorithm,
+   [95]Ed25519.
+   Implementation
+
+   EdDSA is fairly new [96]Crypto++ and [97]cryptlib do not currently
+   support EdDSA.
+   Compatibility
+
+   Compatible with newer clients, Ed25519 has seen the [98]largest
+   adoption among the Edward Curves, though NIST also proposed Ed448 in
+   their recent draft of [99]SP 800-186.
+    Performance
+
+   Ed25519 is the fastest performing algorithm across all metrics. As with
+   ECDSA, public keys are twice the length of the desired bit security.
+      Security
+
+   EdDSA provides the [100]highest security level compared to key length.
+   It also improves on the insecurities found in ECDSA.
+
+Teleport cybersecurity blog posts and tech news
+
+   Every other week we'll send a newsletter with the latest cybersecurity
+   news and Teleport updates.
+   ____________________ (BUTTON) Subscribe
+
+RSA vs. DSA vs. ECDSA vs. EdDSA
+
+   Below we list the common differences between RSA, DSA, ECDSA, and EdDSA
+   algorithms:
+   RSA DSA ECDSA EdDSA
+   Popularity Most widely implemented and supported. Its notorious
+   security history makes it less popular. Fairly new but not as popular
+   as EdDSA. Fairly new but favoured by most modern cryptographic
+   libraries.
+   Performance Larger keys require more time to generate. Faster for
+   signature generation but slower for validation. Public keys are twice
+   the length of the desired bit security. EdDSA is the fastest performing
+   algorithm across all metrics.
+   Security Specialized algorithms like [101]Quadratic Sieve and
+   [102]General Number Field Sieve exist to factor integers with specific
+   qualities. DSA requires the use of a randomly generated unpredictable
+   and secret value that, [103]if discovered, can reveal the private key.
+   Vulnerable if pseudo random number aren't cryptographically strong.
+   EdDSA provides the highest security level compared to key length. It
+   also improves on the insecurities found in ECDSA.
+
+How to generate SSH keys with RSA, DSA, ECDSA, or EdDSA?
+
+   RSA is the default key type when generated using the ssh-keygen
+   command. To generate SSH keys with given algorithm type, supply -t flag
+   to ssh-keygen command. Below is an example of generating ed25519 key:
+$ ssh-keygen -t ed25519 -C "unique name to identify this key."
+
+   Both public and private keys (ssh key pair) are generated with the
+   above command. The private key never leave user's computer, and the
+   public key is stored in the server's authorized_keys file.
+
+   The SSH key fingerprint can be checked with the following command:
+$ ssh-keygen -l -f <key file>
+
+   For more details, [104]learn how to generate SSH keys.
+
+Conclusion
+
+   When it comes down to it, the choice is between RSA 2048/4096 and
+   Ed25519 and the trade-off is between performance and compatibility. RSA
+   is universally supported among SSH clients while EdDSA performs much
+   faster and provides the same level of security with significantly
+   smaller keys. Peter Ruppel puts the answer succinctly:
+
+     The short answer to this is: as long as the key strength is good
+     enough for the foreseeable future, it doesn't really matter. Because
+     here we are considering a signature for authentication within an SSH
+     session. The cryptographic strength of the signature just needs to
+     withstand the current, state-of-the-art attacks.
+     * [105]Ed25519 for SSH
+
+   Just don't use ECDSA/DSA!
+
+Certificates better than keys
+
+   Although keys are a relatively secure authentication method for SSH
+   when compared with password-based authentication, keys create an equal
+   amount of operational and security overhead on the administration side.
+   Key rotation and key invalidation remain a challenge that can be
+   resolved using certificate-based authentication. Teleport offers
+   [106]SSH certificate-based access solution with additional benefits of
+   audit logging, session recording, and RBAC for SSH. Teleport is open
+   source and can be used as a drop replacement for OpenSSH servers. Learn
+   why [107]certificates are better than keys for SSH and get started with
+   Teleport today -
+   [108]https://goteleport.com/docs/getting-started/linux-server/
+
+Tags
+
+     * [109]ssh
+
+Teleport Newsletter
+
+   Stay up-to-date with the newest Teleport releases by subscribing to our
+   monthly updates.
+   ____________________ (BUTTON) Subscribe
+
+Teleport Team
+
+   Protect your infrastructure with essential security & compliance
+   capabilities with Teleport Team
+   background
+
+Subscribe to our newsletter
+
+   ____________________ (BUTTON) Subscribe
+   PAM / Teleport
+     * Protocols
+          + [110]Teleport Overview
+          + [111]SSH
+          + [112]Kubernetes
+          + [113]Databases
+          + [114]Applications
+          + [115]Windows
+          + [116]Teleport Features
+          + [117]Teleport Pricing
+     * Documentation
+          + [118]Documentation home
+          + [119]How Teleport works
+          + [120]GitHub repository
+     * Learn
+          + [121]Why Teleport?
+          + [122]Blog
+          + [123]Customers
+          + [124]Resources
+          + [125]Events
+     * Company
+          + [126]About us
+          + [127]Security
+          + [128]Careers
+          + [129]News
+          + [130]Partners
+          + [131]Status
+     * Get in touch
+          + [132](855) 818 9008
+          + [133]General inquiries
+          + [134]Customer support
+          + Connect
+               o [135]Teleport Community
+               o [136]Slack
+               o [137]Github
+               o [138]Twitter
+               o [139]LinkedIn
+               o [140]YouTube
+
+   � 2023 Gravitational Inc.; all rights reserved.
+     * [141]Terms of service
+     * [142]Privacy policy
+
+References
+
+   Visible links:
+   1. https://www.googletagmanager.com/ns.html?id=GTM-WMR7H6
+   2. https://www.googletagmanager.com/ns.html?id=GTM-WMR7H6
+   3. https://goteleport.com/teleport/
+   4. https://goteleport.com/why-teleport/
+   5. https://goteleport.com/how-it-works/
+   6. https://goteleport.com/access-modules/
+   7. https://goteleport.com/ssh-server-access/
+   8. https://goteleport.com/kubernetes-access/
+   9. https://goteleport.com/database-access/
+  10. https://goteleport.com/application-access/
+  11. https://goteleport.com/desktop-access/
+  12. https://goteleport.com/features/
+  13. https://goteleport.com/features/assist/
+  14. https://goteleport.com/features/sso-for-ssh/
+  15. https://goteleport.com/features/access-requests/
+  16. https://goteleport.com/features/rbac-for-ssh/
+  17. https://goteleport.com/how-it-works/audit-logging-for-ssh-and-kubernetes/
+  18. https://goteleport.com/docs/access-controls/guides/device-trust/
+  19. https://goteleport.com/passwordless/
+  20. https://goteleport.com/
+  21. https://goteleport.com/use-cases/ecommerce-entertainment/
+  22. https://goteleport.com/use-cases/finance/
+  23. https://goteleport.com/use-cases/saas/
+  24. https://goteleport.com/use-cases/privileged-access-management/
+  25. https://goteleport.com/use-cases/machine-to-machine-access/
+  26. https://goteleport.com/connect/
+  27. https://goteleport.com/passwordless/
+  28. https://goteleport.com/use-cases/aws/
+  29. https://goteleport.com/integrations/
+  30. https://goteleport.com/docs/
+  31. https://goteleport.com/docs/
+  32. https://goteleport.com/download/
+  33. https://goteleport.com/docs/connect-your-client/introduction/
+  34. https://goteleport.com/how-it-works/
+  35. https://goteleport.com/labs/
+  36. https://goteleport.com/community/
+  37. https://goteleport.com/slack/
+  38. https://github.com/gravitational/teleport/
+  39. https://goteleport.com/resources/
+  40. https://goteleport.com/blog/
+  41. https://goteleport.com/case-study/
+  42. https://goteleport.com/resources/
+  43. https://goteleport.com/learn/
+  44. https://goteleport.com/about/events/
+  45. https://goteleport.com/pricing/
+  46. https://goteleport.com/about/
+  47. https://goteleport.com/about/
+  48. https://goteleport.com/careers/
+  49. https://goteleport.com/about/press/
+  50. https://goteleport.com/partners/
+  51. https://teleport.sh/
+  52. https://goteleport.com/signup/
+  53. https://goteleport.com/blog/comparing-ssh-keys/#encryption-within-the-ssh-protocol
+  54. https://goteleport.com/blog/comparing-ssh-keys/#asymmetric-encryption-algorithms
+  55. https://goteleport.com/blog/comparing-ssh-keys/#comparing-encryption-algorithms
+  56. https://goteleport.com/blog/comparing-ssh-keys/#teleport-cybersecurity-blog-posts-and-tech-news
+  57. https://goteleport.com/blog/comparing-ssh-keys/#rsa-vs-dsa-vs-ecdsa-vs-eddsa
+  58. https://goteleport.com/blog/comparing-ssh-keys/#conclusion
+  59. https://goteleport.com/learn/author/evkontsevoy/
+  60. https://protocol.podigee.io/3-comparing-ssh-keys/embed?context=external&theme=default
+  61. https://www.quora.com/How-does-Moore-s-Law-affect-the-security-of-cryptographic-algorithms
+  62. https://goteleport.com/blog/ssh-handshake-explained/
+  63. https://en.wikipedia.org/wiki/Forward_secrecy
+  64. https://www.youtube.com/watch?v=NmM9HA2MQGI
+  65. https://goteleport.com/blog/ssh-handshake-explained/
+  66. https://www.cloudflare.com/learning/ssl/how-does-public-key-encryption-work/
+  67. https://goteleport.com/blog/ssh-key-management/
+  68. https://goteleport.com/blog/how-to-ssh-properly/
+  69. https://en.wikipedia.org/wiki/Public-key_cryptography#/media/File:Public_key_encryption.svg
+  70. https://www.slideshare.net/dganesan11/security-of-rsa-and-integer-factorization
+  71. https://www.youtube.com/watch?v=PQ8AruHaoLo
+  72. https://gist.github.com/jo/8619441
+  73. https://cryptography.io/en/latest/
+  74. https://golang.org/pkg/crypto/rsa/
+  75. https://docs.rs/rsa/0.3.0/rsa/
+  76. https://www.libtom.net/LibTomCrypt/
+  77. https://www.openssh.com/txt/release-8.3
+  78. https://mathworld.wolfram.com/QuadraticSieve.html
+  79. https://en.wikipedia.org/wiki/General_number_field_sieve
+  80. https://www.keylength.com/en/4/
+  81. https://en.wikipedia.org/wiki/Comparison_of_cryptography_libraries
+  82. https://www.openssh.com/legacy.html
+  83. https://security.stackexchange.com/questions/97411/significance-of-the-difference-between-dsa-and-rsa-in-signature-verifying-speed
+  84. https://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/
+  85. https://blog.cloudflare.com/ensuring-randomness-with-linuxs-random-number-generator/
+  86. https://crypto.stackexchange.com/questions/9694/technical-details-of-attack-on-android-bitcoin-usage-of-securerandom
+  87. https://bitcoin.org/en/alert/2013-08-11-android
+  88. https://fail0verflow.com/blog/
+  89. https://www.youtube.com/watch?v=LP1t_pzxKyE
+  90. https://blog.trailofbits.com/2020/06/11/ecdsa-handle-with-care/
+  91. https://en.wikipedia.org/wiki/Edwards_curve
+  92. https://en.wikipedia.org/wiki/Twisted_Edwards_curve
+  93. https://safecurves.cr.yp.to/
+  94. https://en.wikipedia.org/wiki/Curve25519
+  95. https://ed25519.cr.yp.to/
+  96. https://en.wikipedia.org/wiki/Crypto%2B%2B#Algorithms
+  97. https://en.wikipedia.org/wiki/Cryptlib#Algorithm_support
+  98. https://ianix.com/pub/ed25519-deployment.html#ed25519-libraries
+  99. https://www.nist.gov/news-events/news/2019/10/digital-signatures-and-elliptic-curve-cryptography-request-comments-draft
+ 100. https://ed25519.cr.yp.to/
+ 101. https://mathworld.wolfram.com/QuadraticSieve.html
+ 102. https://en.wikipedia.org/wiki/General_number_field_sieve
+ 103. https://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/
+ 104. https://goteleport.com/blog/how-to-set-up-ssh-keys/
+ 105. https://blog.peterruppel.de/ed25519-for-ssh/
+ 106. https://goteleport.com/how-it-works/certificate-based-authentication-ssh-kubernetes/
+ 107. https://goteleport.com/blog/how-to-ssh-properly/
+ 108. https://goteleport.com/docs/getting-started/linux-server/
+ 109. https://goteleport.com/blog/tags/ssh/
+ 110. https://goteleport.com/
+ 111. https://goteleport.com/ssh-server-access/
+ 112. https://goteleport.com/kubernetes-access/
+ 113. https://goteleport.com/database-access/
+ 114. https://goteleport.com/application-access/
+ 115. https://goteleport.com/desktop-access/
+ 116. https://goteleport.com/features/
+ 117. https://goteleport.com/pricing/
+ 118. https://goteleport.com/docs/
+ 119. https://goteleport.com/how-it-works/
+ 120. https://github.com/gravitational/teleport/
+ 121. https://goteleport.com/why-teleport/
+ 122. https://goteleport.com/
+ 123. https://goteleport.com/case-study/
+ 124. https://goteleport.com/resources/
+ 125. https://goteleport.com/about/events/
+ 126. https://goteleport.com/about/
+ 127. https://goteleport.com/security/
+ 128. https://goteleport.com/careers/
+ 129. https://goteleport.com/about/press/
+ 130. https://goteleport.com/partners/
+ 131. https://status.teleport.sh/
+ 132. tel:855-818-9008
+ 133. https://goteleport.com/contact-us/
+ 134. https://goteleport.com/support/
+ 135. https://goteleport.com/community/
+ 136. https://goteleport.com/slack/
+ 137. https://github.com/gravitational/
+ 138. https://twitter.com/goteleport/
+ 139. https://www.linkedin.com/company/go-teleport/
+ 140. https://www.youtube.com/channel/UCmtTJaeEKYxCjfNGiijOyJw/
+ 141. https://goteleport.com/tos/
+ 142. https://goteleport.com/privacy/
+
+   Hidden links:
+ 144. https://goteleport.com/
+ 145. https://teleport.sh/
+ 146. https://dashboard.gravitational.com/web/login/
+ 147. https://www.linkedin.com/company/go-teleport
+ 148. https://twitter.com/goteleport/
+ 149. https://goteleport.com/blog/rss.xml
+ 150. https://goteleport.com/signup/
diff --git a/local/etc/rc.init b/local/etc/rc.init
index 50468f1..f6c7ca8 100755
--- a/local/etc/rc.init
+++ b/local/etc/rc.init
@@ -18,4 +18,15 @@ respawn getty /dev/tty3 &
 respawn getty /dev/tty4 &
 respawn getty /dev/ttyS0 &
 
+if test ! -d /etc/dropbear; then
+	echo "Generating host keys.."
+	mkdir /etc/dropbear
+	dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key
+	dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key
+	dropbearkey -t ecdsa -f /etc/dropbear/dropbear_ecdsa_host_key
+	dropbearkey -t ed25519 -f /etc/dropbear/dropbear_ed25519_host_key
+fi
+echo "Starting SSH daemon.."
+dropbear
+
 echo "Ready."
diff --git a/patches/dropbear-path.patch b/patches/dropbear-path.patch
new file mode 100644
index 0000000..fe8d49a
--- /dev/null
+++ b/patches/dropbear-path.patch
@@ -0,0 +1,31 @@
+diff -rauN dropbear-2022.83/default_options.h dropbear-2022.83-path-patch/default_options.h
+--- dropbear-2022.83/default_options.h	2022-11-14 15:30:00.000000000 +0100
++++ dropbear-2022.83-path-patch/default_options.h	2023-06-15 14:42:19.428893698 +0200
+@@ -302,7 +302,7 @@
+ 
+ /* The command to invoke for xauth when using X11 forwarding.
+  * "-q" for quiet */
+-#define XAUTH_COMMAND "/usr/bin/xauth -q"
++#define XAUTH_COMMAND "/bin/xauth -q"
+ 
+ 
+ /* If you want to enable running an sftp server (such as the one included with
+@@ -315,7 +315,7 @@
+ 
+ /* This is used by the scp binary when used as a client binary. If you're
+  * not using the Dropbear client, you'll need to change it */
+-#define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/dbclient"
++#define DROPBEAR_PATH_SSH_PROGRAM "/bin/dbclient"
+ 
+ /* Whether to log commands executed by a client. This only logs the 
+  * (single) command sent to the server, not what a user did in a 
+@@ -351,7 +351,7 @@
+ #define DEFAULT_IDLE_TIMEOUT 0
+ 
+ /* The default path. This will often get replaced by the shell */
+-#define DEFAULT_PATH "/usr/bin:/bin"
+-#define DEFAULT_ROOT_PATH "/usr/sbin:/usr/bin:/sbin:/bin"
++#define DEFAULT_PATH "/bin"
++#define DEFAULT_ROOT_PATH "/bin"
+ 
+ #endif /* DROPBEAR_DEFAULT_OPTIONS_H_ */
diff --git a/patches/musl-1.2.3-tcc.patch b/patches/musl-tcc.patch
index 2d6bff5..2d6bff5 100644
--- a/patches/musl-1.2.3-tcc.patch
+++ b/patches/musl-tcc.patch
diff --git a/scripts/build.sh b/scripts/build.sh
index c851663..d946127 100755
--- a/scripts/build.sh
+++ b/scripts/build.sh
@@ -18,8 +18,8 @@ set -e
 SCRIPT=$(readlink -f "$0")
 BASE=$(dirname ${SCRIPT})/..
 
-CPUS=$(nproc)
-#CPUS=1
+#CPUS=$(nproc)
+CPUS=1
 
 . "${BASE}/configs/versions"
 
@@ -58,7 +58,7 @@ if [ ! -f "${BASE}/build/stage0/lib/libc.a" ]; then
 	rm -rf "musl-${MUSL_VERSION}"
 	tar xf "${BASE}/downloads/musl-${MUSL_VERSION}.tar.gz"
 	cd "musl-${MUSL_VERSION}"
-	patch -Np1 < "${BASE}/patches/musl-1.2.3-tcc.patch"
+	patch -Np1 < "${BASE}/patches/musl-tcc.patch"
 	CC="${BASE}/build/stage0/bin/i386-tcc" ./configure \
 		--prefix="${BASE}/build/stage0" \
 		--target=i386-linux-musl --disable-shared
@@ -391,6 +391,26 @@ else
 	echo "stage1 joe exists"
 fi
 
+if [ ! -f "${BASE}/build/stage1/bin/dropbearmulti" ]; then
+	rm -rf "dropbear-${DROPBEAR_VERSION}"
+	tar xf "${BASE}/downloads/dropbear-${DROPBEAR_VERSION}.tar.bz2"
+	cd "dropbear-${DROPBEAR_VERSION}"
+	patch -Np1 < "${BASE}/patches/dropbear-path.patch"
+	CC="${BASE}/build/stage1/bin/i386-tcc" \
+	./configure --prefix="${BASE}/build/stage1" \
+		--enable-static --disable-shared
+	make -j$CPUS STATIC=1 MULTI=1 SCPPROGRESS=1 PROGRAMS="dropbear dbclient dropbearkey scp ssh"
+	cp dropbearmulti "${BASE}/build/stage1/bin/."
+	make -j$CPUS inst_dropbearmulti
+	rm -f "${BASE}/build/stage1/sbin/dropbear"
+	for i in dbclient dropbearkey dropbear scp ssh; do
+		ln -sf dropbearmulti "${BASE}/build/stage1/bin/${i}"
+	done
+	cd ..
+else
+	echo "stage1 dropbear exists"
+fi
+
 # TODO FROM HERE
 
 # TODO: have some way to deal with dependencies and with the user
diff --git a/scripts/download.sh b/scripts/download.sh
index 6431b07..872fe8f 100755
--- a/scripts/download.sh
+++ b/scripts/download.sh
@@ -158,6 +158,10 @@ if [ ! -f "${BASE}/downloads/linux-${LINUX_KERNEL_VERSION}.tar.gz" ]; then
 	wget -O "${BASE}/downloads/linux-${LINUX_KERNEL_VERSION}.tar.gz" "https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-${LINUX_KERNEL_VERSION}.tar.gz"
 fi
 
+if [ ! -f "${BASE}/downloads/dropbear-${DROPBEAR_VERSION}.tar.bz2" ]; then
+	wget -O "${BASE}/downloads/dropbear-${DROPBEAR_VERSION}.tar.bz2" "https://matt.ucc.asn.au/dropbear/releases/dropbear-${DROPBEAR_VERSION}.tar.bz2"
+fi
+
 trap - 0
 
 exit 0
diff --git a/scripts/run_qemu.sh b/scripts/run_qemu.sh
index 9ce52de..06f8338 100755
--- a/scripts/run_qemu.sh
+++ b/scripts/run_qemu.sh
@@ -4,6 +4,6 @@ qemu-nbd -f raw root.img -x ROOT &
 sleep 2 && \
 qemu-system-i386 -cpu 486 -m 18M -machine isapc \
 	-drive "file=floppy00,if=floppy,format=raw" \
-	-netdev user,id=net0,net=10.0.0.0/24,host=10.0.0.2,dhcpstart=10.0.0.16,hostfwd=tcp::8080-:80,hostfwd=udp::8081-:81 \
+	-netdev user,id=net0,net=10.0.0.0/24,host=10.0.0.2,dhcpstart=10.0.0.16,hostfwd=tcp::2222-:22 \
 	-device ne2k_isa,iobase=0x300,irq=10,netdev=net0
 pkill qemu-nbd
diff --git a/scripts/run_qemu_direct.sh b/scripts/run_qemu_direct.sh
index f8de126..0e34b13 100755
--- a/scripts/run_qemu_direct.sh
+++ b/scripts/run_qemu_direct.sh
@@ -5,6 +5,6 @@ sleep 2 && \
 qemu-system-i386 -cpu 486 -m 24M -machine isapc \
  	-kernel bzImage -initrd ramdisk.img \
  	-append	"debug loglevel=7 earlycon=vga earlycon=uart8250,io,0x3f8,9600n8 console=tty0 console=ttyS0,9600n8 iommu=off nomodeset init=/init" \
-	-netdev user,id=net0,net=10.0.0.0/24,host=10.0.0.2,dhcpstart=10.0.0.16,hostfwd=tcp::8080-:80 \
+	-netdev user,id=net0,net=10.0.0.0/24,host=10.0.0.2,dhcpstart=10.0.0.16,hostfwd=tcp::2222-:22 \
 	-device ne2k_isa,iobase=0x300,irq=10,netdev=net0
 pkill qemu-nbd
author	Andreas Baumann <mail@andreasbaumann.cc>	2023-06-15 17:28:29 +0200
committer	Andreas Baumann <mail@andreasbaumann.cc>	2023-06-15 17:28:29 +0200
commit	3b4e1a28ca48625800b7ad408fd88a0f7f342308 (patch)
tree	edbbc55f949850ab618e29ad3ddfd4800ded641b
parent	d269e28cd97bdd34a1d2278e2b1ed52b9158fc8a (diff)
download	i486tcc-linux-3b4e1a28ca48625800b7ad408fd88a0f7f342308.tar.gz i486tcc-linux-3b4e1a28ca48625800b7ad408fd88a0f7f342308.tar.bz2