Support newer SSH key types?

DD-WRT Forum Index -> General Questions
the-joker
DD-WRT Developer/Maintainer
Joined: 31 Jul 2021
Posts: 2146
Location: All over YOUR webs
Posted: Thu Sep 15, 2022 12:51
Something lost in translation there @mwchang? Perhaps another cup of exercise on your corporate rooftop.

Anyway, ECC is all patented shit; it's been around for a long time but not adopted, which is likely why RSA is still so prevalent.

In any case it's not about security, it's about key size and speed. You want security, look elsewhere.

_________________
Saving your retinas from the burn!🔥
DD-WRT Inspired themes for routers
DD-WRT Inspired themes for the phpBB Forum
DD-WRT Inspired themes for the SVN Trac & FTP site
Join in for a chat @ #style_it_themes_public:matrix.org or #style_it_themes:discord

DD-WRT UI Themes Bug Reporting and Discussion thread

Router: ANus RT-AC68U E1 (recognized as C1)
mwchang
DD-WRT Guru
Joined: 26 Mar 2013
Posts: 1855
Location: Hung Hom, Hong Kong
Posted: Thu Sep 15, 2022 16:05
the-joker wrote:
> Something lost in translation there @mwchang? Perhaps another cup of exercise on your corporate rooftop.
>
> Anyway, ECC is all patented shit; it's been around for a long time but not adopted, which is likely why RSA is still so prevalent.
>
> In any case it's not about security, it's about key size and speed. You want security, look elsewhere.

I meant you could apply EC to all keys, not just DSA. What's bad about long encryption keys? It's always the basis of security, right?

Are they after some dark magic when they claimed EC might lead to shorter keys while escaping dictionary hacks? Well... I think those mathematicians really need to smoke something I don't understand. Or were they all bluffing? :)

Should we go all out to conspire and talk about hidden backdoors in all computer microcode, firmware and software? ;)

Anyway, I don't smoke nor drink strange molecules, and I have listed those old tickets related to ECDSA.

Back to our regularly scheduled programs...

_________________
Router: Asus RT-N18U (rev. A1)

Drink, Blink, Stretch! Live long and prosper! May the Force and farces be with you!

Facebook: https://www.facebook.com/changmanwai
Website: https://sites.google.com/site/changmw
SETI@Home profile: http://setiathome.berkeley.edu/view_profile.php?userid=211832
GitHub: https://github.com/changmw/changmw
the-joker
DD-WRT Developer/Maintainer
Posted: Thu Sep 15, 2022 16:59
Since ECC is patented tech, you can only look at the patches up at OpenSSL and other implementations to see what curves they are using.

This isn't the same 1 + 1 = 2 math or -(-1) -(-1) = 2, and long isn't always the most secure; I think you have it a little backwards. You should read up on it. Sorry, teaching and hand-holding is closed permanently by order of the maximum chief of the minimum staff.

ho1Aetoo
DD-WRT Guru
Joined: 19 Feb 2019
Posts: 2927
Location: Germany
Posted: Thu Sep 15, 2022 17:28
To mention it again: ECDSA is not EdDSA (Ed25519 is an EdDSA variant).

ECDSA has some known vulnerabilities (weak random number generators, side-channel attacks, etc.).

ECDSA uses, for example, NIST / CIA curves, hehehe; see:

https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm#Security

EdDSA uses a different curve, is immune to weak random number generators and many side-channel attacks and collisions.

https://en.wikipedia.org/wiki/EdDSA#Secure_coding

And what is bad about long keys? With increasing length they become slower and slower and can fill your NVRAM.
mwchang
DD-WRT Guru
Posted: Thu Sep 15, 2022 17:28
the-joker wrote:
> Since ECC is patented tech, you can only look at the patches up at OpenSSL and other implementations to see what curves they are using.
>
> This isn't the same 1 + 1 = 2 math or -(-1) -(-1) = 2, and long isn't always the most secure; I think you have it a little backwards. You should read up on it. Sorry, teaching and hand-holding is closed permanently by order of the maximum chief of the minimum staff.

In the end, it's just some convoluted mathematics. Later!

I will continue to use RSA 2, until OpenSSH changes. ;)

the-joker
DD-WRT Developer/Maintainer
Posted: Thu Sep 15, 2022 17:30
In the end it's just hot air also ;) and with that, here's my dragon's breath 🔥🐉
mwchang
DD-WRT Guru
Posted: Fri Sep 16, 2022 13:01
the-joker wrote:
> In the end it's just hot air also ;) and with that, here's my dragon's breath 🔥🐉

It's indeed very hot in Hong Kong. And we got global warming... hot air... ;)

Don't forget to drink water if not tea while using computers.

mwchang
DD-WRT Guru
Posted: Wed Nov 16, 2022 5:06
Possibly related:

Changeset 50862 – DD-WRT
* update dropbear: add new files
https://svn.dd-wrt.com/changeset/50862

Changeset 50872 – DD-WRT
* try ed25519
https://svn.dd-wrt.com/changeset/50872

Changeset 50864 – DD-WRT
* switch to ecdsa
https://svn.dd-wrt.com/changeset/50864

Changeset 50877 – DD-WRT
* update zlib-ng: add new files
https://svn.dd-wrt.com/changeset/50877

dale_gribble39
DD-WRT Guru
Joined: 11 Jun 2022
Posts: 1899
Posted: Wed Nov 16, 2022 6:07
The zlib updates may be "related", but all of these relate to the ed25519 / dropbear update:

Changeset [50875] by brainslayer
fix download
Changeset [50874] by brainslayer
try ed25519
Changeset [50873] by brainslayer
try ed25519
Changeset [50872] by brainslayer
try ed25519
-
Changeset [50870] by brainslayer
change key size
Changeset [50869] by brainslayer
obsolete
-
Changeset [50867] by brainslayer
switch to ecdsa
Changeset [50866] by brainslayer
switch to ecdsa
Changeset [50865] by brainslayer
switch to ecdsa
Changeset [50864] by brainslayer
switch to ecdsa
Changeset [50863] by brainslayer
update dropbear: remove old files
Changeset [50862] by brainslayer
update dropbear: add new files

_________________
"The woods are lovely, dark and deep,
But I have promises to keep,
And miles to go before I sleep,
And miles to go before I sleep." - Robert Frost

"I am one of the noticeable ones - notice me" - Dale Frances McKenzie Bozzio

<fact>code knows no gender</fact>

This is me, knowing I've ruffled your feathers, and not giving a ****
Some people are still hard-headed.

--------------------------------------
Mac Pro (Mid 2012) - Two 2.4GHz 6-Core Intel Xeon E5645 processors 64GB 1333MHz DDR3 ECC SDRAM OpenSUSE Leap 15.5
ho1Aetoo
DD-WRT Guru
Posted: Wed Nov 16, 2022 9:40
It's been in there for a while, but it's not decided yet whether it will stay.

https://svn.dd-wrt.com/changeset/50789
https://svn.dd-wrt.com/changeset/50790

But it works at the moment; the GUI also supports ED25519.

It is 100-1000x faster than RSA 4096.

A complete key generation and conversion to the OpenSSH format takes 20ms on my R7800,
so keep your fingers crossed and hope it will be accepted.
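The "conversion to the OpenSSH format" in the post above, and ho1Aetoo's earlier remark that long keys can fill NVRAM, both come down to what an OpenSSH public-key line actually contains. The example below is added here and is not code from the thread, from dropbear or from OpenSSH: it decodes the base64 blob of an `authorized_keys`-style line into its length-prefixed wire fields (RFC 4253 for `ssh-rsa`, RFC 5656 for `ecdsa-sha2-*`, RFC 8709 for `ssh-ed25519`), reports the key size and the blob size, and rejects malformed blobs. The sample keys are constructed in the code (an Ed25519 blob of repeated bytes, a 4096-bit-shaped RSA modulus, a fake P-256 point); they are not real keys and would not authenticate anywhere. Function names and the `build_pubkey_line` helper are this demo's own.

```python
# Added example, not from the thread or from dropbear/OpenSSH: decode an
# OpenSSH public-key line ("ssh-ed25519 AAAA... comment") down to its
# wire-format fields, so the size difference between key types is visible.
# Wire format: length-prefixed 'string' and 'mpint' fields per RFC 4253;
# per-type layout per RFC 4253 (ssh-rsa), RFC 5656 (ecdsa-sha2-*) and
# RFC 8709 (ssh-ed25519).
import base64
import struct


def _string(b):
    """Encode bytes as an SSH 'string': 4-byte big-endian length, then data."""
    return struct.pack(">I", len(b)) + b


def _mpint(i):
    """Encode a non-negative integer as an SSH 'mpint' (leading 0x00 if the high bit is set)."""
    return i.to_bytes((i.bit_length() + 8) // 8, "big")


def _read_string(buf, off):
    """Read one SSH 'string' at offset off; refuse lengths that run past the buffer."""
    if off + 4 > len(buf):
        raise ValueError("truncated blob")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated blob")
    return buf[off:off + n], off + n


def build_pubkey_line(keytype, *fields, comment=""):
    """Assemble a public-key line from raw field bytes (used for the constructed test keys)."""
    blob = _string(keytype.encode()) + b"".join(_string(f) for f in fields)
    return f"{keytype} {base64.b64encode(blob).decode()} {comment}".rstrip()


def parse_pubkey_line(line):
    """Return type, key size in bits, blob size in bytes and comment for one line."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public-key line")
    keytype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    inner, off = _read_string(blob, 0)
    if inner.decode("ascii", "replace") != keytype:
        raise ValueError("type prefix does not match blob")
    if keytype == "ssh-rsa":
        e, off = _read_string(blob, off)
        n, off = _read_string(blob, off)
        bits = int.from_bytes(n, "big").bit_length()
    elif keytype == "ssh-ed25519":
        pk, off = _read_string(blob, off)
        if len(pk) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")
        bits = 256
    elif keytype.startswith("ecdsa-sha2-nistp"):
        curve, off = _read_string(blob, off)
        point, off = _read_string(blob, off)
        if keytype != "ecdsa-sha2-" + curve.decode("ascii", "replace"):
            raise ValueError("curve name does not match key type")
        if not point or point[0] != 0x04 or len(point) % 2 == 0:
            raise ValueError("expected an uncompressed SEC1 point")
        bits = (len(point) - 1) // 2 * 8  # coordinate size in bits (528 for P-521)
    else:
        raise ValueError(f"unsupported key type {keytype}")
    if off != len(blob):
        raise ValueError("trailing bytes after key")
    return {"type": keytype, "bits": bits, "blob_bytes": len(blob), "comment": comment}


# Constructed sample keys (NOT real keys): an Ed25519 blob of 0x11 bytes, an
# RSA modulus shaped like a 4096-bit key, and a fake P-256 point.
SAMPLE_ED25519 = build_pubkey_line("ssh-ed25519", bytes([0x11]) * 32, comment="root@router")
SAMPLE_RSA4096 = build_pubkey_line("ssh-rsa", _mpint(65537), _mpint((1 << 4095) | 1), comment="root@router")
SAMPLE_P256 = build_pubkey_line("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + bytes([0x22]) * 64)

if __name__ == "__main__":
    for line in (SAMPLE_ED25519, SAMPLE_P256, SAMPLE_RSA4096):
        info = parse_pubkey_line(line)
        print(f"{info['type']:<20} {info['bits']:>5} bits  {info['blob_bytes']:>4} blob bytes  "
              f"{len(line):>4} chars on disk")
```

Run as a script it prints the three rows side by side: the Ed25519 blob is 51 bytes, the P-256 blob 104 bytes and the RSA-4096 blob 535 bytes before base64 expands each by a third, which is the NVRAM difference the thread is arguing about. The bounds checks in `_read_string` and the trailing-bytes check are the part a practitioner should keep: a length field is attacker-controlled data in anything that parses keys pushed through a web interface.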
mwchang
DD-WRT Guru
Posted: Wed Nov 16, 2022 10:25
ho1Aetoo wrote:
> But it works at the moment; the GUI also supports ED25519.
>
> It is 100-1000x faster than RSA 4096.
>
> A complete key generation and conversion to the OpenSSH format takes 20ms on my R7800,
> so keep your fingers crossed and hope it will be accepted.

You could use faster PCs running a Linux VM to generate long OpenSSH RSA keys, then copy them into DD-WRT. Anyway, no harm in having more choices. :)

Lately people were talking about using certificates to do password-less SSH logins.

openssh certificate authentication - Google Search
https://www.google.com/search?q=openssh+certificate+authentication

In the future, maybe Dropbear should just be replaced by OpenSSH.

ho1Aetoo
DD-WRT Guru
Posted: Wed Nov 16, 2022 10:57
My PCs only run Linux, so there is no need to use any VM.

But that doesn't change the fact that users like you don't use Linux.
Besides, for a short while now you can create keys in the WebIF of the router.
But this takes up to 10 minutes with long RSA keys on slow routers.

With ED25519, this can be done in no time even on slow hardware.
mwchang
DD-WRT Guru
Posted: Wed Nov 16, 2022 11:33
ho1Aetoo wrote:
> My PCs only run Linux, so there is no need to use any VM.
> But that doesn't change the fact that users like you don't use Linux.

I do run a Fedora VM, so I generate my long RSA keys there. :)

Quote:
> Besides, for a short while now you can create keys in the WebIF of the router.
> But this takes up to 10 minutes with long RSA keys on slow routers.
> With ED25519, this can be done in no time even on slow hardware.

Agreed that there's no harm in having choices...

dale_gribble39
DD-WRT Guru
Posted: Wed Nov 16, 2022 17:21
Correct. This has always been a matter of which option is more secure and the maturity of the key algorithm. The key factor here is whether all targets with dropbear included meet firmware image size constraints, as we already know.

ho1Aetoo wrote:
> It's been in there for a while, but it's not decided yet whether it will stay.
>
> https://svn.dd-wrt.com/changeset/50789
> https://svn.dd-wrt.com/changeset/50790
>
> But it works at the moment; the GUI also supports ED25519.
>
> It is 100-1000x faster than RSA 4096.
>
> A complete key generation and conversion to the OpenSSH format takes 20ms on my R7800,
> so keep your fingers crossed and hope it will be accepted.

Alozaros
DD-WRT Guru
Joined: 16 Nov 2015
Posts: 6410
Location: UK, London, just across the river..
Posted: Wed Nov 16, 2022 17:40
mwchang wrote:
> In the future, maybe Dropbear should just be replaced by OpenSSH.

As far as my understanding goes, Dropbear is smaller than OpenSSH and an excellent alternative for running on routers... you can install OpenSSH via Entware... (sadly the Entware guys don't update their packages that often any more).

You can generate keys in many different ways, using Linux, PuTTYgen or whatever...
but generating those on the router side is a cool feature to have too...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Page 2 of 3. All times are GMT.
