Follow up of #1961.
Let's consider the following situation.
A system like OpenWISP can manage a heterogeneous network of OpenWrt routers running both newer and older versions of dropbear.
SSH connections via paramiko to newer versions of dropbear will work.
SSH connections via paramiko to older versions of dropbear will not work.
We can apply the fix
disabled_algorithms=dict(pubkeys=["rsa-sha2-512", "rsa-sha2-256"]),
but wouldn't that mean that on new versions of dropbear we'd be using the old sha1?
I think a good solution could be to change this code as follows:
paramiko/paramiko/transport.py
Lines 1338 to 1343 in f2b4be8
And allow us to pass a list of preferred_rsa_keys which is backward compatible with old systems.
Sometimes old routers cannot be upgraded because they're EOL, but customers may want to keep using them in their internal network, which they consider secure for internal usage by their employees. It wouldn't be great to force them to throw those away just because of this; sooner or later these routers will die anyway, but it's better to have an easier way to maintain backward compatibility and support them.
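One way to get the backward compatibility the issue asks for without downgrading newer routers, as an added example that is neither from the issue nor from paramiko itself: connect with paramiko's defaults (rsa-sha2 first) and only on an authentication failure retry with the rsa-sha2 pubkey algorithms disabled, so ssh-rsa/SHA-1 is used only for the routers that need it, and report which family was used so those routers can be inventoried. `connect_with_rsa_fallback`, `paramiko_connect` and the `fake_*` servers are assumed names; the real connect path assumes paramiko is installed and that an old dropbear's rejection surfaces as `AuthenticationException`.

```python
try:
    from paramiko.ssh_exception import AuthenticationException
except ImportError:  # assumption: stand-in so the policy can be exercised without paramiko
    class AuthenticationException(Exception):
        pass

# Signature algorithms newer dropbear accepts; EOL dropbear only knows ssh-rsa (SHA-1).
RSA_SHA2_ALGS = ("rsa-sha2-512", "rsa-sha2-256")


def paramiko_connect(host, username, pkey, disabled_algorithms=None):
    """Real transport: a single paramiko SSHClient.connect() with the given restrictions."""
    import paramiko  # imported lazily so the policy below is testable without it

    client = paramiko.SSHClient()
    client.load_system_host_keys()
    client.set_missing_host_key_policy(paramiko.RejectPolicy())  # no silent trust of new hosts
    client.connect(host, username=username, pkey=pkey, look_for_keys=False, allow_agent=False,
                   disabled_algorithms=disabled_algorithms)
    return client


def connect_with_rsa_fallback(host, username, pkey, connect=paramiko_connect):
    """Use paramiko's default (rsa-sha2-*) first; only when the server rejects it, retry with
    rsa-sha2 disabled so paramiko signs with ssh-rsa. Returns (client, family) so the caller
    can record which routers still depend on SHA-1 and plan their replacement."""
    try:
        return connect(host, username, pkey, disabled_algorithms=None), "rsa-sha2"
    except AuthenticationException:
        pass  # assumption: the old-dropbear rejection surfaces as AuthenticationException
    fallback = {"pubkeys": list(RSA_SHA2_ALGS)}
    return connect(host, username, pkey, disabled_algorithms=fallback), "ssh-rsa"


# Constructed stand-ins for the two router generations, used for offline demonstration.
def fake_new_dropbear(host, username, pkey, disabled_algorithms=None):
    return "connected:" + host  # accepts rsa-sha2 and ssh-rsa alike


def fake_old_dropbear(host, username, pkey, disabled_algorithms=None):
    disabled = (disabled_algorithms or {}).get("pubkeys", [])
    if not all(alg in disabled for alg in RSA_SHA2_ALGS):
        raise AuthenticationException("old dropbear: rsa-sha2 signature rejected")
    return "connected:" + host


if __name__ == "__main__":
    for name, server in [("new-router", fake_new_dropbear), ("old-router", fake_old_dropbear)]:
        _, family = connect_with_rsa_fallback(name, "root", None, connect=server)
        print(name, "authenticated with", family)
```

A second failure after the fallback (wrong key rather than an old server) still raises, so a genuine credential problem is not masked by the retry.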