4 files changed, 78 insertions, 33 deletions
diff --git a/meta/recipes-core/dropbear/dropbear/0001-Fix-proxycmd-without-netcat.patch b/meta/recipes-core/dropbear/dropbear/0001-Fix-proxycmd-without-netcat.patch
new file mode 100644
index 0000000000..967b66322f
--- /dev/null
+++ b/meta/recipes-core/dropbear/dropbear/0001-Fix-proxycmd-without-netcat.patch
@@ -0,0 +1,74 @@
+From 5cc0127000db5f7567b54d0495fb91a8e452fe09 Mon Sep 17 00:00:00 2001
+From: Konstantin Demin <rockdrilla@gmail.com>
+Date: Fri, 9 May 2025 22:39:35 +0300
+Subject: [PATCH] Fix proxycmd without netcat
+fixes e5a0ef27c2 "Execute multihop commands directly, no shell"
+Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
+Upstream-Status: Backport [https://github.com/mkj/dropbear/commit/5cc0127000db5f7567b54d0495fb91a8e452fe09]
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/cli-main.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+diff --git a/src/cli-main.c b/src/cli-main.c
+index 2fafa88..0a052a3 100644
+--- a/src/cli-main.c
+++ b/src/cli-main.c
+@@ -77,7 +77,11 @@ int main(int argc, char ** argv) {
+        }
+ 
+ #if DROPBEAR_CLI_PROXYCMD
+-       if (cli_opts.proxycmd || cli_opts.proxyexec) {
+       if (cli_opts.proxycmd
+#if DROPBEAR_CLI_MULTIHOP
+               || cli_opts.proxyexec
+#endif
+       ) {
+                cli_proxy_cmd(&sock_in, &sock_out, &proxy_cmd_pid);
+                if (signal(SIGINT, kill_proxy_sighandler) == SIG_ERR ||
+                        signal(SIGTERM, kill_proxy_sighandler) == SIG_ERR ||
+@@ -110,11 +114,13 @@ static void shell_proxy_cmd(const void *user_data_cmd) {
+        dropbear_exit("Failed to run '%s'\n", cmd);
+ }
+ 
+#if DROPBEAR_CLI_MULTIHOP
+ static void exec_proxy_cmd(const void *unused) {
+        (void)unused;
+        run_command(cli_opts.proxyexec[0], cli_opts.proxyexec, ses.maxfd);
+        dropbear_exit("Failed to run '%s'\n", cli_opts.proxyexec[0]);
+ }
+#endif
+ 
+ static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) {
+        char * cmd_arg = NULL;
+@@ -145,9 +151,11 @@ static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) {
+                cmd_arg = m_malloc(shell_cmdlen);
+                snprintf(cmd_arg, shell_cmdlen, "exec %s", cli_opts.proxycmd);
+                exec_fn = shell_proxy_cmd;
+#if DROPBEAR_CLI_MULTIHOP
+        } else {
+                /* No shell */
+                exec_fn = exec_proxy_cmd;
+#endif
+        }
+ 
+        ret = spawn_command(exec_fn, cmd_arg, sock_out, sock_in, NULL, pid_out);
+@@ -159,6 +167,7 @@ static void cli_proxy_cmd(int *sock_in, int *sock_out, pid_t *pid_out) {
+ cleanup:
+        m_free(cli_opts.proxycmd);
+        m_free(cmd_arg);
+#if DROPBEAR_CLI_MULTIHOP
+        if (cli_opts.proxyexec) {
+                char **a = NULL;
+                for (a = cli_opts.proxyexec; *a; a++) {
+@@ -166,6 +175,7 @@ cleanup:
+                }
+                m_free(cli_opts.proxyexec);
+        }
+#endif
+ }
+ 
+ static void kill_proxy_sighandler(int UNUSED(signo)) {
diff --git a/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch b/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch
index 9c1dd3f606..0687e5dab1 100644
--- a/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch
+++ b/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch
@@ -12,7 +12,7 @@ diff --git a/src/default_options.h b/src/default_options.h
 index 6e970bb..ccc8b47 100644
 --- a/src/default_options.h
 +++ b/src/default_options.h
-@@ -311,7 +311,7 @@ group1 in Dropbear server too */
+@@ -317,7 +317,7 @@ group1 in Dropbear server too */
 
 /* The command to invoke for xauth when using X11 forwarding.
  * "-q" for quiet */
diff --git a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch b/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch
deleted file mode 100644
index a20781d31d..0000000000
--- a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch
+++ /dev/null
@@ -1,28 +0,0 @@
-From c8a0c8e87b772576f3a431c3b4cacaf5aa001dcc Mon Sep 17 00:00:00 2001
-From: Joseph Reynolds <joseph.reynolds1@ibm.com>
-Date: Thu, 20 Jun 2019 16:29:15 -0500
-Subject: [PATCH] dropbear: new feature: disable-weak-ciphers
-This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers
-in the dropbear ssh server and client since they're considered weak ciphers
-and we want to support the stong algorithms.
-Upstream-Status: Inappropriate [configuration]
-Signed-off-by: Joseph Reynolds <joseph.reynolds1@ibm.com>
---
- src/default_options.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/src/default_options.h b/src/default_options.h
-index 12768d1..2b07497 100644
--- a/src/default_options.h
-+++ b/src/default_options.h
-@@ -197,7 +197,7 @@ IMPORTANT: Some options will require "make clean" after changes */
-  * Small systems should generally include either curve25519 or ecdh for performance.
-  * curve25519 is less widely supported but is faster
-  */
-#define DROPBEAR_DH_GROUP14_SHA1 1
-+#define DROPBEAR_DH_GROUP14_SHA1 0
- #define DROPBEAR_DH_GROUP14_SHA256 1
- #define DROPBEAR_DH_GROUP16 0
- #define DROPBEAR_CURVE25519 1
diff --git a/meta/recipes-core/dropbear/dropbear_2024.86.bb b/meta/recipes-core/dropbear/dropbear_2025.88.bb
index 38faaebc2a..f203763b17 100644
--- a/meta/recipes-core/dropbear/dropbear_2024.86.bb
+++ b/meta/recipes-core/dropbear/dropbear_2025.88.bb
@@ -19,11 +19,11 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
           file://dropbear@.service \
           file://dropbear.socket \
           file://dropbear.default \
+           file://0001-Fix-proxycmd-without-netcat.patch \
           ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
-           ${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} \
           "
-SRC_URI[sha256sum] = "e78936dffc395f2e0db099321d6be659190966b99712b55c530dd0a1822e0a5e"
+SRC_URI[sha256sum] = "783f50ea27b17c16da89578fafdb6decfa44bb8f6590e5698a4e4d3672dc53d4"
 MIRRORS += "http://matt.ucc.asn.au/dropbear/releases/ https://dropbear.nl/mirror/releases/"
 PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \
@@ -48,10 +48,9 @@ SBINCOMMANDS = "dropbear dropbearkey dropbearconvert"
 BINCOMMANDS = "dbclient ssh scp"
 EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"'
-PACKAGECONFIG ?= "disable-weak-ciphers ${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}"
+PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}"
 PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam,${PAM_PLUGINS}"
 PACKAGECONFIG[system-libtom] = "--disable-bundled-libtom,--enable-bundled-libtom,libtommath libtomcrypt"
-PACKAGECONFIG[disable-weak-ciphers] = ""
 PACKAGECONFIG[enable-x11-forwarding] = ""
 # This option appends to CFLAGS and LDFLAGS from OE

diff --git a/meta/recipes-core/dropbear/dropbear/0001-Fix-proxycmd-without-netcat.patch b/meta/recipes-core/dropbear/dropbear/0001-Fix-proxycmd-without-netcat.patch new file mode 100644 index 0000000000..967b66322f --- /dev/null +++ b/meta/recipes-core/dropbear/dropbear/0001-Fix-proxycmd-without-netcat.patch
@@ -0,0 +1,74 @@
		1	From 5cc0127000db5f7567b54d0495fb91a8e452fe09 Mon Sep 17 00:00:00 2001
		2	From: Konstantin Demin <rockdrilla@gmail.com>
		3	Date: Fri, 9 May 2025 22:39:35 +0300
		4	Subject: [PATCH] Fix proxycmd without netcat
		5
		6	fixes e5a0ef27c2 "Execute multihop commands directly, no shell"
		7
		8	Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
		9
		10	Upstream-Status: Backport [https://github.com/mkj/dropbear/commit/5cc0127000db5f7567b54d0495fb91a8e452fe09]
		11	Signed-off-by: Peter Marko <peter.marko@siemens.com>
		12	---
		13	src/cli-main.c \| 12 +++++++++++-
		14	1 file changed, 11 insertions(+), 1 deletion(-)
		15
		16	diff --git a/src/cli-main.c b/src/cli-main.c
		17	index 2fafa88..0a052a3 100644
		18	--- a/src/cli-main.c
		19	+++ b/src/cli-main.c
		20	@@ -77,7 +77,11 @@ int main(int argc, char ** argv) {
		21	}
		22
		23	#if DROPBEAR_CLI_PROXYCMD
		24	- if (cli_opts.proxycmd \|\| cli_opts.proxyexec) {
		25	+ if (cli_opts.proxycmd
		26	+#if DROPBEAR_CLI_MULTIHOP
		27	+ \|\| cli_opts.proxyexec
		28	+#endif
		29	+ ) {
		30	cli_proxy_cmd(&sock_in, &sock_out, &proxy_cmd_pid);
		31	if (signal(SIGINT, kill_proxy_sighandler) == SIG_ERR \|\|
		32	signal(SIGTERM, kill_proxy_sighandler) == SIG_ERR \|\|
		33	@@ -110,11 +114,13 @@ static void shell_proxy_cmd(const void *user_data_cmd) {
		34	dropbear_exit("Failed to run '%s'\n", cmd);
		35	}
		36
		37	+#if DROPBEAR_CLI_MULTIHOP
		38	static void exec_proxy_cmd(const void *unused) {
		39	(void)unused;
		40	run_command(cli_opts.proxyexec[0], cli_opts.proxyexec, ses.maxfd);
		41	dropbear_exit("Failed to run '%s'\n", cli_opts.proxyexec[0]);
		42	}
		43	+#endif
		44
		45	static void cli_proxy_cmd(int sock_in, int sock_out, pid_t *pid_out) {
		46	char * cmd_arg = NULL;
		47	@@ -145,9 +151,11 @@ static void cli_proxy_cmd(int sock_in, int sock_out, pid_t *pid_out) {
		48	cmd_arg = m_malloc(shell_cmdlen);
		49	snprintf(cmd_arg, shell_cmdlen, "exec %s", cli_opts.proxycmd);
		50	exec_fn = shell_proxy_cmd;
		51	+#if DROPBEAR_CLI_MULTIHOP
		52	} else {
		53	/* No shell */
		54	exec_fn = exec_proxy_cmd;
		55	+#endif
		56	}
		57
		58	ret = spawn_command(exec_fn, cmd_arg, sock_out, sock_in, NULL, pid_out);
		59	@@ -159,6 +167,7 @@ static void cli_proxy_cmd(int sock_in, int sock_out, pid_t *pid_out) {
		60	cleanup:
		61	m_free(cli_opts.proxycmd);
		62	m_free(cmd_arg);
		63	+#if DROPBEAR_CLI_MULTIHOP
		64	if (cli_opts.proxyexec) {
		65	char **a = NULL;
		66	for (a = cli_opts.proxyexec; *a; a++) {
		67	@@ -166,6 +175,7 @@ cleanup:
		68	}
		69	m_free(cli_opts.proxyexec);
		70	}
		71	+#endif
		72	}
		73
		74	static void kill_proxy_sighandler(int UNUSED(signo)) {


diff --git a/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch b/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch index 9c1dd3f606..0687e5dab1 100644 --- a/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch +++ b/meta/recipes-core/dropbear/dropbear/0001-urandom-xauth-changes-to-options.h.patch
@@ -12,7 +12,7 @@ diff --git a/src/default_options.h b/src/default_options.h
12	index 6e970bb..ccc8b47 100644	12	index 6e970bb..ccc8b47 100644
13	--- a/src/default_options.h	13	--- a/src/default_options.h
14	+++ b/src/default_options.h	14	+++ b/src/default_options.h
15	@@ -311,7 +311,7 @@ group1 in Dropbear server too */	15	@@ -317,7 +317,7 @@ group1 in Dropbear server too */
16		16
17	/* The command to invoke for xauth when using X11 forwarding.	17	/* The command to invoke for xauth when using X11 forwarding.
18	* "-q" for quiet */	18	* "-q" for quiet */


diff --git a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch b/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch deleted file mode 100644 index a20781d31d..0000000000 --- a/meta/recipes-core/dropbear/dropbear/dropbear-disable-weak-ciphers.patch +++ /dev/null
@@ -1,28 +0,0 @@
1	From c8a0c8e87b772576f3a431c3b4cacaf5aa001dcc Mon Sep 17 00:00:00 2001
2	From: Joseph Reynolds <joseph.reynolds1@ibm.com>
3	Date: Thu, 20 Jun 2019 16:29:15 -0500
4	Subject: [PATCH] dropbear: new feature: disable-weak-ciphers
5
6	This feature disables all CBC, SHA1, and diffie-hellman group1 ciphers
7	in the dropbear ssh server and client since they're considered weak ciphers
8	and we want to support the stong algorithms.
9
10	Upstream-Status: Inappropriate [configuration]
11	Signed-off-by: Joseph Reynolds <joseph.reynolds1@ibm.com>
12	---
13	src/default_options.h \| 2 +-
14	1 file changed, 1 insertion(+), 1 deletion(-)
15
16	diff --git a/src/default_options.h b/src/default_options.h
17	index 12768d1..2b07497 100644
18	--- a/src/default_options.h
19	+++ b/src/default_options.h
20	@@ -197,7 +197,7 @@ IMPORTANT: Some options will require "make clean" after changes */
21	* Small systems should generally include either curve25519 or ecdh for performance.
22	* curve25519 is less widely supported but is faster
23	*/
24	-#define DROPBEAR_DH_GROUP14_SHA1 1
25	+#define DROPBEAR_DH_GROUP14_SHA1 0
26	#define DROPBEAR_DH_GROUP14_SHA256 1
27	#define DROPBEAR_DH_GROUP16 0
28	#define DROPBEAR_CURVE25519 1


diff --git a/meta/recipes-core/dropbear/dropbear_2024.86.bb b/meta/recipes-core/dropbear/dropbear_2025.88.bb index 38faaebc2a..f203763b17 100644 --- a/meta/recipes-core/dropbear/dropbear_2024.86.bb +++ b/meta/recipes-core/dropbear/dropbear_2025.88.bb
@@ -19,11 +19,11 @@ SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
19	file://dropbear@.service \	19	file://dropbear@.service \
20	file://dropbear.socket \	20	file://dropbear.socket \
21	file://dropbear.default \	21	file://dropbear.default \
		22	file://0001-Fix-proxycmd-without-netcat.patch \
22	${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \	23	${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
23	${@bb.utils.contains('PACKAGECONFIG', 'disable-weak-ciphers', 'file://dropbear-disable-weak-ciphers.patch', '', d)} \
24	"	24	"
25		25
26	SRC_URI[sha256sum] = "e78936dffc395f2e0db099321d6be659190966b99712b55c530dd0a1822e0a5e"	26	SRC_URI[sha256sum] = "783f50ea27b17c16da89578fafdb6decfa44bb8f6590e5698a4e4d3672dc53d4"
27	MIRRORS += "http://matt.ucc.asn.au/dropbear/releases/ https://dropbear.nl/mirror/releases/"	27	MIRRORS += "http://matt.ucc.asn.au/dropbear/releases/ https://dropbear.nl/mirror/releases/"
28		28
29	PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \	29	PAM_SRC_URI = "file://0005-dropbear-enable-pam.patch \
@@ -48,10 +48,9 @@ SBINCOMMANDS = "dropbear dropbearkey dropbearconvert"
48	BINCOMMANDS = "dbclient ssh scp"	48	BINCOMMANDS = "dbclient ssh scp"
49	EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"'	49	EXTRA_OEMAKE = 'MULTI=1 SCPPROGRESS=1 PROGRAMS="${SBINCOMMANDS} ${BINCOMMANDS}"'
50		50
51	PACKAGECONFIG ?= "disable-weak-ciphers ${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}"	51	PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}"
52	PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam,${PAM_PLUGINS}"	52	PACKAGECONFIG[pam] = "--enable-pam,--disable-pam,libpam,${PAM_PLUGINS}"
53	PACKAGECONFIG[system-libtom] = "--disable-bundled-libtom,--enable-bundled-libtom,libtommath libtomcrypt"	53	PACKAGECONFIG[system-libtom] = "--disable-bundled-libtom,--enable-bundled-libtom,libtommath libtomcrypt"
54	PACKAGECONFIG[disable-weak-ciphers] = ""
55	PACKAGECONFIG[enable-x11-forwarding] = ""	54	PACKAGECONFIG[enable-x11-forwarding] = ""
56		55
57	# This option appends to CFLAGS and LDFLAGS from OE	56	# This option appends to CFLAGS and LDFLAGS from OE