From 614c1b3e6fcec0a66a42e1900330f67de4c7ff65 Mon Sep 17 00:00:00 2001 From: r00t Date: Mon, 16 Oct 2017 03:25:47 -0400 Subject: [PATCH] update to remain compatible with https://lists.archlinux.org/pipermail/arch-releng/2017-October/003796.html --- bdisk/bsync.py | 4 ++-- bdisk/build.py | 9 +++++++-- docs/manual/user/advanced/SSH.adoc | 4 ++-- 3 files changed, 11 insertions(+), 6 deletions(-) diff --git a/bdisk/bsync.py b/bdisk/bsync.py index 1f6573b..42e62a5 100755 --- a/bdisk/bsync.py +++ b/bdisk/bsync.py @@ -32,7 +32,7 @@ def http(conf): datetime.datetime.now(), httpdir)) for a in arch: - for i in ('md5', 'sfs', 'sha256'): + for i in ('md5', 'sfs', 'sha256', 'sha512'): httpfiles['{0}/{1}/airootfs.{2}'.format(bdisk['name'], a, i)] = '{0}/{1}/airootfs.{2}'.format(bdisk['name'], a, i) httpfiles['VERSION_INFO.txt'] = 'VERSION_INFO.txt' if 'x86_64' in arch: @@ -81,7 +81,7 @@ def tftp(conf): datetime.datetime.now(), tftpdir)) for a in arch: - for i in ('md5', 'sfs', 'sha256'): + for i in ('md5', 'sfs', 'sha256', 'sha512'): tftpfiles['{0}/{1}/airootfs.{2}'.format(bdisk['name'], a, i)] = '{0}/{1}/airootfs.{2}'.format(bdisk['name'], a, i) tftpfiles['VERSION_INFO.txt'] = 'VERSION_INFO.txt' if 'x86_64' in arch: diff --git a/bdisk/build.py b/bdisk/build.py index 72c8b93..17d50e5 100755 --- a/bdisk/build.py +++ b/bdisk/build.py @@ -21,6 +21,7 @@ def genImg(conf): basedir = build['basedir'] prepdir = build['prepdir'] hashes = {} + hashes['sha512'] = {} hashes['sha256'] = {} hashes['md5'] = {} squashfses = [] 
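Review bot: The tuple `('md5', 'sfs', 'sha256', 'sha512')` is now spelled out twice, in http() here and in tftp() in the next hunk, and both copies must stay in step with the digest files genImg writes in bdisk/build.py. A single module-level constant, for example `AIROOTFS_EXTS = ('md5', 'sfs', 'sha256', 'sha512')` used as `for i in AIROOTFS_EXTS:`, would keep a newly added digest from being built but never synced. The checksum files are copied into the same directory as airootfs.sfs, so a comment such as `# checksums ship beside the image: they catch corruption, not tampering` would make the limit of what they protect explicit. Both functions start and end outside their hunks.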
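Review bot: In genImg each digest is wired by hand: the `hashes['sha512'] = {}` setup added here, then the constructor, the update() call and the file write in the following hunk. Adding SHA-512 therefore took four parallel edits, and missing one of them would leave a checksum file empty or absent. Building the dict from one list of names, e.g. `hashes = {alg: {} for alg in ('sha512', 'sha256', 'md5')}`, and then using `hashes[alg][a] = hashlib.new(alg)` inside a `for alg in hashes:` loop, would reduce that to one edit. genImg's body starts and ends outside the hunk.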
@@ -52,9 +53,10 @@ def genImg(conf): humanize.naturalsize( os.path.getsize(squashimg)))) # Generate the checksum files - print("{0}: [BUILD] Generating SHA256, MD5 checksums ({1})...".format( - datetime.datetime.now(), + print("{0}: [BUILD] Generating SHA512 SHA256, MD5 checksums ({1})...".format( + datetime.datetime.now(), squashimg)) + hashes['sha512'][a] = hashlib.sha512() hashes['sha256'][a] = hashlib.sha256() hashes['md5'][a] = hashlib.md5() with open(squashimg, 'rb') as f: @@ -63,8 +65,11 @@ def genImg(conf): if not stream: break # NOTE: these items are hashlib objects, NOT strings! + hashes['sha512'][a].update(stream) hashes['sha256'][a].update(stream) hashes['md5'][a].update(stream) + with open(airoot + 'airootfs.sha512', 'w+') as f: + f.write("{0} airootfs.sfs\n".format(hashes['sha512'][a].hexdigest())) with open(airoot + 'airootfs.sha256', 'w+') as f: f.write("{0} airootfs.sfs\n".format(hashes['sha256'][a].hexdigest())) with open(airoot + 'airootfs.md5', 'w+') as f: diff --git a/docs/manual/user/advanced/SSH.adoc b/docs/manual/user/advanced/SSH.adoc index a599be0..57b0e01 100644 --- a/docs/manual/user/advanced/SSH.adoc +++ b/docs/manual/user/advanced/SSH.adoc @@ -17,7 +17,7 @@ First, create a file: `/overlay/etc/ssh/sshd_config` using the followin Subsystem sftp /usr/lib/ssh/sftp-server KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr - MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com + MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com We'll also want to implement a more secure `ssh_config` file to avoid possible leaks. The following is `/overlay/etc/ssh/ssh_config`: 
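Review bot: `airootfs.md5` is still generated alongside the new `airootfs.sha512`, and MD5 gives no collision resistance, so it should not be relied on as a tamper check. If nothing downstream still reads the md5 file (the hunk does not show this), it could be dropped; otherwise a comment like `# md5 kept for legacy consumers only; verify with sha512` would document why it stays. The status string also lost a separator and should read `Generating SHA512, SHA256, MD5 checksums ({1})...`. The files are only written, so `'w'` is sufficient in place of `'w+'`. genImg continues outside the hunk.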
@@ -28,7 +28,7 @@ We'll also want to implement a more secure `ssh_config` file to avoid possible l PubkeyAuthentication yes HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr - MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160,umac-128@openssh.com + MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com We'll want to create our own moduli. This can take a long time, but only needs to be done once -- it doesn't need to be done for every build. The following commands should be run in `/overlay/etc/ssh/`: