@FlorianHeigl
Last active July 3, 2024 16:12
Alpine regreSSHion mitigation
# switch ssh daemon from OpenSSH to dropbear
# temporary workaround
service sshd stop
rc-update del sshd
setup-sshd # select dropbear
# replace dropbear's host keys with the existing ones from openssh
# (or keep dropbear's new keys and refresh clients' known_hosts with `ssh-keyscan`)
apk add dropbear-convert
dropbearconvert openssh dropbear /etc/ssh/ssh_host_ed25519_key /etc/dropbear/dropbear_ed25519_host_key
dropbearconvert openssh dropbear /etc/ssh/ssh_host_ecdsa_key /etc/dropbear/dropbear_ecdsa_host_key
dropbearconvert openssh dropbear /etc/ssh/ssh_host_rsa_key /etc/dropbear/dropbear_rsa_host_key
dropbearconvert openssh dropbear /etc/ssh/ssh_host_dsa_key /etc/dropbear/dropbear_dss_host_key
# restart dropbear
service dropbear restart
# switch back to openssh
# pull in updates
apk upgrade -a -U
# switch daemons, now manually
service dropbear stop
rc-update del dropbear
rc-update add sshd
service sshd start
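
Added example (not part of the gist): a check to run as root after the `dropbearconvert` step, confirming that each converted dropbear host key carries the same public key as its OpenSSH original, so clients see no host key change. The function names and the `--check` argument are assumptions of this example; it relies on `dropbearkey -y` printing the public key line.

```shell
#!/bin/sh
# Added example: verify the dropbearconvert output against the OpenSSH .pub files.

# Print "<type> <base64>" for the first public key line found on stdin.
# Works on an OpenSSH .pub file and on `dropbearkey -y` output; the
# trailing comment field (user@host) is dropped.
pubkey_blob() {
    awk '$1 ~ /^(ssh-|ecdsa-)/ && $2 ~ /^AAAA/ { print $1, $2; exit }'
}

# Return 0 only when both texts contain the same, non-empty public key.
same_hostkey() {
    a=$(printf '%s\n' "$1" | pubkey_blob)
    b=$(printf '%s\n' "$2" | pubkey_blob)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Walk the four key pairs the gist converts (OpenSSH "dsa" is dropbear "dss").
# Key types that do not exist on the host are skipped, not treated as errors.
check_converted_keys() {
    rc=0
    for pair in ed25519:ed25519 ecdsa:ecdsa rsa:rsa dsa:dss; do
        o=/etc/ssh/ssh_host_${pair%%:*}_key.pub
        d=/etc/dropbear/dropbear_${pair##*:}_host_key
        if [ ! -r "$o" ] || [ ! -r "$d" ]; then
            echo "skip  ${pair%%:*} (key file missing)"
            continue
        fi
        if same_hostkey "$(cat "$o")" "$(dropbearkey -y -f "$d" 2>/dev/null)"; then
            echo "ok    ${pair%%:*}"
        else
            echo "DIFF  ${pair%%:*} (clients will see a changed host key)"
            rc=1
        fi
    done
    return $rc
}

# Run the check only when asked: sh check.sh --check
case "${1:-}" in
    --check) check_converted_keys ;;
esac
```
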
@FlorianHeigl
Author

Alpine also has a recent OpenSSH, so the real mitigation settings (PerSourcePenalties) can be used there: https://www.heise.de/hintergrund/regreSSHion-Luecke-Neues-SSH-Feature-bietet-Schutz-Proof-of-Concept-ist-keiner-9788285.html
