Control: reassign -1 dropbear-bin 2022.83-1+deb12u1
Control: retitle -1: The 'no-agent-forwarding' key restriction disables server alive message support
Control: tag -1 upstream

On Wed, 24 Apr 2024 at 18:38:26 +0200, Guilhem Moulin wrote:
> On Wed, 24 Apr 2024 at 17:10:57 +0200, Guilhem Moulin wrote:
>>> It should be trivially reproducible by running `ssh -o ServerAliveCountMax=3
>>> -o ServerAliveInterval=1 root@yourdropbearserver`. The client should then
>>> disconnect after 3 seconds.
>> 
>> Seems to work as expected for me:
>> 
>>     $ ssh -oLogLevel=DEBUG3 \
>>         -oServerAliveCountMax=3 -oServerAliveInterval=1 \
>>         -oUserKnownHostsFile=/tmp/known_hosts \
>>         -i /tmp/test.key \
>>         -l user -p 10022 127.0.0.1 sleep 300
>>     […]
>
> No wait, this works in the main system but indeed at initramfs stage the
> client doesn't get responses to its alive probes.

The above was misleading, turns out this was not due to the initramfs
per se, but because its authorized_keys file had the following
restrictions (which were set in my test environment per cryptsetup-initramfs'
recommendations):

    no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock"

Lee, I assume you have the ‘no-port-forwarding’ restriction too?  It
appears to disable server alive message support for some reason.  This
is reproducible at initramfs stage as well as in the main system.

-- 
Guilhem.
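The message above ties the lost keepalive replies to the option list in front of the key in authorized_keys. The following is an added example, not code from this bug report or from dropbear or OpenSSH: a small parser for the authorized_keys option prefix (including quoted `command="..."` values, which may contain commas and escaped quotes) that reports which keys carry the restrictions named in this report, so an administrator can see at a glance which initramfs keys are affected. The set of flagged option names is taken from the report's title and body; the key file is a constructed sample with fake key material.

```python
"""Report authorized_keys entries that carry the key restrictions named in the bug report.

Added example; it is not the bug report's, dropbear's or OpenSSH's code. It assumes the
standard authorized_keys layout: an optional comma-separated option list, then key type,
base64 key and an optional comment. Quoted option values may contain commas and \" escapes.
"""

# Restriction options the report associates with missing server-alive replies
# (the title says no-agent-forwarding, the body says no-port-forwarding; both are flagged).
FLAGGED_OPTIONS = {"no-agent-forwarding", "no-port-forwarding"}

KEY_TYPES = (
    "ssh-rsa", "ssh-ed25519", "ssh-dss",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
)


def split_options(text):
    """Parse the leading option field of an authorized_keys line.

    Returns (options, rest): options is a list of (name, value) pairs (value is None
    for bare flags such as "restrict"), rest is the remainder of the line after the
    option field. Commas inside a quoted value do not end an option.
    """
    options = []
    i, n = 0, len(text)
    while i < n:
        j = i
        while j < n and text[j] not in ",= \t":   # option name runs to , = or whitespace
            j += 1
        name, value = text[i:j], None
        if j < n and text[j] == "=":
            j += 1
            if j < n and text[j] == '"':          # quoted value: honour \" escapes
                j += 1
                buf = []
                while j < n and text[j] != '"':
                    if text[j] == "\\" and j + 1 < n and text[j + 1] == '"':
                        buf.append('"')
                        j += 2
                    else:
                        buf.append(text[j])
                        j += 1
                j += 1                            # skip the closing quote
                value = "".join(buf)
            else:                                 # unquoted value runs to , or whitespace
                k = j
                while k < n and text[k] not in ", \t":
                    k += 1
                value, j = text[j:k], k
        options.append((name, value))
        if j < n and text[j] == ",":
            i = j + 1
            continue
        return options, text[j:].lstrip()         # whitespace ends the option field
    return options, ""


def parse_line(line):
    """Return None for blank/comment lines, else a dict describing the key entry."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    first = line.split(None, 1)[0]
    if first in KEY_TYPES:                        # no option prefix on this line
        options, rest = [], line
    else:
        options, rest = split_options(line)
    parts = rest.split(None, 2)
    if len(parts) < 2:
        raise ValueError("malformed authorized_keys line: %r" % line)
    return {"options": options, "key_type": parts[0], "key": parts[1],
            "comment": parts[2] if len(parts) > 2 else ""}


def flagged_keys(text):
    """List (comment-or-keytype, sorted flagged option names) for affected entries."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        names = {name for name, _ in entry["options"]}
        found = sorted(names & FLAGGED_OPTIONS)
        if found:
            hits.append((entry["comment"] or entry["key_type"], found))
    return hits


# Constructed sample file (fake key material), not a real authorized_keys.
SAMPLE = """# constructed sample, not a real key file
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/bin/cryptroot-unlock" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYFAKEKEYFAKEKEYFAKEKEYFAKEKEYFAKEKEY unlock@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYFAKEKEYFAKEKEYFAKEKEYFAKEKEYFAKEKEY2 admin@laptop
command="echo \\"hi, there\\"",restrict ssh-rsa AAAAB3NzaC1yc2EFAKE== quoted@test
"""

if __name__ == "__main__":
    for who, opts in flagged_keys(SAMPLE):
        print("%s: %s" % (who, ",".join(opts)))
```

Run it against a real file with `flagged_keys(open("/etc/dropbear/initramfs/authorized_keys").read())`; the path is only an assumption about where such a file might live. Only the option names are matched, so a key that carries `restrict` alone is not reported, since the report does not say anything about that option.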
