Hi Peter, This should be fixed in https://secure.ucc.asn.au/hg/dropbear/rev/0dc3103a5900 <https://secure.ucc.asn.au/hg/dropbear/rev/0dc3103a5900>
Dropbear was advertising both the existing ecdsa size as well as the default size (for -R), but then the client chose the default size which didn't match the key that had been loaded. Now it only advertises a single size - first preference existing size, otherwise the default if no key exists. Thanks for letting me know and debugging. Cheers, Matt > On Mon 5/3/2018, at 4:02 pm, Peter Krefting <pe...@softwolves.pp.se> wrote: > > Matt Johnston: > >> Yes it should. I can't immediately reproduce it here, what >> flags are you giving to Dropbear? Is >> /mnt/nv/dropbear_ecdsa_host_key specified with -r or as a >> default config path, and are there other keyfiles? > > The daemon is started with "dropbear -R", and the keyfiles are specified at > compile-time, using localoptions.h. The full file is included below. > >> ssh -vvv will print the full set of negotiated algorithms, >> you could send that to me (off-list if you want). > > I have included the output below > >> The relevant revision for that changelog note is >> https://secure.ucc.asn.au/hg/dropbear/rev/016b86f03e21 >> you could try reverting that to confirm. > > That does not seem to fix the issue, it aborts in the same location, so it > seems something else is going on here. > > > ===[ localoptions.h ]=== > /* Put host keys in non-volatile storage */ > #define DSS_PRIV_FILENAME "/mnt/nv/dropbear_dss_host_key" > #define RSA_PRIV_FILENAME "/mnt/nv/dropbear_rsa_host_key" > #define ECDSA_PRIV_FILENAME "/mnt/nv/dropbear_ecdsa_host_key" > > /* Disable inetd mode */ > #define INETD_MODE 0 > > /* Disable X11 forwarding as we do not have any X11. */ > #define DROPBEAR_X11FWD 0 > > /* Disable port forwarding and proxying and agent forwarding. */ > #define DROPBEAR_CLI_LOCALTCPFWD 0 > #define DROPBEAR_CLI_REMOTETCPFWD 0 > #define DROPBEAR_SVR_LOCALTCPFWD 0 > #define DROPBEAR_SVR_REMOTETCPFWD 0 > #define DROPBEAR_SVR_AGENTFWD 0 > #define DROPBEAR_CLI_AGENTFWD 0 > #define DROPBEAR_CLI_PROXYCMD 0 > #define DROPBEAR_CLI_NETCAT 0 > > /* Disable Twofish to save about 10 kilobytes. */ > #define DROPBEAR_TWOFISH256 0 > #define DROPBEAR_TWOFISH128 0 > > /* Disable /etc/motd support since nothing else on the target uses it. */ > #define DO_MOTD 0 > > /* Put client keys in non-volatile storage */ > #define DROPBEAR_DEFAULT_CLI_AUTHKEY "/mnt/nv/id_dropbear" > > /* Disable sftp support (as we do not have a binary for sftp installed). */ > #define DROPBEAR_SFTPSERVER 0 > > /* Patch it to use the same default PATH as the telnet daemon. This will > * fix scripts that assume certain tools are in the path. */ > #define DEFAULT_PATH > "/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin" > ===[ end localoptions.h ]=== > > ===[ output from ssh -vvvv ]=== > $ ssh -vvvv root@10.0.30.175 > OpenSSH_7.4p1 Debian-10+deb9u2, OpenSSL 1.0.2l 25 May 2017 > debug1: Reading configuration data /home/peter/.ssh/config > debug1: /home/peter/.ssh/config line 54: Applying options for 10.0.30.175 > debug1: Reading configuration data /etc/ssh/ssh_config > debug1: /etc/ssh/ssh_config line 19: Applying options for * > debug2: resolving "10.0.30.175" port 22 > debug2: ssh_connect_direct: needpriv 0 > debug1: Connecting to 10.0.30.175 [10.0.30.175] port 22. > debug1: Connection established. > debug1: identity file /home/peter/.ssh/id_rsa type 1 > debug1: key_load_public: No such file or directory > debug1: identity file /home/peter/.ssh/id_rsa-cert type -1 > debug1: key_load_public: No such file or directory > debug1: identity file /home/peter/.ssh/id_dsa type -1 > debug1: key_load_public: No such file or directory > debug1: identity file /home/peter/.ssh/id_dsa-cert type -1 > debug1: key_load_public: No such file or directory > debug1: identity file /home/peter/.ssh/id_ecdsa type -1 > debug1: key_load_public: No such file or directory > debug1: identity file /home/peter/.ssh/id_ecdsa-cert type -1 > debug1: key_load_public: No such file or directory > debug1: identity file /home/peter/.ssh/id_ed25519 type -1 > debug1: key_load_public: No such file or directory > debug1: identity file /home/peter/.ssh/id_ed25519-cert type -1 > debug1: Enabling compatibility mode for protocol 2.0 > debug1: Local version string SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u2 > debug1: Remote protocol version 2.0, remote software version dropbear_2018.76 > debug1: no match: dropbear_2018.76 > debug2: fd 3 setting O_NONBLOCK > debug1: Authenticating to 10.0.30.175:22 as 'root' > debug3: hostkeys_foreach: reading file "/home/peter/.ssh/known_hosts" > debug3: record_hostkey: found key type ECDSA in file > /home/peter/.ssh/known_hosts:126 > debug3: load_hostkeys: loaded 1 keys from 10.0.30.175 > debug3: order_hostkeyalgs: prefer hostkeyalgs: > ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521-cert-...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521 > debug3: send packet: type 20 > debug1: SSH2_MSG_KEXINIT sent > debug3: receive packet: type 20 > debug1: SSH2_MSG_KEXINIT received > debug2: local client KEXINIT proposal > debug2: KEX algorithms: > curve25519-sha256,curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c > debug2: host key algorithms: > ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521-cert-...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa > debug2: ciphers ctos: > chacha20-poly1...@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc > debug2: ciphers stoc: > chacha20-poly1...@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc > debug2: MACs ctos: > umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 > debug2: MACs stoc: > umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1 > debug2: compression ctos: none,z...@openssh.com,zlib > debug2: compression stoc: none,z...@openssh.com,zlib > debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 > debug2: reserved 0 debug2: peer server KEXINIT proposal > debug2: KEX algorithms: > curve25519-sha256,curve25519-sha...@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,kexgue...@matt.ucc.asn.au > debug2: host key algorithms: > ecdsa-sha2-nistp256,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss > debug2: ciphers ctos: > aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc,3des-ctr,3des-cbc > debug2: ciphers stoc: > aes128-ctr,aes256-ctr,aes128-cbc,aes256-cbc,3des-ctr,3des-cbc > debug2: MACs ctos: hmac-sha1-96,hmac-sha1,hmac-sha2-256 > debug2: MACs stoc: hmac-sha1-96,hmac-sha1,hmac-sha2-256 > debug2: compression ctos: z...@openssh.com,none > debug2: compression stoc: z...@openssh.com,none > debug2: languages ctos: debug2: languages stoc: debug2: first_kex_follows 0 > debug2: reserved 0 debug1: kex: algorithm: curve25519-sha256 > debug1: kex: host key algorithm: ecdsa-sha2-nistp256 > debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 > compression: none > debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 > compression: none > debug3: send packet: type 30 > debug1: expecting SSH2_MSG_KEX_ECDH_REPLY > Connection closed by 10.0.30.175 port 22 > ===[ end output from ssh -vvvv ]=== > > -- > \\// Peter - http://www.softwolves.pp.se/
