Re: Dropbear server exit when idle?

2018-03-08 Thread Fabrizio Bertocci
I don't think you should have this functionality in Dropbear. This is
specific to your use case.
You can still do it with a bash script. At boot the script can check the
/var/log/secure file to see if there is any activity on dropbear (poll the
file size every few seconds)... Reset the internal timer whenever the file
size changes between poll cycles, then kill dropbear after your 10 minutes
of inactivity.

Regards,
Fabrizio

On Thu, Mar 8, 2018 at 9:41 AM, Dave Haynes wrote:

> We have a small range of embedded linux devices used in security systems.
> We are undertaking a gradual process to harden the default security, and
> one of our first tasks has been to replace the legacy telnet server with
> dropbear for diagnostic access.
>
> We have compiled dropbear and have it running well, set up to only allow
> one session using a patch found on this list.
>
> We are now considering if it would be worthwhile/useful to modify dropbear
> to exit after a period with no active connections. So dropbear runs at
> boot, but exits after (say) 10 minutes with no login. The devices can be
> remotely rebooted via other means, so there are no access issues for
> authorised users.
>
> Does anyone see any reason this wouldn't be a useful approach? Anyone
> patched anything similar before we start hacking about, or any pointers
> where to start?
>
> (We could give the system a task to terminate dropbear, but it would seem
> neater to produce a self contained solution.)
>
> --
> Dave Haynes
> RF Design Consultant - Wireless Solutions Ltd.
>
>

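The watchdog Fabrizio sketches, written out as an added example (it is not code from the thread or from the dropbear project). It keeps his log-size heuristic and adds a second signal that Dave's "no active connections" wording actually asks for: a count of established TCP connections to the listening port, read from /proc/net/tcp. Assumptions, all parameters in the script: dropbear's syslog output lands in /var/log/secure (that depends on the device's syslog configuration), the listener PID is in /var/run/dropbear.pid, and the target is Linux with busybox-class tools. One caveat worth knowing before killing by PID: dropbear forks a child per connection, so signalling the listener stops new logins but leaves a session that is already running untouched.

```shell
#!/bin/sh
# Idle-exit watchdog for dropbear: an added example following Fabrizio's
# suggestion, not code from the thread or from the dropbear project.
# Assumptions, all overridable from the environment: dropbear logs auth
# events to LOG_FILE (/var/log/secure in the thread), its listener PID is
# in PID_FILE, it listens on PORT, and the target is Linux with /proc/net/tcp.
# Only busybox-class tools are used: wc, tr, awk, printf, kill, sleep, cat.

LOG_FILE="${LOG_FILE:-/var/log/secure}"
PID_FILE="${PID_FILE:-/var/run/dropbear.pid}"
PORT="${PORT:-22}"
IDLE_LIMIT="${IDLE_LIMIT:-600}"   # seconds with no login and no session (10 min)
POLL="${POLL:-5}"                 # poll interval in seconds

# Byte size of a file, 0 if it does not exist yet. wc -c is POSIX;
# stat's -c/-f flags differ between GNU and busybox.
file_size() {
    if [ -f "$1" ]; then wc -c < "$1" | tr -d ' '; else echo 0; fi
}

# Count ESTABLISHED (st == 01) TCP connections whose local port is $2,
# reading a /proc/net/tcp-format table from $1. Ports there are 4 hex digits
# after the colon; LISTEN (0A) and TIME_WAIT (06) rows are ignored.
established_count() {
    hexport=$(printf ':%04X' "$2")
    awk -v p="$hexport" 'NR > 1 && substr($2, length($2) - 4) == p && $4 == "01" { n++ }
                          END { print n + 0 }' "$1"
}

# One timer step. Any change in log size (growth or rotation) or any live
# session resets the idle clock; otherwise it advances by the poll interval.
next_idle() {  # prev_size cur_size sessions idle_so_far poll
    if [ "$1" -ne "$2" ] || [ "$3" -gt 0 ]; then echo 0; else echo $(( $4 + $5 )); fi
}

# Exit status 0 once idle time has reached the limit.
should_exit() {  # idle limit
    [ "$1" -ge "$2" ]
}

watch_loop() {
    prev=$(file_size "$LOG_FILE"); idle=0
    # Stop polling if dropbear is gone for any other reason.
    while [ -f "$PID_FILE" ] && kill -0 "$(cat "$PID_FILE")" 2>/dev/null; do
        sleep "$POLL"
        cur=$(file_size "$LOG_FILE")
        sessions=$(established_count /proc/net/tcp "$PORT")
        idle=$(next_idle "$prev" "$cur" "$sessions" "$idle" "$POLL")
        prev=$cur
        if should_exit "$idle" "$IDLE_LIMIT"; then
            # dropbear forks one child per connection, so signalling the
            # listener PID stops new logins without tearing down a session
            # that is already running; the session check above means there
            # is none by the time we get here.
            kill "$(cat "$PID_FILE")" && echo "dropbear idle for ${idle}s, listener stopped"
            return 0
        fi
    done
}

# Start the loop only when invoked as `dropbear-idle.sh run`, so the file can
# also be sourced for its functions.
if [ "${1:-}" = "run" ]; then watch_loop; fi
```

Run it from the same init script that starts dropbear (`dropbear-idle.sh run &`). On a dual-stack device, add the same count over /proc/net/tcp6; the port-matching logic is identical because the hex port is still the last four characters of the local address field.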

Dropbear server exit when idle?

2018-03-08 Thread Dave Haynes
We have a small range of embedded linux devices used in security
systems. We are undertaking a gradual process to harden the default
security, and one of our first tasks has been to replace the legacy telnet
server with dropbear for diagnostic access.

We have compiled dropbear and have it running well, set up to only allow
one session using a patch found on this list.

We are now considering if it would be worthwhile/useful to modify
dropbear to exit after a period with no active connections. So dropbear
runs at boot, but exits after (say) 10 minutes with no login. The
devices can be remotely rebooted via other means, so there are no access
issues for authorised users.

Does anyone see any reason this wouldn't be a useful approach? Anyone
patched anything similar before we start hacking about, or any pointers
where to start?

(We could give the system a task to terminate dropbear, but it would
seem neater to produce a self contained solution.)

--
Dave Haynes
RF Design Consultant - Wireless Solutions Ltd.



Re: Dropbear 2018.76

2018-03-08 Thread Matt Johnston
Hi Peter,

This should be fixed in https://secure.ucc.asn.au/hg/dropbear/rev/0dc3103a5900 


Dropbear was advertising both the existing ecdsa size as well as the default
size (for -R), but then the client chose the default size, which didn't match
the key that had been loaded. Now it only advertises a single size: first
preference the existing size, otherwise the default if no key exists.

Thanks for letting me know and debugging.

Cheers,
Matt


> On Mon 5/3/2018, at 4:02 pm, Peter Krefting wrote:
> 
> Matt Johnston:
> 
>> Yes it should. I can't immediately reproduce it here, what
>> flags are you giving to Dropbear? Is
>> /mnt/nv/dropbear_ecdsa_host_key specified with -r or as a
>> default config path, and are there other keyfiles?
> 
> The daemon is started with "dropbear -R", and the keyfiles are specified at 
> compile-time, using localoptions.h. The full file is included below.
> 
>> ssh -vvv will print the full set of negotiated algorithms,
>> you could send that to me (off-list if you want).
> 
> I have included the output below
> 
>> The relevant revision for that changelog note is
>> https://secure.ucc.asn.au/hg/dropbear/rev/016b86f03e21
>> you could try reverting that to confirm.
> 
> That does not seem to fix the issue, it aborts in the same location, so it 
> seems something else is going on here.
> 
> 
> ===[ localoptions.h ]===
> /* Put host keys in non-volatile storage */
> #define DSS_PRIV_FILENAME "/mnt/nv/dropbear_dss_host_key"
> #define RSA_PRIV_FILENAME "/mnt/nv/dropbear_rsa_host_key"
> #define ECDSA_PRIV_FILENAME "/mnt/nv/dropbear_ecdsa_host_key"
> 
> /* Disable inetd mode */
> #define INETD_MODE 0
> 
> /* Disable X11 forwarding as we do not have any X11. */
> #define DROPBEAR_X11FWD 0
> 
> /* Disable port forwarding and proxying and agent forwarding. */
> #define DROPBEAR_CLI_LOCALTCPFWD 0
> #define DROPBEAR_CLI_REMOTETCPFWD 0
> #define DROPBEAR_SVR_LOCALTCPFWD 0
> #define DROPBEAR_SVR_REMOTETCPFWD 0
> #define DROPBEAR_SVR_AGENTFWD 0
> #define DROPBEAR_CLI_AGENTFWD 0
> #define DROPBEAR_CLI_PROXYCMD 0
> #define DROPBEAR_CLI_NETCAT 0
> 
> /* Disable Twofish to save about 10 kilobytes. */
> #define DROPBEAR_TWOFISH256 0
> #define DROPBEAR_TWOFISH128 0
> 
> /* Disable /etc/motd support since nothing else on the target uses it. */
> #define DO_MOTD 0
> 
> /* Put client keys in non-volatile storage */
> #define DROPBEAR_DEFAULT_CLI_AUTHKEY "/mnt/nv/id_dropbear"
> 
> /* Disable sftp support (as we do not have a binary for sftp installed). */
> #define DROPBEAR_SFTPSERVER 0
> 
> /* Patch it to use the same default PATH as the telnet daemon. This will
> * fix scripts that assume certain tools are in the path. */
> #define DEFAULT_PATH "/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"
> ===[ end localoptions.h ]===
> 
> ===[ output from ssh - ]===
> $ ssh - root@10.0.30.175
> OpenSSH_7.4p1 Debian-10+deb9u2, OpenSSL 1.0.2l  25 May 2017
> debug1: Reading configuration data /home/peter/.ssh/config
> debug1: /home/peter/.ssh/config line 54: Applying options for 10.0.30.175
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: /etc/ssh/ssh_config line 19: Applying options for *
> debug2: resolving "10.0.30.175" port 22
> debug2: ssh_connect_direct: needpriv 0
> debug1: Connecting to 10.0.30.175 [10.0.30.175] port 22.
> debug1: Connection established.
> debug1: identity file /home/peter/.ssh/id_rsa type 1
> debug1: key_load_public: No such file or directory
> debug1: identity file /home/peter/.ssh/id_rsa-cert type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /home/peter/.ssh/id_dsa type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /home/peter/.ssh/id_dsa-cert type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /home/peter/.ssh/id_ecdsa type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /home/peter/.ssh/id_ecdsa-cert type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /home/peter/.ssh/id_ed25519 type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /home/peter/.ssh/id_ed25519-cert type -1
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u2
> debug1: Remote protocol version 2.0, remote software version dropbear_2018.76
> debug1: no match: dropbear_2018.76
> debug2: fd 3 setting O_NONBLOCK
> debug1: Authenticating to 10.0.30.175:22 as 'root'
> debug3: hostkeys_foreach: reading file "/home/peter/.ssh/known_hosts"
> debug3: record_hostkey: found key type ECDSA in file 
> /home/peter/.ssh/known_hosts:126
> debug3: load_hostkeys: loaded 1 keys from 10.0.30.175
> debug3: order_hostkeyalgs: prefer hostkeyalgs: 
>
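The negotiation failure Matt describes, worked through as an added example; this is not code from the thread or from dropbear, and it simulates only the host-key algorithm choice, not the rest of the key exchange. The algorithm names are the real SSH identifiers. The key sizes (a 384-bit key already on /mnt/nv, a 256-bit default for -R) and the client's preference list are constructed for the example, though 256 before 384 before 521 is OpenSSH's documented default order. The point it shows is the RFC 4253 rule that the client's list order decides, so once the server advertises a size it cannot sign with, the server's own ordering does not save it.

```shell
#!/bin/sh
# Host-key algorithm negotiation: an added example illustrating Matt's
# explanation of the 2018.76 ecdsa bug, not code from the thread or dropbear.
# Names are real SSH identifiers; the sizes and the client order are constructed.

# RFC 4253 section 7.1: the chosen algorithm is the first name on the
# client's name-list that also appears on the server's name-list. Both are
# comma-separated lists as sent in KEXINIT. Runs in a subshell so that the
# IFS change does not leak into the caller.
negotiate() (  # client_list server_list -> prints the chosen name, or fails
    IFS=','
    for c in $1; do
        for s in $2; do
            [ "$c" = "$s" ] && { echo "$c"; exit 0; }
        done
    done
    exit 1
)

# What dropbear 2018.76 did, per Matt: advertise both the size of the key
# already on disk and the compile-time default that -R would generate.
advertise_buggy() {  # loaded_alg default_alg
    if [ -n "$1" ] && [ "$1" != "$2" ]; then echo "$1,$2"; else echo "$2"; fi
}

# The fix: advertise exactly one size, the loaded key's if there is one,
# otherwise the default that -R will generate on first use.
advertise_fixed() {  # loaded_alg default_alg
    if [ -n "$1" ]; then echo "$1"; else echo "$2"; fi
}

# The server can only sign the key exchange with the key it actually holds,
# so the negotiated name must equal the loaded key's algorithm.
hostkey_usable() {  # chosen loaded
    [ "$1" = "$2" ]
}

# Constructed client preference (OpenSSH's default puts 256 before 384/521).
CLIENT_ORDER="ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa"
LOADED="ecdsa-sha2-nistp384"   # constructed: the key file on disk is 384-bit
DEFAULT="ecdsa-sha2-nistp256"  # constructed: the size -R would generate

demo() {
    buggy=$(negotiate "$CLIENT_ORDER" "$(advertise_buggy "$LOADED" "$DEFAULT")")
    fixed=$(negotiate "$CLIENT_ORDER" "$(advertise_fixed "$LOADED" "$DEFAULT")")
    echo "buggy server offers $(advertise_buggy "$LOADED" "$DEFAULT") -> client picks $buggy"
    hostkey_usable "$buggy" "$LOADED" || echo "  mismatch: server holds $LOADED, cannot sign as $buggy"
    echo "fixed server offers $(advertise_fixed "$LOADED" "$DEFAULT") -> client picks $fixed"
    hostkey_usable "$fixed" "$LOADED" && echo "  ok: matches the loaded key"
}

if [ "${1:-}" = "run" ]; then demo; fi
```

The same mismatch is visible from the client side without reading dropbear's source: compare the "host key algorithms" line in `ssh -vvv` output against the key type that `ssh-keyscan` returns for the device, and pin the expected type with `-o HostKeyAlgorithms=` while testing a fix.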