Re: Dropbear difficulties due to outdated version?

2022-06-24 Thread Konstantin Tokarev



> Sometime during the interval after I set that up, key-pair authentication
> has stopped working again. So I've had to re-enable username/password
> authentication. I'm now trying to determine why it happened that the
> key-pair authentication stopped working and am hoping I can somehow
> re-enable it.

You can debug most connection issues by using ssh -v. In this case the most
likely culprit is that your key pair was generated using outdated algorithms
which are disabled in modern OpenSSH (most likely "ssh-rsa", which was the default
for a long time). If this is actually the case, you can try to generate a new key
pair with modern algorithms supported by both OpenSSH and your version of Dropbear
(I guess it should be ecdsa, as ed25519 would require newer Dropbear).

-- Regards,
Konstantin


Re: How to get dbclient?

2019-03-14 Thread Konstantin Tokarev



14.03.2019, 17:09, "Gilles" :
> The INSTALL file in dropbear-2018.76 says
>
> - Compile:
>
>   make PROGRAMS="dropbear dbclient dropbearkey dropbearconvert scp"
>
> Should there be a dropbear.c file and a dbclient.c file? I do not see them.
>
> I am looking for the dbclient program.

The entry point of dbclient is in cli-main.c; other files starting with "cli-*" are
also specific to dbclient.

>
> Thanks to Matt for all his nice work.
>
> ~ Gilles

-- 
Regards,
Konstantin



Re: dbclient can't connect to cisco

2018-11-14 Thread Konstantin Tokarev



14.11.2018, 18:16, "Matt Johnston" :
> Hi Nik,
>
>>  dbclient sends "SSH-2.0-dropbear_2018.76\r\n" and kexinit
>>  cisco sends "SSH-2.0-Cisco-1.25\r\n"
>>  then cisco waits "ip ssh time-out" seconds and then closes the TCP socket.
>>
>>  my conjecture is that cisco empties its receive buffer after sending the 
>> identification string and then waits for the lost kexinit.
>>  To prove my idea I added a sleep() after the first write_packet(), and 
>> dbclient was able to connect to cisco (ios 12.4 and 15.1).
>
> Yes, it seems some Cisco SSH versions are buggy. Older IOS is possibly OK (I 
> did a bit of investigation about a year ago when someone reported similar).
>
> I'm not keen on changing dbclient, the current implementation saves a network 
> roundtrip. It's perfectly reasonable according to the spec. If you have Cisco 
> support could you report it to them?

Note that OpenSSH enables a couple of workarounds for Cisco-1.*

https://github.com/openssh/openssh-portable/blob/master/compat.c#L88

>
> Cheers,
> Matt
>
> rfc4253:
> 5.2. New Client, Old Server
>
>    Since the new client MAY immediately send additional data after its
>    identification string (before receiving the server's identification
>    string), ...

-- 
Regards,
Konstantin
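The workaround Konstantin points at works by matching the peer's software-version string (the part of the banner after "SSH-2.0-") against a pattern table and turning on per-peer behaviour such as "wait for the server's banner before sending KEXINIT". The following is an added example of that mechanism, not Dropbear's or OpenSSH's code: the flag name COMPAT_DELAY_KEXINIT, the pattern table, and the use of fnmatch(3) for matching are this example's own assumptions; the banner layout follows RFC 4253 section 4.2.

```c
#include <stdio.h>
#include <string.h>
#include <fnmatch.h>

/* Flag names are this example's own (hypothetical), not OpenSSH's or Dropbear's. */
enum {
    COMPAT_NONE          = 0,
    COMPAT_DELAY_KEXINIT = 1 << 0   /* wait for the peer's banner before sending KEXINIT */
};

/* Assumed pattern table: peers known to discard data sent before their own banner.
 * Patterns are shell globs matched with fnmatch(3). */
static const struct {
    const char *pattern;
    int flags;
} compat_table[] = {
    { "Cisco-1.*", COMPAT_DELAY_KEXINIT },
    { NULL, 0 }
};

/* Copy the softwareversion field out of an identification line such as
 * "SSH-2.0-Cisco-1.25\r\n" (RFC 4253 4.2: SSH-protoversion-softwareversion
 * [SP comments] CR LF).  Returns 0 on success, -1 if the line is not an
 * SSH-2.0 or SSH-1.99 banner or the field does not fit in out. */
int banner_software_version(const char *line, char *out, size_t outlen)
{
    const char *p;
    size_t n;

    if (strncmp(line, "SSH-2.0-", 8) == 0)
        p = line + 8;
    else if (strncmp(line, "SSH-1.99-", 9) == 0)
        p = line + 9;
    else
        return -1;

    /* The field ends at the optional comment separator or at the line end. */
    n = strcspn(p, " \r\n");
    if (n == 0 || n >= outlen)
        return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Look the peer up in the table.  Unknown or malformed banners get no flags,
 * so the client keeps the spec-conformant fast path (KEXINIT sent immediately). */
int compat_flags_for_banner(const char *line)
{
    char version[256];
    int flags = COMPAT_NONE;
    size_t i;

    if (banner_software_version(line, version, sizeof version) != 0)
        return COMPAT_NONE;
    for (i = 0; compat_table[i].pattern != NULL; i++)
        if (fnmatch(compat_table[i].pattern, version, 0) == 0)
            flags |= compat_table[i].flags;
    return flags;
}

int main(void)
{
    /* Constructed banners; the Cisco and dropbear strings are the ones quoted above. */
    const char *banners[] = {
        "SSH-2.0-Cisco-1.25\r\n",
        "SSH-2.0-dropbear_2018.76\r\n",
        "SSH-2.0-OpenSSH_7.6 some-comment\r\n",
        "not a banner\r\n"
    };
    size_t i;

    for (i = 0; i < sizeof banners / sizeof banners[0]; i++) {
        char version[256];
        int flags = compat_flags_for_banner(banners[i]);
        if (banner_software_version(banners[i], version, sizeof version) != 0)
            strcpy(version, "<invalid banner>");
        printf("%-24s -> %s\n", version,
               (flags & COMPAT_DELAY_KEXINIT) ? "delay KEXINIT until banner received"
                                              : "send KEXINIT immediately");
    }
    return 0;
}
```

Keeping the table as data rather than an if-chain is what makes the list reviewable: every exception to the RFC 4253 5.2 fast path is visible in one place, and a peer that is not listed gets no special treatment.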



Re: Dropbear 2018.76

2018-03-02 Thread Konstantin Tokarev


02.03.2018, 00:18, "Steffen Nurpmeso" :
> Hello Matt.
>
> Matt Johnston  wrote:
>  |> On Wed 28/2/2018, at 12:59 am, Steffen Nurpmeso  \
>  |> wrote:
>  |> And yes, i am still using such grumpy networks with VMs, so please
>  |> let me post the "git am" mailbox that adds support for proxy-over-
>  |> localhost.
>  ...
>  |Thanks for the patch, though I'm not sure it's worth adding this as \
>  |a special case - can't the same thing be
>  |achieved with dbclient -J "nc localhost port" ?
>
> Yes i think so, but this requires context switching or
> at least quite some I/O that is useless. Some boxes
> also do not have nc(1) by default. And all that just because of
> a little name switch (that is impossible without this patch).
>
>  |Adding proxycommand as a -o option might be worthwhile though, so it \
>  |can pass to scp.
>
> ok?? Ok, so how about "-o ProxyLocalhost=PORT"?

There is no such option in openssh

> Find that attached at your will.
> Ciao,
>
> --steffen
> |
> |Der Kragenbaer, The moon bear,
> |der holt sich munter he cheerfully and one by one
> |einen nach dem anderen runter wa.ks himself off
> |(By Robert Gernhardt)

-- 
Regards,
Konstantin



Re: Dropbear 2018.76

2018-02-27 Thread Konstantin Tokarev


27.02.2018, 17:54, "Matt Johnston" :
> Hi all,
>
> Dropbear 2018.76 is released. As well as the usual
> improvements and bugfixes this release simplifies
> local configuration options.
> You will probably need to adjust your build configuration.
>
> Rather than modifying options.h, local options are now
> placed in localoptions.h where they will override defaults.
> The header file default_options.h lists the available
> options similar to the old options.h - it should be left
> unmodified.
>
> There are a few other deprecations/changes to take note of.
>
> Cheers,
> Matt
>
> https://matt.ucc.asn.au/dropbear/dropbear.html
> https://dropbear.nl/mirror/dropbear.html
>
> 2018.76 - 27 February 2018
>
> = = = Configuration/compatibility changes
>   IMPORTANT
>   Custom configuration is now specified in local_options.h rather than 
> options.h
>   Available options and defaults can be seen in default_options.h
>
>   To migrate your configuration, compare your customised options.h against the
>   upstream options.h from your relevant version. Any customised options should
>   be put in localoptions.h
>
> - "configure --enable-static" should now be used instead of "make STATIC=1"
>   This will avoid 'hardened build' flags that conflict with static binaries
>
> - Set 'hardened build' flags by default if supported by the compiler.
>   These can be disabled with configure --disable-harden if needed.
>   -Wl,-pie
>   -Wl,-z,now -Wl,-z,relro
>   -fstack-protector-strong
>   -D_FORTIFY_SOURCE=2
>   # spectre v2 mitigation
>   -mfunction-return=thunk
>   -mindirect-branch=thunk
>
>   Spectre patch from Loganaden Velvindron
>
> - "dropbear -r" option for hostkeys no longer attempts to load the default
>   hostkey paths as well. If desired these can be specified manually.
>   Patch from CamVan Nguyen
>
> - group1-sha1 key exchange is disabled in the server by default since
>   the fixed 1024-bit group may be susceptible to attacks
>
> - twofish ciphers are now disabled in the default configuration
>
> - Default generated ECDSA key size is now 256 (rather than 521)
>   for better interoperability
>
> - Minimum RSA key length has been increased to 1024 bits
>
> = = = Other features and fixes
>
> - Add runtime -T max_auth_tries option from Kevin Darbyshire-Bryant
>
> - Add 'dbclient -J ' to allow dbclient to connect over an existing socket.
>   See dbclient manpage for a socat example. Patch from Harald Becker

Wouldn't it be better to support -o ProxyUseFdPass like in OpenSSH?

>
> - Add "-c forced_command" option. Patch from Jeremy Kerr
>
> - Restricted group -G option added with patch from stellarpower
>
> - Support server-chosen TCP forwarding ports, patch from houseofkodai
>
> - Allow choosing outgoing address for dbclient with -b 
> [bind_address][:bind_port]
>   Patch from houseofkodai
>
> - Makefile will now rebuild object files when header files are modified
>
> - Add group14-256 and group16 key exchange options
>
> - curve25519-sha256 also supported without @libssh.org suffix
>
> - Update bundled libtomcrypt to 1.18.1, libtommath to 1.0.1
>   This fixes building with some recent versions of clang
>
> - Set PAM_RHOST which is needed by modules such as pam_abl
>
> - Improvements to DSS and RSA public key validation, found by OSS-Fuzz.
>
> - Don't exit when an authorized_keys file has malformed entries. Found by 
> OSS-Fuzz
>
> - Fix null-pointer crash with malformed ECDSA or DSS keys. Found by OSS-Fuzz
>
> - Numerous code cleanups and small issues fixed by Francois Perrad
>
> - Test for pkt_sched.h rather than SO_PRIORITY which was problematic with 
> some musl
>   platforms. Reported by Oliver Schneider and Andrew Bainbridge
>
> - Fix some platform portability problems, from Ben Gardner
>
> - Add EXEEXT filename suffix for building dropbearmulti, from William Foster
>
> - Support --enable- properly for configure, from Stefan Hauser
>
> - configure have_openpty result can be cached, from Eric Bénard
>
> - handle platforms that return close() < -1 on failure, from Marco Wenzel
>
> - Build and configuration cleanups from Michael Witten
>
> - Fix libtomcrypt/libtommath linking order, from Andre McCurdy
>
> - Fix old Linux platforms that have SYS_clock_gettime but not CLOCK_MONOTONIC
>
> - Update curve25519-donna implementation to current version

-- 
Regards,
Konstantin



Re: Dropbear 2016.72

2016-03-11 Thread Konstantin Tokarev


10.03.2016, 15:59, "Matt Johnston" :
> Hi all,
>
> Dropbear SSH 2016.72 is released. This has a single change, a
> security fix. If X11 forwarding is enabled a user could
> bypass any "command=" restrictions in authorized_keys and run
> any command as their own user (or perform other operations
> allowed by the "xauth" binary such as writing files). It
> does not affect systems where command= restrictions are not
> used.
>
> As usual downloads are at https://matt.ucc.asn.au/dropbear/dropbear.html
>
> The patch is https://secure.ucc.asn.au/hg/dropbear/rev/a3e8389e01ff

Hi Matt,

Are you planning to make a release from master?

Thanks!

-- 
Regards,
Konstantin


Re: [PATCH 00/16] Improvements, mainly to user name handling and scp.

2015-12-23 Thread Konstantin Tokarev


08.12.2015, 01:48, "Michael Witten" :
> User names have hitherto been handled neither consistently nor well; this
> series alleviates at least some of the issues.
>
> Fear not the long patch series!
>
> Most commits involve a fairly small number of changes; while I could have
> consolidated these changes into fewer commits, I think the series as a whole
> provides a better narration for what's going.
>
> Besides a few small improvements along the way, the main thrust is:
>
>   * Removing user-name handling from `scp' (in favor of using the
> handling that is already present in `dropbear'/`dbclient').
>
>   * Lazily looking up the current user's name.
>
>   * Removing unused code.
>
> Overall, 7 files were changed, with 37 insertions(+) and 158 deletions(-):
>
>   cli-main.c | 2 +-
>   cli-runopts.c | 32 ++
>   common-session.c | 1 +
>   runopts.h | 2 +-
>   scp.c | 125 ++-
>   scpmisc.c | 31 +-
>   scpmisc.h | 2 -


As can be seen from the copyright header and git log, scp.c is a copy of the 
corresponding file from OpenSSH (currently 4.3p2) with a few local changes. It 
might be a better idea to synchronize with upstream than to diverge it more.

Just my 2 cents.

>
> This is the series:
>
>   [01] scp: Insert comma into stderr message
>   [02] scp: Have `fatal()' append a newline to the message
>   [03] scp: only pass `-v' when DEBUG_TRACE is set
>   [04] scp: `-l%s' -> `-l %s'
>   [05] scp: const/static correctness improvements
>   [06] scp: Introduce `get_user_name()'
>   [07] scp: Use "unknown" when the user name cannot be retrieved
>   [08] scp: style: simplify code by using a tertiary operator
>   [09] scp: Use `get_user_name()' more often
>   [10] scp: Simplify code now that the user name is never `NULL'
>   [11] scp: Remove parsing of `[user@]host'
>   [12] scp: Remove unused functions
>   [13] scp: Remove `replacearg()'
>   [14] runopts: Mark `*cli_runopts.own_user' as `const'
>   [15] runopts: There's no reason to make a duplicate of "unknown"
>   [16] runopts: Re-introduce the `get_user_name()' function from `scp' 
> development
>
> Lastly, for convenience in reviewing the changes, here is the overall patch:
>
> --- a/cli-main.c
> +++ b/cli-main.c
> @@ -135,7 +135,7 @@
>  static void cli_proxy_cmd(int *sock_in, int *sock_out) {
>  int ret;
>
> - fill_passwd(cli_opts.own_user);
> + fill_passwd(get_user_name());
>
>  ret = spawn_command(exec_proxy_cmd, cli_opts.proxycmd,
>  sock_out, sock_in, NULL, NULL);
> --- a/cli-runopts.c
> +++ b/cli-runopts.c
> @@ -36,7 +36,6 @@
>  static void printhelp();
>  static void parse_hostname(const char* orighostarg);
>  static void parse_multihop_hostname(const char* orighostarg, const char* 
> argv0);
> -static void fill_own_user();
>  #ifdef ENABLE_CLI_PUBKEY_AUTH
>  static void loadidentityfile(const char* filename, int warnfail);
>  #endif
> @@ -102,6 +101,17 @@
>
>  }
>
> +const char *get_user_name() {
> + static const char *user_name = NULL;
> +
> + if (user_name == NULL) {
> + struct passwd *pwd = getpwuid(getuid());
> + user_name = pwd ? m_strdup(pwd->pw_name) : "unknown";
> + }
> +
> + return user_name;
> +}
> +
>  void cli_getopts(int argc, char ** argv) {
>  unsigned int i, j;
>  char ** next = 0;
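Review bot: get_user_name() drops the `pw->pw_name != NULL` check that fill_own_user() performed, so a passwd entry with a NULL pw_name would be passed to m_strdup(); the line should read `user_name = (pwd && pwd->pw_name) ? m_strdup(pwd->pw_name) : "unknown";`. The cached pointer is also a heap copy in one branch and a string literal in the other, so callers must never free it; either document that in a comment above the function or cache the fallback with m_strdup("unknown") as well for uniform ownership.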
> @@ -175,8 +185,6 @@
>  opts.keepalive_secs = DEFAULT_KEEPALIVE;
>  opts.idle_timeout_secs = DEFAULT_IDLE_TIMEOUT;
>
> - fill_own_user();
> -
>  for (i = 1; i < (unsigned int)argc; i++) {
>  /* Handle non-flag arguments such as hostname or commands 
> for the remote host */
>  if (argv[i][0] != '-')
> @@ -640,7 +648,7 @@
>  }
>
>  if (cli_opts.username == NULL) {
> - cli_opts.username = m_strdup(cli_opts.own_user);
> + cli_opts.username = m_strdup(get_user_name());
>  }
>
>  port = strchr(cli_opts.remotehost, '^');
> @@ -695,22 +703,6 @@
>  }
>  #endif
>
> -static void fill_own_user() {
> - uid_t uid;
> - struct passwd *pw = NULL;
> -
> - uid = getuid();
> -
> - pw = getpwuid(uid);
> - if (pw && pw->pw_name != NULL) {
> - cli_opts.own_user = m_strdup(pw->pw_name);
> - } else {
> - dropbear_log(LOG_INFO, "Warning: failed to identify current user. Trying 
> anyway.");
> - cli_opts.own_user = m_strdup("unknown");
> - }
> -
> -}
> -
>  #ifdef ENABLE_CLI_ANYTCPFWD
>  /* Turn a "[listenaddr:]listenport:remoteaddr:remoteport" string into into a 
> forwarding
>   * set, and add it to the forwarding list */
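Review bot: deleting fill_own_user() also deletes the `dropbear_log(LOG_INFO, "Warning: failed to identify current user. Trying anyway.");` diagnostic, and the replacement get_user_name() falls back to "unknown" silently, which makes an NSS or /etc/passwd problem harder to spot from the client log. Suggest keeping that warning in the fallback branch of get_user_name().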
> --- a/common-session.c
> +++ b/common-session.c
> @@ -581,6 +581,7 @@
>  return ses.authstate.pw_shell;
>  }
>  }
> +
>  void fill_passwd(const char* username) {
>  struct passwd *pw = NULL;
>  if (ses.authstate.pw_name)
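Review bot: this hunk only inserts a blank line before fill_passwd(); a whitespace-only change in an otherwise untouched file belongs in a separate cleanup commit or should be dropped from the series.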
> --- a/runopts.h
> +++ b/runopts.h
> @@ -127,7 +127,6 @@
>  char *remotehost;
>  char *remoteport;
>
> - char *own_user;
>  char *username;
>
>   
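Review bot: the runopts.h hunk removes `char *own_user;` but adds no prototype for get_user_name(), which cli-main.c now calls; without a declaration such as `const char *get_user_name();` in runopts.h the call relies on an implicit declaration. The overall patch is also cut off here, so the scp.c and scpmisc.c changes listed in the diffstat are not visible for review.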

Re: Prepending 'exec' to proxy command automatically

2015-12-18 Thread Konstantin Tokarev


18.12.2015, 16:24, "Matt Johnston" <m...@ucc.asn.au>:
> On Wed, Dec 16, 2015 at 04:32:03PM +0300, Konstantin Tokarev wrote:
>>  08.12.2015, 21:00, "Konstantin Tokarev" <annu...@yandex.ru>:
>>  > If dbclient is given proxy command which does not start with exec, shell 
>> process is lingering alongside proxy command process. However, I've found 
>> that OpenSSH client (ProxyCommand option) prepends exec automatically.
>>  >
>>  > I think it would be convenient if dbclient added exec by default, but 
>> this will break if someone is already using explicit exec in -J argument. 
>> Note that OpenSSH client also breaks with exec.
>>  >
>>  > So options are:
>>  >
>>  > 1. Just prepend exec to all proxy commands and make too clever people fix 
>> their scripts.
>>  > 2. Check if proxy command starts with exec, if not, prepend it.
>>  > 3. Add separate -o ProxyCommand option prepending exec (it also should 
>> substitute %h, %p, and %r to be compatible with OpenSSH). Leave -J as is for 
>> compatibility but mark it as deprecated.
>>  >
>>  > What is the best way?
>
> Sorry, missed this mail originally. I think 1 is best, I've
> pushed that as
> https://secure.ucc.asn.au/hg/dropbear/rev/f7d565054e5f

Why not use asprintf? I see scpmisc.c already uses vasprintf.


> Interestingly bash and zsh seem to avoid the lingering shell
> themselves without "exec". dash works for testing.

I'm using busybox shell (and I guess it's the most popular shell choice among 
dropbear users ;)

-- 
Regards,
Konstantin


Re: Prepending 'exec' to proxy command automatically

2015-12-16 Thread Konstantin Tokarev


08.12.2015, 21:00, "Konstantin Tokarev" <annu...@yandex.ru>:
> If dbclient is given proxy command which does not start with exec, shell 
> process is lingering alongside proxy command process. However, I've found 
> that OpenSSH client (ProxyCommand option) prepends exec automatically.
>
> I think it would be convenient if dbclient added exec by default, but this 
> will break if someone is already using explicit exec in -J argument. Note 
> that OpenSSH client also breaks with exec.
>
> So options are:
>
> 1. Just prepend exec to all proxy commands and make too clever people fix 
> their scripts.
> 2. Check if proxy command starts with exec, if not, prepend it.
> 3. Add separate -o ProxyCommand option prepending exec (it also should 
> substitute %h, %p, and %r to be compatible with OpenSSH). Leave -J as is for 
> compatibility but mark it as deprecated.
>
> What is the best way?

Matt, what do you think?

-- 
Regards,
Konstantin


Prepending 'exec' to proxy command automatically

2015-12-08 Thread Konstantin Tokarev
If dbclient is given proxy command which does not start with exec, shell 
process is lingering alongside proxy command process. However, I've found that 
OpenSSH client (ProxyCommand option) prepends exec automatically.

I think it would be convenient if dbclient added exec by default, but this will 
break if someone is already using explicit exec in -J argument. Note that 
OpenSSH client also breaks with exec.

So options are:

1. Just prepend exec to all proxy commands and make too clever people fix their 
scripts.
2. Check if proxy command starts with exec, if not, prepend it.
3. Add separate -o ProxyCommand option prepending exec (it also should 
substitute %h, %p, and %r to be compatible with OpenSSH). Leave -J as is for 
compatibility but mark it as deprecated.

What is the best way?

-- 
Regards,
Konstantin
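The three "Prepending 'exec'" messages above weigh unconditional prepending, prepending only when the command does not already start with exec, and an OpenSSH-style -o ProxyCommand with %h/%p/%r substitution. The following added example (not Dropbear's code, and not the change Matt pushed) implements the second and third options together: a token expander that rejects unknown %-sequences, and a builder that prepends "exec " only when the word is not already present. Function names and the placeholder host names are this example's own; asprintf, which Konstantin suggests, is avoided here only to stay within ISO C.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Small strdup replacement so the example stays within ISO C. */
static char *copy_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *out = malloc(n);
    if (out != NULL)
        memcpy(out, s, n);
    return out;
}

/* True if the command already starts with the word "exec" (leading blanks allowed),
 * so "exec nc ..." is detected but "executor ..." is not. */
int starts_with_exec(const char *cmd)
{
    while (*cmd == ' ' || *cmd == '\t')
        cmd++;
    return strncmp(cmd, "exec", 4) == 0 &&
           (cmd[4] == '\0' || isspace((unsigned char)cmd[4]));
}

/* Expand OpenSSH-style tokens: %h host, %p port, %r remote user, %% a literal '%'.
 * Any other %x sequence (or a trailing '%') returns NULL instead of being passed
 * through, so a typo never reaches the shell.  Caller frees the result. */
char *expand_proxy_command(const char *tmpl, const char *host,
                           const char *port, const char *user)
{
    size_t cap = strlen(tmpl) + 1, len = 0;
    char *out = malloc(cap);
    const char *p;

    if (out == NULL)
        return NULL;
    for (p = tmpl; *p != '\0'; p++) {
        const char *rep;
        char literal[2] = { 0, 0 };
        size_t rl;

        if (*p == '%') {
            switch (*++p) {
            case 'h': rep = host; break;
            case 'p': rep = port; break;
            case 'r': rep = user; break;
            case '%': rep = "%";  break;
            default:  free(out); return NULL;   /* unknown token or trailing '%' */
            }
        } else {
            literal[0] = *p;
            rep = literal;
        }
        rl = strlen(rep);
        if (len + rl + 1 > cap) {
            char *grown;
            cap = (len + rl + 1) * 2;
            grown = realloc(out, cap);
            if (grown == NULL) { free(out); return NULL; }
            out = grown;
        }
        memcpy(out + len, rep, rl);
        len += rl;
    }
    out[len] = '\0';
    return out;
}

/* Build the string handed to "sh -c": prepend "exec " unless it is already there
 * (option 2 from the thread), so the shell replaces itself with the proxy process
 * instead of lingering beside it.  Caller frees the result. */
char *proxy_shell_command(const char *cmd)
{
    size_t n = strlen(cmd);
    char *out;

    if (starts_with_exec(cmd))
        return copy_string(cmd);
    out = malloc(5 + n + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, "exec ", 5);
    memcpy(out + 5, cmd, n + 1);
    return out;
}

int main(void)
{
    /* Constructed inputs; the host names are placeholders. */
    const char *tmpl = "nc -X connect -x proxy.example.internal:1080 %h %p";
    char *expanded = expand_proxy_command(tmpl, "target.example.internal", "22", "alice");
    char *shell_cmd = expanded ? proxy_shell_command(expanded) : NULL;

    printf("template : %s\n", tmpl);
    printf("expanded : %s\n", expanded ? expanded : "(error)");
    printf("sh -c    : %s\n", shell_cmd ? shell_cmd : "(error)");
    free(expanded);
    free(shell_cmd);
    return 0;
}
```

Checking for the word "exec" rather than the prefix "exec" is what keeps existing `-J "exec ..."` scripts working while still catching the lingering-shell case the thread describes.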


Feature request: disable X11 forwarding and SFTP via configure options

2015-12-04 Thread Konstantin Tokarev
I believe that most dropbear users run it on embedded systems, where these 
features are rarely needed, so it would be convenient not to have to patch these 
things out of options.h.

-- 
Regards,
Konstantin


Re: Syslog logging in client

2015-12-01 Thread Konstantin Tokarev


30.11.2015, 16:19, "Matt Johnston" <m...@ucc.asn.au>:
>>  On Mon 30/11/2015, at 8:38 pm, Konstantin Tokarev <annu...@yandex.ru> wrote:
>>
>>  Hi all,
>>
>>  I think it would be useful to have syslog logging in the client when it is 
>> running in the background (e.g., when the -f option is used, or, like in my case, 
>> it is started from the init system to create a tunnel).
>>
>>  Would such contribution be welcome?
>
> That sounds useful. Another related thing I've been meaning to add is "-P 
> pidfile" for dbclient -f, so the client can be killed. (I'm not suggesting 
> you work on that, just as a thought).

Implemented here:
https://github.com/mkj/dropbear/pull/18

However, I didn't add command line option. I thought it may be better to use 
-o, but it has 2 issues currently:

* -o patch was not approved yet
* There's no corresponding OpenSSH option, so it may require 
"vendor-prefixing", like DropbearUseSyslog or DbclientUseSyslog

-- 
Regards,
Konstantin


Re: Force dbclient to exit if remote forwarding request failed

2015-11-30 Thread Konstantin Tokarev


30.11.2015, 16:58, "Matt Johnston" <m...@ucc.asn.au>:
> On Mon, Nov 30, 2015 at 04:21:29PM +0300, Konstantin Tokarev wrote:
>>  >>  I'd like to see that as a feature - I was thinking about it a few days 
>> ago. I'd keep it under a command line flag for backwards compatibility. 
>> Failing to bind "-L" forward ports would also be handled similarly.
>>  >>
>>  > Could you propose command line option name? I guess the main problem is 
>> to avoid collision with OpenSSH client options.
>>  Maybe its time to add -o and use OpenSSH-compatible -o 
>> ExitOnForwardFailure=yes?
>
> That does seem like it might the best option. As long as
> people don't expect all the OpenSSH -o names to start
> getting implemented! :)

Implemented in https://github.com/mkj/dropbear/pull/16

1. I'm not sure if "extended options" is the right term, as well as if help 
texts are written properly.
2. Should -o handling itself be opt-in feature?
3. Should netcat-like forwarding be affected by ExitOnForwardFailure? If so, 
where should its failure be handled?

-- 
Regards,
Konstantin
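Both this thread (-o ExitOnForwardFailure=yes) and the syslog thread above (a vendor-prefixed name such as DropbearUseSyslog) come down to parsing OpenSSH-style "-o Name=value" arguments. The following is an added example of such a parser, not the code in the linked pull requests: option names are compared case-insensitively as OpenSSH does, yes/no/true/false are accepted, and unknown names or bad values are rejected instead of ignored so that a typo cannot silently leave ExitOnForwardFailure off. The struct layout, function names and the DropbearUseSyslog spelling are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Settings reachable through -o.  ExitOnForwardFailure is the OpenSSH name;
 * DropbearUseSyslog is the vendor-prefixed spelling floated in the syslog thread
 * and is hypothetical here. */
struct ext_opts {
    int exit_on_forward_failure;
    int use_syslog;
};

/* Boolean values as OpenSSH accepts them, case-insensitively; -1 if unrecognised. */
static int parse_yesno(const char *v)
{
    if (strcasecmp(v, "yes") == 0 || strcasecmp(v, "true") == 0)
        return 1;
    if (strcasecmp(v, "no") == 0 || strcasecmp(v, "false") == 0)
        return 0;
    return -1;
}

/* Parse one "Name=value" argument as given to -o.  Returns 0 on success and -1
 * for a malformed argument, an unknown name or a bad value. */
int parse_ext_option(struct ext_opts *o, const char *arg)
{
    const char *eq = strchr(arg, '=');
    char name[64];
    size_t nlen;
    int val;

    if (eq == NULL || eq == arg)
        return -1;
    nlen = (size_t)(eq - arg);
    if (nlen >= sizeof name)
        return -1;
    memcpy(name, arg, nlen);
    name[nlen] = '\0';

    val = parse_yesno(eq + 1);
    if (val < 0)
        return -1;

    if (strcasecmp(name, "ExitOnForwardFailure") == 0)
        o->exit_on_forward_failure = val;
    else if (strcasecmp(name, "DropbearUseSyslog") == 0)
        o->use_syslog = val;
    else
        return -1;          /* unknown option: fail loudly rather than ignore */
    return 0;
}

/* Walk argv for "-o Name=value" and "-oName=value"; other arguments are left to
 * the regular option parser.  Returns 0, or -1 at the first bad -o argument. */
int parse_ext_options_argv(int argc, const char *const argv[], struct ext_opts *o)
{
    int i;

    for (i = 1; i < argc; i++) {
        const char *value = NULL;

        if (strcmp(argv[i], "-o") == 0) {
            if (i + 1 >= argc)
                return -1;   /* dangling -o */
            value = argv[++i];
        } else if (strncmp(argv[i], "-o", 2) == 0) {
            value = argv[i] + 2;
        }
        if (value != NULL && parse_ext_option(o, value) != 0)
            return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed command line; "host" is a placeholder. */
    const char *argv[] = { "dbclient", "-o", "ExitOnForwardFailure=yes",
                           "-oDropbearUseSyslog=true", "-R", "3320:localhost:22", "host" };
    struct ext_opts o = { 0, 0 };
    int rc = parse_ext_options_argv(7, argv, &o);

    printf("parse result: %d\n", rc);
    printf("ExitOnForwardFailure=%s DropbearUseSyslog=%s\n",
           o.exit_on_forward_failure ? "yes" : "no", o.use_syslog ? "yes" : "no");
    return rc == 0 ? 0 : 1;
}
```

With this in place the forwarding code only has to consult `o.exit_on_forward_failure` after a "Remote TCP forward request failed" message and exit instead of carrying on without the tunnel.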


Syslog logging in client

2015-11-30 Thread Konstantin Tokarev
Hi all,

I think it would be useful to have syslog logging in the client when it is running 
in the background (e.g., when the -f option is used, or, like in my case, it is 
started from the init system to create a tunnel).

Would such contribution be welcome?

-- 
Regards,
Konstantin


Re: Dropbear 2015.70 scp upload errors

2015-11-30 Thread Konstantin Tokarev


30.11.2015, 15:36, "Matt Johnston" :
>> On Mon 30/11/2015, at 6:29 am, Anthony Sherwin 
>>  wrote:
>>
>> I have cross compiled dropbear to my embedded product from 2015.68 to 
>> 2015.70 and am getting the following error:
>>
>> dropbear[2528]: Exit (user): Bad buf_incrpos
> Hi Anthony,
>
> This should be fixed by the latest change 
> https://secure.ucc.asn.au/hg/dropbear/rev/af940cefdba1
> Looks like I'll have to sort out another release shortly.

BTW, could you look into https://github.com/mkj/dropbear/pull/15? It's trivial 
and it would be nice to see it in release.


-- 
Regards,
Konstantin


Re: Force dbclient to exit if remote forwarding request failed

2015-11-30 Thread Konstantin Tokarev


30.11.2015, 15:39, "Matt Johnston" <m...@ucc.asn.au>:
>>  On Mon 30/11/2015, at 7:24 pm, Konstantin Tokarev <annu...@yandex.ru> wrote:
>>  dbclient: Remote TCP forward request failed (port 3320 -> localhost:22)
>>
>>  ...
>>  1. Is there any way to force dbclient to exit in this case?
>>  2. If not, would it be reasonable feature to have in dbclient?
>
> Hi Konstantin,
>
> I can't think of a good way to force exit apart from grepping the command 
> output for the error message.
>
> I'd like to see that as a feature - I was thinking about it a few days ago. 
> I'd keep it under a command line flag for backwards compatibility. Failing to 
> bind "-L" forward ports would also be handled similarly.
>
> I'll put it on the todo list, or patches accepted.

Could you propose a command line option name? I guess the main problem is to 
avoid collision with OpenSSH client options.

-- 
Regards,
Konstantin