Dropbear 2024.85

2024-04-25 Thread Matt Johnston
Hi all, Dropbear 2024.85 is released. It fixes a couple of build regressions in 2024.84. There is no need to upgrade if 2024.84 built OK for your configuration. https://matt.ucc.asn.au/dropbear/releases/dropbear-2024.85.tar.bz2 Cheers, Matt 2024.85 - 25 April 2024 This release fixes build

Re: [PATCH] Fix compile when disabling SHA-1

2024-04-05 Thread Matt Johnston
Thanks, I've applied it. Matt On 2024-04-05 3:37 pm, Peter Krefting wrote: Fixes compile when disabling SHA-1 with #define DROPBEAR_SHA1_HMAC 0 #define DROPBEAR_RSA_SHA1 0 #define DROPBEAR_DH_GROUP14_SHA1 0 while keeping SHA-256 enabled. Should also fix the opposite, but that is not a

Dropbear 2024.84

2024-04-04 Thread Matt Johnston
Hi all, Dropbear 2024.84 is released. It has a few new features and various fixes, contributed by numerous people over the past year+. Download it from https://matt.ucc.asn.au/dropbear/releases/dropbear-2024.84.tar.bz2 or https://mirror.dropbear.nl/mirror/releases/dropbear-2024.84.tar.bz2 The

Re: Compiling Dropbear with Tru64 on DEC Alpha

2024-03-18 Thread Matt Johnston
Hi Mark, I haven't used tru64 for a while, but if you send a log I can have a look. Cheers, Matt On 2024-03-18 5:49 pm, Mark Butt wrote: > Hello, > > I have a DEC AlphaServer 4100 with Tru64 5.1B-6. This is a small side > project that I am working on. When searching for a compatible

Re: Only do connection if I already know the destination?

2022-11-21 Thread Matt Johnston
On 2022-11-21 11:05 pm, M Rubon wrote: I have an automated remote script that connects to a set of known servers. I never want to be prompted to add a new host key if the server is missing from .ssh/known_hosts. If the key is missing, the client should just immediately exit. Dropbear seems to

Re: Authenticating to dropbear using ecdsa-sha2-nistp256

2022-11-10 Thread Matt Johnston
On 2022-11-11 11:50 am, Rogan Dawes wrote: > I was under the impression that the ssh protocol included a handshake step > where supported algorithms were exchanged, and keys that do not match are > eliminated? For public key auth the client sends each public key it has to offer, the server

Re: Authenticating to dropbear using ecdsa-sha2-nistp256

2022-11-10 Thread Matt Johnston
On Tue, Nov 08, 2022 at 04:57:40PM +0200, Rogan Dawes wrote: > I have created an SSH private key in my M1 Mac's Secure Enclave, and am > using it to SSH to various targets. Those using OpenSSH work fine, and I am > prompted to unlock the SE. However, those using dropbear do not work, > giving me

Re: listening service without MMU?

2022-06-25 Thread Matt Johnston
On 2022-06-24 11:26 am, johnea wrote: I've run across a number of other references since that timeframe that indicate that dropbear can run on no-MMU platforms using uClibc. Searching hasn't really led to a conclusive answer. So, could you please confirm: Can dropbear run as a listening

Re: Dropbear difficulties due to outdated version?

2022-06-24 Thread Matt Johnston
On 2022-06-25 7:49 am, James Miller wrote: I set up a small low-resource VPS a few years ago to use mainly as a light-use xmpp server. I got Dropbear operating there so I could admin it. Dropbear seemed a good choice since system resources were so anemic. I recall it being quite challenging to

Re: Error forwarding unix domain socket

2022-06-24 Thread Matt Johnston
Sorry for the late reply. Dropbear doesn't currently support unix domain socket forwarding. Cheers, Matt On 2022-06-07 3:57 pm, Heiko Thiery wrote: Hi, Does anyone know if it is possible to do a ssh forwarding on unix domain sockets when using dropbear? When I try I get the following error:

Re: unexpected restriction on the number of concurrent SSH logins

2022-06-08 Thread Matt Johnston
Thanks for the report. This was a regression in the re-exec changes, I've pushed a fix to https://github.com/mkj/dropbear/commit/544f28a05165eb97e18cc03fc8990da842ec3a94 The childpipe file descriptor is used to notify the parent listener that auth has completed, but I'd missed that the inetd

Re: I can't access the dropbear mailing list archives

2022-06-08 Thread Matt Johnston
Hi Matt, The server had a missing mount, archives are working again now. (A few recent messages didn't make the archives, I'll forward/reply them in). Thanks for letting me know. Cheers, Matt On 2022-06-08 6:12 am, Matthias Lang wrote: Hi, According to

Dropbear 2022.82

2022-04-01 Thread Matt Johnston
t only have characters a-z A-Z 0-9 .,_-+@) Patch from Hans Harder, modified by Matt Johnston - Let dbclient multihop mode be used with '-J'. Patch from Hans Harder - Allow home-directory relative paths ~/path for various settings and command line options. *_PRIV_FILENAME DROPBEAR_PIDFILE SFTPSERVER_PAT

Re: Dropbear's usage of 'first_kex_packet_follows' may fail on broken SSH implementations

2022-01-19 Thread Matt Johnston
On Wed, Jan 19, 2022 at 04:23:29PM +0100, Thomas De Schampheleire wrote: > I recently encountered connection issues when using dropbear as client > (2020.81) > to certain SSH implementations. In both cases, the issue was related to the > host > key verification. It took me a while to find the

Re: Password authentication fails

2021-07-27 Thread Matt Johnston
Hi Dan, MacOS uses PAM for password auth. As well as --enable-pam for configure it needs #define DROPBEAR_SVR_PASSWORD_AUTH 0 #define DROPBEAR_SVR_PAM_AUTH 1 in localoptions.h at build time. Not sure that Homebrew sets the localoptions.h

Re: Dropbear 2019.77

2021-06-29 Thread Matt Johnston
On Tue 29/6/2021, at 9:47 pm, roy...@gmail.com wrote: > >> That itself wouldn't be a problem if we could just crypt all incoming >> password attempts before checking a username's existence - the problem is >> that the password crypt algorithm can vary per user, so the time will vary >> too. We

Re: Dropbear 2019.77

2021-06-29 Thread Matt Johnston
Hi Roy, On Tue 29/6/2021, at 7:18 pm, roy...@gmail.com wrote: > >> - Make failure delay more consistent to avoid revealing valid usernames, set >> server password >> limit of 100 characters. Problem reported by usd responsible disclosure team > > What is the technical reason of limiting

Re: restrict access

2021-05-20 Thread Matt Johnston
On Thu, May 20, 2021 at 02:29:20PM +, Walter Harms wrote: > Thx for the fast response, > for the background: little system, far-far-away land, but some script-kiddie > is filling the log ... > so no iptables or other fancy stuff. Seems i have to change that, somehow. > > @matt: > in case i

Re: restrict access

2021-05-20 Thread Matt Johnston
Hi Walter, Dropbear doesn't have IP restrictions built in. You could use iptables/nftables, or tcpwrappers etc if you're running Dropbear in inetd mode. Cheers, Matt On Thu, May 20, 2021 at 01:23:28PM +, Walter Harms wrote: > Hello List, > actually i expected this would be a FAQ but i can

Re: [PATCH] Introduce extra delay before closing unauthenticated sessions

2021-01-24 Thread Matt Johnston
On Wed 20/1/2021, at 8:15 pm, Thomas De Schampheleire wrote: > >> # HG changeset patch >> Introduce extra delay before closing unauthenticated sessions > > Any comments on this patch? > Hi Thomas, Sorry for the delay getting back to you. I've applied the patch, it seems like it could be

Re: Does Dropbear know what a ~/.ssh/config file is?

2021-01-06 Thread Matt Johnston
ake hostname, port and identity details like openssh? > > Cheers, > > Flex > > On Mon, 4 Jan 2021, 05:41 Matt Johnston wrote: > Sounds like your problem is with android not Dropbear :) > > On 4 January 2021 4:57:30 am AWST, Ruben Safir <

Re: Does Dropbear know what a ~/.ssh/config file is?

2021-01-03 Thread Matt Johnston
Sounds like your problem is with android not Dropbear :) On 4 January 2021 4:57:30 am AWST, Ruben Safir wrote: >dropbear is a waste of time and it doesn't even work. > >I don't know why it is Fing Hard for the table with android can't have >an openssh daemon running so we can transfer files on and

Re: Address binding question

2020-12-22 Thread Matt Johnston
Hi Emil, That syntax should work. In my shell here (zsh) I have to put "[127.0.0.1]:22" in quotes, could that be the problem? What commandline do you see if you look at "ps aux"? Cheers, Matt > On Tue 22/12/2020, at 9:13 am, Emil Christopher Solli Melar > wrote: > > Hello! I use Dropbear

Re: MIN_RSA_KEYLEN compare goes wrong

2020-10-29 Thread Matt Johnston
Hi Hans, Sorry I missed replying to this message a while ago. What program created the key? As far as I can tell the test is correct, the top bit might be unset? Cheers, Matt On Thu, Aug 27, 2020 at 07:36:26AM +0200, Hans Harder wrote: > HI, > > I noticed that I got warnings that the RSA key

Re: OpenWRT Dropbear v2020.80: Exit before auth: No matching algo kex

2020-10-23 Thread Matt Johnston
Forcing diffie-hellman-group1-sha1 shouldn't usually be necessary. The only case would be for servers prior to 2018.76 that compiled with all other default options disabled. Cheers, Matt > On Fri 23/10/2020, at 9:00 pm, Tang Jiye wrote: > > Hi Walter, > > What if I want to use ecdh and

Re: OpenWRT Dropbear v2020.80: Exit before auth: No matching algo kex

2020-10-23 Thread Matt Johnston
Hi Piotr, Dropbear 2020.79 had some changes to the code that parses algorithms, it now is more strict about its MAX_PROPOSED_ALGO = 20 limit. Not intentionally, but as a side-effect. sshj advertises 30 different ciphers. I've increased the limit to 50 in

Re: Cannot Connect to Dropbear Server of Openwrt in QEMU

2020-10-20 Thread Matt Johnston
Hi, Given in tcpdump there was no response at all (not even a rejection), my guess is there is a firewall on the OpenWrt host that drops all port 22 packets. Are firewall rules listed if you go "iptables -vnL" , or in a config file? Cheers, Matt > On Tue 20/10/2020, at 1:50 pm, 许大仙 wrote: >

Re: Dropbear Compilation on IRIX 6.5 broken again (2020.80)

2020-10-07 Thread Matt Johnston
Hi Kazuo, It's a gnu extension, equivalent to chansess->original_command = chansess->cmd ? chansess->cmd : m_strdup(""); I've pushed a fix now, I prefer a plain "if" statement. Cheers, Matt > On Thu 8/10/2020, at 8:59 am, Kazuo Kuroi wrote: > > Hi folks, > > MIPSPro 7.4.4m on IRIX doesn't

Re: "Bad public key options" (Was: Dropbear 2020.79)

2020-06-17 Thread Matt Johnston
> On Tue 16/6/2020, at 9:58 am, Guilhem Moulin wrote: >> - […] x11 forwarding are now disabled by default. > > I have no opinion about disabling this at compile-time, however the > current implementation locks out (“Bad public key options”) users with > ‘no-X11-forwarding’ in their

Re: Dropbear 2020.79

2020-06-17 Thread Matt Johnston
... > > thx > Hans > > On Mon, Jun 15, 2020 at 5:53 PM Matt Johnston wrote: > Hi all, > > Dropbear 2020.79 is now released. Particular thanks to Vladislav Grishenko > for adding ed25519 and chacha20-poly1305 support which have > been

Dropbear 2020.79

2020-06-15 Thread Matt Johnston
Hi all, Dropbear 2020.79 is now released. Particular thanks to Vladislav Grishenko for adding ed25519 and chacha20-poly1305 support which have been wanted for a while. This release also supports rsa-sha2 signatures which will be required by OpenSSH in the near future - rsa with sha1 will be

Re: scp command exemple

2020-05-12 Thread Matt Johnston
Hi Bruno, That syntax should work. What platform is it? Have you tried typing it manually in case there were strange unicode characters copy/pasted? Cheers, Matt > On Tue 12/5/2020, at 6:26 pm, bruno wrote: > > Hello, anyone has an exemple of scp dropbear use ? > > it seems that : > > scp

Re: dbclient v2019.78: proxyJump

2020-05-04 Thread Matt Johnston
Hi Adrian, With dropbear you should be able to list the hosts comma separated dbclient -i /mydir/id_rsa username1@server1,username2@server2 Does that work? It should do something equivalent to the first one though, unless I've missed something. Cheers, Matt > On Sun 3/5/2020, at 11:38 pm,

Re: bug: stdio pipe is root owned so reopening it fails

2020-05-01 Thread Matt Johnston
Hi Szabolcs, Ah, that's a bit nasty. I guess the difference is that OpenSSH runs the daemon as the user, while Dropbear runs as root. The procfs manpage mentions the problem. http://man7.org/linux/man-pages/man5/proc.5.html Note that for file descriptors referring to inodes

Re: [PATCH 0 of 1] Fix build

2020-03-27 Thread Matt Johnston
> On Thu 26/3/2020, at 6:45 pm, Alexander Dahl wrote: > > Gentle ping on this patch. Hi Alex, Sorry for the delay, it's merged now. Cheers, Matt

Re: SSH key exchange fails 30-70% of the time on Netgear X4S R7800

2020-03-24 Thread Matt Johnston
the SIMD registers aren't being >> preserved/restored properly somewhere, probably during a context switch, >> specifically s16–s31 (d8–d15, q4–q7), which AAPCS says must be preserved and >> which I see being used in the disassembly of fast_s_mp_sqr(). I'll write >>

Re: SSH key exchange fails 30-70% of the time on Netgear X4S R7800

2020-03-19 Thread Matt Johnston
Hi, The first thing I'd try would be to build with -O0 compilation flags to rule out compiler optimisations doing something strange. Cheers, Matt > On Thu 19/3/2020, at 3:42 pm, Horshack wrote: > > Update - I cloned and built the dbclient source so I could enable the debug > tracing

Re: Hiding dropbear output on boot up

2020-03-18 Thread Matt Johnston
Hi Tania, I think you could probably add "> /dev/null 2> /dev/null" after one of the ipconfig commands in /usr/share/initramfs-tools/scripts/functions, though I'm not too familiar with how they all fit together. (Or if it's dhclient for ipv6 printing the output, get rid of the "-v" for

Re: Timeout settings

2020-03-18 Thread Matt Johnston
Hi Daniel, -K is equivalent to the OpenSSH ClientAliveInterval. The server will send traffic to check that the connection is open. -I will disconnect if there is no traffic for a certain time interval. It won't try to send any traffic over the connection, it just passively looks at what

Re: [PATCH] Add Ed25519 keys support

2020-03-11 Thread Matt Johnston
Thank you Vladislav, I've merged this now via github, https://secure.ucc.asn.au/hg/dropbear/rev/d32bcb5c557d It's a nice clean and thorough implementation. Cheers, Matt > On Fri 6/3/2020, at 10:45 pm, Vladislav Grishenko > wrote: > > Hello, > > Initially inspired by Péter Szabó work

Re: android access

2020-03-08 Thread Matt Johnston
Hi Ruben, Not sure about that particular android program but Filezilla usually works as an alright sftp program. Cheers, Matt > On Sun 8/3/2020, at 2:42 am, Ruben Safir wrote: > > Hello > > Hello - I am sure this has been asked but I couldn't find an answer with > a web search.. > > can

Re: dropbear and new host keys?

2019-12-16 Thread Matt Johnston
> On Fri 13/12/2019, at 2:14 am, Joakim Tjernlund > wrote: > > On Thu, 2019-12-12 at 18:34 +0100, Hans Harder wrote: >> >>> The bigger issue here is why not reread keys at every new session? That >>> seems to like the right thing to do in any case? >> >> Performance... I don't _think_

Re: dropbear and new host keys?

2019-12-11 Thread Matt Johnston
Hi Joakim, The server needs to be stopped and restarted. If this is for new keys at first-boot you could look at the -R option. Cheers, Matt On Wed, Dec 11, 2019 at 03:38:36PM +, Joakim Tjernlund wrote: > Is there a way to tell a running dropbear server to reread host keys if the > keys

Re: Dropbear processes getting into uninterruptible I/O process "D" state

2019-10-15 Thread Matt Johnston
ng these pipes that are kept open to be there > forever in that state. Any other suggestions may help. > > > Thanks for your help again, > Binny > > From: Matt Johnston > Sent: Wednesday, October 9, 2019 6:56 PM > To: Jeshan, Binny

Re: Configuration Issues

2019-06-23 Thread Matt Johnston
Hi Kenny, I don't think I've seen that problem before. Does Dropbear log anything in /var/log/auth.log or similar? Or if logging isn't set up on the system, if you run dropbear -F -E it will log to the console. The clock shouldn't make any difference. Cheers, Matt > On Thu 20/6/2019, at

Re: Forward a UNIX Socket

2019-05-02 Thread Matt Johnston
Hi Sergey, Dropbear doesn't support it - it would be fine to add, it just didn't exist in OpenSSH when I implemented the other Dropbear forwarding. I might add it in future though no guarantees - patches gladly accepted! The SSH agent forwarding code is probably very similar already. Cheers,

Re: Dropbear 2018.76 when behaving as client sending sha1 as mac

2019-04-11 Thread Matt Johnston
problem with sha1 as a hmac? Cheers, Matt > On Thu 11/4/2019, at 12:11 pm, Chahar, Rohini > wrote: > > Hi Matt, > > Please find my responses below. > > Regards, > Rohini > > From: Matt Johnston > Sent: 10 April 2019 18:3

Re: Dropbear 2018.76 when behaving as client sending sha1 as mac

2019-04-10 Thread Matt Johnston
Hi Rohini, I'm not entirely clear about the problem - is the connection failing or is it just selecting hmac-sha2-sha1 which you don't want? The algorithm chosen will be the first one in the client's list that is also in the server's list. When you do the "copy to the server" is it dropbear as

Dropbear 2019.78

2019-03-27 Thread Matt Johnston
Hi all, Dropbear 2019.78 is released. There was a regression in dbclient 2019.77, terminal modes would not be reset when the client exited. The server has no changes. Cheers, Matt 2019.78 - 27 March 2019 - Fix dbclient regression in 2019.77. After exiting the terminal would be left in a bad

Re: Dropbear 2019.77

2019-03-24 Thread Matt Johnston
Beware that dbclient in 2019.77 has a regression, it won't reset TTY modes on exit. That's fixed in https://secure.ucc.asn.au/hg/dropbear/rev/4b01f4826a29 Cheers, Matt On Sat, Mar 23, 2019 at 10:02:49PM +0800, Matt Johnston wrote: > Hi all, > > At long last Dropbear 2019.77 is relea

Dropbear 2019.77

2019-03-23 Thread Matt Johnston
Hi all, At long last Dropbear 2019.77 is released. Most changes are bug fixes, with a few small features. There are security fixes to avoid revealing the existence of valid usernames. This release also merges the fuzzing branch. In a normal build this should have no effect on operation. There

Re: Dropbear 2018.76

2019-03-20 Thread Matt Johnston
specified patch > <https://secure.ucc.asn.au/hg/dropbear/rev/0dc3103a5900>? > 3. Use the current repo tip? > > Thanks! > Russ > > On Fri, Mar 9, 2018 at 3:19 AM Peter Krefting > wrote: > > > Matt Johnston: > > > > > This should be fixe

Re: How to get dbclient?

2019-03-14 Thread Matt Johnston
Hi Gilles, The main() for each of those is in svr-main.c and cli-main.c respectively. https://secure.ucc.asn.au/hg/dropbear/file/tip/cli-main.c#l45 The Makefile is a bit convoluted so that it can also build them all into a single binary.

Re: MAX_USERNAME_LEN set too low

2019-03-01 Thread Matt Johnston
Hi Mike, The limit's arbitrary so 32 would be fine. Maybe even something like 100. I'll increase it for the next release. Cheers, Matt > On Fri 1/3/2019, at 8:28 am, W. Michael Petullo wrote: > > Dropbear's auth.h defines MAX_USERNAME_LEN as 25 and provides the > commentary "arbitrary for the

Re: dbclient can't connect to cisco

2018-11-16 Thread Matt Johnston
> On Fri 16/11/2018, at 2:26 am, Nik Soggia wrote: > > So in the end if I delay the kexinit until there is some data on the wire I > will pull the rabbit out of the cylinder. The problem is that waiting for the remote banner is still adding a round trip of delay. That's fine for a local

Re: dbclient can't connect to cisco

2018-11-14 Thread Matt Johnston
On Wed, Nov 14, 2018 at 06:20:59PM +0300, Konstantin Tokarev wrote: > Note that OpenSSH enables a couple of workarounds for Cisco-1.* > > https://github.com/openssh/openssh-portable/blob/master/compat.c#L88 The tricky thing is that dbclient can't do anything to work around it here. We haven't

Re: dbclient can't connect to cisco

2018-11-14 Thread Matt Johnston
Hi Nik, > > dbclient sends "SSH-2.0-dropbear_2018.76\r\n" and kexinit > cisco sends "SSH-2.0-Cisco-1.25\r\n" > then cisco waits "ip ssh time-out" seconds and then closes the TCP socket. > > my conjecture is that cisco empties its receive buffer after sending the > identification string and

Re: Strange behaviour surrounding "ssh -T ..." and non-zero exit

2018-11-14 Thread Matt Johnston
Hi Mike, > On Sat 10/11/2018, at 12:52 am, W. Michael Petullo wrote: > > > Here is a more practical example which demonstrates the problem: > > $ echo false | dbclient -T r...@host.example.com > $ echo $? > 0 I think this should now _really_ be fixed with

Re: Strange behaviour surrounding "ssh -T ..." and non-zero exit

2018-11-09 Thread Matt Johnston
Hi Michael, On 2018-11-09 3:48 pm, W. Michael Petullo wrote: >> I am using Dropbear v2017.75 as found on OpenWrt. >> >> echo input | ssh -T h; echo $? >> >> Despite the error occurring, the above command line prints `0' rather >> than `1.' Since this triggers the error, I would expect the

Re: Login attempt for nonexistent user

2018-10-31 Thread Matt Johnston
Hi Laurent, My best guess is that it was built on lubuntu which uses glibc, but the Udoo board doesn't have the required /lib/somewhere/libnss*.so libraries - those get chosen at runtime based on /etc/nsswitch.conf. Building using a uclibc cross compiler would avoid that - how did you build

Re: The website is down

2018-08-25 Thread Matt Johnston
Working again now, LACP stopped working between some switches. https://dropbear.nl/mirror/ is the geographically separate mirror. Cheers, Matt On 25 August 2018 6:02:04 pm AWST, Roy Tam wrote: >Dear Cody, > >github code mirror is still accessible: https://github.com/mkj/dropbear > >2018-08-25

Re: User enumeration in Dropbear 2018.76 and earlier

2018-08-20 Thread Matt Johnston
On Mon 20/8/2018, at 5:50 pm, Matthijs R. Koot wrote: > > The user enumeration issue in OpenSSH [0] also exists in Dropbear 2018.76 > and earlier; at least going back to w/v2013.58 (didn't test with earlier > versions yet). It is specifically related to this code in svr-auth.c [1]: > [0]

Re: ifndef_wrapper.sh required sed with "-E" which isn't available with old sed version.

2018-07-24 Thread Matt Johnston
On Mon, Jul 23, 2018 at 01:08:54PM +0800, Samuel Hsu wrote: > As titled, can we use "sed -r" instead of "sed -E". Hi Samuel, Thanks, I hadn't noticed that problem. I've pushed a change to use non-extended regexes which should work everywhere.

Re: potential bug in atomicio?

2018-07-17 Thread Matt Johnston
On Wed, Jul 11, 2018 at 05:26:17PM -0300, Daniel Gutson wrote: > Hi, > >considering this: > > https://github.com/mkj/dropbear/blob/d740dc548924f2faf0934e5f9a4b83d2b5d6902d/atomicio.c#L55 ... > What if res is negative less than -1, for example -2 ? Shouldn't be a check > there that res is > 0

Re: OpenSSH drop-in replacement

2018-06-13 Thread Matt Johnston
Hi Martin, Dropbear should be able to do 1, it will send the PAM_TEXT_INFO as a SSH banner. SSH clients may display that before asking for a username though, I haven't tested. Dropbear can't change usernames though. Cheers, Matt > On Wed 13/6/2018, at 4:21 pm, Martin van Es wrote: > > Hi, >

Re: Dropbear incompatible with current python Twisted

2018-06-05 Thread Matt Johnston
The most likely cause would be that Twisted doesn't handle firstPacketFollows properly, which seems to be the case looking at https://github.com/twisted/twisted/blob/trunk/src/twisted/conch/ssh/transport.py#L869 Can you add that to the Twisted bug report? Cheers, Matt > On Tue 5/6/2018, at

Re: Problem using reverse ssh tunnel (remote port forwading)

2018-05-29 Thread Matt Johnston
Hi Ben, Does the device log anything from Dropbear in /var/log/auth.log or similar? If you "telnet localhost 10022" does it print anything? Cheers, Matt > On Fri 25/5/2018, at 11:05 pm, Ben Kinsella > wrote: > > I have various devices on a private network behind a router, and I typically >

Re: Dropbear Tunnels

2018-05-21 Thread Matt Johnston
Hi John, The reason it's not supported is that no one has implemented it yet. I don't have plans to, but if someone wants to send an implementation it could be added. Are you interested in client or server? Cheers, Matt > On Sat 19/5/2018, at 12:19 am, John wrote: > >

Re: Dropbear ssh tunneling segfault

2018-03-21 Thread Matt Johnston
I suspect selinux is blocking something, after dropbear forks to run the shell. Can you find where selinux keeps its logs? When you run 'su' it enters a less restrictive context than normal root, so it runs ok. I guess you need to create a selinux policy for the dropbear service - i don't have

Re: Dropbear server exit when idle?

2018-03-09 Thread Matt Johnston
Hi Dave, My first approach would be to run "timeout 600 dropbear -F -E". Established sessions won't be killed since each session is a forked process. That assumes "timeout" exists on the system busybox etc. If you want to modify the code put a check after the select() in main_noinetd().

Re: Dropbear 2018.76

2018-03-08 Thread Matt Johnston
didn't match the key that had been loaded. Now it only advertises a single size - first preference existing size, otherwise the default if no key exists. Thanks for letting me know and debugging. Cheers, Matt > On Mon 5/3/2018, at 4:02 pm, Peter Krefting <pe...@softwolves.pp.se> w

Re: Dropbear 2018.76

2018-03-01 Thread Matt Johnston
Hi Peter, On Thu, Mar 01, 2018 at 10:37:19AM +0100, Peter Krefting wrote: > After upgrading to 2018.76, I can no longer log in. On the dropbear end, it > complains about not being able to read the host key (/mnt/nv is the > non-volatile storage in my target HW): > > Mar 1 11:19:03 gbprobe

Re: Dropbear 2018.76

2018-02-28 Thread Matt Johnston
> On Wed 28/2/2018, at 12:59 am, Steffen Nurpmeso wrote: > And yes, i am still using such grumpy networks with VMs, so please > let me post the "git am" mailbox that adds support for proxy-over- > localhost. Hi Steffen, Thanks for the patch, though I'm not sure it's worth

Re: Dropbear 2018.76

2018-02-28 Thread Matt Johnston
> On Tue 27/2/2018, at 11:28 pm, Konstantin Tokarev wrote: >> >> - Add 'dbclient -J ' to allow dbclient to connect over an existing socket. >> See dbclient manpage for a socat example. Patch from Harald Becker > > Wouldn't it be better to support -o ProxyUseFdPass like in

Dropbear 2018.76

2018-02-27 Thread Matt Johnston
Hi all, Dropbear 2018.76 is released. As well as the usual improvements and bugfixes this release simplifies local configuration options. You will probably need to adjust your build configuration. Rather than modifying options.h, local options are now placed in localoptions.h where they will

Re: dropbear: "Failed loading .. " host key files warning messages

2018-02-22 Thread Matt Johnston
Thank you CamVan, I've applied the patch now. Cheers, Matt > On Wed 21/2/2018, at 5:54 am, Camvan T Nguyen wrote: > > In our environment, we generate an RSA host key in /var/lib/dropbear and > start the dropbear service with the following command: > > /usr/sbin/dropbear

Re: ssh login stuck at "expecting SSH2_MSG_KEX_ECDH_REPLY"

2017-10-24 Thread Matt Johnston
Hi Hari, Can you get a backtrace of the stuck dropbear process in 2) ? That might suggest what's going wrong. Cheers, Matt > On Mon 23/10/2017, at 7:12 pm, Hariharasubramanian Ramasubramanian > wrote: > > ssh login gets stuck at "expecting SSH2_MSG_KEX_ECDH_REPLY" at

Re: ssh disconnects due to corrupt packet (dropbear compiled with DEBUG_TRACE)

2017-10-11 Thread Matt Johnston
Hi, It looks like you're running it from inetd and the TRACE output is ending up getting sent over the network socket. The length 1414676803 is 'TRAC' converted to ascii. I guess dropbear is running with "-E", or what is the configuration? That won't work, you'll need to log to syslog instead

Re: proof-of-concept ed25519 crypto and other additions implemented

2017-10-04 Thread Matt Johnston
Hi Péter, Thank you for the work. I think most of these look useful and could be merged. I'll have a closer look over them in the next week or so with some more detailed comments. A few comments for now: - I'm tending to avoid "make CONFIGVAR=1", I think all of yours can be in options.h

Re: RSA default key size of 2048 bits too large for low-spec systems

2017-06-23 Thread Matt Johnston
Hi Brent, I'll see about improving the visibility of the default key sizes in options.h and also dropbearkey's printout. I changed to 2048 because 1024 is likely to become breakable within the next few years, it's best to have secure defaults if systems are going to remain un-updated for that

Re: OpenWrt/LEDE: dropbear & MIPS & gcc 7.1.0

2017-06-01 Thread Matt Johnston
Hi Syrone, Updating libtom makes sense, it's on the todo list. I'm curious if it's a bug in old libtommath or new gcc. In my experience differences between optimisation levels are more often problems with the compiler, but could be either. If you could get a backtrace of a stuck "dbclient"

Re: Dropbear 2017.75

2017-05-19 Thread Matt Johnston
On Fri, May 19, 2017 at 02:37:28PM +0200, Guilhem Moulin wrote: > Hi Matt, > > On Thu, 18 May 2017 at 23:02:09 +0800, Matt Johnston wrote: > > Dropbear 2017.75 is released. This has a couple of security > > fixes and a couple of bug fixes since 2016.74. > > FYI https

Re: Restrictions for password logins

2017-05-19 Thread Matt Johnston
On Fri, May 19, 2017 at 07:42:21AM +, Henrik Uggla wrote: > Hi! > > > How can I set restrictions, like those given in authorized_keys, to all > password logins? Hi Henrik, You can't set all of those restrictions like command= though you can disable TCP forwarding at compile time in

Dropbear 2017.75

2017-05-18 Thread Matt Johnston
Hi all, Dropbear 2017.75 is released. This has a couple of security fixes and a couple of bug fixes since 2016.74. https://matt.ucc.asn.au/dropbear/dropbear.html I'm intending to make another release in the next couple of weeks including the various pending fixes in the Mercurial tree and pull

Re: Multiple authorized_keys files??

2017-02-10 Thread Matt Johnston
Hi Cody, It doesn't have that option at the moment. What other files would you use? Cheers, Matt On Thu, Feb 09, 2017 at 11:08:16AM -0500, Cody Scott wrote: > I wondering if it is possible to have multiple authorized_keys files. By > default Dropbear uses ~/.ssh/authorized_keys > > Is it

Re: SEGV in Dropbear v2016.74 when connect with HostKeyAlgorithms=ssh-dss or HostKeyAlgorithms=ssh-dss

2017-01-18 Thread Matt Johnston
Hi Konstantin, Would you be able to run Dropbear under inetd and see if that helps? uClinux generally requires that - though it's not obvious to me how it could cause this crash. Is there any chance of getting a backtrace where it is crashing? The RSA and DSS crashes are at different spots, so

Re: Port forwarding for certain users only

2016-11-28 Thread Matt Johnston
Hi Peter, Currently I don't think that's possible, sorry. There are restrictions for public key auth but not password users. Matt > On Wed. 23/11/2016, at 10:55 pm, Peter Krefting > wrote: > > Hi! > > Is there a way to restrict port forwarding to certain users

Re: Building with Musl

2016-07-26 Thread Matt Johnston
Hi Andrew, I suspect Dropbear itself needs fixing, your workaround sounds fine for now. The configure script should probably just test for HAVE_LINUX_TYPES_H or similar and the required #defines. I'll look at it. Cheers, Matt #ifdef SO_PRIORITY #include #include #endif > On Tue

Dropbear 2016.74, security updates

2016-07-21 Thread Matt Johnston
Hi all, Dropbear 2016.74 is released. This includes fixes for a few security issues. Further details will be published by Beyond Security in a week or so, I will update CVE numbers when available. Downloads are at https://matt.ucc.asn.au/dropbear/dropbear.html I strongly advise upgrading any

Re: ED25519 key support?

2016-06-26 Thread Matt Johnston
Hi Stephen, I may eventually, though it isn't high on the priority list. What's your use for ed25519 keys rather than other ecdsa? Cheers, Matt > On Sun 26/6/2016, at 7:24 am, Stephen Kent wrote: > > Are there any plans to add support for ED25519 user and host keys in

Re: Running Dropbear Without Root Permissions

2016-06-12 Thread Matt Johnston
My guess is that the problem is related to /etc/shadow. If the crypted password there isn't readable then it will use the entry from /etc/passwd - I guess that's something like '!!' which would signify a locked account. For testing you can always hardcode a password crypt in debug.h Cheers, Matt

Re: Keepalive timeout with dropbear client

2016-06-07 Thread Matt Johnston
Hi David, Dropbear since 2015.68 always sets the socket non-blocking [1], so I think that change should be safe on older versions. The only risk I can think of is if it gets in some state where it might spin with 100% CPU. Cheers, Matt [1]

Re: a bug detected in dropbear v071

2016-05-12 Thread Matt Johnston
On Wed 11/5/2016, at 11:55 pm, Thomas De Schampheleire wrote: >> >> I expect the next release will be in perhaps a month's >> time - it could be longer though. > > Is there a certain strategy with respect to timing of releases? Could > you describe it? > > It seems

Re: a bug detected in dropbear v071

2016-05-11 Thread Matt Johnston
is commit? > thanks. > > From: Matt Johnston > Sent: 29 April 2016 23:18 > To: ZHANG Hui P > Cc: dropbear@ucc.asn.au > Subject: Re: a bug detected in dropbear v071 > > Hi, > > I think this problem should be solved by the commit > https://s

Re: a bug detected in dropbear v071

2016-04-29 Thread Matt Johnston
Hi, I think this problem should be solved by the commit https://secure.ucc.asn.au/hg/dropbear/rev/432b0a030fd6 Thank you for the detailed report. Cheers, Matt > On Wed 20/4/2016, at 2:44 pm, ZHANG Hui P

Re: Can't SSH from Windows

2016-04-28 Thread Matt Johnston
Hi Rob, It sounds like LEAF have disabled the group14-sha1 algorithm which was the only compatible algorithm. Sha1 isn't too insecure in this context, at least at present. Matt On 29 April 2016 3:06:46 am AWST, Rob Ogle wrote: >I just installed the latest version of uclibc

Re: a bug detected in dropbear v071

2016-04-26 Thread Matt Johnston
Hi Thomas, Hui's analysis looks right, I'll try and test it myself later this week. (Sorry, replied privately). Cheers, Matt On 25 April 2016 11:15:58 pm AWST, Thomas De Schampheleire wrote: >ZHANG Hui P alcatel-sbell.com.cn> writes: > >> >> >> >> Hi: >>

Re: dropbear with external libtommath/libtomcrypt

2016-04-19 Thread Matt Johnston
Hi Peter, External libraries are fine - Debian has used them for a while. The only security-important change is https://secure.ucc.asn.au/hg/dropbear/rev/a55b97f5a485 which I assume is already in buildroot. I've made a few small changes to clear memory or avoid memory allocations - those could

Dropbear 2016.72

2016-03-10 Thread Matt Johnston
Hi all, Dropbear SSH 2016.72 is released. This has a single change, a security fix. If X11 forwarding is enabled a user could bypass any "command=" restrictions in authorized_keys and run any command as their own user (or perform other operations allowed by the "xauth" binary such as writing

Re: Single-address space, no processes?

2016-01-05 Thread Matt Johnston
Hi Sebastian, I'd be interested in merging changes upstream, I think it would be of interest to a few people. It would need to be under a similar license to the current code. Currently the session state is kept in ses, svr_ses, and cli_ses global variables (all structs defined in session.h).
