Your message dated Fri, 16 Aug 2024 20:47:28 +0000
with message-id <[email protected]>
and subject line Bug#1069768: fixed in dropbear 2020.81-3+deb11u2
has caused the Debian Bug report #1069768,
regarding The 'no-port-forwarding' key restriction disables server alive
message support
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1069768: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069768
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dropbear-initramfs
Version: 2022.83-1+deb12u1
Severity: normal
X-Debbugs-Cc: [email protected]
Hi,
I have a remote server running bookworm that is configured to use
dropbear-initramfs and cryptsetup-initramfs to unlock the LUKS container. The
way I unlock it is shown below:
$ until ssh [email protected] cryptroot-unlock; do sleep 3; done
ssh: connect to host hopper-boot.rocketjump.eu port 22: Connection refused
ssh: connect to host hopper-boot.rocketjump.eu port 22: Connection refused
ssh: connect to host hopper-boot.rocketjump.eu port 22: Connection refused
ssh: connect to host hopper-boot.rocketjump.eu port 22: Connection refused
ssh: connect to host hopper-boot.rocketjump.eu port 22: Connection refused
ssh: connect to host hopper-boot.rocketjump.eu port 22: Connection timed out
ssh: connect to host hopper-boot.rocketjump.eu port 22: Connection timed out
ssh: connect to host hopper-boot.rocketjump.eu port 22: Connection timed out
ssh: connect to host hopper-boot.rocketjump.eu port 22: Connection timed out
ssh: connect to host hopper-boot.rocketjump.eu port 22: Connection timed out
ssh: connect to host hopper-boot.rocketjump.eu port 22: Connection timed out
ssh: connect to host hopper-boot.rocketjump.eu port 22: Connection timed out
ssh: connect to host hopper-boot.rocketjump.eu port 22: Connection timed out
ssh: connect to host hopper-boot.rocketjump.eu port 22: Connection timed out
ssh: connect to host hopper-boot.rocketjump.eu port 22: Connection timed out
ssh: connect to host hopper-boot.rocketjump.eu port 22: Connection timed out
ssh: connect to host hopper-boot.rocketjump.eu port 22: Connection timed out
Please unlock disk md2_crypt
Timeout, server hopper-boot.rocketjump.eu not responding.
Please unlock disk md2_crypt
Timeout, server hopper-boot.rocketjump.eu not responding.
Please unlock disk md2_crypt
Timeout, server hopper-boot.rocketjump.eu not responding.
Timeout, server hopper-boot.rocketjump.eu not responding.
Timeout, server hopper-boot.rocketjump.eu not responding.
Timeout, server hopper-boot.rocketjump.eu not responding.
^C^C
As you can see, while rebooting the connection is refused, as sshd is already
shutdown, but the server is reachable. Then the connection times out while it's
still doing a POST. At some point dropbear becomes reachable, as shown by the
output of "Please unlock disk md2_crypt", however the connection seems to error
out after a while, and after three attempts, dropbear becomes unresponsive. This
forces me to hard reset the server and try again until I catch it in the right
moment.
After some debugging, it turns out that ServerAliveInterval != 0 will cause the
ssh client to reset the connection, which dropbear will count as unlock attempt,
and after three tries it will fail and drop to initramfs shell, after which it's
not reachable anymore.
It would be great to prominently document that dropbear(-initramfs) does not
handle the ServerAliveInterval ssh client setting.
Greets,
Lee
-- System Information:
Debian Release: 12.5
APT prefers stable-updates
APT policy: (990, 'stable-updates'), (990, 'stable-security'), (990,
'proposed-updates'), (990, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-20-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages dropbear-initramfs depends on:
ii busybox 1:1.35.0-4+b3
pn dropbear-bin <none>
ii initramfs-tools 0.142
ii udev 252.23-1~deb12u1
Versions of packages dropbear-initramfs recommends:
ii cryptsetup-initramfs 2:2.6.1-4~deb12u2
dropbear-initramfs suggests no packages.
--- End Message ---
--- Begin Message ---
Source: dropbear
Source-Version: 2020.81-3+deb11u2
Done: Guilhem Moulin <[email protected]>
We believe that the bug you reported is fixed in the latest version of
dropbear, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guilhem Moulin <[email protected]> (supplier of updated dropbear package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 09 Jul 2024 15:51:42 +0200
Source: dropbear
Architecture: source
Version: 2020.81-3+deb11u2
Distribution: bullseye
Urgency: medium
Maintainer: Guilhem Moulin <[email protected]>
Changed-By: Guilhem Moulin <[email protected]>
Closes: 1069768
Changes:
dropbear (2020.81-3+deb11u2) bullseye; urgency=medium
.
* Fix noremotetcp behavior. Keepalive packets were being ignored when the
‛-k’ flag (or ‛no-port-forwarding’ authorized_keys(5) restriction) was
used. (Closes: #1069768)
Checksums-Sha1:
9c811cfba25144507b87fea1eef8ea706c65e42f 2594 dropbear_2020.81-3+deb11u2.dsc
20a47c0888a77f44e071ddba7d506f58f9cd7bbf 35432
dropbear_2020.81-3+deb11u2.debian.tar.xz
129ead8836cf323a8f6af652e1cea286761044df 7461
dropbear_2020.81-3+deb11u2_amd64.buildinfo
Checksums-Sha256:
bc6e48da4ceec9a39bc87d1074c36866ef75396708d8fc8a1dfe2e42b42b9fdd 2594
dropbear_2020.81-3+deb11u2.dsc
c2e929c59c89510c1ca77799d21b5715472c497a91e1689aa47feb4d6760b184 35432
dropbear_2020.81-3+deb11u2.debian.tar.xz
fc492195b39638494ea0e2eba3d3544031cca8ca5b23532c055ed7530150a054 7461
dropbear_2020.81-3+deb11u2_amd64.buildinfo
Files:
4e702f4538f86da741cbaf4c9f103608 2594 net optional
dropbear_2020.81-3+deb11u2.dsc
a7463a0ec24062a29c1cceeaf92e1eeb 35432 net optional
dropbear_2020.81-3+deb11u2.debian.tar.xz
90ec89abd2feec323b3425f4f5201b1b 7461 net optional
dropbear_2020.81-3+deb11u2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEERpy6p3b9sfzUdbME05pJnDwhpVIFAmaNQOwACgkQ05pJnDwh
pVJ3WQ/+LmTXnfg42xFYn4+BiBXeXx48MwUUALsE2H8CxjZygiM90tWpL+1RvY+y
oaInnkiwCUlN0ZwtJmzKv+yhMYvy0pBsHpyFLdWA4QnNFiN5SKOJvCZxAFcDwVCi
czuZJG+csSJV8SrLhvRg9BZD1omu/qVUoFm91RHQwn9PKyYSw3+yNxiNmhlolyrO
0QHfRu5GbidFrHNzBnLrBsWD7OsyPng5McOdNNGXihZY8StotVrlUxOscd2SeNgU
q7re/0gEbPSeVM4xcEcmpWPvMnIoalxb6Z4QD3PSzMHPMm0zLQ1VwENMIzLnzoVh
G29YC6cNzYZdBE++nUD8Fw7g2wZhTuE8vz/zNyvrI+MnAuFci+wRFQrPWOfHeBw7
iL757mI9zXIt6QGMj4p61U/Yhy5LtqQOUwWTf4PghsHb7JiJAHM4t6qLHEk1hQrk
Z1y+1ZNsn6xyJwdmK+kGO9pTXDJHrOQpYXOldG7anTeAzVIYX2c0sx/qNxaAzx4z
GMqG163kqgbN0TUyH6g5ig+vjjFzO0JMASlD+eQCM2IZPHMlXfzHad+wXxw/6Qvi
qqw4AfwZXHtiZJbnRjmGsqZYVHrPBs5PgN1r23A2PtBBXdR0yxj8Yypk4I0PJfPr
Oc1/D714dZD6HXnLHMArsSkXTxID/4Szv4x32T/wuEw+n+4pH/c=
=8TwZ
-----END PGP SIGNATURE-----
pgpb0HZuRi9AM.pgp
Description: PGP signature
--- End Message ---