Re: dbclient half-close?

2013-09-20 Thread Matt Johnston
at 9:31 PM, Matt Johnston m...@ucc.asn.au wrote: Hi Catalin, Thanks for looking at that - the last patch looks sensible, I'll give it a good test. There are a lot of subtle scenarios in channel closing (and variations between OSes). Cheers, Matt Catalin Patulea c...@vv.carleton.ca

Re: implementing e...@openssh.com

2013-09-20 Thread Matt Johnston
On Wed, Jul 24, 2013 at 09:21:43PM -0400, Catalin Patulea wrote: e...@openssh.com is an extension that allows EPIPE to propagate through SSH sessions. For example: ... I have a draft implementation of this in dropbear (attached), but there is one significant issue: In cli-session.c, stdin,

Dropbear 2013.59

2013-10-04 Thread Matt Johnston
Hi all, Dropbear 2013.59 has been released. It fixes a number of bugs, including two security issues affecting prior releases. - The Dropbear server could be made to consume large amounts of memory because decompressed packet sizes weren't checked. Depending on the OS and hardware this might be
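The missing check that release note describes, as an added example in Python rather than Dropbear's C (this is not the project's code): a zlib inflater that refuses to produce more than a fixed number of bytes, so a tiny packet that would expand into megabytes is rejected before that memory ever exists. The 32768-byte cap is an assumption borrowed from the RFC 4253 payload maximum, and the zero-filled sample stream is constructed for the demonstration.

```python
import zlib

# Ceiling on inflated output. RFC 4253 section 6.1 makes 32768 bytes the largest
# uncompressed payload an implementation must accept; taking it as the cap is an
# assumption of this example, not Dropbear's constant.
MAX_DECOMPRESSED = 32768


class DecompressionLimit(ValueError):
    """The stream would inflate past the configured ceiling."""


def inflate_bounded(compressed: bytes, limit: int = MAX_DECOMPRESSED) -> bytes:
    """Inflate a zlib stream without ever producing more than `limit` bytes.

    zlib is asked for at most (limit + 1 - produced) bytes per call, so an
    oversized stream is caught the moment it crosses the ceiling and the rest
    of the input is never expanded, however large it would have become.
    """
    d = zlib.decompressobj()
    out = bytearray()
    pending = compressed
    while pending:
        chunk = d.decompress(pending, max_length=limit + 1 - len(out))
        out += chunk
        if len(out) > limit:
            raise DecompressionLimit(
                f"{len(compressed)} compressed bytes inflate past {limit} bytes")
        if not chunk and d.unconsumed_tail == pending:
            raise zlib.error("decompressor made no progress: corrupt input")
        pending = d.unconsumed_tail
    # A stand-alone stream must have finished cleanly. An SSH compression
    # stream never finishes (it is sync-flushed per packet), so a transport
    # would skip these two checks.
    if not d.eof:
        raise zlib.error("incomplete zlib stream")
    if d.unused_data:
        raise zlib.error("trailing bytes after end of zlib stream")
    return bytes(out)


def is_bomb(compressed: bytes, limit: int = MAX_DECOMPRESSED) -> bool:
    """True when the stream is rejected for exceeding the ceiling."""
    try:
        inflate_bounded(compressed, limit)
        return False
    except DecompressionLimit:
        return True


def deflate(data: bytes) -> bytes:
    return zlib.compress(data, 9)


def make_bomb(inflated_size: int) -> bytes:
    """Constructed sample: a stream of zeros that inflates to inflated_size bytes."""
    return deflate(b"\x00" * inflated_size)
```

A million zero bytes deflate to roughly a kilobyte; `is_bomb(make_bomb(1_000_000))` reports the rejection after 32769 bytes of output instead of after a megabyte of allocation.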

Re: fix bundled libtom configure flag

2013-10-15 Thread Matt Johnston
On Sat, Oct 12, 2013 at 04:37:15PM -0400, Mike Frysinger wrote: the current flag treats --disable-bundled-libtom like enable. this patch fixes it. I've committed this modified. If it can't find system libraries with --disable-bundled-libtom it fails rather than silently falling back to

Dropbear 2013.60

2013-10-16 Thread Matt Johnston
Hi all, Dropbear 2013.60 is released fixing a few bugs from 2013.59, mainly related to make install. Download as usual from https://matt.ucc.asn.au/dropbear/dropbear.html or the new mirror https://dropbear.nl/mirror/ Cheers, Matt 2013.60 - Wednesday 16 October 2013 - Fix make install so that

Dropbear test version 2013.61test with ECC

2013-11-14 Thread Matt Johnston
Hi all, Dropbear now has support for ECC which is significantly faster at setting up connections on slow platforms. Since it's a large patch I'm making a test release first. I've also added a -R mode to automatically generate hostkeys on first connection - this is recommended on embedded

Re: Dropbear test version 2013.61test with ECC

2013-11-16 Thread Matt Johnston
NiLuJe nin...@gmail.com wrote: * libtomcrypt has to be built w/ -DLTM_DESC for ECC support (I'm using external libtom* libs). Yes, I guess people can always force bundled libtom*. I think Debian builds libtomcrypt with LTM_DESC but doesn't set the macro in tomcrypt_custom, which is why I set

Re: TOS byte for bulk transfers

2013-11-23 Thread Matt Johnston
Catalin Patulea c...@vv.carleton.ca wrote: Matt, would you accept a patch that keys the TOS setting off PTY requests? Yes, I've been meaning to look at that. I'm not sure if it should disable TCP_NODELAY at the same time. I know sshfs (which doesn't use a PTY) should have nodelay set.

Re: [PATCH] Set IPTOS_LOWDELAY on PTY sessions only

2013-12-02 Thread Matt Johnston
Hi Catalin, Thank you for the patch, I've committed it. I've made a change so that it will start off in lowdelay mode for a pty client or any server - the initial connection involves lots of roundtrips, so delays matter there. It's dropping down to BULK if it ends up having a non-pty shell. The

Dropbear 2013.62 released

2013-12-03 Thread Matt Johnston
Hi, I've put up Dropbear 2013.62. It has only a few changes since the 2013.61test release. The major features of 2013.61test are ECC support (significantly faster connections) and generating hostkeys automatically. Downloads as usual at https://matt.ucc.asn.au/dropbear/dropbear.html or

Re: [patch] simplify install links

2013-12-11 Thread Matt Johnston
On Sun, Dec 08, 2013 at 08:26:43PM -0500, Mike Frysinger wrote: there's no need to do `rm; ln` when `ln -f` will do the same thing It's not always the same; I dislike ln -f. For example: ln -s /tmp foo; ln -sf /etc/hosts foo; cat foo also, for softlinks in the bindir, just use relative ones

Re: Bug in rekeying

2014-01-23 Thread Matt Johnston
Hi, Thanks for the report. I think this should be fixed in https://secure.ucc.asn.au/hg/dropbear/rev/19ce21bd198a I think there has probably been a timing dependent bug there for a long time, but it was exposed more easily in 2013.57. Cheers, Matt On Mon, Jan 20, 2014 at 09:53:18PM +0100,

Re: Interactive QoS with `scp'

2014-01-29 Thread Matt Johnston
Hi, # ssh with command (implies no-pty) -- uses IPTOS_THROUGHPUT == OK! ssh 14.64.1.4 date tos 0x8 # scp -- Still uses IPTOS_LOWDELAY! i.e. NOT OK(?) scp /tmp/file.dat 14.64.1.4:/tmp/ tos 0x10 That's strange. scp should just be calling dbclient localhost scp -t destination - the same as

Re: 2013.62 broken, 2013.60 ok

2014-02-15 Thread Matt Johnston
On Sat, Feb 15, 2014 at 03:34:28PM -0600, Steve Dover wrote: compile failure of dbutil.c, various typedefs missing. unknown type name '___u64' (and 32,16,8) I've diffed the entire tree, and can find no obvious changes between 60 and 62 that lead to this breakage. This is basic ... But,

Re: 2013.62 broken, 2013.60 ok - PATCH

2014-02-17 Thread Matt Johnston
Hi Steve, Thanks for tracking that down, I've committed it as https://secure.ucc.asn.au/hg/dropbear/rev/5d3e917bb7a6 I guess it's some unique combination of toolchain, library, or Linux brokenness! Alternatively maybe Dropbear should have been including linux/types.h all along. Cheers, Matt On

Dropbear 2014.63

2014-02-19 Thread Matt Johnston
Hi all, Dropbear 2014.63 is released containing mostly accumulated bug fixes. Some are for regressions in the past couple of releases so it's recommended for everyone. As usual the URL is https://matt.ucc.asn.au/dropbear/dropbear.html or mirrored at https://dropbear.nl/mirror/ Cheers, Matt

Re: SFTP Client support required for dropbear v0.48

2014-05-23 Thread Matt Johnston
Hi, Dropbear doesn't come with an SFTP server. You might be able to build the OpenSSH sftp-server to use, have a look through the mailing list archives. Cheers, Matt On Thu, May 22, 2014 at 08:14:20PM +0530, pratik singh wrote: Hi all, I am running the default dropbear (version 0.48) found

Re: SFTP Client support required for dropbear v0.48

2014-05-23 Thread Matt Johnston
instead of sftp-server. It would be great if I can get any help for the same. Thanks Pratik On Fri, May 23, 2014 at 4:55 PM, Matt Johnston m...@ucc.asn.au wrote: Hi, Dropbear doesn't come with an SFTP server. You might be able to build the OpenSSH sftp-server to use, have a look

Re: Dropbear and crypt() implementation

2014-05-28 Thread Matt Johnston
Hi Martin, How does your operating system authenticate users? crypt() is kind of specific to how many unix-style systems store passwords in /etc/passwd or /etc/shadow. You could modify your svr-authpasswd.c to compare the hash of password with your stored hashed password, or something similar.

Re: Cross-compile for AM335x

2014-06-26 Thread Matt Johnston
Hi, Sounds like something is wrong with the compiler. Take a look at config.log, towards the bottom it'll have the commandline and code that failed. Do you mean to set --target=arm perhaps? Cheers, Matt On Thu, Jun 26, 2014 at 10:53:38AM -0400, Nicolas Luna wrote: Hi, I'm trying to

Re: TOS byte on port forwarding-only connections

2014-07-08 Thread Matt Johnston
On Fri, Jul 04, 2014 at 02:59:09AM -0400, Catalin Patulea wrote: 'ssh -Lx:x:x cat' is a workaround, albeit ugly. Ideally I would like 'ssh -N -Lx:x:x' to also trigger IPTOS_BULK. I think for that I could start the connection at LOWDELAY, then reduce to BULK until the first pty session, then

Re: Small build without ECDSA gives errors

2014-07-10 Thread Matt Johnston
Hi Bruno, This is fixed for the next release, you can get the change from https://secure.ucc.asn.au/hg/dropbear/rev/25692c60479e Cheers, Matt On 10 July 2014 12:02:18 am AWST, Bruno Vernay brunover...@gmail.com wrote: Hi, I try to build a small Dropbear server (dropbear-2014.63) From

Re: TOS byte on port forwarding-only connections

2014-07-15 Thread Matt Johnston
Hi Catalin, Yes, that's what I was thinking of. I can implement it. Cheers, Matt On 14 July 2014 2:56:17 am AWST, Catalin Patulea c...@vv.carleton.ca wrote: On Tue, Jul 8, 2014 at 9:44 AM, Matt Johnston m...@ucc.asn.au wrote: I'm not really sure how to resolve it though. Maybe as a tradeoff

Re: TOS byte on port forwarding-only connections

2014-07-16 Thread Matt Johnston
On 14 July 2014 2:56:17 am AWST, Catalin Patulea c...@vv.carleton.ca wrote: Ok, so if I'm understanding correctly, the invariant would be something like: if (connecting || ptys) tos = LOWDELAY; else if (tcp_forwards) tos = 0; else tos = BULK; I've implemented this in

Re: Dropbear 2014.64

2014-07-28 Thread Matt Johnston
Hi, Thanks for tracking that down, I'll see what's going on with channel closing. Would you be able to send a strace of the clock_gettime issue? I avoided clock_gettime() from glibc since that pulls in librt. I'm curious how it's failing. Dropbear should probably just check the second

Re: Dropbear 2014.64

2014-07-30 Thread Matt Johnston
I plan to release 2013.65 early next week to fix those regressions. If anyone has seen other problems please let me know. Cheers, Matt On 27 July 2014 11:41:56 pm AWST, Matt Johnston m...@ucc.asn.au wrote: Hi all, Dropbear 2014.64 is released with changes as follows. As usual get it from

Re: [PATCH] use xauth in /usr/bin

2014-08-06 Thread Matt Johnston
Thanks, I've committed it. On Fri, Aug 01, 2014 at 06:15:01AM -0400, Mike Frysinger wrote: # HG changeset patch # User Mike Frysinger vap...@gentoo.org # Date 1406888059 14400 # Fri Aug 01 06:14:19 2014 -0400 # Node ID 89a637587a611c0bf3802ff5005bc1f7fe63eec6 # Parent

Re: Dropbear 2014.64

2014-08-06 Thread Matt Johnston
On Fri, Aug 01, 2014 at 06:10:46AM -0400, Mike Frysinger wrote: fwiw, glibc-2.19 has moved clock_gettime to libc Ah, good to know. At some point I'll add a test for clock_gettime() in configure, though want a bit more testing first. Cheers, Matt

Re: Regarding dbclient failure

2014-08-07 Thread Matt Johnston
Hi Pratik, It looks like it is failing when it tries to read the 'y/n' response from /dev/tty. Can you check that is set up correctly on the system? Running 'strace -o logfile dbclient...' might have some clues if you send me it. You can skip the hostkey confirmation with '-y' but that means

Dropbear 2014.65

2014-08-08 Thread Matt Johnston
Hi, Here's Dropbear 2014.65. It mainly fixes regressions in 2014.64, with a couple of other minor improvements. https://matt.ucc.asn.au/dropbear/dropbear.html https://dropbear.nl/mirror/ Cheers, Matt 2014.65 - Friday 8 August 2014 - Fix 2014.64 regression, server session hang on exit with scp

Re: Regarding dbclient failure

2014-08-12 Thread Matt Johnston
On Tue, Aug 12, 2014 at 07:19:45PM +0530, pratik singh wrote: Hi Matt, Thanks for your valuable suggestion. Unfortunately my system doesn't have strace utility support. I tried dbclient with the -y option but it's failing again with write error: broken pipe. Hi Pratik, It seems like ttys

Re: dbclient failed : Server Timeout

2014-08-24 Thread Matt Johnston
On Thu, Aug 21, 2014 at 11:31:43PM +0530, pratik singh wrote: This issue can be resolved if I can reduce the time taken by dbclient. Currently it's taking more than 5 minutes. Please share your inputs to reduce this time taken by dbclient. How can I achieve this? Appreciate your reply. Hi

Re: Write error : dbclient

2014-09-24 Thread Matt Johnston
Hi Pratik, I'm assuming that it is the session timeout that's causing the disconnection. The log on the OpenSSH server should confirm that. I think the only real solution would be to improve the speed of libtommath on that device. Running a profiler to determine the slowest parts would be the

Re: Dropbear cli-session

2014-09-24 Thread Matt Johnston
Hi Paul, Which SSH implementation are you using on the client side? If you're using Dropbear then -B netcat mode will do what I think you want. It's entirely client-side using standard TCP forwarding from the spec, it just connects the SSH client's input to that TCP forwarded channel. Another

Re: Write error : dbclient

2014-09-28 Thread Matt Johnston
the speed of calculations in function mp_exptmod() only? Appreciate your response. Thanks Pratik On Wed, Sep 24, 2014 at 8:02 PM, Matt Johnston m...@ucc.asn.au wrote: Hi Pratik, I'm assuming that it is the session timeout that's causing the disconnection. The log on the OpenSSH

Re: use dropbear ssh client over specific interface?

2014-10-18 Thread Matt Johnston
On Sat 18/10/2014, at 4:09 pm, Alexander Dahl p...@lespocky.de wrote: say I have a machine with multiple network interfaces, and maybe policy based routing. Is it possible to let the ssh client use a specific network interface for an outgoing connection? I could not tell from `man 8

Re: IPv4 and IPv6 support

2014-10-21 Thread Matt Johnston
Hi Michael, I just checked now, it works for me on Linux 3.13 and OSX 10.10. What platform are you running on? What do you see for the commands below? Output from strace looking where it calls bind() might be informative too. I can't really think of anything Dropbear would be doing that would

Re: [PATCH] gensignkey: ensure host keys are flushed to disk

2014-11-08 Thread Matt Johnston
On Tue, Oct 28, 2014 at 02:11:26PM +0100, Peter Korsgaard wrote: Otherwise we can end up with an empty host key, breaking logins. E.G.: Run dropbear -R and pull power before the host key is written to disk. After reboot we have: Hi Peter, Thanks for the patch, I've applied it with

Re: Dropbear cli-session

2014-11-08 Thread Matt Johnston
sure that it was calling a function very similar to newtcpdirect(). Is there something that I do wrong or missing? On 28 September 2014 09:33, Matt Johnston m...@ucc.asn.au wrote: If you want to run it all within Dropbear itself I'd modify sessioncommand() which handles subsystem

Re: Server refused to start a shell/command (Buildroot - RPi)

2015-01-14 Thread Matt Johnston
...@procountsoftware.co.uk wrote: df shows /dev having about 90MB in size and 0% used. I think /dev type is set to tmpfs in buildroot(?). It appears to be r/w. Original email: - From: Matt Johnston m...@ucc.asn.au Date: Wed, 14 Jan 2015 21:14:43 +0800 To: dropbear@ucc.asn.au, dropb

Re: Server refused to start a shell/command (Buildroot - RPi)

2015-01-14 Thread Matt Johnston
. Original email: - From: Matt Johnston m...@ucc.asn.au Date: Wed, 14 Jan 2015 21:14:43 +0800 To: dropbear@ucc.asn.au, dropb...@procountsoftware.co.uk Subject: Re: Server refused to start a shell/command (Buildroot - RPi) My guess would be that /dev is full. Running “df”

Re: Smallest footprint in 2015

2015-02-16 Thread Matt Johnston
Hi Alexandre, What platform are you building on? Some platforms seem to end up with larger code than x86 - not entirely sure if it’s the architecture or compiler issues. Compiler flags can also make a big difference, were you using the suggested ones? I know -flto makes a difference with

Dropbear 2015.67

2015-01-28 Thread Matt Johnston
Hi all, Dropbear 2015.67 is released, changes listed below - mostly small improvements. https://matt.ucc.asn.au/dropbear/dropbear.html https://dropbear.nl/mirror/ Cheers, Matt 2015.67 - Wednesday 28 January 2015 - Call fsync() after generating private keys to ensure they aren't lost if a

Re: Server refused to start a shell/command (Buildroot - RPi)

2015-01-13 Thread Matt Johnston
Hi, If you run “dropbear -F -E” (kill the existing server process first) then it will run in the foreground and print logging. That should suggest what’s going wrong. Alternatively it might already be logging to somewhere in /var/log depending if syslog is running. Cheers, Matt On Tue

Re: [dropbear] Prefer stronger algorithms in algorithm negotiation. (#9)

2015-01-09 Thread Matt Johnston
(CCing the dropbear list - hopefully crossposting isn't too awkward) I'll merge this pull request, though if anyone has comments please let me know. Comments inline below. Matt On Thu, Jan 08, 2015 at 04:46:48AM -0800, fedor-brunner wrote: https://github.com/mkj/dropbear/pull/9 -- Commit

Re: Server refused to start a shell/command (Buildroot - RPi)

2015-01-14 Thread Matt Johnston
initramfs. Thanks, Kevin On 2015-01-13 13:35, Matt Johnston wrote: Hi, If you run “dropbear -F -E” (kill the existing server process first) then it will run in the foreground and print logging. That should suggest what’s going wrong. Alternatively it might already be logging to somewhere

Re: dropbearconvert crashes converting 8192-bit RSA OpenSSH host key to dropbear format

2015-02-09 Thread Matt Johnston
Hi Stephen, Looks like a bug, I've only tested with 4096-bit keys. Probably just MAX_PRIVKEY_SIZE etc needs increasing in options.h, and some buffer sizes in keyimport.c Where did an 8192-bit key come from, out of interest? Cheers, Matt On Sun, Feb 08, 2015 at 09:08:17PM -0800, Stephen Kent

Re: [PATCH] gensignkey: ensure host keys are flushed to disk

2015-01-04 Thread Matt Johnston
On Fri, Jan 02, 2015 at 10:13:13AM +0100, Peter Korsgaard wrote: No problem. Matt, how will we fix it? Unconditionally use O_RDONLY or some kind of fallback? Matt, what do you say? It would be good to get this fixed. Host key generation is basically completely broken by this. I've
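The durable-write sequence these host-key messages converge on (fsync after generating the key, and the question of opening the directory O_RDONLY), as an added Python example rather than Dropbear's gensignkey code: write the key to a temporary file in the same directory, fsync it, rename it over the final name, then fsync the directory so the rename itself survives a power cut. Where fsync on the read-only directory descriptor is refused the function reports it instead of failing, since the file contents are already on disk. The file name and key bytes are placeholders.

```python
import os
import tempfile


def fsync_directory(directory: str) -> bool:
    """Make a rename or create recorded in `directory` durable.

    A directory can only be opened O_RDONLY, and some filesystems or platforms
    refuse fsync on such a descriptor; that is reported as False rather than
    raised, because the file data itself has already been made durable.
    """
    try:
        fd = os.open(directory, os.O_RDONLY)
    except OSError:
        return False
    try:
        os.fsync(fd)
        return True
    except OSError:
        return False
    finally:
        os.close(fd)


def write_private_key_durably(path: str, key_data: bytes, mode: int = 0o600) -> bool:
    """Write key_data to path so a crash at any point leaves either the previous
    file or the complete new one, never an empty or truncated key.

    Returns the result of the directory fsync; the file fsync is mandatory.
    """
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp_path = tempfile.mkstemp(dir=directory, prefix=".tmp-key-")
    try:
        with os.fdopen(fd, "wb") as f:
            os.fchmod(f.fileno(), mode)   # private key: owner-only before any data lands
            f.write(key_data)
            f.flush()
            os.fsync(f.fileno())          # contents reach stable storage before the rename
        os.replace(tmp_path, path)        # atomic on POSIX: old key or new key, nothing between
    except BaseException:
        try:
            os.unlink(tmp_path)
        except OSError:
            pass
        raise
    return fsync_directory(directory)


def read_key(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.read()


def self_check() -> bool:
    """Write a key twice into a scratch directory and confirm only the final
    file remains, owner-only, with the latest contents. Key bytes are constructed."""
    with tempfile.TemporaryDirectory() as scratch:
        path = os.path.join(scratch, "dropbear_rsa_host_key")   # placeholder name
        write_private_key_durably(path, b"constructed-key-material-1")
        write_private_key_durably(path, b"constructed-key-material-2")
        ok = read_key(path) == b"constructed-key-material-2"
        ok = ok and os.listdir(scratch) == ["dropbear_rsa_host_key"]
        ok = ok and (os.stat(path).st_mode & 0o777) == 0o600
        return ok
```

The order matters: fsync of the temporary file before the rename, and fsync of the directory after it. Renaming first and syncing later is exactly the window in which a reboot can leave the final name pointing at zero bytes.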

Re: [PATCH] Handle invalid agent keys by skipping rather than exiting.

2015-01-04 Thread Matt Johnston
Thanks, I've applied this now. Matt

Re: dbclient reports integrity errors with GitHub

2015-04-22 Thread Matt Johnston
It sounds like something's going wrong with the cryptographic key setup. The packet size is the first thing decrypted so if the key is wrong the size will be wrong. I'll investigate what's going on, sounds like it's easy to reproduce. Cheers, Matt On 22 April 2015 11:16:36 pm AWST, Steven

Re: Dropbear for lwIP

2015-04-12 Thread Matt Johnston
On Thu, Apr 09, 2015 at 06:50:01AM +0200, Karl Karpfen wrote: Hi, is it already possible to use Dropbear with the embedded TCP/IP stack lwIP? Hi Karl, I haven't heard of anyone doing that. Cheers, Matt

Re: Harden dropbear memory allocator

2015-04-12 Thread Matt Johnston
Hi Logan, Thanks for looking at that - certainly something to be wary of. I've actually removed netio.c's malloc altogether a couple of weeks ago though had neglected to push it until now https://secure.ucc.asn.au/hg/dropbear/rev/cc6116cc0b5c (my github mirror isn't updated, the machine that does

Re: scp of sysfs file repeats data

2015-06-23 Thread Matt Johnston
I see what you mean. I'll update scp to OpenSSH's latest - there are a few changes to be merged. Cheers, Matt On Tue, Jun 23, 2015 at 09:11:35AM +0200, Peter Korsgaard wrote: Craig == Craig McQueen craig.mcqu...@innerrange.com writes: I tried doing scp of a sysfs attribute. I found that

Re: server limits commands to MAX_CMD_LEN

2015-07-01 Thread Matt Johnston
Hi Szabolcs, 4k sounds like an OK limit, I'll increase that. Handling larger limits like shells (200k+?) would be harder - Dropbear expects SSH packets to be under 32kB. Cheers, Matt On Wed, Jul 01, 2015 at 06:32:36PM +0200, Szabolcs Nagy wrote: some of my long ssh commands failed with exec

Re: Detached tarball signatures vs. clearsigned checksum files

2015-06-29 Thread Matt Johnston
On Mon, Jun 29, 2015 at 03:51:54PM +0200, Guilhem Moulin wrote: That's great, thanks! While I'm at it, please also consider excluding mercurial dotfiles from the tarballs: Do they cause a problem? At least hg_archival.txt is kind of useful to see which hg revision made the tarball. (Not sure

Re: Detached tarball signatures vs. clearsigned checksum files

2015-06-29 Thread Matt Johnston
7EF2 EE2E 07A2 6762 8CA9 4493 1494 F29C 6773 uid Dropbear SSH Release Signing m...@ucc.asn.au It's signed by the old key and my new personal key pub 4096R/C20BBAAC 2015-06-29 Key fingerprint = 1F1A F0BB EC7C F375 9FFA 1191 F498 3012 C20B BAAC uid Matt

Re: svr_getopts should either support bundling or fail if bundling is used

2015-10-28 Thread Matt Johnston
> On Thu 22/10/2015, at 8:24 am, Guilhem Moulin wrote: > >>> By the way, out of curiosity, is there a reason why you're not using >>> getopt()? It's POSIX after all, and you're already using it for scp. >> >> I think I looked into it a long time ago and it resulted in a

Re: [PATCH] Fix minor manpage formatting issues.

2015-10-28 Thread Matt Johnston
Thanks, I've applied these. Matt > On Sun 25/10/2015, at 2:39 am, Guilhem Moulin wrote: > > Hi, > > We've also got the two attached patches in the Debian package. Please > consider applying them upstream. (Actually both dropbear(8) and > dropbearconvert(1) mention the

Re: Dropbear SSH integrity error

2015-11-12 Thread Matt Johnston
On Thu, Nov 12, 2015 at 10:28:27AM +0100, Zbynek Michl wrote: > Hello, > > I have a problem with SSH connection from my Ubiquiti AirOS device to > a Mikrotik router. > I use AirOS v5.5.11 (Dropbear SSH client v2013.58) and Mikrotik's > RouterOS version 6.33 (also older versions have the same

Re: [PATCH] Enable bundling in svr-runopts's svr_getopts.

2015-11-06 Thread Matt Johnston
> On Wed, 28 Oct 2015 at 21:47:24 +0800, Matt Johnston wrote: >> I've changed the code to just print a warning for the time being. I'm >> intending for the next release to be soon with small bugfixes. Using getopt >> would probably be good though would require checking avail

Re: -I (0 is never, default 0, in seconds)

2015-09-29 Thread Matt Johnston
Hi Salatiel, The -I timeout only recognises data traffic in shells/commands/TCP forwards. Would the Dropbear server's -K option work instead for you? Cheers, Matt On Sun, Sep 27, 2015 at 08:57:56PM -0300, Salatiel Filho wrote: > Hi, shouldn't an openssh -o ServerAliveInterval=30 be enough to

Re: Syslog logging in client

2015-12-02 Thread Matt Johnston
> On Wed 2/12/2015, at 3:10 am, Konstantin Tokarev wrote: > Implemented here: > https://github.com/mkj/dropbear/pull/18 > > However, I didn't add command line option. I thought it may be better to use > -o, but it has 2 issues currently: > > * -o patch was not approved yet >

Dropbear 2015.71

2015-12-03 Thread Matt Johnston
Hi all, Dropbear 2015.71 is available with fixes for a few recent problems. - Fix "bad buf_incrpos" when data is transferred, broke in 2015.69 - Fix crash on exit when -p address:port is used, broke in 2015.68 - Fix building with only ENABLE_CLI_REMOTETCPFWD given, patch from Konstantin

Re: Single-address space, no processes?

2015-12-29 Thread Matt Johnston
Hi Sebastian, Dropbear probably won't fit without some modifications, though likely wouldn't be that hard to get working with only a single connection at a time. There's a global state variable, and may be a few other assumptions that the vforked child is going to exec() (like uClinux). Recent

Re: Single-address space, no processes?

2016-01-05 Thread Matt Johnston
Hi Sebastian, I'd be interested in merging changes upstream, I think it would be of interest to a few people. It would need to be under a similar license to the current code. Currently the session state is kept in ses, svr_ses, and cli_ses global variables (all structs defined in session.h).

Re: Prepending 'exec' to proxy command automatically

2015-12-18 Thread Matt Johnston
On Wed, Dec 16, 2015 at 04:32:03PM +0300, Konstantin Tokarev wrote: > 08.12.2015, 21:00, "Konstantin Tokarev" : > > If dbclient is given proxy command which does not start with exec, shell > > process is lingering alongside proxy command process. However, I've found > > that

Re: [PATCH 00/16] Improvements, mainly to user name handling and scp.

2015-12-29 Thread Matt Johnston
Hi Michael, I think the general change of these patches makes sense (avoiding failure when a local user doesn't exist) but it needs to be more minimal. scp comes straight from OpenSSH with some small changes for uClinux etc. I've tried to avoid additional changes since it really needs updating to

Dropbear 2015.69

2015-11-25 Thread Matt Johnston
Hi all, It's the third Dropbear release this year, 2015.69. The most important change is a fix for TCP forwarding that broke in 2015.68 and affected a few people. As usual downloads at https://matt.ucc.asn.au/dropbear/dropbear.html and https://dropbear.nl/mirror/ Cheers, Matt 2015.69 - 25

Re: Dropbear 2015.70 scp upload errors

2015-11-30 Thread Matt Johnston
> On Mon 30/11/2015, at 6:29 am, Anthony Sherwin > wrote: > > I have cross compiled dropbear to my embedded product from 2015.68 to 2015.70 > and am getting the following error: > dropbear[2528]: Exit (user): Bad buf_incrpos Hi Anthony, This should be

Re: Force dbclient to exit if remote forwarding request failed

2015-11-30 Thread Matt Johnston
> On Mon 30/11/2015, at 7:24 pm, Konstantin Tokarev wrote: > dbclient: Remote TCP forward request failed (port 3320 -> localhost:22) > > ... > 1. Is there any way to force dbclient to exit in this case? > 2. If not, would it be reasonable feature to have in dbclient? Hi

Re: Syslog logging in client

2015-11-30 Thread Matt Johnston
> On Mon 30/11/2015, at 8:38 pm, Konstantin Tokarev wrote: > > Hi all, > > I think it would be useful to have syslog logging in client when it is running > in background (e.g., when -f option is used, or, like in my case, it is > started from init system to create tunnel). >

Re: 2015.69 and password authentication

2015-11-26 Thread Matt Johnston
I'll sort out a new release to fix this later today. Cheers, Matt On 26 November 2015 4:57:16 pm AWST, Peter Meerwald-Stadler wrote: > >> Upgrading from 2015.68 to 2015.69 on the embedded platform at >$DAYJOB, >> password authentication no longer works. This seems to be

Dropbear 2015.70 fixes password authentication

2015-11-26 Thread Matt Johnston
Hi, Dropbear 2015.70 released now fixes password server authentication on Linux. It's a bit of an embarrassing mistake, apologies for that. Commenting out the test in options.h is a fine workaround. Cheers, Matt On Thu, Nov 26, 2015 at 05:37:25PM +0800, Matt Johnston wrote: > I'll sort

Re: [PATCH] Enable bundling for dbclient.

2015-11-23 Thread Matt Johnston
Hi, Thanks for the patch, I've applied it with slight changes. I had to re-add the undocumented support for extra arguments after the hostname - that's in the manpage now. Cheers, Matt On Wed, Nov 11, 2015 at 07:02:36PM +0100, Guilhem Moulin wrote: > --- > cli-runopts.c | 202 >

Re: Keepalive timeout with dropbear client

2016-06-07 Thread Matt Johnston
Hi David, Dropbear since 2015.68 always sets the socket non-blocking [1], so I think that change should be safe on older versions. The only risk I can think of is if it gets in some state where it might spin with 100% CPU. Cheers, Matt [1]

Re: Running Dropbear Without Root Permissions

2016-06-12 Thread Matt Johnston
My guess is that the problem is related to /etc/shadow. If the crypted password there isn't readable then it will use the entry from /etc/passwd - I guess that's something like '!!' which would signify a locked account. For testing you can always hardcode a password crypt in debug.h Cheers, Matt

Re: ED25519 key support?

2016-06-26 Thread Matt Johnston
Hi Stephen, I may eventually, though it isn't high on the priority list. What's your use for ed25519 keys rather than other ecdsa? Cheers, Matt > On Sun 26/6/2016, at 7:24 am, Stephen Kent wrote: > > Are there any plans to add support for ED25519 user and host keys in

Dropbear 2016.72

2016-03-10 Thread Matt Johnston
Hi all, Dropbear SSH 2016.72 is released. This has a single change, a security fix. If X11 forwarding is enabled a user could bypass any "command=" restrictions in authorized_keys and run any command as their own user (or perform other operations allowed by the "xauth" binary such as writing

Re: a bug detected in dropbear v071

2016-04-26 Thread Matt Johnston
Hi Thomas, Hui's analysis looks right, I'll try and test it myself later this week. (Sorry, replied privately). Cheers, Matt On 25 April 2016 11:15:58 pm AWST, Thomas De Schampheleire wrote: >ZHANG Hui P alcatel-sbell.com.cn> writes: > >> >> >> >> Hi: >>

Re: a bug detected in dropbear v071

2016-04-29 Thread Matt Johnston
Hi, I think this problem should be solved by the commit https://secure.ucc.asn.au/hg/dropbear/rev/432b0a030fd6 Thank you for the detailed report. Cheers, Matt > On Wed 20/4/2016, at 2:44 pm, ZHANG Hui P

Re: Can't SSH from Windows

2016-04-28 Thread Matt Johnston
Hi Rob, It sounds like LEAF have disabled the group14-sha1 algorithm which was the only compatible algorithm. Sha1 isn't too insecure in this context, at least at present. Matt On 29 April 2016 3:06:46 am AWST, Rob Ogle wrote: >I just installed the latest version of uclibc

Re: a bug detected in dropbear v071

2016-05-11 Thread Matt Johnston
is commit? > thanks. > > From: Matt Johnston [mailto:m...@ucc.asn.au] > Sent: 29 April 2016 23:18 > To: ZHANG Hui P > Cc: dropbear@ucc.asn.au > Subject: Re: a bug detected in dropbear v071 > > Hi, > > I think this problem should be solved by the commit > https://s

Re: a bug detected in dropbear v071

2016-05-12 Thread Matt Johnston
On Wed 11/5/2016, at 11:55 pm, Thomas De Schampheleire wrote: >> >> I expect the next release will be in perhaps a month's >> time - it could be longer though. > > Is there a certain strategy with respect to timing of releases? Could > you describe it? > > It seems

Re: dropbear with external libtommath/libtomcrypt

2016-04-19 Thread Matt Johnston
Hi Peter, External libraries are fine - Debian has used them for a while. The only security-important change is https://secure.ucc.asn.au/hg/dropbear/rev/a55b97f5a485 which I assume is already in buildroot. I've made a few small changes to clear memory or avoid memory allocations - those could

Re: Building with Musl

2016-07-26 Thread Matt Johnston
Hi Andrew, I suspect Dropbear itself needs fixing, your workaround sounds fine for now. The configure script should probably just test for HAVE_LINUX_TYPES_H or similar and the required #defines. I'll look at it. Cheers, Matt #ifdef SO_PRIORITY #include #include #endif > On Tue

Dropbear 2016.74, security updates

2016-07-21 Thread Matt Johnston
Hi all, Dropbear 2016.74 is released. This includes fixes for a few security issues. Further details will be published by Beyond Security in a week or so, I will update CVE numbers when available. Downloads are at https://matt.ucc.asn.au/dropbear/dropbear.html I strongly advise upgrading any

Re: Multiple authorized_keys files??

2017-02-10 Thread Matt Johnston
Hi Cody, It doesn't have that option at the moment. What other files would you use? Cheers, Matt On Thu, Feb 09, 2017 at 11:08:16AM -0500, Cody Scott wrote: > I wondering if it is possible to have multiple authorized_keys files. By > default Dropbear uses ~/.ssh/authorized_keys > > Is it

Re: SEGV in Dropbear v2016.74 when connect with HostKeyAlgorithms=ssh-dss or HostKeyAlgorithms=ssh-dss

2017-01-18 Thread Matt Johnston
Hi Konstantin, Would you be able to run Dropbear under inetd and see if that helps? uClinux generally requires that - though it's not obvious to me how it could cause this crash. Is there any chance of getting a backtrace where it is crashing? The RSA and DSS crashes are at different spots, so

Re: Port forwarding for certain users only

2016-11-28 Thread Matt Johnston
Hi Peter, Currently I don't think that's possible, sorry. There are restrictions for public keys auth but not password users. Matt > On Wed. 23/11/2016, at 10:55 pm, Peter Krefting > wrote: > > Hi! > > Is there a way to restrict port forwarding to certain users

Re: RSA default key size of 2048 bits too large for low-spec systems

2017-06-23 Thread Matt Johnston
Hi Brent, I'll see about improving the visibility of the default key sizes in options.h and also dropbearkey's printout. I changed to 2048 because 1024 is likely to become breakable within the next few years, it's best to have secure defaults if systems are going to remain un-updated for that

Dropbear 2017.75

2017-05-18 Thread Matt Johnston
Hi all, Dropbear 2017.75 is released. This has a couple of security fixes and a couple of bug fixes since 2016.74. https://matt.ucc.asn.au/dropbear/dropbear.html I'm intending to make another release in the next couple of weeks including the various pending fixes in the Mercurial tree and pull

Re: Restrictions for password logins

2017-05-19 Thread Matt Johnston
On Fri, May 19, 2017 at 07:42:21AM +, Henrik Uggla wrote: > Hi! > > > How can I set restrictions, like those given in authorized_keys, to all > password logins? Hi Henrik, You can't set all of those restrictions like command= though you can disable TCP forwarding at compile time in
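What a per-key restriction amounts to when it is enforced, as an added example (Python, not Dropbear's own option-parsing code): a parser for OpenSSH-style authorized_keys lines with command= and the no-* options, a check that the base64 blob names the same key type as the line, and the decision of which channel requests the key permits. It serves this thread, the port-forwarding question above, and the 2016.72 advisory on X11 forwarding and command=. Assumptions: the option names are the OpenSSH ones (which of them a given Dropbear build honours is not claimed), a key carrying an unknown option is rejected rather than accepted unrestricted, and the key blobs used in the checks are constructed placeholders, not real keys.

```python
import base64
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Key types and option names follow the OpenSSH authorized_keys syntax; which
# of them a particular Dropbear build honours is not claimed here.
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
FLAG_OPTIONS = {"no-port-forwarding", "no-x11-forwarding", "no-agent-forwarding", "no-pty"}

@dataclass
class KeyEntry:
    key_type: str
    blob: bytes
    comment: str = ""
    forced_command: Optional[str] = None
    flags: frozenset = frozenset()

def _split_options(line: str) -> Tuple[List[str], str]:
    """Split the leading options field off `line`: comma-separated, double quotes
    protect commas and whitespace, backslash escapes apply inside quotes.
    Returns (options, rest_of_line)."""
    items, cur, quoted, i = [], [], False, 0
    while i < len(line):
        c = line[i]
        if quoted and c == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            items.append("".join(cur))
            cur = []
        elif c.isspace() and not quoted:
            items.append("".join(cur))
            return items, line[i:].lstrip()
        else:
            cur.append(c)
        i += 1
    raise ValueError("unterminated quote or no key after the options field")

def parse_authorized_key(line: str) -> Optional[KeyEntry]:
    """Parse one authorized_keys line; None for blank and comment lines.
    Unknown options raise instead of being skipped: a key whose restrictions
    the server does not understand must not be accepted unrestricted."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options: List[str] = []
    if line.split(None, 1)[0] not in KEY_TYPES:
        options, line = _split_options(line)
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("malformed or unsupported key line")
    blob = base64.b64decode(parts[1], validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != parts[0].encode():   # the blob names its own type; it must agree
        raise ValueError("key type does not match blob")
    entry = KeyEntry(parts[0], blob, parts[2] if len(parts) == 3 else "")
    flags = set()
    for opt in options:
        name, eq, value = opt.partition("=")
        name = name.lower()
        if name == "command" and eq:
            entry.forced_command = value
        elif name in FLAG_OPTIONS and not eq:
            flags.add(name)
        else:
            raise ValueError(f"unknown or malformed option {opt!r}")
    entry.flags = frozenset(flags)
    return entry

def is_acceptable(line: str) -> bool:
    try:
        return parse_authorized_key(line) is not None
    except ValueError:
        return False

def effective_command(entry: KeyEntry, requested: Optional[str]) -> Optional[str]:
    # command= overrides whatever the client asked for.
    return entry.forced_command if entry.forced_command is not None else requested

def channel_allowed(entry: KeyEntry, request: str) -> bool:
    """request is 'pty', 'tcp-forward', 'x11' or 'agent'. Design choice of this
    example, not Dropbear's behaviour: a key carrying command= also refuses X11
    forwarding, since the xauth invocation is a path around the forced command."""
    deny = {"pty": "no-pty", "tcp-forward": "no-port-forwarding",
            "x11": "no-x11-forwarding", "agent": "no-agent-forwarding"}
    if deny[request] in entry.flags:
        return False
    return not (request == "x11" and entry.forced_command is not None)

def fake_blob(key_type: str) -> str:
    # Constructed placeholder for the checks: right type prefix, junk key material.
    raw = struct.pack(">I", len(key_type)) + key_type.encode() + b"\x00" * 16
    return base64.b64encode(raw).decode()
```

Note that the restrictions live with the key, which is why they cannot apply to password logins: there is no per-credential record to attach them to, so the only lever left for password users is a build-wide one such as compiling out TCP forwarding.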

Re: Dropbear 2017.75

2017-05-19 Thread Matt Johnston
On Fri, May 19, 2017 at 02:37:28PM +0200, Guilhem Moulin wrote: > Hi Matt, > > On Thu, 18 May 2017 at 23:02:09 +0800, Matt Johnston wrote: > > Dropbear 2017.75 is released. This has a couple of security > > fixes and a couple of bug fixes since 2016.74. > > FYI https

Re: OpenWrt/LEDE: dropbear & MIPS & gcc 7.1.0

2017-06-01 Thread Matt Johnston
Hi Syrone, Updating libtom makes sense, it's on the todo list. I'm curious if it's a bug in old libtommath or new gcc. In my experience differences between optimisation levels are more often problems with the compiler, but could be either. If you could get a backtrace of a stuck "dbclient"

Re: proof-of-concept ed25519 crypto and other additions implemented

2017-10-04 Thread Matt Johnston
Hi Péter, Thank you for the work. I think most of these look useful and could be merged. I'll have a closer look over them in the next week or so with some more detailed comments. A few comments for now: - I'm tending to avoid "make CONFIGVAR=1", I think all of yours can be in options.h

Re: ssh disconnects due to corrupt packet (dropbear compiled with DEBUG_TRACE)

2017-10-11 Thread Matt Johnston
Hi, It looks like you're running it from inetd and the TRACE output is ending up getting sent over the network socket. The length 1414676803 is 'TRAC' converted to ASCII. I guess dropbear is running with "-E", or what is the configuration? That won't work, you'll need to log to syslog instead
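The length sanity check behind several of these threads (the packet size being the first field decrypted, the expectation that packets stay under 32 kB, and the 1414676803 diagnosis above), as an added example in Python rather than Dropbear's C: validate the decrypted first block of an SSH binary packet before trusting its length, and render the four length bytes as text so a bogus value identifies itself. The 35000-byte ceiling is the RFC 4253 minimum-acceptance figure and an assumption here, as is the cipher block size of 8.

```python
import struct
from typing import Optional, Tuple

# RFC 4253 section 6.1 requires every implementation to accept packets up to
# 35000 bytes total. Using that as the ceiling is an assumption of this
# example; a claimed length beyond it is treated as corruption (wrong key,
# non-SSH bytes on the socket) and rejected before anything is allocated.
MAX_PACKET_LENGTH = 35000


class BadPacket(ValueError):
    pass


def check_packet_length(first_block: bytes, block_size: int = 8) -> int:
    """Sanity-check the decrypted first block of an SSH binary packet.

    Returns packet_length, or raises BadPacket. The message includes the four
    length bytes as text, which is how 1414676803 shows up as 'TRAC'.
    """
    if len(first_block) < 5:
        raise BadPacket("need at least 5 decrypted bytes")
    (packet_length,) = struct.unpack(">I", first_block[:4])
    padding_length = first_block[4]
    if not 5 <= packet_length <= MAX_PACKET_LENGTH:
        raise BadPacket(f"implausible packet_length {packet_length} "
                        f"(length bytes {first_block[:4]!r}): wrong key or non-SSH data")
    if (4 + packet_length) % block_size:
        raise BadPacket(f"packet_length {packet_length} + 4 is not a multiple of {block_size}")
    if padding_length < 4 or padding_length >= packet_length:
        raise BadPacket(f"bad padding_length {padding_length}")
    return packet_length


def length_problem(first_block: bytes, block_size: int = 8) -> Optional[str]:
    """The check failure as text, or None when the length field is plausible."""
    try:
        check_packet_length(first_block, block_size)
        return None
    except BadPacket as exc:
        return str(exc)


def describe_length(first_block: bytes) -> str:
    """Show a length field as decimal, hex and text for log diagnosis."""
    (n,) = struct.unpack(">I", first_block[:4])
    return f"{n} = 0x{n:08x} = {first_block[:4].decode('ascii', 'replace')!r}"


def build_packet(payload: bytes, block_size: int = 8) -> bytes:
    """Frame payload as an unencrypted, un-MACed SSH binary packet (RFC 4253 section 6)."""
    padding_length = block_size - (5 + len(payload)) % block_size
    if padding_length < 4:
        padding_length += block_size
    packet_length = 1 + len(payload) + padding_length
    return struct.pack(">IB", packet_length, padding_length) + payload + bytes(padding_length)


def parse_packet(data: bytes, block_size: int = 8, mac_length: int = 0) -> Tuple[bytes, bytes]:
    """Return (payload, remaining bytes) for the packet at the front of data."""
    packet_length = check_packet_length(data[:block_size], block_size)
    end = 4 + packet_length + mac_length
    if len(data) < end:
        raise BadPacket(f"truncated: have {len(data)} bytes, packet needs {end}")
    padding_length = data[4]
    return data[5:4 + packet_length - padding_length], data[end:]
```

`describe_length(b"TRACE: ...")` gives `1414676803 = 0x54524143 = 'TRAC'`, the same arithmetic as the diagnosis above; the habit of printing a rejected length field as text turns a baffling number into an immediate pointer at whatever was written to the socket.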

Re: ssh login stuck at "expecting SSH2_MSG_KEX_ECDH_REPLY"

2017-10-24 Thread Matt Johnston
Hi Hari, Can you get a backtrace of the stuck dropbear process in 2) ? That might suggest what's going wrong. Cheers, Matt > On Mon 23/10/2017, at 7:12 pm, Hariharasubramanian Ramasubramanian > wrote: > > ssh login gets stuck at "expecting SSH2_MSG_KEX_ECDH_REPLY" at

Re: Dropbear Tunnels

2018-05-21 Thread Matt Johnston
Hi John, The reason it's not supported is that no one has implemented it yet. I don't have plans to, but if someone wants to send an implementation it could be added. Are you interested in client or server? Cheers, Matt > On Sat 19/5/2018, at 12:19 am, John wrote: > >

Re: OpenSSH drop-in replacement

2018-06-13 Thread Matt Johnston
Hi Martin, Dropbear should be able to do 1, it will send the PAM_TEXT_INFO as a SSH banner. SSH clients may display that before asking for a username though, I haven't tested. Dropbear can't change usernames though. Cheers, Matt > On Wed 13/6/2018, at 4:21 pm, Martin van Es wrote: > > Hi, >
