Sebastian Haag | 13 May 00:44 2006

"premature exit: string too long"

Hi,

I'm using dropbear 0.48.1 and have a little problem with the public/private 
keys.

I generated the public and private keys with dropbearkey and copied the public 
key to "/etc/dropbear/dropbear_rsa_host_key" (on the SERVER, where 'dropbear' 
is running/should run). This file is readable and writeable only to user 
root. The content is: ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAAAgwChT3x47P43i1yc5KrUodYJYlKl7efDqt9x6fF/doazGT3t3hcC/rBpKzIqRUFFrER54rIMnt4ngPQ1J0NsOlpg4sRnIV5V4D4kFDinBZax5Fg4vUJQ2vh2LBioXTRDYr5gaDQfMS7X6pXJ5NiDTE5k8GddBiRPR/INm1scSo/q0qZz
(without any linebreaks or anything else)

Do I have to append username@host or anything else?

When I want to start dropbear (with 'dropbear'), I get the following message: 
"premature exit: string too long".

I think I misunderstood something essential in public-key-authentication. Is 
there a howto where to put which key when using dropbear?

I found something like that:
"To create a new RSA key to store in ~/.ssh/id_rsa.db, you can use the 
following command: 

  dropbearkey -t rsa -f ~/.ssh/id_rsa.db

The public key part of the new key will be printed to the screen. You can put 
it into the ~/.ssh/authorized_keys file on all machines where you want to be 
able to login using your new private key stored in ~/.ssh/id_rsa.db"


Matt Johnston | 13 May 06:42 2006

Re: "premature exit: string too long"

On Sat, May 13, 2006 at 12:44:07AM +0200, Sebastian Haag wrote:
> Hi,
> 
> I'm using dropbear 0.48.1 and have a little problem with the public/private 
> keys.
> 
> I generated the public and private keys with dropbearkey and copied the public 
> key to "/etc/dropbear/dropbear_rsa_host_key" (on the SERVER, where 'dropbear' 
> is running/should run). This file is readable and writeable only to user 
> root. 

> When I want to start dropbear (with 'dropbear'), I get the following message: 
> "premature exit: string too long".

The /etc/dropbear/dropbear_rsa_host_key file is the server's
_private_ key, used for all sessions (even password authed)
so that the client knows that it's talking to the same
server each time. This is independent of using public keys for
user auth. If you generate a key using dropbearkey and copy
the private key part to dropbear_rsa_host_key, it should
work fine.

If you then want to use public key authentication, on the
client you have to generate a key, then paste the public
part into ~/.ssh/authorized_keys on the server. If you're
using dbclient then you'd generate it with dropbearkey and
specify it with "dbclient -i ~/.ssh/id_rsa.db", otherwise
you'd use the client-specific key generator - dbclient for
OpenSSH, PuTTYgen for putty, etc.
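
A check for the mix-up described in this reply, as an added example that is not part of the original thread and is not dropbear's code. It assumes the server's host key file is stored in SSH wire format, starting with a length-prefixed key type name; `classify_key` and `EXAMPLE_MAX_STRING_LEN` are hypothetical names. Under that assumption the ASCII bytes `ssh-` at the start of a pasted public key read as a string length of 1936943149, the kind of value a "string too long" check rejects.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed sanity limit on one length-prefixed string; a stand-in for the
 * server's own constant, not a value taken from the thread. */
#define EXAMPLE_MAX_STRING_LEN 1400u

enum key_kind { KEY_TOO_SHORT, KEY_PUBLIC_TEXT, KEY_WIRE_FORMAT, KEY_UNKNOWN };

/* SSH wire-format strings carry a big-endian uint32 length prefix. */
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Classify the start of a key file. *first_len receives the value a binary
 * parser would take as the first string length. */
enum key_kind classify_key(const unsigned char *buf, size_t len, uint32_t *first_len)
{
    if (len < 4)
        return KEY_TOO_SHORT;
    *first_len = be32(buf);
    /* One-line text form, as pasted into authorized_keys: "ssh-rsa <base64>" */
    if (len >= 8 && (memcmp(buf, "ssh-rsa ", 8) == 0 || memcmp(buf, "ssh-dss ", 8) == 0))
        return KEY_PUBLIC_TEXT;
    /* Binary form: plausible length, then a key type name such as "ssh-rsa". */
    if (*first_len >= 4 && *first_len <= EXAMPLE_MAX_STRING_LEN &&
        (size_t)*first_len <= len - 4 && memcmp(buf + 4, "ssh-", 4) == 0)
        return KEY_WIRE_FORMAT;
    return KEY_UNKNOWN;
}

int main(int argc, char **argv)
{
    unsigned char head[64];
    uint32_t n = 0;
    FILE *f = argc > 1 ? fopen(argv[1], "rb") : NULL;
    if (!f) { fprintf(stderr, "usage: %s <keyfile>\n", argv[0]); return 2; }
    size_t got = fread(head, 1, sizeof head, f);
    fclose(f);
    switch (classify_key(head, got, &n)) {
    case KEY_PUBLIC_TEXT:
        printf("text public key; a binary parser reads length %u (limit %u)\n",
               (unsigned)n, EXAMPLE_MAX_STRING_LEN);
        return 1;
    case KEY_WIRE_FORMAT: puts("binary key, first string length looks sane"); return 0;
    default: puts("not recognised as a key file"); return 1;
    }
}
```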


Sebastian Haag | 14 May 16:06 2006

Re: "premature exit: string too long"

Thank you very much for your help.

Sorry, but I didn't get it running... now I get "no auth methods could be 
used". When I start dbclient with option "-i", it says "Ignoring unknown 
argument...".

My system/what I did:

server (dropbear) -> 192.168.0.20:
+ dropbear started as root (dropbear -v -F 
-r /etc/dropbear/dropbear_rsa_host_key) [see trace (1)]
+ -rw-------    1 root root  427 ... dropbear_rsa_host_key
+ /root/.ssh/authorized_keys contains public key of client:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgwCG ... 7ITwqih9hTB9ItPfgtggvclIVlMzVJ= 
root@192.168.0.23
It doesn't make any difference if I append user@host or not.
+ -rw-------   1 root root 232 ... authorized_keys

client (dbclient) -> 192.168.0.23
+ generated new keys on client
+ private key in id_rsa.db / public key appended to authorized_keys on the 
server
+ under user root: dbclient -v -l root 192.168.0.20  [see trace (2)]
(+ 'dbclient -i id_rsa.db -v -l root 192.168.0.20' results in 
WARNING: Ignoring unknown argument `-i`)
+ on the server side I get the appended trace (3)

I don't know what's wrong, but could it be that this problem occurs because I 
compiled dropbear and dbclient statically against uclibc? (btw I use the 
original version of options.h).

Matt Johnston | 14 May 17:10 2006

Re: "premature exit: string too long"

On Sun, May 14, 2006 at 04:06:59PM +0200, Sebastian Haag wrote:
> Thank you very much for your help.
> 
> Sorry, but I didn't get it running... now I get "no auth methods could be 
> used". When I start dbclient with option "-i", it says "Ignoring unknown 
> argument...".

> I don't know what's wrong, but could it be that this problem occurs because I 
> compiled dropbear and dbclient statically against uclibc? (btw I use the 
> original version of options.h).

dbclient not recognising the -i option (and the server not
allowing password auth) really sounds like a modified
options.h. Perhaps "make clean", ensure it's the standard
options.h, then make it again?

Let me know how that goes, if that doesn't help we can debug
it further.

Matt

Sebastian Haag | 14 May 18:04 2006

Re: "premature exit: string too long"

so, I downloaded a fresh copy of dropbear, compiled it and ... you were right!

I don't know how but I guess I mixed up my options.h-files.

thank you very much for your time and your useful hints.

Sebastian

On Sunday, 14 May 2006 17:10, Matt Johnston wrote:
> On Sun, May 14, 2006 at 04:06:59PM +0200, Sebastian Haag wrote:
> > Thank you very much for your help.
> >
> > Sorry, but I didn't get it running... now I get "no auth methods could be
> > used". When I start dbclient with option "-i", it says "Ignoring unknown
> > argument...".
> >
> > I don't know what's wrong, but could it be that this problem occurs because
> > I compiled dropbear and dbclient statically against uclibc? (btw I use
> > the original version of options.h).
>
> dbclient not recognising the -i option (and the server not
> allowing password auth) really sounds like a modified
> options.h. Perhaps "make clean", ensure it's the standard
> options.h, then make it again?
>
> Let me know how that goes, if that doesn't help we can debug
> it further.
>
> Matt


Sebastian Haag | 16 May 15:34 2006

exit after auth (root): couldn't change user as non-root

Hi,

next problem:

I'm using pubkey auth which works fine. But after auth I get the following
message on the client: "exit after auth (root): couldn't change user as
non-root".

dbclient and dropbear are started by user "root". dropbear runs in an embedded
system, emulated by qemu. I tested the whole thing on 2 "real" machines
(running suse linux) and it worked. So I guess something's wrong with my
root filesystem on the emulated embedded system. E.g. there is no command
'su'...

When and why does the prog try to change the user? And why isn't that operation
performed as 'root' (server and client are both started as 'root')?

Probably I made a mistake in my user configuration (on the server), so I
appended the files below:

/etc/passwd
root:x:0:0:root:/root:/bin/sh
httpd:x:1001:1001:webuser:/usr/httpd:/bin/sh

/etc/group
root:x:0:
httpd:x:1001:

Has anyone else gotten this message before?

Sebastian Haag | 16 May 22:36 2006

Re: exit after auth (root): couldn't change user as non-root

On Tuesday, 16 May 2006 17:33, Matt Johnston wrote:
> That's quite strange. The code in question is:
>
>     if (getuid() == 0) {
>         if ((setgid(ses.authstate.pw->pw_gid) < 0) ||
>             (initgroups(ses.authstate.pw->pw_name,
>                         ses.authstate.pw->pw_gid) < 0)) {
>             dropbear_exit("error changing user group");
>         }
>         if (setuid(ses.authstate.pw->pw_uid) < 0) {
>             dropbear_exit("error changing user");
>         }
>     } else {
>         if (getuid() != ses.authstate.pw->pw_uid) {
>             dropbear_exit("couldn't change user as non-root");
>         }
>     }
>
> so getuid() must not be 0, ie it's not root. That doesn't
> depend on the config files at all as far as I know - it's
> asking it straight from the kernel.
>
> You could change the exit message to
> dropbear_exit("couldn't change user as non-root user %d", getuid());
> and see what it prints - perhaps the emulated environment
> can't emulate root?
>
> Matt

I changed the exit message and got as return value -1. That's funny cause 

Rob Landley | 18 May 21:35 2006

Re: exit after auth (root): couldn't change user as non-root

On Tuesday 16 May 2006 4:36 pm, Sebastian Haag wrote:
> I changed the exit message and got as return value -1. That's funny cause
> getuid() shouldn't return error codes... ;-)
>
> So I checked my kernel config and found under "General setup" the option
> "Enable 16 bit UID calls", activated it and getuid() now works properly.

Upgrade your uClibc.  I believe the current one (0.9.28) doesn't make obsolete 
syscalls anymore.

Rob
-- 
Never bet against the cheap plastic solution.
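
A privilege drop that reports the failure mode from this thread separately, as an added example that is not part of the original messages and is not dropbear's code. It follows the order of the snippet quoted above, treats a `getuid()` result of -1 as broken uid syscalls rather than as "non-root", and verifies the ids after the drop; `plan_drop` and `drop_to_user` are hypothetical names.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* for initgroups() on glibc */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum drop_plan { PLAN_BROKEN_UID, PLAN_DROP, PLAN_ALREADY_TARGET, PLAN_REFUSE };

/* Decision step kept pure so it can be checked without being root. */
enum drop_plan plan_drop(uid_t current, uid_t target)
{
    if (current == (uid_t)-1)   /* getuid() has no error return */
        return PLAN_BROKEN_UID;
    if (current == 0)
        return PLAN_DROP;
    return current == target ? PLAN_ALREADY_TARGET : PLAN_REFUSE;
}

/* Returns NULL on success, otherwise a static reason string. */
const char *drop_to_user(const struct passwd *pw)
{
    switch (plan_drop(getuid(), pw->pw_uid)) {
    case PLAN_BROKEN_UID:     return "getuid() returned -1: uid syscalls unavailable";
    case PLAN_REFUSE:         return "couldn't change user as non-root";
    case PLAN_ALREADY_TARGET: return NULL;
    case PLAN_DROP:           break;
    }
    /* Groups first, uid last: after setuid() the groups can no longer be changed. */
    if (setgid(pw->pw_gid) < 0 || initgroups(pw->pw_name, pw->pw_gid) < 0)
        return "error changing user group";
    if (setuid(pw->pw_uid) < 0)
        return "error changing user";
    /* Verify the result instead of trusting the return codes alone. */
    if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid || getgid() != pw->pw_gid)
        return "ids do not match target after drop";
    if (pw->pw_uid != 0 && setuid(0) == 0)
        return "root could be regained after drop";
    return NULL;
}

int main(void)
{
    struct passwd *pw = getpwuid(getuid());   /* demo target: the current user */
    const char *err = pw ? drop_to_user(pw) : "no passwd entry for current uid";
    puts(err ? err : "running with the target user's ids");
    return err ? 1 : 0;
}
```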

