Joel Johnson | 5 Jan 17:44 2012

Dropbear pubkey regression

(Posted as an unsubscribed user but didn't get moderated through, 
reposting after subscribing, I apologize for potential duplicates).

I'm using dropbear via OpenWrt and have recently updated from version 
0.52 to version 0.53.1. I'm having an issue where previously my 
authorized_keys via SSH worked fine issuing a command, but under the 
newer versions it doesn't. I took a quick glance at the diff between the 
tags for 0.52 and 0.53.1, and don't see anything that stands out 
(mainly looked at svr-chansession.c and svr-authpubkeyoptions.c).

The behavior I'm seeing is when using an authorized_keys entry with any 
of the no-port-forwarding,no-pty,no-X11-forwarding,no-agent-forwarding 
options set, a command specified by the SSH client is not executed, but 
blocks indefinitely. The SSH_ORIGINAL_COMMAND is correctly set, and in 
fact can be used as a workaround (by setting 
command="$SSH_ORIGINAL_COMMAND" in the auth_keys entry), but the command 
requested by the client is never executed in 0.53.1 whether using 
ptycommand() or noptycommand(), when it was correctly executed in 0.52.

Is direct invocation of commands known to be broken, intentionally 
disabled (should at least return and provide an error message)?

This was tested with 0.53.1 and not with 2011.54, but nothing seems to 
stand out that this has been fixed since 0.53.1.

As a point of reference with the full details, the OpenWrt ticket I 
opened is https://dev.openwrt.org/ticket/10676.

Thanks,
Joel
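
A forced-command wrapper to pair with the restrictive authorized_keys options discussed above, as an added example that is not part of the original post or of Dropbear. The script name `ssh-gate`, its path and the allowlist entries are assumptions made for illustration; it runs the client's request only when `SSH_ORIGINAL_COMMAND` exactly matches an allowlisted line.

```shell
#!/bin/sh
# Hypothetical wrapper, installed e.g. as /usr/local/bin/ssh-gate and set as
# the forced command in authorized_keys (key material is a placeholder):
#   command="/usr/local/bin/ssh-gate",no-port-forwarding,no-pty,no-X11-forwarding,no-agent-forwarding ssh-rsa <KEY> comment

# Constructed allowlist: the exact command lines this key may run.
ALLOWED='uptime
df -h
logread'

# Return 0 only if $1 is exactly one allowlisted line.
is_allowed() {
    req=$1
    [ -n "$req" ] || return 1
    # grep treats each line of a pattern as its own pattern, so a request
    # containing a newline must be refused before matching.
    case $req in
        *'
'*) return 1 ;;
    esac
    # -F fixed string, -x whole line: "uptime; id" does not match "uptime".
    printf '%s\n' "$ALLOWED" | grep -Fxq -- "$req"
}

# Run the vetted request, or refuse with an error instead of blocking.
gate() {
    if is_allowed "${SSH_ORIGINAL_COMMAND:-}"; then
        set -f                          # no glob expansion while splitting
        set -- $SSH_ORIGINAL_COMMAND    # plain word split, no eval
        set +f
        exec "$@"
    fi
    echo "rejected: command not permitted for this key" >&2
    return 1
}

# Only act when invoked under the wrapper's own name, so the functions can
# also be sourced and exercised on their own.
case $0 in
    *ssh-gate) gate ;;
esac
```

Because the request is matched as a whole line and then executed without `eval`, shell metacharacters appended by the client never reach a shell.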

sl Bay | 6 Jan 15:30 2012

Dropbear pubkey regression

Hi Joel Johnson

Maybe the same problem I had recently (see my posts: http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2011q4/001202.html).

Before version 0.53.1, the pubkeys in the format "pubkey encoding==commentkey" or "pubkey encoding=
commentkey" were accepted (eg. key generated with these formats by PuTTYgen if PuTTYgen version<0.61).

I was able to reuse my old keys by removing the "=" between the encoding of the pubkey and commentary, the
format : "pubkey encoding commentkey" (with space between pubkey and comment)

Andreas Zoeller | 8 Jan 10:46 2012

Initiate a reverse tunnel connection from a remote OpenWRT device

I try to establish a reverse ssh tunnel. Until now with no success.

The system I want to access is an Edimax BR6104KP with OpenWRT trunk and dropbear and a Huawei E220 G3-modem. I have access to the internet.

My home system is using an AVM Fritzbox 7270 which is also running dropbear as server with "./dropbear -a -E"
From the BR6104KP I can establish a ssh-connection to the Fritzbox with "ssh -l root -R 7722:localhost:22 mydomain.org"
I have now access from the BR6104KP to the Fritzbox and can execute commands on the Fritzbox's commandline.

But the purpose is to have a reverse tunnel from the Fritzbox at home to the BR6104KP which will be installed at a remote location. So I establish the connection with "ssh -l root -f -N -g -R 7722:localhost:80 mydomain.org", I get the password-request and the connection disappears in the background.
When I try now to establish this reverse channel from the Fritzbox to the BR6104KP with "./ssh -p 7722 localhost" I get the following:

# ./ssh  -p 7722 localhost
./ssh: Connection to root@localhost:7722 exited: Remote closed the connection
#

Any idea what is the problem?
Is it possible to run such a reverse ssh tunnel with dropbear (version 2011.54) as client and server?
Or do I need openssh on the server (Fritzbox)?
Do I need an additional server daemon who handles port 22? I have also tried to forward port 23 (telnetd is running on the BR6104KP) but with same result.
Is it possible to forward several ports (e.g. 80 and 22)?

best regards

A. Zoeller

Matt Johnston | 9 Jan 11:31 2012

Re: Initiate a reverse tunnel connection from a remote OpenWRT device

It looks like you're trying to listen on port 7722 for both
the port 22 and port 80 cases? I think anything that works
in OpenSSH should work in Dropbear 2011.54 (at least for
ipv4). 0.53(.1) had bugs with -R forwarding.

Cheers, Matt

On Sun, Jan 08, 2012 at 09:46:14AM +0000, Andreas Zoeller wrote:
> I try to establish a reverse ssh tunnel. Until now with no success.
>
> The system I want to access is an Edimax BR6104KP with OpenWRT trunk and
> dropbear and a Huawei E220 G3-modem. I have access to the internet.
>
> My home system is using an AVM Fritzbox 7270 which is also running dropbear as server with "./dropbear -a -E"
> From the BR6104KP I can establish a ssh-connection to the Fritzbox with "ssh -l root -R 7722:localhost:22 mydomain.org"
> I have now access from the BR6104KP to the Fritzbox and can execute commands on the Fritzbox's commandline.
>
> But the purpose is to have a reverse tunnel from the Fritzbox at home to
> the BR6104KP which will be installed at a remote location. So I establish the connection with
> "ssh -l root -f -N -g -R 7722:localhost:80 mydomain.org", I get the password-request and the
> connection disappears in the background.
>
> When I try now to establish this reverse channel from the Fritzbox to the BR6104KP
> with "./ssh -p 7722 localhost" I get the following:
>
> # ./ssh  -p 7722 localhost
> ./ssh: Connection to root@localhost:7722 exited: Remote closed the connection
> #
>
> Any idea what is the problem?
> Is it possible to run such a reverse ssh tunnel with dropbear (version 2011.54) as client and server?
> Or do I need openssh on the server (Fritzbox)?
> Do I need an additional server daemon who handles port 22? I have also tried to forward port 23 (telnetd is
> running on the BR6104KP) but with same result.
>
> Is it possible to forward several ports (e.g. 80 and 22)?
>
> best regards
>
> A. Zoeller

Chandan Tiwari | 10 Jan 12:21 2012

Query regarding dropbear

Hi….

I've installed dropbear 0.53.1 on my linux machine and I tried to request remote port forwarding by assigning the port to listen as 0 using the command:

dbclient -R 0:<ip address>:22 user@<ip address> but it gave the error message that it is unable to start port forwarding at port no 0. I also looked in the source code of Dropbear from which I found that it is not supported with dropbear but in RFC 4254, section 7, page 16 it is mentioned that if we assign 0 as port no then the ssh server should assign the next available port to the client.

Please tell me whether it is mandatory to support this type of port forwarding by assigning the port as 0.

Please reply as soon as possible.

Thanks and Regards,

Chandan Tiwari
NEC HCL ST.
Noida, India

Matt Johnston | 10 Jan 15:04 2012

Re: Query regarding dropbear

That should work in 2011.54

Cheers,
Matt

On Tue, Jan 10, 2012 at 04:51:25PM +0530, Chandan Tiwari wrote:
> Hi....
> 
>  
> 
> I've installed dropbear 0.53.1 on my linux machine and I tried to
> request for remote port forwarding  by assigning the port to listen as 0
> using the command : 
> 
> dbclient  -R 0:<ip address>:22 user@<ip address> but it gave the error
> message that it is unable to start port forwarding at port no 0 , I also
> looked in the source code of Dropbear from which I found that it is not
> supported with dropbear but in RFC 4254,section 7, page 16 it is
> mentioned that if we assign 0 as port no then the ssh server should
> assign the next available port to the client.
> 
> Please tell me that whether it is mandatory to support this type of port
> forwarding by assigning the port as 0. 
> 
>  Please reply as soon as possible.
> 
>  
> 
> Thanks and Regards,
> 
>  
> 
> Chandan Tiwari
> 
> NEC HCL ST.
> 
> Noida,India
> 

