Alexis-externe DAVOUX | 28 Feb 17:39 2013

Problem with Dropbear/dbclient as SFTP client

Hi,

I have some trouble with dropbear used as an SFTP client.

I've set up an SFTP server on my machine, which works fine. I've tested the connection to the server with the FileZilla client.
I've tried connecting to the SFTP server with dropbear using the command:

dbclient -s user@host sftp

I can authenticate successfully, and I get the welcome message, but after that I can't do anything: it seems that dbclient is waiting for some command but nothing seems to work. I've tried entering 'ls', 'cd /test', 'get test.txt', 'pwd', ... but nothing happens when I confirm with Enter.

How can I use dbclient as an SFTP client? What is the correct syntax?

Thanks in advance,
Best regards,

Alexis
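The symptom in the post above (a successful login to the sftp subsystem, then no reaction to anything typed) follows from the SFTP protocol itself: the subsystem speaks framed binary packets, starting with SSH_FXP_INIT, not text commands, so a program that understands the packet format has to drive the channel. The Python below is an added illustration written for this page, not code from the thread or from dropbear; the server reply it decodes is constructed inline. It builds the client's SSH_FXP_INIT, parses an SSH_FXP_VERSION reply, and shows what a server makes of the bytes "pwd" plus newline arriving on the channel.

```python
import struct

# Packet types from the SSH File Transfer Protocol (draft-ietf-secsh-filexfer).
SSH_FXP_INIT = 1
SSH_FXP_VERSION = 2
SFTP_VERSION = 3  # protocol version most servers, OpenSSH included, negotiate


def put_uint32(n: int) -> bytes:
    return struct.pack(">I", n)


def put_string(b: bytes) -> bytes:
    """SSH 'string': uint32 length followed by the bytes themselves."""
    return put_uint32(len(b)) + b


def frame(ptype: int, body: bytes) -> bytes:
    """SFTP framing: uint32 length, one type byte, then the body."""
    payload = bytes([ptype]) + body
    return put_uint32(len(payload)) + payload


def build_init(version: int = SFTP_VERSION) -> bytes:
    """First packet an SFTP client sends; the server does nothing until it arrives."""
    return frame(SSH_FXP_INIT, put_uint32(version))


def build_version_reply(version: int, extensions: dict) -> bytes:
    """Constructed SSH_FXP_VERSION reply, used as the sample server input below."""
    body = put_uint32(version)
    for name, value in extensions.items():
        body += put_string(name.encode()) + put_string(value.encode())
    return frame(SSH_FXP_VERSION, body)


def declared_length(data: bytes) -> int:
    """The packet length a server reads from the first four bytes on the channel."""
    if len(data) < 4:
        raise ValueError("fewer than 4 bytes: the length field is not even complete")
    return struct.unpack(">I", data[:4])[0]


def parse_packet(data: bytes):
    """Split one framed packet into (type, body, remaining bytes)."""
    length = declared_length(data)
    if length < 1 or len(data) < 4 + length:
        raise ValueError(f"declared length {length} but only {len(data) - 4} bytes follow")
    return data[4], data[5:4 + length], data[4 + length:]


def parse_version(data: bytes):
    """Decode an SSH_FXP_VERSION packet into (version, {extension name: data})."""
    ptype, body, rest = parse_packet(data)
    if ptype != SSH_FXP_VERSION:
        raise ValueError(f"expected SSH_FXP_VERSION (2), got type {ptype}")
    if rest:
        raise ValueError("unexpected bytes after the version packet")
    if len(body) < 4:
        raise ValueError("version packet too short")
    version = struct.unpack(">I", body[:4])[0]
    body = body[4:]
    extensions = {}
    while body:
        items = []
        for _ in range(2):  # extension-name, extension-data
            if len(body) < 4 or len(body) < 4 + struct.unpack(">I", body[:4])[0]:
                raise ValueError("truncated extension pair")
            n = struct.unpack(">I", body[:4])[0]
            items.append(body[4:4 + n].decode())
            body = body[4 + n:]
        extensions[items[0]] = items[1]
    return version, extensions


def explain_typed_command(text: str) -> str:
    """What the sftp subsystem makes of a shell-style command typed at the channel."""
    raw = text.encode()
    try:
        length = declared_length(raw)
    except ValueError as exc:
        return f"{text.strip()!r}: {exc}; the server keeps waiting"
    return (f"{text.strip()!r} is consumed as a packet length of {length} bytes; "
            f"the server now waits for that many more bytes before doing anything")


if __name__ == "__main__":
    print("SSH_FXP_INIT:", build_init().hex())  # 000000050100000003
    print(explain_typed_command("pwd\n"))
    print(explain_typed_command("ls\n"))
    reply = build_version_reply(SFTP_VERSION, {"posix-rename@openssh.com": "1"})
    print("SSH_FXP_VERSION decoded:", parse_version(reply))
```

Run directly, it shows that "pwd" plus newline is swallowed as a length field of roughly 1.9 GB, so the server sits waiting for the rest of a packet that never comes, while "ls" plus newline is three bytes, short of even the length field. A terminal attached to the subsystem can therefore never get a reply; the framing has to be produced by an SFTP client program.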
Paul Eggleton | 20 Feb 17:51 2013

RFC: PATCH: Allow configuring "allow blank password option" at runtime

Hi there,

Attached is a patch we've developed for dropbear within the Yocto Project to 
avoid the need to rebuild dropbear when we wish to disable the ability to log 
into accounts that have a blank password set. It removes the compile-time 
option and adds a -B command-line option which enables the functionality.

We'd really like to see this (or something like it) upstream. If an 
alternative implementation would be preferred please let me know.

Cheers,
Paul

-- 
Paul Eggleton
Intel Open Source Technology Centre	
Attachment (nopw-option-hg.patch): text/x-patch, 2972 bytes
dbextern | 3 Jan 14:58 2013

(unknown)

Hi Matt, 

thank you for the quick response.

# 7 seconds seems slow. Where said that it's a common problem?
# I get around 1 second to SSH to a raspberry pi (700mhz "ARMv6").
# Was it built with the same compiler and compile options?
# Leaving optimisation off could make that difference.

I found a few posts on the mailing list about that topic. 
(for example: http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2011q1/001098.html
or http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2011q3/001149.html)
The CPU is at 100% during the login. 
Both versions have been compiled with the same external setup. 
When the dropbear is the only process running the time is reduced to ~3s which is still a lot slower than the
V0.52 (that does it in less than 1s).
Were Options added between those versions that could have an impact? Did maybe the libtommath/crypt
change? 

# I can't see how it wouldn't ask for a password unless
# there's -g or -s on the commandline. Does "ssh -v" show just
# "Authentications that can continue: publickey", not
# "publickey,password" ?

The server gives a 
"Authentications that can continue: publickey".
It is started without any options. 

Regards
Sebastian

-

Sebastian Fett, R&D
T +49-7191-9669-0, F +49-7191-950000, Sebastian.Fett <at> dbaudio.com, www.dbaudio.com

d&b audiotechnik GmbH, Eugen-Adolff-Straße 134, 71522 Backnang, Germany
Geschäftsführer: Frank Bothe, Markus Strohmeier
Finanzen: Kay Lange; Marketing: Simon Johnston
Sitz: Backnang; Amtsgericht Stuttgart, HRB 725789

From:	Matt Johnston <matt <at> ucc.asn.au>
To:	dbextern <at> gmx.de, 
Cc:	dropbear <at> ucc.asn.au
Date:	03.01.2013 12:51
Subject:	Re: Issues after Update from 0.52 to 2012.55; login time; password auth

Hi,

7 seconds seems slow. Where said that it's a common problem?
I get around 1 second to SSH to a raspberry pi (700mhz "ARMv6").
Was it built with the same compiler and compile options?
Leaving optimisation off could make that difference.

I can't see how it wouldn't ask for a password unless
there's -g or -s on the commandline. Does "ssh -v" show just
"Authentications that can continue: publickey", not
"publickey,password" ?

Cheers,
Matt

On Thu, Jan 03, 2013 at 12:10:51PM +0100, dbextern <at> gmx.de wrote:
> Hello!
> 
> I'm using dropbear on an embedded system with uCLinux. It works great. And first I want to thank all of you
> for the work you put in it.
> 
> After reading about the security fix I updated the dropbear from a (very stable and fast) 0.52 to the new 2012.55.
> 
> After the update two things changed. The login time increased a lot. From next to nothing to about 7s (on a
> 600MHz CPU). I read that this is a common problem, and that my 7s are still quite good. I'm just surprised
> about the increase. 
> 
> Secondly the dropbear does not allow password login anymore (the server only gives back "pubkey" as
> available option). The according defines in the options.h are still active though. And the dropbear is
> started without -s. I'm out of ideas what to try to enable it again. When I just replace the dropbear
> executable with the 0.52 version it works again.
> 
> Any thoughts and advice are highly appreciated. Thank you in advance.
> 
> Regards
> Sebastian
> 

dbextern | 3 Jan 12:10 2013

Issues after Update from 0.52 to 2012.55; login time; password auth

Hello!

I'm using dropbear on an embedded system with uCLinux. It works great. And first I want to thank all of you for
the work you put in it.

After reading about the security fix I updated the dropbear from a (very stable and fast) 0.52 to the new 2012.55.

After the update two things changed. The login time increased a lot. From next to nothing to about 7s (on a
600MHz CPU). I read that this is a common problem, and that my 7s are still quite good. I'm just surprised
about the increase. 

Secondly the dropbear does not allow password login anymore (the server only gives back "pubkey" as
available option). The according defines in the options.h are still active though. And the dropbear is
started without -s. I'm out of ideas what to try to enable it again. When I just replace the dropbear
executable with the 0.52 version it works again.

Any thoughts and advice are highly appreciated. Thank you in advance.

Regards
Sebastian

Artur Artamonov | 19 Dec 08:55 2012

Support of nonexistent user login for alternative auth.

This patch adds support for nonexistent users.
Authentication goes through PAM.
A default user and default shell are used, under which
everything is launched.

There was the same problem as mentioned in:
http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2012q3/001304.html

Ben Jencks | 11 Dec 06:11 2012

[PATCH] IPv6 bracket notation for listen addresses in -p

Updates parsing of the -p option to handle [2001:dba::]:22 style IPv6
addresses. This allows binding to specific IPv6 addresses, rather than
having to bind to all addresses in order to get any IPv6 support. For
example, you can now listen on IPv6 only with -p [::]:22.

This has been done before at [1], but I thought that patch
was kind of ugly so I wrote my own.

Please CC me on responses as I'm not subscribed to the list.

[1]
https://lists.openwrt.org/pipermail/openwrt-devel/2009-May/004299.html

diff -ur dropbear-2012.55.orig/svr-runopts.c dropbear-2012.55/svr-runopts.c
--- dropbear-2012.55.orig/svr-runopts.c	2012-02-23 08:47:06.000000000 -0500
+++ dropbear-2012.55/svr-runopts.c	2012-12-10 23:17:28.496729985 -0500
 <at>  <at>  -324,8 +324,23  <at>  <at> 
 		/* We don't free it, it becomes part of the runopt state */
 		myspec = m_strdup(spec);

-		/* search for ':', that separates address and port */
-		svr_opts.ports[svr_opts.portcount] = strchr(myspec, ':');
+		if (myspec[0] == '[') {
+			myspec++;
+			svr_opts.ports[svr_opts.portcount] = strchr(myspec, ']');
+			if (svr_opts.ports[svr_opts.portcount] == NULL) {
+				/* Unmatched [ -> exit */
+				dropbear_exit("Bad listen address");
+			}
+			svr_opts.ports[svr_opts.portcount][0] = '\0'; 
+			svr_opts.ports[svr_opts.portcount]++;
+			if (svr_opts.ports[svr_opts.portcount][0] != ':') {
+				/* Missing port -> exit */
+				dropbear_exit("Missing port");
+			}
+		} else {
+			/* search for ':', that separates address and port */
+			svr_opts.ports[svr_opts.portcount] = strchr(myspec, ':');
+		}

 		if (svr_opts.ports[svr_opts.portcount] == NULL) {
 			/* no ':' -> the whole string specifies just a port */
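Review bot: the bracket branch accepts an empty address: for `[]:22` the `]` check and the `:` check both pass and an empty string goes on as the bind address, so add a check that the character after the advanced `myspec` is not `]` (or that the address has non-zero length) and exit with "Bad listen address". Both new dropbear_exit() calls would also be more useful with the offending spec in the message, e.g. dropbear_exit("Bad listen address '%s'", spec). The diff touches only svr-runopts.c, so the -p usage text needs a line mentioning the [addr]:port form as well.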

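The grammar the patch above implements, a bare port, addr:port, or [addr]:port, together with its two exit conditions, as an added Python illustration written for this page rather than dropbear code. It goes slightly beyond the patch with three checks the C does not make: an empty bracketed address is refused, an unbracketed IPv6 address is refused because its colons make addr:port ambiguous, and the port must be in 1..65535. The 2001:db8::/32 addresses are documentation-prefix examples.

```python
import sys

PORT_MIN, PORT_MAX = 1, 65535


def parse_listen_spec(spec: str):
    """Split one -p argument into (address, port); address is None for a bare port.

    Accepted forms: PORT, ADDR:PORT, [ADDR]:PORT. The bracket form and its two
    failures ("Bad listen address" for an unmatched '[' and "Missing port") follow
    the patch. Added here, not in the patch: an empty bracketed address is
    rejected, a bare IPv6 address (more than one ':') is rejected because
    ADDR:PORT cannot be split unambiguously, and the port must be 1..65535.
    """
    if spec.startswith("["):
        close = spec.find("]")
        if close < 0:
            raise ValueError(f"Bad listen address {spec!r}: unmatched '['")
        address, rest = spec[1:close], spec[close + 1:]
        if not address:
            raise ValueError(f"Bad listen address {spec!r}: empty address in brackets")
        if not rest.startswith(":"):
            raise ValueError(f"Missing port in {spec!r}")
        port_text = rest[1:]
    elif spec.count(":") > 1:
        raise ValueError(f"Bad listen address {spec!r}: write IPv6 addresses as [addr]:port")
    elif ":" in spec:
        address, port_text = spec.split(":", 1)
        if not address:
            raise ValueError(f"Bad listen address {spec!r}: empty address before ':'")
    else:
        address, port_text = None, spec
    if not port_text.isdigit() or not PORT_MIN <= int(port_text) <= PORT_MAX:
        raise ValueError(f"Bad port {port_text!r} in {spec!r}")
    return address, int(port_text)


def parse_listen_specs(specs):
    """Parse every -p argument, refusing an exact duplicate (address, port) pair."""
    seen = []
    for spec in specs:
        pair = parse_listen_spec(spec)
        if pair in seen:
            raise ValueError(f"Duplicate listen spec {spec!r}")
        seen.append(pair)
    return seen


def rejects(spec: str) -> bool:
    """True when spec is refused; convenient for the negative cases."""
    try:
        parse_listen_spec(spec)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    args = sys.argv[1:] or ["22", "192.0.2.1:2222", "[::]:22", "[2001:db8::1]:2222"]
    for address, port in parse_listen_specs(args):
        print(f"bind {address if address is not None else '<all>'} port {port}")
    for bad in ("[::1", "[::1]", "[]:22", "::1:22", "[::1]:0"):
        print(f"{bad!r}: rejected={rejects(bad)}")
```

Run without arguments it parses the four sample specs and then shows each malformed one being refused; pass your own specs as arguments to try others.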
Loganaden Velvindron | 7 Dec 20:53 2012

diff to backoff a little running out of fds

Based on similar work done by OpenBSD for sshd,

I came up with this:
The idea is to prevent spinning when out of file descriptors by
backing off for a while.

Suggestions ?

diff -r 63f8d6c469cf svr-main.c
--- a/svr-main.c	Thu May 17 00:26:12 2012 +0800
+++ b/svr-main.c	Sat Dec 08 03:48:40 2012 +0400
 <at>  <at>  -226,9 +226,10  <at>  <at> 
 			remoteaddrlen = sizeof(remoteaddr);
 			childsock = accept(listensocks[i],
 					(struct sockaddr*)&remoteaddr, &remoteaddrlen);
-
 			if (childsock < 0) {
 				/* accept failed */
+				if(errno == EMFILE || errno == ENFILE)
+					usleep(100*1000);
 				continue;
 			}

-- 
Brightest day,
Blackest night,
No bug shall escape my sight,
And those who worship evil's mind,
be wary of my powers,
puffy lantern's light !

Artur Artamonov | 7 Dec 07:32 2012

PAM environment variable exporting to user shell

Here is a patch that exports PAM environment variables to the user's launched
shell. This allows sending some info to a shell
that is authenticated through dropbear.

diff -upN a/auth.h b/auth.h
--- a/auth.h	2012-02-23 15:47:05.000000000 +0200
+++ b/auth.h	2012-12-05 13:01:58.161786510 +0200
 <at>  <at>  -76,6 +76,10  <at>  <at>  void cli_auth_interactive();
 char* getpass_or_cancel(char* prompt);
 void cli_auth_pubkey_cleanup();

+#ifdef ENABLE_SVR_PAM_AUTH
+extern char **pam_env_list;
+#endif
+

 #define MAX_USERNAME_LEN 25 /* arbitrary for the moment */
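Review bot: the extern is placed between the client-side prototypes (cli_auth_pubkey_cleanup) and MAX_USERNAME_LEN; a server-only global defined in svr-authpam.c reads better next to the other server declarations, with a comment stating that svr_auth_pam() fills it and execchild() consumes it, since nothing in the header says who owns it.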

diff -upN a/svr-authpam.c b/svr-authpam.c
--- a/svr-authpam.c	2012-02-23 15:47:06.000000000 +0200
+++ b/svr-authpam.c	2012-12-05 13:04:24.415780751 +0200
 <at>  <at>  -44,6 +44,8  <at>  <at>  struct UserDataS {
 	char* passwd;
 };

+char **pam_env_list=NULL;
+
 /* PAM conversation function - for now we only handle one message */
 int 
 pamConvFunc(int num_msg, 
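Review bot: `char **pam_env_list=NULL;` needs spaces around `=` to match the file's style, and as the only cross-file state introduced by the patch it should carry a one-line comment on its lifetime (set once on successful auth, never freed in the parent).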
 <at>  <at>  -243,6 +245,8  <at>  <at>  void svr_auth_pam() {
 			svr_ses.addrstring);
 	send_msg_userauth_success();

+	pam_env_list = pam_getenvlist( pamHandlep );
+
 cleanup:
 	if (password != NULL) {
 		m_burn(password, passwordlen);
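Review bot: pam_getenvlist( pamHandlep ) runs after send_msg_userauth_success() and its result is neither checked nor released here; it returns NULL on failure (the consumer checks that) and an allocated list that is kept on purpose for execchild(), so add a comment stating that intent, and drop the spaces inside the parentheses. Taking the list before the success message is sent would let a failure there still be acted on, and note that it captures the PAM environment at this point in svr_auth_pam(); variables set by any later PAM call are not picked up.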
diff -upN a/svr-chansession.c b/svr-chansession.c
--- a/svr-chansession.c	2012-02-23 15:47:06.000000000 +0200
+++ b/svr-chansession.c	2012-12-05 13:07:42.470013005 +0200
 <at>  <at>  -936,6 +936,15  <at>  <at>  static void execchild(void *user_data) {
 	}
 #endif

+#ifdef ENABLE_SVR_PAM_AUTH
+	if ( pam_env_list ) {
+		while ( *pam_env_list ) {
+			putenv( *pam_env_list );
+			pam_env_list++;
+		}
+	}
+#endif
+
 	/* change directory */
 	if (chdir(ses.authstate.pw_dir) < 0) {
 		dropbear_exit("Error changing directory");
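Review bot: the loop advances the global itself (`pam_env_list++`), so the head of the list is lost once it has been walked; iterate with a local `char **p = pam_env_list` instead. putenv() keeps the pointer rather than copying, which is fine since the strings outlive the exec, but nothing filters what the PAM stack exported, so anything a module sets (PATH, LD_PRELOAD, ...) lands in the user's environment, and whether it overrides or is overridden by the rest of execchild()'s environment setup (not in this hunk) depends on where this block sits relative to it. Decide which should win and document it in the comment.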
Attachment (600-add_pamenv.patch): text/x-patch, 1451 bytes
Paul Horn | 18 Nov 01:29 2012

initramfs ip network overrides /etc/network settings

I have a question on networking and initramfs interaction. I already
posted this on the Ubuntu forums, but wondered if someone on this list
might have more familiarity with the underpinnings of dropbear and
initramfs. I'm decent with Linux but this is new territory for me.

Installing Ubuntu 12.10 server, 64 bit, on some new hardware. Working on
using dropbear / ssh to remotely unlock LUKS volumes at boot, generally
following the outline posted by hacksr at
http://hacksr.blogspot.com/2012/05/ssh-unlock-with-fully-encrypted-ubuntu.html.

The install is very basic at this point: an SSH server, apt-get
update/upgrade complete, and a static IP address set for eth0 in
/etc/network/interfaces. It boots quickly prior to installing dropbear.

After installing dropbear, initramfs starts networking on bootup. By
default, it uses DHCP. It is also possible to set a static IP. That much
I have working, and can remotely ssh in when the server starts and is
waiting for the luks passphrase. Thanks to the second script at the
above how-to, I can also enter the unlock passphrase in the dropbear
session and start the server.

What I can't figure out, and haven't found a post anywhere that
addresses this, is that once this process completes and the server
continues to boot, the network remains somehow under "control" of
initramfs. Boot process stops for several minutes "waiting for network
configuration" in spite of the static IP settings for both initramfs and
/etc/network/interfaces. Once it finally starts, any settings in
/etc/network/interfaces are ignored. If the IP addresses don't match, I
end up with the one in initramfs. If initramfs uses dhcp, I get that
address once the server fully boots.

    * "service networking restart" changes nothing.
    * "ifdown eth0" says that eth0 is not configured.
    * "ifup eth0" returns "RTNETLINK answers: File exists. Failed to
bring up eth0."
    * /run/network has only the loopback entries. There are no longer
entries for eth0 or the static network directory.

Am I missing a script in the /scripts/init-bottom or local-bottom where
dropbear shuts down? Or is this expected behavior when initramfs uses
the network at boot?

 - Paul

Salatiel Filho | 8 Nov 11:17 2012

Support for port numbers in known_hosts

Would it be possible to add support for port numbers in known_hosts
lines created by dbclient, just like OpenSSH?
I ask this because if I have multiple ssh servers behind the same
fqdn on different ports (port forwarding to different servers),
dbclient will complain about a bad key every time I try to connect to a
different port on the same fqdn.

Thanks!

[]'s
Salatiel
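OpenSSH's convention for what the post asks for, as an added Python illustration written for this page rather than dbclient code: a non-default port is recorded as [host]:port in the first field of a known_hosts line, and hashed lines (HashKnownHosts, ssh-keyscan -H) store |1|base64(salt)|base64(HMAC-SHA1(salt, name)) over that same name. The sample known_hosts text and the key blobs are constructed placeholders. The lookup takes a port_aware flag so one file shows both outcomes: with the port folded into the name, three servers behind one fqdn each match their own entry; without it, the port-2222 server's key is compared against the port-22 entry and reported as a mismatch, which is the complaint above.

```python
import base64
import hashlib
import hmac
import os

DEFAULT_PORT = 22


def known_hosts_name(host: str, port: int = DEFAULT_PORT) -> str:
    """OpenSSH host field: plain 'host' for port 22, '[host]:port' otherwise."""
    return host if port == DEFAULT_PORT else f"[{host}]:{port}"


def hash_host_field(name: str, salt: bytes = None) -> str:
    """Hashed host field: |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=name))."""
    if salt is None:
        salt = os.urandom(20)
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_field_matches(field: str, name: str) -> bool:
    """Match a plain (possibly comma-separated) or hashed host field against name."""
    if field.startswith("|1|"):
        parts = field.split("|")
        if len(parts) != 4:
            return False
        salt = base64.b64decode(parts[2])
        expected = base64.b64decode(parts[3])
        actual = hmac.new(salt, name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, actual)
    return name in field.split(",")


def find_host_key(known_hosts: str, host: str, port: int, key_type: str,
                  port_aware: bool = True):
    """Return the stored key blob for (host, port, key_type), or None if absent.

    port_aware=False reproduces a client that keys entries on the bare host name
    regardless of port. Lines with @cert-authority/@revoked markers are skipped
    here, so they fall through to 'unknown'; a real client must honour them.
    """
    name = known_hosts_name(host, port) if port_aware else host
    for line in known_hosts.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        host_field, found_type, key = fields[0], fields[1], fields[2]
        if found_type == key_type and host_field_matches(host_field, name):
            return key
    return None


def check_host_key(known_hosts, host, port, key_type, presented_key, port_aware=True):
    """Outcome a client would report: 'match', 'mismatch' or 'unknown'."""
    stored = find_host_key(known_hosts, host, port, key_type, port_aware)
    if stored is None:
        return "unknown"
    if hmac.compare_digest(stored.encode(), presented_key.encode()):
        return "match"
    return "mismatch"


# Constructed sample: one fqdn forwarding three ports to three different hosts.
# The key blobs are placeholders, not real public keys.
KEY_22 = base64.b64encode(b"placeholder-key-behind-port-22").decode()
KEY_2222 = base64.b64encode(b"placeholder-key-behind-port-2222").decode()
KEY_2223 = base64.b64encode(b"placeholder-key-behind-port-2223").decode()
FIXED_SALT = bytes(range(20))  # fixed so the hashed line below is reproducible
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts for gw.example.com",
    f"gw.example.com ssh-rsa {KEY_22}",
    f"[gw.example.com]:2222 ssh-rsa {KEY_2222}",
    f"{hash_host_field('[gw.example.com]:2223', FIXED_SALT)} ssh-rsa {KEY_2223}",
])

if __name__ == "__main__":
    for port, key in ((22, KEY_22), (2222, KEY_2222), (2223, KEY_2223)):
        aware = check_host_key(SAMPLE_KNOWN_HOSTS, "gw.example.com", port, "ssh-rsa", key)
        bare = check_host_key(SAMPLE_KNOWN_HOSTS, "gw.example.com", port, "ssh-rsa", key,
                              port_aware=False)
        print(f"port {port}: port-aware={aware} bare-host={bare}")
```

The comparison of the stored and presented blobs uses hmac.compare_digest only to avoid a habit of variable-time string comparison in key-handling code; the blobs are public, so timing is not the concern here.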

chinna obireddy | 25 Sep 10:39 2012

Dropbear calling my own command-line parser rather than /bin/sh

Dear All,


As per the thread http://thread.gmane.org/gmane.network.ssh.dropbear/68/focus=75 I successfully made changes to launch a CLI application with dropbear ssh.

But PuTTY (SSH client) is still asking for a login name, though this is not going to be used. It looks weird for the user to be asked for a user name twice, since the CLI application has its own authentication method.

Suggest how I can completely ignore authentication packets on the server side.

--Reddy.
