Mario Gartner | 29 Jan 11:37 2014
Picon

Interactive QoS with `scp'

Hi!

I experimented with dropbear 2013.62 and its new QoS handling according to the changelog.
While I see the changed behavior when using non-pty ssh connections, I still get the "interactive" TOS in
sent IP packets when using `scp'.
My assumption was that scp should be considered bulk/no-pty. Did I miss something?

Here are some command examples and the resulting TOS captured with tcpdump.

# normal ssh --> uses IPTOS_LOWDELAY == OK!
ssh 14.64.1.4
tos 0x10

# option -T for no-pty --> uses IPTOS_THROUGHPUT == OK!
ssh -T 14.64.1.4
tos 0x8

# ssh with command (implies no-pty) --> uses IPTOS_THROUGHPUT == OK!
ssh 14.64.1.4 "date"
tos 0x8

# scp --> Still uses IPTOS_LOWDELAY! i.e. NOT OK(?)
scp /tmp/file.dat 14.64.1.4:/tmp/
tos 0x10

[The TOS of the initial packets during connection establishment was 0 and then changed to the mentioned
values, which is OK and expected]

One more thing:
Using TOS is actually obsoleted. "Modern" implementations should use the DS Field and DSCP classes as
(Continue reading)

Bruno Thomsen | 28 Jan 15:18 2014
Picon

Elliptic Curve host key and -R argument bug

Hi,

I have observed some strange dropbear behavior with the -R argument (Create hostkeys as required) and
Elliptic Curve host keys.
The result is an extremely large temporary host key file (multiple megabytes).

SSH client: Google Chrome extension: Secure Shell 0.8.25

1) Connect to dropbear running without arguments and a single host key (ecdsa-sha2-nistp521) in /etc/dropbear/dropbear_ecdsa_host_key
2) Stop dropbear
3) Remove old host key and generate a single new host key (ecdsa-sha2-nistp256) in /etc/dropbear/dropbear_ecdsa_host_key
4) Start dropbear with -R argument
5) Reconnect to dropbear and it generate an extremely large host key (process never ends).

Result:
root <at> target:~ ll /etc/dropbear/
total 54508
dr--------    2 root     root          1024 Jan 28 13:38 .
drwxrwxr-x   19 root     root          1024 Jan 28 12:09 ..
-r--------    1 root     root           140 Jan 28 13:35 dropbear_ecdsa_host_key
-rw-------    1 root     root      55593054 Jan 28 13:39 dropbear_ecdsa_host_key.tmp377
root <at> target:~ ll /etc/dropbear/
total 66001
dr--------    2 root     root          1024 Jan 28 13:38 .
drwxrwxr-x   19 root     root          1024 Jan 28 12:09 ..
-r--------    1 root     root           140 Jan 28 13:35 dropbear_ecdsa_host_key
-rw-------    1 root     root      67316589 Jan 28 13:40 dropbear_ecdsa_host_key.tmp377
root <at> target:~ ll /etc/dropbear/
total 70657
dr--------    2 root     root          1024 Jan 28 13:38 .
(Continue reading)

Gui Iribarren | 28 Jan 14:13 2014
Picon

[REGRESSION] ssh link-local addresses fails with "Servname not supported for ai_socktype"

Hello,
I bumped into an... interesting... regression introduced by

http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2013q2/001390.html

which breaks the possibility to connect to ipv6 link-local addresses, 
since '%' is actually the separator for the interface identifier.

symptom is:
# ssh fe80::f8d1:11ff:fea0:fc%wlan0
ssh: Exited: Error resolving 'fe80::f8d1:11ff:fea0:fc' port 'wlan0'.
Servname not supported for ai_socktype

and jow
https://lists.openwrt.org/pipermail/openwrt-devel/2014-January/023526.html
kindly pointed me to this mailing list.

given it was introduced by a one-liner, maybe another one-liner could 
fix it?

Signed-off-by: Gui Iribarren <gui <at> altermundi.net>

---

diff --git a/cli-runopts.c b/cli-runopts.c
index 8ffd997..acf738e 100644
--- a/cli-runopts.c
+++ b/cli-runopts.c
 <at>  <at>  -620,7 +620,7  <at>  <at>  static void parse_hostname(const char* orighostarg) {
                 cli_opts.username = m_strdup(cli_opts.own_user);
(Continue reading)

Erik Ahlén | 23 Jan 15:18 2014

[PATCH] Save errno in signal handler

# HG changeset patch
# User Erik Ahlén <erik.ahlen <at> avaloninnovation.com>
# Date 1390486572 -3600
# Node ID ea7299f800ce161f93ee8ad684a340c643620f26
# Parent  dd0bd9231fc2444d1bd0113ebeab1129a48045a8
Save errno in child signal handler as it can interfere with select.

diff -r dd0bd9231fc2 -r ea7299f800ce svr-main.c
--- a/svr-main.c        Fri Jan 17 21:42:32 2014 +0800
+++ b/svr-main.c        Thu Jan 23 15:16:12 2014 +0100
 <at>  <at>  -336,6 +336,7  <at>  <at> 
 /* catch + reap zombie children */
 static void sigchld_handler(int UNUSED(unused)) {
        struct sigaction sa_chld;
+       int old_errno = errno;

        while(waitpid(-1, NULL, WNOHANG) > 0);

 <at>  <at>  -344,6 +345,8  <at>  <at> 
        if (sigaction(SIGCHLD, &sa_chld, NULL) < 0) {
                dropbear_exit("signal() error");
        }
+
+       errno = old_errno;
 }

 /* catch any segvs */

Oliver Metz | 20 Jan 21:53 2014

Bug in rekeying

Hi,

we see a bug when the rekey limit is reached. Dropbear is run on a embedded mips device. For testing purposes
we changed the define in sysoptions.h to:
#define KEX_REKEY_DATA (1<<21)

This gives the following log:
...
TRACE (5619) 1389521630.365826: send_msg_channel_data: len 16375 fd 0
TRACE (5619) 1389521630.372597: leave send_msg_channel_data
TRACE (5619) 1389521630.373003: send normal readfd
TRACE (5619) 1389521630.373316: enter send_msg_channel_data
TRACE (5619) 1389521630.373707: enter send_msg_channel_data isextended 0 fd 0
TRACE (5619) 1389521630.374120: maxlen 16375
TRACE (5619) 1389521630.374595: send_msg_channel_data: len 16375 fd 0
TRACE (5619) 1389521630.381393: leave send_msg_channel_data
TRACE (5619) 1389521630.381798: rekeying after timeout or max data reached
TRACE (5619) 1389521630.382441: send_msg_kexdh_init()
TRACE (5619) 1389521630.391507: DATAALLOWED=0
TRACE (5619) 1389521630.391861: -> KEXINIT
TRACE (5619) 1389521630.392163: maybe_empty_reply_queue - no data allowed
TRACE (5619) 1389521630.769376: empty queue dequeing
TRACE (5619) 1389521630.769747: maybe_empty_reply_queue - no data allowed
TRACE (5619) 1389521631.234696: process_packet: packet type = 93, len 9
TRACE (5619) 1389521631.235255: enter session_cleanup
TRACE (5619) 1389521631.235565: enter cli_tty_cleanup
TRACE (5619) 1389521631.235865: leave cli_tty_cleanup: not in raw mode
TRACE (5619) 1389521631.236376: enter chancleanup
TRACE (5619) 1389521631.236683: channel 0 closing
TRACE (5619) 1389521631.237056: enter remove_channel
(Continue reading)

connectnet@web.de | 13 Jan 17:05 2014
Picon

Dropbear Portforwarding question

Hi!
I have a ssh connection from my mobile phone to my homeserver like ssh -i  
my_key 4444:localhost:2222 name <at> homeserver.com
Dopbear is listening at mobile phone at 2222 with command #dropear -a -p  
2222 and works.
So I would like to initiate a Socks 5 Proxy connection from my firefox at  
homeserver to the mobile phone like
"ssh -i mykey -p 4444 root <at> localhost -D 55555 N" and setting in firefox  
the network connection to socks5 127.0.0.1 port 55555.

But it doesnt works. Could you help me please to find out how fix this?

Greetings,
connectnet

Roy Tam | 15 Dec 08:49 2013
Picon
Gravatar

ChaCha20-Poly1305 in dropbear?

Hello list,

I read this slashdot entry:
http://it.slashdot.org/story/13/12/11/173213/openssh-has-a-new-cipher-chacha20-poly1305-from-dj-bernstein

and I wonder if dropbear will have follow up regarding this?

Ciao,
Roy

Mike Frysinger | 9 Dec 02:26 2013
Picon
Gravatar

[patch] simplify install links

there's no need to do `rm; ln` when `ln -f` will do the same thing

also, for softlinks in the bindir, just use relative ones rather than absolute
-mike

--- a/Makefile.in	Tue Dec 03 22:00:38 2013 +0800
+++ b/Makefile.in	Sun Dec 08 20:25:54 2013 -0500
 <at>  <at>  -126,15 +126,13  <at>  <at>  install: $(addprefix inst_, $(TARGETS))

 insmultidropbear: dropbearmulti
 	$(INSTALL) -d $(DESTDIR)$(sbindir)
-	-rm -f $(DESTDIR)$(sbindir)/dropbear$(EXEEXT)
-	-ln -s $(bindir)/dropbearmulti$(EXEEXT) $(DESTDIR)$(sbindir)/dropbear$(EXEEXT) 
+	-ln -sf $(bindir)/dropbearmulti$(EXEEXT) $(DESTDIR)$(sbindir)/dropbear$(EXEEXT)
 	$(INSTALL) -d $(DESTDIR)$(mandir)/man8
 	$(INSTALL) -m 644 dropbear.8  $(DESTDIR)$(mandir)/man8/dropbear.8

 insmulti%: dropbearmulti
 	$(INSTALL) -d $(DESTDIR)$(bindir)
-	-rm -f $(DESTDIR)$(bindir)/$*$(EXEEXT) 
-	-ln -s $(bindir)/dropbearmulti$(EXEEXT) $(DESTDIR)$(bindir)/$*$(EXEEXT) 
+	-ln -sf dropbearmulti$(EXEEXT) $(DESTDIR)$(bindir)/$*$(EXEEXT)
 	$(INSTALL) -d $(DESTDIR)$(mandir)/man1
 	$(INSTALL) -m 644 $*.1  $(DESTDIR)$(mandir)/man1/$*.1

Mike Frysinger | 9 Dec 02:21 2013
Picon
Gravatar

[patch] fix multi install (wrt scp.1)

a change was made to the Makefile.in so install wouldn't fail when trying to
install scp.1.  but that fix wasn't also made to the multiscp install target.
-mike

--- a/Makefile.in
+++ b/Makefile.in
 <at>  <at>  -136,7 +136,7  <at>  <at>  insmulti%: dropbearmulti
 	-rm -f $(DESTDIR)$(bindir)/$*$(EXEEXT) 
 	-ln -s $(bindir)/dropbearmulti$(EXEEXT) $(DESTDIR)$(bindir)/$*$(EXEEXT) 
 	$(INSTALL) -d $(DESTDIR)$(mandir)/man1
-	$(INSTALL) -m 644 $*.1  $(DESTDIR)$(mandir)/man1/$*.1
+	if test -e $*.1; then $(INSTALL) -m 644 $*.1 $(DESTDIR)$(mandir)/man1/$*.1; fi

 # dropbear should go in sbin, so it needs a seperate rule
 inst_dropbear: dropbear
Mike Frysinger | 9 Dec 02:11 2013
Picon
Gravatar

[patch] fix constant relinking when using multi builds

turn dropbearmulti into a real target so we don't constantly re-link it

otherwise make has no idea what "multibinary" is and so always re-links it
-mike

--- a/Makefile.in
+++ b/Makefile.in
 <at>  <at>  -175,10 +175,10  <at>  <at>  ifeq ($(MULTI),1)
 	CFLAGS+=$(addprefix -DDBMULTI_, $(PROGRAMS)) -DDROPBEAR_MULTI
 endif

-dropbearmulti: multilink 
+dropbearmulti$(EXEEXT): $(HEADERS) $(MULTIOBJS) $(LIBTOM_DEPS) Makefile
+	$(CC) $(LDFLAGS) -o $ <at>  $(MULTIOBJS) $(LIBS)

-multibinary: $(HEADERS) $(MULTIOBJS) $(LIBTOM_DEPS) Makefile
-	$(CC) $(LDFLAGS) -o dropbearmulti$(EXEEXT) $(MULTIOBJS) $(LIBS)
+multibinary: dropbearmulti$(EXEEXT)

 multilink: multibinary $(addprefix link, $(PROGRAMS))

Steffen Daode Nurpmeso | 5 Dec 19:15 2013
Picon

-Y that proxies over a socket, á la -J 'nc HOST PORT'

Hello,
first of all -- thanks for Dropbear.
It made me get rid of all remaining rlogin(1) use cases, because
it's so small and inexpensive!

One problem i had with plain, user mode network stack qemu(1)
hostfwd= VMs, however, which yet ended up as, e.g.,

  $ dbclient -J 'nc HOST PORT' steffen <at> crux3

The patch dbear-Y.diff implements a simple replacements of the
arguments of connect_remote(), so that the above ends up without
intermediate nc(1) proxy:

  $ dbclient -Y [HOST:]PORT steffen <at> crux3

Well, i really don't want to miss it again..
dbear-a2i-trail.diff checks that there is no trailing garbage in
the argument to m_str_to_uint(), which silently hit me when
i (stupid) tested -Y with hexadecimal port numbers.
Greetings to Beautiful Australia and ciao,

--steffen
Attachment (dbear-Y.diff): text/x-diff, 4916 bytes
Attachment (dbear-a2i-trail.diff): text/x-diff, 893 bytes

Gmane