Matt Johnston | 3 Dec 15:04 2013

Dropbear 2013.62 released


I've put up Dropbear 2013.62. It has only a few changes
since the 2013.61test release. The major features of 2013.61test 
are ECC support (significantly faster connections) and
generating hostkeys automatically.

Downloads as usual at or


2013.62 - Tuesday 3 December 2013

- Disable "interactive" QoS connection options when a connection doesn't
  have a PTY (eg scp, rsync). Thanks to Catalin Patulea for the patch.

- Log when a hostkey is generated with -R, fix some bugs in handling server
  hostkey commandline options

- Fix crash in Dropbearconvert and 521 bit key, reported by NiLuJe

- Update config.guess and config.sub again

2013.61test - Thursday 14 November 2013

- ECC (elliptic curve) support. Supports ECDSA hostkeys (requires new keys to
  be generated) and ECDH for setting up encryption keys (no intervention

Catalin Patulea | 2 Dec 10:54 2013

[PATCH] Set IPTOS_LOWDELAY on PTY sessions only

Signed-off-by: Catalin Patulea <cat <at>>
 cli-chansession.c |  1 +
 dbutil.c          | 29 +++++++++++++++++++++--------
 dbutil.h          |  2 ++
 includes.h        |  4 ++++
 svr-chansession.c |  2 ++
 5 files changed, 30 insertions(+), 8 deletions(-)

diff --git a/cli-chansession.c b/cli-chansession.c
index 0ee3e85..b99e073 100644
--- a/cli-chansession.c
+++ b/cli-chansession.c
 <at>  <at>  -369,6 +369,7  <at>  <at>  static int cli_initchansess(struct Channel *channel) {

 	if (cli_opts.wantpty) {
+		set_sock_priority(ses.sock_out);
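
Review bot: the new call under `if (cli_opts.wantpty)` marks only `ses.sock_out`; if the client's input and output descriptors can differ, or `sock_out` is not a socket at all, the call has to fail harmlessly, so check how set_sock_priority handles a setsockopt error on that path. A one-line comment above the call saying that low-delay marking is reserved for PTY sessions would also keep a later reader from moving it back to connection setup.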

diff --git a/dbutil.c b/dbutil.c
index ce88731..4f15027 100644
--- a/dbutil.c
+++ b/dbutil.c
 <at>  <at>  -177,28 +177,41  <at>  <at>  void dropbear_trace2(const char* format, ...) {
 #endif /* DEBUG_TRACE */

-static void set_sock_priority(int sock) {
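
Review bot: `set_sock_priority` loses its `static` here so that cli-chansession.c can call it, which makes it part of dbutil's interface; the two lines added to dbutil.h should include a comment stating that callers are expected to invoke it only once a session is known to be interactive. The commit message has only a subject and a sign-off, so the reason for the move (bulk transfers should not be marked low-delay) should be recorded there as well.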

Catalin Patulea | 26 Nov 06:15 2013

[PATCH] Fix TRACEs of cli_send_netcat_request

Signed-off-by: Catalin Patulea <cat <at>>
 cli-chansession.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/cli-chansession.c b/cli-chansession.c
index ed80453..0ee3e85 100644
--- a/cli-chansession.c
+++ b/cli-chansession.c
 <at>  <at>  -398,6 +398,7  <at>  <at>  void cli_send_netcat_request() {
 	const unsigned char* source_host = "";
 	const int source_port = 22;

+	TRACE(("enter cli_send_netcat_request"))
 	cli_opts.wantpty = 0;

 	if (send_msg_channel_open_init(STDIN_FILENO, &cli_chan_netcat) 
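
Review bot: the enter TRACE added before `cli_opts.wantpty = 0;` is only useful if every exit is traced as well; the `if (send_msg_channel_open_init(STDIN_FILENO, &cli_chan_netcat)` branch that follows is a failure path, and if it can return rather than terminate the process it needs its own leave TRACE so that enter/leave pairs stay balanced in debug logs.
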
 <at>  <at>  -414,7 +415,7  <at>  <at>  void cli_send_netcat_request() {
 	buf_putint(ses.writepayload, source_port);

-	TRACE(("leave cli_send_chansess_request"))
+	TRACE(("leave cli_send_netcat_request"))
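
Review bot: the stale name fixed here (`cli_send_chansess_request` inside `cli_send_netcat_request`) comes from hand-typing the function name into each TRACE string, so the same copy-paste slip can recur elsewhere. Where the compilers Dropbear targets allow it, passing `__func__` to TRACE would remove the duplication; otherwise a grep of the file's other enter/leave pairs for mismatched names belongs in this same patch.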




Catalin Patulea | 23 Nov 10:52 2013

TOS byte for bulk transfers

I noticed that dropbear sets IPTOS_LOWDELAY on all sockets:

This is great for interactive sessions, but not ideal for bulk
transfer sessions like scp or sftp. Many networks ignore the TOS byte,
but on my local network I respect it because I trust my devices and
wish to prioritize some of them (SIP phone).

The problem that I ran into was that an sftp upload slowed all the
rest of my Internet traffic to a crawl because it was prioritized.
Ideally I would like dropbear to not set that TOS byte for bulk

The definition of "bulk transfer" seems a bit hard to pin down. Would
any "subsystem" request cause the connection to be considered bulk?
That covers sftp but what about scp. Would bulk sessions also disable
TCP_NODELAY? What about sshfs mounts (sftp subsystem) where file
operations may happen as a result of interactive user actions (low
latency is desirable)?

Is this the right place to solve this problem? Should I be fixing this
at the network layer in some way?
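
The behaviour this thread led to in 2013.62 (low-delay marking only for sessions with a PTY), as an added C example that is not Dropbear's code: `session_tos`, `apply_session_tos` and `read_tos` are hypothetical names, and a POSIX sockets API is assumed. It also handles a descriptor that has no IP header to mark, such as a pipe.

```c
#include <errno.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical policy: only a session with a PTY counts as interactive;
 * scp/rsync/sftp-style sessions keep the default (unmarked) TOS. */
int session_tos(int has_pty) {
	return has_pty ? IPTOS_LOWDELAY : 0;
}

/* Apply the policy to fd. Returns 0 if marked, 1 if fd has no IP header
 * to mark (pipe, AF_UNIX socket), -1 on any other error. */
int apply_session_tos(int fd, int has_pty) {
	struct sockaddr_storage ss;
	socklen_t len = sizeof(ss);
	int tos = session_tos(has_pty);

	if (getsockname(fd, (struct sockaddr *)&ss, &len) < 0)
		return errno == ENOTSOCK ? 1 : -1;
	if (ss.ss_family == AF_INET)
		return setsockopt(fd, IPPROTO_IP, IP_TOS, &tos, sizeof(tos)) ? -1 : 0;
	if (ss.ss_family == AF_INET6)
		return setsockopt(fd, IPPROTO_IPV6, IPV6_TCLASS, &tos, sizeof(tos)) ? -1 : 0;
	return 1;
}

/* Read back the IPv4 TOS byte currently set on fd, or -1 on error. */
int read_tos(int fd) {
	int tos = 0;
	socklen_t len = sizeof(tos);
	return getsockopt(fd, IPPROTO_IP, IP_TOS, &tos, &len) < 0 ? -1 : tos;
}

int main(void) {
	int s = socket(AF_INET, SOCK_STREAM, 0); /* unconnected test socket */
	if (s < 0) return 1;
	apply_session_tos(s, 1);
	printf("PTY session:  TOS 0x%02x\n", (unsigned)read_tos(s));
	apply_session_tos(s, 0);
	printf("bulk session: TOS 0x%02x\n", (unsigned)read_tos(s));
	close(s);
	return 0;
}
```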

shm | 18 Nov 16:41 2013

dropbear: no auth methods could be used

I have created passwordless ssh connection between two nodes of an embedded 
target using dropbear. 
Dropbear is enabled "dropbear -s -g -E"

And I am able to login from one node( to the other 
"dbclient -i /etc/dropbear/dropbear_rsa_host_key root <at>"

I'm trying to use OpenMPI to run a program in two nodes. When I launch an
MPI program with mpirun from masternode(, I retrieve the error:

" Connection exited, no auth methods could be used

A daemon (pid 1214) died unexpectedly with status 1 while attempting
to launch so we are aborting.

This may be because the daemon was unable to find all the needed
shared libraries on the remote node. You may set your LD_LIBRARY_PATH
to have the location of the shared libraries on the remote nodes and
this will automatically be forwarded to the remote nodes."

I have set LD_LIBRARY_PATH, but still doesn't work.
The problem occurs when running mpirun.
The passwordless connection using dropbear was successful, so why is it still showing
"no auth methods could be used"?
Could you please help me? Thanks in advance

Matt Johnston | 14 Nov 15:40 2013

Dropbear test version 2013.61test with ECC

Hi all,

Dropbear now has support for ECC which is significantly
faster at setting up connections on slow platforms. Since
it's a large patch I'm making a test release first.

I've also added a "-R" mode to automatically generate
hostkeys on first connection - this is recommended on
embedded platforms which may take a while after boot before
a good /dev/urandom seed has been derived.

Download from


2013.61test - Thursday 14 November 2013

- ECC (elliptic curve) support. Supports ECDSA hostkeys (requires new keys to
  be generated) and ECDH for setting up encryption keys (no intervention
  required). This is significantly faster.

- curve25519-sha256 <at> support for setting up encryption keys. This is
  another elliptic curve mode with less potential of NSA interference in
  algorithm parameters. curve25519-donna code thanks to Adam Langley

- -R option to automatically generate hostkeys. This is recommended for
  embedded platforms since it allows the system random number device
  /dev/urandom a longer startup time to generate a secure seed before the

shm | 8 Nov 10:39 2013

exit before auth: error

I am using dropbear to establish passwordless  connection between two
embedded linux targets connected via Gigabit Ethernet. I created the host
key in both nodes using

	dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key

I started dropbear in both nodes by 
	dropbear -s -g command

 When I try to login from one node ( to other ( using

	dbclient -i /etc/dropbear/dropbear_rsa_host_key root <at>

I get the following messages in
“Host '' is not in the trusted hosts file.
(fingerprint md5 e8:64:8c:b4:6a:13:11:8e:e0:71:c2:a3:11:62:40:9b)
Do you want to continue connecting? (y/n) dbclient: connection to
root <at> exited: Didn't validate host key”

and the following messages in
“[1189] Jan 01 02:55:05 Not backgrounding
[1194] Jan 01 02:55:09 Child connection from
[1194] Jan 01 02:55:09 exit before auth: error reading: Connection reset by

When I try to login back  from node ( to other ( using

dbclient -i /etc/dropbear/dropbear_rsa_host_key


Matt Johnston | 16 Oct 16:51 2013

Dropbear 2013.60

Hi all,

Dropbear 2013.60 is released fixing a few bugs from 2013.59,
mainly related to "make install". Download as usual from
or the new mirror


2013.60 - Wednesday 16 October 2013

- Fix "make install" so that it doesn't always install to /bin and /sbin

- Fix "make install MULTI=1", installing manpages failed

- Fix "make install" when scp is included since it has no manpage

- Make --disable-bundled-libtom work

Releases are signed by PGP key matt <at> 4C647FBC                                                    
     D11E 5F8D 2C38 523F 57F1  2166 8CF9 F8B0 4C64 7FBC                  

Catalin Patulea | 14 Oct 23:31 2013

[PATCH] dropbear: add mirror, provided by dropbear maintainer

Signed-off-by: Catalin Patulea <cat <at>>
 package/network/services/dropbear/Makefile |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
index f025c4d..02be761 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
 <at>  <at>  -13,7 +13,8  <at>  <at>  PKG_RELEASE:=1

+ \
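
Review bot: the continuation line added at `+ \` gives the package a second download location, so the build must not trust whichever server happens to answer. Check that the source archive checksum in this Makefile is still present and matches the maintainer's PGP-signed release, and have the commit message link the announcement of the mirror rather than only say "provided by dropbear maintainer".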


Mike Frysinger | 12 Oct 22:37 2013

fix bundled libtom configure flag

the current flag treats --disable-bundled-libtom like enable.  this patch fixes it.

diff -r 93e04b9ff676
--- a/	Wed Oct 09 22:24:39 2013 +0800
+++ b/	Sat Oct 12 16:36:07 2013 -0400
 <at>  <at>  -365,9 +365,15  <at>  <at>  AC_CHECK_FUNCS(logout updwtmp logwtmp)

 	[  --enable-bundled-libtom       Use bundled libtomcrypt/libtommath even if a system version exists],
-	[ 
-		AC_MSG_NOTICE(Forcing bundled libtom*)
+	[
+		if test "x$enableval" = "xyes"; then
+			AC_MSG_NOTICE(Forcing bundled libtom*)
+		else
+			AC_CHECK_LIB(tomcrypt, register_cipher, , BUNDLED_LIBTOM=1)
+			AC_CHECK_LIB(tommath, mp_exptmod, , BUNDLED_LIBTOM=1)
+		fi
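
Review bot: in the new `else` branch, `AC_CHECK_LIB(tomcrypt, register_cipher, , BUNDLED_LIBTOM=1)` quietly falls back to the bundled copy when the system library is missing, which is the opposite of what `--disable-bundled-libtom` asks for. A packager who passes the flag so that the crypto code comes from the system package and its updates would get the bundled one without noticing; the not-found action should be an `AC_MSG_ERROR` instead. The help string also still documents only the `--enable` form.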

Steve Newcomb | 4 Oct 18:31 2013

autossh incompatibility with dropbear -y

I'm using OpenWRT.  My router, whose IP address changes unpredictably,
makes its ssh-listening port available on another host running at a
stable IP address, using autossh/dropbear to create a reverse channel.

Sometimes the host's key changes from time to time, which can stop the
autossh process at a prompt (to nobody) to decide what to do about the

Ordinary OpenSSH has a StrictHostKeyChecking option which can be used to
bypass the so-called "ask" prompt and just make the connection regardless.

By reading the source, I learned that Dropbear's ssh client evidently
has a similar feature, the "-y" invocation option.  But I can't pass the
-y to it via autossh because autossh doesn't approve of it.  Dropbear's
ssh client also does not offer a config file utility, AFAIK.
Dropbear evidently ignores all -o options, too; they wind up in a bit
bucket called something like "dummy".

Does anybody know the answer, short of editing/recompiling autossh so it
won't be so persnickety and just get out of the way?

Steve Newcomb