Loganaden Velvindron | 7 Dec 20:53 2012

diff to backoff a little running out of fds

Based on similar work done by OpenBSD for sshd,

I came up with this:
The idea is to prevent spinning when out of file descriptors by
backing off for a while.

Suggestions?

diff -r 63f8d6c469cf svr-main.c
--- a/svr-main.c	Thu May 17 00:26:12 2012 +0800
+++ b/svr-main.c	Sat Dec 08 03:48:40 2012 +0400
 <at>  <at>  -226,9 +226,10  <at>  <at> 
 			remoteaddrlen = sizeof(remoteaddr);
 			childsock = accept(listensocks[i],
 					(struct sockaddr*)&remoteaddr, &remoteaddrlen);
-
 			if (childsock < 0) {
 				/* accept failed */
+				if(errno == EMFILE || errno == ENFILE)
+					usleep(100*1000);
 				continue;
 			}
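Review bot: the backoff sleeps the whole accept loop without recording that the descriptor limit was hit, so an operator only sees a server that has stopped accepting connections; log the EMFILE/ENFILE condition (rate-limited, since it can recur every 100 ms) before the `usleep`. The removal of the blank line after the `accept()` call is an unrelated whitespace change, and `if(errno` should read `if (errno` to match the surrounding style. The hunk does not show the includes, so check that svr-main.c pulls in `<errno.h>` and `<unistd.h>` for `errno` and `usleep`.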

--

-- 
Brightest day,
Blackest night,
No bug shall escape my sight,
And those who worship evil's mind,
be wary of my powers,
puffy lantern's light !

Artur Artamonov | 7 Dec 07:32 2012

PAM environment variable exporting to usershell

Here is a patch that exports PAM environment variables to the user-launched
shell. This allows sending some info to a shell
that is authenticated through dropbear.

diff -upN a/auth.h b/auth.h
--- a/auth.h	2012-02-23 15:47:05.000000000 +0200
+++ b/auth.h	2012-12-05 13:01:58.161786510 +0200
 <at>  <at>  -76,6 +76,10  <at>  <at>  void cli_auth_interactive();
 char* getpass_or_cancel(char* prompt);
 void cli_auth_pubkey_cleanup();

+#ifdef ENABLE_SVR_PAM_AUTH
+extern char **pam_env_list;
+#endif
+

 #define MAX_USERNAME_LEN 25 /* arbitrary for the moment */

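Review bot: the added `+` blank line at the end of the hunk sits directly before an existing blank line, leaving two consecutive blanks ahead of `#define MAX_USERNAME_LEN`; drop one of them. Exposing `pam_env_list` as a bare `extern char **` lets any compilation unit rewrite the environment handed to the user's shell; a comment in auth.h stating who populates and frees the array (or a small accessor in svr-authpam.c) would make that contract explicit.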
diff -upN a/svr-authpam.c b/svr-authpam.c
--- a/svr-authpam.c	2012-02-23 15:47:06.000000000 +0200
+++ b/svr-authpam.c	2012-12-05 13:04:24.415780751 +0200
 <at>  <at>  -44,6 +44,8  <at>  <at>  struct UserDataS {
 	char* passwd;
 };

+char **pam_env_list=NULL;
+
 /* PAM conversation function - for now we only handle one message */
 int 
 pamConvFunc(int num_msg, 
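Review bot: this hunk only defines `char **pam_env_list=NULL;` and the visible part of the patch does not show where it is populated or released, so the lifetime of the list is unclear; add a comment beside the definition saying who fills it and who frees it. If the list comes from `pam_getenvlist()`, the caller owns both the array and its strings and must free them after the child environment has been built. Match the surrounding style with spaces around `=`.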

Paul Horn | 18 Nov 01:29 2012

initramfs ip network overrides /etc/network settings

I have a question on networking and initramfs interaction. I already
posted this on the Ubuntu forums, but wondered if someone on this list
might have more familiarity with the underpinnings of dropbear and
initramfs. I'm decent with Linux but this is new territory for me.

Installing Ubuntu 12.10 server, 64 bit, on some new hardware. Working on
using dropbear / ssh to remotely unlock LUKS volumes at boot, generally
following the outline posted by hacksr at
http://hacksr.blogspot.com/2012/05/ssh-unlock-with-fully-encrypted-ubuntu.html.

The install is very basic at this point: an SSH server, apt-get
update/upgrade complete, and a static IP address set for eth0 in
/etc/network/interfaces. It boots quickly prior to installing dropbear.

After installing dropbear, initramfs starts networking on bootup. By
default, it uses DHCP. It is also possible to set a static IP. That much
I have working, and can remotely ssh in when the server starts and is
waiting for the luks passphrase. Thanks to the second script at the
above how-to, I can also enter the unlock passphrase in the dropbear
session and start the server.

What I can't figure out, and haven't found a post anywhere that
addresses this, is that once this process completes and the server
continues to boot, the network remains somehow under "control" of
initramfs. Boot process stops for several minutes "waiting for network
configuration" in spite of the static IP settings for both initramfs and
/etc/network/interfaces. Once it finally starts, any settings in
/etc/network/interfaces are ignored. If the IP addresses don't match, I
end up with the one in initramfs. If initramfs uses dhcp, I get that
address once the server fully boots.

Salatiel Filho | 8 Nov 11:17 2012

Support to port number in known hosts

Would it be possible to add support for port numbers in known_hosts
lines created by dbclient, just like OpenSSH?
I ask this because if I have multiple SSH servers behind the same
FQDN on different ports (port forwarding to different servers),
dbclient will complain about a bad key every time I try to connect to a
different port on the same FQDN.

Thanks!

[]'s
Salatiel

chinna obireddy | 25 Sep 10:39 2012

Dropbear calling my own command-line parser than /bin/sh

Dear All,


As per the thread http://thread.gmane.org/gmane.network.ssh.dropbear/68/focus=75 I successfully made changes to launch a CLI application with dropbear SSH.

But PuTTY (SSH client) is still asking for a login name, though this is not going to be used. It looks weird to the user to be asked for a user name twice, since the CLI application has its own authentication method.

Please suggest how I can completely ignore authentication packets on the server side.

--Reddy.

lb | 12 Sep 20:15 2012

Dropbear client & server errors on Android

Hi,

I successfully compiled the Dropbear client for Android, but when I try to
connect to an address it gives me the following error:
"Exited: Error resolving '<the address>'  port '<port>'. Name or service not
known"
When I try to connect using an IP address, all works fine.
Is there any way to make Dropbear use some external nameserver, like 8.8.8.8? Or
any other solution you can think of?

As for the server: I fiddled with it a lot, applied different patches, overcame
numerous error messages, but the message I can't overcome now is:
"Exit before auth (user '<user>', 0 fails): Exited normally"
What can be the problem at this stage? (I'm using pubkey auth)

Thanks a lot,
Leonid.

Tobias Dussa (SCC | 30 Aug 12:39 2012

How to read from stdin with dbclient

Hi,

I'm trying to ship something to a script on a remote machine via SSH
and catch its output.

As an example, let's say that user foo on machine bar has "cat"
defined as her shell.  Thus, after connecting to bar as foo, anything
that is sent to bar is sent back.

Theoretically, piping something into the ssh command should result in
that something being thrown back.  This does indeed work as expected
when using openssh's ssh client, like this:
  echo baz | ssh -qi IDENTITY foo@bar

Trying the same with dbclient yields "Failed reading termmodes" for
this command:
  echo baz | dbclient -i DB_IDENTITY foo@bar

This points to the fact that no pty is available, which is correct, of
course, and can be prevented by using the -T switch, which tells
dbclient not to allocate a pty:
  echo baz | dbclient -T -i DB_IDENTITY foo@bar

However, this is where things go wrong.  The "baz" string does still
indeed arrive at the remote server and is processed by foo's shell,
but is not printed by dbclient.  This is unfortunate as I really need
to capture the output.

So, the obvious question is, how can I get to the output?

THX & Cheers,
Toby.
-- 
E Pluribus Unix

----

Karlsruhe Institute of Technology (KIT)
Steinbuch Centre for Computing (SCC)
KIT-CERT

Tobias Dussa
CERT Manager, CA Manager

Zirkel 2
Building 20.21
76131 Karlsruhe, Germany

Phone: +49 721 608-42479
Fax: +49 721 608-9-42479
Email: tobias.dussa@kit.edu
Web: http://www.kit.edu/

KIT – University of the State of Baden-Wuerttemberg and
National Laboratory of the Helmholtz Association

Leonid Bloch | 27 Aug 17:05 2012

DropBear on Android

Hello,

Has anyone successfully compiled and tested the latest Dropbear on Android?
If so, can you please share your modifications?

After a few changes that seemed reasonable to me, I still get various error messages, and nothing works:
I've tried logging in with a random user, as well as the user that belongs to my terminal emulator app, then the error of the server was:
"Login attempt for nonexistent user from <my IP>"
When I patched further, in the spirit of what is written here: http://roycormier.net/2010/11/02/cross-compiling-dropbear-sshd-for-android
I got something about "shell is missing for the user <any user I try>"

When I tried to run dbclient, the error was:
"dbclient: Exited: Unknown own user"

The error in scp was:
"unknown user 10118"

I'd appreciate any ideas or instructions.


Best regards,
Leonid.

Freddie Chopin | 31 Jul 13:07 2012

Dropbear on bare-metal ARM Cortex-M3?

Hi!

I was wondering whether it's possible (in a reasonable amount of time) to port
Dropbear to a bare-metal platform - one without an OS (like Linux), but with an RTOS
(FreeRTOS) that provides tasks, queues and synchronization (semaphores +
mutexes) + the LwIP TCP/IP stack?

I would require a very minimal implementation of an SSH server, without all
possible encryption options (the code/RAM footprint has to be low) and without
all possible features - ideally only the simplest SSH server that can pass received
strings to other parts of the code and transfer strings from the code via SSH to the
connected client. Of course I'm talking only about a command-line interface.

If Dropbear is not a good option for such task, do you have any other
recommendations?

Thx in advance for your help!

4/3!!

FCh

Maris, Rob | 23 Jul 15:10 2012

Re: forwarding problems

Thanks for instant answering,

I was still aware of SO_REUSEADDR in dbutil.c, but could not quickly
determine whether this also applies to forwarding channels. In any case,
reconnect goes OK when the embedded system gets a reboot prior to poweroff
(as could be expected).

In the problem case, the host netstat shows:
tcp        0      0 localhost.localdo:51225 localhost.localdo:10526 CLOSE_WAIT

BTW: I'm using 0.52 on a blackfin platform.

Regarding strace: Must be prepared. Is not yet built into the root file
system. I'll return to it later.

Rob

Note: I also noticed
     http://comments.gmane.org/gmane.network.ssh.dropbear/962
before, and the suggestions in that thread will probably be realised after
the current problem has been solved.

On 23.07.2012, 14:32, Matt Johnston <matt@ucc.asn.au> wrote:

> Hi,
>
> Dropbear already does SO_REUSEADDR for all listening
> sockets, see
> https://secure.ucc.asn.au/hg/dropbear/file/983a817f8e41/dbutil.c#l254
>
> Can you run strace on dbclient to see what's failing? Does
> the server log anything?
>
> Cheers,
> Matt
>
> On Mon, Jul 23, 2012 at 02:13:05PM +0200, Maris, Rob wrote:
>> Use case:
>> - embedded system running dbclient with server connection that
>> includes a port forwarding.
>> - system is powered off, and powered on again
>> - upon next boot, the following message is given:
>> dbclient: Remote TCP forward request failed (port 10526 -> 127.0.0.1:22)
>>
>> I'd believe that doing a SO_REUSEADDR via setsockopt() would resolve
>> this issue.
>> However, I'm not sure, and I don't know where to implement this (in cli_tcpfwd.c?)
>>
>> Thanks for any suggestions.
>>
>> Rob

Maris, Rob | 23 Jul 14:13 2012

forwarding problems

Use case:
- embedded system running dbclient with server connection that includes a
port forwarding.
- system is powered off, and powered on again
- upon next boot, the following message is given:
dbclient: Remote TCP forward request failed (port 10526 -> 127.0.0.1:22)

I'd believe that doing a SO_REUSEADDR via setsockopt() would resolve this
issue.
However, I'm not sure, and I don't know where to implement this (in cli_tcpfwd.c?)

Thanks for any suggestions.

Rob