Jesse Molina | 4 Jul 12:57 2014

Getting dbclient to time out when network goes down with reverse proxy usage


I am doing this:

ssh -K 3 -I 60 -i keyfile -N -R 2222:localhost:22 user@host

I am intending a dropbear ssh client to set up a reverse proxy 
connection to a server, so I am using -N and -R.

I am also using -K and -I so that the connection sends keepalives and 
will time out if the network is disrupted.

My problem is that the above results in the session dying 60 seconds 
after setup is finished because the idle timeout is being hit. I am not 
sure how -I is metering inbound traffic, but it's apparently not picking 
up anything.

Note that I have "ClientAliveInterval 15" set on the sshd_config server 
side. I would expect dropbear to count this traffic towards -I.

Without -I above, it took my device 18 minutes to figure out that I had 
pulled the network out from under it by shutting down the interface. 
That isn't acceptable.

Can dropbear do this, or do I need to use openssh?  I get the feeling 
after reading what I have read that dropbear is too simple to figure out 
when the server has gone away in most situations.


Catalin Patulea | 4 Jul 08:59 2014

TOS byte on port forwarding-only connections

Going back to February 2013:

Matt, at the time you had called out a potential issue with
connections doing only port forwarding staying on IPTOS_LOWDELAY. Now
I'm actually running into that issue.

'ssh -Lx:x:x cat' is a workaround, albeit ugly. Ideally I would like
'ssh -N -Lx:x:x' to also trigger IPTOS_BULK.

I think for that I could start the connection at LOWDELAY, then reduce
to BULK until the first pty session, then set LOWDELAY again. If the
client deletes the pty session but keeps the connection, it will stay
at LOWDELAY - we probably want it to reduce to BULK in that case.

How about a cleaner approach, where we keep a "refcount on lowdelay",
updated when pty channels are created/removed. When the refcount
transitions from 0->1, set LOWDELAY, 1->0, set BULK. I don't think
it's all that much extra code and it will really do the right thing in
many situations.

How would you feel about a patch for that?
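The "refcount on lowdelay" scheme proposed above, written out as an added example (not dropbear code): `tos_state`, `tos_pty_opened`, `tos_pty_closed` and `tos_after` are hypothetical names, "BULK" is taken to mean the standard IPTOS_THROUGHPUT value, and the setsockopt(IP_TOS) call is skipped when no socket is attached so the transition logic can be exercised on its own.

```c
#include <netinet/in.h>
#include <netinet/ip.h>
#include <sys/socket.h>

/* Per-connection state (hypothetical names). The proposal's "BULK" is the
 * standard IPTOS_THROUGHPUT value. */
struct tos_state {
    int sock;          /* connection socket, or -1 when none is attached */
    int pty_refcount;  /* pty channels currently open on this connection */
    int current_tos;   /* TOS byte last applied */
};

/* Apply a TOS byte; failure here is not fatal for the session. */
static int apply_tos(struct tos_state *st, int tos) {
    st->current_tos = tos;
    if (st->sock < 0) return -1;
    return setsockopt(st->sock, IPPROTO_IP, IP_TOS, &tos, sizeof(tos));
}

/* A connection that so far only forwards ports starts as bulk traffic. */
void tos_init(struct tos_state *st, int sock) {
    st->sock = sock;
    st->pty_refcount = 0;
    apply_tos(st, IPTOS_THROUGHPUT);
}

/* 0 -> 1: the first interactive channel switches the connection to low delay. */
int tos_pty_opened(struct tos_state *st) {
    if (st->pty_refcount++ == 0) apply_tos(st, IPTOS_LOWDELAY);
    return st->current_tos;
}

/* 1 -> 0: the last pty is gone, forwarding-only again, back to bulk. A close
 * without a matching open is ignored rather than driving the count negative. */
int tos_pty_closed(struct tos_state *st) {
    if (st->pty_refcount > 0 && --st->pty_refcount == 0) apply_tos(st, IPTOS_THROUGHPUT);
    return st->current_tos;
}

/* TOS in effect after `opens` pty opens followed by `closes` pty closes on a
 * fresh connection with no socket attached (lets the transitions be checked). */
int tos_after(int opens, int closes) {
    struct tos_state st;
    int i;
    tos_init(&st, -1);
    for (i = 0; i < opens; i++) tos_pty_opened(&st);
    for (i = 0; i < closes; i++) tos_pty_closed(&st);
    return st.current_tos;
}
```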


Nicolas Luna | 26 Jun 16:53 2014

Cross-compile for AM335x


I'm trying to cross-compile for ARM Cortex-A8 (AM335x) and I have a weird error. It looks like the toolchain is not supported.

What I executed:
./configure --prefix=/home/build-tools/dropbear-build/ CC=arm-linux-gnueabihf-gcc --host=arm -disable-zlib

What I received from configure script:
checking for arm-gcc... arm-linux-gcc
checking whether the C compiler works... no
configure: error: C compiler cannot create executables

The version of my toolchain (PSP 6.0 from TI)
#: arm-linux-gnueabihf-gcc -v
gcc version 4.7.3 20130226 (prerelease) (crosstool-NG linaro-1.13.1-4.7-2013.03-20130313 - Linaro GCC 2013.03)

Any ideas?


Alexey Kotlyarov | 20 Jun 10:58 2014

[PATCH] Accept pre-configured environment variables

Read /etc/dropbear/environment for environment variables to add to new client
  chansession.h     |  4 ++++
  dbutil.c          |  8 +++----
  options.h         |  9 ++++++++
  svr-chansession.c | 62 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
  4 files changed, 79 insertions(+), 4 deletions(-)

diff --git a/chansession.h b/chansession.h
index ef252ea..ac68f3c 100644
--- a/chansession.h
+++ b/chansession.h
 <at>  <at>  -83,6 +83,10  <at>  <at>  struct ChildPid {

  void addnewvar(const char* param, const char* var);

+void addextravars();
  void cli_send_chansess_request();
  void cli_tty_cleanup();
  void cli_chansess_winchange();
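Review bot: the prototype `void addextravars();` declares a function with an unspecified argument list; in C it should be `void addextravars(void);` so the compiler checks calls against it (the definition in svr-chansession.c uses the same empty parentheses and should be changed alongside).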
diff --git a/dbutil.c b/dbutil.c
index 145bc33..e723488 100644
--- a/dbutil.c
+++ b/dbutil.c
 <at>  <at>  -781,11 +781,11  <at>  <at>  int buf_readfile(buffer* buf, const char* filename) {
  	return ret;

-/* get a line from the file into buffer in the style expected for an
- * authkeys file.
+/* get a line from the file into buffer.
   * Will return DROPBEAR_SUCCESS if data is read, or DROPBEAR_FAILURE on EOF.*/
-/* Only used for ~/.ssh/known_hosts and ~/.ssh/authorized_keys */
+/* Only used for ~/.ssh/known_hosts, ~/.ssh/authorized_keys and
+ * /etc/dropbear/environment */
  int buf_getline(buffer * line, FILE * authfile) {

  	int c = EOF;
diff --git a/options.h b/options.h
index 44d6d23..4ff63ba 100644
--- a/options.h
+++ b/options.h
 <at>  <at>  -30,6 +30,11  <at>  <at> 
  #define ECDSA_PRIV_FILENAME "/etc/dropbear/dropbear_ecdsa_host_key"

+/* Environment file path */
+#define EXTRA_ENV_FILENAME "/etc/dropbear/environment"
  /* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens
   * on chosen ports and keeps accepting connections. This is the default.
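Review bot: the new `#define EXTRA_ENV_FILENAME` runs straight into the NON_INETD_MODE comment with no blank line between the two option blocks; add one, as the surrounding definitions do (note the blank line after ECDSA_PRIV_FILENAME).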
 <at>  <at>  -207,6 +212,10  <at>  <at>  much traffic. */

+/* Whether to read extra environment from
+ * /etc/dropbear/environment */
  /* This variable can be used to set a password for client
   * authentication on the commandline. Beware of platforms
   * that don't protect environment variables of processes etc. Also
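Review bot: the added comment "Whether to read extra environment from /etc/dropbear/environment" is not followed by any macro, so either the compile-time switch it describes (something like an option gating the new code in svr-chansession.c) was dropped from the patch or the comment is orphaned; as posted, the feature is always compiled in and the comment documents nothing. It also repeats the path that EXTRA_ENV_FILENAME already defines in the first hunk.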
diff --git a/svr-chansession.c b/svr-chansession.c
index 63e56a8..aead1d7 100644
--- a/svr-chansession.c
+++ b/svr-chansession.c
 <at>  <at>  -939,6 +939,10  <at>  <at>  static void execchild(void *user_data) {

+	addextravars();
  	/* change directory */
  	if (chdir(ses.authstate.pw_dir) < 0) {
  		dropbear_exit("Error changing directory");
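Review bot: `addextravars();` is inserted directly above the `/* change directory */` comment with no blank line, and nothing records whether the file was actually read: since the function returns silently when fopen() fails (see the second hunk), an unreadable or misnamed /etc/dropbear/environment is indistinguishable from an absent one at this point in execchild(). A TRACE or a debug-level dropbear_log() on the failure path would make the feature diagnosable.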
 <at>  <at>  -1010,3 +1014,61  <at>  <at>  void addnewvar(const char* param, const char* var) {
  		dropbear_exit("environ error");
+/* add custom environment variables */
+void addextravars() {
+	FILE * extraenv = NULL;
+	buffer * buf = NULL;
+	char * name_value = NULL;
+	char* value_pos = NULL;
+	char* name = NULL;
+	char* value = NULL;
+	extraenv = fopen(EXTRA_ENV_FILENAME, "r");
+	if (extraenv == NULL) {
+		goto out;
+	}
+	do {
+		if (buf) {
+			buf_free(buf);
+			buf = NULL;
+		}
+		if (name_value) {
+			m_free(name_value);
+		}
+		buf = buf_new(1000);
+		if (buf_getline(buf, extraenv) == DROPBEAR_FAILURE) {
+			break;
+		}
+		name_value = m_malloc(buf->len + 1);
+		memcpy(name_value, buf_getptr(buf, buf->len), buf->len);
+		name_value[buf->len] = '\0';
+		value_pos = strchr(name_value, '=');
+		if (value_pos == NULL) {
+			continue;
+		}
+		*value_pos = '\0';
+		name = name_value;
+		value = value_pos + 1;
+		addnewvar(name, value);
+	} while (1);
+	if (extraenv) {
+		fclose(extraenv);
+	}
+	if (buf) {
+		buf_free(buf);
+	}
+	if (name_value) {
+		m_free(name_value);
+	}
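Review bot: the loop's memory handling is only safe if m_free() resets its argument to NULL: `buf` is explicitly set to NULL after buf_free(), but `name_value` is not, so if m_free() is a plain free() wrapper the EOF path (top-of-loop `m_free(name_value);`, then buf_getline() returns DROPBEAR_FAILURE and `break`) reaches the trailing `if (name_value) { m_free(name_value); }` and frees the same block twice; an explicit `name_value = NULL;` after the free removes the doubt either way. As posted, `goto out;` also has no `out:` label before the cleanup code and the function has no closing brace, so the hunk looks truncated and should be resent intact. Finally, lines such as `=value` (empty name) or `# comment` are handed to addnewvar() unchanged; skipping lines whose name is empty or that start with `#` would be cheap.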


Fredrik Fornwall | 16 Jun 12:24 2014

[PATCH] Replace obsolete S_IWRITE with S_IWUSR in scp.c

S_IWRITE is obsolete and should, judging from the same change in other
projects, be safe to replace with S_IWUSR. This fixes compilation on
diff -r 68723d66dec6 scp.c
--- a/scp.c	Tue May 20 21:21:02 2014 +0800
+++ b/scp.c	Mon Jun 16 12:21:59 2014 +0200
 <at>  <at>  -992,7 +992,7  <at>  <at> 
 		omode = mode;
-		mode |= S_IWRITE;
+		mode |= S_IWUSR;
 		if ((ofd = open(np, O_WRONLY|O_CREAT, mode)) < 0) {
 bad:			run_err("%s: %s", np, strerror(errno));
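Review bot: the commit message stops mid-sentence at "This fixes compilation on", so the platform where S_IWRITE is missing is never named; complete it, since that is the justification for the change. The substitution itself is sound: S_IWUSR is the POSIX name for the same owner-write bit that the legacy S_IWRITE denotes.
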
Utkarsh Kumar | 11 Jun 14:03 2014

SSH problem with dropbear on microblaze


I am using the default dropbear version 0.48 with the uClinux-dist distribution on a microblaze processor. While trying to ssh, it's taking 60 seconds per session, i.e. if only one ssh session is opened it takes 60 seconds to connect, but if 2 sessions are opened simultaneously, it takes 120 seconds for the 2nd session. The same way, for n sessions it takes n*60 seconds for the nth session to connect.

Request you to help me achieve the following:
1. How to reduce the time to connect ssh (currently it's taking 60 seconds)
2. How to reduce the time for the subsequent sessions, if opened simultaneously.

Please find the logs below:

#ssh -v

OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to [] port 22.
debug1: Connection established.
debug1: identity file /homes/utkarsh/.ssh/identity type -1
debug1: identity file /homes/utkarsh/.ssh/id_rsa type -1
debug1: identity file /homes/utkarsh/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version dropbear_0.48
debug1: no match: dropbear_0.48
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
============== long pause here... about 40+ seconds

debug1: Host '' is known and matches the DSA host key.
debug1: Found key in /homes/utkarsh/.ssh/known_hosts:5
debug1: ssh_dss_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentication succeeded (none).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8

Appreciate your reply.

pratik singh | 4 Jun 09:49 2014

Need SCP Client support with dropbear V0.48

Hi All,

I am running the default dropbear (version 0.48) found in the uClinux-dist distribution with my microblaze as the processor. I want to use scp with dropbear. Please let me know how can I achieve this? Appreciate your reply.
Thanks & Regards
Pratik Singh
Martin Osterloh | 28 May 22:16 2014

Dropbear and crypt() implementation

Hi All,

I am in the process of porting dropbear to my own operating system (x86-64 architecture). So far, I am happy with the progress.

However, I just discovered that svr-authpasswd.c uses crypt(). I am using newlib as a general C library. I am not being provided with crypt() unfortunately. Is there any general consensus what people do in this case? So far I am just returning "send_msg_userauth_success()" which is .... well not that great.

Any input would be greatly appreciated!



ronny.meeus | 19 May 08:22 2014

[PATCH] Limit size of the iovect passed to writev in packet.c

The writev allows only a limited number of entries to be present in the
iovector. This number depends on the OS. If more entries are passed, the
writev operation fails and the connection is closed.

This patch limits the size of the vector to the maximum number accepted
by the OS. On some operating systems IOV_MAX is not defined, if this is
the case UIO_MAXIOV is being used as the maximum value.

In the problematic scenario the Linux box, running dropbear, has a slow
uplink. If an ssh is done to the box and a command is executed that
generates a lot of small fragments (for example a 'find .' in the root),
a lot of small interactions are seen between dropbear and the shell process.
The observation was that the amount of entries pending in the queue could
go up to 7500. Since all entries present in the queue will be passed to
writev an error will be returned since Linux only accepts 1024 entries to
be present in the vector. The result is that the connection is being closed.

Signed-off-by: Ronny Meeus <ronny.meeus <at>>

diff --git a/packet.c b/packet.c
--- a/packet.c
+++ b/packet.c
 <at>  <at>  -64,13 +64,24  <at>  <at>  void write_packet() {
 	struct iovec *iov = NULL;
 	int i;
 	struct Link *l;
+	int iov_max_count;
 	TRACE2(("enter write_packet"))

-	iov = m_malloc(sizeof(*iov) * ses.writequeue.count);
+#ifndef IOV_MAX
+	/* Make sure the size of the iov is below the maximum allowed by the OS. */
+	iov_max_count = ses.writequeue.count;
+	if (iov_max_count > IOV_MAX)
+		iov_max_count = IOV_MAX;
+	iov = m_malloc(sizeof(*iov) * iov_max_count);
 	for (l = ses.writequeue.head, i = 0; l; l = l->link, i++)
 		writebuf = (buffer*)l->item;
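Review bot: the iov array is now sized to iov_max_count, but the loop that fills it, `for (l = ses.writequeue.head, i = 0; l; l = l->link, i++)`, still walks the whole write queue, so with more than IOV_MAX queued buffers the entries beyond iov_max_count are stored past the end of the allocation (a heap overflow in the server, triggered by exactly the 7500-entry scenario described). Bound the loop, e.g. `for (l = ses.writequeue.head, i = 0; l && i < iov_max_count; l = l->link, i++)`. Also, the `#ifndef IOV_MAX` in the hunk is not followed by the `#define IOV_MAX UIO_MAXIOV` / `#endif` the description promises: as posted the new code sits inside the conditional, so it is compiled only when IOV_MAX is undefined (the opposite of the intent) and the conditional is never closed.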
 <at>  <at>  -83,7 +94,7  <at>  <at>  void write_packet() {
 		iov[i].iov_base = buf_getptr(writebuf, len);
 		iov[i].iov_len = len;
-	written = writev(ses.sock_out, iov, ses.writequeue.count);
+	written = writev(ses.sock_out, iov, iov_max_count);
 	if (written < 0) {
 		if (errno == EINTR) {
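The bounded-writev approach this patch describes, written out as an added example (not dropbear's packet.c): `writev_bounded` and `roundtrip_fragments` are hypothetical names, the IOV_MAX / UIO_MAXIOV fallback follows the commit message, and the fill loop never exceeds the chunk size while short writes and EINTR are resumed rather than treated as fatal.

```c
#include <errno.h>
#include <limits.h>
#include <string.h>
#include <unistd.h>
#include <sys/uio.h>
#ifndef IOV_MAX
#define IOV_MAX UIO_MAXIOV   /* the fallback the commit message describes */
#endif
/* Send all of iov, at most IOV_MAX entries per writev() call, resuming after
 * short writes. Returns total bytes written, or -1 on a failure (errno set). */
ssize_t writev_bounded(int fd, struct iovec *iov, int iovcnt) {
    ssize_t total = 0, w, left;
    int idx = 0, n;
    while (idx < iovcnt) {
        n = iovcnt - idx > IOV_MAX ? IOV_MAX : iovcnt - idx;
        w = writev(fd, iov + idx, n);
        if (w < 0) {
            if (errno == EINTR) continue;   /* interrupted: retry this chunk */
            return -1;
        }
        total += w;
        /* Drop entries that were fully sent; trim the first partial one. */
        for (left = w; idx < iovcnt && (size_t)left >= iov[idx].iov_len; idx++)
            left -= iov[idx].iov_len;
        if (idx < iovcnt) {
            iov[idx].iov_base = (char *)iov[idx].iov_base + left;
            iov[idx].iov_len -= left;
        }
    }
    return total;
}
/* Constructed check: `entries` one-byte fragments (the report saw 7500 queued)
 * pass through a pipe. Returns 1 if every byte arrives in order, else 0. */
int roundtrip_fragments(int entries) {
    static char sent[8192], got[8192];
    static struct iovec iov[8192];
    int fds[2], i, ok = 0;
    ssize_t n = 0, r;
    if (entries <= 0 || entries > 8192 || pipe(fds) < 0) return 0;
    for (i = 0; i < entries; i++) {
        sent[i] = (char)('a' + i % 26);
        iov[i].iov_base = &sent[i]; iov[i].iov_len = 1;
    }
    if (writev_bounded(fds[1], iov, entries) == entries) {
        while (n < entries && (r = read(fds[0], got + n, entries - n)) > 0) n += r;
        ok = (n == entries && memcmp(sent, got, entries) == 0);
    }
    close(fds[0]); close(fds[1]);
    return ok;
}
```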

ronny.meeus | 19 May 08:20 2014

[PATCH] Print errno information in write_packet

This patch puts the error information into the log output to have a better view
on the reason for a packet write failure.

Signed-off-by: Ronny Meeus <ronny.meeus <at>>

diff --git a/packet.c b/packet.c
--- a/packet.c
+++ b/packet.c
 <at>  <at>  -90,7 +90,7  <at>  <at>  void write_packet() {
 			TRACE2(("leave write_packet: EINTR"))
 		} else {
-			dropbear_exit("Error writing");
+			dropbear_exit("Error writing %s", strerror(errno));

 <at>  <at>  -131,7 +131,7  <at>  <at>  void write_packet() {
 			TRACE2(("leave writepacket: EINTR"))
 		} else {
-			dropbear_exit("Error writing");
+			dropbear_exit("Error writing %s", strerror(errno));
 	all_ignore = (packet_type == SSH_MSG_IGNORE);
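Review bot: in both hunks the format `"Error writing %s"` has no separator between the text and the errno string, so the log reads "Error writing Broken pipe"; `"Error writing: %s"` is clearer. strerror() also needs <string.h>, which the hunks do not show being included; fine if packet.c already has it. The context lines also reveal an existing inconsistency ("leave write_packet" vs "leave writepacket") that could be fixed while touching these lines.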

Logan Anderson | 29 Apr 11:03 2014

Dropbear requiring passphrase


I added dropbear to an initramfs I am building for PXE. No matter what I do, dropbear appears to require an ssh passphrase and I really don't know how to handle this. It doesn't ask me for a passphrase when I create the key.

It appears to ask for the passphrase when I use ssh but it simply asks for a password when I use dbclient. What am I doing wrong?

Any direction would be welcome.