Matt Johnston | 8 Aug 16:02 2014

Dropbear 2014.65

Hi,

Here's Dropbear 2014.65. It mainly fixes regressions in
2014.64, with a couple of other minor improvements.

https://matt.ucc.asn.au/dropbear/dropbear.html
https://dropbear.nl/mirror/

Cheers,
Matt

2014.65 - Friday 8 August 2014

- Fix 2014.64 regression, server session hang on exit with scp (and probably
  others), thanks to NiLuJe for tracking it down

- Fix 2014.64 regression, clock_gettime() error handling which broke on older
  Linux kernels, reported by NiLuJe

- Fix 2014.64 regression, writev() could occassionally fail with EAGAIN which
  wasn't caught

- Avoid error message when trying to set QoS on proxycommand or multihop pipes

- Use /usr/bin/xauth, thanks to Mike Frysinger

- Don't exit the client if the local user entry can't be found, thanks to iquaba

Releases signed with PGP key
4C647FBC Matthew Johnston <matt@ucc.asn.au>

pratik singh | 7 Aug 16:47 2014

Regarding dbclient failure

Hi,

I am using Dropbear 0.48 with uClinux-dist. Currently the server is working fine, but while trying to run dbclient it's throwing the following error:

--------------------------------------------------------------------------------------------------------------------------------------------
#dbclient -i dss_key pratik@10.10.10.1

TRACE: enter session_init
TRACE: kexinitialise()
TRACE: leave session_init
TRACE: enter ident_readln
TRACE: leave ident_readln: return 20
TRACE: remoteident: SSH-2.0-OpenSSH_4.3
TRACE: enter encrypt_packet()
TRACE: encrypt_packet type is 20
TRACE: enter writemac
TRACE: leave writemac
TRACE: enter enqueue
TRACE: leave enqueue
TRACE: leave encrypt_packet()
TRACE: DATAALLOWED=0
TRACE: -> KEXINIT
TRACE: enter write_packet
TRACE: empty queue dequeing
TRACE: leave write_packet
TRACE: enter read_packet
TRACE: enter decrypt_packet
TRACE: leave decrypt_packet
TRACE: leave read_packet
TRACE: enter process_packet
TRACE: process_packet: packet type = 20
TRACE: <- KEXINIT
TRACE: enter recv_msg_kexinit
TRACE: cli_buf_match_algo: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
TRACE: kex algo diffie-hellman-group1-sha1
TRACE: cli_buf_match_algo: ssh-rsa,ssh-dss
TRACE: hostkey algo ssh-dss
TRACE: cli_buf_match_algo: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
TRACE: enc c2s is  aes128-cbc
TRACE: cli_buf_match_algo: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
TRACE: enc s2c is  aes128-cbc
TRACE: cli_buf_match_algo: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
TRACE: hash c2s is  hmac-sha1-96
TRACE: cli_buf_match_algo: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
TRACE: hash s2c is  hmac-sha1-96
TRACE: cli_buf_match_algo: none,zlib@openssh.com
TRACE: hash c2s is  none
TRACE: cli_buf_match_algo: none,zlib@openssh.com
TRACE: hash s2c is  none
TRACE: leave recv_msg_kexinit
TRACE: leave process_packet
TRACE: enter cli_sessionloop
TRACE: enter send_msg_kexdh_reply
 
 
TRACE: enter buf_putmpint
TRACE: leave buf_putmpint
TRACE: enter encrypt_packet()
TRACE: encrypt_packet type is 30
TRACE: enter writemac
TRACE: leave writemac
TRACE: enter enqueue
TRACE: leave enqueue
TRACE: leave encrypt_packet()
TRACE: leave cli_sessionloop: done with KEXINIT_RCVD
TRACE: enter write_packet
TRACE: empty queue dequeing
TRACE: leave write_packet
TRACE: enter cli_sessionloop
TRACE: leave cli_sessionloop: kex_state != KEX_NOTHING
TRACE: enter read_packet
TRACE: enter decrypt_packet
TRACE: leave decrypt_packet
TRACE: leave read_packet
TRACE: enter process_packet
TRACE: process_packet: packet type = 31
TRACE: enter recv_msg_kexdh_reply
TRACE: type is 2
TRACE: enter buf_getline
TRACE: leave buf_getline: failure
TRACE: failed reading line: prob EOF
 
Host '10.10.10.1' is not in the trusted hosts file.
(fingerprint md5 aa:c4:3e:32:ac:42:5b:21:0e:86:7d:b2:21:db:fb:1c)
Do you want to continue connecting? (y/n)
TRACE: enter cli_tty_cleanup
TRACE: leave cli_tty_cleanup: not in raw mode
TRACE: enter session_cleanup
TRACE: enter chancleanup
TRACE: leave chancleanup
TRACE: leave session_cleanup
dbclient: connection to pratik@10.10.10.1:22 exited: Didn't validate host key
---------------------------------------------------------------------------------------------------------------------------------

Any suggestions on this would be a great help.
 
--
Thanks & Regards
Pratik Singh
Mike Frysinger | 1 Aug 12:15 2014

[PATCH] use xauth in /usr/bin

# HG changeset patch
# User Mike Frysinger <vapier@gentoo.org>
# Date 1406888059 14400
#      Fri Aug 01 06:14:19 2014 -0400
# Node ID 89a637587a611c0bf3802ff5005bc1f7fe63eec6
# Parent  36eacc322e00924e511810c519bf5a3f05898cdd
use xauth in /usr/bin

Since the x.org rework, X has been installed into standard paths and not
its own random prefixes.  I think it's time we update the default paths
accordingly.

diff -r 36eacc322e00 -r 89a637587a61 options.h
--- a/options.h	Mon Jul 28 23:23:49 2014 +0800
+++ b/options.h	Fri Aug 01 06:14:19 2014 -0400
 <at>  <at>  -264,7 +264,7  <at>  <at> 
 /* The command to invoke for xauth when using X11 forwarding.
  * "-q" for quiet */
 #ifndef XAUTH_COMMAND
-#define XAUTH_COMMAND "/usr/bin/X11/xauth -q"
+#define XAUTH_COMMAND "/usr/bin/xauth -q"
 #endif

 /* if you want to enable running an sftp server (such as the one included with
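Review bot: the new default on the `+#define XAUTH_COMMAND "/usr/bin/xauth -q"` line still hardcodes one absolute path, so a host that keeps xauth somewhere else (the /usr/bin/X11 location this hunk drops, or a vendor prefix on an embedded image) silently loses X11 forwarding until its builder overrides XAUTH_COMMAND; detecting the binary at configure time, or at least noting the override in the comment above the `#ifndef`, would make the switch safe for those hosts. Keeping the `#ifndef XAUTH_COMMAND` guard and the `-q` flag is right.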

Matt Johnston | 27 Jul 17:41 2014

Dropbear 2014.64

Hi all,

Dropbear 2014.64 is released with changes as follows. 
As usual get it from
https://matt.ucc.asn.au/dropbear/dropbear.html or 
https://dropbear.nl/mirror/

Cheers,
Matt

2014.64 - Sunday 27 July 2014

- Fix compiling with ECDSA and DSS disabled

- Don't exit abruptly if too many outgoing packets are queued for writev(). Patch
  thanks to Ronny Meeus

- The -K keepalive option now behaves more like OpenSSH's "ServerAliveInterval". 
  If no response is received after 3 keepalives then the session is terminated. This
  will close connections faster than waiting for a TCP timeout.

- Rework TCP priority setting. New settings are
	if (connecting || ptys || x11) tos = LOWDELAY
	else if (tcp_forwards) tos = 0
	else tos = BULK
  Thanks to Catalin Patulea for the suggestion.

- Improve handling of many concurrent new TCP forwarded connections, should now
  be able to handle as many as MAX_CHANNELS. Thanks to Eduardo Silva for reporting
  and investigating it.

- Make sure that exit messages from the client are printed, regression in 2013.57

- Use monotonic clock where available, timeouts won't be affected by system time
  changes

- Add -V for version

pratik singh | 25 Jul 12:21 2014

Does Dropbear support SCP server?

Hi,

I am running the default dropbear (version 0.48) found in the uClinux-dist distribution with my microblaze as the processor.  It has SCP client support.

Does it support SCP server also? If Yes, what are all the changes required?

Appreciate your reply.

--
Thanks & Regards
Pratik Singh
Robert | 21 Jul 12:46 2014

Dropbear for Android Error "Permission denied (publickey)"

Hello,

I'm trying to compile a static dropbear for ARM Android according to the set of instructions below
https://github.com/iMilnb/docs/blob/master/dropbear%2Bsftp-android.md
and the binary has compiled okay, but I keep getting the error "Permission denied (publickey)" from the client when trying to connect. I have tried compiling with both the latest dropbear release and the one used in the instructions (2013.58) to no avail. I've tried the usual solution of putting the client's pubkey in the server's 'authorized_keys' file, which hasn't worked. It's worth noting only key authentication access works; I've disabled password authentication. I've attached the stdout for server and client too.

Regards,

Rob

Client Stdout:
OpenSSH_5.9p1 Debian-5ubuntu1.4, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.1.11 [192.168.1.11] port 22.
debug1: Connection established.
debug1: identity file /home/robert/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/robert/.ssh/id_rsa-cert type -1
debug1: identity file /home/robert/.ssh/id_dsa type -1
debug1: identity file /home/robert/.ssh/id_dsa-cert type -1
debug1: identity file /home/robert/.ssh/id_ecdsa type -1
debug1: identity file /home/robert/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version dropbear_2013.58
debug1: no match: dropbear_2013.58
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Server host key: RSA ***********************
debug1: Host '192.168.1.11' is known and matches the RSA host key.
debug1: Found key in /home/robert/.ssh/known_hosts:10
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/robert/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/robert/.ssh/id_dsa
debug1: Trying private key: /home/robert/.ssh/id_ecdsa
debug1: No more authentication methods to try.
Permission denied (publickey).

Server Stdout:
[14495] Jul 20 17:20:25 Not backgrounding
[14503] Jul 20 17:20:38 Child connection from 192.168.1.8:39840
[14503] Jul 20 17:20:38 Login attempt for nonexistent user from 192.168.1.8:39840
[14503] Jul 20 17:20:39 Login attempt for nonexistent user from 192.168.1.8:39840
[14503] Jul 20 17:20:39 Exit before auth: Exited normally
Bruno Vernay | 9 Jul 18:02 2014

Small build without ECDSA gives errors

Hi,

I try to build a small Dropbear server (dropbear-2014.63)

From options.h, I commented out DROPBEAR_ECDSA and DROPBEAR_DSS and
other things ...

make clean
./configure --disable-syslog --disable-shadow --disable-lastlog
--disable-zlib  --prefix=/mnt/rwfs/dropbear
--host=arm-fsl-linux-gnueabi  --build=i686-pc-linux-gnu     ARCH=arm
CROSS_COMPILE=arm-none-linux-gnueabi-   CC=arm-fsl-linux-gnueabi-gcc
LDFLAGS=-Wl,--gc-sections  CFLAGS="-ffunction-sections
-fdata-sections"
make PROGRAMS="dropbear"

...
and I get this error:

arm-fsl-linux-gnueabi-gcc -ffunction-sections -fdata-sections
-I./libtomcrypt/src/headers/ -I. -I.
-I/opt/freescale/usr/local/gcc-4.4.4-glibc-2.11.1-multilib-1.0/arm-fsl-linux-gnueabi/arm-fsl-linux-gnueabi/multi-libs/usr/include
-ffunction-sections -fdata-sections -DDROPBEAR_SERVER
-I/opt/freescale/usr/local/gcc-4.4.4-glibc-2.11.1-multilib-1.0/arm-fsl-linux-gnueabi/arm-fsl-linux-gnueabi/multi-libs/usr/include
-c -o signkey.o signkey.c
signkey.c: In function 'signkey_key_ptr':
signkey.c:110: error: 'DROPBEAR_SIGNKEY_ECDSA_NISTP256' undeclared
(first use in this function)
signkey.c:110: error: (Each undeclared identifier is reported only once
signkey.c:110: error: for each function it appears in.)
signkey.c:111: error: 'sign_key' has no member named 'ecckey256'
signkey.c:114: error: 'DROPBEAR_SIGNKEY_ECDSA_NISTP384' undeclared
(first use in this function)
signkey.c:115: error: 'sign_key' has no member named 'ecckey384'
signkey.c:118: error: 'DROPBEAR_SIGNKEY_ECDSA_NISTP521' undeclared
(first use in this function)
signkey.c:119: error: 'sign_key' has no member named 'ecckey521'
make: *** [signkey.o] Error 1

Any idea ??

--

-- 
Bruno

Jesse Molina | 4 Jul 12:57 2014

Getting dbclient to time out when network goes down with reverse proxy usage


Hello

I am doing this:

ssh -K 3 -I 60 -i keyfile -N -R 2222:localhost:22 user@host

I am intending a dropbear ssh client to set up a reverse proxy 
connection to a server, so I am using -N and -R.

I am also using -K and -I so that the connection sends keepalives and 
will timeout if the network is disrupted.

My problem is that the above results in the session dying 60 seconds 
after setup is finished because the idle timeout is being hit.  I am not 
sure how -I is metering inbound traffic, but it's apparently not picking 
up anything.

Note that I have "ClientAliveInterval 15" set on the sshd_config server 
side. I would expect dropbear to count this traffic towards -I.

Without -I above, it took my device 18 minutes to figure out that I had 
pulled the network out from under it by shutting down the interface. 
That isn't acceptable.

Can dropbear do this, or do I need to use openssh?  I get the feeling 
after reading what I have read that dropbear is too simple to figure out 
when the server has gone away in most situations.

Relevant:

https://www.mail-archive.com/dropbear@ucc.asn.au/msg00978.html

https://www.mail-archive.com/dropbear@ucc.asn.au/msg00648.html

https://www.mail-archive.com/dropbear@ucc.asn.au/msg00402.html

Thanks in advance.

Catalin Patulea | 4 Jul 08:59 2014

TOS byte on port forwarding-only connections

Going back to February 2013:
https://secure.ucc.asn.au/hg/dropbear/rev/80af450dae76
https://secure.ucc.asn.au/hg/dropbear/rev/aa689d140928

Matt, at the time you had called out a potential issue with
connections doing only port forwarding staying on IPTOS_LOWDELAY. Now
I'm actually running into that issue.

'ssh -Lx:x:x cat' is a workaround, albeit ugly. Ideally I would like
'ssh -N -Lx:x:x' to also trigger IPTOS_BULK.

I think for that I could start the connection at LOWDELAY, then reduce
to BULK until the first pty session, then set LOWDELAY again. If the
client deletes the pty session but keeps the connection, it will stay
at LOWDELAY - we probably want it to reduce to BULK in that case.

How about a cleaner approach, where we keep a "refcount on lowdelay",
updated when pty channels are created/removed. When the refcount
transitions from 0->1, set LOWDELAY, 1->0, set BULK. I don't think
it's all that much extra code and it will really do the right thing in
many situations.

How would you feel about a patch for that?

Catalin
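As an added illustration (not Dropbear's code, and not Catalin's or Matt's patch), the rule from the 2014.64 release notes above (LOWDELAY while connecting or while any pty or X11 channel is open, 0 for forwarding-only sessions, BULK otherwise) driven by channel counters the way the refcount proposal suggests, so that IP_TOS is only re-set on a transition. The struct and function names are this example's own, and IPTOS_THROUGHPUT is assumed to be the BULK value; fd -1 skips the real setsockopt() so the logic runs without a socket.

```c
#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>   /* IPTOS_LOWDELAY, IPTOS_THROUGHPUT */

#define TOS_BULK IPTOS_THROUGHPUT   /* assumption: "BULK" in the notes */

struct tos_state {
    int fd;            /* session socket, or -1 to skip the syscall */
    int connecting;    /* set until the first channel is open */
    int ptys;          /* open channels that have a pty */
    int x11;           /* open X11 forwarding channels */
    int tcp_forwards;  /* open TCP forwarding channels */
    int current;       /* value last applied, -1 before the first update */
};

void tos_init(struct tos_state *s, int fd) {
    s->fd = fd;
    s->connecting = 1;
    s->ptys = s->x11 = s->tcp_forwards = 0;
    s->current = -1;
}

/* The 2014.64 rule, evaluated from the counters. */
int tos_wanted(const struct tos_state *s) {
    if (s->connecting || s->ptys > 0 || s->x11 > 0) return IPTOS_LOWDELAY;
    if (s->tcp_forwards > 0) return 0;
    return TOS_BULK;
}

/* Call after every channel open/close. Returns the value pushed to the
 * socket, or -1 when the wanted value did not change (no syscall made). */
int tos_update(struct tos_state *s) {
    int want = tos_wanted(s);
    if (want == s->current) return -1;
    if (s->fd >= 0 &&
        setsockopt(s->fd, IPPROTO_IP, IP_TOS, &want, sizeof(want)) < 0) {
        perror("setsockopt(IP_TOS)");   /* only a QoS hint: not fatal */
    }
    s->current = want;
    return want;
}

/* The scenario from the message: 'ssh -N -L' opens only a forward, a later
 * pty raises priority, closing that pty (connection kept) lowers it again.
 * Returns 1 when every transition produced the expected value. */
int tos_demo(void) {
    struct tos_state s;
    int a, b, c, d, e;
    tos_init(&s, -1);
    a = tos_update(&s);                      /* connecting -> LOWDELAY */
    s.connecting = 0; s.tcp_forwards++;
    b = tos_update(&s);                      /* forwarding only -> 0 */
    s.ptys++;
    c = tos_update(&s);                      /* pty opened -> LOWDELAY */
    s.ptys--;
    d = tos_update(&s);                      /* pty closed -> 0 again */
    s.tcp_forwards--;
    e = tos_update(&s);                      /* nothing open -> BULK */
    return a == IPTOS_LOWDELAY && b == 0 && c == IPTOS_LOWDELAY &&
           d == 0 && e == TOS_BULK;
}
```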

Nicolas Luna | 26 Jun 16:53 2014

Cross-compile for AM335x

Hi,

I'm trying to cross-compile for ARM Cortex-A8 (AM335x) and I have a weird error. It looks like the toolchain is not supported.

What I executed:
./configure --prefix=/home/build-tools/dropbear-build/ CC=arm-linux-gnueabihf-gcc --host=arm -disable-zlib

What I received from configure script:
checking for arm-gcc... arm-linux-gcc
checking whether the C compiler works... no
configure: error: C compiler cannot create executables

The version of my toolchain (PSP 6.0 from TI)
#: arm-linux-gnueabihf-gcc -v
gcc version 4.7.3 20130226 (prerelease) (crosstool-NG linaro-1.13.1-4.7-2013.03-20130313 - Linaro GCC 2013.03)

Any ideas ? 

Regards,

Nicolas
Alexey Kotlyarov | 20 Jun 10:58 2014

[PATCH] Accept pre-configured environment variables

Read /etc/dropbear/environment for environment variables to add to new client
sessions.
---
  chansession.h     |  4 ++++
  dbutil.c          |  8 +++----
  options.h         |  9 ++++++++
  svr-chansession.c | 62 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
  4 files changed, 79 insertions(+), 4 deletions(-)

diff --git a/chansession.h b/chansession.h
index ef252ea..ac68f3c 100644
--- a/chansession.h
+++ b/chansession.h
 <at>  <at>  -83,6 +83,10  <at>  <at>  struct ChildPid {

  void addnewvar(const char* param, const char* var);

+#ifdef ENABLE_EXTRA_ENVIRONMENT
+void addextravars();
+#endif
+
  void cli_send_chansess_request();
  void cli_tty_cleanup();
  void cli_chansess_winchange();
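Review bot: `+void addextravars();` declares the function with an empty parameter list, which in C means "unspecified arguments", not "no arguments"; declare it as `void addextravars(void)` (and define it the same way in svr-chansession.c) so the compiler rejects an accidental call with arguments.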
diff --git a/dbutil.c b/dbutil.c
index 145bc33..e723488 100644
--- a/dbutil.c
+++ b/dbutil.c
 <at>  <at>  -781,11 +781,11  <at>  <at>  int buf_readfile(buffer* buf, const char* filename) {
  	return ret;
  }

-/* get a line from the file into buffer in the style expected for an
- * authkeys file.
+/* get a line from the file into buffer.
   * Will return DROPBEAR_SUCCESS if data is read, or DROPBEAR_FAILURE on EOF.*/
-/* Only used for ~/.ssh/known_hosts and ~/.ssh/authorized_keys */
-#if defined(DROPBEAR_CLIENT) || defined(ENABLE_SVR_PUBKEY_AUTH)
+/* Only used for ~/.ssh/known_hosts, ~/.ssh/authorized_keys and
+ * /etc/dropbear/environment */
+#if defined(DROPBEAR_CLIENT) || defined(ENABLE_SVR_PUBKEY_AUTH) || defined(ENABLE_EXTRA_ENVIRONMENT)
  int buf_getline(buffer * line, FILE * authfile) {

  	int c = EOF;
diff --git a/options.h b/options.h
index 44d6d23..4ff63ba 100644
--- a/options.h
+++ b/options.h
 <at>  <at>  -30,6 +30,11  <at>  <at> 
  #define ECDSA_PRIV_FILENAME "/etc/dropbear/dropbear_ecdsa_host_key"
  #endif

+/* Environment file path */
+#ifndef EXTRA_ENV_FILENAME
+#define EXTRA_ENV_FILENAME "/etc/dropbear/environment"
+#endif
+
  /* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens
   * on chosen ports and keeps accepting connections. This is the default.
   *
 <at>  <at>  -207,6 +212,10  <at>  <at>  much traffic. */
  #define ENABLE_CLI_PUBKEY_AUTH
  #define ENABLE_CLI_INTERACT_AUTH

+/* Whether to read extra environment from
+ * /etc/dropbear/environment */
+#define ENABLE_EXTRA_ENVIRONMENT
+
  /* This variable can be used to set a password for client
   * authentication on the commandline. Beware of platforms
   * that don't protect environment variables of processes etc. Also
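Review bot: `+#define ENABLE_EXTRA_ENVIRONMENT` is unconditional, so every existing build starts honouring a new input file in each user's session environment without the packager choosing it; ship it commented out, or call the new default out clearly in the release notes, so nobody discovers the behaviour only when a stray /etc/dropbear/environment is picked up. The comment on the two lines above also repeats the literal path; refer to EXTRA_ENV_FILENAME instead, since the earlier hunk in this file made the path overridable.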
diff --git a/svr-chansession.c b/svr-chansession.c
index 63e56a8..aead1d7 100644
--- a/svr-chansession.c
+++ b/svr-chansession.c
 <at>  <at>  -939,6 +939,10  <at>  <at>  static void execchild(void *user_data) {
  	}
  #endif

+#ifdef ENABLE_EXTRA_ENVIRONMENT
+	addextravars();
+#endif
+
  	/* change directory */
  	if (chdir(ses.authstate.pw_dir) < 0) {
  		dropbear_exit("Error changing directory");
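Review bot: the position of `+	addextravars();` decides whether entries from the file override variables that execchild has already set with addnewvar() or are overridden by them, and nothing here records which is intended; add a comment at the call site stating the precedence so a later reordering does not silently change it.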
 <at>  <at>  -1010,3 +1014,61  <at>  <at>  void addnewvar(const char* param, const char* var) {
  		dropbear_exit("environ error");
  	}
  }
+
+#ifdef ENABLE_EXTRA_ENVIRONMENT
+/* add custom environment variables */
+void addextravars() {
+	FILE * extraenv = NULL;
+	buffer * buf = NULL;
+	char * name_value = NULL;
+	char* value_pos = NULL;
+	char* name = NULL;
+	char* value = NULL;
+
+	extraenv = fopen(EXTRA_ENV_FILENAME, "r");
+	if (extraenv == NULL) {
+		goto out;
+	}
+
+	do {
+		if (buf) {
+			buf_free(buf);
+			buf = NULL;
+		}
+		if (name_value) {
+			m_free(name_value);
+		}
+		buf = buf_new(1000);
+
+		if (buf_getline(buf, extraenv) == DROPBEAR_FAILURE) {
+			break;
+		}
+
+		name_value = m_malloc(buf->len + 1);
+		memcpy(name_value, buf_getptr(buf, buf->len), buf->len);
+		name_value[buf->len] = '\0';
+
+		value_pos = strchr(name_value, '=');
+		if (value_pos == NULL) {
+			continue;
+		}
+
+		*value_pos = '\0';
+		name = name_value;
+		value = value_pos + 1;
+
+		addnewvar(name, value);
+	} while (1);
+
+out:
+	if (extraenv) {
+		fclose(extraenv);
+	}
+	if (buf) {
+		buf_free(buf);
+	}
+	if (name_value) {
+		m_free(name_value);
+	}
+}
+#endif
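Review bot: the `m_free(name_value);` at the top of the loop leaves `name_value` pointing at freed memory unless m_free() is a macro that also clears its argument; if it is not, the `break` on EOF falls through to `out:` where `if (name_value) { m_free(name_value); }` frees it a second time, so set it to NULL explicitly after the free, as the code already does for `buf`. Two smaller points: a line such as `=value`, or a `#` comment line that happens to contain `=`, reaches addnewvar() unchanged, so reject an empty name and skip `#` lines (and consider logging what the silent `continue` drops); and `buf_new(1000)` is allocated and freed once per line where one buffer reused across iterations would do, provided buf_getline() resets its position.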
--

-- 
1.9.3

