Valliappan Muthiah | 26 Jun 08:53 2013

scp to always accept unknown remote hostkey

Hi,

We are using dropbear in our product. The version is
# dropbearmulti -v
Dropbear multi-purpose version 0.52
Make a symlink pointing at this binary with one of the following names:
'dropbear' - the Dropbear server
'dbclient' or 'ssh' - the Dropbear client
'dropbearkey' - the key generator
'dropbearconvert' - the key converter
'scp' - secure copy

I am tryin to scp files to my remote server. I would like to always accept unknown remote hostkey for my connection to server.
I did this successfully using "ssh -y" option, but i cannot use this switch when i do scp directly.

May i know if its possible to have this option in scp itself?
 
Thanks in advance.
Lluís Batlle i Rossell | 18 Jun 22:11 2013

-lcrypt as dependency in Makefile? (CRYPTLIB)

Hello,

the configure script sets up CRYPTLIB="-lcrypt".

Then, Makefile.in has something like:
dropbearobjs=$(COMMONOBJS) $(CLISVROBJS) $(SVROBJS)  <at> CRYPTLIB <at>  
dropbear: $(dropbearobjs)

How is this expected to work? I can't build dropbear due to GNU make not
finding the dependency "-lcrypt".

Regards,
Lluís.

Lluís Batlle i Rossell | 17 Jun 21:21 2013

Fixing crash on -J (proxycmd)

Hello,

since 0.53 (at least), using -J crashes on mips. With valgrind, I tracked this
down to a bad free.

Here is the patch attached that should fix it. At least, valgrind doesn't
complain. I'll test it with mips later.

Regards,
Lluís.
diff -r 5ba19d00da08 cli-runopts.c
--- a/cli-runopts.c	Sun May 26 18:43:00 2013 +0800
+++ b/cli-runopts.c	Mon Jun 17 19:19:12 2013 +0000
 <at>  <at>  -383,6 +383,13  <at>  <at> 
 		exit(EXIT_FAILURE);
 	}

+#ifdef ENABLE_CLI_PROXYCMD
+    if (cli_opts.proxycmd) {
+        /* To match the common path of m_freeing it */
+        cli_opts.proxycmd = m_strdup(cli_opts.proxycmd);
+    }
+#endif
+
 	if (cli_opts.remoteport == NULL) {
 		cli_opts.remoteport = "22";
 	}
William Welch | 24 May 23:42 2013
Picon

slow logins -- some data for comparison

Greetings,

First -- thank you for dropbear!  I have enjoyed using dropbear on various smallish systems for years now!

But I have a problem with a specific system -- admittedly it is rather slow -- only 50 BogoMips according to the linux kernel. It is a Microblaze.

I use the Buildroot system for many different routers and other small systems here.  I have compared different versions of dropbear, against openssh.

My issue is with the server mode -- sshd --  I note that on dropbear 0.52 (which I happen to run on other routers here), I can connect from my ubuntu or mac, to dropbear sshd, in about 45 seconds.  This is having disabled the RSA host key, and already generated the DSS host key.   But on more recent versions of dropbear, e.g. 2013.58, several minutes elapse without a connection.   

In contrast, switching to openssh in buildroot, and also disabling the RSA host key, connection time is 5 to 10 seconds!  Unfortunately, the openssh has a huge 'footprint' in the flash filesystem that I would rather avoid.

The issue seems to be in the key exchange ( I can watch this by doing 'ssh -v ' from my client connection).  Meanwhile, running 'top' on my Microblaze shows near 100% cpu used.  the debug message is: expecting SSH2_MSG_KEXDH_REPLY

Buildroot has the gnu cross tool chain set to 'optimize for size' in all cases.

Suggestions welcome!

thank you,

William

Christopher Meng | 20 May 08:18 2013
Picon

Re: Google Authenticator

This hinge on the configure step I think.

./configure with --enable-pam.

But I don't know your os packager's doing.
Alex | 16 May 13:54 2013
Picon

Google Authenticator

Hi,

I've a raspberry pi with dropbear ssh installed, I would to use google
authenticator to log in in my ssh session. I've installed the PAM support with:

apt-get install libpam-google-authenticator

and I already generated the code, but now how can I configure dropbear to
use the PAM module?

Thank you.

Martin Donnelly | 2 May 12:44 2013
Picon

[PATCH] Notify clients of PAM error messages

This patch adds support for relaying PAM_ERROR_MSG to clients. This
is useful when PAM_ERROR_MSG returns meaningful information, an
example of this is when pam_nologin is being used and '/etc/nologin'
contains a message for clients attempting to connect.

-Martin
diff -ubNr dropbear-2013.58.orig/auth.h dropbear-2013.58/auth.h
--- dropbear-2013.58.orig/auth.h	2013-04-18 15:58:14.000000000 +0100
+++ dropbear-2013.58/auth.h	2013-04-30 17:37:33.317480220 +0100
 <at>  <at>  -36,6 +36,7  <at>  <at> 
 void recv_msg_userauth_request();
 void send_msg_userauth_failure(int partial, int incrfail);
 void send_msg_userauth_success();
+void send_msg_userauth_banner(buffer **msg);
 void svr_auth_password();
 void svr_auth_pubkey();
 void svr_auth_pam();
diff -ubNr dropbear-2013.58.orig/common-session.c dropbear-2013.58/common-session.c
--- dropbear-2013.58.orig/common-session.c	2013-04-18 15:58:14.000000000 +0100
+++ dropbear-2013.58/common-session.c	2013-05-01 15:55:20.687368142 +0100
 <at>  <at>  -122,6 +122,8  <at>  <at> 

 	ses.allowprivport = 0;

+	ses.pam_err = NULL;
+
 	TRACE(("leave session_init"))
 }

diff -ubNr dropbear-2013.58.orig/session.h dropbear-2013.58/session.h
--- dropbear-2013.58.orig/session.h	2013-04-18 15:58:14.000000000 +0100
+++ dropbear-2013.58/session.h	2013-05-02 11:32:32.610072021 +0100
 <at>  <at>  -197,6 +197,8  <at>  <at> 
 	 * really belong here, but nowhere else fits nicely */
 	int allowprivport;

+	/* buffer for storing PAM error messages */
+	buffer * pam_err;
 };

 struct serversession {
diff -ubNr dropbear-2013.58.orig/svr-auth.c dropbear-2013.58/svr-auth.c
--- dropbear-2013.58.orig/svr-auth.c	2013-04-18 15:58:14.000000000 +0100
+++ dropbear-2013.58/svr-auth.c	2013-05-01 17:36:28.249791834 +0100
 <at>  <at>  -37,7 +37,6  <at>  <at> 

 static void authclear();
 static int checkusername(unsigned char *username, unsigned int userlen);
-static void send_msg_userauth_banner();

 /* initialise the first time for a session, resetting all parameters */
 void svr_authinitialise() {
 <at>  <at>  -82,10 +81,10  <at>  <at> 

 /* Send a banner message if specified to the client. The client might
  * ignore this, but possibly serves as a legal "no trespassing" sign */
-static void send_msg_userauth_banner() {
+void send_msg_userauth_banner(buffer **banner) {

 	TRACE(("enter send_msg_userauth_banner"))
-	if (svr_opts.banner == NULL) {
+	if ((banner == NULL) || (*banner == NULL)) {
 		TRACE(("leave send_msg_userauth_banner: banner is NULL"))
 		return;
 	}
 <at>  <at>  -93,13 +92,13  <at>  <at> 
 	CHECKCLEARTOWRITE();

 	buf_putbyte(ses.writepayload, SSH_MSG_USERAUTH_BANNER);
-	buf_putstring(ses.writepayload, buf_getptr(svr_opts.banner,
-				svr_opts.banner->len), svr_opts.banner->len);
+	buf_putstring(ses.writepayload, buf_getptr(*banner,
+				(*banner)->len), (*banner)->len);
 	buf_putstring(ses.writepayload, "en", 2);

 	encrypt_packet();
-	buf_free(svr_opts.banner);
-	svr_opts.banner = NULL;
+	buf_free(*banner);
+	*banner = NULL;

 	TRACE(("leave send_msg_userauth_banner"))
 }
 <at>  <at>  -121,7 +120,7  <at>  <at> 

 	/* send the banner if it exists, it will only exist once */
 	if (svr_opts.banner) {
-		send_msg_userauth_banner();
+		send_msg_userauth_banner(&svr_opts.banner);
 	}

 	
diff -ubNr dropbear-2013.58.orig/svr-authpam.c dropbear-2013.58/svr-authpam.c
--- dropbear-2013.58.orig/svr-authpam.c	2013-04-18 15:58:14.000000000 +0100
+++ dropbear-2013.58/svr-authpam.c	2013-05-01 15:18:38.603729862 +0100
 <at>  <at>  -142,6 +142,22  <at>  <at> 
 			(*respp) = resp;
 			break;

+		case PAM_ERROR_MSG:
+
+			if (msg_len > 0) {
+				ses.pam_err  = buf_new(msg_len + 4);
+				buf_setpos(ses.pam_err, 0);
+				buf_putbytes(ses.pam_err, "\r\n", 2);
+				buf_putbytes(ses.pam_err, (*msg)->msg, msg_len);
+				buf_putbytes(ses.pam_err, "\r\n", 2);
+				buf_setpos(ses.pam_err, 0);
+
+				send_msg_userauth_banner(&ses.pam_err);
+			}
+
+			rc = PAM_AUTH_ERR;
+			break;
+
 		default:
 			TRACE(("Unknown message type"))
 			rc = PAM_CONV_ERR;
Christopher Meng | 13 May 11:27 2013
Picon

Add support for aarch64

Hi,

As dropbear doesn't support AArch64, I hope the author can do something in order to fix it. In fact I'm the packager of dropbear, some users asked us why not support aarch64.


To fix this, you can:

1. Use at least autoconf 2.69 to reconfigure.
2. A patch at 


which updates config.guess and config.sub to recognize aarch64.

But I think the latter one is for downstream to include it into the package, for upstream, will you fix this?

Thanks!



Yours sincerely,
Christopher Meng

Always playing in Fedora Project
Yuan-Yi Chang | 3 May 08:44 2013
Picon

A solution for PAM with nonexistent user

Hi, 


After configured with --enable-pam and modified the option.h:

//#define ENABLE_SVR_PASSWORD_AUTH
#define ENABLE_SVR_PAM_AUTH

The Dropbear would be with the PAM functionality.

When I used the PAM module to pass the account login flow, but I got the message: "Login attempt for nonexistent user". I know there should be a white list for most popular applications, I still think there is another way for convenience usage on Dropbear.

There is a patch for choose a system account for nonexistent user at PAM mode (The coding style of this patch may not good enough):

$ /path/dropbear -h
...
-c username choose a system account for nonexistent user at PAM mode
...

$ cat /etc/pam.d/sshd
auth required /path/pam_myway.so
account required /path/pam_myway.so
$ /path/dropbear -p 222 -r /path/testkey -c root -E -F

If login account is nonexistent user, it would choose "root" account to use.

Best Regards, 
Yuan-Yi Chang
Ed Sutter | 29 Apr 16:48 2013

Re: Performance testing ssh (was Re: question)

Yep, thanks, I've been running with WireShark...
(running it on the same machine as the client, so no need for mirroring 
here).
>
> Ed,
>
> I would also tcpdump all the network traffic during the test... using 
> a real hub or switch with port mirroring or vswitch promiscuous mode.
>
> At least then you could eliminate any lower level issues.
>
> Good luck.
>
> --
> http://www.realthought.net/
>
> El 26/04/2013 05:02, "Ed Sutter" <ed.sutter <at> alcatel-lucent.com 
> <mailto:ed.sutter <at> alcatel-lucent.com>> escribió:
>
>     Hi,
>     I have a modified version of the dropbear ssh server running in
>     a multitasking RTOS environment that is not POSIX compliant.
>     In almost all cases it is running perfectly...
>     I run load tests on it by just using a simple expect script
>     that spawns an ssh client and sends commands and expects
>     responses (in a loop).
>     If, within that loop, I occasionally (every ~30 minutes)
>     disconnect and reconnect then I can let that run *forever*
>     (haven't fully tested that).  :-(
>
>     The problem I run into is if I just make an initial connection
>     and put the script in a loop that simply keeps issuing commands
>     and responses (I never disconnect; just maintain the initial session).
>     After some unpredictable amount of time (usually it takes an hour or
>     more); having invoked a few thousand commands, suddenly everything
>     just stops.  The server is sitting in the select of the session_loop,
>     and the client (in the expect script) is just waiting for a response.
>
>     It seems like everything is where its supposed to be, but the client
>     is not able to send any characters to the server.  It appears that the
>     connection dropped; however, I'm fairly certain that it has not.
>
>     So, I apparently broke something; hence my question...
>
>     After the client/server transactions for key exchange,
>     login/password etc..
>     are complete and basically both sides are just passing encrypted
>     data back
>     and forth, is there any other periodic responsibility (on the
>     servers' part)
>     to issue any "keep-alive" type of commands (or something similar)
>     that I
>     have not implemented?
>
>     Thanks,
>     Ed
>

Kevin Johnson | 29 Apr 16:20 2013
Picon

segfault in svr-authpasswd.c

For users with locked accounts, dropbear segfaults on password
authentication. The call to crypt() with glibc 2.17 returns NULL if
the passwd field is '!'. Strcmp() segfaults on the NULL value. Here's
a patch against 2013.58 that adds a check.

--- svr-authpasswd.c.old
+++ svr-authpasswd.c
 <at>  <at>  -66,6 +66,12  <at>  <at> 
     m_burn(password, passwordlen);
     m_free(password);

+    if (testcrypt == NULL) {
+        dropbear_log(LOG_WARNING, "Crypt against user '%s' password
failed, rejected",
+                ses.authstate.pw_name);
+        send_msg_userauth_failure(0, 1);
+        return;
+    }
     /* check for empty password */
     if (passwdcrypt[0] == '\0') {
         dropbear_log(LOG_WARNING, "User '%s' has blank password, rejected",

--
thx,
Kevin Johnson


Gmane