pratik singh | 21 Aug 20:01 2014

dbclient failed : Server Timeout

I am using Dropbear 0.48 with uClinux-dist. Currently the dropbear server is working fine but while trying to run dbclient it throws a write error. Some of the traces are:

TRACE: leave process_packet
TRACE: enter cli_sessionloop
TRACE: enter send_msg_service_request: servicename='ssh-userauth'
TRACE: enter encrypt_packet()
TRACE: encrypt_packet type is 5

TRACE: enter writemac
TRACE: leave writemac
TRACE: enter enqueue
TRACE: leave enqueue
TRACE: leave encrypt_packet()
TRACE: leave send_msg_service_request
TRACE: leave cli_sessionloop: sent userauth service req
TRACE: enter write_packet

TRACE: enter cli_tty_cleanup
TRACE: leave cli_tty_cleanup: not in raw mode
TRACE: enter session_cleanup
TRACE: enter chancleanup
TRACE: leave chancleanup
TRACE: leave session_cleanup
dbclient: connection to pratik@10.10.10.1:22 exited: error writing
--------------------------------------------------------------------------------------------------------------
* Attached the detailed logs.

I have tried the following:
1) Run dbclient with -K option but still getting the same write error
2) Run dbclient with -y option but still getting the same write error

On further debugging I have found that this write error occurs because the server (in this case OpenSSH) is timing out.

It's working fine between a client and server that both run dropbear, with the dropbear server's "AUTH_TIMEOUT" greater than 300.

This issue can be resolved if I can reduce the time taken by dbclient. Currently it's taking more than 5 minutes.

Please share your inputs to reduce this time taken by dbclient. How can I achieve this? Appreciate your reply.


--
Thanks & Regards
Pratik Singh

# dbclient -v -y -i dropbear_dss_host_key pratik@10.10.10.1
TRACE: enter buf_get_priv_key
TRACE: enter dsa_key_free
TRACE: enter dsa_key_free: key == NULL
TRACE: enter buf_get_dss_pub_key
TRACE: leave buf_get_dss_pub_key: success
TRACE: leave buf_get_priv_key
TRACE: non-flag arg: 'pratik@10.10.10.1'
TRACE: user='pratiks' host='10.10.10.1' port='22'
TRACE: enter connect_remote
TRACE: leave connect_remote: sock 4
TRACE: leave buf_getline: success
TRACE: checkpubkey: base64_decode success
TRACE: good matching key
TRACE: enter buf_get_pub_key
TRACE: enter dsa_key_free
TRACE: enter dsa_key_free: key == NULL
TRACE: enter buf_get_dss_pub_key
TRACE: leave buf_get_dss_pub_key: success
TRACE: leave buf_get_pub_key
 
 
TRACE: enter buf_put_pub_key

TRACE: enter buf_putmpint
TRACE: leave buf_putmpint
TRACE: enter buf_putmpint
TRACE: leave buf_putmpint
TRACE: enter buf_putmpint
TRACE: leave buf_putmpint
TRACE: enter buf_putmpint
TRACE: leave buf_putmpint
TRACE: leave buf_put_pub_key

TRACE: enter buf_putmpint
TRACE: leave buf_putmpint
TRACE: enter buf_putmpint
TRACE: leave buf_putmpint
TRACE: enter buf_putmpint
TRACE: leave buf_putmpint
TRACE: enter buf_verify
TRACE: enter buf_dss_verify
 
 
 
TRACE: enter sign_key_free
TRACE: enter dsa_key_free
TRACE: leave dsa_key_free
TRACE: leave sign_key_free
TRACE: enter send_msg_newkeys
TRACE: enter encrypt_packet()
TRACE: encrypt_packet type is 21

TRACE: enter writemac
TRACE: leave writemac
TRACE: enter enqueue
TRACE: leave enqueue
TRACE: leave encrypt_packet()
TRACE: SENTNEWKEYS=1
TRACE: -> MSG_NEWKEYS
TRACE: leave send_msg_newkeys
TRACE: leave recv_msg_kexdh_init

TRACE: leave process_packet
TRACE: enter cli_sessionloop
TRACE: leave cli_sessionloop: kex_state != KEX_NOTHING
TRACE: enter write_packet
TRACE: empty queue dequeing
TRACE: leave write_packet
TRACE: enter read_packet
TRACE: enter decrypt_packet
TRACE: leave decrypt_packet
TRACE: leave read_packet
TRACE: enter process_packet
TRACE: process_packet: packet type = 21
TRACE: <- MSG_NEWKEYS
TRACE: enter recv_msg_newkeys
TRACE: while SENTNEWKEYS=1
TRACE: enter gen_new_keys

TRACE: enter buf_putmpint
TRACE: leave buf_putmpint
TRACE: leave gen_new_keys
TRACE: kexinitialise()
TRACE:  -> DATAALLOWED=1
TRACE: leave recv_msg_newkeys

TRACE: leave process_packet
TRACE: enter cli_sessionloop
TRACE: enter send_msg_service_request: servicename='ssh-userauth'
TRACE: enter encrypt_packet()
TRACE: encrypt_packet type is 5

TRACE: enter writemac
TRACE: leave writemac
TRACE: enter enqueue
TRACE: leave enqueue
TRACE: leave encrypt_packet()
TRACE: leave send_msg_service_request
TRACE: leave cli_sessionloop: sent userauth service req
TRACE: enter write_packet

TRACE: enter cli_tty_cleanup
TRACE: leave cli_tty_cleanup: not in raw mode
TRACE: enter session_cleanup
TRACE: enter chancleanup
TRACE: leave chancleanup
TRACE: leave session_cleanup
dbclient: connection to pratik@10.10.10.1:22 exited: error writing
DELOGET, Emmanuel | 20 Aug 15:25 2014

Failure to use dropbear with PAM

Hello, 

I admit the mail subject is a bit alarmist. I'm able to use dropbear with PAM if I only need to check for local
accounts. 

Yet in my use case I have to authenticate users whose login/password information is stored in a remote
database. Every time I try to log in with such a user, dropbear answers me that the user is unknown - and that's
true: the user is unknown, because the whole point is to not have him/her in /etc/passwd but in a remote
database.

That's where things break: dropbear seems to assume that the user must be known on the system where it runs -
that's one of the purposes of checkusername() in svr-auth.c. If the user is not found in /etc/passwd then
it's not a valid user and login fails.

Yet that's still a very important use case (as I see it): there is a large number of network-based
authentication schemes (including, in my very case, TACACS+) where the username/password is not known on
the ssh server. PAM allows this, yet dropbear seems to think it's not a good idea. I agree that it comes with
some challenges - what's the user's shell, credentials...? So I won't even think of forcing you to come up with a
solution right now. I believe it's a point to consider, not a fix to have right now.

However, I'm kinda stuck in this case and I have to come up with a solution quite fast. I tried not calling
checkusername() when PAM is enabled but it looks like it's a Bad Idea (tm) (with its corresponding
segfault, of course). I guess it's because checkusername() does a whole lot more than just checking - and as I
see it, it also initializes a few data here and there.

Do you have any idea how I could overcome this situation? I just need to fully trust PAM when it comes to
authentication (I'll still need to implement some kind of user mapping after that but it will be easier if
I'm able to pass through the authentication process).

Best regards, 

-- Emmanuel Deloget

Matt Johnston | 8 Aug 16:02 2014

Dropbear 2014.65

Hi,

Here's Dropbear 2014.65. It mainly fixes regressions in
2014.64, with a couple of other minor improvements.

https://matt.ucc.asn.au/dropbear/dropbear.html
https://dropbear.nl/mirror/

Cheers,
Matt

2014.65 - Friday 8 August 2014

- Fix 2014.64 regression, server session hang on exit with scp (and probably
  others), thanks to NiLuJe for tracking it down

- Fix 2014.64 regression, clock_gettime() error handling which broke on older
  Linux kernels, reported by NiLuJe

- Fix 2014.64 regression, writev() could occasionally fail with EAGAIN which
  wasn't caught

- Avoid error message when trying to set QoS on proxycommand or multihop pipes

- Use /usr/bin/xauth, thanks to Mike Frysinger

- Don't exit the client if the local user entry can't be found, thanks to iquaba

Releases signed with PGP key
4C647FBC Matthew Johnston <matt@ucc.asn.au>
D11E 5F8D 2C38 523F 57F1  2166 8CF9 F8B0 4C64 7FBC

pratik singh | 7 Aug 16:47 2014

Regarding dbclient failure

Hi,

I am using Dropbear 0.48 with uClinux-dist. Currently the server is working fine but while trying to run dbclient it's throwing the following error:

--------------------------------------------------------------------------------------------------------------------------------------------
#dbclient -i dss_key pratik@10.10.10.1

TRACE: enter session_init
TRACE: kexinitialise()
TRACE: leave session_init
TRACE: enter ident_readln
TRACE: leave ident_readln: return 20
TRACE: remoteident: SSH-2.0-OpenSSH_4.3
TRACE: enter encrypt_packet()
TRACE: encrypt_packet type is 20
TRACE: enter writemac
TRACE: leave writemac
TRACE: enter enqueue
TRACE: leave enqueue
TRACE: leave encrypt_packet()
TRACE: DATAALLOWED=0
TRACE: -> KEXINIT
TRACE: enter write_packet
TRACE: empty queue dequeing
TRACE: leave write_packet
TRACE: enter read_packet
TRACE: enter decrypt_packet
TRACE: leave decrypt_packet
TRACE: leave read_packet
TRACE: enter process_packet
TRACE: process_packet: packet type = 20
TRACE: <- KEXINIT
TRACE: enter recv_msg_kexinit
TRACE: cli_buf_match_algo: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
TRACE: kex algo diffie-hellman-group1-sha1
TRACE: cli_buf_match_algo: ssh-rsa,ssh-dss
TRACE: hostkey algo ssh-dss
TRACE: cli_buf_match_algo: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
TRACE: enc c2s is  aes128-cbc
TRACE: cli_buf_match_algo: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
TRACE: enc s2c is  aes128-cbc
TRACE: cli_buf_match_algo: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
TRACE: hash c2s is  hmac-sha1-96
TRACE: cli_buf_match_algo: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
TRACE: hash s2c is  hmac-sha1-96
TRACE: cli_buf_match_algo: none,zlib@openssh.com
TRACE: hash c2s is  none
TRACE: cli_buf_match_algo: none,zlib@openssh.com
TRACE: hash s2c is  none
TRACE: leave recv_msg_kexinit
TRACE: leave process_packet
TRACE: enter cli_sessionloop
TRACE: enter send_msg_kexdh_reply
 
 
TRACE: enter buf_putmpint
TRACE: leave buf_putmpint
TRACE: enter encrypt_packet()
TRACE: encrypt_packet type is 30
TRACE: enter writemac
TRACE: leave writemac
TRACE: enter enqueue
TRACE: leave enqueue
TRACE: leave encrypt_packet()
TRACE: leave cli_sessionloop: done with KEXINIT_RCVD
TRACE: enter write_packet
TRACE: empty queue dequeing
TRACE: leave write_packet
TRACE: enter cli_sessionloop
TRACE: leave cli_sessionloop: kex_state != KEX_NOTHING
TRACE: enter read_packet
TRACE: enter decrypt_packet
TRACE: leave decrypt_packet
TRACE: leave read_packet
TRACE: enter process_packet
TRACE: process_packet: packet type = 31
TRACE: enter recv_msg_kexdh_reply
TRACE: type is 2
TRACE: enter buf_getline
TRACE: leave buf_getline: failure
TRACE: failed reading line: prob EOF
 
Host '10.10.10.1' is not in the trusted hosts file.
(fingerprint md5 aa:c4:3e:32:ac:42:5b:21:0e:86:7d:b2:21:db:fb:1c)
Do you want to continue connecting? (y/n)
TRACE: enter cli_tty_cleanup
TRACE: leave cli_tty_cleanup: not in raw mode
TRACE: enter session_cleanup
TRACE: enter chancleanup
TRACE: leave chancleanup
TRACE: leave session_cleanup
dbclient: connection to pratik@10.10.10.1:22 exited: Didn't validate host key
---------------------------------------------------------------------------------------------------------------------------------

Any suggestions on this would be a great help.
 
--
Thanks & Regards
Pratik Singh
Mike Frysinger | 1 Aug 12:15 2014

[PATCH] use xauth in /usr/bin

# HG changeset patch
# User Mike Frysinger <vapier <at> gentoo.org>
# Date 1406888059 14400
#      Fri Aug 01 06:14:19 2014 -0400
# Node ID 89a637587a611c0bf3802ff5005bc1f7fe63eec6
# Parent  36eacc322e00924e511810c519bf5a3f05898cdd
use xauth in /usr/bin

Since the x.org rework, X has been installed into standard paths and not
its own random prefixes.  I think it's time we update the default paths
accordingly.

diff -r 36eacc322e00 -r 89a637587a61 options.h
--- a/options.h	Mon Jul 28 23:23:49 2014 +0800
+++ b/options.h	Fri Aug 01 06:14:19 2014 -0400
 <at>  <at>  -264,7 +264,7  <at>  <at> 
 /* The command to invoke for xauth when using X11 forwarding.
  * "-q" for quiet */
 #ifndef XAUTH_COMMAND
-#define XAUTH_COMMAND "/usr/bin/X11/xauth -q"
+#define XAUTH_COMMAND "/usr/bin/xauth -q"
 #endif

 /* if you want to enable running an sftp server (such as the one included with
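Review bot: the new default is still a guessed absolute path, just a different one, so a system that installs xauth somewhere other than /usr/bin (the old /usr/bin/X11 layout this hunk drops included) now has to pass its own XAUTH_COMMAND at build time, and neither the commit message nor the comment above the #define says so. Since the #ifndef XAUTH_COMMAND guard is already in place, a configure-time probe for xauth that defines XAUTH_COMMAND would remove the guess from options.h altogether; failing that, please note the override in the commit message. The "-q" flag is unchanged, so only the path moves.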

Matt Johnston | 27 Jul 17:41 2014

Dropbear 2014.64

Hi all,

Dropbear 2014.64 is released with changes as follows. 
As usual get it from
https://matt.ucc.asn.au/dropbear/dropbear.html or 
https://dropbear.nl/mirror/

Cheers,
Matt

2014.64 - Sunday 27 July 2014

- Fix compiling with ECDSA and DSS disabled

- Don't exit abruptly if too many outgoing packets are queued for writev(). Patch
  thanks to Ronny Meeus

- The -K keepalive option now behaves more like OpenSSH's "ServerAliveInterval". 
  If no response is received after 3 keepalives then the session is terminated. This
  will close connections faster than waiting for a TCP timeout.

- Rework TCP priority setting. New settings are
	if (connecting || ptys || x11) tos = LOWDELAY
	else if (tcp_forwards) tos = 0
	else tos = BULK
  Thanks to Catalin Patulea for the suggestion.

- Improve handling of many concurrent new TCP forwarded connections, should now
  be able to handle as many as MAX_CHANNELS. Thanks to Eduardo Silva for reporting
  and investigating it.

- Make sure that exit messages from the client are printed, regression in 2013.57

- Use monotonic clock where available, timeouts won't be affected by system time
  changes

- Add -V for version

pratik singh | 25 Jul 12:21 2014

Does Dropbear support SCP server?

Hi,

I am running the default dropbear (version 0.48) found in the uClinux-dist distribution with my microblaze as the processor.  It has SCP client support.

Does it support SCP server also? If Yes, what are all the changes required?

Appreciate your reply.

--
Thanks & Regards
Pratik Singh
Robert | 21 Jul 12:46 2014

Dropbear for Android Error "Permission denied (publickey)"

Hello,

I'm trying to compile a static dropbear for ARM Android according to the set of instructions below
https://github.com/iMilnb/docs/blob/master/dropbear%2Bsftp-android.md
and the binary has compiled okay but I keep getting the error "Permission denied (publickey)" from the client when trying to connect. I have tried compiling with both the latest dropbear release and the one used in the instructions (2013.58) to no avail. I've tried the usual solution of putting the client's pubkey in the server's 'authorized_keys' file which hasn't worked. It's worth noting only key authentication access works, I've disabled password authentication. I've attached the stdout for server and client too.

Regards,

Rob




Client Stdout:
OpenSSH_5.9p1 Debian-5ubuntu1.4, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.1.11 [192.168.1.11] port 22.
debug1: Connection established.
debug1: identity file /home/robert/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/robert/.ssh/id_rsa-cert type -1
debug1: identity file /home/robert/.ssh/id_dsa type -1
debug1: identity file /home/robert/.ssh/id_dsa-cert type -1
debug1: identity file /home/robert/.ssh/id_ecdsa type -1
debug1: identity file /home/robert/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version dropbear_2013.58
debug1: no match: dropbear_2013.58
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1.4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Server host key: RSA ***********************
debug1: Host '192.168.1.11' is known and matches the RSA host key.
debug1: Found key in /home/robert/.ssh/known_hosts:10
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/robert/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/robert/.ssh/id_dsa
debug1: Trying private key: /home/robert/.ssh/id_ecdsa
debug1: No more authentication methods to try.
Permission denied (publickey).

Server Stdout:
[14495] Jul 20 17:20:25 Not backgrounding
[14503] Jul 20 17:20:38 Child connection from 192.168.1.8:39840
[14503] Jul 20 17:20:38 Login attempt for nonexistent user from 192.168.1.8:39840
[14503] Jul 20 17:20:39 Login attempt for nonexistent user from 192.168.1.8:39840
[14503] Jul 20 17:20:39 Exit before auth: Exited normally
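The server stdout quoted above shows the line dropbear logs when the presented username cannot be resolved on the host: "Login attempt for nonexistent user from ADDR:PORT". The same line is what a scanner or password-guessing bot leaves behind on a dropbear host, so it is worth parsing on the defensive side. The following is an added example written for this page, not code from the thread or from dropbear: it counts such attempts per source address over a constructed log (the 192.168.1.8 lines mirror Rob's post, the 10.0.0.5 lines are invented) and flags any source that reaches a threshold. The address is cut at the last ':' so an IPv6 source would survive intact.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in dropbear's server log format. The 192.168.1.8 lines
 * mirror the ones quoted in the thread; the 10.0.0.5 lines are invented. */
static const char *const sample_log[] = {
    "[14495] Jul 20 17:20:25 Not backgrounding",
    "[14503] Jul 20 17:20:38 Child connection from 192.168.1.8:39840",
    "[14503] Jul 20 17:20:38 Login attempt for nonexistent user from 192.168.1.8:39840",
    "[14503] Jul 20 17:20:39 Login attempt for nonexistent user from 192.168.1.8:39840",
    "[14503] Jul 20 17:20:39 Exit before auth: Exited normally",
    "[14510] Jul 20 17:21:02 Child connection from 10.0.0.5:51000",
    "[14510] Jul 20 17:21:02 Login attempt for nonexistent user from 10.0.0.5:51000",
    "[14510] Jul 20 17:21:03 Login attempt for nonexistent user from 10.0.0.5:51000",
    "[14510] Jul 20 17:21:03 Login attempt for nonexistent user from 10.0.0.5:51000",
    "[14510] Jul 20 17:21:04 Exit before auth: Exited normally",
};
static const int sample_log_len = (int)(sizeof(sample_log) / sizeof(sample_log[0]));

#define IP_MAX 64
static const char *const NONEXISTENT = "Login attempt for nonexistent user from ";

/* Copy the ADDR out of a "... <marker>ADDR:PORT" line into ip. Returns 1 on a
 * match, 0 otherwise. The port is cut at the last ':' so IPv6 stays intact. */
static int source_of(const char *line, const char *marker, char *ip, size_t iplen) {
    const char *p = strstr(line, marker), *colon;
    size_t n;
    if (!p)
        return 0;
    p += strlen(marker);
    colon = strrchr(p, ':');
    n = colon ? (size_t)(colon - p) : strlen(p);
    if (n == 0 || n >= iplen)
        return 0;
    memcpy(ip, p, n);
    ip[n] = '\0';
    return 1;
}

/* Count "nonexistent user" attempts from one address across a whole log. */
int nonexistent_user_attempts(const char *const *lines, int nlines, const char *addr) {
    char ip[IP_MAX];
    int i, hits = 0;
    for (i = 0; i < nlines; i++)
        if (source_of(lines[i], NONEXISTENT, ip, sizeof ip) && strcmp(ip, addr) == 0)
            hits++;
    return hits;
}

/* Collect addresses with at least `threshold` such attempts. Returns how many
 * were flagged; `flagged` must hold `max` entries of IP_MAX bytes each. */
int flag_sources(const char *const *lines, int nlines, int threshold,
                 char flagged[][IP_MAX], int max) {
    char ip[IP_MAX];
    int i, j, n = 0;
    for (i = 0; i < nlines && n < max; i++) {
        if (!source_of(lines[i], NONEXISTENT, ip, sizeof ip))
            continue;
        for (j = 0; j < n; j++)          /* skip addresses already flagged */
            if (strcmp(flagged[j], ip) == 0)
                break;
        if (j < n)
            continue;
        if (nonexistent_user_attempts(lines, nlines, ip) >= threshold)
            strcpy(flagged[n++], ip);    /* safe: source_of bounded ip to IP_MAX */
    }
    return n;
}

/* Wrappers over the constructed sample, so results are plain return values. */
int sample_attempts_from(const char *addr) {
    return nonexistent_user_attempts(sample_log, sample_log_len, addr);
}

int sample_flagged_count(int threshold) {
    char flagged[8][IP_MAX];
    return flag_sources(sample_log, sample_log_len, threshold, flagged, 8);
}

int main(void) {
    char flagged[8][IP_MAX];
    int i, n = flag_sources(sample_log, sample_log_len, 3, flagged, 8);
    for (i = 0; i < n; i++)
        printf("%s: %d attempts for unknown users\n", flagged[i],
               sample_attempts_from(flagged[i]));
    return 0;
}
```

On the sample, 192.168.1.8 (Rob's own client, two offers of one key for an unresolvable user) stays under a threshold of 3 while the invented 10.0.0.5 source is flagged; a real deployment would feed the log in via stdin or a file instead of the embedded array.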
Bruno Vernay | 9 Jul 18:02 2014

Small build without ECDSA gives errors

Hi,

I try to build a small Dropbear server (dropbear-2014.63)

From option.h, I commented out DROPBEAR_ECDSA and DROPBEAR_DSS and
other things ...

make clean
./configure --disable-syslog --disable-shadow --disable-lastlog
--disable-zlib  --prefix=/mnt/rwfs/dropbear
--host=arm-fsl-linux-gnueabi  --build=i686-pc-linux-gnu     ARCH=arm
CROSS_COMPILE=arm-none-linux-gnueabi-   CC=arm-fsl-linux-gnueabi-gcc
LDFLAGS=-Wl,--gc-sections  CFLAGS="-ffunction-sections
-fdata-sections"
make PROGRAMS="dropbear"

...
and I get this error:

arm-fsl-linux-gnueabi-gcc -ffunction-sections -fdata-sections
-I./libtomcrypt/src/headers/ -I. -I.
-I/opt/freescale/usr/local/gcc-4.4.4-glibc-2.11.1-multilib-1.0/arm-fsl-linux-gnueabi/arm-fsl
                  -linux-gnueabi/multi-libs/usr/include
-ffunction-sections -fdata-sections -DDROPBEAR_SERVER
-I/opt/freescale/usr/local/gcc-4.4.4-glibc-2.11.1-multilib-1.0/arm-fsl-linux-gnueabi/arm-fsl-linux-
                  gnueabi/multi-libs/usr/include  -c -o signkey.o
signkey.c
signkey.c: In function 'signkey_key_ptr':
signkey.c:110: error: 'DROPBEAR_SIGNKEY_ECDSA_NISTP256' undeclared
(first use in this function)
signkey.c:110: error: (Each undeclared identifier is reported only once
signkey.c:110: error: for each function it appears in.)
signkey.c:111: error: 'sign_key' has no member named 'ecckey256'
signkey.c:114: error: 'DROPBEAR_SIGNKEY_ECDSA_NISTP384' undeclared
(first use in this function)
signkey.c:115: error: 'sign_key' has no member named 'ecckey384'
signkey.c:118: error: 'DROPBEAR_SIGNKEY_ECDSA_NISTP521' undeclared
(first use in this function)
signkey.c:119: error: 'sign_key' has no member named 'ecckey521'
make: *** [signkey.o] Error 1

Any idea?

-- 
Bruno

Jesse Molina | 4 Jul 12:57 2014

Getting dbclient to time out when network goes down with reverse proxy usage


Hello

I am doing this:

ssh -K 3 -I 60 -i keyfile -N -R 2222:localhost:22 user@host

I am intending a dropbear ssh client to set up a reverse proxy 
connection to a server, so I am using -N and -R.

I am also using -K and -I so that the connection sends keepalives and 
will timeout if the network is disrupted.

My problem is that the above results in the session dying 60 seconds 
after setup is finished because the idle timeout is being hit.  I am not 
sure how -I is metering inbound traffic, but it's apparently not picking 
up anything.

Note that I have "ClientAliveInterval 15" set on the sshd_config server 
side. I would expect dropbear to count this traffic towards -I.

Without -I above, it took my device 18 minutes to figure out that I had 
pulled the network out from under it by shutting down the interface. 
That isn't acceptable.

Can dropbear do this, or do I need to use openssh?  I get the feeling 
after reading what I have read that dropbear is too simple to figure out 
when the server has gone away in most situations.

Relevant:

https://www.mail-archive.com/dropbear@ucc.asn.au/msg00978.html

https://www.mail-archive.com/dropbear@ucc.asn.au/msg00648.html

https://www.mail-archive.com/dropbear@ucc.asn.au/msg00402.html

Thanks in advance.
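Jesse's "-K 3 -I 60" problem above and the 2014.64 release note that a session is terminated after three unanswered keepalives both come down to how two independent timers interact: the keepalive interval with its count of unanswered probes, and the idle timeout, which only watches inbound activity. The model below is an added example written for this page, not dropbear's code, and it does not claim to reproduce what any dropbear version counts as activity; the reply_resets_idle knob is this example's assumption so that both readings can be compared side by side, and the three-keepalive limit follows the 2014.64 notes. Time runs in one-second ticks, the peer stops answering at peer_alive_until, and the four scenarios in main() cover the quiet reverse tunnel with and without the knob, a link that dies with only -K set, with only -I set, and with neither.

```c
#include <stdio.h>

/* Why a simulated session ended. */
enum ka_reason { KA_ALIVE, KA_DEAD_PEER, KA_IDLE_TIMEOUT };

struct ka_outcome {
    enum ka_reason reason;
    long at;               /* simulated second at which the session ended */
};

struct ka_config {
    int keepalive;         /* -K: seconds between keepalives, 0 = off */
    int idle_timeout;      /* -I: seconds without inbound activity, 0 = off */
    int max_unanswered;    /* unanswered keepalives before giving up (3 in 2014.64) */
    int reply_resets_idle; /* this example's knob: does a keepalive reply count as activity? */
};

/* Drive a session in one-second ticks. The peer answers keepalives and sends
 * data only while t < peer_alive_until; real data arrives every data_period
 * seconds (0 = the far end never sends anything on its own). */
struct ka_outcome simulate(struct ka_config cfg, long peer_alive_until,
                           int data_period, long total) {
    struct ka_outcome out = { KA_ALIVE, total };
    long last_rx = 0, last_sent = 0, t;
    int unanswered = 0;

    for (t = 1; t <= total; t++) {
        /* genuine traffic from the peer always counts as inbound activity */
        if (data_period > 0 && t % data_period == 0 && t < peer_alive_until)
            last_rx = t;

        if (cfg.keepalive > 0 && t - last_sent >= cfg.keepalive) {
            last_sent = t;
            if (t < peer_alive_until) {     /* reply comes straight back */
                unanswered = 0;
                if (cfg.reply_resets_idle)
                    last_rx = t;
            } else {
                unanswered++;
            }
            if (cfg.max_unanswered > 0 && unanswered >= cfg.max_unanswered) {
                out.reason = KA_DEAD_PEER;
                out.at = t;
                return out;
            }
        }
        if (cfg.idle_timeout > 0 && t - last_rx >= cfg.idle_timeout) {
            out.reason = KA_IDLE_TIMEOUT;
            out.at = t;
            return out;
        }
    }
    return out;
}

/* Scalar front end so the scenarios below read like command lines. */
struct ka_outcome outcome_for(int keepalive, int idle_timeout, int reply_resets_idle,
                              long peer_alive_until, int data_period, long total) {
    struct ka_config cfg = { keepalive, idle_timeout, 3, reply_resets_idle };
    return simulate(cfg, peer_alive_until, data_period, total);
}

const char *ka_reason_name(enum ka_reason r) {
    switch (r) {
    case KA_DEAD_PEER:    return "peer dead: 3 keepalives unanswered";
    case KA_IDLE_TIMEOUT: return "idle timeout (-I) fired";
    default:              return "still alive at end of run";
    }
}

static void report(const char *label, struct ka_outcome o) {
    printf("%-46s %s at t=%ld\n", label, ka_reason_name(o.reason), o.at);
}

int main(void) {
    /* -K 3 -I 60 on a quiet -N -R tunnel; the peer stays up the whole run */
    report("-K 3 -I 60, replies not counted as activity", outcome_for(3, 60, 0, 1000, 0, 600));
    report("-K 3 -I 60, replies counted as activity", outcome_for(3, 60, 1, 1000, 0, 600));
    /* the link dies at t=100 while the peer was sending data every 10 s */
    report("-K 3 only, link dies at t=100", outcome_for(3, 0, 0, 100, 10, 600));
    report("-I 60 only, link dies at t=100", outcome_for(0, 60, 0, 100, 10, 600));
    report("no -K, no -I, link dies at t=100", outcome_for(0, 0, 0, 100, 10, 600));
    return 0;
}
```

The first scenario ends at t=60 exactly as the post describes: every keepalive is answered, yet nothing the idle timer counts ever arrives on a -N tunnel with no channel traffic. With -K alone the dead link is noticed at t=108, three intervals after the last answered probe, which is the behaviour the 2014.64 notes describe; with -I alone it is noticed 60 s after the last real data; with neither, only TCP's own timeout would end the session.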

Catalin Patulea | 4 Jul 08:59 2014

TOS byte on port forwarding-only connections

Going back to February 2013:
https://secure.ucc.asn.au/hg/dropbear/rev/80af450dae76
https://secure.ucc.asn.au/hg/dropbear/rev/aa689d140928

Matt, at the time you had called out a potential issue with
connections doing only port forwarding staying on IPTOS_LOWDELAY. Now
I'm actually running into that issue.

'ssh -Lx:x:x cat' is a workaround, albeit ugly. Ideally I would like
'ssh -N -Lx:x:x' to also trigger IPTOS_BULK.

I think for that I could start the connection at LOWDELAY, then reduce
to BULK until the first pty session, then set LOWDELAY again. If the
client deletes the pty session but keeps the connection, it will stay
at LOWDELAY - we probably want it to reduce to BULK in that case.

How about a cleaner approach, where we keep a "refcount on lowdelay",
updated when pty channels are created/removed. When the refcount
transitions from 0->1, set LOWDELAY, 1->0, set BULK. I don't think
it's all that much extra code and it will really do the right thing in
many situations.

How would you feel about a patch for that?

Catalin
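The refcount idea above, and the rule table in the 2014.64 release notes (LOWDELAY while connecting or while any pty or X11 channel is open, 0 for a forward-only session, BULK otherwise), can be written as one small state machine. The code below is an added example for this page, not dropbear's implementation: IPTOS_THROUGHPUT stands in for the BULK value, the channel kinds and function names are the example's own, and setsockopt is reached only when the wanted value actually changes, which is the 0->1 / 1->0 transition Catalin describes. The scenario function walks the "ssh -N -L" case, including the pty that is opened and later closed while the connection stays up.

```c
#include <netinet/in.h>
#include <netinet/ip.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Channel kinds whose open/close can change the wanted TOS value. */
enum chan_kind { CHAN_PTY, CHAN_X11, CHAN_TCPFWD, CHAN_OTHER };

struct tos_state {
    int sock;                     /* transport socket; -1 = dry run, no setsockopt */
    int connecting;               /* 1 until connect/key exchange has finished */
    int ptys, x11, tcp_forwards;  /* refcounts of open channels, by kind */
    int current_tos;              /* value last applied to the socket, -1 if none */
    int changes;                  /* transitions that reached the socket */
};

/* Rule table from the 2014.64 release notes. IPTOS_THROUGHPUT stands in for
 * the "BULK" value named there; that mapping is this example's assumption. */
static int desired_tos(const struct tos_state *s) {
    if (s->connecting || s->ptys > 0 || s->x11 > 0)
        return IPTOS_LOWDELAY;
    if (s->tcp_forwards > 0)
        return 0;
    return IPTOS_THROUGHPUT;
}

/* Push a new TOS only when the wanted value changes, i.e. on the 0->1 and
 * 1->0 refcount transitions. Returns 1 if a change was applied. */
static int update_tos(struct tos_state *s) {
    int want = desired_tos(s);
    if (want == s->current_tos)
        return 0;
    if (s->sock >= 0 &&
        setsockopt(s->sock, IPPROTO_IP, IP_TOS, &want, sizeof(want)) != 0)
        perror("setsockopt(IP_TOS)");   /* QoS is best effort: keep going */
    s->current_tos = want;
    s->changes++;
    return 1;
}

void tos_init(struct tos_state *s, int sock) {
    memset(s, 0, sizeof(*s));
    s->sock = sock;
    s->connecting = 1;      /* start in LOWDELAY while connecting, as 2014.64 does */
    s->current_tos = -1;
    update_tos(s);
}

void tos_connected(struct tos_state *s) { s->connecting = 0; update_tos(s); }

/* Open (delta = +1) or close (delta = -1) one channel of the given kind. */
void tos_channel(struct tos_state *s, enum chan_kind k, int delta) {
    int *c = NULL;
    switch (k) {
    case CHAN_PTY:    c = &s->ptys;         break;
    case CHAN_X11:    c = &s->x11;          break;
    case CHAN_TCPFWD: c = &s->tcp_forwards; break;
    default:          break;   /* e.g. a plain exec channel: no effect on TOS */
    }
    if (c && *c + delta >= 0)
        *c += delta;
    update_tos(s);
}

/* Evaluate the rule table for one state without touching a socket. */
int tos_for(int connecting, int ptys, int x11, int tcp_forwards) {
    struct tos_state s = { -1, connecting, ptys, x11, tcp_forwards, -1, 0 };
    return desired_tos(&s);
}

/* The "ssh -N -L" case from the thread: a forward comes and goes, then a pty
 * session opens and closes. Returns how many TOS changes were applied. */
int run_forward_only_scenario(int sock) {
    struct tos_state s;
    tos_init(&s, sock);                 /* connecting          -> LOWDELAY (1) */
    tos_connected(&s);                  /* nothing open        -> BULK     (2) */
    tos_channel(&s, CHAN_TCPFWD, +1);   /* forward only        -> 0        (3) */
    tos_channel(&s, CHAN_PTY, +1);      /* first pty           -> LOWDELAY (4) */
    tos_channel(&s, CHAN_PTY, +1);      /* second pty: refcount 2, no change   */
    tos_channel(&s, CHAN_PTY, -1);      /* one pty left: still no change       */
    tos_channel(&s, CHAN_PTY, -1);      /* forward only again  -> 0        (5) */
    tos_channel(&s, CHAN_TCPFWD, -1);   /* idle                -> BULK     (6) */
    return s.changes;
}

int main(void) {
    int sock = socket(AF_INET, SOCK_STREAM, 0);   /* real fd so setsockopt runs */
    printf("TOS changed %d times (expect 6)\n", run_forward_only_scenario(sock));
    return sock >= 0 ? close(sock) : 0;
}
```

Eight channel events produce only six setsockopt calls: the second pty open and the first pty close are absorbed by the refcount, which is the point of counting rather than reacting to each channel. Passing -1 as the socket runs the same logic without touching the kernel, which is how the transitions can be checked in isolation.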

