shm | 8 Nov 10:39 2013

exit before auth: error

I am using dropbear to establish passwordless  connection between two
embedded linux targets connected via Gigabit Ethernet. I created the host
key in both nodes using

	dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key

I started dropbear in both nodes by 
	dropbear -s -g command

 When I try to login from one node ( to other ( using

	dbclient -i /etc/dropbear/dropbear_rsa_host_key root <at>

I get the following messages in
“Host '' is not in the trusted hosts file.
(fingerprint md5 e8:64:8c:b4:6a:13:11:8e:e0:71:c2:a3:11:62:40:9b)
Do you want to continue connecting? (y/n) dbclient: connection to
root <at> exited: Didn't validate host key”

and the following messages in
“[1189] Jan 01 02:55:05 Not backgrounding
[1194] Jan 01 02:55:09 Child connection from
[1194] Jan 01 02:55:09 exit before auth: error reading: Connection reset by

When I try to login back  from node ( to other ( using

dbclient -i /etc/dropbear/dropbear_rsa_host_key

(Continue reading)

Matt Johnston | 16 Oct 16:51 2013

Dropbear 2013.60

Hi all,

Dropbear 2013.60 is released fixing a few bugs from 2013.59,
mainly related to "make install". Download as usual from
or the new mirror


2013.60 - Wednesday 16 October 2013

- Fix "make install" so that it doesn't always install to /bin and /sbin

- Fix "make install MULTI=1", installing manpages failed

- Fix "make install" when scp is included since it has no manpage

- Make --disable-bundled-libtom work

Releases are signed by PGP key matt <at> 4C647FBC                                                    
     D11E 5F8D 2C38 523F 57F1  2166 8CF9 F8B0 4C64 7FBC                  

Catalin Patulea | 14 Oct 23:31 2013

[PATCH] dropbear: add mirror, provided by dropbear maintainer

Signed-off-by: Catalin Patulea <cat <at>>
 package/network/services/dropbear/Makefile |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile
index f025c4d..02be761 100644
--- a/package/network/services/dropbear/Makefile
+++ b/package/network/services/dropbear/Makefile
 <at>  <at>  -13,7 +13,8  <at>  <at>  PKG_RELEASE:=1

+ \


Mike Frysinger | 12 Oct 22:37 2013

fix bundled libtom configure flag

the current flag treats --disable-bundled-libtom like enable.  this patch fixes it.

diff -r 93e04b9ff676
--- a/	Wed Oct 09 22:24:39 2013 +0800
+++ b/	Sat Oct 12 16:36:07 2013 -0400
 <at>  <at>  -365,9 +365,15  <at>  <at>  AC_CHECK_FUNCS(logout updwtmp logwtmp)

 	[  --enable-bundled-libtom       Use bundled libtomcrypt/libtommath even if a system version exists],
-	[ 
-		AC_MSG_NOTICE(Forcing bundled libtom*)
+	[
+		if test "x$enableval" = "xyes"; then
+			AC_MSG_NOTICE(Forcing bundled libtom*)
+		else
+			AC_CHECK_LIB(tomcrypt, register_cipher, , BUNDLED_LIBTOM=1)
+			AC_CHECK_LIB(tommath, mp_exptmod, , BUNDLED_LIBTOM=1)
+		fi
Steve Newcomb | 4 Oct 18:31 2013

autossh incompatibility with dropbear -y

I'm using OpenWRT.  My router, whose IP address changes unpredictably,
makes its ssh-listening port available on another host running at a
stable IP address, using autossh/dropbear to create a reverse channel.

Sometimes the host's key changes from time to time, which can stop the
autossh process at a prompt (to nobody) to decide what to do about the

Ordinary OpenSSH has a StrictHostKeyChecking option which can be used to
bypass the so-called "ask" prompt and just make the connection regardless.

By reading the source, I learned that Dropbear's ssh client evidently
has a similar feature, the "-y" invocation option.  But I can't pass the
-y to it via autossh because autossh doesn't approve of it.  Dropbear's
ssh client also does not offer a config file utility, AFAIK.
Dropbear evidently ignores all -o options, too; they wind up in a bit
bucket called something like "dummy".

Does anybody know the answer, short of editing/recompiling autossh so it
won't be so persnickety and just get out of the way?

Steve Newcomb

Matt Johnston | 4 Oct 16:38 2013

Dropbear 2013.59

Hi all,

Dropbear 2013.59 has been released. It fixes a number of
bugs, including two security issues affecting prior

- The Dropbear server could be made to consume large amounts
of memory because decompressed packet sizes weren't checked.
Depending on the OS and hardware this might be a denial of

- Valid users could be identified due to timing variations.

As usual you can download it from


2013.59 - Friday 4 October 2013

- Fix crash from -J command 
  Thanks to Lluís Batlle i Rossell and Arnaud Mouiche for patches

- Avoid reading too much from /proc/net/rt_cache since that causes
  system slowness. 

- Improve EOF handling for half-closed connections
  Thanks to Catalin Patulea

(Continue reading)

peterpawn | 28 Aug 15:48 2013

[PATCH] ssh client can't be compiled without interactive authentication

Compiling dropbear without ENABLE_CLI_INTERACT_AUTH results in an error ...
 a needed member of "clientsession" structure from session.h isn't included.
Because I can't see a direct coherence between "no interactive
authentication" and "unencrypted connection", my proposed change is to
declare "cipher_none_after_auth" in any case (a simple #endif has to move
one line up).

--- 2013-04-18 16:58:14.000000000 +0200
+++ session.h 2013-08-28 15:32:36.000000000 +0200
 <at>  <at>  -270,9 +270,9  <at>  <at> 

info request from the server for

interactive auth.*/

        int cipher_none_after_auth; /* Set to 1 if the user requested "none"
                                                                   auth */
        sign_key *lastprivkey;

        int retval; /* What the command exit status was - we emulate it */

Thomas Vajzovic | 21 Aug 16:34 2013

dropbear ssh server with vfork and no fork


I am interested in running dropbear ssh server under uClinux on an embedded blackfin platform (using the
buildroot distribution).

This platform does not have a full MMU, so fork() is not available.

I notice that in one or two places in dropbear, fork() has been replaced with vfork() if the macro
__uClinux__ is defined.

In scp.c, there are comments about the requirement to call exec immediately in the child after vfork
returns, and this is done.

In other places some of the things that are done after vfork but before exec are quite big, eg:

* writing to stack data
* writing to global data
 * closing and dup-ing file descriptors
 * changing signal handlers
 * writing to the login record
 * malloc-ing memory
 * setting environment variables
 * setuid/setgid

In svr-chansession.c the code commented "wipe the hostkey" is not performed if vfork was used, so
presumably that bit was found to not work, but what about the rest?

Are people running the dropbear server on no-MMU systems and it just happens to work for them, or has someone
verified that it will always work?

(Continue reading)

aaron mcmanus | 30 Jul 02:55 2013


Sent from Yahoo hey ! Mail on Android

Leonid Bloch | 28 Jul 17:19 2013

Private key encryption

Since Dropbear does not support encrypted keys, I was wondering if using gpg to encrypt the key could be a solution. I mean some script like that:

KEY=$(gpg < key.gpg)
ssh -i $KEY server "some_command_to_server"

When encrypted key ("key.gpg") is generated using:
gpg -c key

So is this a secure/viable solution, or I'm totally missing something?

David Henderson | 26 Jul 17:22 2013

documentation installation

Good morning everyone!  I'm currently trying to compile and install dropbear to a staging directory for packing on a Linux distro.  The compiling and installation actually works like a charm, but the one thing that has me baffled is that the documentation isn't being installed!  I've tried searching online and looking through the source files, but can't find anything that indicates how to install the documentation!  Any help would greatly be appreciated!