Logan Anderson | 29 Apr 11:03 2014

Dropbear requiring passphrase

Guys,

I added Dropbear to an initramfs I am building for PXE. No matter what I do, dropbear appears to require an ssh passphrase and I really don't know how to handle this. It doesn't ask me for a passphrase when I create the key.

It appears to ask for the passphrase when I use ssh but it simply asks for a password when I use dbclient. What am I doing wrong?

Any direction would be welcome.
Christian Engelmayer | 5 Apr 21:51 2014

[PATCH] Fix a potential memory leak in function load_openssh_key()

Fix a memory handling issue in the error path of function load_openssh_key().
When freeing the dynamically allocated struct openssh_key during cleanup, the
pointer itself is memset instead of the pointed to struct memory. Thus the
next instruction results in m_free(0).

Reported by Coverity - CID 1191536.
---
Compile tested, applies against github.com/mkj/dropbear.git
---
 keyimport.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/keyimport.c b/keyimport.c
index 3da14ad..48cc1ba 100644
--- a/keyimport.c
+++ b/keyimport.c
 <at>  <at>  -474,7 +474,7  <at>  <at>  static struct openssh_key *load_openssh_key(const char *filename)
 			memset(ret->keyblob, 0, ret->keyblob_size);
 			m_free(ret->keyblob);
 		}
-		memset(&ret, 0, sizeof(ret));
+		memset(ret, 0, sizeof(*ret));
 		m_free(ret);
 	}
 	if (fp) {
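
Review bot: In this cleanup path both memset(ret->keyblob, 0, ret->keyblob_size) and the corrected memset(ret, 0, sizeof(*ret)) are followed directly by m_free(), so a compiler may treat them as dead stores and drop them. If the purpose is to scrub key material before the memory is released, use a wipe routine that the optimizer cannot elide for both calls. The subject line could also say that the struct was neither cleared nor freed, since the old memset(&ret, ...) zeroed the pointer itself.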
--

-- 
1.8.3.2

Christian Engelmayer | 5 Apr 20:13 2014

[PATCH] Fix a potential resource leak in function lastlog_openseek()

Calling function lastlog_perform_login(), that currently is the only user of
lastlog_openseek(), assumes no need for resource cleanup in case the function
returns an error. However, lastlog_openseek() leaves the already allocated
file descriptor in place in case the following lseek() fails.

Reported by Coverity - CID 1191538.
---
Compile tested, applies against github.com/mkj/dropbear.git
---
 loginrec.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/loginrec.c b/loginrec.c
index d6ec75f..00bd2dc 100644
--- a/loginrec.c
+++ b/loginrec.c
 <at>  <at>  -1344,6 +1344,7  <at>  <at>  lastlog_openseek(struct logininfo *li, int *fd, int filemode)
 		offset = (off_t) ((long)li->uid * sizeof(struct lastlog));

 		if ( lseek(*fd, offset, SEEK_SET) != offset ) {
+			close(*fd);
 			dropbear_log(LOG_WARNING, "lastlog_openseek: %s->lseek(): %s",
 			 lastlog_file, strerror(errno));
 			return 0;
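
Review bot: The added close(*fd) runs before dropbear_log() evaluates strerror(errno), and close() can itself change errno, so the warning may report the wrong reason for the failed lseek(). Move the close() after the log call, or save errno before closing. Because fd is an out parameter, consider also setting *fd = -1 so the caller cannot reuse the closed descriptor.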
--

-- 
1.8.3.2
Tim Broberg | 19 Mar 23:37 2014

Dropbear channel request race condition?

I'm sending an exec request to a session with a terminal (so I can run
sudo commands).

I send the channel request, then send eof expecting to get data, exit
status, and eof back.

Instead, dropbear server sends eof right away, then the running command
fails because his terminal has been shut down. (See the last 3 lines of
the log snippet below.)

If I don't send eof, it works fine.

I would expect dropbear to wait for the outstanding channel request to run
to completion before sending eof.

Am I making sense, or is there some problem with my use case of requesting
exec from a terminal session? If this is considered an invalid use case,
what would you suggest as an appropriate usage / workaround?

The full log is attached, and an excerpt from receipt of eof to the
failure of the command due to terminal non-existence is below.

Thanks for any help you're able to provide,
    - Tim.

TRACE (2354): enter recv_msg_channel_eof
TRACE (2354): check_close: writefd 6, readfd 6, errfd -1, sent_close 0,
recv_close 0
TRACE (2354): writebuf size 0 extrabuf size 0
TRACE (2354): sesscheckclose, pid is -1
TRACE (2354): sesscheckclose, pid is -1
TRACE (2354): CLOSE some fd 6
TRACE (2354): enter send_msg_channel_eof
TRACE (2354): enter encrypt_packet()
TRACE (2354): encrypt_packet type is 96
TRACE (2354): enter writemac
TRACE (2354): leave writemac
TRACE (2354): enter enqueue
TRACE (2354): leave enqueue
TRACE (2354): leave encrypt_packet()
TRACE (2354): leave send_msg_channel_eof
TRACE (2354): leave recv_msg_channel_eof
TRACE (2354): leave process_packet
TRACE (2354): check_close: writefd -1, readfd -1, errfd -1, sent_close 0,
recv_close 0
TRACE (2354): writebuf size 0 extrabuf size 0
TRACE (2354): sesscheckclose, pid is -1
TRACE (2354): sesscheckclose, pid is -1
TRACE (2354): CLOSE some fd -1
TRACE (2354): enter write_packet
TRACE (2354): empty queue dequeing
TRACE (2354): leave write_packet
TRACE (2354): check_close: writefd -1, readfd -1, errfd -1, sent_close 0,
recv_close 0
TRACE (2354): writebuf size 0 extrabuf size 0
TRACE (2354): sesscheckclose, pid is -1
TRACE (2354): sesscheckclose, pid is -1
TRACE (2354): CLOSE some fd -1
TRACE (2356): back to normal sigchld
[2356] Mar 19 14:13:12 ioctl(TIOCSCTTY): Input/output error
[2356] Mar 19 14:13:12 /dev/pts/1: No such file or directory
[2356] Mar 19 14:13:12 open /dev/tty failed - could not set controlling
tty: No such device or address

Attachment (dropbear_sudo.txt.gz): application/x-gzip, 4377 bytes
William Welch | 28 Feb 21:00 2014

Microblaze - slow with Dropbear 2014.63

Greetings,

I tried the new Dropbear (which is included with the new Buildroot 2014.02 yeah!) on my slow Microblaze system.  I think there is some improvement, but I wonder if I do not have the configuration optimized...  The noticeable delay is about 85 seconds, at this debug statement from the client SSH:  expecting SSH2_MSG_KEX_ECDH_REPLY

Suggestions welcome!

William



On Wed, Feb 19, 2014 at 8:28 AM, Matt Johnston <matt <at> ucc.asn.au> wrote:
Hi all,

Dropbear 2014.63 is released containing mostly accumulated
bug fixes.  Some are for regressions in the past couple of
releases so it's recommended for everyone.

As usual the URL is
https://matt.ucc.asn.au/dropbear/dropbear.html
or mirrored at
https://dropbear.nl/mirror/

Cheers,
Matt

2014.63 - Wednesday 19 February 2014

- Fix ~. to terminate a client interactive session after waking a laptop
  from sleep.

- Changed port separator syntax again, now using host^port. This is because
  IPv6 link-local addresses use %. Reported by Gui Iribarren

- Avoid constantly relinking dropbearmulti target, fix "make install"
  for multi target, thanks to Mike Frysinger

- Avoid getting stuck in a loop writing huge key files, reported by Bruno
  Thomsen

- Don't link dropbearkey or dropbearconvert to libz or libutil,
  thanks to Nicolas Boos

- Fix linking -lcrypt on systems without /usr/lib, thanks to Nicolas Boos

- Avoid crash on exit due to cleaned up keys before last packets are sent,
  debugged by Ronald Wahl

- Fix a race condition in rekeying where Dropbear would exit if it received a
  still-in-flight packet after initiating rekeying. Reported by Oliver Metz.
  This is a longstanding bug but is triggered more easily since 2013.57

- Fix README for ecdsa keys, from Catalin Patulea

- Ensure that generated RSA keys are always exactly the length
  requested. Previously Dropbear always generated N+16 or N+15 bit keys.
  Thanks to Unit 193

- Fix DROPBEAR_CLI_IMMEDIATE_AUTH mode which saves a network round trip if the
  first public key succeeds. Still not enabled by default, needs more
  compatibility testing with other implementations.

- Fix for port 0 forwarding in the client and port forwarding with Apache MINA SSHD. Thanks to

- Fix for bad system linux/pkt-sched.h header file with older Linux
  kernels, from Steve Dover

- Fix signal handlers so that errno is saved, thanks to Erik Ahlén for a patch
  and Mark Wickham for independently spotting the same problem.

Ed Sutter | 27 Feb 19:33 2014

basic shell

Hi,
I'm using dropbear in an embedded linux application pulled in with buildroot.
In normal situations it appears to be working fine.
For my project though, I need to run a custom shell that only provides the user
with VERY minimal access to the system all through builtins. When I set up a
new user to run this shell and log in from my system's serial port console it
works just fine; however, when I try to login as that user using ssh, I get...

Permission denied, please try again.

I've narrowed the problem down significantly by running the executable
(as the shell) that is  built with this code:

#include <stdio.h>
#include <stdlib.h>

#define MAX_LENGTH 1024

int main(int argc, char *argv[]) {
   char line[MAX_LENGTH];

   while (1) {
     printf("MYSHELL: ");
     if (!fgets(line, MAX_LENGTH, stdin)) break;
     printf("You typed: <%s>\n",line);
   }

   return 0;
}

Obviously this does nothing, but it *should* work from dropbear's point
of view right?  Any idea why running this as my shell fails with SSH?
Thanks,
Ed

Matt Johnston | 19 Feb 15:28 2014

Dropbear 2014.63

Hi all,

Dropbear 2014.63 is released containing mostly accumulated
bug fixes.  Some are for regressions in the past couple of
releases so it's recommended for everyone.

As usual the URL is
https://matt.ucc.asn.au/dropbear/dropbear.html 
or mirrored at
https://dropbear.nl/mirror/

Cheers,
Matt

2014.63 - Wednesday 19 February 2014

- Fix ~. to terminate a client interactive session after waking a laptop
  from sleep.

- Changed port separator syntax again, now using host^port. This is because
  IPv6 link-local addresses use %. Reported by Gui Iribarren

- Avoid constantly relinking dropbearmulti target, fix "make install"
  for multi target, thanks to Mike Frysinger

- Avoid getting stuck in a loop writing huge key files, reported by Bruno
  Thomsen

- Don't link dropbearkey or dropbearconvert to libz or libutil, 
  thanks to Nicolas Boos

- Fix linking -lcrypt on systems without /usr/lib, thanks to Nicolas Boos

- Avoid crash on exit due to cleaned up keys before last packets are sent,
  debugged by Ronald Wahl

- Fix a race condition in rekeying where Dropbear would exit if it received a
  still-in-flight packet after initiating rekeying. Reported by Oliver Metz.
  This is a longstanding bug but is triggered more easily since 2013.57

- Fix README for ecdsa keys, from Catalin Patulea

- Ensure that generated RSA keys are always exactly the length
  requested. Previously Dropbear always generated N+16 or N+15 bit keys.
  Thanks to Unit 193

- Fix DROPBEAR_CLI_IMMEDIATE_AUTH mode which saves a network round trip if the
  first public key succeeds. Still not enabled by default, needs more
  compatibility testing with other implementations.

- Fix for port 0 forwarding in the client and port forwarding with Apache MINA SSHD. Thanks to 

- Fix for bad system linux/pkt-sched.h header file with older Linux
  kernels, from Steve Dover

- Fix signal handlers so that errno is saved, thanks to Erik Ahlén for a patch
  and Mark Wickham for independently spotting the same problem.

Steve Dover | 15 Feb 22:34 2014

2013.62 broken, 2013.60 ok

Two toolchains involved.  My build machine is
gcc-4.8.1, binutils-2.22, uClibc-0.9.33.2
My arm machine is gcc-4.8.2, binutils and uClibc the same as build.

compile failure of dbutil.c, various typedefs missing.

unknown type name '___u64' (and 32,16,8)

I've diffed the entire tree, and can find no obvious changes
between 60 and 62 that lead to this breakage.  This is basic
./configure; make stuff, no editing of config.h or Makefile.
When I am cross-compiling I do
CC=$HARCH-gcc ./configure --prefix=/usr --host=$HARCH; make
and on native arm box, I do
./configure; make

But, in both environments, 2013.60 builds fine.

Does anyone have any clues as to where the problem may be?

Catalin Patulea | 9 Feb 21:44 2014

[PATCH] README: fix ecdsa key generation command

# HG changeset patch
# User Catalin Patulea <cat <at> vv.carleton.ca>
# Date 1391936210 18000
#      Sun Feb 09 03:56:50 2014 -0500
# Branch ecdsareadme
# Node ID 5342b5a69bfdf342f89ee5e3eb26c358669ea821
# Parent  d50c17fe57d77da37744911a9bd18d9f3fede45b
README: fix ecdsa key generation command

diff -r d50c17fe57d7 -r 5342b5a69bfd README
--- a/README	Fri Feb 07 07:57:45 2014 +0800
+++ b/README	Sun Feb 09 03:56:50 2014 -0500
 <at>  <at>  -54,7 +54,7  <at>  <at> 
 To run the server, you need to server keys, this is one-off:
 ./dropbearkey -t rsa -f dropbear_rsa_host_key
 ./dropbearkey -t dss -f dropbear_dss_host_key
-./dropbearkey -t ecdsa -f dropbear_dss_host_key
+./dropbearkey -t ecdsa -f dropbear_ecdsa_host_key

 or alternatively convert OpenSSH keys to Dropbear:
 ./dropbearconvert openssh dropbear /etc/ssh/ssh_host_dsa_key dropbear_dss_host_key
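
Review bot: The first context line of this hunk, "To run the server, you need to server keys", still contains a wording slip and could be corrected in the same README patch, for example to "you need to generate server keys". The new -f dropbear_ecdsa_host_key argument itself looks right, since the removed line reused the DSS file name from the line above it.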

Alexander Kriegisch | 3 Feb 09:25 2014

Server process not closed after disconnect, problems with reconnect

My setup:
  - Server (DSL/WLAN router running Dropbear sshd v2012.55)

      $ uname -mrsp
      Linux 2.6.19.2 mips unknown

      $ ps | grep dropbear | grep -v grep
       1673 root      1352 S    dropbear -i -R -a
      14826 root      1396 S    dropbear -i -R -a

  - Client

      OS: Windows XP Pro 64-bit
      SSH Client: Bitvise

As you can see, my Dropbear runs as root in inetd mode, permitting root logins (which is what I use) and
accepting connections to forwarded ports from other hosts. I need this because my connection basically
creates a few forward tunnels (client to server) to other machines behind the router as well as backward
tunnels (server to client) to a few services on the client's network. So far, so good.

The DSL router gets disconnected once every night, reconnects within seconds and gets a new IP address,
which is the usual thing in Germany for consumer-type ISP connections. What I expect to happen is that the
dropbear process goes down, but in ca. 4 out of 7 days this does not happen. The main symptom is that the
auto-reconnect for the SSH connection to the dynamic host name fails because ports on the router cannot be
bound because they are already in use. When I check with netstat I can see that indeed all the listening
ports for the reverse tunnels are still in use by the old Dropbear process which has not terminated. On a few
days a week it works, but I do not know the circumstances or race conditions which cause this behaviour. So
what I end up doing most of the time is log on to the router without the tunnels and kill the non-terminated
Dropbear process blocking the listening ports. A few seconds later, the full-blown SSH connection with
forward and reverse tunnels automatically reconnects and everything is fine for another 24 hours.

Now this obviously is ugly and unstable. Is there a way to make Dropbear understand it should terminate when
the DSL connection is gone? Or is there at least a workaround by which I can check if the SSH process is still
alive? I thought that maybe I could try and connect to one of the stale reverse tunnels
(localhost:someport on the router) in order to see if it is still functional, then kill the process
otherwise, but I had difficulty doing so because a wget test does not work (I only have Busybox wget which
does not have a time-out parameter).

Please ask for more information if this was too unspecific.
--

-- 
Alexander Kriegisch
http://scrum-master.de

Mario Gartner | 29 Jan 11:37 2014

Interactive QoS with `scp'

Hi!

I experimented with dropbear 2013.62 and its new QoS handling according to the changelog.
While I see the changed behavior when using non-pty ssh connections, I still get the "interactive" TOS in
sent IP packets when using `scp'.
My assumption was that scp should be considered bulk/no-pty. Did I miss something?

Here are some command examples and the resulting TOS captured with tcpdump.

# normal ssh --> uses IPTOS_LOWDELAY == OK!
ssh 14.64.1.4
tos 0x10

# option -T for no-pty --> uses IPTOS_THROUGHPUT == OK!
ssh -T 14.64.1.4
tos 0x8

# ssh with command (implies no-pty) --> uses IPTOS_THROUGHPUT == OK!
ssh 14.64.1.4 "date"
tos 0x8

# scp --> Still uses IPTOS_LOWDELAY! i.e. NOT OK(?)
scp /tmp/file.dat 14.64.1.4:/tmp/
tos 0x10

[The TOS of the initial packets during connection establishment was 0 and then changed to the mentioned
values, which is OK and expected]

One more thing:
Using TOS is actually obsoleted. "Modern" implementations should use the DS Field and DSCP classes as
described in RFC2474/RFC3260.
But as long as interactive and non-interactive connections can be identified and separated in the
network, I'm fine with that...

Mario 		 	   		  
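
The pty/no-pty TOS selection discussed in the message above, and how the captured values 0x10 and 0x8 read as DS field contents under RFC 2474, as an added example that is not Dropbear's code and not part of the original post. The function names tos_for_session, dscp_of, ecn_of and apply_tos are hypothetical, and an IPv4 socket on Linux is assumed.

```c
/* Added example: not Dropbear's code. All function names are hypothetical. */
#include <netinet/in.h>
#include <netinet/ip.h>   /* IPTOS_LOWDELAY (0x10), IPTOS_THROUGHPUT (0x08) */
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Policy from the message: a session with a pty is interactive, anything else is bulk. */
static int tos_for_session(int has_pty) {
    return has_pty ? IPTOS_LOWDELAY : IPTOS_THROUGHPUT;
}

/* RFC 2474 view of the same byte: upper six bits are the DSCP, lower two are ECN. */
static int dscp_of(int tos) { return (tos >> 2) & 0x3f; }
static int ecn_of(int tos)  { return tos & 0x03; }

/* Set IP_TOS on an IPv4 socket and return the value the kernel reports back, or -1. */
static int apply_tos(int fd, int tos) {
    int got = 0;
    socklen_t len = sizeof(got);
    if (setsockopt(fd, IPPROTO_IP, IP_TOS, &tos, sizeof(tos)) < 0) return -1;
    if (getsockopt(fd, IPPROTO_IP, IP_TOS, &got, &len) < 0) return -1;
    return got;
}

int main(void) {
    static const char *label[] = { "no pty", "pty" };
    for (int has_pty = 0; has_pty <= 1; has_pty++) {
        /* Unconnected socket: enough to set and read back the option offline. */
        int fd = socket(AF_INET, SOCK_STREAM, 0);
        if (fd < 0) { perror("socket"); return 1; }
        int tos = apply_tos(fd, tos_for_session(has_pty));
        close(fd);
        if (tos < 0) { perror("IP_TOS"); return 1; }
        printf("%-6s tos 0x%x dscp %d ecn %d\n",
               label[has_pty], tos, dscp_of(tos), ecn_of(tos));
    }
    return 0;
}
```

Comparing the value read back here with the tos field tcpdump prints for a live session shows which branch of the policy a given connection took.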
