Mattias Walström | 27 Mar 16:24 2013

Timeout dead connections

Hi!
I am running dropbear 2013.56, connecting to the server with a PC but
not performing a clean close (I pulled my ethernet cable), this caused
dropbear to never drop its connection.

Looking at the utmp entries, I could see that the connection never got dropped,
the utmp entries were kept forever, and running with debug indicates that also.

Tried to use -K to send keepalive, but it just keeps sending keepalives to the peer,
even if it is no longer there, and not possible to reach. Shouldn't
the connection be dropped if the keepalive does not reach its destination?

I know there is the -I option, but that does not really do what I want,
I want the connection to be torn down when the peer is unreachable, not
when the user has been idle for a while.

Regards
  Mattias

Mike Frysinger | 23 Mar 08:07 2013

[PATCH] rename configure.in -> configure.ac

# HG changeset patch
# User Mike Frysinger <vapier <at> gentoo.org>
# Date 1364022466 14400
# Node ID 43d1ef763b32a83d3bbd52720a754c9d5231a122
# Parent  07c3eff1abdaf14173330e3b17657ad46474064c
rename configure.in -> configure.ac

Latest autotools warn now if the file is named configure.in

diff -r 07c3eff1abda -r 43d1ef763b32 configure.ac
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/configure.ac	Sat Mar 23 03:07:46 2013 -0400
 <at>  <at>  -0,0 +1,702  <at>  <at> 
+#                                               -*- Autoconf -*-
+# Process this file with autoconf and autoheader to produce a configure script.
+
+# This Autoconf file was cobbled from various locations. In particular, a bunch
+# of the platform checks have been taken straight from OpenSSH's configure.ac
+# Huge thanks to them for dealing with the horrible platform-specifics :)
+
+AC_PREREQ(2.50)
+AC_INIT(buffer.c)
+
+OLDCFLAGS=$CFLAGS
+# Checks for programs.
+AC_PROG_CC
+AC_PROG_MAKE_SET
+
+if test -z "$LD" ; then
+	LD=$CC
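Review bot: in this plain-diff form the rename shows up as a 702-line addition from /dev/null (`-0,0 +1,702`), so the hunk does not show whether configure.ac is unchanged from configure.in or whether the move is recorded as a copy. Exporting the changeset with `hg diff --git` after `hg mv configure.in configure.ac` would present it as a rename with no content lines, which is much easier to review.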

Mike Frysinger | 23 Mar 08:06 2013

[PATCH] use AC_USE_SYSTEM_EXTENSIONS instead

# HG changeset patch
# User Mike Frysinger <vapier <at> gentoo.org>
# Date 1364022293 14400
# Node ID 07c3eff1abdaf14173330e3b17657ad46474064c
# Parent  63f8d6c469cf51624c9a48dbac1f2ae9b4cd82b6
use AC_USE_SYSTEM_EXTENSIONS instead

The current scp code uses vasprintf which is a GNU extension, but doesn't
define _GNU_SOURCE for it.  Instead of getting into that mess though, use
the autoconf AC_USE_SYSTEM_EXTENSIONS macro to automatically enable all
the extra fun stuff for us.

diff -r 63f8d6c469cf -r 07c3eff1abda configure.in
--- a/configure.in	Thu May 17 00:26:12 2012 +0800
+++ b/configure.in	Sat Mar 23 03:04:53 2013 -0400
 <at>  <at>  -24,7 +24,7  <at>  <at> 
 fi

 # large file support is useful for scp
-AC_SYS_LARGEFILE
+AC_USE_SYSTEM_EXTENSIONS

 # Host specific options
 # this isn't a definitive list of hosts, they are just added as required
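Review bot: the changed line sits directly under the unchanged comment `# large file support is useful for scp`, and the hunk removes `AC_SYS_LARGEFILE` instead of adding `AC_USE_SYSTEM_EXTENSIONS` beside it. AC_USE_SYSTEM_EXTENSIONS enables _GNU_SOURCE and similar feature macros but does not select large-file offsets, so the comment becomes stale and scp loses large-file support on targets that need it. Keep `AC_SYS_LARGEFILE` and add the new macro as its own line with its own comment.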

Matt Johnston | 21 Mar 16:40 2013

Dropbear 2013.56 released

Hi all,

Dropbear 2013.56 is now released, with a mix of features and
bug fixes. Download as usual at
https://matt.ucc.asn.au/dropbear/dropbear.html

I've also set up a github mirror of the Dropbear mercurial
repository at https://github.com/mkj/dropbear . It'll be
read-only but might be of use to the various forks.

Cheers,
Matt

2013.56 - Thursday 21 March 2013

- Allow specifying cipher (-c) and MAC (-m) lists for dbclient

- Allow using 'none' cipher or MAC (off by default, use options.h). Encryption
  is used during authentication then disabled, similar to OpenSSH HPN mode

- Allow a user in immediately if the account has a blank password and blank
  passwords are enabled

- Include a few extra sources of entropy from /proc on Linux, hash private keys
  as well. Dropbear will also write gathered entropy back into /dev/urandom

- Added hmac-sha2-256 and hmac-sha2-512 support (off by default, use options.h)

- Don't send bad address "localhost" for -R forward connections,
  reported by Denis Bider

Jonathan Chetwynd | 1 Mar 12:40 2013

using dbclient in bash script issue

Matt,

great stuff! using in Kindle, works fine...

could you please comment?

with the latest patched screen,

$ dbclient -i /mnt/us/id_rsa me@remoteIP -t "screen -x myscreen -X stuff 'cmd'`echo -ne '\015'`"

  the command is processed on the remote box

similarly in a bash script, using ssh on RPi, not Kindle

#!/bin/bash
ssh me@remoteIP -t "screen -x myscreen -X stuff 'cmd'`echo -ne '\015'`"

exit

but

#!/bin/bash
dbclient -i /mnt/us/id_rsa me@remoteIP -t "screen -x myscreen -X stuff 'cmd'`echo -ne '\015'`"

exit

opens screen, but does not send command.


Alexis-externe DAVOUX | 28 Feb 17:39 2013

Problem with Dropbear/dbclient as SFTP client

Hi,

I have some trouble with dropbear used as SFTP client.

I've set up a SFTP server on my machine, which works fine. I've tested the connection to the server with Filezilla client.
I've tried connecting to the SFTP server with dropbear using the command:

dbclient -s user@host sftp

I can authenticate successfully, and I get the welcome message, but after that I can't do anything: it seems that dbclient is waiting for some command but nothing seems to work. I've tried entering 'ls', 'cd /test', 'get test.txt', 'pwd',... but nothing happens when I validate with enter.

How can I use dbclient as an SFTP client? What is the correct syntax?

Thanks in advance,
Best regards,

Alexis

Paul Eggleton | 20 Feb 17:51 2013

RFC: PATCH: Allow configuring "allow blank password option" at runtime

Hi there,

Attached is a patch we've developed for dropbear within the Yocto Project to 
avoid the need to rebuild dropbear when we wish to disable the ability to log 
into accounts that have a blank password set. It removes the compile-time 
option and adds a -B command-line option which enables the functionality.

We'd really like to see this (or something like it) upstream. If an 
alternative implementation would be preferred please let me know.

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre	
Attachment (nopw-option-hg.patch): text/x-patch, 2972 bytes

dbextern | 3 Jan 14:58 2013

(unknown)

Hi Matt, 

thank you for the quick response.

# 7 seconds seems slow. Where said that it's a common problem?
# I get around 1 second to SSH to a raspberry pi (700mhz "ARMv6").
# Was it built with the same compiler and compile options?
# Leaving optimisation off could make that difference.

I found a few posts on the mailing list about that topic
(for example: http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2011q1/001098.html
or http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2011q3/001149.html).
The CPU is at 100% during the login.
Both versions have been compiled with the same external setup.
When the dropbear is the only process running the time is reduced to ~3s which is still a lot slower than the V0.52 (that does it in less than 1s).
Were Options added between those versions that could have an impact? Did maybe the libtommath/crypt change?

# I can't see how it wouldn't ask for a password unless
# there's -g or -s on the commandline. Does "ssh -v" show just
# "Authentications that can continue: publickey", not
# "publickey,password" ?

The server gives a 
"Authentications that can continue: publickey".
It is started without any options. 

Regards
Sebastian

-

Sebastian Fett, R&D
T +49-7191-9669-0, F +49-7191-950000, Sebastian.Fett@dbaudio.com, www.dbaudio.com

d&b audiotechnik GmbH, Eugen-Adolff-Straße 134, 71522 Backnang, Germany
Managing directors: Frank Bothe, Markus Strohmeier
Finance: Kay Lange; Marketing: Simon Johnston
Registered office: Backnang; Amtsgericht Stuttgart, HRB 725789

From:	Matt Johnston <matt@ucc.asn.au>
To:	dbextern@gmx.de,
Cc:	dropbear@ucc.asn.au
Date:	03.01.2013 12:51
Subject:	Re: Issues after Update from 0.52 to 2012.55; login time; password auth

Hi,

7 seconds seems slow. Where said that it's a common problem?
I get around 1 second to SSH to a raspberry pi (700mhz "ARMv6").
Was it built with the same compiler and compile options?
Leaving optimisation off could make that difference.

I can't see how it wouldn't ask for a password unless
there's -g or -s on the commandline. Does "ssh -v" show just
"Authentications that can continue: publickey", not
"publickey,password" ?

Cheers,
Matt

On Thu, Jan 03, 2013 at 12:10:51PM +0100, dbextern@gmx.de wrote:
> Hello!
> 
> I'm using dropbear on an embedded System with uCLinux. It works great. And first I want to thank all of you for the work you put in it.
> 
> After reading about the security fix I updated the dropbear from a (very stable and fast) 0.52 to the new 2012.55.
> 
> After the update two things changed. The login time increased a lot. From next to nothing to about 7s (on a 600MHz CPU). I read that this is a common problem, and that my 7s are still quite good. I'm just surprised about the increase.
> 
> Secondly the dropbear does not allow password login anymore (the server only gives back "pubkey" as available option). The according defines in the options.h are still active though. And the dropbear is started without -s. I'm out of ideas what to try to enable it again. When I just replace the dropbear executable with the 0.52 version it works again.
> 
> Any thoughts and advice is highly appreciated. Thank you in advance.
> 
> Regards
> Sebastian
> 

dbextern | 3 Jan 12:10 2013

Issues after Update from 0.52 to 2012.55; login time; password auth

Hello!

I'm using dropbear on an embedded System with uCLinux. It works great. And first I want to thank all of you for the work you put in it.

After reading about the security fix I updated the dropbear from a (very stable and fast) 0.52 to the new 2012.55.

After the update two things changed. The login time increased a lot. From next to nothing to about 7s (on a 600MHz CPU). I read that this is a common problem, and that my 7s are still quite good. I'm just surprised about the increase.

Secondly the dropbear does not allow password login anymore (the server only gives back "pubkey" as available option). The according defines in the options.h are still active though. And the dropbear is started without -s. I'm out of ideas what to try to enable it again. When I just replace the dropbear executable with the 0.52 version it works again.

Any thoughts and advice is highly appreciated. Thank you in advance.

Regards
Sebastian

Artur Artamonov | 19 Dec 08:55 2012

Support of nonexistent user login for alternative auth.

This patch adds support of nonexistent users.
Authentication goes through PAM.
A default user and default shell are used, under which
everything would be launched.

There was the same problem as mentioned in:
http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2012q3/001304.html

Ben Jencks | 11 Dec 06:11 2012

[PATCH] IPv6 bracket notation for listen addresses in -p

Updates parsing of the -p option to handle [2001:dba::]:22 style IPv6
addresses. This allows binding to specific IPv6 addresses, rather than
having to bind to all addresses in order to get any IPv6 support. For
example, you can now listen on IPv6 only with -p [::]:22.

This has been done before at [1], but I thought that patch
was kind of ugly so I wrote my own.

Please CC me on responses as I'm not subscribed to the list.

[1]
https://lists.openwrt.org/pipermail/openwrt-devel/2009-May/004299.html

diff -ur dropbear-2012.55.orig/svr-runopts.c dropbear-2012.55/svr-runopts.c
--- dropbear-2012.55.orig/svr-runopts.c	2012-02-23 08:47:06.000000000 -0500
+++ dropbear-2012.55/svr-runopts.c	2012-12-10 23:17:28.496729985 -0500
 <at>  <at>  -324,8 +324,23  <at>  <at> 
 		/* We don't free it, it becomes part of the runopt state */
 		myspec = m_strdup(spec);

-		/* search for ':', that separates address and port */
-		svr_opts.ports[svr_opts.portcount] = strchr(myspec, ':');
+		if (myspec[0] == '[') {
+			myspec++;
+			svr_opts.ports[svr_opts.portcount] = strchr(myspec, ']');
+			if (svr_opts.ports[svr_opts.portcount] == NULL) {
+				/* Unmatched [ -> exit */
+				dropbear_exit("Bad listen address");
+			}
+			svr_opts.ports[svr_opts.portcount][0] = '\0'; 
+			svr_opts.ports[svr_opts.portcount]++;
+			if (svr_opts.ports[svr_opts.portcount][0] != ':') {
+				/* Missing port -> exit */
+				dropbear_exit("Missing port");
+			}
+		} else {
+			/* search for ':', that separates address and port */
+			svr_opts.ports[svr_opts.portcount] = strchr(myspec, ':');
+		}

 		if (svr_opts.ports[svr_opts.portcount] == NULL) {
 			/* no ':' -> the whole string specifies just a port */
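Review bot: in the bracket branch, anything other than ':' right after ']' ends in `dropbear_exit("Missing port")`, so input such as `[::1]x:22` gets a misleading message and a bare `[::1]` is rejected outright. Consider separate messages for end-of-string and for stray characters after ']', and include the offending spec in the text. The else branch still splits an unbracketed IPv6 literal at its first ':', so the -p usage text should say that IPv6 addresses must be bracketed. The `= '\0'; ` line also carries trailing whitespace.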

