Paul Eggleton | 20 Feb 17:51 2013

RFC: PATCH: Allow configuring "allow blank password option" at runtime

Hi there,

Attached is a patch we've developed for dropbear within the Yocto Project to 
avoid the need to rebuild dropbear when we wish to disable the ability to log 
into accounts that have a blank password set. It removes the compile-time 
option and adds a -B command-line option which enables the functionality.

We'd really like to see this (or something like it) upstream. If an 
alternative implementation would be preferred please let me know.




Paul Eggleton
Intel Open Source Technology Centre	
Attachment (nopw-option-hg.patch): text/x-patch, 2972 bytes
dbextern | 3 Jan 14:58 2013


Hi Matt, 

thank you for the quick response.

# 7 seconds seems slow. Where said that it's a common problem?
# I get around 1 second to SSH to a raspberry pi (700mhz "ARMv6").
# Was it built with the same compiler and compile options?
# Leaving optimisation off could make that difference.

I found a few posts on the mailing list about that topic. 
(for example:
The CPU is at 100% during the login. 
Both versions have been compiled with the same external setup. 
When the dropbear is the only process running the time is reduced to ~3s which is still a lot slower than the
V0.52 (that does it in less than 1s).
Were Options added between those versions that could have an impact? Did maybe the libtommath/crypt

# I can't see how it wouldn't ask for a password unless
# there's -g or -s on the commandline. Does "ssh -v" show just
# "Authentications that can continue: publickey", not
# "publickey,password" ?

The server gives a 
"Authentications that can continue: publickey".
It is started without any options. 

(Continue reading)

dbextern | 3 Jan 12:10 2013

Issues after Update from 0.52 to 2012.55; login time; password auth


I'm using dropbear on an embedded System with uCLinux. It works great. And first I want to thank all of you for
the work you put in it.

After reading about the security fix I updated the dropbear from a (very stable and fast) 0.52 to the new 2012.55.

After the update two things changed. The login time increased a lot. From next to nothing to about 7s (on a
600MHz CPU). I read that this is a common problem, and that my 7s are still quite good. I'm just surprised
about he increase. 

Secondly the dropbear does not allow password login anymore (the server only gives back "pubkey" as
available option). The according defines in the options.h are still active though. And the dropbear is
started without -s. I'm out of ideas what to try to enable it again. When I just replace the dropbear
executable with the 0.52 version it works again.

Any thoughts and advide is highly appreciated. Tank you in advance.


Artur Artamonov | 19 Dec 08:55 2012

Support of noexistent user login for alternative auth.

This patch adds support of non existent users.
Authentication goes trought PAM.
There is used default user and default shell under with
everything would be lunched.

There was problem same as in mentioned:

Ben Jencks | 11 Dec 06:11 2012

[PATCH] IPv6 bracket notation for listen addresses in -p

Updates parsing of the -p option to handle [2001:dba::]:22 style IPv6
addresses. This allows binding to specific IPv6 addresses, rather than
having to bind to all addresses in order to get any IPv6 support. For
example, you can now listen on IPv6 only with -p [::]:22.

This has been done before at [1], but I thought that patch
was kind of ugly so I wrote my own.

Please CC me on responses as I'm not subscribed to the list.


diff -ur dropbear-2012.55.orig/svr-runopts.c dropbear-2012.55/svr-runopts.c
--- dropbear-2012.55.orig/svr-runopts.c	2012-02-23 08:47:06.000000000 -0500
+++ dropbear-2012.55/svr-runopts.c	2012-12-10 23:17:28.496729985 -0500
 <at>  <at>  -324,8 +324,23  <at>  <at> 
 		/* We don't free it, it becomes part of the runopt state */
 		myspec = m_strdup(spec);

-		/* search for ':', that separates address and port */
-		svr_opts.ports[svr_opts.portcount] = strchr(myspec, ':');
+		if (myspec[0] == '[') {
+			myspec++;
+			svr_opts.ports[svr_opts.portcount] = strchr(myspec, ']');
+			if (svr_opts.ports[svr_opts.portcount] == NULL) {
+				/* Unmatched [ -> exit */
+				dropbear_exit("Bad listen address");
+			}
+			svr_opts.ports[svr_opts.portcount][0] = '\0'; 
(Continue reading)

Loganaden Velvindron | 7 Dec 20:53 2012

diff to backoff a little running out of fds

Based on similar work done by OpenBSD for sshd,

I came up with this:
The idea is to prevent spinning when out of file descriptors by
backing off for a while.

Suggestions ?

diff -r 63f8d6c469cf svr-main.c
--- a/svr-main.c	Thu May 17 00:26:12 2012 +0800
+++ b/svr-main.c	Sat Dec 08 03:48:40 2012 +0400
 <at>  <at>  -226,9 +226,10  <at>  <at> 
 			remoteaddrlen = sizeof(remoteaddr);
 			childsock = accept(listensocks[i],
 					(struct sockaddr*)&remoteaddr, &remoteaddrlen);
 			if (childsock < 0) {
 				/* accept failed */
+				if(errno == EMFILE || errno == ENFILE)
+					usleep(100*1000);


Brightest day,
Blackest night,
No bug shall escape my sight,
And those who worship evil's mind,
be wary of my powers,
puffy lantern's light !
(Continue reading)

Artur Artamonov | 7 Dec 07:32 2012

PAM environment variable exporting to usershell

Here is patch that exports PAM environmental variables to user lunched
shell. This allows send some info to shell
that is authentificated trought dropbear

diff -upN a/auth.h b/auth.h
--- a/auth.h	2012-02-23 15:47:05.000000000 +0200
+++ b/auth.h	2012-12-05 13:01:58.161786510 +0200
 <at>  <at>  -76,6 +76,10  <at>  <at>  void cli_auth_interactive();
 char* getpass_or_cancel(char* prompt);
 void cli_auth_pubkey_cleanup();

+extern char **pam_env_list;

 #define MAX_USERNAME_LEN 25 /* arbitrary for the moment */

diff -upN a/svr-authpam.c b/svr-authpam.c
--- a/svr-authpam.c	2012-02-23 15:47:06.000000000 +0200
+++ b/svr-authpam.c	2012-12-05 13:04:24.415780751 +0200
 <at>  <at>  -44,6 +44,8  <at>  <at>  struct UserDataS {
 	char* passwd;

+char **pam_env_list=NULL;
 /* PAM conversation function - for now we only handle one message */
 pamConvFunc(int num_msg, 
(Continue reading)

Paul Horn | 18 Nov 01:29 2012

initramfs ip network overrides /etc/network settings

I have a question on networking and initramfs interaction. I already
posted this on the Ubuntu forums, but wondered if someone on this list
might have more familiarity with the underpinnings of dropbear and
initramfs. I'm decent with Linux but this is new territory for me.

Installing Ubuntu 12.10 server, 64 bit, on some new hardware. Working on
using dropbear / ssh to remotely unlock LUKS volumes at boot, generally
following the outline posted by hacksr at

The install is very basic at this point: an SSH server, apt-get
update/upgrade complete, and a static IP address set for eth0 in
/etc/network/interfaces. It boots quickly prior to installing dropbear.

After installing dropbear, initramfs starts networking on bootup. By
default, it uses DHCP. It is also possible to set a static IP. That much
I have working, and can remotely ssh in when the server starts and is
waiting for the luks passphrase. Thanks to the second script at the
above how-to, I can also enter the unlock passphrase in the dropbear
session and start the server.

What I can't figure out, and haven't found a post anywhere that
addresses this, is that once this process completes and the server
continues to boot, the network remains somehow under "control" of
initramfs. Boot process stops for several minutes "waiting for network
configuration" in spite of the static IP settings for both initramfs and
/etc/network/interfaces. Once it finally starts, any settings in
/etc/network/interfaces are ignored. If the IP addresses don't match, I
end up with the one in initramfs. If initramfs uses dhcp, I get that
address once the server fully boots.
(Continue reading)

Salatiel Filho | 8 Nov 11:17 2012

Support to port number in known hosts

Would it be possible to add support to port numbers in known_hosts
lines created by dbclient just like openssh ?
I ask this because if i have multiples ssh servers behind the same
fqdn in different ports ( port forwarding to different servers)
dbclient will complain about bad key every time i try to connect at a
different port in the same fqdn.



chinna obireddy | 25 Sep 10:39 2012

Dropbear calling my own command-line parser than /bin/sh

Dear All,

As per the thread I was successfully made changes to launch CLI application with dropbear ssh.

But Putty(SSH client) is still asking for Login name, though this is not going to be used It looks weird for user asking user name twice. Since the CLI application has it's own authentication method.

Suggest me how can I completely ignore Authentication packets in the server side.

lb | 12 Sep 20:15 2012

Dropbear client & server errors on Android


I successfully compiled the Dropbear client for Android, but when I try to
connect to an address it gives me the following error:
"Exited: Error resolving '<the address>'  port '<port>'. Name or service not
When I try to connect using IP address - all works fine.
Is there any way to make Dropbear use some external nameserver, like Or
any other solution you can think of?

As for the server: I fiddled with it a lot, applied different patches, overcame
numerous error messages, but the message I can't overcome now is:
"Exit before auth (user '<user>', 0 fails): Exited normally"
What can be the problem at this stage? (I'm using pubkey auth)

Thanks a lot,