From: rsmckown at yahoo.com (Steve McKown)
Date: Wed, 4 Apr 2007 18:06:04 -0600
Subject: Patch to 0.49 -- add support for old glibc 2.1.3
Message-ID: <200704041806.04223.rsmckown@yahoo.com>

A functional but slightly hackish patch to support older glibc systems that have __ss_family in struct sockaddr_storage. I'm sticking with glibc 2.1.3 because I don't want to incur the overhead to run a newer version, and haven't taken the time to migrate everything to uclibc.

Thanks,
Steve

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dropbear-glibc-2.1.3.patch
Type: text/x-diff
Size: 6431 bytes
Desc: not available
Url : http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20070404/17c09974/attachment.bin

From: payload at gmail.com (Mark McDonagh)
Date: Thu, 05 Apr 2007 17:38:09 +0100
Subject: Problem with dropbear ssh on FreeBSD

Hi,

I've a small problem with dropbear running on FreeBSD. I've a small script that does the following.

#!/bin/sh
# test.sh
#
SSH=/dropbear-0.49/dbclient
FILE=/tmp/mark.txt

$SSH -i $IDFILE username@machine cat /etc/resolv.conf > $FILE

Basically I want to get the contents of a file on a remote machine and write it to a file on the local machine. When I run the command from the command line it works; however, if I run the following command

daemon -cf /test.sh

the $FILE is created, however the file is empty.

FreeBSD 5.4
Dropbear client v0.49

Anyone any ideas?

Mark

ps I know I could get around this problem with scp, but that's not the answer I'm looking for.
From: savan.patel21 at yahoo.com (hfgj ghgj)
Date: Thu, 5 Apr 2007 23:43:07 -0700 (PDT)
Subject: how to run dropbear with Openrg ?
Message-ID: <265125.92354.qm@web58907.mail.re1.yahoo.com>

I want to add dropbear to my existing OpenRG Linux OS, in terms of running on a broadband router. Can anyone help me on this or tell me the steps so that I can make it run? I was trying to compile dropbear inside OpenRG, but it showed some error.

thanks,

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20070405/c7513208/attachment.htm

From: savan.patel21 at yahoo.com (hfgj ghgj)
Date: Mon, 16 Apr 2007 19:07:30 -0700 (PDT)
Subject: RSA key generation problem
Message-ID: <236369.49809.qm@web58906.mail.re1.yahoo.com>

I am trying to create a dropbear key but it is giving the following error:

/etc/dropbear # dropbearkey -t rsa -f identity
Will output 1024 bit rsa secret key to 'identity'
Generating key, this may take a while...
Warning: Reading the random source seems to have blocked.
If you experience problems, you probably need to find a better entropy source.

Would anybody help me?

--Savan

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20070416/61af01a3/attachment.htm
From: savan.patel21 at yahoo.com (hfgj ghgj)
Date: Mon, 16 Apr 2007 19:17:13 -0700 (PDT)
Subject: dropbear server in OPENRG,
Message-ID: <974369.55323.qm@web58906.mail.re1.yahoo.com>

dropbear server in OpenRG:

I have installed dropbear in OpenRG and am now trying to connect with the Tera Term SSH client, but I don't know how to start the server (which command starts the dropbear server). I am very new to Linux and OpenRG; would anybody help me?

--savan

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20070416/6e22ed40/attachment.html
From: rob at landley.net (Rob Landley)
Date: Wed, 18 Apr 2007 03:05:13 -0400
Subject: RSA key generation problem
In-Reply-To: <236369.49809.qm@web58906.mail.re1.yahoo.com>
References: <236369.49809.qm@web58906.mail.re1.yahoo.com>
Message-ID: <200704180305.13429.rob@landley.net>

On Monday 16 April 2007 10:07 pm, hfgj ghgj wrote:
> I am trying to create dropbear key but it is giving folowing error,,
>
> /etc/dropbear # dropbearkey -t rsa -f identity
> Will output 1024 bit rsa secret key to 'identity'
> Generating key, this may take a while...
> Warning: Reading the random source seems to have blocked.
> If you experience problems, you probably need to find a better entropy source.
>
> would anybody help me,,?
>
> --Savan

Either use /dev/urandom instead of /dev/random, or generate some entropy events (move the mouse, etc). This is based on an old write-up I did back at Timesys:

http://lldn.timesys.com/docs/about_entropy

(Laurie's tendency to take my name off stuff is part of the reason I don't work there anymore...)

Rob
--
Penguicon 5.0 Apr 20-22, Linux Expo/SF Convention. Bruce Schneier, Christine Peterson, Steve Jackson, Randy Milholland, Elizabeth Bear, Charlie Stross...
From: rob at landley.net (Rob Landley)
Date: Wed, 18 Apr 2007 03:07:41 -0400
Subject: dropbear server in OPENRG,
In-Reply-To: <974369.55323.qm@web58906.mail.re1.yahoo.com>
References: <974369.55323.qm@web58906.mail.re1.yahoo.com>
Message-ID: <200704180307.41733.rob@landley.net>

On Monday 16 April 2007 10:17 pm, hfgj ghgj wrote:
> dropbear server in OPENRG,,
>
> i have installed dropbear in openrg and now trying to conncect with tera term SSH client , but i dont know how to start the server,(Which command to start dropbear server).

It's "dropbear". If you're having trouble starting it, try "dropbear -F -E". The -F means don't daemonize (thus the server handles only one request, then exits), so it stays running in the foreground. The -E says write the log output to stderr rather than the system log, so you can see the output from the program. That way if it's having trouble, it'll tell you why.

Rob
--
Penguicon 5.0 Apr 20-22, Linux Expo/SF Convention. Bruce Schneier, Christine Peterson, Steve Jackson, Randy Milholland, Elizabeth Bear, Charlie Stross...
From: esw103 at yahoo.com (Edward Wang)
Date: Thu, 19 Apr 2007 00:40:56 +0000 (UTC)
Subject: Need Help with Dropbear Export Questions

I am currently in the process of trying to obtain clearance to export some custom computers out of the U.S. The computers have Dropbear, and the lawyers have questions about Dropbear encryption that I can't answer. Unfortunately, I can not find any documentation online with the answers either. I'd appreciate it if anyone can give the answers or can point me to where I can find the answers.

Here are the questions the lawyers have about Dropbear:

1. Describe the symmetric and asymmetric encryption algorithms and key lengths and how the algorithms are used (e.g., 56-bit DES, 168-bit DES, 128-bit RC4, 448-bit Blowfish, etc.). Specify which encryption modes are supported (e.g., cipher feedback mode or cipher block chaining mode). For any asymmetric algorithms, please specify whether the security of the algorithm is based upon any of the following: (a) factorization of integers in excess of 512 bits (e.g., RSA); (b) computation of discrete logarithms in a multiplicative group of a finite field of size greater than 512 bits (e.g., Diffie-Hellman over Z/pZ); or (c) discrete logarithms in a group other than mentioned above in excess of 112 bits (e.g., Diffie-Hellman over an elliptic curve).

2. State the key management algorithms, including modulus sizes, that are supported (e.g., 512-bit RSA, 1024-bit Diffie-Hellman, etc.).

(I'm sure the answers will be useful to anyone trying to obtain export clearance for something that uses Dropbear.)

Thanks,
Edward Wang
From: rob at landley.net (Rob Landley)
Date: Wed, 18 Apr 2007 22:29:01 -0400
Subject: Need Help with Dropbear Export Questions
Message-ID: <200704182229.01473.rob@landley.net>

On Wednesday 18 April 2007 8:40 pm, Edward Wang wrote:
> I am currently in the process of trying to obtain clearance to export some
> custom computers out of the U.S. The computers have Dropbear, and the lawyers
> have questions about Dropbear encryption that I can't answer. Unfortunately,
> I can not find any documentation online with the answers either.

It works like SSH, there are RFCs on this. If you type "ssh rfc" into google the first half-dozen hits are all relevant.

Rob
--
Penguicon 5.0 Apr 20-22, Linux Expo/SF Convention. Bruce Schneier, Christine Peterson, Steve Jackson, Randy Milholland, Elizabeth Bear, Charlie Stross...
From: matt at ucc.asn.au (Matt Johnston)
Date: Thu, 19 Apr 2007 10:51:15 +0800
Subject: Need Help with Dropbear Export Questions
Message-ID: <20070419025115.GG22943@ucc.gu.uwa.edu.au>

On Thu, Apr 19, 2007 at 12:40:56AM +0000, Edward Wang wrote:
> I am currently in the process of trying to obtain clearance to export some
> custom computers out of the U.S. The computers have Dropbear, and the lawyers
> have questions about Dropbear encryption that I can't answer. Unfortunately,
> I can not find any documentation online with the answers either. I'd
> appreciate it if anyone can give the answers or can point me to where I can
> find the answers.

The SSH2 specification at http://www.ietf.org/rfc/rfc4253.txt is probably a reasonable start. See inline for a list more specific to Dropbear. Hmm, I need to get some glossy marketing pamphlets to print :)

> 1. Describe the symmetric and asymmetric encryption
> algorithms and key lengths and how the algorithms are used
> (e.g., 56-bit DES, 168-bit DES, 128-bit RC4, 448-bit
> Blowfish, etc.). Specify which encryption modes are
> supported (e.g., cipher feedback mode or cipher block
> chaining mode). For any asymmetric algorithms, please
> specify whether the security of the algorithm is based
> upon any of the following: (a) factorization of integers
> in excess of 512 bits (e.g., RSA); (b) computation of
> discrete logarithms in a multiplicative group of a finite
> field of size greater than 512 bits (e.g., Diffie-Hellman
> over Z/pZ); or (c) discrete logarithms in a group other
> than mentioned above in excess of 112 bits (e.g.,
> Diffie-Hellman over an elliptic curve).

Symmetric algos, all in cipher block chaining (CBC) mode:
168-bit 3DES
256- or 128-bit AES
128-bit Blowfish
128- or 256-bit Twofish

Asymmetric algos:
Diffie-Hellman, computing discrete logarithms (1024-bit)
(RSA and DSS are used but not for encryption)

> 2.
> State the key management algorithms, including modulus sizes, that are
> supported (e.g., 512-bit RSA, 1024-bit Diffie-Hellman, etc.).

Diffie-Hellman 1024-bit

Signing only:
RSA 512- to 4096-bit
DSA 512- to 4096-bit

Hopefully that's of use, good luck.

Matt

From: robert.hunger at gmail.com (Robert Hunger)
Date: Fri, 20 Apr 2007 13:56:34 +0200
Subject: possibility to disable sftp without editing options.h
Message-ID: <20070420115634.GA32497@speedy.dnsalias.net>

Hi all.

When using scp from putty (pscp.exe), I always had to explicitly give the option "-scp", otherwise the transfer failed with:

"""
sh: /usr/libexec/sftp-server: not found
unable to initialise SFTP: could not connect
"""

I think it would be nice to be able to disable sftp support without editing "options.h" (similar to (EN|DIS)ABLE_X11FWD). In the appended patch I added a check for DISABLE_SFTPSERVER. Disabling sftp support is then possible via:

CFLAGS="-DDISABLE_SFTPSERVER"

Cheers,
Robert

-------------- next part --------------
Index: dropbear/options.h =================================================================== --- dropbear/options.h (revision 3891) +++ dropbear/options.h (working copy) @@ -197,10 +197,14 @@ /* if you want to enable running an sftp server (such as the one included with * OpenSSH), set the path below. If the path isn't defined, sftp will not * be enabled */ +#ifndef DISABLE_SFTPSERVER + #ifndef SFTPSERVER_PATH #define SFTPSERVER_PATH "/usr/libexec/sftp-server" #endif +#endif + /* This is used by the scp binary when used as a client binary. If you're * not using the Dropbear client, you'll need to change it */ #define _PATH_SSH_PROGRAM "/usr/bin/dbclient"
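Review bot: the new DISABLE_SFTPSERVER guard in this hunk only skips the default #define, so a build that passes both -DDISABLE_SFTPSERVER and -DSFTPSERVER_PATH=... on the compiler command line still ends up with SFTPSERVER_PATH defined and, per the comment directly above the block ("If the path isn't defined, sftp will not be enabled"), sftp stays enabled. Make the disable win explicitly, for example by following the block with `#ifdef DISABLE_SFTPSERVER`, `#undef SFTPSERVER_PATH`, `#endif`, or by raising an `#error` on the contradictory combination. The comment above the block should also mention DISABLE_SFTPSERVER so the option is discoverable without reading the #ifndef nesting, since the whole point of the patch is to avoid editing options.h.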
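An added example for the export discussion above, not code from this thread or from Dropbear: the list Matt gives answers the lawyers' question by reading source, but the same facts are visible on the wire, because every SSH2 peer advertises its algorithms in SSH_MSG_KEXINIT (RFC 4253 section 7.1) as RFC 4251 name-lists, and the cipher names carry the mode ("aes128-cbc") that question 1 asks about. The script below builds and decodes a KEXINIT payload and applies the RFC 4253 negotiation rule (the first name in the client's list that the server also supports). The server lists are constructed from the cipher and key-exchange names Matt lists; the exact Dropbear name strings, their order and the MAC names are assumptions, since the page does not quote them. Point the parser at a captured KEXINIT from a real build to replace the assumed lists with observed ones.

```python
"""Build, parse and negotiate SSH_MSG_KEXINIT (RFC 4253 section 7.1).

Added example, not Dropbear's own code. The server lists below are
constructed from the algorithm names quoted on this page; the precise
name strings, their order and the MAC list are assumptions.
"""
import os
import struct

MSG_KEXINIT = 20
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")


def put_namelist(names):
    """RFC 4251 name-list: uint32 length, then comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(lists, cookie=None, first_kex_follows=False):
    """Serialize KEXINIT: byte 20, 16-byte cookie, ten name-lists,
    boolean first_kex_packet_follows, uint32 reserved (0)."""
    if len(lists) != len(FIELDS):
        raise ValueError("KEXINIT needs exactly ten name-lists")
    cookie = os.urandom(16) if cookie is None else cookie
    body = bytes([MSG_KEXINIT]) + cookie
    for names in lists:
        body += put_namelist(names)
    return body + bytes([int(first_kex_follows)]) + struct.pack(">I", 0)


def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [names], "first_kex_follows": bool}."""
    if not payload or payload[0] != MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 17  # message byte + cookie
    out = {}
    for field in FIELDS:
        if off + 4 > len(payload):
            raise ValueError("truncated before %s" % field)
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        raw = payload[off:off + n]
        if len(raw) != n:
            raise ValueError("truncated name-list for %s" % field)
        off += n
        out[field] = raw.decode("ascii").split(",") if raw else []
    if off + 5 > len(payload):
        raise ValueError("missing first_kex_packet_follows/reserved trailer")
    out["first_kex_follows"] = bool(payload[off])
    return out


def negotiate(client_names, server_names):
    """RFC 4253 7.1: the first client-preferred name the server also lists.
    Client order decides, not server order; None means no common algorithm."""
    for name in client_names:
        if name in server_names:
            return name
    return None


def negotiate_all(client, server):
    """Negotiate every slot except the language lists."""
    return {f: negotiate(client[f], server[f]) for f in FIELDS[:8]}


# Constructed from the ciphers and key exchange named in the thread (assumed strings).
CIPHERS = ["aes128-cbc", "3des-cbc", "aes256-cbc", "twofish256-cbc",
           "twofish-cbc", "twofish128-cbc", "blowfish-cbc"]
MACS = ["hmac-sha1", "hmac-md5"]  # assumption; the page does not list MACs
SERVER_LISTS = [["diffie-hellman-group1-sha1"], ["ssh-rsa", "ssh-dss"],
                CIPHERS, CIPHERS, MACS, MACS, ["none"], ["none"], [], []]
# A client that prefers CTR mode but can fall back to CBC.
CLIENT_LISTS = [["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
                ["ssh-rsa"],
                ["aes256-ctr", "aes256-cbc", "aes128-cbc"],
                ["aes256-ctr", "aes256-cbc", "aes128-cbc"],
                ["hmac-sha1"], ["hmac-sha1"], ["none"], ["none"], [], []]


def demo():
    """Round-trip both sides through the wire format and negotiate."""
    server = parse_kexinit(build_kexinit(SERVER_LISTS))
    client = parse_kexinit(build_kexinit(CLIENT_LISTS))
    return negotiate_all(client, server)


if __name__ == "__main__":
    for slot, chosen in demo().items():
        print("%-9s %s" % (slot, chosen or "NO COMMON ALGORITHM"))
```

The negotiation rule is the reason a client's own preference list, not the server's, determines which of the advertised CBC ciphers is used; a client that lists only CTR ciphers gets no match and the connection fails at key exchange.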
From: conofrei at plantcml.com (Calin Onofrei)
Date: Sun, 22 Apr 2007 10:24:53 -0400
Subject: Limit concurrent connections

I have changed MAX_UNAUTH_CLIENTS to 1 in options.h, then commented out the "m_close(svr_ses.childpipe)" call near the bottom of svr-auth.c. It's working fine, but when I close the only client connection I have, I cannot open another one unless I restart the dropbear server. Is any solution possible?

Thank you,
Calin.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20070422/7ea45cab/attachment.htm

From: matt at ucc.asn.au (Matt Johnston)
Date: Sun, 22 Apr 2007 22:43:34 +0800
Subject: Limit concurrent connections
Message-ID: <20070422144334.GV22943@ucc.gu.uwa.edu.au>

On Sun, Apr 22, 2007 at 10:24:53AM -0400, Calin Onofrei wrote:
> I have changed into options.h MAX_UNAUTH_CLIENTS 1 then comment out
> "m_close(svr_ses.childpipe)" call near the bottom of
> svr-auth.c. It's working fine but when I close the only client
> connection I have, I cannot open another one, unless I restart dropbear
> server. Is any solution possible?

It works for me here (Mac OS X 10.4.9) if I make those changes. What operating system are you using? I wonder if perhaps it's not closing the childpipe socket upon exit. Does moving the m_close call to svr_dropbear_exit() make it work?

Cheers,
Matt

From: conofrei at plantcml.com (Calin Onofrei)
Date: Mon, 23 Apr 2007 07:54:40 -0400
Subject: Limit concurrent connections
In-Reply-To: <20070422144334.GV22943@ucc.gu.uwa.edu.au>
References: <20070422144334.GV22943@ucc.gu.uwa.edu.au>

Thank you Matt.

The dropbear server is running on arm-linux (Cirrus EP9302) and the client is PuTTY (Windows OS).

Cheers,
Calin

-----Original Message-----
From: Matt Johnston [mailto:matt at ucc.asn.au]
Sent: Sunday, April 22, 2007 10:44 AM
To: Calin Onofrei
Cc: dropbear at ucc.gu.uwa.edu.au
Subject: Re: Limit concurrent connections

On Sun, Apr 22, 2007 at 10:24:53AM -0400, Calin Onofrei wrote:
> I have changed into options.h MAX_UNAUTH_CLIENTS 1 then comment out
> "m_close(svr_ses.childpipe)" call near the bottom of svr-auth.c. It's
> working fine but when I close the only client connection I have, I
> cannot open another one, unless I restart dropbear server. Is any
> solution possible?

It works for me here (Mac OS X 10.4.9) if I make those changes. What operating system are you using? I wonder if perhaps it's not closing the childpipe socket upon exit. Does moving the m_close call to svr_dropbear_exit() make it work?

Cheers,
Matt
From: ppc64 at storix.com (David Huffman)
Date: Thu, 03 May 2007 12:56:46 -0700
Subject: Compilation on Solaris 10
Message-ID: <463A3E7E.9080600@storix.com>

I am unable to compile dropbear-0.48.1 on Solaris 10 sparc.

Configure runs fine with these options:

# ./configure --disable-zlib --disable-shadow --disable-lastlog --disable-utmp -disable-utmpx --disable-wtmp --disable-wtmpx --disable-pututline --disable-pututxline

(We use these same configure arguments for AIX, Linux x86, Linux PPC, Linux ia64, and HPUX ia64.)

Then I make using gmake:

# /usr/sfw/bin/gmake PROGRAMS="dropbear dbclient dropbearkey"

After a lot of output removing .o files, here is the tail end of the output:

gmake[1]: Entering directory `/stmaster62/source/solaris/dropbear-0.48.1/libtomcrypt'
cc -I. -I./libtomcrypt/src/headers/ -g -I/usr/local/include -DDROPBEAR_SERVER -DDROPBEAR_CLIENT -c -I./src/headers/ -I./../ -DENCRYPT_ONLY -c src/ciphers/aes/aes.c -o src/ciphers/aes/aes_enc.o
"./src/headers/tomcrypt_cipher.h", line 625: warning: syntax error: empty declaration
"./src/headers/tomcrypt_hash.h", line 282: warning: syntax error: empty declaration
"./src/headers/tomcrypt_prng.h", line 61: zero-sized struct/union
"./src/headers/tomcrypt_prng.h", line 181: warning: syntax error: empty declaration
cc: acomp failed for src/ciphers/aes/aes.c
gmake[1]: *** [src/ciphers/aes/aes_enc.o] Error 2
gmake[1]: Leaving directory `/stmaster62/source/solaris/dropbear-0.48.1/libtomcrypt'
gmake: *** [libtomcrypt/libtomcrypt.a] Error 2

Anyone run into this problem or can guide me through what I may be doing incorrectly?

Thanks in advance,

David Huffman
Storix, Inc.
From: matt at ucc.asn.au (Matt Johnston)
Date: Fri, 4 May 2007 12:14:21 +0800
Subject: Compilation on Solaris 10
In-Reply-To: <463A3E7E.9080600@storix.com>
References: <463A3E7E.9080600@storix.com>
Message-ID: <20070504041421.GF27607@ucc.gu.uwa.edu.au>

On Thu, May 03, 2007 at 12:56:46PM -0700, David Huffman wrote:
> I am unable to compile dropbear-0.48.1 on Solaris 10 sparc.
...
> gmake[1]: Entering directory
> `/stmaster62/source/solaris/dropbear-0.48.1/libtomcrypt'
> cc -I. -I./libtomcrypt/src/headers/ -g -I/usr/local/include
> -DDROPBEAR_SERVER -DDROPBEAR_CLIENT -c -I./src/headers/ -I./../
> -DENCRYPT_ONLY -c src/ciphers/aes/aes.c -o src/ciphers/aes/aes_enc.o
> "./src/headers/tomcrypt_cipher.h", line 625: warning: syntax error:
> empty declaration
> "./src/headers/tomcrypt_hash.h", line 282: warning: syntax error: empty
> declaration
> "./src/headers/tomcrypt_prng.h", line 61: zero-sized struct/union
> "./src/headers/tomcrypt_prng.h", line 181: warning: syntax error: empty
> declaration
> cc: acomp failed for src/ciphers/aes/aes.c
> gmake[1]: *** [src/ciphers/aes/aes_enc.o] Error 2
> gmake[1]: Leaving directory
> `/stmaster62/source/solaris/dropbear-0.48.1/libtomcrypt'
> gmake: *** [libtomcrypt/libtomcrypt.a] Error 2
>
> Anyone run into this problem or can guide me through what I may be doing
> incorrectly?

I'm not sure what the "empty declaration" warnings are, but they look harmless. The "line 61: zero-sized struct/union" is referring to there being an empty struct in tomcrypt_prng.h:61, since all the elements are #defined out. I _think_ the syntax is legal (though not 100% sure), but you can work around it by adding "int dummy;" or something like that just below the "typedef union Prng_state" line.

It should be fixed in 0.49.

Cheers,
Matt
From: antony at pavlenko.net (Antony Pavlenko)
Date: Fri, 04 May 2007 12:52:54 +0400
Subject: execute set of commands with dbclient

Hello,

I'd like to use the dropbear client for remote execution of a set of commands, and read these commands from an external file. But now I'm confused about sending the commands. As I understand it, it's OK to do it in the send_chansess_shell_req function (as it is done for "command"). But I couldn't understand how to write the command. Now I'm trying this:

start_channel_request(channel, "exec");
buf_putstring(ses.writepayload, buffer, strlen(buffer));
encrypt_packet();

where buffer is a char array with the command, but it doesn't work. What's wrong? Can anybody help me?

with respect,
---
Antony Pavlenko
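An added example following the question above, not code from this thread or from Dropbear: the wire layout of the "exec" channel request the poster is trying to send, as specified in RFC 4254 section 6.5 (message byte 98, recipient channel, the request type string, a want-reply boolean, then the command string), built and decoded with Python's struct module. The sample command file, the idea of chaining the lines with "&&" into the single command string an exec request carries, and all helper names are assumptions for illustration; the page does not say how Dropbear's own buf_putstring-based code lays the request out.

```python
"""Build and parse an SSH "exec" channel request (RFC 4254, section 6.5).

Added example, not Dropbear code. Wire layout:
    byte      SSH_MSG_CHANNEL_REQUEST (98)
    uint32    recipient channel
    string    "exec"
    boolean   want reply
    string    command
Helper names and the sample command file are assumptions.
"""
import struct

MSG_CHANNEL_REQUEST = 98


def put_string(data):
    """RFC 4251 string: uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def get_string(buf, off):
    """Read an RFC 4251 string at offset; return (bytes, new offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated string length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def commands_from_text(text):
    """One command per line; blank lines and '#' comments are skipped."""
    cmds = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            cmds.append(line)
    return cmds


def join_commands(cmds):
    """An exec request carries exactly one command string, so chain the
    lines with '&&' and let the remote shell stop at the first failure."""
    return " && ".join(cmds)


def build_exec_request(recipient_channel, command, want_reply=True):
    """Serialize SSH_MSG_CHANNEL_REQUEST with request type "exec"."""
    return (bytes([MSG_CHANNEL_REQUEST])
            + struct.pack(">I", recipient_channel)
            + put_string(b"exec")
            + bytes([1 if want_reply else 0])
            + put_string(command.encode("utf-8")))


def parse_channel_request(payload):
    """Decode a channel request payload; only "exec" is handled here."""
    if not payload or payload[0] != MSG_CHANNEL_REQUEST:
        raise ValueError("not an SSH_MSG_CHANNEL_REQUEST payload")
    (channel,) = struct.unpack_from(">I", payload, 1)
    rtype, off = get_string(payload, 5)
    if off >= len(payload):
        raise ValueError("missing want_reply byte")
    want_reply = bool(payload[off])
    off += 1
    if rtype != b"exec":
        raise ValueError("unsupported request type %r" % rtype)
    command, off = get_string(payload, off)
    if off != len(payload):
        raise ValueError("trailing bytes after command")
    return {"channel": channel, "want_reply": want_reply,
            "command": command.decode("utf-8")}


# Constructed sample command file (not from the thread).
SAMPLE_COMMANDS = """\
# commands to run on the remote host
uname -a
cat /etc/resolv.conf
df -h /
"""


def demo(channel=0):
    """Build the request for the sample file and decode it again."""
    cmd = join_commands(commands_from_text(SAMPLE_COMMANDS))
    payload = build_exec_request(channel, cmd)
    return payload, parse_channel_request(payload)


if __name__ == "__main__":
    payload, decoded = demo()
    print(payload.hex())
    print(decoded)
```

Note the boolean between the request type and the command: a builder that writes the type string and then immediately the command string produces a payload whose command the peer reads with the first command byte consumed as the want-reply flag, which is the kind of off-by-one a decoder like the one above makes visible.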
From: ppc64 at storix.com (David Huffman)
Date: Fri, 04 May 2007 09:58:59 -0700
Subject: Compilation on Solaris 10
In-Reply-To: <20070504041421.GF27607@ucc.gu.uwa.edu.au>
References: <463A3E7E.9080600@storix.com> <20070504041421.GF27607@ucc.gu.uwa.edu.au>
Message-ID: <463B6653.4080406@storix.com>

Thanks Matt,

That worked. There was one other place where I got the same type of error. I added int dummy to runopts.h as well. So in total I added "int dummy;" to:

tomcrypt_prng.h line 49
runopts.h line 35

Hope this helps others as well.

David Huffman
Storix, Inc.

Matt Johnston wrote:
> On Thu, May 03, 2007 at 12:56:46PM -0700, David Huffman wrote:
>
>> I am unable to compile dropbear-0.48.1 on Solaris 10 sparc.
>>
> ...
>
>> gmake[1]: Entering directory
>> `/stmaster62/source/solaris/dropbear-0.48.1/libtomcrypt'
>> cc -I. -I./libtomcrypt/src/headers/ -g -I/usr/local/include
>> -DDROPBEAR_SERVER -DDROPBEAR_CLIENT -c -I./src/headers/ -I./../
>> -DENCRYPT_ONLY -c src/ciphers/aes/aes.c -o src/ciphers/aes/aes_enc.o
>> "./src/headers/tomcrypt_cipher.h", line 625: warning: syntax error:
>> empty declaration
>> "./src/headers/tomcrypt_hash.h", line 282: warning: syntax error: empty
>> declaration
>> "./src/headers/tomcrypt_prng.h", line 61: zero-sized struct/union
>> "./src/headers/tomcrypt_prng.h", line 181: warning: syntax error: empty
>> declaration
>> cc: acomp failed for src/ciphers/aes/aes.c
>> gmake[1]: *** [src/ciphers/aes/aes_enc.o] Error 2
>> gmake[1]: Leaving directory
>> `/stmaster62/source/solaris/dropbear-0.48.1/libtomcrypt'
>> gmake: *** [libtomcrypt/libtomcrypt.a] Error 2
>>
>> Anyone run into this problem or can guide me through what I may be doing
>> incorrectly?
>>
>
> I'm not sure what the "empty declaration" warnings are, but
> they look harmless. The "line 61: zero-sized struct/union"
> is referring to there being an empty struct in
> tomcrypt_prng.h:61, since all the elements are #defined out.
> I _think_ the syntax is legal (though not 100% sure), but you
> can work around it by adding "int dummy;" or something like
> that just below the "typedef union Prng_state" line.
>
> It should be fixed in 0.49.
>
> Cheers,
> Matt
>

From: vtmrao at hotmail.com (Mohan V)
Date: Mon, 21 May 2007 17:10:41 -0400
Subject: Using Dropbear for RTOS which is not POSIX compliant?

Hi,

We have a proprietary RTOS which is *not* POSIX compliant. We want to port an SSH server and SCP client onto our platform. How difficult would it be to port Dropbear to our platform? We would like to integrate our CLI with the SSH.

Any recommendations on using Dropbear for our platform? Appreciate sharing of your experiences.

---
Thanks,
John

From: rob at landley.net (Rob Landley)
Date: Tue, 22 May 2007 12:26:54 -0400
Subject: Using Dropbear for RTOS which is not POSIX compliant?
Message-ID: <200705221226.54663.rob@landley.net>

On Monday 21 May 2007 5:10 pm, Mohan V wrote:
>
> Hi,
> We have a proprietary RTOS which is *not* POSIX compliant.

This is the point at which you lost my interest. :)

Rob
From: matt at ucc.asn.au (Matt Johnston)
Date: Wed, 23 May 2007 11:06:56 +0800
Subject: Using Dropbear for RTOS which is not POSIX compliant?
Message-ID: <20070523030656.GF23380@ucc.gu.uwa.edu.au>

On Mon, May 21, 2007 at 05:10:41PM -0400, Mohan V wrote:
>
> Hi,
> We have a proprietary RTOS which is *not* POSIX complaint. We want to port
> SSH server and SCP client onto our platform. How difficult it would be, to
> port Dropbear into our platform? We would like to integrate our CLI with
> the SSH.
>
> Any recommendations on using Dropbear for our platform? Appreciate sharing
> of your experiences.

I know that it has been ported to AMX and VxWorks; there are probably some others I haven't heard about or can't remember. I don't think either of those two released any source. There's a GPL-licensed port of the client to the PSP by Ludovic Jacomme as well.

Basically porting would require modifying the read()/write()/select() type code in the *channel and *session files and altering svr-chansession to talk to your own CLI with appropriate line buffering. PTY support can be awkward, but just talking straight to your own CLI is probably fairly easy. You'd also have to change the server auth code since that relies on /etc/passwd and Unix semantics. I'm not sure about scp.c -- it's a straight copy from OpenSSH (which in turn is a patched BSD rcp).

Cheers,
Matt
From: chrisv at cyberswitching.com (Chris Verges)
Date: Wed, 30 May 2007 13:37:55 -0700
Subject: User-defined DSS and RSA keys
Message-ID: <36AC13A947445A4AA6551F1BD8319FA83BE249@mail01.chreynolds.local>

I'm creating an embedded system that will be using Dropbear as its SSH daemon. Several other programs that are on the system will also be using SSL keys to encrypt their traffic. In the interest of reducing the memory footprint, I'd like to generate one key pair and configure all of my daemons to use the same pair.

When I was looking at the auto-generated DSS and RSA keys that Dropbear produces, they don't follow the same file format as what openssl generates. Is there some conversion step that needs to take place?

Thanks for the help!

Chris

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20070530/9c69ff88/attachment.htm
From: matt at ucc.asn.au (Matt Johnston)
Date: Thu, 31 May 2007 16:38:25 +0800
Subject: User-defined DSS and RSA keys
In-Reply-To: <36AC13A947445A4AA6551F1BD8319FA83BE249@mail01.chreynolds.local>
References: <36AC13A947445A4AA6551F1BD8319FA83BE249@mail01.chreynolds.local>
Message-ID: <20070531083825.GR13645@ucc.gu.uwa.edu.au>

On Wed, May 30, 2007 at 01:37:55PM -0700, Chris Verges wrote:
> I'm creating an embedded system that will be using Dropbear as its SSH daemon. Several other programs that are on the system will also be using SSL keys to encrypt their traffic. In the interest of reducing the memory footprint, I'd like to generate one key pair and configure all of my daemons to use the same pair.
>
> When I was looking at the auto-generated DSS and RSA keys that Dropbear produces, they don't follow the same file format as what openssl generates. Is there some conversion step that needs to take place?

You should be able to convert a key using the "dropbearconvert" program, eg "dropbearconvert openssh dropbear openssl.key dropbear.key" or similar.

The format used by Dropbear is fairly similar to that defined by the SSH spec (section 6.6 of rfc4253), but with the private parts appended. See below. OpenSSH (and also one of the modes of OpenSSL) uses PEM format keys. (That's what I think is happening anyway).

There isn't any support to directly load keys in PEM format, though it probably wouldn't be that hard to include the keyimport.c routines (which come from PuTTY) into the main Dropbear binary. The resulting increase in memory use is likely to be much more than the size of a private key though.

Cheers,
Matt

File formats (as per SSH RFC notation):

string "ssh-rsa"
mpint e
mpint n
mpint d (private)
mpint p (private, not required, old keys don't have it)
mpint q (private, not required, old keys don't have it)

string "ssh-dss"
mpint p
mpint q
mpint g
mpint y
mpint x (private part)

>
> Thanks for the help!
> Chris
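An added example after Matt's format description above, not code from this thread or from Dropbear: an encoder and decoder for the key layout he lists (type string, then the mpints in the stated order, with p and q optional for old ssh-rsa keys), using the string and mpint encodings of RFC 4251 section 5. Splitting the public prefix off the blob gives the RFC 4253 section 6.6 public key, which is what an authorized_keys line and an MD5 fingerprint are computed from. The RSA values are textbook toy numbers (p=61, q=53) chosen so the arithmetic can be checked by hand; they are constructed, far too small to be secure, and not a real Dropbear key. The consistency check is the kind of test worth running on any key imported from another tool before a daemon starts using it.

```python
"""Encode and decode Dropbear-style private key blobs.

Added example, not Dropbear's own code. Layout as listed on this page:
ssh-rsa: e, n, d, p, q (p and q optional in old keys); ssh-dss: p, q, g, y, x.
String and mpint encodings are from RFC 4251 section 5. The toy key values
are constructed for illustration and are not secure.
"""
import base64
import hashlib
import math
import struct

FIELDS = {"ssh-rsa": ("e", "n", "d", "p", "q"),
          "ssh-dss": ("p", "q", "g", "y", "x")}
PUBLIC = {"ssh-rsa": ("e", "n"), "ssh-dss": ("p", "q", "g", "y")}


def put_string(data):
    return struct.pack(">I", len(data)) + data


def put_mpint(x):
    """RFC 4251 mpint: two's complement, big endian, minimal length,
    zero encoded as the empty string."""
    if x == 0:
        return put_string(b"")
    n = ((x if x >= 0 else x + 1).bit_length() + 8) // 8
    return put_string(x.to_bytes(n, "big", signed=True))


def get_string(buf, off):
    if off + 4 > len(buf):
        raise ValueError("truncated length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def get_mpint(buf, off):
    raw, off = get_string(buf, off)
    return int.from_bytes(raw, "big", signed=True), off


def encode_key(ktype, values):
    """Type string, then the mpints in order; absent optional fields are skipped."""
    out = put_string(ktype.encode("ascii"))
    for name in FIELDS[ktype]:
        if name in values:
            out += put_mpint(values[name])
    return out


def decode_key(blob):
    ktype_raw, off = get_string(blob, 0)
    ktype = ktype_raw.decode("ascii")
    if ktype not in FIELDS:
        raise ValueError("unknown key type %r" % ktype)
    values = {}
    for name in FIELDS[ktype]:
        if off == len(blob):
            break  # old ssh-rsa keys stop after d
        values[name], off = get_mpint(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after key")
    return ktype, values


def public_blob(ktype, values):
    """RFC 4253 6.6 public key: the leading part of the private blob."""
    out = put_string(ktype.encode("ascii"))
    for name in PUBLIC[ktype]:
        out += put_mpint(values[name])
    return out


def md5_fingerprint(pub):
    return ":".join("%02x" % b for b in hashlib.md5(pub).digest())


def authorized_keys_line(ktype, values, comment="toy-key"):
    b64 = base64.b64encode(public_blob(ktype, values)).decode("ascii")
    return "%s %s %s" % (ktype, b64, comment)


def rsa_consistent(v):
    """n == p*q and e*d == 1 mod lcm(p-1, q-1); None if p, q are absent."""
    if "p" not in v or "q" not in v:
        return None
    lam = (v["p"] - 1) * (v["q"] - 1) // math.gcd(v["p"] - 1, v["q"] - 1)
    return v["p"] * v["q"] == v["n"] and (v["e"] * v["d"]) % lam == 1


TOY_RSA = {"e": 17, "n": 3233, "d": 2753, "p": 61, "q": 53}  # constructed, insecure


def demo():
    """Encode the toy key, decode it, and derive the public artefacts."""
    blob = encode_key("ssh-rsa", TOY_RSA)
    ktype, values = decode_key(blob)
    return {"type": ktype, "values": values, "consistent": rsa_consistent(values),
            "fingerprint": md5_fingerprint(public_blob(ktype, values)),
            "authorized_keys": authorized_keys_line(ktype, values)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

A key converted from another tool that passes decode_key but fails rsa_consistent was mangled in conversion (wrong field order or a sign bit read as data), which is the failure the mpint rules about leading bytes exist to prevent.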
From: miroslaw.dach at psi.ch (Miroslaw Dach)
Date: Tue, 19 Jun 2007 16:19:48 +0200 (CEST)
Subject: Dropbear on ppc405

Dear All,

I am a new user of dropbear. I have compiled it successfully for ppc405 with the multi option.

I have tried to start the server on my embedded target board.

First I logged in as user root. After that I did:

./dropbearkey -t dss -f dropbear_dss_host_key

The dropbear_dss_host_key file was created in the top-level / directory.

I typed ./dropbear to start the ssh daemon.

On the host computer I typed:

ssh testuser@129.128.7.50
ssh: connect to host 129.128.7.50 port 22: Connection refused

Does somebody have an idea what is wrong?

I would like to add that on the target ppc405 I use a busybox-based root file system.

I appreciate any comment on that to solve my problem running the dropbear ssh daemon.

Best Regards

Mirek

On Tue, 19 Jun 2007 dropbear-request at ucc.asn.au wrote:
> Welcome to the Dropbear at ucc.asn.au mailing list!
>
> To post to this list, send your email to:
>
> dropbear at ucc.asn.au
>
> General information about the mailing list is at:
>
> http://lists.ucc.gu.uwa.edu.au/mailman/listinfo/dropbear
>
> If you ever want to unsubscribe or change your options (eg, switch to
> or from digest mode, change your password, etc.), visit your
> subscription page at:
>
> http://lists.ucc.gu.uwa.edu.au/mailman/options/dropbear/miroslaw.dach%40psi.ch
>
> You can also make such adjustments via email by sending a message to:
>
> Dropbear-request at ucc.asn.au
>
> with the word `help' in the subject or body (don't include the
> quotes), and you will get back a message with instructions.
>
> You must know your password to change your options (including changing
> the password, itself) or to unsubscribe. It is:
>
> wnyk7wnyk7
>
> Normally, Mailman will remind you of your ucc.asn.au mailing list
> passwords once every month, although you can disable this if you
> prefer.
> This reminder will also include instructions on how to
> unsubscribe or change your account options. There is also a button on
> your options page that will email your current password to you.
>

--
=============================================================================
Miroslaw Dach (Miroslaw.Dach at psi.ch) - SLS/Controls Group
PSI - Paul Scherrer Institut
CH-5232 Villigen
=============================================================================

From: seven at 7labs.de (Sebastian Haag)
Date: Tue, 19 Jun 2007 17:12:56 +0200
Subject: Dropbear on ppc405
Message-ID: <200706191712.56160.seven@7labs.de>

nice password ;-)

btt: did you check the file permissions of the keyfile?

On Tuesday, 19 June 2007 16:19, Miroslaw Dach wrote:
> Dear All,
>
> I am new user of dropbear. I have compiled it successfully for
> ppc405 with option multi.
>
> I have tried to start the server on my embedded target board.
>
> First I have logged in as user root:
> After I did:
> ./dropbearkey -t dss -f dropbear_dss_host_key
>
> the dropbear_dss_host_key file was created in the most top / directory.
>
> I have typed ./dropbear to start the ssh daemon
>
> On the host computer I have typed :
>
> ssh testuser at 129.128.7.50
>
> ssh: connect to host 129.128.7.50 port 22: Connection refused
>
> Does somebody has some idea what is wrong?
>
> I would like to add that on the target ppc405 I use the busybox
> based rootfile system.
>
> I appreciate any comment on that to solve my problem to run the dropbear
> ssh daemon.
>
> Best Regards
>
> Mirek
>
From: matt at ucc.asn.au (Matt Johnston)
Date: Wed, 20 Jun 2007 10:09:22 +0800
Subject: Dropbear on ppc405
Message-ID: <20070620020922.GZ13645@ucc.gu.uwa.edu.au>

On Tue, Jun 19, 2007 at 04:19:48PM +0200, Miroslaw Dach wrote:
> Dear All,
>
> I am new user of dropbear. I have compiled it successfully for
> ppc405 with option multi.
>
> I have tried to start the server on my embedded target board.
>
> First I have logged in as user root:
> After I did:
> ./dropbearkey -t dss -f dropbear_dss_host_key
>
> the dropbear_dss_host_key file was created in the most top / directory.
>
> I have typed ./dropbear to start the ssh daemon
>
> On the host computer I have typed :
>
> ssh testuser at 129.128.7.50
>
> ssh: connect to host 129.128.7.50 port 22: Connection refused

Is there anything in /var/log/auth.log on the server? (or "logread" or something similar perhaps). Alternatively, run "./dropbear -F -E" and see what the output is.

Cheers,
Matt
From: miroslaw.dach at psi.ch (Miroslaw Dach)
Date: Wed, 20 Jun 2007 10:39:18 +0200 (CEST)
Subject: Dropbear on ppc405
In-Reply-To: <20070620020922.GZ13645@ucc.gu.uwa.edu.au>
Message-ID:

Thank you for your hint.

When I started dropbear with the options -F -E, I got the message that
/etc/dropbear/dropbear_dss_host_key is missing and
/etc/dropbear/dropbear_rsa_host_key is missing.

I moved /dropbear_dss_host_key to /etc/dropbear/.

The next time I started dropbear with -F -E, I got the message:

failed reading /etc/dropbear/dropbear_rsa_host_key disabling RSA
Not forking

Even so, I was able to use the ssh client on the host computer.

I am wondering what the meaning of "Not forking" is.

The second time I started dropbear, I got:

failed reading /etc/dropbear/dropbear_rsa_host_key disabling RSA
Warning: Reading the random source seems to have blocked.
If you experience problems, you probably need to find a better entropy
source.

Is it somehow possible to run dropbear as a daemon or via inetd?

Best Regards

Mirek

On Wed, 20 Jun 2007, Matt Johnston wrote:

> On Tue, Jun 19, 2007 at 04:19:48PM +0200, Miroslaw Dach wrote:
> > Dear All,
> >
> > I am a new user of dropbear. I have compiled it successfully for
> > ppc405 with option multi.
> >
> > I have tried to start the server on my embedded target board.
> >
> > First I have logged in as user root:
> > After I did:
> > ./dropbearkey -t dss -f dropbear_dss_host_key
> >
> > the dropbear_dss_host_key file was created in the most top / directory.
> >
> > I have typed ./dropbear to start the ssh daemon
> >
> > On the host computer I have typed :
> >
> > ssh testuser at 129.128.7.50
> >
> > ssh: connect to host 129.128.7.50 port 22: Connection refused
>
> Is there anything in /var/log/auth.log on the server? (or
> "logread" or something similar perhaps). Alternatively, run
> "./dropbear -F -E" and see what the output is.
>
> Cheers,
> Matt
>

--
=============================================================================
Miroslaw Dach (Miroslaw.Dach at psi.ch) - SLS/Controls Group
PSI - Paul Scherrer Institut
CH-5232 Villigen
=============================================================================

From matt at ucc.asn.au Thu Jun 21 14:36:41 2007
From: matt at ucc.asn.au (Matt Johnston)
Date: Thu, 21 Jun 2007 14:36:41 +0800
Subject: Dropbear on ppc405
In-Reply-To:
References: <20070620020922.GZ13645@ucc.gu.uwa.edu.au>
Message-ID: <20070621063641.GQ13645@ucc.gu.uwa.edu.au>

On Wed, Jun 20, 2007 at 10:39:18AM +0200, Miroslaw Dach wrote:
> I am wondering what the meaning of "Not forking" is.

It's just an informational message that it isn't going to be
backgrounded (ie, the -F flag). I'll make that message
clearer.

> The second time I started dropbear, I got:
>
> failed reading /etc/dropbear/dropbear_rsa_host_key disabling RSA
> Warning: Reading the random source seems to have blocked.
> If you experience problems, you probably need to find a better entropy
> source.

The problem is that your system doesn't have enough entropy
to run. You can make it use /dev/urandom (which won't block)
instead of /dev/random by changing options.h.

I'm considering making /dev/urandom the default, however
this could mask a security issue in embedded systems. If the
random number generator is initialised to the same state at
every startup in every device produced, then it could be
feasible for an attacker to defeat SSH's cryptographic
security. /dev/random is usually overkill, but it does
provide a guarantee that the system has sufficient entropy.
Ideally the kernel would provide a '/dev/brandom' that
blocks initially, but behaves the same as urandom (not
depleting entropy counts) once sufficient entropy has been
gathered.

See http://lxr.linux.no/source/drivers/char/random.c for
some comments on storing entropy between reboots.

> Is it somehow possible to run dropbear as a daemon or via inetd?

You can run it as a daemon by default, the -E -F flags are
just for debugging. You can also run it with -i via inetd.

Cheers,
Matt

From miroslaw.dach at psi.ch Thu Jun 21 23:08:13 2007
From: miroslaw.dach at psi.ch (Miroslaw Dach)
Date: Thu, 21 Jun 2007 17:08:13 +0200 (CEST)
Subject: Dropbear on ppc405
In-Reply-To: <20070621063641.GQ13645@ucc.gu.uwa.edu.au>
Message-ID:

Hi Matt,

Thank you for the detailed e-mail. I have done as you suggested.
I have modified in options.h the /dev/random to /dev/urandom.
Now I do not get the message referring to the entropy problem anymore.
I am even able now to run dropbear from inetd. This is just great.

I do not however understand why I get this message below:

Not forking?

Thank you very much for your help and explanation.

Best Regards

Mirek

On Thu, 21 Jun 2007, Matt Johnston wrote:

> On Wed, Jun 20, 2007 at 10:39:18AM +0200, Miroslaw Dach wrote:
> > I am wondering what the meaning of "Not forking" is.
>
> It's just an informational message that it isn't going to be
> backgrounded (ie, the -F flag). I'll make that message
> clearer.
>
> > The second time I started dropbear, I got:
> >
> > failed reading /etc/dropbear/dropbear_rsa_host_key disabling RSA
> > Warning: Reading the random source seems to have blocked.
> > If you experience problems, you probably need to find a better entropy
> > source.
>
> The problem is that your system doesn't have enough entropy
> to run. You can make it use /dev/urandom (which won't block)
> instead of /dev/random by changing options.h.
>
> I'm considering making /dev/urandom the default, however
> this could mask a security issue in embedded systems. If the
> random number generator is initialised to the same state at
> every startup in every device produced, then it could be
> feasible for an attacker to defeat SSH's cryptographic
> security. /dev/random is usually overkill, but it does
> provide a guarantee that the system has sufficient entropy.
> Ideally the kernel would provide a '/dev/brandom' that
> blocks initially, but behaves the same as urandom (not
> depleting entropy counts) once sufficient entropy has been
> gathered.
>
> See http://lxr.linux.no/source/drivers/char/random.c for
> some comments on storing entropy between reboots.
>
> > Is it somehow possible to run dropbear as a daemon or via inetd?
>
> You can run it as a daemon by default, the -E -F flags are
> just for debugging. You can also run it with -i via inetd.
>
> Cheers,
> Matt
>

--
=============================================================================
Miroslaw Dach (Miroslaw.Dach at psi.ch) - SLS/Controls Group
PSI - Paul Scherrer Institut
CH-5232 Villigen
=============================================================================

From hjk at linutronix.de Fri Jun 22 03:41:07 2007
From: hjk at linutronix.de (Hans-Jürgen Koch)
Date: Thu, 21 Jun 2007 21:41:07 +0200
Subject: problem with dropbear, pty??, and busybox
Message-ID: <200706212141.07966.hjk@linutronix.de>

I'm trying to use dropbear-0.49 on an ARM board (PXA270) running
Linux 2.6.21.5.
I'm using busybox-1.6.0 (don't know if that's related).

The dropbear daemon starts without complaining. If I try to login with ssh
from another computer, authentication (password) works, but then dropbear
hangs and spits out this error:

failed to open any /dev/pty?? devices
no pty was allocated, couldn't execute

It's true, I don't have any /dev/pty devices. I used

./configure --disable-syslog --disable-openpty --disable-utmp --disable-utmpx

to avoid them.

I'm new to dropbear, can somebody tell me what this is all about and
what I should do?

Thanks,
Hans

From rob at landley.net Fri Jun 22 05:48:29 2007
From: rob at landley.net (Rob Landley)
Date: Thu, 21 Jun 2007 17:48:29 -0400
Subject: Dropbear on ppc405
In-Reply-To: <20070621063641.GQ13645@ucc.gu.uwa.edu.au>
References: <20070620020922.GZ13645@ucc.gu.uwa.edu.au>
	<20070621063641.GQ13645@ucc.gu.uwa.edu.au>
Message-ID: <200706211748.30389.rob@landley.net>

On Thursday 21 June 2007 02:36:41 Matt Johnston wrote:
> On Wed, Jun 20, 2007 at 10:39:18AM +0200, Miroslaw Dach wrote:
> > I am wondering what the meaning of "Not forking" is.
>
> It's just an informational message that it isn't going to be
> backgrounded (ie, the -F flag). I'll make that message
> clearer.
>
> > The second time I started dropbear, I got:
> >
> > failed reading /etc/dropbear/dropbear_rsa_host_key disabling RSA
> > Warning: Reading the random source seems to have blocked.
> > If you experience problems, you probably need to find a better entropy
> > source.
>
> The problem is that your system doesn't have enough entropy
> to run. You can make it use /dev/urandom (which won't block)
> instead of /dev/random by changing options.h.
>
> I'm considering making /dev/urandom the default, however
> this could mask a security issue in embedded systems. If the
> random number generator is initialised to the same state at
> every startup in every device produced, then it could be
> feasible for an attacker to defeat SSH's cryptographic
> security. /dev/random is usually overkill, but it does
> provide a guarantee that the system has sufficient entropy.
> Ideally the kernel would provide a '/dev/brandom' that
> blocks initially, but behaves the same as urandom (not
> depleting entropy counts) once sufficient entropy has been
> gathered.

You can fake that in userspace. You can do a non-blocking read from
/dev/random to detect whether or not there's any entropy in there, and
you can write it back if you get any so as not to deplete the pool.

Or simply do your very first (blocking) read from /dev/random and then
do subsequent reads from /dev/urandom if that's the behavior you want.

> See http://lxr.linux.no/source/drivers/char/random.c for
> some comments on storing entropy between reboots.

On shutdown:

  dd if=/dev/urandom of=/tmp/.random bs=512 count=1

On startup:

  cat /tmp/.random > /dev/urandom
  rm /tmp/.random

> > Is it somehow possible to run dropbear as a daemon or via inetd?
>
> You can run it as a daemon by default, the -E -F flags are
> just for debugging. You can also run it with -i via inetd.
>
> Cheers,
> Matt

Rob

--
"One of my most productive days was throwing away 1000 lines of code."
  - Ken Thompson.

From matt at ucc.asn.au Fri Jun 22 14:08:49 2007
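The two userspace tricks Rob describes above (probe /dev/random without blocking, or block on it exactly once and then use /dev/urandom), together with the seed save/restore that his dd/cat pair performs, as an added C example. This is not dropbear's code and not something either poster shipped; the device paths are function parameters so the routines can be tried against ordinary files, and the function names, the 512-byte seed size and the test helpers at the end are this example's own assumptions.

```c
/* Added example (not dropbear's own code): userspace approximations of the
 * "blocks once, then behaves like urandom" device Matt wishes for, using the
 * two tricks Rob suggests, plus the seed save/restore that his dd/cat pair
 * performs.  Device paths are parameters so the routines can be exercised
 * against ordinary files; in real use pass the Linux nodes /dev/random and
 * /dev/urandom.  All function names here are this example's own. */
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

#define SEED_BYTES 512   /* the thread's "bs=512 count=1" */

/* Probe the blocking pool without blocking: a non-blocking read from
 * /dev/random fails with EAGAIN while the kernel has no entropy to give.
 * Returns 1 if bytes came out, 0 if the read would have blocked (or the
 * file is empty), -1 on error.  The bytes are written straight back so the
 * probe does not drain the pool.  Caveat: a plain write() only mixes them
 * in; it does not re-credit the entropy count (that needs the root-only
 * RNDADDENTROPY ioctl), so this is a probe, not a refill. */
int entropy_available(const char *random_dev)
{
    unsigned char probe[16];
    int fd = open(random_dev, O_RDWR | O_NONBLOCK);
    if (fd < 0) return -1;
    ssize_t n = read(fd, probe, sizeof probe);
    int result;
    if (n > 0) {
        (void)write(fd, probe, (size_t)n);
        result = 1;
    } else if (n == 0 || errno == EAGAIN || errno == EWOULDBLOCK) {
        result = 0;
    } else {
        result = -1;
    }
    close(fd);
    return result;
}

/* Fill buf with len bytes.  The first call in the process reads from the
 * blocking device, so a freshly booted, never-seeded box waits rather than
 * minting a predictable host key; later calls use the non-blocking device.
 * Returns 0 on success, -1 on error or a short read (never run short). */
int read_entropy(const char *blocking_dev, const char *nonblocking_dev,
                 unsigned char *buf, size_t len)
{
    static int seeded_once = 0;
    int fd = open(seeded_once ? nonblocking_dev : blocking_dev, O_RDONLY);
    if (fd < 0) return -1;
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) { close(fd); return -1; }
        got += (size_t)n;
    }
    close(fd);
    seeded_once = 1;
    return 0;
}

/* Copy up to len bytes from one path to another.  The target is created
 * 0600 because a saved seed is secret; O_TRUNC is ignored by Linux for a
 * character device, so the same call works for /dev/urandom.
 * Returns the number of bytes copied, or -1. */
static ssize_t copy_bytes(const char *from, const char *to, size_t len)
{
    unsigned char chunk[128];
    int in = open(from, O_RDONLY);
    if (in < 0) return -1;
    int out = open(to, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
    if (out < 0) { close(in); return -1; }
    ssize_t total = 0;
    while ((size_t)total < len) {
        size_t want = len - (size_t)total;
        if (want > sizeof chunk) want = sizeof chunk;
        ssize_t n = read(in, chunk, want);
        if (n <= 0) break;                                /* EOF or error */
        if (write(out, chunk, (size_t)n) != n) { total = -1; break; }
        total += n;
    }
    close(in);
    close(out);
    return total;
}

/* Shutdown half of the recipe: dd if=/dev/urandom of=/tmp/.random bs=512 count=1 */
ssize_t save_seed(const char *rng_dev, const char *seed_file)
{
    return copy_bytes(rng_dev, seed_file, SEED_BYTES);
}

/* Boot half: cat /tmp/.random > /dev/urandom; rm /tmp/.random
 * The file is unlinked so the same seed is never replayed (a crash before
 * the next save, or a cloned flash image, would otherwise reuse it).
 * Caveat, matching Matt's concern: writing into /dev/urandom mixes the
 * bytes in but credits no entropy, so a blocking /dev/random read still
 * waits; a real hardware entropy source is the actual fix. */
ssize_t restore_seed(const char *seed_file, const char *rng_dev)
{
    ssize_t n = copy_bytes(seed_file, rng_dev, SEED_BYTES);
    if (n > 0 && unlink(seed_file) != 0) return -1;
    return n;
}

/* Test helpers: build a constructed sample "device" file of repeated bytes,
 * and report a file's size (-1 if it does not exist). */
int make_sample_file(const char *path, unsigned char fill, size_t len)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
    if (fd < 0) return -1;
    for (size_t i = 0; i < len; i++)
        if (write(fd, &fill, 1) != 1) { close(fd); return -1; }
    close(fd);
    return 0;
}

long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}
```

In dropbear itself the only knob the thread offers is the random-source path in options.h, so a wrapper like read_entropy() would sit in front of whatever reads that device; the point of keeping the first read blocking is that "Reading the random source seems to have blocked" on a freshly flashed board is a true statement about the pool, not noise to silence. The probe function is only diagnostic: on an idle embedded box with no hardware RNG it will keep returning 0, which is exactly the information a /dev/urandom-only build would hide.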
From: matt at ucc.asn.au (Matt Johnston)
Date: Fri, 22 Jun 2007 14:08:49 +0800
Subject: problem with dropbear, pty??, and busybox
In-Reply-To: <200706212141.07966.hjk@linutronix.de>
References: <200706212141.07966.hjk@linutronix.de>
Message-ID: <20070622060849.GD13645@ucc.gu.uwa.edu.au>

On Thu, Jun 21, 2007 at 09:41:07PM +0200, Hans-Jürgen Koch wrote:
> I'm trying to use dropbear-0.49 on an ARM board (PXA270) running
> Linux 2.6.21.5.
> I'm using busybox-1.6.0 (don't know if that's related).
>
> The dropbear daemon starts without complaining. If I try to login with ssh
> from another computer, authentication (password) works, but then dropbear
> hangs and spits out this error:
>
> failed to open any /dev/pty?? devices
> no pty was allocated, couldn't execute
>
> It's true, I don't have any /dev/pty devices. I used
>
> ./configure --disable-syslog --disable-openpty --disable-utmp --disable-utmpx
>
> to avoid them.

You need some sort of PTY support to run any sort of
virtual terminal (ie, a normal SSH login). I have got no
idea what sort of Linux distro you're using, but often
they'll take care of it for you.

You will have to create the appropriate PTY devices in /dev
for it to work. If you make sure /dev/ptmx and /dev/tty
devices exist (use mknod or the makedev script that comes
with your distro (or buildroot??)) and then mount devpts at
/dev/pts, you should be able to use normal openpty()
support. You'll want to get rid of the --disable-openpty
configure argument.

Alternatively you can manually create
/dev/[pt]ty[pqrstuwxyzPQRST][0123456789abcdef]
nodes as appropriate and keep the --disable-openpty
configure argument. That will try opening each of
those devices sequentially until one succeeds.

Cheers,
Matt

From hjk at linutronix.de Fri Jun 22 18:02:24 2007
From: hjk at linutronix.de (Hans-Jürgen Koch)
Date: Fri, 22 Jun 2007 12:02:24 +0200
Subject: problem with dropbear, pty??, and busybox
In-Reply-To: <20070622060849.GD13645@ucc.gu.uwa.edu.au>
References: <200706212141.07966.hjk@linutronix.de>
	<20070622060849.GD13645@ucc.gu.uwa.edu.au>
Message-ID: <200706221202.24825.hjk@linutronix.de>

On Friday 22 June 2007 08:08, Matt Johnston wrote:
> On Thu, Jun 21, 2007 at 09:41:07PM +0200, Hans-Jürgen Koch wrote:
> > I'm trying to use dropbear-0.49 on an ARM board (PXA270) running
> > Linux 2.6.21.5.
> > I'm using busybox-1.6.0 (don't know if that's related).
> >
> > The dropbear daemon starts without complaining. If I try to login with ssh
> > from another computer, authentication (password) works, but then dropbear
> > hangs and spits out this error:
> >
> > failed to open any /dev/pty?? devices
> > no pty was allocated, couldn't execute
> >
> > It's true, I don't have any /dev/pty devices. I used
> >
> > ./configure --disable-syslog --disable-openpty --disable-utmp --disable-utmpx
> >
> > to avoid them.
>
> You need some sort of PTY support to run any sort of
> virtual terminal (ie, a normal SSH login). I have got no
> idea what sort of Linux distro you're using, but often
> they'll take care of it for you.

It's not a real distro, I compiled a minimal root file system
using busybox plus the files that come with the scratchbox
ARM toolchain. I haven't installed udev yet, that's why I
only have the /dev files I created myself.

>
> You will have to create the appropriate PTY devices in /dev
> for it to work. If you make sure /dev/ptmx and /dev/tty
> devices exist (use mknod or the makedev script that comes
> with your distro (or buildroot??)) and then mount devpts at
> /dev/pts, you should be able to use normal openpty()
> support. You'll want to get rid of the --disable-openpty
> configure argument.

I created /dev/ptmx manually (I already had /dev/tty), added
devpts to my fstab, and compiled dropbear without --disable-openpty.
That made it work, thanks for that hint!

>
> Alternatively you can manually create
> /dev/[pt]ty[pqrstuwxyzPQRST][0123456789abcdef]
> nodes as appropriate and keep the --disable-openpty
> configure argument. That will try opening each of
> those devices sequentially until one succeeds.

Didn't try that one.

Thanks a lot for your help!

Cheers,
Hans

From rob at landley.net Sat Jun 23 05:04:38 2007
From: rob at landley.net (Rob Landley)
Date: Fri, 22 Jun 2007 17:04:38 -0400
Subject: problem with dropbear, pty??, and busybox
In-Reply-To: <200706221202.24825.hjk@linutronix.de>
References: <200706212141.07966.hjk@linutronix.de>
	<20070622060849.GD13645@ucc.gu.uwa.edu.au>
	<200706221202.24825.hjk@linutronix.de>
Message-ID: <200706221704.39279.rob@landley.net>

On Friday 22 June 2007 06:02:24 Hans-Jürgen Koch wrote:
> On Friday 22 June 2007 08:08, Matt Johnston wrote:
> > On Thu, Jun 21, 2007 at 09:41:07PM +0200, Hans-Jürgen Koch wrote:
> > > I'm trying to use dropbear-0.49 on an ARM board (PXA270) running
> > > Linux 2.6.21.5.
> > > I'm using busybox-1.6.0 (don't know if that's related).
> > >
> > > The dropbear daemon starts without complaining. If I try to login with
> > > ssh from another computer, authentication (password) works, but then
> > > dropbear hangs and spits out this error:
> > >
> > > failed to open any /dev/pty?? devices
> > > no pty was allocated, couldn't execute
> > >
> > > It's true, I don't have any /dev/pty devices. I used
> > >
> > > ./configure --disable-syslog --disable-openpty --disable-utmp
> > > --disable-utmpx to avoid them.
> >
> > You need some sort of PTY support to run any sort of
> > virtual terminal (ie, a normal SSH login). I have got no
> > idea what sort of Linux distro you're using, but often
> > they'll take care of it for you.
>
> It's not a real distro, I compiled a minimal root file system
> using busybox plus the files that come with the scratchbox
> ARM toolchain. I haven't installed udev yet, that's why I
> only have the /dev files I created myself.

  mkdir /sys
  mount -t sysfs /sys /sys
  mdev -s

Note that mdev is a busybox command, and a very simple udev replacement.

http://busybox.net/downloads/BusyBox.html#item_mdev

However, for ptys you should probably be using unix 98 pty support, which
dynamically allocates them:

  mkdir /dev/pts
  mount -t devpts /dev/pts /dev/pts

Rob

--
"One of my most productive days was throwing away 1000 lines of code."
  - Ken Thompson.
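The two allocation routes Matt lays out (the /dev/ptmx plus devpts route that openpty() relies on, and the sequential walk over legacy /dev/[pt]ty?? nodes that a --disable-openpty build performs) together with the devpts mount Rob's last two commands provide, as an added C example. This is not dropbear's pty code and not something either poster shipped; the function names, the fallback order, the diagnostic messages and the device-number in the mknod hint are this example's own, and the prerequisite check is only the heuristic that a mount point has a different st_dev than its parent directory.

```c
/* Added example (not dropbear's own code): the two PTY allocation routes
 * Matt describes and the devpts prerequisite Rob's mount command satisfies.
 * unix98_open_pty() takes the /dev/ptmx + /dev/pts route that openpty()
 * relies on; legacy_pty_name()/legacy_open_pty() walk the BSD-style
 * /dev/[pt]ty[pqrstuwxyzPQRST][0-9a-f] nodes tried in turn by a
 * --disable-openpty build; is_mount_point() detects whether devpts is
 * actually mounted.  Function names are this example's own. */
#define _XOPEN_SOURCE 600
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Prototypes repeated so the block still builds if another header was
 * included before the feature macro above took effect. */
int posix_openpt(int);
int grantpt(int);
int unlockpt(int);
char *ptsname(int);

static const char LEGACY_BANKS[] = "pqrstuwxyzPQRST";     /* note: no 'v' */
static const char LEGACY_UNITS[] = "0123456789abcdef";
#define LEGACY_PTY_COUNT \
    ((int)(sizeof LEGACY_BANKS - 1) * (int)(sizeof LEGACY_UNITS - 1))   /* 240 */

/* Name the i-th legacy master/slave pair: i=0 -> /dev/ptyp0 and /dev/ttyp0.
 * Returns 0, or -1 if i is out of range. */
int legacy_pty_name(int i, char *master, char *slave, size_t len)
{
    if (i < 0 || i >= LEGACY_PTY_COUNT) return -1;
    char bank = LEGACY_BANKS[i / 16], unit = LEGACY_UNITS[i % 16];
    snprintf(master, len, "/dev/pty%c%c", bank, unit);
    snprintf(slave,  len, "/dev/tty%c%c", bank, unit);
    return 0;
}

/* Legacy route: open each master in turn until one succeeds and its slave
 * is usable.  Returns the master fd (slave name filled in) or -1, which is
 * the "failed to open any /dev/pty?? devices" case from Hans's log. */
int legacy_open_pty(char *slave, size_t len)
{
    char master[32];
    for (int i = 0; i < LEGACY_PTY_COUNT; i++) {
        legacy_pty_name(i, master, slave, len);
        int fd = open(master, O_RDWR | O_NOCTTY);
        if (fd < 0) continue;
        if (access(slave, R_OK | W_OK) == 0) return fd;
        close(fd);
    }
    slave[0] = '\0';
    return -1;
}

/* Unix 98 route: needs /dev/ptmx and devpts on /dev/pts.  grantpt() sets
 * the slave's owner and mode, unlockpt() makes it openable.  Returns the
 * master fd with slave = "/dev/pts/N", or -1. */
int unix98_open_pty(char *slave, size_t len)
{
    int fd = posix_openpt(O_RDWR | O_NOCTTY);
    if (fd < 0) return -1;
    if (grantpt(fd) != 0 || unlockpt(fd) != 0) { close(fd); return -1; }
    const char *name = ptsname(fd);
    if (name == NULL || strlen(name) >= len) { close(fd); return -1; }
    strcpy(slave, name);
    return fd;
}

/* 1 if dir is a mount point under parent (its st_dev differs), 0 if it is a
 * plain directory, -1 if either path is missing.  is_mount_point("/dev/pts",
 * "/dev") == 1 is what "mount -t devpts /dev/pts /dev/pts" achieves. */
int is_mount_point(const char *dir, const char *parent)
{
    struct stat d, p;
    if (stat(dir, &d) != 0 || stat(parent, &p) != 0) return -1;
    return d.st_dev != p.st_dev;
}

/* What a pty-needing session does: try the modern route first, fall back to
 * the legacy nodes, and say which prerequisite is missing on failure. */
int allocate_pty(char *slave, size_t len)
{
    int fd = unix98_open_pty(slave, len);
    if (fd >= 0) return fd;
    fd = legacy_open_pty(slave, len);
    if (fd >= 0) return fd;
    if (access("/dev/ptmx", F_OK) != 0)
        fprintf(stderr, "no /dev/ptmx: mknod /dev/ptmx c 5 2\n");
    if (is_mount_point("/dev/pts", "/dev") != 1)
        fprintf(stderr, "devpts not mounted: mkdir /dev/pts && "
                        "mount -t devpts devpts /dev/pts\n");
    return -1;
}
```

The order mirrors Hans's fix: once /dev/ptmx exists and devpts is in fstab, the first route wins and the 240-node scan never runs, which is why dropping --disable-openpty is the right build change rather than hand-creating legacy nodes. On a box where grantpt() has to chown the slave without root (no setuid helper), the Unix 98 route can still fail; the diagnostics only name the two prerequisites the thread identifies.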