From prz at net4u.ch Tue Jul 3 03:15:43 2007
From: prz at net4u.ch (Tony p.)
Date: Mon, 2 Jul 2007 19:15:43 +0000 (UTC)
Subject: Cannot get dropbear to open shell on uClibC 586 inux, kernel 2.6
Message-ID:

Same kind of problems, everything going dandy (got a small pty test in c written to make sure that /dev/pts is all dandy) and I get right after authentication dropbear closing connection on me. Same thing if I patch up to use mtx (I know, it's Sun code), if I use ptys classic or openpty. What gives ? thanks. tony

root at 192.168.1.28's password:
debug3: packet_send2: adding 64 (len 55 padlen 9 extra_pad 64)
debug2: we sent a password packet, wait for reply
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Entering interactive session.
debug2: callback start
debug2: x11_get_proto: /usr/bin/xauth list :0.0 2>/dev/null
debug1: Requesting X11 forwarding with authentication spoofing.
debug2: channel 0: request x11-req confirm 0
debug2: client_session2_setup: id 0
debug1: Sending command: echo hello
debug2: channel 0: request exec confirm 0
debug2: fd 3 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 8000 rmax 8000
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug2: channel 0: rcvd close
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug3: channel 0: will not send data after close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user

From matt at ucc.asn.au Tue Jul 3 10:18:57 2007
From: matt at ucc.asn.au (Matt Johnston)
Date: Tue, 3 Jul 2007 10:18:57 +0800
Subject: Cannot get dropbear to open shell on uClibC 586 inux, kernel 2.6
In-Reply-To:
References:
Message-ID: <20070703021857.GE13645@ucc.gu.uwa.edu.au>

On Mon, Jul 02, 2007 at 07:15:43PM +0000, Tony p. wrote:
> Same kind of problems, everything going dandy (got a small pty test in c written
> to make sure that /dev/pts is all dandy) and I get right after authentication
> dropbear closing connection on me. Same thing if I patch up to use mtx (I know,
> it's Sun code), if I use ptys classic or openpty. What gives ? thanks. tony

What does the server's log say? Look in /var/log/auth.log perhaps or run with "dropbear -F -E" to run in the foreground.

If you run "ssh hostname uptime" does it work?

Matt

From prz at net4u.ch Thu Jul 5 04:28:08 2007
From: prz at net4u.ch (prz)
Date: Wed, 04 Jul 2007 22:28:08 +0200
Subject: Cannot get dropbear to open shell on uClibC 586 inux, kernel 2.6
In-Reply-To: <20070703021857.GE13645@ucc.gu.uwa.edu.au>
References: <20070703021857.GE13645@ucc.gu.uwa.edu.au>
Message-ID: <468C02D8.2060505@net4u.ch>

Matt Johnston wrote:
> On Mon, Jul 02, 2007 at 07:15:43PM +0000, Tony p. wrote:
>
>> Same kind of problems, everything going dandy (got a small pty test in c written
>> to make sure that /dev/pts is all dandy) and I get right after authentication
>> dropbear closing connection on me. Same thing if I patch up to use mtx (I know,
>> it's Sun code), if I use ptys classic or openpty. What gives ? thanks. tony
>>
>
> What does the server's log say? Look in /var/log/auth.log
> perhaps or run with "dropbear -F -E" to run in the
> foreground.

Hey Matt, thanks for help, did that and it started all of a sudden to show the 'cannot change group' before exit message. Didn't do it to the log before!

> If you run "ssh hostname uptime" does it work?
>

yepp, it started to throw 'cannot change group' all of a sudden and from there it was easy: I had /etc/passwd but I didn't have /etc/groups

If your code would have thrown that into the message log, it would be an easy debugging.

thanks much -- tony

From rsantos at grupopie.com Mon Jul 9 21:39:14 2007
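The root cause above (a minimal image with /etc/passwd but no /etc/group) only surfaces when the server fails to change group after a successful authentication. As an added example, not code from this thread or from Dropbear, the check below looks the account up the way a server does before dropping privileges (the passwd entry, then its primary gid in the group database) and reports every gap as a message, so it can run at image build or boot time instead of at first login. The lookup functions are injectable only so that the check can be exercised against constructed records offline; the `MINIMAL_PASSWD` records and the fake lookups are constructed, not taken from the thread.

```python
"""Preflight check of the account database an SSH server needs before it can
drop privileges to a user (added example; assumptions noted inline)."""
import grp
import pwd
from collections import namedtuple
from typing import Callable, Dict, List


def check_account(name: str,
                  getpwnam: Callable = pwd.getpwnam,
                  getgrgid: Callable = grp.getgrgid) -> List[str]:
    """Return a list of problems; an empty list means the account is usable."""
    problems: List[str] = []
    try:
        pw = getpwnam(name)
    except KeyError:
        return [f"user '{name}' has no /etc/passwd entry"]
    # This is the lookup that fails when /etc/group is missing: the server's
    # setgid()/initgroups() step cannot resolve the primary gid.
    try:
        getgrgid(pw.pw_gid)
    except KeyError:
        problems.append(f"user '{name}': primary gid {pw.pw_gid} has no /etc/group entry "
                        "(setgid/initgroups will fail after authentication)")
    if not pw.pw_shell:
        problems.append(f"user '{name}' has no login shell set")
    if pw.pw_passwd == "":
        problems.append(f"user '{name}' has an empty password field")
    return problems


# Constructed records standing in for a minimal image's /etc/passwd; the image
# is assumed to have no /etc/group at all, so every gid lookup raises KeyError
# exactly as grp.getgrgid() does in that situation.
FakePw = namedtuple("FakePw", "pw_name pw_passwd pw_uid pw_gid pw_gecos pw_dir pw_shell")
MINIMAL_PASSWD: Dict[str, FakePw] = {
    "root": FakePw("root", "x", 0, 0, "root", "/root", "/bin/sh"),
    "guest": FakePw("guest", "", 1000, 1000, "", "/home/guest", "/bin/sh"),
}


def fake_getpwnam(name: str) -> FakePw:
    return MINIMAL_PASSWD[name]          # KeyError for unknown users, like pwd


def missing_group_db(gid: int):
    raise KeyError(gid)                  # no /etc/group on the image


def full_group_db(gid: int):
    return ("grp", "x", gid, [])         # every gid resolves


def demo_minimal_image() -> Dict[str, List[str]]:
    """Run the check over the constructed image for a few account names."""
    return {user: check_account(user, fake_getpwnam, missing_group_db)
            for user in ("root", "guest", "nobody")}


if __name__ == "__main__":
    for user, problems in demo_minimal_image().items():
        print(user, "->", problems or "ok")
    # Against the real host database:
    print("this host, root ->", check_account("root") or "ok")
```

Run as a script it prints the constructed image's problems and then checks `root` on the host it runs on; dropping the injected lookups makes `check_account` use the real passwd and group databases.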
From: rsantos at grupopie.com (Rui Santos)
Date: Mon, 09 Jul 2007 14:39:14 +0100
Subject: Cannot get fish protocol to work with minimal system
Message-ID: <46923A82.2050206@grupopie.com>

Hi,

I'm trying to get dropbear to work on a minimal system. Everything is working except the Konqueror fish:// protocol. I can ssh to dropbear, make keys with dropbearkey and I'm able to scp to and from that machine...

I also installed it on my PC, a openSUSE10.2 full system, started it and it all works... It just doesn't work on the minimal system machine that I'm trying to set up... I believe something is missing from my setup but, I was unable to find out what it is... Can anyone give a few hints on what could be missing ?

Thanks in advance,
Rui Santos

From rsantos at grupopie.com Mon Jul 9 22:41:35 2007
From: rsantos at grupopie.com (Rui Santos)
Date: Mon, 09 Jul 2007 15:41:35 +0100
Subject: Cannot get fish protocol to work with minimal system [SOLVED]
In-Reply-To: <46923A82.2050206@grupopie.com>
References: <46923A82.2050206@grupopie.com>
Message-ID: <4692491F.7040001@grupopie.com>

Rui Santos wrote:
> Hi,
>
> I'm trying to get dropbear to work on a minimal system. Everything
> is working except the Konqueror fish:// protocol. I can ssh to dropbear,
> make keys with dropbearkey and I'm able to scp to and from that machine...
>
> I also installed it on my PC, a openSUSE10.2 full system, started it
> and it all works... It just doesn't work on the minimal system machine
> that I'm trying to set up... I believe something is missing from my
> setup but, I was unable to find out what it is... Can anyone give a few
> hints on what could be missing ?
>

I found out why... The ls from busybox didn't have the -L option compiled within it. I turned all ls options on and it worked like a charm.

Just an advice for anyone having problems with dropbear. Use strace ( with the -f option ) - It really helps.

> Thanks in advance,
> Rui Santos
>

--
Cumprimentos
*Rui Santos*
Dep. Testes
*GrupoPIE Portugal, S.A.*
Tel: +351 252 290 600
Fax: +351 252 290 601
Email: rsantos at grupopie.com
Web: www.grupopie.com
/WinREST /EVERYWHERE

From Alexander at Kriegisch.name Fri Jul 27 01:05:07 2007
From: Alexander at Kriegisch.name (Alexander Kriegisch)
Date: Thu, 26 Jul 2007 19:05:07 +0200
Subject: Use OPIE without PAM
Message-ID: <46A8D443.1020103@Kriegisch.name>

I am looking for a cheap way of using OPIE (One-time Passwords In Everything) with dropbear on my WLAN/DSL router (mipsel platform). That is, I would like to use it without PAM (Pluggable Authentication Modules) but rather by delegating user/pw login to opielogin. It works like this with my BusyBox telnetd. Neither am I a Dropbear expert nor do I know how user/pw authentication is done in dropbear - obviously not by delegating to /bin/login. Can anybody provide a patch for Dropbear so it uses opielogin directly? Getting PAM up and running on my box is harder than I thought because of issues which would be off-topic here, and saving flash and RAM space is also important, so I would prefer a cheap solution.

Any ideas are welcome.

Regards
--
Alexander Kriegisch

From rsantos at grupopie.com Tue Jul 31 18:46:42 2007
From: rsantos at grupopie.com (Rui Santos)
Date: Tue, 31 Jul 2007 11:46:42 +0100
Subject: Change server timeout connection
Message-ID: <46AF1312.2030503@grupopie.com>

Hi,

When I try to edit a file using KDE fish, I have to login every ~5 minutes in order to save the changes.
I haven't found any way to setup a different timeout value. Is there any way to accomplish that ?

Thanks in advance,
Rui Santos

From matt at ucc.asn.au Tue Jul 31 21:01:01 2007
From: matt at ucc.asn.au (Matt Johnston)
Date: Tue, 31 Jul 2007 21:01:01 +0800
Subject: Use OPIE without PAM
In-Reply-To: <46A8D443.1020103@Kriegisch.name>
References: <46A8D443.1020103@Kriegisch.name>
Message-ID: <20070731130100.GD8198@ucc.gu.uwa.edu.au>

On Thu, Jul 26, 2007 at 07:05:07PM +0200, Alexander Kriegisch wrote:
> I am looking for a cheap way of using OPIE (One-time Passwords In
> Everything) with dropbear on my WLAN/DSL router (mipsel platform). That
> is, I would like to use it without PAM (Pluggable Authentication
> Modules) but rather by delegating user/pw login to opielogin. It works
> like this with my BusyBox telnetd. Neither am I a Dropbear expert nor do
> I know how user/pw authentication is done in dropbear - obviously not by
> delegating to /bin/login. Can anybody provide a patch for Dropbear so it
> uses opielogin directly? Getting PAM up and running on my box is harder
> than I thought because of issues which would be off-topic here, and
> saving flash and RAM space is also important, so I would prefer a cheap
> solution.

The problem I see with opielogin is that it doesn't let Dropbear know whether auth has succeeded or not. The only real way of using opielogin is to make SSH's own authentication allow any valid user to log in with any (or no) password, then run opielogin for a shell. TCP/agent/X11 forwarding wouldn't be possible either. I'm kind of wary of this solution since it doesn't seem that secure.

It might be better to use libopie to handle authentication, then run a shell as normal. I couldn't find any docs on libopie though - is it still maintained?

It's a shame there isn't a nice lightweight network auth solution for Unixes - PAM is kind of crufty and ill-suited.

Matt

From matt at ucc.asn.au Tue Jul 31 21:05:39 2007
From: matt at ucc.asn.au (Matt Johnston)
Date: Tue, 31 Jul 2007 21:05:39 +0800
Subject: Change server timeout connection
In-Reply-To: <46AF1312.2030503@grupopie.com>
References: <46AF1312.2030503@grupopie.com>
Message-ID: <20070731130539.GE8198@ucc.gu.uwa.edu.au>

On Tue, Jul 31, 2007 at 11:46:42AM +0100, Rui Santos wrote:
> Hi,
>
> When I try to edit a file using KDE fish, I have to login every ~5
> minutes in order to save the changes.
> I haven't found any way to setup a different timeout value. Is there
> any way to accomplish that ?

The timeout isn't from Dropbear - I can't really say where it would be coming from, it might be a firewall or router or something like that. Assuming KDE fish uses OpenSSH's client, you might be able to use its "ServerAliveInterval" or "TCPKeepAlive" options.

I'll look at adding keepalives to Dropbear for a future release though - a few people have requested it.

Matt

From Alexander at Kriegisch.name Tue Jul 31 21:16:52 2007
From: Alexander at Kriegisch.name (Alexander Kriegisch)
Date: Tue, 31 Jul 2007 15:16:52 +0200
Subject: Use OPIE without PAM
In-Reply-To: <20070731130100.GD8198@ucc.gu.uwa.edu.au>
References: <46A8D443.1020103@Kriegisch.name> <20070731130100.GD8198@ucc.gu.uwa.edu.au>
Message-ID: <46AF3644.4030108@Kriegisch.name>

Thanks for your comments, Matt. I think you are right, opielogin might not be a good idea. I do not know about any docs concerning libopie, though. I just found this article describing how to use OPIE with sshd and PAM: http://www.heise-security.co.uk/articles/88570. It contains links to the tools mentioned there. Does that help in any way?

Regards
--
Alexander Kriegisch

> The problem I see with opielogin is that it doesn't let
> Dropbear know whether auth has succeeded or not. The only
> real way of using opielogin is to make SSH's own
> authentication allow any valid user to log in with any (or
> no) password, then run opielogin for a shell. TCP/agent/X11
> forwarding wouldn't be possible either. I'm kind of wary of
> this solution since it doesn't seem that secure.
>
> It might be better to use libopie to handle authentication,
> then run a shell as normal. I couldn't find any docs on
> libopie though - is it still maintained?
>
> It's a shame there isn't a nice lightweight network auth
> solution for Unixes - PAM is kind of crufty and ill-suited.

From rsantos at grupopie.com Tue Jul 31 23:38:32 2007
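Matt's objection in the two messages above is that handing the session to opielogin leaves the SSH server unable to tell whether authentication succeeded, whereas a library call returns a verdict. The following is an added example, not code from this thread, from OPIE or from Dropbear: a minimal S/KEY-style one-time-password verifier (the scheme OPIE implements) written the way a server would use it in-process, so the server holds the verdict and the per-user state itself. It is deliberately simplified and these are assumptions, not OPIE's actual format: SHA-256 without OPIE's 64-bit folding, hex responses instead of the six-word encoding, and the class and function names are invented here.

```python
"""S/KEY-style hash-chain OTP verification, server and client halves
(added example; simplified, see the lead-in for what differs from OPIE)."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def chain(secret: str, seed: str, n: int) -> bytes:
    """Client-side computation: base = H(seed || secret), then H applied n more times.
    Sequence number 0 is therefore still a hash, never the passphrase itself."""
    x = _h((seed + secret).encode())
    for _ in range(n):
        x = _h(x)
    return x


def client_response(secret: str, seq: int, seed: str) -> str:
    """What the user types for challenge (seq, seed)."""
    return chain(secret, seed, seq).hex()


class OtpServer:
    """Stores, per user, only the seed, the next sequence number and the
    current chain head; the passphrase is never kept."""

    def __init__(self) -> None:
        self._users: Dict[str, dict] = {}

    def enroll(self, user: str, secret: str, count: int = 100, seed: Optional[str] = None) -> None:
        seed = seed or os.urandom(4).hex()
        self._users[user] = {"seed": seed, "seq": count, "last": chain(secret, seed, count)}

    def challenge(self, user: str) -> Optional[Tuple[int, str]]:
        """Return (seq, seed) the client must answer, or None if exhausted/unknown."""
        st = self._users.get(user)
        if st is None or st["seq"] < 1:
            return None
        return st["seq"] - 1, st["seed"]

    def verify(self, user: str, response_hex: str) -> bool:
        """Accept iff H(response) equals the stored head; then the response
        becomes the new head, so the same value can never be replayed."""
        st = self._users.get(user)
        if st is None or st["seq"] < 1:
            return False
        try:
            resp = bytes.fromhex(response_hex)
        except ValueError:
            return False
        if not hmac.compare_digest(_h(resp), st["last"]):
            return False
        st["last"] = resp
        st["seq"] -= 1
        return True


if __name__ == "__main__":
    srv = OtpServer()
    srv.enroll("alice", "correct horse battery", count=5, seed="ab12")
    seq, seed = srv.challenge("alice")
    otp = client_response("correct horse battery", seq, seed)
    print("challenge", seq, seed, "->", srv.verify("alice", otp), "replay:", srv.verify("alice", otp))
```

The design point the thread is circling is visible in `verify`: because the server only learns the verdict by doing the hash comparison itself, it can feed the result into the normal SSH userauth success/failure path and keep channel features such as forwarding, which delegating to an external login program cannot offer.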
From: rsantos at grupopie.com (Rui Santos)
Date: Tue, 31 Jul 2007 16:38:32 +0100
Subject: Change server timeout connection
In-Reply-To: <20070731130539.GE8198@ucc.gu.uwa.edu.au>
References: <46AF1312.2030503@grupopie.com> <20070731130539.GE8198@ucc.gu.uwa.edu.au>
Message-ID: <46AF5778.9000208@grupopie.com>

Matt Johnston wrote:
> On Tue, Jul 31, 2007 at 11:46:42AM +0100, Rui Santos wrote:
>
>> Hi,
>>
>> When I try to edit a file using KDE fish, I have to login every ~5
>> minutes in order to save the changes.
>> I haven't found any way to setup a different timeout value. Is there
>> any way to accomplish that ?
>>
>
> The timeout isn't from Dropbear - I can't really say where
> it would be coming from, it might be a firewall or router or
> something like that. Assuming KDE fish uses OpenSSH's
> client, you might be able to use its "ServerAliveInterval"
> or "TCPKeepAlive" options.
>

Thanks for the tip.

> I'll look at adding keepalives to Dropbear for a future
> release though - a few people have requested it.
>

Thanks :)

> Matt
>

Rui

--
Cumprimentos
*Rui Santos*
Dep. Testes
*GrupoPIE Portugal, S.A.*
Tel: +351 252 290 600
Fax: +351 252 290 601
Email: rsantos at grupopie.com
Web: www.grupopie.com
/WinREST /EVERYWHERE

From saarge at gmail.com Fri Aug 3 23:48:49 2007
From: saarge at gmail.com (Serge Blais)
Date: Fri, 03 Aug 2007 11:48:49 -0400
Subject: Adding LDFLAGS options break configure check for openpty.
Message-ID: <46B34E61.4050005@gmail.com>

I was able to cross build and run the original 0.49 package just fine. I want to add my own authentication scheme that I put in a library. So here is an extract from the build script:

LDFLAGS="-L$MY_LIB_DIR -lmyown" ./configure \
    --target=powerpc-linux \
    --host=powerpc-linux \
    --build=i386-pc-linux-gnu \
    --prefix="/usr" \
    --disable-shadow \
    --disable-lastlog \
    --disable-utmp \
    --disable-utmpx \
    --disable-wtmp \
    --disable-wtmpx \
    --disable-pututline \
    --disable-pututxline \
    --disable-nls \
    --disable-zlib

The only thing new from the original build was the LDFLAGS line...

From conf.log, here is the failing test that worked fine before adding the LDFLAGS:

configure:4448: powerpc-linux-gcc -o conftest -D_REENTRANT -Os -fomit-frame-pointer -pipe -mcpu=860 conftest.c -lutil -lcrypt -L/home/sblais/dev/trunk/lib -lmyown >&5
/tmp/ccbdxThZ.o: In function `main':
conftest.c:(.text+0xc): undefined reference to `openpty'
collect2: ld returned 1 exit status
configure:4454: $? = 1
configure: failed program was:
| /* confdefs.h. */
|
| #define PACKAGE_NAME ""
| #define PACKAGE_TARNAME ""
| #define PACKAGE_VERSION ""
| #define PACKAGE_STRING ""
| #define PACKAGE_BUGREPORT ""
| #define _FILE_OFFSET_BITS 64
| #define STDC_HEADERS 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_STDLIB_H 1
| #define HAVE_STRING_H 1
| #define HAVE_MEMORY_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_INTTYPES_H 1
| #define HAVE_STDINT_H 1
| #define HAVE_UNISTD_H 1
| #define DISABLE_ZLIB
| #define DISABLE_PAM
| /* end confdefs.h. */
|
| /* Override any gcc2 internal prototype to avoid an error. */
| #ifdef __cplusplus
| extern "C"
| #endif
| /* We use char because int might match the return type of a gcc2
|    builtin and then its argument prototype would still apply. */
| char openpty ();
| int
| main ()
| {
| openpty ();
|   ;
|   return 0;
| }
configure:4482: result: no

Note from this output that I tried changing the configure script to force LDFLAGS to be included at the end of the compile line instead of somewhere in the middle. So it would seem that using -L confuses the cross compiler somehow.

Any ideas?

From vapier at gentoo.org Fri Aug 3 23:58:56 2007
From: vapier at gentoo.org (Mike Frysinger)
Date: Fri, 3 Aug 2007 11:58:56 -0400
Subject: Adding LDFLAGS options break configure check for openpty.
In-Reply-To: <46B34E61.4050005@gmail.com>
References: <46B34E61.4050005@gmail.com>
Message-ID: <200708031158.57154.vapier@gentoo.org>

On Friday 03 August 2007, Serge Blais wrote:
> Any ideas?

you'd have to post the config.log in full in order to get any sort of reasonable research
-mike

From vapier at gentoo.org Sat Aug 4 12:40:24 2007
From: vapier at gentoo.org (Mike Frysinger)
Date: Sat, 4 Aug 2007 00:40:24 -0400
Subject: Adding LDFLAGS options break configure check for openpty.
In-Reply-To: <46B34E61.4050005@gmail.com>
References: <46B34E61.4050005@gmail.com>
Message-ID: <200708040040.24818.vapier@gentoo.org>

On Friday 03 August 2007, Serge Blais wrote:
> configure:4448: powerpc-linux-gcc -o conftest -D_REENTRANT -Os
> -fomit-frame-pointer -pipe -mcpu=860 conftest.c -lutil
> -lcrypt -L/home/sblais/dev/trunk/lib -lmyown >&5
> /tmp/ccbdxThZ.o: In function `main':
> conftest.c:(.text+0xc): undefined reference to `openpty'
> collect2: ld returned 1 exit status
> configure:4454: $? = 1

run the same test and see why it fails:

echo 'int main(){return openpty();}' > test.c
powerpc-linux-gcc test.c -lutil
powerpc-linux-gcc test.c -lutil -L/home/sblais/dev/trunk/lib -lmyown -Wl,--verbose

-mike

From saarge at gmail.com Tue Aug 7 03:39:10 2007
From: saarge at gmail.com (Serge Blais)
Date: Mon, 6 Aug 2007 15:39:10 -0400
Subject: Adding LDFLAGS options break configure check for openpty.
In-Reply-To: <200708040040.24818.vapier@gentoo.org>
References: <46B34E61.4050005@gmail.com> <200708040040.24818.vapier@gentoo.org>
Message-ID:

Thanks Mike!

As you might have suspected, the problem was a library name clash. The extended search list using -L picked up a local copy of libutil.a that we created a few weeks ago and was not aware of :-( I renamed it to something else and all is fine. I am making sure to tell others on the project to respect our naming convention!

On 8/4/07, Mike Frysinger wrote:
>
> On Friday 03 August 2007, Serge Blais wrote:
> > configure:4448: powerpc-linux-gcc -o conftest -D_REENTRANT -Os
> > -fomit-frame-pointer -pipe -mcpu=860 conftest.c -lutil
> > -lcrypt -L/home/sblais/dev/trunk/lib -lmyown >&5
> > /tmp/ccbdxThZ.o: In function `main':
> > conftest.c:(.text+0xc): undefined reference to `openpty'
> > collect2: ld returned 1 exit status
> > configure:4454: $? = 1
>
> run the same test and see why it fails:
> echo 'int main(){return openpty();}' > test.c
> powerpc-linux-gcc test.c -lutil
> powerpc-linux-gcc test.c -lutil -L/home/sblais/dev/trunk/lib -lmyown -Wl,--verbose
> -mike
>

From peppe.cavallaro at gmail.com Wed Aug 8 14:25:00 2007
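The resolution above is a link-time search-path clash, and it explains why moving LDFLAGS to the end of the command line did not help: GNU ld applies every -L directory to every -l option regardless of their order, searches the -L directories before the toolchain's default ones, and in each directory prefers lib<name>.so over lib<name>.a. A stray libutil.a in a project directory therefore wins over the C library's libutil, and openpty() disappears. The code below is an added example, not from the thread or from any build tool, that reproduces this resolution order offline over constructed directories and flags every library a -L directory shadows from a default directory; the directory layout in `demo()` is constructed to mirror the thread (a fake sysroot and a project lib directory holding both libmyown.a and a stray libutil.a), and `parse_link_flags`/`resolve`/`shadowed` are names invented here.

```python
"""Detect -L directories shadowing default-directory libraries, using ld's
search order (added example; the layout in demo() is constructed)."""
import os
import shlex
import tempfile
from typing import Dict, List, Optional, Sequence, Tuple


def parse_link_flags(cmdline: str) -> Tuple[List[str], List[str]]:
    """Pull -L directories and -l names out of a link command line, in order.
    Both '-Lpath' and '-L path' forms are accepted; other tokens are ignored."""
    dirs: List[str] = []
    libs: List[str] = []
    toks = shlex.split(cmdline)
    i = 0
    while i < len(toks):
        tok = toks[i]
        for flag, dest in (("-L", dirs), ("-l", libs)):
            if tok.startswith(flag):
                if len(tok) > 2:
                    dest.append(tok[2:])
                elif i + 1 < len(toks):
                    i += 1
                    dest.append(toks[i])
                break
        i += 1
    return dirs, libs


def resolve(lib: str, search_dirs: Sequence[str], default_dirs: Sequence[str]) -> Optional[str]:
    """First match in ld order: -L dirs before default dirs, .so before .a per dir."""
    for directory in list(search_dirs) + list(default_dirs):
        for candidate in (f"lib{lib}.so", f"lib{lib}.a"):
            path = os.path.join(directory, candidate)
            if os.path.exists(path):
                return path
    return None


def shadowed(libs: Sequence[str], search_dirs: Sequence[str],
             default_dirs: Sequence[str]) -> Dict[str, Tuple[str, str]]:
    """Map lib -> (file actually chosen, file a default dir would have given)
    for every library that a -L directory takes away from the default dirs."""
    report: Dict[str, Tuple[str, str]] = {}
    for lib in libs:
        chosen = resolve(lib, search_dirs, default_dirs)
        system = resolve(lib, [], default_dirs)
        if chosen and system and chosen != system:
            report[lib] = (chosen, system)
    return report


def demo() -> Dict[str, Tuple[str, str]]:
    """Constructed layout mirroring the thread; returns basenames only."""
    with tempfile.TemporaryDirectory() as tmp:
        sysroot = os.path.join(tmp, "sysroot", "lib")   # toolchain default dir
        proj = os.path.join(tmp, "trunk", "lib")        # the -L directory
        os.makedirs(sysroot)
        os.makedirs(proj)
        for name in ("libutil.so", "libcrypt.so"):
            open(os.path.join(sysroot, name), "w").close()
        for name in ("libmyown.a", "libutil.a"):        # the stray copy
            open(os.path.join(proj, name), "w").close()
        # Same flag order as the failing conftest link: -L after the -l's.
        _, libs = parse_link_flags(f"conftest.c -lutil -lcrypt -L{proj} -lmyown")
        clash = shadowed(libs, [proj], [sysroot])
        return {lib: (os.path.basename(c), os.path.basename(s)) for lib, (c, s) in clash.items()}


if __name__ == "__main__":
    for lib, (chosen, system) in demo().items():
        print(f"-l{lib}: linking {chosen} instead of {system}")
```

For a real build, feed `parse_link_flags` the `configure:NNNN:` command line from config.log and pass the toolchain's default library directories (printed by `<cross>-gcc -print-search-dirs`) as `default_dirs`; any entry in the report is a candidate for the rename the thread ended with.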
From: peppe.cavallaro at gmail.com (Giuseppe Cavallaro)
Date: Wed, 8 Aug 2007 08:25:00 +0200
Subject: dropbear authentication
Message-ID: <1b6030080708072325x485f718cw3726aadc7969e8d2@mail.gmail.com>

Hi All,
how can I login as root user with an empty password?
Do I need to hack the code or do I have to configure dropbear in a "special" way?

Welcome advice,

Regards,
Giuseppe

From tefyxcegmkow at spammotel.com Wed Aug 8 14:53:40 2007
From: tefyxcegmkow at spammotel.com (wimpunk)
Date: Wed, 08 Aug 2007 08:53:40 +0200
Subject: dropbear authentication
In-Reply-To: <1b6030080708072325x485f718cw3726aadc7969e8d2@mail.gmail.com>
References: <1b6030080708072325x485f718cw3726aadc7969e8d2@mail.gmail.com>
Message-ID:

Giuseppe Cavallaro wrote:
> Hi All,
> how can I login as root user with an empty password?
> Do I need to hack the code or do I have to configure dropbear in a "special" way?
>
> Welcome advice,
>
> Regards,
> Giuseppe

As far as I know, you can if you use keys to get in. If there's another solution, I'm pretty interested.

From matt at ucc.asn.au Wed Aug 8 15:29:11 2007
From: matt at ucc.asn.au (Matt Johnston)
Date: Wed, 8 Aug 2007 15:29:11 +0800
Subject: dropbear authentication
In-Reply-To: <1b6030080708072325x485f718cw3726aadc7969e8d2@mail.gmail.com>
References: <1b6030080708072325x485f718cw3726aadc7969e8d2@mail.gmail.com>
Message-ID: <20070808072911.GI8198@ucc.gu.uwa.edu.au>

On Wed, Aug 08, 2007 at 08:25:00AM +0200, Giuseppe Cavallaro wrote:
> Hi All,
> how can I login as root user with an empty password?
> Do I need to hack the code or do I have to configure dropbear in a "special" way?

It already should work.

As a test, I set up the root user on an Ubuntu 7.04 system to have an entry in /etc/shadow of
root:R7gIX4dJJcCFw:13612:0:99999:7:::
and it worked fine. "R7gIX4dJJcCFw" is just the crypt of an empty password - the Linux password utility wouldn't let me set it manually.

You still have to press enter in your client to log in - Dropbear 0.50's dbclient will provide the ability to set DROPBEAR_PASSWORD="" and avoid that.

I assume you're running this on a closed network or something -- otherwise it'd be a tad insecure.

Matt

From peppe.cavallaro at gmail.com Wed Aug 8 15:53:12 2007
From: peppe.cavallaro at gmail.com (Giuseppe Cavallaro)
Date: Wed, 8 Aug 2007 09:53:12 +0200
Subject: dropbear authentication
In-Reply-To: <20070808072911.GI8198@ucc.gu.uwa.edu.au>
References: <1b6030080708072325x485f718cw3726aadc7969e8d2@mail.gmail.com> <20070808072911.GI8198@ucc.gu.uwa.edu.au>
Message-ID: <1b6030080708080053k3f3de94dyf7482ffe6bb5bc5d@mail.gmail.com>

Hi

On 08/08/2007, Matt Johnston wrote:
>
> On Wed, Aug 08, 2007 at 08:25:00AM +0200, Giuseppe Cavallaro wrote:
> > Hi All,
> > how can I login as root user with an empty password?
> > Do I need to hack the code or do I have to configure dropbear in a "special"
> > way?
>
> It already should work.
>
> As a test, I set up the root user on an Ubuntu 7.04 system
> to have an entry in /etc/shadow of
> root:R7gIX4dJJcCFw:13612:0:99999:7:::
> and it worked fine. "R7gIX4dJJcCFw" is just the crypt of an
> empty password - the Linux password utility wouldn't let me
> set it manually.

Thanks, it works like a charm!

> You still have to press enter in your client to log in -
> Dropbear 0.50's dbclient will provide the ability to set
> DROPBEAR_PASSWORD="" and avoid that.
>
> I assume you're running this on a closed network or
> something -- otherwise it'd be a tad insecure.

I'm using dropbear 0.49 on an embedded system based on uClibc with a private network (p2p).

----

Just another question:

Is it possible to totally skip the authentication phase with dropbear?
I mean, using telnet or ssh (but configuring the latter) I'm able to login without entering password and login.
In this case my root entry in passwd is root::0:0 ...

Thanks a lot
Ciao
Giuseppe

> Matt
>

From peppe.cavallaro at gmail.com Wed Aug 8 16:07:37 2007
From: peppe.cavallaro at gmail.com (Giuseppe Cavallaro)
Date: Wed, 8 Aug 2007 10:07:37 +0200
Subject: dropbear authentication
In-Reply-To: <1b6030080708080053k3f3de94dyf7482ffe6bb5bc5d@mail.gmail.com>
References: <1b6030080708072325x485f718cw3726aadc7969e8d2@mail.gmail.com> <20070808072911.GI8198@ucc.gu.uwa.edu.au> <1b6030080708080053k3f3de94dyf7482ffe6bb5bc5d@mail.gmail.com>
Message-ID: <1b6030080708080107q310b5f6aj57028c8aafd5cee9@mail.gmail.com>

Sorry, maybe I was not clear enough in my previous post. So below an example:

[root at host]# telnet -l root 164.130.129.174    <<< target IP Addr
Trying 164.130.129.174...
Connected to SH_target (164.130.129.174).
Escape character is '^]'.
Last login: Sun Jul 22 10:05:47 from 10.52.139.42
Linux cavagiu 2.6.17.14_sh4_uclibc #1 Tue Jul 31 21:54:50 CEST 2007 sh4 unknown unknown GNU/Linux
root at target:~#

> ----
> Just another question:
>
> Is it possible to totally skip the authentication phase with dropbear?
> I mean, using telnet or ssh (but configuring the latter) I'm able to login
> without entering password and login.
> In this case my root entry in passwd is root::0:0 ...
>
> Thanks a lot
> Ciao
> Giuseppe
>

From matt at ucc.asn.au Wed Aug 8 16:12:50 2007
From: matt at ucc.asn.au (Matt Johnston) Date: Wed, 8 Aug 2007 16:12:50 +0800 Subject: dropbear authentication In-Reply-To: <1b6030080708080053k3f3de94dyf7482ffe6bb5bc5d@mail.gmail.com> References: <1b6030080708072325x485f718cw3726aadc7969e8d2@mail.gmail.com> <20070808072911.GI8198@ucc.gu.uwa.edu.au> <1b6030080708080053k3f3de94dyf7482ffe6bb5bc5d@mail.gmail.com> Message-ID: <20070808081250.GJ8198@ucc.gu.uwa.edu.au> On Wed, Aug 08, 2007 at 09:53:12AM +0200, Giuseppe Cavallaro wrote: > Just another question: > > Is it possible to totally skip authentication phase with dropbear? > I mean, using telnet or ssh (but configuring the latter) I'm able to login > without entering password and login. > In this case my root entry in passwd is root::0:0 ... There's a hardcoded check in checkusername() that won't allow an empty password crypt since that's a common misconfiguration. If the user has an OK entry in /etc/passwd though, you can make Dropbear skip auth fairly easily, see the patch below. Matt --- svr-auth.c dbd28ab1fff172ca3f2e4cb756ec53b74b48b6b3 +++ svr-auth.c 70235853e723eb3b7557be219aace2406ed45bb1 @@ -124,15 +124,6 @@ void recv_msg_userauth_request() { dropbear_exit("unknown service in auth"); } - /* user wants to know what methods are supported */ - if (methodlen == AUTH_METHOD_NONE_LEN && - strncmp(methodname, AUTH_METHOD_NONE, - AUTH_METHOD_NONE_LEN) == 0) { - TRACE(("recv_msg_userauth_request: 'none' request")) - send_msg_userauth_failure(0, 0); - goto out; - } - /* check username is good before continuing */ if (checkusername(username, userlen) == DROPBEAR_FAILURE) { /* username is invalid/no shell/etc - send failure */ 
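Review bot: deleting the 'none' handler changes what a method-discovery request gets back; a client that sends 'none' to learn the supported methods used to receive send_msg_userauth_failure(0, 0) and now continues down the same path as a real attempt, so the checkusername() call in the trailing context is the only gate left before the success reply added in the next hunk. Since the thread says this is for a closed network, guard the deleted block with a compile-time #ifdef (a switch in options.h, as suggested later in the thread) instead of removing it, so a build without the switch keeps the original behaviour and the unauthenticated variant cannot be produced by accident.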
@@ -141,45 +132,8 @@ void recv_msg_userauth_request() { goto out; } -#ifdef ENABLE_SVR_PASSWORD_AUTH - if (!svr_opts.noauthpass && - !(svr_opts.norootpass && ses.authstate.pw->pw_uid == 0) ) { - /* user wants to try password auth */ - if (methodlen == AUTH_METHOD_PASSWORD_LEN && - strncmp(methodname, AUTH_METHOD_PASSWORD, - AUTH_METHOD_PASSWORD_LEN) == 0) { - svr_auth_password(); - goto out; - } - } -#endif + send_msg_userauth_success(); -#ifdef ENABLE_SVR_PAM_AUTH - if (!svr_opts.noauthpass && - !(svr_opts.norootpass && ses.authstate.pw->pw_uid == 0) ) { - /* user wants to try password auth */ - if (methodlen == AUTH_METHOD_PASSWORD_LEN && - strncmp(methodname, AUTH_METHOD_PASSWORD, - AUTH_METHOD_PASSWORD_LEN) == 0) { - svr_auth_pam(); - goto out; - } - } -#endif - -#ifdef ENABLE_SVR_PUBKEY_AUTH - /* user wants to try pubkey auth */ - if (methodlen == AUTH_METHOD_PUBKEY_LEN && - strncmp(methodname, AUTH_METHOD_PUBKEY, - AUTH_METHOD_PUBKEY_LEN) == 0) { - svr_auth_pubkey(); - goto out; - } -#endif - - /* nothing matched, we just fail */ - send_msg_userauth_failure(0, 1); - out: m_free(username); From peppe.cavallaro at gmail.com Wed Aug 8 17:17:22 2007 
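Review bot: send_msg_userauth_success() is now reached for any method name once checkusername() passes, and the deleted branches were the only readers of svr_opts.noauthpass and svr_opts.norootpass, so the command-line options behind those fields silently stop applying in this build; methodname/methodlen are also left unused by the function. Before the success call, log the unauthenticated login with dropbear_log(LOG_WARNING, ...) naming ses.authstate.printableuser (the same way the checkusername() blank-password message does) so such logins are visible in auth.log, and note in the patch description that password, PAM and pubkey authentication are all bypassed, not only the empty-password check the thread asked about.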
From: peppe.cavallaro at gmail.com (Giuseppe Cavallaro)
Date: Wed, 8 Aug 2007 11:17:22 +0200
Subject: dropbear authentication
In-Reply-To: <20070808081250.GJ8198@ucc.gu.uwa.edu.au>
References: <1b6030080708072325x485f718cw3726aadc7969e8d2@mail.gmail.com> <20070808072911.GI8198@ucc.gu.uwa.edu.au> <1b6030080708080053k3f3de94dyf7482ffe6bb5bc5d@mail.gmail.com> <20070808081250.GJ8198@ucc.gu.uwa.edu.au>
Message-ID: <1b6030080708080217n2de7400dv700b1cc8ed4e7d42@mail.gmail.com>

Hi Matt,
It works fine if I set root:R7gIX4dJJcCFw:... in passwd file.
So I'd like to have the same scenario but using root::... in passwd.
Is it possible?

Thanks a lot for your excellent support,
Giuseppe

>
> There's a hardcoded check in checkusername() that won't
> allow an empty password crypt since that's a common
> misconfiguration. If the user has an OK entry in /etc/passwd
> though, you can make Dropbear skip auth fairly easily, see
> the patch below.
>
> Matt

From peppe.cavallaro at gmail.com Wed Aug 8 17:32:37 2007
From: peppe.cavallaro at gmail.com (Giuseppe Cavallaro)
Date: Wed, 8 Aug 2007 11:32:37 +0200
Subject: dropbear authentication
In-Reply-To: <1b6030080708080217n2de7400dv700b1cc8ed4e7d42@mail.gmail.com>
References: <1b6030080708072325x485f718cw3726aadc7969e8d2@mail.gmail.com> <20070808072911.GI8198@ucc.gu.uwa.edu.au> <1b6030080708080053k3f3de94dyf7482ffe6bb5bc5d@mail.gmail.com> <20070808081250.GJ8198@ucc.gu.uwa.edu.au> <1b6030080708080217n2de7400dv700b1cc8ed4e7d42@mail.gmail.com>
Message-ID: <1b6030080708080232i14544c71ya19570444049aeaa@mail.gmail.com>

I can do that if in the checkusername I comment the following check.
I'm not sure if it's a better way; I wonder if it's worth using an extra option (i.e. permit_empty_passwd) like ssh does.

	/* check for an empty password */
#if 0
	if (ses.authstate.pw->pw_passwd[0] == '\0') {
		TRACE(("leave checkusername: empty pword"))
		dropbear_log(LOG_WARNING,
				"user '%s' has blank password, rejected",
				ses.authstate.printableuser);
		send_msg_userauth_failure(0, 1);
		return DROPBEAR_FAILURE;
	}
#endif

	TRACE(("shell is %s", ses.authstate.pw->pw_shell))

On 08/08/2007, Giuseppe Cavallaro wrote:
>
> Hi Matt,
> It works fine if I set root:R7gIX4dJJcCFw:... in passwd file.
> So I'd like to have the same scenario but using root::... in passwd.
> Is it possible?
>
> Thanks a lot for your excellent support,
> Giuseppe
>
> >
> > There's a hardcoded check in checkusername() that won't
> > allow an empty password crypt since that's a common
> > misconfiguration. If the user has an OK entry in /etc/passwd
> > though, you can make Dropbear skip auth fairly easily, see
> > the patch below.
> >
> > Matt
>

From matt at ucc.asn.au Wed Aug 8 17:37:17 2007
From: matt at ucc.asn.au (Matt Johnston)
Date: Wed, 8 Aug 2007 17:37:17 +0800
Subject: dropbear authentication
In-Reply-To: <1b6030080708080232i14544c71ya19570444049aeaa@mail.gmail.com>
References: <1b6030080708072325x485f718cw3726aadc7969e8d2@mail.gmail.com> <20070808072911.GI8198@ucc.gu.uwa.edu.au> <1b6030080708080053k3f3de94dyf7482ffe6bb5bc5d@mail.gmail.com> <20070808081250.GJ8198@ucc.gu.uwa.edu.au> <1b6030080708080217n2de7400dv700b1cc8ed4e7d42@mail.gmail.com> <1b6030080708080232i14544c71ya19570444049aeaa@mail.gmail.com>
Message-ID: <20070808093717.GQ8198@ucc.gu.uwa.edu.au>

On Wed, Aug 08, 2007 at 11:32:37AM +0200, Giuseppe Cavallaro wrote:
> I can do that if in the checkusername I comment the following check.
> I'm not sure if it's a better way; I wonder if it's worth using an extra
> option (i.e. permit_empty_passwd)
> like ssh does.

Yep, that should work fine.

I don't think it's really worth making it a runtime option, though maybe I'll make it a compile-time option settable in options.h

Or people can find it here in the mailing list archives :)

Cheers,
Matt

From peppe.cavallaro at gmail.com Wed Aug 8 17:49:31 2007
From: peppe.cavallaro at gmail.com (Giuseppe Cavallaro)
Date: Wed, 8 Aug 2007 11:49:31 +0200
Subject: dropbear authentication
In-Reply-To: <20070808093717.GQ8198@ucc.gu.uwa.edu.au>
References: <1b6030080708072325x485f718cw3726aadc7969e8d2@mail.gmail.com> <20070808072911.GI8198@ucc.gu.uwa.edu.au> <1b6030080708080053k3f3de94dyf7482ffe6bb5bc5d@mail.gmail.com> <20070808081250.GJ8198@ucc.gu.uwa.edu.au> <1b6030080708080217n2de7400dv700b1cc8ed4e7d42@mail.gmail.com> <1b6030080708080232i14544c71ya19570444049aeaa@mail.gmail.com> <20070808093717.GQ8198@ucc.gu.uwa.edu.au>
Message-ID: <1b6030080708080249u4fbac7b0k3a1b3b2ab74e875a@mail.gmail.com>

Sounds good!!

Also in attachment the patch file I'm applying on dropbear-0.49.

Thanks
Giuseppe

On 08/08/2007, Matt Johnston wrote:
>
> On Wed, Aug 08, 2007 at 11:32:37AM +0200, Giuseppe Cavallaro wrote:
> > I can do that if in the checkusername I comment the following check.
> > I'm not sure if it's a better way; I wonder if it's worth using an extra
> > option (i.e. permit_empty_passwd)
> > like ssh does.
>
> Yep, that should work fine.
>
> I don't think it's really worth making it a runtime option,
> though maybe I'll make it a compile-time option settable in
> options.h
>
> Or people can find it here in the mailing list archives :)
>
> Cheers,
> Matt
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dropbear_noauth.patch
Type: application/octet-stream
Size: 1870 bytes
Desc: not available
Url : http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20070808/c3f1482c/attachment.obj

From matt at ucc.asn.au Thu Aug 9 00:08:58 2007
From: matt at ucc.asn.au (Matt Johnston)
Date: Thu, 9 Aug 2007 00:08:58 +0800
Subject: Dropbear 0.50 release
Message-ID: <20070808160858.GR8198@ucc.gu.uwa.edu.au>

Hi. Dropbear 0.50 is released. It has a few small features and a few bugfixes. The most significant improvement is probably the network performance.

Cheers,
Matt

0.50 - Wed 8 August 2007

- Add DROPBEAR_PASSWORD environment variable to specify a dbclient password
- Use /dev/urandom by default, since that's what everyone does anyway
- Correct vfork() use for uClinux in scp (thanks to Alex Landau)
- Exit with an exit code of 1 if dropbear can't bind to any ports (thanks to Nicolai Ehemann)
- Improve network performance and add a -W argument for adjusting the tradeoff between network performance and memory consumption.
- Fix a problem where reply packets could be sent during key exchange, in violation of the SSH spec. This could manifest itself with connections being terminated after 8 hours with new TCP-forward connections being established.
- Add -K argument, ensuring that data is transmitted over the connection at least every N seconds.
- dropbearkey will no longer generate DSS keys of sizes other than 1024 bits, as required by the DSS specification. (Other sizes are still accepted for use to provide backwards compatibility).

From CTuffli at dspg.com Tue Aug 21 01:03:48 2007
From: CTuffli at dspg.com (Chuck Tuffli)
Date: Mon, 20 Aug 2007 10:03:48 -0700
Subject: long delay when connecting
Message-ID:

Hi -

I'm running into a little bit of a usability problem with dropbear 0.50. The OpenSSH client can connect to the dropbear server running on an embedded ARM platform (Linux 2.6.17, uLibC, busybox v1.2.0), but it takes between 50 seconds and a minute to connect. It doesn't look like a CPU problem as the dropbear process sits at 0% CPU utilization for the majority of this time. Running dropbear in the foreground displays the following

# dropbear -E -F -s
[365] Aug 20 09:45:13 Failed reading '/etc/dropbear/dropbear_dss_host_key', disabling DSS
[365] Aug 20 09:45:13 Not backgrounding
[366] Aug 20 09:45:28 Child connection from 10.2.3.2:51284
[366] Aug 20 09:46:12 pubkey auth succeeded for 'root' with key md5 from 10.2.3.2:51284

The client side displays the following

> ssh -v root at 10.2.3.232
OpenSSH_4.2p1 FreeBSD-20050903, OpenSSL 0.9.7e-p1 25 Oct 2004
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 10.2.3.232 [10.2.3.232] port 22.
debug1: Connection established.
debug1: identity file /home/ctuffli/.ssh/identity type -1
debug1: identity file /home/ctuffli/.ssh/id_rsa type 1
debug1: identity file /home/ctuffli/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version dropbear_0.50
debug1: no match: dropbear_0.50
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.2p1 FreeBSD-20050903
debug1: SSH2_MSG_KEXINIT sent
...
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.

Has anyone seen this problem before? Ideas? Thanks!

---chuck

From jose.otero.nj at gmail.com Tue Aug 21 01:22:38 2007
From: jose.otero.nj at gmail.com (Jose Otero)
Date: Mon, 20 Aug 2007 13:22:38 -0400
Subject: long delay when connecting
Message-ID: <46c9cd8d.392b360a.1b67.ffffc99c@mx.google.com>

I'm not using that particular version, but did notice a similar problem. In my case it was the call to getaddrhostname(). It couldn't find the host name and timed out in 50 secs to 1 min. Hope this helps.

Jose

-----Original Message-----
From: "Chuck Tuffli"
To: dropbear at ucc.asn.au
Sent: 8/20/07 1:03 PM
Subject: long delay when connecting

From CTuffli at dspg.com Tue Aug 21 07:16:14 2007
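Jose's diagnosis above (the server looking up a host name for the connecting client and waiting out the resolver timeout) is the textbook cause of a fixed 50 s to one minute stall with the process idle at 0% CPU. The C program below is an added illustration written for this thread, not Dropbear's code: it contrasts the two ways a server can label a peer, numeric formatting (no resolver involved, returns at once) and a reverse lookup (blocks until DNS answers or gives up). The client address 10.2.3.2:51284 is the one in Chuck's server log, built here as a constructed sockaddr with no socket; peer_numeric(), peer_name(), make_peer() and label_of() are names I chose.

```c
/* Added illustration for the "long delay when connecting" thread.
 * Not Dropbear's code; function names are my own. POSIX/glibc. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>

enum { HOST_LEN = 1025, SERV_LEN = 32 };   /* same sizes as NI_MAXHOST/NI_MAXSERV */

/* Address bytes -> "host:port". NI_NUMERICHOST | NI_NUMERICSERV means
 * neither DNS nor /etc/hosts is consulted, so this returns immediately
 * even on a box with no working resolver. This is the safe form for a
 * "Child connection from ..." log line. */
const char *peer_numeric(const struct sockaddr *sa, socklen_t salen)
{
    static char label[HOST_LEN + SERV_LEN + 2];
    char host[HOST_LEN], serv[SERV_LEN];
    if (getnameinfo(sa, salen, host, sizeof host, serv, sizeof serv,
                    NI_NUMERICHOST | NI_NUMERICSERV) != 0)
        return "";
    snprintf(label, sizeof label, "%s:%s", host, serv);
    return label;
}

/* Reverse lookup. This is the step that produces the stall: with no
 * reachable DNS server it blocks until the resolver times out.
 * NI_NAMEREQD turns "no PTR record" into an error instead of silently
 * handing back the numeric form, so the caller can tell the cases apart. */
const char *peer_name(const struct sockaddr *sa, socklen_t salen)
{
    static char host[HOST_LEN];
    if (getnameinfo(sa, salen, host, sizeof host, NULL, 0, NI_NAMEREQD) != 0)
        return NULL;
    return host;
}

/* Build an IPv4 sockaddr from dotted text (constructed test input). */
int make_peer(const char *ip, unsigned short port, struct sockaddr_in *out)
{
    memset(out, 0, sizeof *out);
    out->sin_family = AF_INET;
    out->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &out->sin_addr) == 1 ? 0 : -1;
}

/* Numeric label for any dotted IPv4 address; "" if the text is not one. */
const char *label_of(const char *ip, unsigned short port)
{
    struct sockaddr_in peer;
    if (make_peer(ip, port, &peer) != 0)
        return "";
    return peer_numeric((const struct sockaddr *)&peer, sizeof peer);
}

int main(void)
{
    struct sockaddr_in peer;
    const char *name;
    time_t t0;

    make_peer("10.2.3.2", 51284, &peer);           /* address from Chuck's log */
    printf("numeric: %s\n", label_of("10.2.3.2", 51284));

    /* Time the reverse lookup: tens of seconds here is the symptom itself. */
    t0 = time(NULL);
    name = peer_name((const struct sockaddr *)&peer, sizeof peer);
    printf("reverse: %s (%ld s)\n",
           name ? name : "no PTR record / lookup failed",
           (long)(time(NULL) - t0));
    return 0;
}
```

Run it on the embedded box itself: if the first line appears at once and the second only after the resolver timeout, the delay is the lookup, and either an /etc/hosts entry for the client (Chuck's fix) or logging the numeric form removes it.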
From: CTuffli at dspg.com (Chuck Tuffli)
Date: Mon, 20 Aug 2007 16:16:14 -0700
Subject: long delay when connecting
In-Reply-To: <46c9cd8d.392b360a.1b67.ffffc99c@mx.google.com>
References: <46c9cd8d.392b360a.1b67.ffffc99c@mx.google.com>
Message-ID:

> -----Original Message-----
> From: Jose Otero [mailto:jose.otero.nj at gmail.com]
> Sent: Monday, August 20, 2007 10:23 AM
> To: Chuck Tuffli; dropbear at ucc.asn.au
> Subject: RE: long delay when connecting
>
> I'm not using that particular version, but did notice a
> similar problem. In my case it was the call to
> getaddrhostname(). It couldn't find the host name and timed
> out in 50 secs to 1 min. Hope this helps.

That was it exactly. Adding a couple of entries to /etc/hosts fixed this problem. Thanks!

---chuck

From ktirf at altlinux.org Thu Aug 23 03:44:05 2007
From: ktirf at altlinux.org (Alexey Rusakov)
Date: Wed, 22 Aug 2007 23:44:05 +0400
Subject: Compiling with GCC 2.95
Message-ID: <20070822234405.70ae0b11@mission>

Hi everybody,

I know it's a bit outdated :) compiler, but this happens in the world of embedded software. I tried to compile Dropbear for a SigmaDesigns SoC chip, and almost succeeded, except for one place. The patch for this place is attached.

-- 
Alexey "Ktirf" Rusakov
GNOME Project, ALT Linux Team
RusHD, Moscow, Russia

-------------- next part --------------
A non-text attachment was scrubbed...
Name: dropbear-0.50-fix-gcc2.95.patch
Type: text/x-patch
Size: 675 bytes
Desc: not available
Url : http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20070822/76a54389/attachment.bin

From c.kurrat at googlemail.com Sun Aug 26 18:46:50 2007
From: c.kurrat at googlemail.com (Christoph Kurrat)
Date: Sun, 26 Aug 2007 12:46:50 +0200
Subject: .ssh/environment equivalent in dropbear
Message-ID: <70a5a67b0708260346y4b0b474l49dd54592688ea4c@mail.gmail.com>

Hi,

I'm using dropbear-0.50 on an AVM Router.
Since I've got rw-access only on /var/tmp, the dropbearmulti is located there.
Everything works fine, except scp on Linux.
After logging in I get the error:

sh: scp: not found

I've found out that scp uses ssh in non-login mode, and for this reason, $PATH is not set correctly and therefore scp is not found.

Google told me that with openssh I would have to put the PATH variable into .ssh/environment and to set PermitUserEnvironment=yes to set $PATH.

Is there a possibility to set the PATH variable with dropbear?

Thanks,
Christoph

From matt at ucc.asn.au Sun Aug 26 19:30:48 2007
From: matt at ucc.asn.au (Matt Johnston)
Date: Sun, 26 Aug 2007 19:30:48 +0800
Subject: .ssh/environment equivalent in dropbear
In-Reply-To: <70a5a67b0708260346y4b0b474l49dd54592688ea4c@mail.gmail.com>
References: <70a5a67b0708260346y4b0b474l49dd54592688ea4c@mail.gmail.com>
Message-ID: <20070826113048.GA31303@ucc.gu.uwa.edu.au>

On Sun, Aug 26, 2007 at 12:46:50PM +0200, Christoph Kurrat wrote:
> Hi,
>
> I'm using dropbear-0.50 on an AVM Router.
> Since I've got rw-access only on /var/tmp, the dropbearmulti is located there.
> Everything works fine, except scp on Linux.
> After logging in I get the error:
>
> sh: scp: not found
>
> I've found out that scp uses ssh in non-login mode, and for this
> reason, $PATH is not set correctly and therefore scp is not found.
>
> Google told me, that with openssh I would have to put the PATH
> variable into .ssh/environment and to set PermitUserEnvironment=yes to
> set $PATH.
>
> Is there a possibility to set the PATH variable with dropbear?

Not in Dropbear itself. You might be able to edit a dotfile for your shell to set environment variables? (I know .zshenv works for zsh, though not sure about BusyBox shells)

Matt

From cristian.ionescu-idbohrn at axis.com Sun Aug 26 20:22:26 2007
From: cristian.ionescu-idbohrn at axis.com (Cristian Ionescu-Idbohrn)
Date: Sun, 26 Aug 2007 14:22:26 +0200 (CEST)
Subject: .ssh/environment equivalent in dropbear
In-Reply-To: <20070826113048.GA31303@ucc.gu.uwa.edu.au>
References: <70a5a67b0708260346y4b0b474l49dd54592688ea4c@mail.gmail.com> <20070826113048.GA31303@ucc.gu.uwa.edu.au>
Message-ID: <0708261419580.9465@somehost>

On Sun, 26 Aug 2007, Matt Johnston wrote:
> Not in Dropbear itself. You might be able to edit a dotfile
> for your shell to set environment variables? (I know .zshenv
> works for zsh, though not sure about BusyBox shells)

/etc/profile?

Cheers,

-- 
Cristian

From c.kurrat at googlemail.com Sun Aug 26 21:29:26 2007
From: c.kurrat at googlemail.com (Christoph Kurrat)
Date: Sun, 26 Aug 2007 15:29:26 +0200
Subject: .ssh/environment equivalent in dropbear
In-Reply-To: <0708261419580.9465@somehost>
References: <70a5a67b0708260346y4b0b474l49dd54592688ea4c@mail.gmail.com> <20070826113048.GA31303@ucc.gu.uwa.edu.au> <0708261419580.9465@somehost>
Message-ID: <70a5a67b0708260629y344dc623l155a821be4af5771@mail.gmail.com>

2007/8/26, Cristian Ionescu-Idbohrn :
>
> On Sun, 26 Aug 2007, Matt Johnston wrote:
>
> > Not in Dropbear itself. You might be able to edit a dotfile
> > for your shell to set environment variables? (I know .zshenv
> > works for zsh, though not sure about BusyBox shells)
>
> /etc/profile?
>
> Cheers,
>
> --
> Cristian

Thanks for the answers.

I already use the /etc/profile to set the PATH, but I think /etc/profile is only used on login, isn't it?

The busybox uses ash, but an .ash* file does not exist.
If I create the .ashrc and export ENV=/var/tmp/.ashrc it works, but to export ENV, I again need the /etc/profile.
This works, but only with ssh, not with scp, due to the missing login.

I found this sentence at http://www.busybox.net/lists/busybox/2005-February/013688.html

"Environment variables set in a shell script will not have any effect to any parent process."

I think this is my problem, because the $PATH in an ssh session seems to be a different one than the $PATH I get executing echo $PATH without logging in.

ssh root at fritz.box 'echo $PATH' : /usr/local/bin:/usr/bin:/sbin:/bin
echo $PATH inside the session : /sbin:/bin:/usr/sbin:/usr/bin:/var/tmp

In the link it is said that changing the boot-arguments would help, but this is not practicable since I only change scripts after the machine has booted.

I thought it would be easily possible to change a line in the code to add the correct path to scp on the router.
If so, could you tell me the file where I have to search?

Christoph

From matt at ucc.asn.au Sun Aug 26 21:34:59 2007
From: matt at ucc.asn.au (Matt Johnston)
Date: Sun, 26 Aug 2007 21:34:59 +0800
Subject: .ssh/environment equivalent in dropbear
In-Reply-To: <70a5a67b0708260629y344dc623l155a821be4af5771@mail.gmail.com>
References: <70a5a67b0708260346y4b0b474l49dd54592688ea4c@mail.gmail.com> <20070826113048.GA31303@ucc.gu.uwa.edu.au> <0708261419580.9465@somehost> <70a5a67b0708260629y344dc623l155a821be4af5771@mail.gmail.com>
Message-ID: <20070826133459.GB31303@ucc.gu.uwa.edu.au>

On Sun, Aug 26, 2007 at 03:29:26PM +0200, Christoph Kurrat wrote:
> I already use the /etc/profile to set the PATH, but I think, /etc/profile is
> only used on login, isn't it?
>
> The busybox uses ash, but an .ash* file does not exist.
> If I create the .ashrc and export ENV=/var/tmp/.ashrc it works, but to
> export ENV, I again need the /etc/profile.
> This works, but only with ssh, not with scp, due to the missing login.

> I thought it would be easily possible to change a line in the code to add
> the correct path to scp on the router.
> If so, could you tell me the file where I have to search?

Ah right. If you add an extra line like

    addnewvar("PATH", "/bin:/usr/bin:/var/tmp");

to svr-chansession.c below the "/* set env vars */" then it should work.

Cheers,
Matt

From c.kurrat at googlemail.com Sun Aug 26 22:11:18 2007
From: c.kurrat at googlemail.com (Christoph Kurrat)
Date: Sun, 26 Aug 2007 16:11:18 +0200
Subject: .ssh/environment equivalent in dropbear
In-Reply-To: <20070826133459.GB31303@ucc.gu.uwa.edu.au>
References: <70a5a67b0708260346y4b0b474l49dd54592688ea4c@mail.gmail.com> <20070826113048.GA31303@ucc.gu.uwa.edu.au> <0708261419580.9465@somehost> <70a5a67b0708260629y344dc623l155a821be4af5771@mail.gmail.com> <20070826133459.GB31303@ucc.gu.uwa.edu.au>
Message-ID: <70a5a67b0708260711t24b0fdc0v1fe8f8c8ea9c0a14@mail.gmail.com>

Now it works. I added PATH and LD_LIBRARY_PATH.

Thanks a lot, Matt

Christoph

From mikaelo at gmail.com Mon Aug 27 03:01:10 2007
From: mikaelo at gmail.com (Mikael Ostensson)
Date: Sun, 26 Aug 2007 15:01:10 -0400
Subject: .ssh/environment equivalent in dropbear
In-Reply-To: <70a5a67b0708260711t24b0fdc0v1fe8f8c8ea9c0a14@mail.gmail.com>
References: <70a5a67b0708260346y4b0b474l49dd54592688ea4c@mail.gmail.com> <20070826113048.GA31303@ucc.gu.uwa.edu.au> <0708261419580.9465@somehost> <70a5a67b0708260629y344dc623l155a821be4af5771@mail.gmail.com> <20070826133459.GB31303@ucc.gu.uwa.edu.au> <70a5a67b0708260711t24b0fdc0v1fe8f8c8ea9c0a14@mail.gmail.com>
Message-ID:

I had to symlink scp to the dbscp for scp to work.

From rob at landley.net Mon Aug 27 14:21:35 2007
From: rob at landley.net (Rob Landley)
Date: Mon, 27 Aug 2007 01:21:35 -0500
Subject: .ssh/environment equivalent in dropbear
In-Reply-To: <70a5a67b0708260629y344dc623l155a821be4af5771@mail.gmail.com>
References: <70a5a67b0708260346y4b0b474l49dd54592688ea4c@mail.gmail.com> <0708261419580.9465@somehost> <70a5a67b0708260629y344dc623l155a821be4af5771@mail.gmail.com>
Message-ID: <200708270121.35984.rob@landley.net>

On Sunday 26 August 2007 8:29:26 am Christoph Kurrat wrote:
> The busybox uses ash, but an .ash* file does not exist.
> If I create the .ashrc and export ENV=/var/tmp/.ashrc it works, but to
> export ENV, I again need the /etc/profile.

Um... What? I _think_ you just said "If I put it in ~/.ashrc it works". In which case: happy to hear it. In which case where does the need for /etc/profile come in?

> This works, but only with ssh, not with scp, due to the missing login.
>
> I found this sentence at
> http://www.busybox.net/lists/busybox/2005-February/013688.html
>
> "Environment variables set in a shell script will not have any effect to
> any parent process."

Except it's child processes you're worrying about here, not parent processes.

That limitation has nothing to do with shells, it has to do with the way unix processes work. When you exec a process you pass in a new environment to it along with the command line arguments. A parent can pass its existing environment variables to a child (it's not _obligated_ to, but generally does), but the parent can't modify the child's environment _after_ exec, and the child can't modify the parent's environment either. They're separate processes, they can't reach in and fiddle with each other's internals.

So if the shell sources a chunk of shell script before running a child process, it can pass exported variables on to that child process.

> I think this is my problem, because the $PATH in an ssh session seems to be
> a different one than the $PATH I get executing echo $PATH without logging
> in.

If $PATH is blank I believe ash sets it to _PATH_STDPATH out of /usr/include/paths.h which is "/usr/bin:/bin:/usr/sbin:/sbin".

Rob

-- 
"One of my most productive days was throwing away 1000 lines of code."
- Ken Thompson.

From c.kurrat at googlemail.com Mon Aug 27 19:16:10 2007
From: c.kurrat at googlemail.com (Christoph Kurrat)
Date: Mon, 27 Aug 2007 13:16:10 +0200
Subject: .ssh/environment equivalent in dropbear
In-Reply-To: <200708270121.35984.rob@landley.net>
References: <70a5a67b0708260346y4b0b474l49dd54592688ea4c@mail.gmail.com> <0708261419580.9465@somehost> <70a5a67b0708260629y344dc623l155a821be4af5771@mail.gmail.com> <200708270121.35984.rob@landley.net>
Message-ID: <70a5a67b0708270416m269276eck79098052220dc904@mail.gmail.com>

2007/8/27, Rob Landley :
> On Sunday 26 August 2007 8:29:26 am Christoph Kurrat wrote:
>
> > The busybox uses ash, but an .ash* file does not exist.
> > If I create the .ashrc and export ENV=/var/tmp/.ashrc it works, but to
> > export ENV, I again need the /etc/profile.
>
> Um... What? I _think_ you just said "If I put it in ~/.ashrc it works". In
> which case: happy to hear it. In which case where does the need
> for /etc/profile come in?
>

If I put it into ~/.ashrc and export ENV=/var/tmp/.ashrc it works, if this export is inside /etc/profile.
I need /etc/profile, because an export inside the dropbear-start-script does not influence the environment in an SSH session.

> > This works, but only with ssh, not with scp, due to the missing login.
> >
> > I found this sentence at
> > http://www.busybox.net/lists/busybox/2005-February/013688.html
> >
> > "Environment variables set in a shell script will not have any effect to
> > any parent process."
>
> Except it's child processes you're worrying about here, not parent processes.
>

I thought the SSH sessions would fork from a parent process of the dropbear-start-script.

> That limitation has nothing to do with shells, it has to do with the way unix
> processes work. When you exec a process you pass in a new environment to it
> along with the command line arguments. A parent can pass its existing
> environment variables to a child (it's not _obligated_ to, but generally
> does), but the parent can't modify the child's environment _after_ exec, and
> the child can't modify the parent's environment either. They're separate
> processes, they can't reach in and fiddle with each other's internals.
>
> So if the shell sources a chunk of shell script before running a child
> process, it can pass exported variables on to that child process.
>

Thanks for that explanation, these details were new to me.

> > I think this is my problem, because the $PATH in an ssh session seems to be
> > a different one than the $PATH I get executing echo $PATH without logging
> > in.
>
> If $PATH is blank I believe ash sets it to _PATH_STDPATH out
> of /usr/include/paths.h which is "/usr/bin:/bin:/usr/sbin:/sbin".
>

OK, so before login, the PATH was blank.
Is that a regular behavior?

Anyway, with the PATH set inside of dropbear, it works.

Christoph

From rob at landley.net Tue Aug 28 12:12:53 2007
From: rob at landley.net (Rob Landley)
Date: Mon, 27 Aug 2007 23:12:53 -0500
Subject: .ssh/environment equivalent in dropbear
In-Reply-To: <70a5a67b0708270416m269276eck79098052220dc904@mail.gmail.com>
References: <70a5a67b0708260346y4b0b474l49dd54592688ea4c@mail.gmail.com> <200708270121.35984.rob@landley.net> <70a5a67b0708270416m269276eck79098052220dc904@mail.gmail.com>
Message-ID: <200708272312.53717.rob@landley.net>

On Monday 27 August 2007 6:16:10 am Christoph Kurrat wrote:
> 2007/8/27, Rob Landley :
> > On Sunday 26 August 2007 8:29:26 am Christoph Kurrat wrote:
> > > The busybox uses ash, but an .ash* file does not exist.
> > > If I create the .ashrc and export ENV=/var/tmp/.ashrc it works, but to
> > > export ENV, I again need the /etc/profile.
> >
> > Um... What? I _think_ you just said "If I put it in ~/.ashrc it works".
> > In which case: happy to hear it. In which case where does the need for
> > /etc/profile come in?
>
> If I put it into ~/.ashrc and export ENV=/var/tmp/.ashrc it works, if
> this export is inside /etc/profile.
> I need /etc/profile, because an export inside the
> dropbear-start-script does not influence the environment in an SSH
> session.

Ok, so your shell is reading /etc/profile, not .ashrc. You can make it read .ashrc: from /etc/profile. Check.

> > Except it's child processes you're worrying about here, not parent
> > processes.
>
> I thought, the SSH sessions would fork from a parent process of the
> dropbear-start-script.

SSH sessions fork from the dropbear daemon and exec a shell with a command line. That shell is the "parent" here, it runs your command as a child of that shell (unless you feed it "exec" as the command to run). One shell instance is spawned per connection, last I checked.

ssh (including dropbear as far as I know) washes all sessions through whatever you have listed as your shell in /etc/passwd. I once made a gatekeeper program that allowed a very restricted set of functionality (only looking in one directory for executables, and not allowing "/" to be in the name of the executable).

> > If $PATH is blank I believe ash sets it to _PATH_STDPATH out
> > of /usr/include/paths.h which is "/usr/bin:/bin:/usr/sbin:/sbin".
>
> OK, so before login, the PATH was blank.
> Is that a regular behavior?

I'm guessing dropbear is passing an empty environment to its child processes, for security reasons.

> Anyway, with the PATH set inside of dropbear, it works.
>
> Christoph

Cool.

Rob

-- 
"One of my most productive days was throwing away 1000 lines of code."
- Ken Thompson.

From roberto.foglietta at gmail.com Tue Aug 28 17:48:55 2007
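Rob's two replies above (the environment is handed over at exec time and cannot be touched afterwards from either side; dropbear hands the session shell a nearly empty environment) and Matt's addnewvar() suggestion earlier in the thread describe one mechanism from two ends. The C program below is an added illustration of that mechanism, not code from Dropbear or from svr-chansession.c: it builds an explicit environment vector the way a session server does, execs /bin/sh with it, and reports what the session actually sees, including that a variable exported by the server process itself never reaches the child unless it is placed in that vector. env_add(), run_sh(), session_path() and session_sees() are names I chose; the _PATH_STDPATH fallback is whatever the local paths.h defines.

```c
/* Added illustration for this thread. Not Dropbear's code: the real
 * addnewvar() lives in svr-chansession.c, this mimics the idea with names
 * of my own (env_add, run_sh, session_path, session_sees). POSIX. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
#include <paths.h>

#ifndef _PATH_STDPATH                    /* the glibc value Rob quotes */
#define _PATH_STDPATH "/usr/bin:/bin:/usr/sbin:/sbin"
#endif

#define MAX_VARS 16

/* Explicit NAME=VALUE list, NULL-terminated as execve() requires.
 * Nothing from this process's own environ is copied in. */
struct envlist {
    char *vars[MAX_VARS + 1];
    int n;
};

static int env_add(struct envlist *e, const char *name, const char *value)
{
    size_t len = strlen(name) + 1 + strlen(value) + 1;
    char *s;
    if (e->n >= MAX_VARS || strchr(name, '=') != NULL)
        return -1;                       /* list full, or malformed name */
    if ((s = malloc(len)) == NULL)
        return -1;
    snprintf(s, len, "%s=%s", name, value);
    e->vars[e->n++] = s;
    e->vars[e->n] = NULL;
    return 0;
}

static void env_free(struct envlist *e)
{
    while (e->n > 0)
        free(e->vars[--e->n]);
    e->vars[0] = NULL;
}

/* fork(), then execve("/bin/sh", ["sh","-c",cmd], envp) in the child and
 * collect its stdout into out. The child sees envp and nothing else; the
 * parent's environ, before or after the exec, is irrelevant to it. */
static int run_sh(const char *cmd, char *const envp[], char *out, size_t outlen)
{
    int fds[2], status;
    size_t used = 0;
    ssize_t r;
    pid_t pid;

    out[0] = '\0';
    if (pipe(fds) != 0 || (pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        char *argv[] = { "sh", "-c", (char *)cmd, NULL };
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execve("/bin/sh", argv, envp);
        _exit(127);                      /* only reached if execve() fails */
    }
    close(fds[1]);
    while (used + 1 < outlen &&
           (r = read(fds[0], out + used, outlen - used - 1)) > 0)
        used += (size_t)r;
    out[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* $PATH as seen by a session started with only that one variable set.
 * With path == NULL the child gets an empty environment, so the shell's
 * compiled-in default (ash: _PATH_STDPATH, per Rob) shows up instead. */
const char *session_path(const char *path)
{
    static char out[256];
    struct envlist env = { { NULL }, 0 };
    if (path != NULL && env_add(&env, "PATH", path) != 0)
        return "";
    run_sh("printf '%s' \"$PATH\"", env.vars, out, sizeof out);
    env_free(&env);
    return out;
}

/* A variable exported by the server process (think: the start script)
 * does not reach the session unless it is put into envp explicitly. */
const char *session_sees(const char *name)
{
    static char out[256];
    char cmd[128];
    struct envlist env = { { NULL }, 0 };
    setenv(name, "set-in-server", 1);    /* lands in this process's environ only */
    snprintf(cmd, sizeof cmd, "printf '%%s' \"${%s-unset}\"", name);
    run_sh(cmd, env.vars, out, sizeof out);
    env_free(&env);
    return out;
}

int main(void)
{
    printf("explicit PATH:   %s\n", session_path("/bin:/usr/bin:/var/tmp"));
    printf("no PATH passed:  %s\n", session_path(NULL));
    printf("server-only var: %s\n", session_sees("DROPBEAR_DEMO"));
    return 0;
}
```

The second line of output depends on which shell /bin/sh is (each has its own compiled-in default), which is exactly why Christoph saw one $PATH when logged in and another from `ssh host 'echo $PATH'`; the first and third lines are the same under any POSIX sh.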
From: roberto.foglietta at gmail.com (Roberto A. Foglietta)
Date: Tue, 28 Aug 2007 11:48:55 +0200
Subject: strange scp behavior
Message-ID:

Hi to all folks,

scp works but dbclient used as scp doesn't, I tried to figure out why...
...but what I found makes me feel a fool. It seems to me dbclient tries to resolve the first parameter even when the host is the second one. However it fails in both where OpenSSH scp works pretty well. Thanks

foglietr at eemd2364170:~/Desktop/dropbear-0.50$ strace ./dbclient pippo foglietr at gexs22:/tmp 2>&1 | grep pippo
execve("./dbclient", ["./dbclient", "pippo", "foglietr at gexs22:/tmp"], [/* 37 vars */]) = 0
send(3, "R4\1\0\0\1\0\0\0\0\0\0\5pippo\2it\2eu\10ericsso"..., 41, MSG_NOSIGNAL) = 41
recvfrom(3, "R4\201\203\0\1\0\0\0\1\0\0\5pippo\2it\2eu\10ericsso"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("141.137.127.1")}, [16]) = 109

foglietr at eemd2364170:~/Desktop/dropbear-0.49/_install/bin$ strace ./dbclient dbclient foglietr at gexs22:/tmp 2>&1 | grep dbclient
execve("./dbclient", ["./dbclient", "dbclient", "foglietr at gexs22:/tmp"], [/* 37 vars */]) = 0
send(3, "#t\1\0\0\1\0\0\0\0\0\0\10dbclient\2it\2eu\10eric"..., 44, MSG_NOSIGNAL) = 44
recvfrom(3, "#t\201\203\0\1\0\0\0\1\0\0\10dbclient\2it\2eu\10eric"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("141.137.127.1")}, [16]) = 112
write(2, "./dbclient: exited: Error resolv"..., 63./dbclient: exited: Error resolving: Name or service not known

foglietr at eemd2364170:~/Desktop/dropbear-0.48.1/_install/bin$ strace ./dbclient dbclient foglietr at gexs22:/tmp 2>&1 | grep dbclient
execve("./dbclient", ["./dbclient", "dbclient", "foglietr at gexs22:/tmp"], [/* 37 vars */]) = 0
send(3, "&k\1\0\0\1\0\0\0\0\0\0\10dbclient\2it\2eu\10eric"..., 44, MSG_NOSIGNAL) = 44
recvfrom(3, "&k\201\203\0\1\0\0\0\1\0\0\10dbclient\2it\2eu\10eric"..., 1024, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("141.137.127.1")}, [16]) = 112
write(2, "./dbclient: exited: Error resolv"..., 63./dbclient: exited: Error resolving: Name or service not known

Cheers,
-- 
/roberto

From matt at ucc.asn.au Thu Aug 30 19:01:09 2007
From: matt at ucc.asn.au (Matt Johnston)
Date: Thu, 30 Aug 2007 19:01:09 +0800
Subject: strange scp behavior
In-Reply-To:
References:
Message-ID: <20070830110109.GV31303@ucc.gu.uwa.edu.au>

On Tue, Aug 28, 2007 at 11:48:55AM +0200, Roberto A. Foglietta wrote:
> Hi to all folks,
>
> scp works but dbclient used as scp doesn't, I tried to figure out why...
> ...but what I found makes me feel a fool. It seems to me dbclient tries to
> resolve the first parameter even when the host is the second one.
> However it fails in both where OpenSSH scp works pretty well. Thanks
>
> foglietr at eemd2364170:~/Desktop/dropbear-0.49/_install/bin$ strace
> ./dbclient dbclient foglietr at gexs22:/tmp 2>&1 | grep dbclient

Running that doesn't make any sense. The second argument of "dbclient" is always a hostname - dbclient is a ssh program, not a scp program.

If you want to scp a file, run 'scp', not 'dbclient'. Note that scp will itself run a ssh client (such as dbclient or OpenSSH's 'ssh'). You can use its '-S' argument to specify which ssh client.

If you've compiled dbclient and scp as a single binary with dropbearmulti, you can "ln -s dropbearmulti scp" and run that.

Cheers,
Matt

From roberto.foglietta at gmail.com Thu Aug 30 23:34:03 2007
From: roberto.foglietta at gmail.com (Roberto A. Foglietta)
Date: Thu, 30 Aug 2007 17:34:03 +0200
Subject: strange scp behavior
In-Reply-To: <20070830110109.GV31303@ucc.gu.uwa.edu.au>
References: <20070830110109.GV31303@ucc.gu.uwa.edu.au>
Message-ID:

2007/8/30, Matt Johnston :
> On Tue, Aug 28, 2007 at 11:48:55AM +0200, Roberto A. Foglietta wrote:
> > Hi to all folks,
> >
> > scp works but dbclient used as scp doesn't, I tried to figure out why...
> > ...but what I found makes me feel a fool. It seems to me dbclient tries to
> > resolve the first parameter even when the host is the second one.
> > However it fails in both where OpenSSH scp works pretty well. Thanks
> >
> > foglietr at eemd2364170:~/Desktop/dropbear-0.49/_install/bin$ strace
> > ./dbclient dbclient foglietr at gexs22:/tmp 2>&1 | grep dbclient
>
> Running that doesn't make any sense. The second argument of
> "dbclient" is always a hostname - dbclient is a ssh program,
> not a scp program.
>
> If you want to scp a file, run 'scp', not 'dbclient'. Note
> that scp will itself run a ssh client (such as dbclient or
> OpenSSH's 'ssh'). You can use its '-S' argument to specify
> which ssh client.
>
> If you've compiled dbclient and scp as a single binary with
> dropbearmulti, you can "ln -s dropbearmulti scp" and run
> that.

Thanks very much for your answer.
This Makefile.in should work better when installing MULTI=1.

Cheers,
-- 
/roberto

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Makefile.in
Type: application/octet-stream
Size: 6193 bytes
Desc: not available
Url : http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20070830/e287c069/attachment.obj

From roberto.foglietta at gmail.com Fri Aug 31 01:06:03 2007
From: roberto.foglietta at gmail.com (Roberto A. Foglietta)
Date: Thu, 30 Aug 2007 19:06:03 +0200
Subject: strange scp behavior
In-Reply-To:
References: <20070830110109.GV31303@ucc.gu.uwa.edu.au>
Message-ID:

2007/8/30, Roberto A. Foglietta :
> 2007/8/30, Matt Johnston :
> > On Tue, Aug 28, 2007 at 11:48:55AM +0200, Roberto A. Foglietta wrote:
[cut]
>
> Thanks very much for your answer.
> This Makefile.in should work better when installing MULTI=1.
>

This solves some buggy paths, sorry for the 2nd mail.

Cheers,
-- 
/roberto

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Makefile.in
Type: application/octet-stream
Size: 6368 bytes
Desc: not available
Url : http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20070830/dc322fd9/attachment.obj

From Sainfeld at broadcom.com Fri Sep 7 06:51:04 2007
From: Sainfeld at broadcom.com (Jean Pierre Sainfeld)
Date: Thu, 6 Sep 2007 15:51:04 -0700
Subject: Aiee, segfault! You should probably report this as a bug to the developer
Message-ID: <64E64D67EE8E5F43AF4CBD435E879D040D6BFB80@NT-SJCA-0752.brcm.ad.broadcom.com>

Hi,

I would be thankful if somebody could help me with this issue.

The conditions of the test are as follows:

1) the test is done on the host or the target (X86, ARM9) respectively. It is done only on one side, i.e. to the localhost.
2) code is dropbear 0.50 configured ./configure -prefix=/opt CFLAGS=-DDEBUG_TRACE
3) the standard host keys for rsa and dss are created using dropbearkey as specified.
4) the commands entered at the shell prompt are
   a) #./dropbear -v -E -p 500
   b) #./dbclient -v -p 500 root at localhost lsmod

I get a segfault message (see below); the same set of commands on an X86 box (centos 4.0) does work fine.

Could you give me some pointers on how to fix this?

Regards
Jean-Pierre Sainfeld

===========================================================
# ./dropbear -v -E -p 500
TRACE: enter loadhostkeys
TRACE: enter buf_get_priv_key
TRACE: enter rsa_key_free
TRACE: leave rsa_key_free: key == NULL
TRACE: enter buf_get_rsa_priv_key
TRACE: enter buf_get_rsa_pub_key
TRACE: leave buf_get_rsa_pub_key: success
TRACE: leave buf_get_rsa_priv_key
TRACE: leave buf_get_priv_key
TRACE: enter buf_get_priv_key
TRACE: enter dsa_key_free
TRACE: enter dsa_key_free: key == NULL
TRACE: enter buf_get_dss_pub_key
TRACE: leave buf_get_dss_pub_key: success
TRACE: leave buf_get_priv_key
TRACE: leave loadhostkeys
TRACE: listensockets: 1 to try
TRACE: listening on ':500'
TRACE: enter dropbear_listen
TRACE: dropbear_listen: all interfaces
TRACE: socket() failed
TRACE: leave dropbear_listen: success, 1 socks bound
# ./dbl     cd ../bin
# ls
ash egrep login rmdir busybox false ls sed cat fgrep mkdir sfts chmod grep mknod sh cp ip more sleep date ipaddr mount su dbclient ipcalc mv sync dd iplink netstat touch df iproute ping
true dropbearconvert iptunnel ps umount dropbearkey kill pwd uname echo ln rm vi # ./dbclient -v -p 500 root at localhost lsmod TRACE: non-flag arg: 'root at localhost' TRACE: non-flag arg: 'lsmod' TRACE: user='root' host='localhost' port='500' TRACE: enter connect_remote TRACE: leave connect_remote: sock 3 TRACE: enter session_init TRACE: setnonblocking: 4 TRACE: leave setnonblocking TRACE: setnonblocking: 5 TRACE: leave setnonblocking TRACE: kexinitialise() TRACE: leave session_init TRACE: enter ident_readln TRACE: leave ident_readln: return 22 TRACE: remoteident: SSH-2.0-dropbear_0.50 TRACE: enter encrypt_packet() TRACE: encrypt_packet type is 20 TRACE: enter writemac TRACE: leave writemac TRACE: enter enqueue TRACE: leave enqueue TRACE: leave encrypt_packet() TRACE: DATAALLOWED=0 TRACE: -> KEXINIT TRACE: enter write_packet TRACE: empty queue dequeing TRACE: leave write_packet TRACE: enter read_packet TRACE: enter decrypt_packet TRACE: leave decrypt_packet TRACE: leave read_packet TRACE: enter process_packet TRACE: process_packet: packet type = 20 TRACE: <- KEXINIT TRACE: enter recv_msg_kexinit TRACE: cli_buf_match_algo: diffie-hellman-group1-sha1 TRACE: kex algo diffie-hellman-group1-sha1 TRACE: cli_buf_match_algo: ssh-rsa,ssh-dss TRACE: hostkey algo ssh-rsa TRACE: cli_buf_match_algo: aes128-cbc,3des-cbc,aes256-cbc,twofish256-cbc,twofish-cbc,twofish128-cbc ,blowfish-cbc TRACE: enc c2s is aes128-cbc TRACE: cli_buf_match_algo: aes128-cbc,3des-cbc,aes256-cbc,twofish256-cbc,twofish-cbc,twofish128-cbc ,blowfish-cbc TRACE: enc s2c is aes128-cbc TRACE: cli_buf_match_algo: hmac-sha1-96,hmac-sha1,hmac-md5 TRACE: hash c2s is hmac-sha1-96 TRACE: cli_buf_match_algo: hmac-sha1-96,hmac-sha1,hmac-md5 TRACE: hash s2c is hmac-sha1-96 TRACE: cli_buf_match_algo: none TRACE: hash c2s is none TRACE: cli_buf_match_algo: none TRACE: hash s2c is none TRACE: leave recv_msg_kexinit TRACE: leave process_packet TRACE: maybe_empty_reply_queue - no data allowed TRACE: enter cli_sessionloop 
TRACE: enter send_msg_kexdh_reply TRACE: enter buf_putmpint TRACE: leave buf_putmpint TRACE: enter encrypt_packet() TRACE: encrypt_packet type is 30 TRACE: enter writemac TRACE: leave writemac TRACE: enter enqueue TRACE: leave enqueue TRACE: leave encrypt_packet() TRACE: leave cli_sessionloop: done with KEXINIT_RCVD TRACE: enter write_packet TRACE: empty queue dequeing TRACE: leave write_packet TRACE: maybe_empty_reply_queue - no data allowed TRACE: enter cli_sessionloop TRACE: leave cli_sessionloop: kex_state != KEX_NOTHING TRACE: enter read_packet TRACE: enter decrypt_packet TRACE: leave decrypt_packet TRACE: leave read_packet TRACE: enter process_packet TRACE: process_packet: packet type = 31 TRACE: enter recv_msg_kexdh_reply TRACE: type is 1 TRACE: enter buf_getline TRACE: leave buf_getline: failure TRACE: failed reading line: prob EOF Host 'localhost' is not in the trusted hosts file. (fingerprint md5 e6:21:4c:27:07:6a:bf:a7:54:41:ff:cb:7b:bf:0c:7f) Do you want to continue connecting? (y/n) y TRACE: keybloblen 89, len 4482 TRACE: enter buf_get_pub_key TRACE: enter rsa_key_free TRACE: leave rsa_key_free: key == NULL TRACE: enter buf_get_rsa_pub_key TRACE: leave buf_get_rsa_pub_key: success TRACE: leave buf_get_pub_key TRACE: enter buf_put_pub_key TRACE: enter buf_put_rsa_pub_key TRACE: enter buf_putmpint TRACE: leave buf_putmpint TRACE: enter buf_putmpint TRACE: leave buf_putmpint TRACE: leave buf_put_rsa_pub_key TRACE: leave buf_put_pub_key TRACE: enter buf_putmpint TRACE: leave buf_putmpint TRACE: enter buf_putmpint TRACE: leave buf_putmpint TRACE: enter buf_putmpint TRACE: leave buf_putmpint TRACE: enter buf_verify TRACE: enter buf_rsa_verify TRACE: success! 
TRACE: leave buf_rsa_verify: ret 0 TRACE: enter sign_key_free TRACE: enter dsa_key_free TRACE: enter dsa_key_free: key == NULL TRACE: enter rsa_key_free TRACE: leave rsa_key_free TRACE: leave sign_key_free TRACE: enter send_msg_newkeys TRACE: enter encrypt_packet() TRACE: encrypt_packet type is 21 TRACE: enter writemac TRACE: leave writemac TRACE: enter enqueue TRACE: leave enqueue TRACE: leave encrypt_packet() TRACE: SENTNEWKEYS=1 TRACE: -> MSG_NEWKEYS TRACE: leave send_msg_newkeys TRACE: leave recv_msg_kexdh_init TRACE: leave process_packet TRACE: maybe_empty_reply_queue - no data allowed TRACE: enter cli_sessionloop TRACE: leave cli_sessionloop: kex_state != KEX_NOTHING TRACE: enter write_packet TRACE: empty queue dequeing TRACE: leave write_packet TRACE: enter read_packet TRACE: enter decrypt_packet TRACE: leave decrypt_packet TRACE: leave read_packet TRACE: enter process_packet TRACE: process_packet: packet type = 21 TRACE: <- MSG_NEWKEYS TRACE: enter recv_msg_newkeys TRACE: while SENTNEWKEYS=1 TRACE: enter gen_new_keys TRACE: enter buf_putmpint TRACE: leave buf_putmpint TRACE: leave gen_new_keys TRACE: kexinitialise() TRACE: -> DATAALLOWED=1 TRACE: leave recv_msg_newkeys TRACE: leave process_packet TRACE: enter cli_sessionloop TRACE: enter send_msg_service_request: servicename='ssh-userauth' TRACE: enter encrypt_packet() TRACE: encrypt_packet type is 5 TRACE: enter writemac TRACE: leave writemac TRACE: enter enqueue TRACE: leave enqueue TRACE: leave encrypt_packet() TRACE: leave send_msg_service_request TRACE: leave cli_sessionloop: sent userauth service req TRACE: enter write_packet TRACE: empty queue dequeing TRACE: leave write_packet TRACE: enter cli_sessionloop TRACE: leave cli_sessionloop: fell out TRACE: enter read_packet TRACE: enter decrypt_packet TRACE: leave decrypt_packet TRACE: leave read_packet TRACE: enter process_packet TRACE: process_packet: packet type = 6 TRACE: enter recv_msg_service_accept TRACE: leave recv_msg_service_accept: done 
ssh-userauth TRACE: leave process_packet TRACE: enter cli_sessionloop TRACE: enter cli_auth_getmethods TRACE: enter encrypt_packet() TRACE: encrypt_packet type is 50 TRACE: enter writemac TRACE: leave writemac TRACE: enter enqueue TRACE: leave enqueue TRACE: leave encrypt_packet() TRACE: leave cli_auth_getmethods TRACE: leave cli_sessionloop: sent userauth methods req TRACE: enter write_packet TRACE: empty queue dequeing TRACE: leave write_packet TRACE: enter cli_sessionloop TRACE: leave cli_sessionloop: fell out TRACE: enter read_packet TRACE: enter decrypt_packet TRACE: leave decrypt_packet TRACE: leave read_packet TRACE: enter process_packet TRACE: process_packet: packet type = 51 TRACE: <- MSG_USERAUTH_FAILURE TRACE: enter recv_msg_userauth_failure TRACE: Methods (len 18): 'publickey,password' TRACE: auth method 'publickey' TRACE: auth method 'password' TRACE: leave recv_msg_userauth_failure TRACE: leave process_packet TRACE: enter cli_sessionloop TRACE: enter cli_auth_try TRACE: enter cli_auth_pubkey TRACE: leave cli_auth_pubkey-failure TRACE: enter cli_auth_password root at localhost's password: TRACE: enter encrypt_packet() TRACE: encrypt_packet type is 50 TRACE: enter writemac TRACE: leave writemac TRACE: enter enqueue TRACE: leave enqueue TRACE: leave encrypt_packet() TRACE: leave cli_auth_password TRACE: cli_auth_try lastauthtype 4 TRACE: leave cli_auth_try TRACE: leave cli_sessionloop: cli_auth_try TRACE: enter write_packet TRACE: empty queue dequeing TRACE: leave write_packet TRACE: enter cli_sessionloop TRACE: leave cli_sessionloop: fell out TRACE: enter read_packet TRACE: enter decrypt_packet TRACE: leave decrypt_packet TRACE: leave read_packet TRACE: enter process_packet TRACE: process_packet: packet type = 52 TRACE: received msg_userauth_success TRACE: leave process_packet TRACE: enter cli_sessionloop TRACE: enter setup_localtcp TRACE: cli_opts.localfwds == NULL TRACE: leave setup_localtcp TRACE: enter setup_remotetcp TRACE: cli_opts.remotefwds == 
NULL TRACE: leave setup_remotetcp TRACE: enter cli_send_chansess_request TRACE: enter send_msg_channel_open_init() TRACE: enter newchannel TRACE: leave newchannel TRACE: setnonblocking: 0 TRACE: leave setnonblocking TRACE: leave send_msg_channel_open_init() TRACE: enter encrypt_packet() TRACE: encrypt_packet type is 90 TRACE: enter writemac TRACE: leave writemac TRACE: enter enqueue TRACE: leave enqueue TRACE: leave encrypt_packet() TRACE: leave cli_send_chansess_request TRACE: leave cli_sessionloop: running TRACE: enter write_packet TRACE: empty queue dequeing TRACE: leave write_packet TRACE: check_close: writefd 0, readfd 0, errfd -1, sent_close 0, recv_close 0 TRACE: writebuf size 0 extrabuf size 0 TRACE: enter cli_sessionloop TRACE: enter read_packet TRACE: enter decrypt_packet TRACE: leave decrypt_packet TRACE: leave read_packet TRACE: enter process_packet TRACE: process_packet: packet type = 91 TRACE: enter recv_msg_channel_open_confirmation TRACE: new chan remote 0 local 0 TRACE: setnonblocking: 1 TRACE: leave setnonblocking TRACE: setnonblocking: 0 TRACE: leave setnonblocking TRACE: setnonblocking: 2 TRACE: leave setnonblocking TRACE: enter send_chansess_shell_req TRACE: enter encrypt_packet() TRACE: encrypt_packet type is 98 TRACE: enter writemac TRACE: leave writemac TRACE: enter enqueue TRACE: leave enqueue TRACE: leave encrypt_packet() TRACE: leave send_chansess_shell_req TRACE: leave recv_msg_channel_open_confirmation TRACE: leave process_packet TRACE: check_close: writefd 1, readfd 0, errfd 2, sent_close 0, recv_close 0 TRACE: writebuf size 0 extrabuf size 0 TRACE: enter cli_sessionloop TRACE: enter write_packet TRACE: empty queue dequeing TRACE: leave write_packet TRACE: check_close: writefd 1, readfd 0, errfd 2, sent_close 0, recv_close 0 TRACE: writebuf size 0 extrabuf size 0 TRACE: enter cli_sessionloop TRACE: enter read_packet TRACE: enter decrypt_packet TRACE: leave decrypt_packet TRACE: leave read_packet TRACE: enter process_packet TRACE: 
process_packet: packet type = 95 TRACE: enter recv_msg_channel_extended_data TRACE: enter recv_msg_channel_data TRACE: length 232 TRACE: leave recv_msg_channel_data TRACE: leave recv_msg_channel_extended_data TRACE: leave process_packet TRACE: check_close: writefd 1, readfd 0, errfd 2, sent_close 0, recv_close 0 TRACE: writebuf size 0 extrabuf size 232 TRACE: enter cli_sessionloop TRACE: enter writechannel fd 2 TRACE: enter sign_key_free TRACE: enter dsa_key_free TRACE: leave dsa_key_free TRACE: enter rsa_key_free TRACE: leave rsa_key_free TRACE: leave sign_key_free Aiee, segfault! You should probably report this as a bug to the developer TRACE: writechannel wrote 232 TRACE: leave writechannel TRACE: check_close: writefd 1, readfd 0, errfd 2, sent_close 0, recv_close 0 TRACE: writebuf size 0 extrabuf size 0 TRACE: enter cli_sessionloop TRACE: enter read_packet TRACE: enter decrypt_packet TRACE: leave decrypt_packet TRACE: leave read_packet TRACE: enter process_packet TRACE: process_packet: packet type = 96 TRACE: enter recv_msg_channel_eof TRACE: check_close: writefd 1, readfd 0, errfd 2, sent_close 0, recv_close 0 TRACE: writebuf size 0 extrabuf size 0 TRACE: CLOSE some fd 1 TRACE: leave recv_msg_channel_eof TRACE: leave process_packet TRACE: check_close: writefd -1, readfd 0, errfd 2, sent_close 0, recv_close 0 TRACE: writebuf size 0 extrabuf size 0 TRACE: CLOSE some fd -1 TRACE: enter cli_sessionloop TRACE: enter read_packet TRACE: enter decrypt_packet TRACE: leave decrypt_packet TRACE: leave read_packet TRACE: enter process_packet TRACE: process_packet: packet type = 98 TRACE: enter recv_msg_channel_request TRACE: enter cli_chansessreq TRACE: got exit-status of '1' TRACE: leave recv_msg_channel_request TRACE: leave process_packet TRACE: check_close: writefd -1, readfd 0, errfd 2, sent_close 0, recv_close 0 TRACE: writebuf size 0 extrabuf size 0 TRACE: CLOSE some fd -1 TRACE: enter cli_sessionloop TRACE: enter read_packet TRACE: enter decrypt_packet TRACE: leave 
decrypt_packet TRACE: leave read_packet TRACE: enter process_packet TRACE: process_packet: packet type = 97 TRACE: enter recv_msg_channel_close TRACE: check_close: writefd -1, readfd 0, errfd 2, sent_close 0, recv_close 1 TRACE: writebuf size 0 extrabuf size 0 TRACE: Sending MSG_CHANNEL_CLOSE in response to same. TRACE: enter send_msg_channel_close TRACE: enter cli_tty_cleanup TRACE: leave cli_tty_cleanup: not in raw mode TRACE: enter encrypt_packet() TRACE: encrypt_packet type is 97 TRACE: enter writemac TRACE: leave writemac TRACE: enter enqueue TRACE: leave enqueue TRACE: leave encrypt_packet() TRACE: CLOSE some fd 0 TRACE: CLOSE some fd 2

From micha at neli.hopto.org Sun Sep 9 04:35:24 2007
From: micha at neli.hopto.org (Micha Nelissen)
Date: Sat, 08 Sep 2007 22:35:24 +0200
Subject: Non-interactive commands
Message-ID:

Hi,

The following doesn't work:

$ echo 'echo hello' | ssh host /bin/sh

If host is running dropbear. OTOH, if host is running OpenSSH, I get 'hello' echoed back to me.

I found the following mail, but no follow-up, so I'm asking (again, I suppose).

http://osdir.com/ml/network.ssh.dropbear/2005-08/msg00002.html

Thanks in advance,

Micha

From matt at ucc.asn.au Sun Sep 9 12:06:57 2007
From: matt at ucc.asn.au (Matt Johnston)
Date: Sun, 9 Sep 2007 12:06:57 +0800
Subject: Non-interactive commands
In-Reply-To:
References:
Message-ID: <20070909040656.GD31303@ucc.gu.uwa.edu.au>

On Sat, Sep 08, 2007 at 10:35:24PM +0200, Micha Nelissen wrote:
> Hi,
>
> The following doesn't work:
>
> $ echo 'echo hello' | ssh host /bin/sh
>
> If host is running dropbear. OTOH, if host is running OpenSSH, I get
> 'hello' echoed back to me.

Which version of Dropbear is the server running? 0.49 should have fixed quite a few issues like this (I can't reproduce it here).

Cheers,
Matt

From micha at neli.hopto.org Sun Sep 9 14:15:59 2007
From: micha at neli.hopto.org (Micha Nelissen)
Date: Sun, 09 Sep 2007 08:15:59 +0200
Subject: Non-interactive commands
In-Reply-To: <20070909040656.GD31303@ucc.gu.uwa.edu.au>
References: <20070909040656.GD31303@ucc.gu.uwa.edu.au>
Message-ID: <46E38F9F.3000505@neli.hopto.org>

Matt Johnston wrote:
> Which version of Dropbear is the server running? 0.49 should
> have fixed quite a few issues like this (I can't reproduce
> it here).

I've built it using uclibc buildroot (svn rev 19783).

# dropbear --help
Unknown argument --help
Dropbear sshd v0.50

Regards,

Micha

From rob at landley.net Sun Sep 9 15:33:30 2007
From: rob at landley.net (Rob Landley)
Date: Sun, 9 Sep 2007 02:33:30 -0500
Subject: Non-interactive commands
In-Reply-To:
References:
Message-ID: <200709090233.30536.rob@landley.net>

On Saturday 08 September 2007 3:35:24 pm Micha Nelissen wrote:
> Hi,
>
> The following doesn't work:
>
> $ echo 'echo hello' | ssh host /bin/sh
>
> If host is running dropbear. OTOH, if host is running OpenSSH, I get
> 'hello' echoed back to me.

This sounds like a manifestation of using close() instead of shutdown(). See "man 2 shutdown", it's this weird little piece of filehandle trivia that closes one direction of a bidirectional connection.

When stdin runs out of data, we need to close the outgoing half of the network socket so the other end can get EOF. (Some programs block waiting to read all data before they produce any output.) But we can't close the _incoming_ half of the network socket or we won't get any data back.

When "echo" exits, it closes its stdout so the ssh process gets EOF on stdin, and should pass that along through the network. But it has to wait for the other end to send all its data back before exiting. Hence shutdown().

I implemented this in netcat a longish time ago, the busybox netcat should get this right (circa 1.2.2 anyway, no idea what it looks like these days)... I thought dropbear was already getting this right, though.

Rob
--
"One of my most productive days was throwing away 1000 lines of code."
  - Ken Thompson.
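The close()-versus-shutdown() half-close Rob describes, as an added example that is not part of the thread nor code from dropbear, netcat or OpenSSH: a socketpair stands in for the network connection, the far end reads to EOF before answering (as "sh" does with a script on stdin), and the function names remote_side, send_then_read and exchange_ok are constructed for illustration.

```c
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for the far end: like "sh" fed a script on stdin, it reads
 * until EOF before producing any output, then sends one reply and closes. */
static void remote_side(int fd)
{
    char script[256];
    char reply[320];
    size_t got = 0;
    ssize_t n;

    signal(SIGPIPE, SIG_IGN);           /* a vanished peer gives EPIPE instead */
    while ((n = read(fd, script + got, sizeof script - 1 - got)) > 0)
        got += (size_t)n;
    script[got] = '\0';

    int len = snprintf(reply, sizeof reply, "ran: %s", script);
    if (write(fd, reply, (size_t)len) < 0)
        perror("remote_side: write");   /* EPIPE: the peer used close() */
    close(fd);
    _exit(0);
}

/* Near end: send the script, signal EOF, then collect the reply.
 * half_close != 0: shutdown(fd, SHUT_WR) closes only our outbound half, so
 *   the peer sees EOF while our inbound half stays open for the reply.
 * half_close == 0: close(fd) drops both halves, so the reply has nowhere to
 *   arrive (the close()-instead-of-shutdown() symptom from the thread).
 * Returns the reply length, or -1 on a setup failure. */
ssize_t send_then_read(const char *script, int half_close,
                       char *reply, size_t cap)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(sv[0]);
        remote_side(sv[1]);             /* never returns */
    }
    close(sv[1]);

    size_t slen = strlen(script);
    if (write(sv[0], script, slen) != (ssize_t)slen) {
        close(sv[0]);
        waitpid(pid, NULL, 0);
        return -1;
    }

    ssize_t total = 0;
    if (half_close) {
        shutdown(sv[0], SHUT_WR);       /* EOF for the peer, read side kept */
        ssize_t n;
        while ((n = read(sv[0], reply + total, cap - 1 - (size_t)total)) > 0)
            total += n;
        close(sv[0]);
    } else {
        close(sv[0]);                   /* the bug: nothing can come back */
    }
    reply[total] = '\0';
    waitpid(pid, NULL, 0);
    return total;
}

/* 1 if the reply to a constructed one-line script came back intact. */
int exchange_ok(int half_close)
{
    char reply[320];
    ssize_t n = send_then_read("echo hello\n", half_close, reply, sizeof reply);
    return n > 0 && strcmp(reply, "ran: echo hello\n") == 0;
}

int main(void)
{
    printf("shutdown(SHUT_WR): reply %s\n", exchange_ok(1) ? "received" : "lost");
    printf("close():           reply %s\n", exchange_ok(0) ? "received" : "lost");
    return 0;
}
```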
From: micha at neli.hopto.org (Micha Nelissen)
Date: Sun, 09 Sep 2007 14:35:34 +0200
Subject: Non-interactive commands
In-Reply-To: <200709090233.30536.rob@landley.net>
References: <200709090233.30536.rob@landley.net>
Message-ID: <46E3E896.7010501@neli.hopto.org>

Rob Landley wrote:
> When "echo" exits, it closes its stdout so the ssh process gets EOF on stdin,
> and should pass that along through the network. But it has to wait for the
> other end to send all its data back before exiting. Hence shutdown(). I

Are you suggesting the local 'ssh' (which is OpenSSH btw) isn't working properly? How do you explain that it works when a host is running an openssh server then?

Micha

From matt at ucc.asn.au Sun Sep 9 23:48:54 2007
From: matt at ucc.asn.au (Matt Johnston)
Date: Sun, 9 Sep 2007 23:48:54 +0800
Subject: Aiee, segfault! You should probably report this as a bug to the developer
In-Reply-To: <64E64D67EE8E5F43AF4CBD435E879D040D6BFB80@NT-SJCA-0752.brcm.ad.broadcom.com>
References: <64E64D67EE8E5F43AF4CBD435E879D040D6BFB80@NT-SJCA-0752.brcm.ad.broadcom.com>
Message-ID: <20070909154854.GL31303@ucc.gu.uwa.edu.au>

On Thu, Sep 06, 2007 at 03:51:04PM -0700, Jean Pierre Sainfeld wrote:
> Hi,
> I would be thankful if somebody could help me with this issue.
> The conditions of the test are as follows:
> 1) the test is done on the host or the target ( X86, ARM9 )
> respectively. It is done only on one side.
> i.e to the localhost.
> 2) code is dropbear 0.50 configured ./configure -prefix=/opt
> CFLAGS=-DDEBUG_TRACE
> 3) the standard host keys for rsa and dss are created using dropbearkey
> as specified.
> 4) the command entered at the shell prompt are
> a) #./dropbear -v -E -p 500
> b) #./dbclient -v -p 500 root at localhost lsmod

I can't quite tell from the logs - is it the client or the server that is segfaulting? I'm guessing the server? If you redirect the output of each command to a separate logfile it might be clearer ("./dropbear -v -E -p 500 > logfile 2>&1").

Are you running uClinux by any chance? If so you'll have to run dropbear out of inetd (give it the -i option) rather than standalone.

Cheers,
Matt

From rob at landley.net Mon Sep 10 09:34:29 2007
From: rob at landley.net (Rob Landley)
Date: Sun, 9 Sep 2007 20:34:29 -0500
Subject: Non-interactive commands
In-Reply-To: <46E3E896.7010501@neli.hopto.org>
References: <200709090233.30536.rob@landley.net> <46E3E896.7010501@neli.hopto.org>
Message-ID: <200709092034.29888.rob@landley.net>

On Sunday 09 September 2007 7:35:34 am Micha Nelissen wrote:
> Rob Landley wrote:
> > When "echo" exits, it closes its stdout so the ssh process gets EOF on
> > stdin, and should pass that along through the network. But it has to
> > wait for the other end to send all its data back before exiting. Hence
> > shutdown(). I
>
> Are you suggesting the local 'ssh' (which is OpenSSH btw) isn't working
> properly? How do you explain that it works when a host is running an
> openssh server then?

I hadn't caught that it was the server at the far end (rather than the local one) having the problem. In that case it sounds like the server is closing the connection when it gets EOF from the socket, which doesn't seem likely. *shrug* Dunno.

Rob
--
"One of my most productive days was throwing away 1000 lines of code."
  - Ken Thompson.

From oliver.hanka at gi-de.com Fri Sep 14 23:11:46 2007
From: oliver.hanka at gi-de.com (oliver.hanka at gi-de.com)
Date: Fri, 14 Sep 2007 17:11:46 +0200
Subject: Two questions regarding Diffie-Hellman key exchange
Message-ID:

Hello,

I am currently working on my master's thesis, which involves implementing the SSH protocol on a smart-card. Therefore I am using dropbear as a non CPU and memory intensive blueprint.

I am currently stuck with two questions regarding the Diffie-Hellman key exchange (SSH_MSG_KEXDH_INIT message). First of all, can you point me to a document where the prime number p (128 byte) is defined? Unfortunately the RFC 4253 (SSH Transport Layer) doesn't give a hint.

The next question I am puzzled with: How come the result (e) of the client side 'e = g^x mod p' calculation is a 133 byte value? At least, that's what it looks like when I sniff the packet with wireshark (formerly ethereal). From my understanding, a modulo calculation with a 128 byte value should produce a result equal to or less than 128 byte. Am I wrong? Are there additional bytes added to e, which the RFC 4253 doesn't mention? (the message is described in section 8, RFC 4252, jan 2006)

It would be really nice, if someone could help me out with those questions.

Thanks in advance and have a nice weekend!

Best regards

Oliver Hanka

From matt at ucc.asn.au Fri Sep 14 23:21:37 2007
From: matt at ucc.asn.au (Matt Johnston)
Date: Fri, 14 Sep 2007 23:21:37 +0800
Subject: Two questions regarding Diffie-Hellman key exchange
In-Reply-To:
References:
Message-ID: <20070914152137.GC31303@ucc.gu.uwa.edu.au>

On Fri, Sep 14, 2007 at 05:11:46PM +0200, oliver.hanka at gi-de.com wrote:
> Hello,
>
> I am currently working on my master's thesis, which involves implementing
> the SSH protocol on a smart-card. Therefore I am using dropbear as a non
> CPU and memory intensive blueprint.
>
> I am currently stuck with two questions regarding the Diffie-Hellman key
> exchange (SSH_MSG_KEXDH_INIT message). First of all, can you point me to a
> document where the prime number p (128 byte) is defined? Unfortunately the
> RFC 4253 (SSH Transport Layer) doesn't give a hint.

Take a look at section 6.2 of RFC 2409. The naming is a bit of a shambles - I'm not sure why diffie-hellman-group1-sha1 actually refers to "Second Oakley Group".

> The next question I am puzzled with: How come the result (e) of the client
> side 'e = g^x mod p' calculation is a 133 byte value? At least, that's
> what it looks like when I sniff the packet with wireshark (formerly
> ethereal). From my understanding, a modulo calculation with a 128 byte
> value should produce a result equal to or less than 128 byte. Am I wrong?
> Are there additional bytes added to e, which the RFC 4253 doesn't mention?
> (the message is described in section 8, RFC 4252, jan 2006)

Have a look at section 5, rfc4251. mpints have a 4 byte length, then may be padded by a byte if their most significant bit is set.

Cheers,
Matt

From rob at landley.net Mon Sep 17 15:49:35 2007
From: rob at landley.net (Rob Landley)
Date: Mon, 17 Sep 2007 02:49:35 -0500
Subject: stunnel support?
Message-ID: <200709170249.35576.rob@landley.net>

Is anyone here familiar with ssl enough to at least guess how much work it would be to add stunnel support to dropbear?

I tried to read the RFC(s) on this last year, but never did manage to get a clear picture of what was required...

Rob
--
"One of my most productive days was throwing away 1000 lines of code."
  - Ken Thompson.

From oliver.hanka at gi-de.com Mon Sep 17 16:09:44 2007
From: oliver.hanka at gi-de.com (oliver.hanka at gi-de.com)
Date: Mon, 17 Sep 2007 10:09:44 +0200
Subject: Reply: Re: Two questions regarding Diffie-Hellman key exchange
In-Reply-To: <20070914152137.GC31303@ucc.gu.uwa.edu.au>
Message-ID:

Thank you very much! Exactly what I was looking for.

Have a nice day.

Oliver

Matt Johnston
14.09.2007 17:21

To
oliver.hanka at gi-de.com
Cc
dropbear at ucc.asn.au
Subject
Re: Two questions regarding Diffie-Hellman key exchange

On Fri, Sep 14, 2007 at 05:11:46PM +0200, oliver.hanka at gi-de.com wrote:
> Hello,
>
> I am currently working on my master's thesis, which involves implementing
> the SSH protocol on a smart-card. Therefore I am using dropbear as a non
> CPU and memory intensive blueprint.
>
> I am currently stuck with two questions regarding the Diffie-Hellman key
> exchange (SSH_MSG_KEXDH_INIT message). First of all, can you point me to a
> document where the prime number p (128 byte) is defined? Unfortunately the
> RFC 4253 (SSH Transport Layer) doesn't give a hint.

Take a look at section 6.2 of RFC 2409. The naming is a bit of a shambles - I'm not sure why diffie-hellman-group1-sha1 actually refers to "Second Oakley Group".

> The next question I am puzzled with: How come the result (e) of the client
> side 'e = g^x mod p' calculation is a 133 byte value? At least, that's
> what it looks like when I sniff the packet with wireshark (formerly
> ethereal). From my understanding, a modulo calculation with a 128 byte
> value should produce a result equal to or less than 128 byte. Am I wrong?
> Are there additional bytes added to e, which the RFC 4253 doesn't mention?
> (the message is described in section 8, RFC 4252, jan 2006)

Have a look at section 5, rfc4251. mpints have a 4 byte length, then may be padded by a byte if their most significant bit is set.

Cheers,
Matt
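Matt's answer above (the 4-byte length plus an optional leading 0x00 when the top bit is set) is exactly what turns a 128-byte e into 133 bytes on the wire. The following C is an added example, not dropbear's own buf_putmpint code: the names ssh_put_mpint and ssh_get_mpint, the strictness checks in the parser and the filler value are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Encode a non-negative big-endian magnitude as an RFC 4251 section 5 mpint:
 * uint32 big-endian length, then the value with no leading zero bytes, and a
 * 0x00 byte prepended when the first byte's top bit is set (otherwise the
 * two's-complement value would read as negative). Zero encodes as length 0.
 * Returns 4 + body length, or 0 if out is too small. */
size_t ssh_put_mpint(const uint8_t *mag, size_t mag_len,
                     uint8_t *out, size_t cap)
{
    while (mag_len > 0 && mag[0] == 0) {     /* strip leading zeros */
        mag++;
        mag_len--;
    }
    size_t pad = (mag_len > 0 && (mag[0] & 0x80)) ? 1 : 0;
    size_t body = mag_len + pad;
    if (cap < 4 + body)
        return 0;
    out[0] = (uint8_t)(body >> 24);
    out[1] = (uint8_t)(body >> 16);
    out[2] = (uint8_t)(body >> 8);
    out[3] = (uint8_t)body;
    if (pad)
        out[4] = 0x00;
    memcpy(out + 4 + pad, mag, mag_len);
    return 4 + body;
}

/* Parse an mpint back to its magnitude (sign byte removed). Returns the
 * magnitude length, or -1 for a length field larger than the buffer, a
 * negative value (never valid for a DH value) or a non-minimal encoding. */
long ssh_get_mpint(const uint8_t *in, size_t in_len, uint8_t *mag, size_t cap)
{
    if (in_len < 4)
        return -1;
    size_t body = ((size_t)in[0] << 24) | ((size_t)in[1] << 16) |
                  ((size_t)in[2] << 8) | (size_t)in[3];
    if (body > in_len - 4)
        return -1;                           /* length lies about the size */
    if (body == 0)
        return 0;
    const uint8_t *p = in + 4;
    if (p[0] & 0x80)
        return -1;                           /* negative */
    if (p[0] == 0x00) {
        if (body == 1 || !(p[1] & 0x80))
            return -1;                       /* pad byte that clears nothing */
        p++;
        body--;
    }
    if (body > cap)
        return -1;
    memcpy(mag, p, body);
    return (long)body;
}

/* Constructed sample: a 128-byte (1024-bit) DH value e with the given first
 * byte. Returns its wire size: 133 when the top bit is set (4 + 1 + 128),
 * 132 when it is clear. */
size_t encoded_len_of_128byte_value(uint8_t first_byte)
{
    uint8_t e[128], enc[160];
    for (size_t i = 0; i < sizeof e; i++)
        e[i] = (uint8_t)(0x5a + i);          /* arbitrary filler */
    e[0] = first_byte;
    return ssh_put_mpint(e, sizeof e, enc, sizeof enc);
}

/* 1 if encode followed by decode gives back the same 128 bytes. */
int mpint_roundtrip_ok(uint8_t first_byte)
{
    uint8_t e[128], enc[160], back[128];
    for (size_t i = 0; i < sizeof e; i++)
        e[i] = (uint8_t)(0x5a + i);
    e[0] = first_byte;
    size_t n = ssh_put_mpint(e, sizeof e, enc, sizeof enc);
    long m = ssh_get_mpint(enc, n, back, sizeof back);
    return m == (long)sizeof e && memcmp(e, back, sizeof e) == 0;
}

int main(void)
{
    printf("first byte 0x80: %zu bytes on the wire\n",
           encoded_len_of_128byte_value(0x80));
    printf("first byte 0x7f: %zu bytes on the wire\n",
           encoded_len_of_128byte_value(0x7f));
    return 0;
}
```

A parser that trusts the length field, as in the last check of ssh_get_mpint, is where a peer's oversized mpint would otherwise walk past the packet buffer.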
From kaloz at openwrt.org Mon Sep 17 16:16:42 2007
From: kaloz at openwrt.org (Imre Kaloz)
Date: Mon, 17 Sep 2007 10:16:42 +0200
Subject: stunnel support?
In-Reply-To: <200709170249.35576.rob@landley.net>
References: <200709170249.35576.rob@landley.net>
Message-ID:

On Mon, 17 Sep 2007 09:49:35 +0200, Rob Landley wrote:
> Is anyone here familiar with ssl enough to at least guess how much work
> it would be to add stunnel support to dropbear?
>
> I tried to read the RFC(s) on this last year, but never did manage to
> get a clear picture of what was required...
>
> Rob

Well, it's not dropbear, but I guess your main problem is the openssl dependency. So take a look at xrelayd (http://forum.openwrt.org/viewtopic.php?id=12338) and/or matrixtunnel (http://forum.openwrt.org/viewtopic.php?id=5588).

Cheers,
Imre

From roberto.foglietta at gmail.com Mon Sep 17 16:25:49 2007
From: roberto.foglietta at gmail.com (Roberto A. Foglietta)
Date: Mon, 17 Sep 2007 10:25:49 +0200
Subject: sftp client for dropbear
Message-ID:

Hi to all folks,

do you know an sftp client which could work with dropbear? I tried the one which comes with OpenSSH but it does not work.

In case there is not any sftp client for dropbear do you think adapting the openssh one could be a lot of work or just a different ssh syntax to adapt?

Cheers,
--
/roberto

From matt at ucc.asn.au Mon Sep 17 20:08:13 2007
From: matt at ucc.asn.au (Matt Johnston)
Date: Mon, 17 Sep 2007 20:08:13 +0800
Subject: sftp client for dropbear
In-Reply-To:
References:
Message-ID: <20070917120812.GC31581@ucc.gu.uwa.edu.au>

On Mon, Sep 17, 2007 at 10:25:49AM +0200, Roberto A. Foglietta wrote:
> Hi to all folks,
>
> do you know an sftp client which could work with dropbear?
> I tried the one which comes with OpenSSH but it does not work.
>
> In case there is not any sftp client for dropbear do you think
> adapting the openssh one could be a lot of work or just a different ssh
> syntax to adapt?

How does it not work? Have you tried the instructions from http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2007q1/000502.html ? (see the followup posts too)

Cheers,
Matt

From roberto.foglietta at gmail.com Mon Sep 17 20:52:58 2007
From: roberto.foglietta at gmail.com (Roberto A. Foglietta)
Date: Mon, 17 Sep 2007 14:52:58 +0200
Subject: sftp client for dropbear
In-Reply-To: <20070917120812.GC31581@ucc.gu.uwa.edu.au>
References: <20070917120812.GC31581@ucc.gu.uwa.edu.au>
Message-ID:

2007/9/17, Matt Johnston :
> On Mon, Sep 17, 2007 at 10:25:49AM +0200, Roberto A. Foglietta wrote:
> > Hi to all folks,
> >
> > do you know an sftp client which could work with dropbear?
> > I tried the one which comes with OpenSSH but it does not work.
> >
> > In case there is not any sftp client for dropbear do you think
> > adapting the openssh one could be a lot of work or just a different ssh
> > syntax to adapt?
>
> How does it not work? Have you tried the instructions from
> http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2007q1/000502.html ?
> (see the followup posts too)

Yes, but... I was talking about sftp client not server! Have I missed something about that thread?

Cheers,
--
/roberto

From matt at ucc.asn.au Mon Sep 17 22:06:55 2007
From: matt at ucc.asn.au (Matt Johnston)
Date: Mon, 17 Sep 2007 22:06:55 +0800
Subject: sftp client for dropbear
In-Reply-To:
References: <20070917120812.GC31581@ucc.gu.uwa.edu.au>
Message-ID: <20070917140655.GD31581@ucc.gu.uwa.edu.au>

On Mon, Sep 17, 2007 at 02:52:58PM +0200, Roberto A. Foglietta wrote:
> 2007/9/17, Matt Johnston :
> > On Mon, Sep 17, 2007 at 10:25:49AM +0200, Roberto A. Foglietta wrote:
> > > Hi to all folks,
> > >
> > > do you know an sftp client which could work with dropbear?
> > > I tried the one which comes with OpenSSH but it does not work.
> > >
> > > In case there is not any sftp client for dropbear do you think
> > > adapting the openssh one could be a lot of work or just a different ssh
> > > syntax to adapt?
> >
> > How does it not work? Have you tried the instructions from
> > http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2007q1/000502.html ?
> > (see the followup posts too)
>
> Yes, but... I was talking about sftp client not server!
> Have I missed something about that thread?

Oops sorry, misread the mail.

I can get the OpenSSH sftp client to work with dbclient on a Linux system with

sftp -s /usr/lib/openssh/sftp-server -S /usr/bin/dbclient remotehost

though for some reason it seems not to work on Mac OS X here - I'll try to figure out what's happening. Does that work for you (with paths changed appropriately)? I assume the sftp client will compile with similar settings to sftp-server.

Cheers,
Matt

From rob at landley.net Tue Sep 18 01:39:26 2007
From: rob at landley.net (Rob Landley)
Date: Mon, 17 Sep 2007 12:39:26 -0500
Subject: stunnel support?
In-Reply-To:
References: <200709170249.35576.rob@landley.net>
Message-ID: <200709171239.26313.rob@landley.net>

On Monday 17 September 2007 3:16:42 am Imre Kaloz wrote:
> On Mon, 17 Sep 2007 09:49:35 +0200, Rob Landley wrote:
> > Is anyone here familiar with ssl enough to at least guess how much work
> > it would be to add stunnel support to dropbear?
> >
> > I tried to read the RFC(s) on this last year, but never did manage to
> > get a clear picture of what was required...
> >
> > Rob
>
> Well, it's not dropbear, but I guess your main problem is the openssl
> dependency. So take a look at xrelayd
> (http://forum.openwrt.org/viewtopic.php?id=12338) and/or matrixtunnel
> (http://forum.openwrt.org/viewtopic.php?id=5588).

Does either of these projects have an actual web page rather than a forum post? I'd prefer to use a project that actually exists.

Rob
--
"One of my most productive days was throwing away 1000 lines of code."
  - Ken Thompson.

From kaloz at openwrt.org Tue Sep 18 01:48:03 2007
From: kaloz at openwrt.org (Imre Kaloz)
Date: Mon, 17 Sep 2007 19:48:03 +0200
Subject: stunnel support?
In-Reply-To: <200709171239.26313.rob@landley.net>
References: <200709170249.35576.rob@landley.net> <200709171239.26313.rob@landley.net>
Message-ID:

On Mon, 17 Sep 2007 19:39:26 +0200, Rob Landley wrote:
> On Monday 17 September 2007 3:16:42 am Imre Kaloz wrote:
>> On Mon, 17 Sep 2007 09:49:35 +0200, Rob Landley wrote:
>> > Is anyone here familiar with ssl enough to at least guess how much
>> > work it would be to add stunnel support to dropbear?
>> >
>> > I tried to read the RFC(s) on this last year, but never did manage to
>> > get a clear picture of what was required...
>> >
>> > Rob
>>
>> Well, it's not dropbear, but I guess your main problem is the openssl
>> dependency. So take a look at xrelayd
>> (http://forum.openwrt.org/viewtopic.php?id=12338) and/or matrixtunnel
>> (http://forum.openwrt.org/viewtopic.php?id=5588).
>
> Does either of these projects have an actual web page rather than a forum
> post? I'd prefer to use a project that actually exists.
>
> Rob

Both the stunnel matrixssl port (matrixtunnel) and xrelayd were done by the same developer, Lorenz Schori. As far as I know matrixtunnel was an experiment, xrelayd is a new project. Probably you should contact him and ask about the future of these projects.

Imre

From Eduard.Braun2 at gmx.de Tue Sep 18 01:48:54 2007
From: Eduard.Braun2 at gmx.de (Patrick)
Date: Mon, 17 Sep 2007 17:48:54 +0000 (UTC)
Subject: Autoban Feature
Message-ID:

Hi,

Since I regularly have bruteforce-attacks on my SSH-Server, I would appreciate an autoban-feature in Dropbear which bans an IP after a certain amount of failed login-attempts.

There could for example be a setting like "ban an IP after x failed logins for y Minutes (or 0 for infinite)"

Thanks in advance,
Patrick

From cristian.ionescu-idbohrn at axis.com Tue Sep 18 03:21:25 2007
From: cristian.ionescu-idbohrn at axis.com (Cristian Ionescu-Idbohrn)
Date: Mon, 17 Sep 2007 21:21:25 +0200 (CEST)
Subject: stunnel support?
In-Reply-To: <200709171239.26313.rob@landley.net>
References: <200709170249.35576.rob@landley.net> <200709171239.26313.rob@landley.net>
Message-ID: <0709172115480.11796@somehost>

On Mon, 17 Sep 2007, Rob Landley wrote:
> Does either of these projects have an actual web page rather than a forum
> post? I'd prefer to use a project that actually exists.

http://www.xyssl.org/
http://znerol.ch/files/

xrelayd is some 130k statically built against xyssl.

Cheers,
--
Cristian

From rob at landley.net Tue Sep 18 04:18:39 2007
From: rob at landley.net (Rob Landley)
Date: Mon, 17 Sep 2007 15:18:39 -0500
Subject: Autoban Feature
In-Reply-To:
References:
Message-ID: <200709171518.39614.rob@landley.net>

On Monday 17 September 2007 12:48:54 pm Patrick wrote:
> Hi,
>
> Since I regularly have bruteforce-attacks on my SSH-Server,
> I would appreciate an autoban-feature in Dropbear
> which bans an IP after a certain amount of failed login-attempts.
>
> There could for example be a setting like
> "ban an IP after x failed logins for y Minutes (or 0 for infinite)"

You can do most of that at the iptables level. Count syn packets to see the number of connection attempts. (Admittedly this counts successful login attempts too, but if you're triggering on 20 login attempts in a minute...)

Rob
--
"One of my most productive days was throwing away 1000 lines of code."
  - Ken Thompson.

From roberto.foglietta at gmail.com Tue Sep 18 16:17:19 2007
From: roberto.foglietta at gmail.com (Roberto A. Foglietta)
Date: Tue, 18 Sep 2007 10:17:19 +0200
Subject: sftp client for dropbear
In-Reply-To: <20070917140655.GD31581@ucc.gu.uwa.edu.au>
References: <20070917120812.GC31581@ucc.gu.uwa.edu.au> <20070917140655.GD31581@ucc.gu.uwa.edu.au>

2007/9/17, Matt Johnston:
> On Mon, Sep 17, 2007 at 02:52:58PM +0200, Roberto A. Foglietta wrote:
> > 2007/9/17, Matt Johnston:
> > > On Mon, Sep 17, 2007 at 10:25:49AM +0200, Roberto A. Foglietta wrote:
> > > > Hi to all folks,
> > > >
> > > > do you know a sftp client which could work with dropbear?
> > > > I tried which one comes with OpenSSH but does not work.
> > > >
> > > > In case there is not any sftp client for dropbear do you think
> > > > adapting openssh one it could be a lot of work or just a different ssh
> > > > syntax adapt?
> > >
> > > How does it not work? Have you tried the instructions from
> > > http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2007q1/000502.html ?
> > > (see the followup posts too)
> >
> > Yes, but... I was talking about sftp client not server!
> > Have I missed something about that thread?
>
> Oops sorry, misread the mail.
>
> I can get the OpenSSH sftp client to work with dbclient on a
> Linux system with
> sftp -s /usr/lib/openssh/sftp-server -S /usr/bin/dbclient remotehost
> though for some reason it seems not to work on Mac OS X
> here - I'll try figure what's happening. Does that work for
> you (with paths changed appropriately)? I assume the sftp
> client will compile with similar settings to sftp-server.

The sftp client was cross-compiled for a PPC board while sftp-server is running
on an Ubuntu Linux / x86 arch.

After login sftp exits immediately; however, if I specify a batch file it
works. Finally, I find it very annoying to have to tell the sftp command where
the remote sftp-server binary is!

~ # sftp -S /usr/bin/dbclient -s /usr/lib/openssh/sftp-server foglietr at 172.16.119.6
Connecting to 172.16.119.6...
WARNING: Ignoring unknown argument '-oForwardX11 no'
WARNING: Ignoring unknown argument '-oForwardAgent no'
WARNING: Ignoring unknown argument '-oPermitLocalCommand no'
WARNING: Ignoring unknown argument '-oClearAllForwardings yes'
WARNING: Ignoring unknown argument '-oProtocol 2'
foglietr at 172.16.119.6's password:
foglietr at 172.16.119.6's password:
foglietr at 172.16.119.6's password:
xset: unable to open display ""
xset: unable to open display ""
sftp>
~ #
~ # cat pippo
ls
ls
~ # sftp -b pippo -S /usr/bin/dbclient -s /usr/lib/openssh/sftp-server foglietr at 172.16.119.6
WARNING: Ignoring unknown argument '-oForwardX11 no'
WARNING: Ignoring unknown argument '-oForwardAgent no'
WARNING: Ignoring unknown argument '-oPermitLocalCommand no'
WARNING: Ignoring unknown argument '-oClearAllForwardings yes'
WARNING: Ignoring unknown argument '-obatchmode yes'
WARNING: Ignoring unknown argument '-oProtocol 2'
foglietr at 172.16.119.6's password:
xset: unable to open display ""
xset: unable to open display ""
sftp> ls
[... ls print out ...]
sftp> ls
[... ls print out ...]
sftp>
~ #

thanks,
-- 
/roberto

From roberto.foglietta at gmail.com Tue Sep 18 18:25:51 2007
From: roberto.foglietta at gmail.com (Roberto A. Foglietta)
Date: Tue, 18 Sep 2007 12:25:51 +0200
Subject: sftp client for dropbear
References: <20070917120812.GC31581@ucc.gu.uwa.edu.au> <20070917140655.GD31581@ucc.gu.uwa.edu.au>

2007/9/18, Roberto A. Foglietta:
> 2007/9/17, Matt Johnston:
> > On Mon, Sep 17, 2007 at 02:52:58PM +0200, Roberto A. Foglietta wrote:
> > > 2007/9/17, Matt Johnston:
> > > > On Mon, Sep 17, 2007 at 10:25:49AM +0200, Roberto A. Foglietta wrote:
> > > > > Hi to all folks,
> > > > >
> > > > > do you know a sftp client which could work with dropbear?
> > > > > I tried which one comes with OpenSSH but does not work.
> > > > >
> > > > > In case there is not any sftp client for dropbear do you think
> > > > > adapting openssh one it could be a lot of work or just a different ssh
> > > > > syntax adapt?
> > > >
> > > > How does it not work? Have you tried the instructions from
> > > > http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2007q1/000502.html ?
> > > > (see the followup posts too)
> > >
> > > Yes, but... I was talking about sftp client not server!
> > > Have I missed something about that thread?
> >
> > Oops sorry, misread the mail.
> >
> > I can get the OpenSSH sftp client to work with dbclient on a
> > Linux system with
> > sftp -s /usr/lib/openssh/sftp-server -S /usr/bin/dbclient remotehost
> > though for some reason it seems not to work on Mac OS X
> > here - I'll try figure what's happening. Does that work for
> > you (with paths changed appropriately)? I assume the sftp
> > client will compile with similar settings to sftp-server.
>
> sftp client was cross-compiled for a PPC board while sftp-server is
> running onto an Ubuntu Linux / x86 arch.
>
> After login sftp gets out immediately, however if I specify a batch
> file it works.
> Finally I found very annoying having to tell to sftp command where is
> the remote sftp-server binary!
>
> ~ # sftp -S /usr/bin/dbclient -s /usr/lib/openssh/sftp-server foglietr at 172.16.119.6
> Connecting to 172.16.119.6...
> WARNING: Ignoring unknown argument '-oForwardX11 no'
> WARNING: Ignoring unknown argument '-oForwardAgent no'
> WARNING: Ignoring unknown argument '-oPermitLocalCommand no'
> WARNING: Ignoring unknown argument '-oClearAllForwardings yes'
> WARNING: Ignoring unknown argument '-oProtocol 2'
> foglietr at 172.16.119.6's password:
> foglietr at 172.16.119.6's password:
> foglietr at 172.16.119.6's password:
> xset: unable to open display ""
> xset: unable to open display ""
> sftp>
> ~ #

The amazing thing is.... 2>/dev/null resolves the issue!

sftp -s /usr/lib/openssh/sftp-server -S /usr/bin/dbclient foglietr at 172.16.119.6 2>/dev/null

It does not make any sense to me. Anyway, sftp.err.1 is a strace log taken in
the console without any 2> redirection, while sftp.err.2 is the log saved to a
file. With the help of diff I see that in the first case reading fd=0 would
return EAGAIN and quit. Do you think this could be a bug of the openssh project
or of dropbear?

Cheers,
-- 
/roberto

From roberto.foglietta at gmail.com Tue Sep 18 18:28:04 2007
From: roberto.foglietta at gmail.com (Roberto A. Foglietta)
Date: Tue, 18 Sep 2007 12:28:04 +0200
Subject: sftp client for dropbear
References: <20070917120812.GC31581@ucc.gu.uwa.edu.au> <20070917140655.GD31581@ucc.gu.uwa.edu.au>

I forgot the logs, sorry :-)
-- 
/roberto

[Attachment: sftp.err.1.gz (application/x-gzip, 1747 bytes):
http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20070918/ef8dd845/attachment.bin]
[Attachment: sftp.err.2.gz (application/x-gzip, 1772 bytes):
http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20070918/ef8dd845/attachment-0001.bin]

From roberto.foglietta at gmail.com Tue Sep 18 20:33:09 2007
From: roberto.foglietta at gmail.com (Roberto A. Foglietta)
Date: Tue, 18 Sep 2007 14:33:09 +0200
Subject: sftp client for dropbear
References: <20070917120812.GC31581@ucc.gu.uwa.edu.au> <20070917140655.GD31581@ucc.gu.uwa.edu.au>

2007/9/18, Roberto A. Foglietta:
>
> sftp client was cross-compiled for a PPC board while sftp-server is
> running onto an Ubuntu Linux / x86 arch.
>
> After login sftp gets out immediately, however if I specify a batch
> file it works.

2007/9/18, Roberto A. Foglietta:
> The amazing thing is.... 2>/dev/null resolve the issue!

openssh bug opened and patch submitted:
https://bugzilla.mindrot.org/show_bug.cgi?id=1365

Sorry for having posted (so much) on your list!

Cheers,
-- 
/roberto

From roberto.foglietta at gmail.com Wed Sep 19 17:30:27 2007
From: roberto.foglietta at gmail.com (Roberto A. Foglietta)
Date: Wed, 19 Sep 2007 11:30:27 +0200
Subject: PATCH: sftp subsystem request via ssh

Hi to all folks,

I developed this patch in order to avoid the -s usage in

sftp -s /remote/path/sftp-server -S /local/path/dbclient

Now, if -s is not specified, a subsystem request is sent.

Cheers,
-- 
/roberto

[Attachment: sftp_subsystem_request.patch (text/x-patch, 423 bytes):
http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20070919/7be5c38e/attachment.bin]

From laurentp at cse-semaphore.com Wed Sep 19 21:18:47 2007
From: laurentp at cse-semaphore.com (Laurent Pinchart)
Date: Wed, 19 Sep 2007 15:18:47 +0200
Subject: Dropbear server 0.50 stops listening to socket when started without stdin
Message-ID: <200709191518.47149.laurentp@cse-semaphore.com>

Hi,

The 2007-07-19 commit ("Patch from Nicolai Ehemann to try binding before going
to the background, so that if it exits early (because something's already
listening etc) then it will return an exitcode of 1.") breaks Dropbear when
started from init (busybox 1.6.1) with no console.

When no console is configured, init starts dropbear with stdin (fd 0) closed.
The socket opened by listensockets() will then be assigned fd 0. The later
call to daemon() will reassign fd 0, 1 and 2 to /dev/null, making dropbear
stop listening to the network.

I reverted the patch as a temporary workaround. I'm not sure what a proper
solution would be.

Please CC me when answering this e-mail.

Best regards,
-- 
Laurent Pinchart
CSE Semaphore Belgium
Chaussée de Bruxelles, 732A
B-1410 Waterloo
Belgium
T +32 (2) 387 42 59
F +32 (2) 387 42 75

From oliver.hanka at gi-de.com Thu Sep 20 17:12:12 2007
From: oliver.hanka at gi-de.com (oliver.hanka at gi-de.com)
Date: Thu, 20 Sep 2007 11:12:12 +0200
Subject: Packet sequence_number for MAC
In-Reply-To: <20070914152137.GC31303@ucc.gu.uwa.edu.au>

Hello,

I am sorry to bother you again. I have a new question concerning the SSH
protocol and hope you can help me out once more.

It's about the packet sequence_number needed for the MAC calculation
(RFC 4253, Section 6.4). It says the number is 'incremented after every
packet'. Does it mean one counter for received AND transmitted packets, or are
there two separate counters, one for rx and one for tx?

Thanks in advance!

Kind regards / Best regards
Oliver Hanka

[An HTML attachment was scrubbed:
http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20070920/67079a32/attachment.htm]

From matt at ucc.asn.au Thu Sep 20 20:41:59 2007
From: matt at ucc.asn.au (Matt Johnston)
Date: Thu, 20 Sep 2007 20:41:59 +0800
Subject: Dropbear server 0.50 stops listening to socket when started without stdin
In-Reply-To: <200709191518.47149.laurentp@cse-semaphore.com>
References: <200709191518.47149.laurentp@cse-semaphore.com>
Message-ID: <20070920124159.GJ3413@ucc.gu.uwa.edu.au>

On Wed, Sep 19, 2007 at 03:18:47PM +0200, Laurent Pinchart wrote:
> Hi,
>
> The 2007-07-19 commit ("Patch from Nicolai Ehemann to try binding before going
> to the background, so that if it exits early (because something's already
> listening etc) then it will return an exitcode of 1.") breaks Dropbear when
> started from init (busybox 1.6.1) with no console.
>
> When no console is configured, init starts dropbear with stdin (fd 0) closed.
> The socket opened by listensockets() will then be assigned fd 0. The later
> call to daemon() will reassign fd 0, 1 and 2 to /dev/null, making dropbear
> stop listening to the network.
>
> I reverted the patch as temporary workaround. I'm not sure what a proper
> solution would be.

Aha, right. I'm heading away for a few weeks, will have a closer look after
that. Sounds plausible that it broke something though.

Cheers,
Matt
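Laurent's report above (the listening socket inheriting fd 0 because stdin was closed, then being overwritten when daemon() redirects fds 0-2 to /dev/null) reproduced in one process, with one defensive check placed in front of it. This is an added example written for this archive, not Dropbear code; ensure_std_fds_open and listen_socket_survives_daemon are hypothetical names, and the "listening" socket is never bound since the descriptor number is all that matters here.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <unistd.h>

/* True unless fd is closed (fcntl fails with EBADF). */
static int fd_is_open(int fd) {
    return fcntl(fd, F_GETFD) != -1 || errno != EBADF;
}

/* True while fd is still a socket; after dup2() has put /dev/null on it,
 * getsockopt() fails with ENOTSOCK. */
static int is_socket(int fd) {
    int type; socklen_t len = sizeof type;
    return getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &len) == 0;
}

/* Hypothetical hardening step: before the first socket() call, open /dev/null
 * on whichever of fds 0-2 are closed. Walking upward means open() returns
 * exactly the fd being repaired. Returns the number of repaired fds, or -1. */
int ensure_std_fds_open(void) {
    int repaired = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fd_is_open(fd)) continue;
        if (open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY) != fd) return -1;
        repaired++;
    }
    return repaired;
}

/* Reproduce the report in one process: optionally close stdin, optionally
 * apply the fix, create the listening socket, then redirect fds 0-2 to
 * /dev/null as daemon() does. Returns 1 if the socket survived, 0 if it was
 * clobbered (the bug), -1 on error. stdout/stderr are parked on fds >= 3
 * and restored so the caller keeps them. */
int listen_socket_survives_daemon(int stdin_closed, int fix_first) {
    int saved1 = fcntl(1, F_DUPFD, 3), saved2 = fcntl(2, F_DUPFD, 3);
    if (stdin_closed) close(0);
    if (fix_first && ensure_std_fds_open() == -1) return -1;
    int s = socket(AF_INET, SOCK_STREAM, 0); /* lands on fd 0 if stdin is closed */
    if (s == -1) return -1;
    int nul = open("/dev/null", O_RDWR);
    for (int fd = 0; nul != -1 && fd <= 2; fd++) dup2(nul, fd);
    if (nul > 2) close(nul);
    int ok = is_socket(s);  /* 0 when s == 0 was just overwritten */
    close(s);
    dup2(saved1, 1); dup2(saved2, 2);
    close(saved1); close(saved2);
    return ok;
}
```

The same fix applies to any daemon that creates sockets before daemonizing: the check costs three fcntl() calls and removes the dependency on how init set up the standard descriptors.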