From lewis at freesco.info Thu Jul 10 04:12:44 2008
From: lewis at freesco.info (Lewis Baughman)
Date: Wed, 09 Jul 2008 13:12:44 -0700
Subject: Vulnerability ?
Message-ID: <48751BBC.9040107@freesco.info>

I recently read the vulnerability alert posted and I am wondering if this includes dnsmasq with this cache poisoning or if this is just a hoax of some kind.

http://www.kb.cert.org/vuls/id/800113
http://www.debian.org/security/2008/dsa-1603
http://securosis.com/2008/07/08/dan-kaminsky-discovers-fundamental-issue-in-dns-massive-multivendor-patch-released/

Quote:

Caching DNS resolvers are primarily at risk--both those that are open (a DNS resolver is open if it provides recursive name resolution for clients outside of its administrative domain), and those that are not. These caching resolvers are the most common target for attackers; *however, stub resolvers are also at risk.*

Regards,
Lewis

From mark.richards at massmicro.com Mon Jul 14 07:27:16 2008
From: mark.richards at massmicro.com (Mark Richards)
Date: Sun, 13 Jul 2008 19:27:16 -0400
Subject: anti-hang
Message-ID: <487A8F54.2040709@massmicro.com>

I use dropbear client, connecting to an openssh server.

dbclient will provide connection services in a remote unattended client, and therefore under no circumstances can the connection hang.

In testing, I found that there are instances where the client is expecting user input. For example, if the server is not in known_hosts, dbclient asks to accept the connection. In another instance, sending a bad key caused the connection attempt to hang (forever, it seemed).

dropbear client has -K which is nice, but what's needed sometimes is -D ("die after"). e.g.:

dbclient -i /path/to/key -D 30 me at ip

dbclient will return an exit code after 30 seconds if nothing transpires.

Is there such a feature or a way to work around?

From arasv at magtech.com.au Mon Jul 21 10:05:41 2008
From: arasv at magtech.com.au (Aras Vaichas)
Date: Mon, 21 Jul 2008 12:05:41 +1000
Subject: hash mismatch problem on ARM system
Message-ID: <4883EEF5.1060103@magtech.com.au>

Hi,

I'm getting "hash mismatch" problems in my embedded ARM system when using gcc-4.2.3-glibc-2.7 and Scratchbox to compile the code. I also get "differ in signedness" warnings during compilation.

If I try to ssh to the remote server:

$ ssh root at 169.254.0.252
hash mismatch
key_verify failed for server_host_key

If I try to ssh on the remote server:

/root # ssh root at localhost
ssh: connection to root at localhost:22 exited: Bad hostkey signature

This sounds very similar to the problem outlined in this older posting:

http://www.mail-archive.com/dropbear at ucc.asn.au/msg00083.html

The solution to this version of the problem was:

"The avr32-linux-gcc compiler had a wrong implementation of the ror and rol functions. And the uClibc library had a bug in memcmp function."

I'm using arm-linux-gcc, could it have the same problem?

I tested against Dropbear 0.46 and Dropbear 0.51 and the results are the same, the problem is with my compiler/build environment.

My old (working) version of Dropbear was built with gcc-3.4.4-glibc-2.3.5 and was compiled in a cross-compilation style.

My new (broken) version of Dropbear was built with gcc-4.2.3-glibc-2.7 and uses the Scratchbox environment.

Can someone give me some pointers as to the root source of the problem?

As another test, I'm going to build and test OpenSSH to confirm if this problem is Dropbear build specific or is a real problem with my build environment.

Aras

______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________

From arasv at magtech.com.au Mon Jul 21 14:49:58 2008
From: arasv at magtech.com.au (Aras Vaichas)
Date: Mon, 21 Jul 2008 16:49:58 +1000
Subject: hash mismatch problem on ARM system
In-Reply-To: <4883EEF5.1060103@magtech.com.au>
References: <4883EEF5.1060103@magtech.com.au>
Message-ID: <48843196.9010300@magtech.com.au>

Aras Vaichas wrote:
> Hi,
>
> I'm getting "hash mismatch" problems in my embedded ARM system when
> using gcc-4.2.3-glibc-2.7 and Scratchbox to compile the code. I also
> get "differ in signedness" warnings during compilation.
>
> If I try to ssh to the remote server:
>
> $ ssh root at 169.254.0.252
> hash mismatch
> key_verify failed for server_host_key
>
>
> If I try to ssh on the remote server:
>
> /root # ssh root at localhost
> ssh: connection to root at localhost:22 exited: Bad hostkey signature
>
>
> This sounds very similar to the problem outlined in this older posting:
>
> http://www.mail-archive.com/dropbear at ucc.asn.au/msg00083.html
>
> The solution to this version of the problem was:
>
> "The avr32-linux-gcc compiler had a wrong implementation of the ror and
> rol functions. And the uClibc library had a bug in memcmp function."
>
> I'm using arm-linux-gcc, could it have the same problem?
>
>
> I tested against Dropbear 0.46 and Dropbear 0.51 and the results are the
> same, the problem is with my compiler/build environment.
>
> My old (working) version of Dropbear was built with
> gcc-3.4.4-glibc-2.3.5 and was compiled in a cross-compilation style.
>
> My new (broken) version of Dropbear was built with gcc-4.2.3-glibc-2.7
> and uses the Scratchbox environment.
>
>
> Can someone give me some pointers as to the root source of the problem?
>
> As another test, I'm going to build and test OpenSSH to confirm if this
> problem is Dropbear build specific or is a real problem with my build
> environment.
>

evilness ...

I cross-compiled Dropbear using the Scratchbox binaries from x86 land, and it worked OK.

I cross-compiled Dropbear from within Scratchbox (semi-virtual ARM land), and it worked OK.
This proves it isn't the compiler's fault.

I cross-compiled by passing the makefile options as arguments to the Scratchbox command line, and it breaks. e.g.

$ scratchbox make PROGRAMS="dropbear dbclient dropbearkey dropbearconvert scp" MULTI=1

I logged the output of each compile and noticed that there was one obvious difference between the methods, e.g.:

Doing a Scratchbox cross-compile from outside of Scratchbox:

gcc -I. -I. -I./libtomcrypt/src/headers/ -Os -W -Wall -DDROPBEAR_CLIENT -DDBMULTI_dbclient -DDROPBEAR_MULTI -c -o listener.o listener.c

Doing a Scratchbox cross-compile from inside of Scratchbox:

gcc -I. -I. -I./libtomcrypt/src/headers/ -Os -W -Wall -DDROPBEAR_SERVER -DDROPBEAR_CLIENT -DDBMULTI_dropbear -DDBMULTI_dbclient -DDBMULTI_dropbearkey -DDBMULTI_dropbearconvert -DDBMULTI_scp -DDROPBEAR_MULTI -c -o listener.o listener.c

For some reason, passing those makefile arguments over the Scratchbox barrier just didn't work too well, and the Makefile created different results.

I fixed this by encoding the Makefile arguments into the Makefile itself.

PROGRAMS=dropbear dbclient dropbearkey dropbearconvert scp
MULTI=1

Aras

From yvon.thoraval at gmail.com Mon Jul 21 15:03:06 2008
From: yvon.thoraval at gmail.com (Yvon Thoraval)
Date: Mon, 21 Jul 2008 09:03:06 +0200
Subject: dropbear ssh howto
Message-ID:

Hey all!

I'm a newbie with dropbear and have installed it on an e2831 (known as Twin-Tact). Maybe this isn't the place to ask such a basic question, but I'm unable to log on to my mobile using ssh. I've launched the daemon and it seems to respond from the Mac side; it even added a key to my ~/.ssh/known_hosts. Here are some of my attempts:

$ ssh -l root -p 2222 169.254.0.2
Enter passphrase for key '/Users/yt/.ssh/id_dsa':
Permission denied (publickey).

$ ssh -p 2222 169.254.0.2
Connection closed by 169.254.0.2

I think I didn't understand correctly the way to generate and transmit the keys on both sides. Do you know of a tutorial for such things?

best,
--
yvon

From christoph.gysin at gmail.com Tue Jul 22 18:09:34 2008
From: christoph.gysin at gmail.com (christoph.gysin at gmail.com)
Date: Tue, 22 Jul 2008 12:09:34 +0200
Subject: splitting options.h
Message-ID: <20080722100934.GA24880@luzifer.fr33z3.org>

I'm using a custom options.h for my dropbear build. Whenever there is a new release I'd like to build it with my own configuration, so I'd usually just copy the old options.h over and compile again.

Unfortunately there is a lot more than simple configuration directives in options.h... pretty much everything below the line that says:

"You shouldn't edit below here unless you know you need to"

Would it be possible to split this part into a separate header, and include options.h on its first line? Or is there another way of doing this altogether?

Thanks,
Chris

From Daniel.Huebner at renesas.com Tue Jul 22 23:56:58 2008
From: Daniel.Huebner at renesas.com (Daniel Huebner)
Date: Tue, 22 Jul 2008 17:56:58 +0200
Subject: Crosscompiling for Renesas SuperH SH2
Message-ID: <7EE664A76A9B66448BA0C7FE2EA7EC75041E1E42@rte-mun-ex1.RTE.ADWIN.RENESAS.COM>

Hello,

is it possible to cross-compile for a uClinux on a Renesas SuperH SH2 platform? Especially SH7203? What configure parameters do I have to set?

Rgds
Daniel

From brandtc at psi5.com Wed Jul 23 23:12:13 2008
From: brandtc at psi5.com (Christian Brandt)
Date: Wed, 23 Jul 2008 17:12:13 +0200
Subject: X11 forwarding
Message-ID: <48874A4D.5010209@psi5.com>

Instead of confusing everyone with x-server vs. dropbear-client I'll explain what I am actually aiming for:

I run a rather embedded simpad with local X display and a dropbear client on which I want to display a remote application running on a full blown ubuntu server tunneled through ssh.

Now if I had ssh instead of dropbear on the simpad I could run xterm by entering on the simpad: ssh -X server xterm - ssh gets a command line, sets up a tunnel and sets $DISPLAY on the ubuntu machine in a sane way. But dropbear doesn't...

Dropbear seems to miss the "-X" option and offers nothing in exchange:

brandtc at sword:/tmp/dropbear-0.51$ grep X11 options.h
/* Enable X11 Forwarding - server only */
#define ENABLE_X11FWD
/* The command to invoke for xauth when using X11 forwarding.
#define XAUTH_COMMAND "/usr/X11R6/bin/xauth -q"
#ifndef ENABLE_X11FWD
#define DISABLE_X11FWD
defined(ENABLE_AGENTFWD) || defined(ENABLE_X11FWD)

So I could use X without tunneling like this:

simpad:~$ xhost +
simpad:~$ ssh -i ~/.ssh/id_rsa.db server
server:~$ export DISPLAY=simpad:0.0
server:~$ firefox &

ugly and insecure... alternatively I could write an incredibly complex script which sources the simpad xauth-key, adds it to the server-xauth-keys and builds its own tunnel for X11... oh the horror... I haven't done that for nearly 15 years...

Any ideas?

Christian Brandt

From strange at nsk.no-ip.org Wed Jul 23 23:21:57 2008
From: strange at nsk.no-ip.org (Luciano Rocha)
Date: Wed, 23 Jul 2008 16:21:57 +0100
Subject: X11 forwarding
In-Reply-To: <48874A4D.5010209@psi5.com>
References: <48874A4D.5010209@psi5.com>
Message-ID: <20080723152157.GF18930@bit.office.eurotux.com>

On Wed, Jul 23, 2008 at 05:12:13PM +0200, Christian Brandt wrote:
> Instead of confusing everyone with x-server vs. dropbear-client I'll explain
> what I am actually aiming for:
>
> I run a rather embedded simpad with local X display and a dropbear client on
> which I want to diplay a remote application running on a full blown ubuntu
> server tunneled through ssh.
>
> Now if I had ssh instead of dropbear on the simpad I could run xterm by
> entering on the simpad: ssh -X server xterm - ssh gets a command line, sets
> up a tunnel and sets $DISPLAY on the ubuntu machine in a sane way. But
> dropbear doesn't...
>
> Dropbear seems to miss the "-X" option and offers nothing in exchange:
>
> brandtc at sword:/tmp/dropbear-0.51$ grep X11 options.h
> /* Enable X11 Forwarding - server only */
> #define ENABLE_X11FWD
> /* The command to invoke for xauth when using X11 forwarding.
> #define XAUTH_COMMAND "/usr/X11R6/bin/xauth -q"
> #ifndef ENABLE_X11FWD
> #define DISABLE_X11FWD
> defined(ENABLE_AGENTFWD) || defined(ENABLE_X11FWD)
>
> So could use X without tunneling like this:
> simpad:~$ xhost +
> simpad:~$ ssh -i ~/.ssh/id_rsa.db server
> server:~$ export DISPLAY=simpad:0.0
> server:~$ firefox &
>
> ugly and insecure...

Well, if you have tcp connections enabled, then just copy the auth cookie, instead of leaving it open. Like this:

xauth list :0 | (read host type data; ssh server xauth add $(hostname):0 $type $data)

You could even forward tcp connections, and just allow locally from localhost:

xauth list :0 | (read host type data; ssh server -R 6010:localhost:6000 xauth add localhost:10 $type $data \; xterm)

(exports and runs xterm)

--
lfr
0/0
From mmacia at gmail.com Fri Aug 8 03:49:50 2008
From: mmacia at gmail.com (Moises Macia)
Date: Thu, 7 Aug 2008 19:49:50 +0000 (UTC)
Subject: Error resolving
Message-ID:

Hi all,

I'm trying to compile and run dropbear under an ARM processor. I can build the executable but when I run it, it always returns an error:

./dbclient: exited: Error resolving: Temporary failure in name resolution

in my development environment (scratchbox) and a segfault on the end machine.

If I compile dropbear on a standard i386 machine, it works fine...

Seems that I'm making a silly mistake, but I can't figure out what it is.

From rob at landley.net Fri Aug 8 07:19:05 2008
From: rob at landley.net (Rob Landley)
Date: Thu, 7 Aug 2008 18:19:05 -0500
Subject: Why --disable-zlib by hand?
Message-ID: <200808071819.06020.rob@landley.net>

./configure has a --disable-zlib flag, but if I just run ./configure on a system that doesn't have zlib installed it notices and then dies.

Why does it do this? Apparently it _can_ run without it. It noticed it's not there. But instead of switching off support for it, the build breaks. (Without even suggesting "try --disable-zlib", which seems unnecessary since the point of ./configure is to probe for exactly that sort of thing...?)

I'm confused.

Rob
--
"One of my most productive days was throwing away 1000 lines of code." - Ken Thompson.

From rob at landley.net Fri Aug 8 09:05:08 2008
From: rob at landley.net (Rob Landley)
Date: Thu, 7 Aug 2008 20:05:08 -0500
Subject: Build break on armv5l+uClibc+linux 2.6.25.
Message-ID: <200808072005.08357.rob@landley.net>

It did this:

> gcc -I. -I. -I./libtomcrypt/src/headers/ -Os -W -Wall -DDROPBEAR_SERVER -DDROPBEAR_CLIENT -c -o dbutil.o dbutil.c
> In file included from includes.h:127,
>                  from dbutil.c:51:
> fake-rfc2553.h:52:1: warning: "_SS_PADSIZE" redefined
> In file included from /tools/bin/../include/sys/socket.h:35,
>                  from includes.h:36,
>                  from dbutil.c:51:
> /tools/bin/../include/bits/socket.h:160:1: warning: this is the location of the previous definition
> In file included from includes.h:128,
>                  from dbutil.c:52:
> fake-rfc2553.h:53: error: redefinition of 'struct sockaddr_storage'
> fake-rfc2553.h:67: error: redefinition of 'struct in6_addr'
> fake-rfc2553.h:68: error: expected ':', ',', ';', '}' or '__attribute__' before '.' token
> fake-rfc2553.h:73: error: redefinition of 'struct sockaddr_in6'
> fake-rfc2553.h:124: error: redefinition of 'struct addrinfo'
> dbutil.c: In function 'set_sock_priority':
> dbutil.c:162: error: 'TCP_NODELAY' undeclared (first use in this function)
> dbutil.c:162: error: (Each undeclared identifier is reported only once
> dbutil.c:162: error: for each function it appears in.)

And so on. This is a native armv5l build (under qemu), the root filesystem has gcc 4.1.2, uClibc 0.9.29, and 2.6.25.10 kernel headers. (I can even walk you through reproducing it if you have qemu 0.9.1 and are willing to download a 20 meg system image tarball.)

Is this problem sounding familiar to anyone? (I might get a chance to debug it this evening...)

Rob
--
"One of my most productive days was throwing away 1000 lines of code." - Ken Thompson.

From cristian.ionescu-idbohrn at axis.com Tue Aug 19 01:25:19 2008
From: cristian.ionescu-idbohrn at axis.com (Cristian Ionescu-Idbohrn)
Date: Mon, 18 Aug 2008 19:25:19 +0200 (CEST)
Subject: link error
Message-ID: <0808181855310.11780@somehost>

I think I just hit a build corner case :(

What I'm trying to do is to build _without_ editing options.h. I use a wrapper Makefile instead, which does this:

# Attempt to fix config options here, instead of editing $(NAME)/options.h
CFLAGS += -UENABLE_X11FWD	# both needed, else irritating warning
CFLAGS += -DDISABLE_X11FWD	# about not finding XAUTH_COMMAND
CFLAGS += -UDROPBEAR_TWOFISH256_CBC -UDROPBEAR_TWOFISH128_CBC
CFLAGS += -UDO_HOST_LOOKUP -UDO_MOTD

	CC="$(CC)" CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" \
	./configure $(HOST) \
	--prefix=$(prefix)/$(PREF_X) \
	--disable-zlib \
	--disable-shadow \
	--disable-lastlog \
	--disable-pututline --disable-pututxline \
	--disable-utmpx --disable-wtmpx

Now, this seems to work out ok with some oldish glibc version, but linking fails with uclibc 0.9.29.

,----
| loginrec.o: In function `utmp_write_direct':
| itimerspec/loginrec.c:707: undefined reference to `ttyslot'
| collect2: ld returned 1 exit status
| make[1]: *** [multibinary] Error 1
`----

To work around this problem I'd use:

--disable-utmp

Still, it would be nice if I could avoid that.

Thoughts?

Cheers,
--
Cristian

From yvon.thoraval at gmail.com Sun Aug 31 16:54:59 2008
From: yvon.thoraval at gmail.com (Yvon Thoraval)
Date: Sun, 31 Aug 2008 10:54:59 +0200
Subject: dropbear scp and double escaping when spaces in path
Message-ID:

Hey all,

I've got remote file names including spaces, like:

/mnt/fat/iTunes/Blues/03_07 Why My Baby.mp3

Then, I've tried to doubly escape like that:

$ scp -P 2222 root at 169.254.0.2:"/mnt/fat/iTunes/Blues/03_07\ Why\ My\ Baby.mp3" .

and got:

scp: /mnt/fat/iTunes/Blues/03_07\: No such file or directory
scp: Why\: No such file or directory
scp: My\: No such file or directory
scp: Baby.mp3: No such file or directory

I got the same too using:

$ scp -P 2222 root at 169.254.0.2:'/mnt/fat/iTunes/Blues/03_07\ Why\ My\ Baby.mp3' .

What sounds strange to me is that the escape character "\" is taken as the right char and not the following space... If I escape the "\" char, no diff...

It seems that it's due to dropbear and not to busybox because, for example, when logged in using dropbearmulti ssh, I can do:

$ ls -al "/mnt/fat/iTunes/Blues/03_07\ Why\ My\ Baby.mp3"

Here the "\ " is correctly understood.

My local ssh is OpenSSH over MacOS X 10.4.11.

best,
--
yvon

From mingching.tiew at redtone.com Wed Sep 3 14:25:59 2008
From: mingching.tiew at redtone.com (Ming-Ching Tiew)
Date: Wed, 3 Sep 2008 14:25:59 +0800
Subject: inactivity timeout or disconnect
Message-ID: <006901c90d8d$ee7366e0$8119fea9@MingChing>

I am using dropbear as sshd server and dbclient as ssh client and I do reverse port forward between the client and the server (ie it does not start a shell). That has been working.

And I want to have an activity disconnect after a certain period of inactivity from the client. How can I do it?

Regards.

From mingching.tiew at redtone.com Wed Sep 3 16:06:15 2008
From: mingching.tiew at redtone.com (Ming-Ching Tiew)
Date: Wed, 3 Sep 2008 16:06:15 +0800
Subject: inactivity timeout or disconnect
References: <006901c90d8d$ee7366e0$8119fea9@MingChing>
Message-ID: <008701c90d9b$f0e19f60$8119fea9@MingChing>

Ming-Ching Tiew wrote:
> I am using dropbear as sshd server and dbclient as ssh client
> and I do reverse port forward between the client and the server
> ( ie it does not start shell ). That has been working.
>
> And I want to have an activitity disconnect after certain
> period of inactivity from the client. How can I do it ?
>

I did some searching, and I have come to the conclusion that dropbear could not do it, and the openssh daemon could not do it too! I am surprised!

Does anyone have a workaround?

From cristian.ionescu-idbohrn at axis.com Wed Sep 3 16:33:15 2008
From: cristian.ionescu-idbohrn at axis.com (Cristian Ionescu-Idbohrn)
Date: Wed, 3 Sep 2008 10:33:15 +0200 (CEST)
Subject: inactivity timeout or disconnect
In-Reply-To: <008701c90d9b$f0e19f60$8119fea9@MingChing>
References: <006901c90d8d$ee7366e0$8119fea9@MingChing> <008701c90d9b$f0e19f60$8119fea9@MingChing>
Message-ID: <0809031029190.30594@somehost>

On Wed, 3 Sep 2008, Ming-Ching Tiew wrote:
> Ming-Ching Tiew wrote:
> > I am using dropbear as sshd server and dbclient as ssh client
> > and I do reverse port forward between the client and the server
> > ( ie it does not start shell ). That has been working.
> >
> > And I want to have an activitity disconnect after certain
> > period of inactivity from the client. How can I do it ?
> >
>
> I did some search, and I have come to conclusion that
> dropbear could not do it, and openssh daemon could
> not do it too ! I am surprised !
>
> Anyone as a workaround ?

Take a look at the ssh_config man page and look for the caseless 'alive' string.

ServerAliveCountMax
ServerAliveInterval
TCPKeepAlive

Cheers,
--
Cristian

From mingching.tiew at redtone.com Wed Sep 3 16:47:45 2008
From: mingching.tiew at redtone.com (Ming-Ching Tiew)
Date: Wed, 3 Sep 2008 16:47:45 +0800
Subject: inactivity timeout or disconnect
References: <006901c90d8d$ee7366e0$8119fea9@MingChing> <008701c90d9b$f0e19f60$8119fea9@MingChing> <0809031029190.30594@somehost>
Message-ID: <00a101c90da1$bd214620$8119fea9@MingChing>

Cristian Ionescu-Idbohrn wrote:
> On Wed, 3 Sep 2008, Ming-Ching Tiew wrote:
>
>> Ming-Ching Tiew wrote:
>>> I am using dropbear as sshd server and dbclient as ssh client
>>> and I do reverse port forward between the client and the server
>>> ( ie it does not start shell ). That has been working.
>>>
>>> And I want to have an activitity disconnect after certain
>>> period of inactivity from the client. How can I do it ?
>>>
>>
>> I did some search, and I have come to conclusion that
>> dropbear could not do it, and openssh daemon could
>> not do it too ! I am surprised !
>>
>> Anyone as a workaround ?
>
> Take a look at the ssh_config man page and look for caseless 'alive'
> string.
>
> ServerAliveCountMax
> ServerAliveInterval
> TCPKeepAlive
>

They aren't the same thing as "inactivity timeout" or "idle timeout". Those parameters serve these purposes:

1. Keep connection alive for the purpose of firewalling.
2. Disconnect if there is a stale connection due to network failure.

And so on. That's more or less the same as dropbear's -K (keepalive) option.

But on a perfect network, the keepalive will continue to allow the session to be maintained even though there is no user-level activity, and so it will not disconnect the session.

Based on the document I read, ssh1 does have an "IdleTimeOut" parameter but unfortunately, when openssh was written, there was no more such implementation.

Regards.

From jose.otero.nj at gmail.com Thu Sep 4 09:06:47 2008
From: jose.otero.nj at gmail.com (jose otero)
Date: Wed, 3 Sep 2008 21:06:47 -0400
Subject: inactivity timeout or disconnect
In-Reply-To: <008701c90d9b$f0e19f60$8119fea9@MingChing>
References: <006901c90d8d$ee7366e0$8119fea9@MingChing> <008701c90d9b$f0e19f60$8119fea9@MingChing>
Message-ID: <5021a2950809031806s5251c0b0hd29be49195d53044@mail.gmail.com>

I ran into the same problem (with respect to keyboard activity). You can create a timer that fires when your inactivity criteria is met. You can restart your timer when a carriage return is entered or if a single character is typed. When the timer function executes make sure you clean up the appropriate resources (file descriptors, memory, etc). Hope this helps.

On 9/3/08, Ming-Ching Tiew wrote:
>
> Ming-Ching Tiew wrote:
> > I am using dropbear as sshd server and dbclient as ssh client
> > and I do reverse port forward between the client and the server
> > ( ie it does not start shell ). That has been working.
> >
> > And I want to have an activitity disconnect after certain
> > period of inactivity from the client. How can I do it ?
> >
>
> I did some search, and I have come to conclusion that
> dropbear could not do it, and openssh daemon could
> not do it too ! I am surprised !
>
> Anyone as a workaround ?
>

From jose.otero.nj at gmail.com Thu Sep 4 09:26:42 2008
From: jose.otero.nj at gmail.com (Jose Otero)
Date: Wed, 3 Sep 2008 21:26:42 -0400
Subject: inactivity timeout or disconnect
Message-ID: <48bf3949.1335640a.4839.6284@mx.google.com>

I ran into the same problem. What I did was simply to create a timer that fires based on your inactivity timeout (user keyboard inactivity). The activity can be on a character or carriage return basis. If your criteria is met, restart the timer. When the timer fires, disconnect the session using the appropriate API.

-----Original Message-----
From: "Ming-Ching Tiew"
To: dropbear at ucc.asn.au
Sent: 9/3/08 4:47 AM
Subject: Re: inactivity timeout or disconnect

Cristian Ionescu-Idbohrn wrote:
> On Wed, 3 Sep 2008, Ming-Ching Tiew wrote:
>
>> Ming-Ching Tiew wrote:
>>> I am using dropbear as sshd server and dbclient as ssh client
>>> and I do reverse port forward between the client and the server
>>> ( ie it does not start shell ). That has been working.
>>>
>>> And I want to have an activitity disconnect after certain
>>> period of inactivity from the client. How can I do it ?
>>>
>>
>> I did some search, and I have come to conclusion that
>> dropbear could not do it, and openssh daemon could
>> not do it too ! I am surprised !
>>
>> Anyone as a workaround ?
>
> Take a look at the ssh_config man page and look for caseless 'alive'
> string.
>
> ServerAliveCountMax
> ServerAliveInterval
> TCPKeepAlive
>

They aren't the same thing as "inactivity timeout" or "idle timeout". Those parameters serves these purposes :-

1. Keep connection alive for the purpose of firewalling.
2. Disconnect if there is a stale connection due to network failure.

And so on. That's more or less the same as dropbear's -K ( keepalive ) option.

But on a perfect network, the keepalive will continue to allow session to be maintained even though there is no user-level activity and so it will not disconnect the session.

Base on the document I read, ssh1 does have a "IdleTimeOut" parameter but unfortunately, when openssh is written, there is no more such implementation.

Regards.

From mingching.tiew at redtone.com Thu Sep 4 09:39:12 2008
From: mingching.tiew at redtone.com (Ming-Ching Tiew)
Date: Thu, 4 Sep 2008 09:39:12 +0800
Subject: inactivity timeout or disconnect
References: <006901c90d8d$ee7366e0$8119fea9@MingChing> <008701c90d9b$f0e19f60$8119fea9@MingChing> <5021a2950809031806s5251c0b0hd29be49195d53044@mail.gmail.com>
Message-ID: <002301c90e2f$08db6ea0$8119fea9@MingChing>

jose otero wrote:
> I ran into the same problem (with respect to keyboard activity). You
> can create a timer that fires when your inactivity criteria is met.
> You can restart your timer when a carriage return is entered or if a
> single character is typed. When the timer function executes make sure
> you clean-up the appropriate resources (file descriptors, memory,
> etc). Hope this helps.
>

I think most of you failed to read that this is not an interactive remote signon, this is just a reverse port forward executed in batch mode and it does not execute any shell on the server.

Anyway I have got some progress by patching the dropbear source code, it does not seem to be that difficult a change. I am testing if it has any undesirable side effects.

Thank you for your suggestion.

Regards.

From yvon.thoraval at gmail.com Sun Sep 7 01:44:42 2008
From: yvon.thoraval at gmail.com (Yvon Thoraval)
Date: Sat, 6 Sep 2008 19:44:42 +0200
Subject: dropbear and spaces within path
Message-ID:

Hey Matt,

I'm new to ssh/dropbear and I'm unable to figure out how to download from my smartphone a file having spaces in its path.

I've tried (double escaping):

$ scp -P 2222 root at 169.254.0.2:"/mnt/fat/iTunes/Blues/03_07\ Why\ My\ Baby.mp3" .

getting:

scp: /mnt/fat/iTunes/Blues/03_07\: No such file or directory
scp: Why\: No such file or directory
scp: My\: No such file or directory
scp: Baby.mp3: No such file or directory

and also:

$ scp -P 2222 root at 169.254.0.2:'/mnt/fat/iTunes/Blues/03_07\ Why\ My\ Baby.mp3' .

raises the same error. If I also escape "\", same problem.

Why???

best
--
yvon

From rob at landley.net Mon Sep 8 17:06:26 2008
From: rob at landley.net (Rob Landley)
Date: Mon, 8 Sep 2008 04:06:26 -0500
Subject: inactivity timeout or disconnect
In-Reply-To: <002301c90e2f$08db6ea0$8119fea9@MingChing>
References: <006901c90d8d$ee7366e0$8119fea9@MingChing> <5021a2950809031806s5251c0b0hd29be49195d53044@mail.gmail.com> <002301c90e2f$08db6ea0$8119fea9@MingChing>
Message-ID: <200809080406.27111.rob@landley.net>

On Wednesday 03 September 2008 20:39:12 Ming-Ching Tiew wrote:
> jose otero wrote:
> > I ran into the same problem (with respect to keyboard activity). You
> > can create a timer that fires when your inactivity criteria is met.
> > You can restart your timer when a carriage return is entered or if a
> > single character is typed. When the timer function executes make sure
> > you clean-up the appropriate resources (file descriptors, memory,
> > etc). Hope this helps.
>
> I think most of you failed to read that this is not an interactive remote
> signon, this is just a reverse port forward executed in batchmode and
> it does not execute any shell on the server.
>
> Anyway I have got some progress by patching the dropbear source code,
> it does not seem to be that difficult a change. I am testing if it has any
> undesirable side effects.

Actually what I'd do is make a "timeout" command that works like cat except it drops the connection after a certain amount of activity (close stdin, close stdout, exit program), then insert it in the pipeline. No real need to modify ssh for this.

Rob

From mingching.tiew at redtone.com Mon Sep 8 17:26:10 2008
From: mingching.tiew at redtone.com (Ming-Ching Tiew)
Date: Mon, 8 Sep 2008 17:26:10 +0800
Subject: inactivity timeout or disconnect
References: <006901c90d8d$ee7366e0$8119fea9@MingChing> <5021a2950809031806s5251c0b0hd29be49195d53044@mail.gmail.com> <002301c90e2f$08db6ea0$8119fea9@MingChing> <200809080406.27111.rob@landley.net>
Message-ID: <008f01c91194$f10bbc80$8119fea9@MingChing>

Rob Landley wrote:
>
> Actually what I'd do is make a "timeout" command that works like cat
> except it drops the connection after a certain amount of activity
> (close stdin, close stdout, exit program), then insert it in the
> pipeline. No real need to modify ssh for this.
>

I am not too clear about this, perhaps you can enlighten me.

Assuming that my dbclient command is this:

dbclient -y -N -T -p 2222 \
    -R 1234:localhost:5678 \
    -l root w.x.y.z >/dev/null 2>&1 &

And the server command is this (for example):

dropbear -a -p 2222

So where do I insert the "timeout" program? Do you mean this?

dbclient -y -p 2222 \
    -R 1234:localhost:5678 \
    -l root w.x.y.z 'timeout' &

But will the 'timeout' get to intercept the traffic or activity on forwarding ports?

Regards

From matt at ucc.asn.au Mon Sep 8 21:53:58 2008
From: matt at ucc.asn.au (Matt Johnston)
Date: Mon, 8 Sep 2008 21:53:58 +0800
Subject: inactivity timeout or disconnect
In-Reply-To: <002301c90e2f$08db6ea0$8119fea9@MingChing>
References: <006901c90d8d$ee7366e0$8119fea9@MingChing> <008701c90d9b$f0e19f60$8119fea9@MingChing> <5021a2950809031806s5251c0b0hd29be49195d53044@mail.gmail.com> <002301c90e2f$08db6ea0$8119fea9@MingChing>
Message-ID: <20080908135358.GB4444@ucc.gu.uwa.edu.au>

On Thu, Sep 04, 2008 at 09:39:12AM +0800, Ming-Ching Tiew wrote:
> I think most of you failed to read that this is not an interactive remote
> signon, this is just a reverse port forward executed in batchmode and
> it does not execute any shell on the server.
>
> Anyway I have got some progress by patching the dropbear source code,
> it does not seem to be that difficult a change. I am testing if it has any
> undesirable side effects.

Yes, I think that the only way to accomplish this is to modify Dropbear itself (or perhaps make use of some clever iptables rules?). There is already the keepalive timeout, triggering something similar for any packet other than SSH_MSG_IGNORE or SSH_MSG_DEBUG would probably work? If you think the patch would be worth merging send it and I'll take a look.

On a somewhat related note, apologies for my lack of activity on the list lately - I'll try and get back to some of the mails and patches that have been sent over the past months.

Cheers,
Matt

From fja0568 at gmail.com Tue Sep 9 00:01:42 2008
From: fja0568 at gmail.com (Farrell Aultman) Date: Mon, 8 Sep 2008 12:01:42 -0400 Subject: inactivity timeout or disconnect In-Reply-To: <20080908135358.GB4444@ucc.gu.uwa.edu.au> References: <006901c90d8d$ee7366e0$8119fea9@MingChing> <008701c90d9b$f0e19f60$8119fea9@MingChing> <5021a2950809031806s5251c0b0hd29be49195d53044@mail.gmail.com> <002301c90e2f$08db6ea0$8119fea9@MingChing> <20080908135358.GB4444@ucc.gu.uwa.edu.au> Message-ID: <3ba466150809080901x5faa6d43n4dda1257719b6608@mail.gmail.com> I actually need to do this also. Here is what I am planning: One way to do it would be to add another command line option for the idle timeout. Another timeout (based on command line) could be added to the select(). This "case" would check to see if there has been any activity, and if not, close down the channel (or this dropbear process?). If there was activity before the "case" was selected, set a flag to indicate no activity. When there is activity on a channel, set the flag to indicate such (perhaps ignoring SSH_MSG_IGNORE or SSH_MSG_DEBUG). (Note, this implementation would actually check for 2x the inactivity specified). What was done for -K is very similar to what needs to be done here. Farrell On Mon, Sep 8, 2008 at 9:53 AM, Matt Johnston wrote: > On Thu, Sep 04, 2008 at 09:39:12AM +0800, Ming-Ching Tiew wrote: >> I think most of you failed to read that this is not an interactive remote >> signon, this is just a reverse port forward executed in batchmode and >> it does not execute any shell on the server. >> >> Anyway I have got some progress by patching the dropbear source code, >> it does not seem to be that difficult a change. I am testing if it has any >> undesirable side effects. > Yes, I think that the only way to accomplish this is to > modify Dropbear itself (or perhaps make use of some clever > iptables rules?). 
There is already the keepalive timeout, > triggering something similar for any packet other than > SSH_MSG_IGNORE or SSH_MSG_DEBUG would probably work? If you > think the patch would be worth merging send it and I'll take > a look. > > On a somewhat related note, apologies for my lack of > activity on the list lately - I'll try and get back to some > of the mails and patches that have been sent over the past > months. > > Cheers, > Matt > > From fja0568 at gmail.com Tue Sep 9 00:15:23 2008 
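The select()-based idle timeout sketched in the message above, as an added example that is not code from the thread or from Dropbear; idle_state, note_received, idle_remaining, select_timeout_secs, run_until_idle and demo are names invented here, and the packet stream fed to demo() is constructed.

```c
/* Added example, not Dropbear code: the select()-based idle timeout
 * sketched above, reduced to its bookkeeping. It shows that (1)
 * SSH_MSG_IGNORE / SSH_MSG_DEBUG must not count as activity, or a
 * keepalive keeps the session alive for ever, and (2) deriving the
 * select() timeout from the deadline avoids the "2x the inactivity"
 * slop noted above. All names here are invented for the example. */
#include <stdio.h>
#include <time.h>
#include <unistd.h>
#include <sys/select.h>

#define SSH_MSG_IGNORE       2   /* RFC 4253 message numbers */
#define SSH_MSG_DEBUG        4
#define SSH_MSG_CHANNEL_DATA 94  /* RFC 4254 */

struct idle_state {
    time_t last_activity; /* time of the last packet that counted */
    time_t idle_secs;     /* 0 disables the idle timeout */
};

/* Constructed states: last real packet at t=100, 30 s limit / disabled. */
struct idle_state example_state = { 100, 30 };
struct idle_state no_timeout_state = { 100, 0 };

/* Record a received packet. Returns 1 if it counted as activity, 0 for
 * keepalive-type packets, which leave the clock untouched. */
int note_received(struct idle_state *st, int msg_type, time_t now)
{
    if (msg_type == SSH_MSG_IGNORE || msg_type == SSH_MSG_DEBUG)
        return 0;
    st->last_activity = now;
    return 1;
}

/* Seconds to the idle deadline: 0 once passed, -1 if no timeout set. */
long idle_remaining(const struct idle_state *st, time_t now)
{
    time_t deadline;
    if (st->idle_secs <= 0)
        return -1;
    deadline = st->last_activity + st->idle_secs;
    return now >= deadline ? 0 : (long)(deadline - now);
}

/* select() timeout: the smaller of the caller's existing timeout and
 * the time left to the deadline, so the loop wakes when it is due. */
long select_timeout_secs(const struct idle_state *st, time_t now, long other)
{
    long rem = idle_remaining(st, now);
    if (rem < 0) return other;
    return rem < other ? rem : other;
}

/* Demo loop: each byte read from fd is a packet whose value is its type.
 * Runs until the deadline passes or EOF; returns the activity count. */
int run_until_idle(int fd, struct idle_state *st)
{
    int counted = 0;
    for (;;) {
        time_t now = time(NULL);
        struct timeval tv;
        fd_set rfds;
        unsigned char type;
        int r;
        if (idle_remaining(st, now) == 0)
            return counted;  /* Dropbear would dropbear_close() here */
        tv.tv_sec = select_timeout_secs(st, now, 3600); tv.tv_usec = 0;
        FD_ZERO(&rfds);
        FD_SET(fd, &rfds);
        r = select(fd + 1, &rfds, NULL, NULL, &tv);
        if (r < 0) return -1;
        if (r == 0) continue;  /* woke at the deadline; loop re-checks it */
        if (read(fd, &type, 1) != 1)
            return counted;    /* EOF: peer closed */
        counted += note_received(st, type, time(NULL));
    }
}

/* Constructed input: one data packet, then keepalives only, under a
 * 2-second idle limit; the loop ends ~2 s after the data packet. */
int demo(void)
{
    int p[2], n;
    struct idle_state st;
    unsigned char pkts[] = { SSH_MSG_CHANNEL_DATA, SSH_MSG_IGNORE, SSH_MSG_DEBUG };
    if (pipe(p) != 0 || write(p[1], pkts, sizeof pkts) != (ssize_t)sizeof pkts)
        return -1;
    st.last_activity = time(NULL);
    st.idle_secs = 2;
    n = run_until_idle(p[0], &st);
    close(p[0]); close(p[1]);
    return n;
}

int main(void)
{
    printf("packets that counted as activity: %d\n", demo());
    return 0;
}
```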
From: fja0568 at gmail.com (Farrell Aultman) Date: Mon, 8 Sep 2008 12:15:23 -0400 Subject: problem with port forwarding in 0.51 on uClinux Message-ID: <3ba466150809080915s5c8d3aa1ve353ff5a824d95a8@mail.gmail.com> Here is the script that I am using to launch dbclient: #!/bin/sh HOME=/root dbclient -i /etc/ssh/tim_dss_private_key -T \ -L 2799:192.168.54.2:2799 \ -L 22335:192.168.54.2:22335 \ tunnel at 192.168.54.4 This worked perfectly well in 0.47, but not with 0.51. In order to get it to work, I had to rollback check_close() located in common-channel.c in 0.51 to the 0.47 version. A side effect of this was that a memory leak was introduced that I couldn't track down. I ended up rolling back common-channel.c and channel.h to their 0.47 versions, and modifying them to account for the new command line that was added to adjust recwindow size. The last part of the log when turning on verbose debug was: TRACE: enter session_init TRACE: setnonblocking: 7 TRACE: enter session_cleanup TRACE: leave session_cleanup: !sessinitdone dbclient: exited: Couldn't set nonblocking BINFMT_FLAT: Loading file: /usr/bin/spawn_ssh TRACE: enter buf_get_priv_key TRACE: enter rsa_key_free TRACE: leave rsa_key_free: key == NULL TRACE: enter buf_get_rsa_priv_key TRACE: enter buf_get_rsa_pub_key TRACE: leave buf_get_rsa_pub_key: success TRACE: leave buf_get_rsa_priv_key TRACE: leave buf_get_priv_key TRACE: nextislocal true TRACE: enter addforward TRACE: leave addforward: done TRACE: nextislocal true TRACE: enter addforward TRACE: leave addforward: done TRACE: non-flag arg: 'tunnel at 192.168.54.4' TRACE: user='tunnel' host='192.168.54.4' port='22' TRACE: enter connect_remote TRACE: leave connect_remote: sock 6 TRACE: enter session_init TRACE: setnonblocking: 7 TRACE: enter session_cleanup TRACE: leave session_cleanup: !sessinitdone dbclient: exited: Couldn't set nonblocking Farrell From krafte at rockall.de Thu Sep 11 17:50:39 2008 
From: krafte at rockall.de (Krafte) Date: Thu, 11 Sep 2008 11:50:39 +0200 Subject: port forward bind address Message-ID: <48C8E9EF.2000607@rockall.de> Hi, is there a way to get dropbear tcp forwarding over the ip it is bound (-p) to? From matt at ucc.asn.au Thu Sep 11 17:55:50 2008 From: matt at ucc.asn.au (Matt Johnston) Date: Thu, 11 Sep 2008 17:55:50 +0800 Subject: port forward bind address In-Reply-To: <48C8E9EF.2000607@rockall.de> References: <48C8E9EF.2000607@rockall.de> Message-ID: <5f9037f4693ab97e5486276fcdf7e855@mooneye.ucc.gu.uwa.edu.au> If you want it to listen on all IPs (including the bound one), will "dropbear -a" do what you want? Cheers, Matt On Thu, 11 Sep 2008 11:50:39 +0200, Krafte wrote: > Hi, > > is there a way to get dropbear tcp forwarding over the ip it is bound (-p) > to? From krafte at rockall.de Thu Sep 11 18:19:25 2008 From: krafte at rockall.de (Krafte) Date: Thu, 11 Sep 2008 12:19:25 +0200 Subject: port forward bind address In-Reply-To: <5f9037f4693ab97e5486276fcdf7e855@mooneye.ucc.gu.uwa.edu.au> References: <48C8E9EF.2000607@rockall.de> <5f9037f4693ab97e5486276fcdf7e855@mooneye.ucc.gu.uwa.edu.au> Message-ID: <48C8F0AD.1090104@rockall.de> Matt Johnston wrote: > If you want it to listen on all IPs (including the bound one), will > "dropbear -a" do what you want? > > Cheers, > Matt > > On Thu, 11 Sep 2008 11:50:39 +0200, Krafte wrote: >> Hi, >> >> is there a way to get dropbear tcp forwarding over the ip it is bound (-p) >> to? > An example: The server has two ips 10.10.10.1 and 10.10.10.2 On the server I run: dropbear -p 10.10.10.2:22 On the client I do: ssh -D 4040 user at 10.10.10.2 I have estimated that the traffic would be routed through 10.10.10.2 but it's routed through 10.10.10.1??? thanks for help From Sajin.Valoth at Emerson.com Fri Sep 12 23:32:01 2008 
From: Sajin.Valoth at Emerson.com (Sajin.Valoth at Emerson.com) Date: Fri, 12 Sep 2008 10:32:01 -0500 Subject: PuTTY compatibility: Does gen_rsa_priv_key still need to regenerate primes until modulus is a multiple-of-8-bits long ? Message-ID: <90205E1FD7918F43924C32E143310636BCDB24@etsmsg-slexm02.etsmsg.org> Hi all, With dropbear 0.48.1 running on a MIPS Au1550 platform, RSA key generation occasionally takes a very long time (multiple minutes); the problem was traced to the loop shown below in gen_rsa_priv_key() which executes many times, until a value of the modulus, n, is finally computed that is a multiple-of-8-bits long.

    /* PuTTY doesn't like it if the modulus isn't a multiple of 8 bits,
     * so we just generate them until we get one which is OK */
    getrsaprime(key->p, &pminus, key->e, size/2);
    do {
        getrsaprime(key->q, &qminus, key->e, size/2);

        if (mp_mul(key->p, key->q, key->n) != MP_OKAY) {
            fprintf(stderr, "rsa generation failed\n");
            exit(1);
        }
    } while (mp_count_bits(key->n) % 8 != 0);

I've found a post from Matt Johnston back in 2003 that indicates why this loop was added: http://lists.mindrot.org/pipermail/openssh-unix-dev/2003-July/018639.html However, using more recent versions of PuTTY (0.58 and 0.60), I don't see any problems with keys generated by dropbear where the modulus is not a multiple-of-8-bits long. So, my question is: should the loop above be deprecated since it doesn't appear to be necessary any more? Thanks, -- Sajin From matt at ucc.asn.au Sat Sep 13 01:34:55 2008 
From: matt at ucc.asn.au (Matt Johnston) Date: Sat, 13 Sep 2008 01:34:55 +0800 Subject: port forward bind address In-Reply-To: <48C8F0AD.1090104@rockall.de> References: <48C8E9EF.2000607@rockall.de> <5f9037f4693ab97e5486276fcdf7e855@mooneye.ucc.gu.uwa.edu.au> <48C8F0AD.1090104@rockall.de> Message-ID: <20080912173455.GE4444@ucc.gu.uwa.edu.au> On Thu, Sep 11, 2008 at 12:19:25PM +0200, Krafte wrote: > >On Thu, 11 Sep 2008 11:50:39 +0200, Krafte wrote: > >>Hi, > >> > >>is there a way to get dropbear tcp forwarding over the ip it is bound (-p) > >>to? > > > An example: > > The server has two ips 10.10.10.1 and 10.10.10.2 > > On the server I run: dropbear -p 10.10.10.2:22 > > On the client I do: ssh -D 4040 user at 10.10.10.2 > > I have estimated that the traffic would be routed through 10.10.10.2 > but it's routed through 10.10.10.1??? Ah, right. There isn't a way to get Dropbear to do that. Cheers, Matt From matt at ucc.asn.au Sat Sep 13 01:49:35 2008 
From: matt at ucc.asn.au (Matt Johnston) Date: Sat, 13 Sep 2008 01:49:35 +0800 Subject: PuTTY compatibility: Does gen_rsa_priv_key still need to regenerate primes until modulus is a multiple-of-8-bits long ? In-Reply-To: <90205E1FD7918F43924C32E143310636BCDB24@etsmsg-slexm02.etsmsg.org> References: <90205E1FD7918F43924C32E143310636BCDB24@etsmsg-slexm02.etsmsg.org> Message-ID: <20080912174935.GF4444@ucc.gu.uwa.edu.au> On Fri, Sep 12, 2008 at 10:32:01AM -0500, Sajin.Valoth at Emerson.com wrote: > Hi all, > > With dropbear 0.48.1 running on a MIPS Au1550 platform, > RSA key generation occasionally takes a very long time (multiple > minutes); > the problem was traced to the loop shown below in > gen_rsa_priv_key() > which executes many times, until a value of the modulus, n, > is finally computed that is a multiple-of-8-bits long. ... > > However, using more recent versions of PuTTY (0.58 and 0.60), > I don't see any problems > with keys generated by dropbear where the modulus is not a > multiple-of-8-bits long. > > So, my question is: should the loop above be deprecated since > it doesn't appear to be necessary any more? Yes, it looks like this was fixed in PuTTY 0.54 in 2004 [1], so can be removed. Thanks for letting me know. Cheers, Matt [1] http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/rsa-non8mult-verify-fail.html From Sajin.Valoth at Emerson.com Sat Sep 13 02:05:33 2008 From: Sajin.Valoth at Emerson.com (Sajin.Valoth at Emerson.com) Date: Fri, 12 Sep 2008 13:05:33 -0500 Subject: PuTTY compatibility: Does gen_rsa_priv_key still need to regenerate primes until modulus is a multiple-of-8-bits long ? References: <90205E1FD7918F43924C32E143310636BCDB24@etsmsg-slexm02.etsmsg.org> <20080912174935.GF4444@ucc.gu.uwa.edu.au> Message-ID: <90205E1FD7918F43924C32E1433106364EA02B@etsmsg-slexm02.etsmsg.org> Matt, Thanks, that was really quick! Regards, -- Sajin -----Original Message----- 
From: Matt Johnston [mailto:matt at ucc.asn.au] Sent: Fri 9/12/2008 12:49 PM To: Valoth, Sajin [NETPWR/EMBED/MA] Cc: dropbear at ucc.asn.au Subject: Re: PuTTY compatibility: Does gen_rsa_priv_key still need to regenerate primes until modulus is a multiple-of-8-bits long ? On Fri, Sep 12, 2008 at 10:32:01AM -0500, Sajin.Valoth at Emerson.com wrote: > Hi all, > > With dropbear 0.48.1 running on a MIPS Au1550 platform, > RSA key generation occasionally takes a very long time (multiple > minutes); > the problem was traced to the loop shown below in > gen_rsa_priv_key() > which executes many times, until a value of the modulus, n, > is finally computed that is a multiple-of-8-bits long. ... > > However, using more recent versions of PuTTY (0.58 and 0.60), > I don't see any problems > with keys generated by dropbear where the modulus is not a > multiple-of-8-bits long. > > So, my question is: should the loop above be deprecated since > it doesn't appear to be necessary any more? Yes, it looks like this was fixed in PuTTY 0.54 in 2004 [1], so can be removed. Thanks for letting me know. Cheers, Matt [1] http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/rsa-non8mult-verify-fail.html From fja0568 at gmail.com Sat Sep 20 05:45:34 2008 
From: fja0568 at gmail.com (Farrell Aultman) Date: Fri, 19 Sep 2008 17:45:34 -0400 Subject: [PATCH] dropbear-051: idle_timeout command line option Message-ID: <3ba466150809191445haf70e50nf5bf0a47e940024b@mail.gmail.com> This adds a command line option for specifying an idle_timeout. The command line is: -I . If dropbear doesn't receive any data packets within , the dropbear process associated with that session will exit. diff -up ../../dropbear-vanilla/dropbear-0.51/cli-runopts.c ../../dropbear-idle_timeout/dropbear-0.51/cli-runopts.c --- ../../dropbear-vanilla/dropbear-0.51/cli-runopts.c 2008-03-27 09:17:14.000000000 -0400 +++ ../../dropbear-idle_timeout/dropbear-0.51/cli-runopts.c 2008-09-19 13:52:58.000000000 -0400 @@ -65,11 +65,12 @@ static void printhelp() { #endif "-W (default %d, larger may be faster, max 1MB)\n" "-K (0 is never, default %d)\n" + "-I (0 is never, default %d)\n" #ifdef DEBUG_TRACE "-v verbose\n" #endif ,DROPBEAR_VERSION, cli_opts.progname, - DEFAULT_RECV_WINDOW, DEFAULT_KEEPALIVE); + DEFAULT_RECV_WINDOW, DEFAULT_KEEPALIVE, DEFAULT_IDLE_TIMEOUT); } @@ -91,6 +92,7 @@ void cli_getopts(int argc, char ** argv) char* recv_window_arg = NULL; char* keepalive_arg = NULL; + char* idle_timeout_arg = NULL; /* see printhelp() for options */ cli_opts.progname = argv[0]; @@ -215,6 +217,9 @@ void cli_getopts(int argc, char ** argv) case 'K': next = &keepalive_arg; break; + case 'I': + next = &idle_timeout_arg; + break; #ifdef DEBUG_TRACE case 'v': debug_trace = 1; 
@@ -322,7 +327,12 @@ void cli_getopts(int argc, char ** argv) dropbear_exit("Bad keepalive '%s'", keepalive_arg); } } - + if (idle_timeout_arg) { + opts.idle_timeout_secs = strtoul(idle_timeout_arg, NULL, 10); + if (opts.idle_timeout_secs == 0 && errno == EINVAL) { + dropbear_exit("Bad idle_timeout '%s'", idle_timeout_arg); + } + } } #ifdef ENABLE_CLI_PUBKEY_AUTH diff -up ../../dropbear-vanilla/dropbear-0.51/common-session.c ../../dropbear-idle_timeout/dropbear-0.51/common-session.c --- ../../dropbear-vanilla/dropbear-0.51/common-session.c 2008-03-27 09:17:14.000000000 -0400 +++ ../../dropbear-idle_timeout/dropbear-0.51/common-session.c 2008-09-19 11:24:18.000000000 -0400 @@ -63,6 +63,7 @@ void common_session_init(int sock, char* ses.connect_time = 0; ses.last_packet_time = 0; + ses.last_recv_packet_time = 0; if (pipe(ses.signal_pipe) < 0) { dropbear_exit("signal pipe failed"); @@ -397,6 +398,11 @@ static void checktimeouts() { && now - ses.last_packet_time >= opts.keepalive_secs) { send_msg_ignore(); } + + if (opts.idle_timeout_secs > 0 && ses.last_recv_packet_time > 0 + && now - ses.last_recv_packet_time >= opts.idle_timeout_secs) { + dropbear_close("Idle timeout"); + } } static long select_timeout() { 
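Review bot: The guard `ses.last_recv_packet_time > 0` in the checktimeouts() hunk leaves -I unarmed until the first packet has arrived, because common_session_init only zeroes the field (`ses.last_recv_packet_time = 0;`) and nothing seeds it from the connect time, so a peer that connects and then goes silent is bounded only by whatever AUTH_TIMEOUT enforces. Seed the field in common_session_init with the same timestamp the session records for connect_time; the `> 0` test can then go, and the idle limit applies from the first second of the session.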
@@ -409,5 +415,7 @@ static long select_timeout() { ret = MIN(AUTH_TIMEOUT, ret); if (opts.keepalive_secs > 0) ret = MIN(opts.keepalive_secs, ret); + if (opts.idle_timeout_secs > 0) + ret = MIN(opts.idle_timeout_secs, ret); return ret; } Common subdirectories: ../../dropbear-vanilla/dropbear-0.51/debian and ../../dropbear-idle_timeout/dropbear-0.51/debian Common subdirectories: ../../dropbear-vanilla/dropbear-0.51/libtomcrypt and ../../dropbear-idle_timeout/dropbear-0.51/libtomcrypt Common subdirectories: ../../dropbear-vanilla/dropbear-0.51/libtommath and ../../dropbear-idle_timeout/dropbear-0.51/libtommath Common subdirectories: ../../dropbear-vanilla/dropbear-0.51/_MTN and ../../dropbear-idle_timeout/dropbear-0.51/_MTN diff -up ../../dropbear-vanilla/dropbear-0.51/options.h ../../dropbear-idle_timeout/dropbear-0.51/options.h --- ../../dropbear-vanilla/dropbear-0.51/options.h 2008-03-27 09:34:39.000000000 -0400 +++ ../../dropbear-idle_timeout/dropbear-0.51/options.h 2008-09-19 11:26:04.000000000 -0400 @@ -235,6 +235,10 @@ etc) slower (perhaps by 50%). Recommende be overridden at runtime with -K. 0 disables keepalives */ #define DEFAULT_KEEPALIVE 0 +/* Ensure that data is received within IDLE_TIMEOUT seconds. This can +be overridden at runtime with -I. 0 disables idle timeouts */ +#define DEFAULT_IDLE_TIMEOUT 0 + /******************************************************************* * You shouldn't edit below here unless you know you need to. *******************************************************************/ Only in ../../dropbear-idle_timeout/dropbear-0.51: patch051.idle_timeout diff -up ../../dropbear-vanilla/dropbear-0.51/process-packet.c ../../dropbear-idle_timeout/dropbear-0.51/process-packet.c --- ../../dropbear-vanilla/dropbear-0.51/process-packet.c 2008-03-27 09:17:15.000000000 -0400 +++ ../../dropbear-idle_timeout/dropbear-0.51/process-packet.c 2008-09-19 11:26:58.000000000 -0400 
@@ -51,6 +51,7 @@ void process_packet() { TRACE(("process_packet: packet type = %d", type)) ses.lastpacket = type; + ses.last_recv_packet_time = time(NULL); /* These packets we can receive at any time */ switch(type) { diff -up ../../dropbear-vanilla/dropbear-0.51/runopts.h ../../dropbear-idle_timeout/dropbear-0.51/runopts.h --- ../../dropbear-vanilla/dropbear-0.51/runopts.h 2008-03-27 09:17:15.000000000 -0400 +++ ../../dropbear-idle_timeout/dropbear-0.51/runopts.h 2008-09-19 11:29:17.000000000 -0400 @@ -38,6 +38,7 @@ typedef struct runopts { #endif unsigned int recv_window; time_t keepalive_secs; + time_t idle_timeout_secs; } runopts; diff -up ../../dropbear-vanilla/dropbear-0.51/session.h ../../dropbear-idle_timeout/dropbear-0.51/session.h --- ../../dropbear-vanilla/dropbear-0.51/session.h 2008-03-27 09:17:15.000000000 -0400 +++ ../../dropbear-idle_timeout/dropbear-0.51/session.h 2008-09-19 11:30:56.000000000 -0400 @@ -137,6 +137,10 @@ struct sshsession { time_t last_packet_time; /* time of the last packet transmission, for keepalive purposes */ + time_t last_recv_packet_time; /* time of the last packet received, for + idle timeout purposes */ + + /* KEX/encryption related */ struct KEXState kexstate; struct key_context *keys; diff -up ../../dropbear-vanilla/dropbear-0.51/svr-runopts.c ../../dropbear-idle_timeout/dropbear-0.51/svr-runopts.c --- ../../dropbear-vanilla/dropbear-0.51/svr-runopts.c 2008-03-27 09:17:16.000000000 -0400 +++ ../../dropbear-idle_timeout/dropbear-0.51/svr-runopts.c 2008-09-19 11:34:15.000000000 -0400 @@ -82,6 +82,7 @@ static void printhelp(const char * progn #endif "-W (default %d, larger may be faster, max 1MB)\n" "-K (0 is never, default %d)\n" + "-I (0 is never, default %d)\n" #ifdef DEBUG_TRACE "-v verbose\n" #endif 
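Review bot: `ses.last_recv_packet_time = time(NULL);` in the process-packet.c hunk runs before the `switch(type)`, so every packet type counts as activity, SSH_MSG_IGNORE and SSH_MSG_DEBUG included; a peer running its own keepalive (Dropbear's -K sends exactly such SSH_MSG_IGNORE packets from send_msg_ignore(), as the checktimeouts() hunk shows) will therefore never trip -I, which contradicts the cover note's "doesn't receive any data packets". Stamp the time only for packet types that carry session data, or at the very least skip the two types above.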
@@ -93,7 +94,7 @@ static void printhelp(const char * progn RSA_PRIV_FILENAME, #endif DROPBEAR_MAX_PORTS, DROPBEAR_DEFPORT, DROPBEAR_PIDFILE, - DEFAULT_RECV_WINDOW, DEFAULT_KEEPALIVE); + DEFAULT_RECV_WINDOW, DEFAULT_KEEPALIVE, DEFAULT_IDLE_TIMEOUT); } void svr_getopts(int argc, char ** argv) { @@ -103,6 +104,7 @@ void svr_getopts(int argc, char ** argv) int nextisport = 0; char* recv_window_arg = NULL; char* keepalive_arg = NULL; + char* idle_timeout_arg = NULL; /* see printhelp() for options */ svr_opts.rsakeyfile = NULL; @@ -134,7 +136,8 @@ void svr_getopts(int argc, char ** argv) svr_opts.usingsyslog = 1; #endif opts.recv_window = DEFAULT_RECV_WINDOW; - opts.keepalive_secs = DEFAULT_KEEPALIVE; + opts.keepalive_secs = DEFAULT_KEEPALIVE; + opts.idle_timeout_secs = DEFAULT_IDLE_TIMEOUT; #ifdef ENABLE_SVR_REMOTETCPFWD opts.listen_fwd_all = 0; @@ -218,6 +221,9 @@ void svr_getopts(int argc, char ** argv) case 'K': next = &keepalive_arg; break; + case 'I': + next = &idle_timeout_arg; + break; #if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH) case 's': svr_opts.noauthpass = 1; @@ -297,6 +303,13 @@ void svr_getopts(int argc, char ** argv) dropbear_exit("Bad keepalive '%s'", keepalive_arg); } } + + if (idle_timeout_arg) { + opts.idle_timeout_secs = strtoul(idle_timeout_arg, NULL, 10); + if (opts.idle_timeout_secs == 0 && errno == EINVAL) { + dropbear_exit("Bad idle_timeout '%s'", idle_timeout_arg); + } + } } static void addportandaddress(char* spec) { From fja0568 at gmail.com Sat Sep 20 05:52:07 2008 
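Review bot: In the svr-runopts.c `if (idle_timeout_arg)` hunk (and the identical one in cli-runopts.c), errno is not cleared before `strtoul(idle_timeout_arg, NULL, 10)`, so a stale EINVAL left by any earlier library call makes a legitimate `-I 0` fail with "Bad idle_timeout", and a non-numeric argument such as `-I abc` is caught only if the C library happens to set EINVAL, which the C standard does not require of strtoul; set `errno = 0;` first and reject the string when the end pointer does not reach the terminating NUL. The -K handling two lines above has the same shape, so one shared helper would fix both.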
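Review bot: The `@@ -134,7 +136,8 @@` hunk removes and re-adds `opts.keepalive_secs = DEFAULT_KEEPALIVE;` with only a whitespace difference; drop that no-op pair so the hunk contains just the new `opts.idle_timeout_secs` line and the diff stays reviewable.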
From: fja0568 at gmail.com (Farrell Aultman) Date: Fri, 19 Sep 2008 17:52:07 -0400 Subject: [PATCH] dropbear-051: Kill child (shell) process when dropbear exits Message-ID: <3ba466150809191452l3b430456j2c78d8b760114400@mail.gmail.com> Dropbear child process (shells created by client connections) would hang around after the server process has exited. This patch will kill these child processes when the dropbear server exits. Common subdirectories: ../../dropbear-vanilla/dropbear-0.51/debian and ../../dropbear-killchild/dropbear-0.51/debian Common subdirectories: ../../dropbear-vanilla/dropbear-0.51/libtomcrypt and ../../dropbear-killchild/dropbear-0.51/libtomcrypt Common subdirectories: ../../dropbear-vanilla/dropbear-0.51/libtommath and ../../dropbear-killchild/dropbear-0.51/libtommath Common subdirectories: ../../dropbear-vanilla/dropbear-0.51/_MTN and ../../dropbear-killchild/dropbear-0.51/_MTN Only in ../../dropbear-killchild/dropbear-0.51: patch051.killchild diff -up ../../dropbear-vanilla/dropbear-0.51/svr-session.c ../../dropbear-killchild/dropbear-0.51/svr-session.c --- ../../dropbear-vanilla/dropbear-0.51/svr-session.c 2008-03-27 09:17:16.000000000 -0400 +++ ../../dropbear-killchild/dropbear-0.51/svr-session.c 2008-09-19 11:06:51.000000000 -0400 @@ -117,10 +117,19 @@ void svr_session(int sock, int childpipe } +static void killchild(int pid) { + + if (pid > 1) { + kill(pid, SIGTERM); + waitpid(pid, NULL, 0); + } +} + /* failure exit - format must be <= 100 chars */ void svr_dropbear_exit(int exitcode, const char* format, va_list param) { char fmtbuf[300]; + int i; if (!sessinitdone) { /* before session init */ 
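Review bot: `waitpid(pid, NULL, 0)` in the new killchild() blocks with no timeout, so a child that ignores SIGTERM or is slow to handle it turns svr_dropbear_exit() into a hang rather than an exit; poll with WNOHANG for a bounded interval and then give up (or escalate to SIGKILL), or drop the wait altogether since the parent is about to exit and init will reap the child. The `pid > 1` test correctly keeps kill() away from -1 and 0, but since the loop in the next hunk walks every slot up to childpidsize, confirm that slots of already-reaped children are reset to a value this test rejects.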
@@ -147,6 +156,11 @@ void svr_dropbear_exit(int exitcode, con /* must be after we've done with username etc */ common_session_cleanup(); + /* kill child processes */ + for (i = 0; i < svr_ses.childpidsize; i++) { + killchild(svr_ses.childpids[i].pid); + } + exit(exitcode); } From fja0568 at gmail.com Sat Sep 20 06:04:54 2008 From: fja0568 at gmail.com (Farrell Aultman) Date: Fri, 19 Sep 2008 18:04:54 -0400 Subject: [PATCH] dropbear-051: uClinux vfork Message-ID: <3ba466150809191504l5599fd02l7a2278b955dd7367@mail.gmail.com> Between dropbear-047 and dropbear-051 changes were made that accounted for the fact that uClinux needs to use vfork instead of fork. However, fork was not replaced with vfork in all places. I moved the conditional preprocessor check for uClinux into the includes.h file, so that fork is always replaced with vfork in all of the dropbear code when compiling for uClinux. A side effect is that the code is cleaner since you just call fork without wrapping it every time with a conditional preprocessor check. Common subdirectories: ../../dropbear-vanilla/dropbear-0.51/debian and ../../dropbear-vfork/dropbear-0.51/debian diff -up ../../dropbear-vanilla/dropbear-0.51/includes.h ../../dropbear-vfork/dropbear-0.51/includes.h --- ../../dropbear-vanilla/dropbear-0.51/includes.h 2008-03-27 09:17:14.000000000 -0400 +++ ../../dropbear-vfork/dropbear-0.51/includes.h 2008-09-19 10:50:10.000000000 -0400 
@@ -120,6 +120,11 @@ #include #endif +/* uClinux uses vfork */ +#ifdef __uClinux__ +#define fork vfork +#endif + #include "libtomcrypt/src/headers/tomcrypt.h" #include "libtommath/tommath.h" Common subdirectories: ../../dropbear-vanilla/dropbear-0.51/libtomcrypt and ../../dropbear-vfork/dropbear-0.51/libtomcrypt Common subdirectories: ../../dropbear-vanilla/dropbear-0.51/libtommath and ../../dropbear-vfork/dropbear-0.51/libtommath Common subdirectories: ../../dropbear-vanilla/dropbear-0.51/_MTN and ../../dropbear-vfork/dropbear-0.51/_MTN Only in ../../dropbear-vfork/dropbear-0.51: patch051.vfork diff -up ../../dropbear-vanilla/dropbear-0.51/scp.c ../../dropbear-vfork/dropbear-0.51/scp.c --- ../../dropbear-vanilla/dropbear-0.51/scp.c 2008-03-27 09:17:15.000000000 -0400 +++ ../../dropbear-vfork/dropbear-0.51/scp.c 2008-09-19 10:43:08.000000000 -0400 @@ -200,11 +200,7 @@ do_cmd(char *host, char *remuser, char * #endif /* __uClinux__ */ /* Fork a child to execute the command on the remote host using ssh. */ -#ifdef __uClinux__ - do_cmd_pid = vfork(); -#else do_cmd_pid = fork(); -#endif /* __uClinux__ */ if (do_cmd_pid == 0) { /* Child. */ diff -up ../../dropbear-vanilla/dropbear-0.51/svr-chansession.c ../../dropbear-vfork/dropbear-0.51/svr-chansession.c --- ../../dropbear-vanilla/dropbear-0.51/svr-chansession.c 2008-03-27 09:17:16.000000000 -0400 +++ ../../dropbear-vfork/dropbear-0.51/svr-chansession.c 2008-09-19 10:41:42.000000000 -0400 @@ -650,11 +650,7 @@ static int noptycommand(struct Channel * if (pipe(errfds) != 0) return DROPBEAR_FAILURE; -#ifdef __uClinux__ - pid = vfork(); -#else pid = fork(); -#endif if (pid < 0) return DROPBEAR_FAILURE; 
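Review bot: `#define fork vfork` in the includes.h hunk retargets every fork() call in the tree, not only the three sites this patch unwraps, and a vfork child shares the parent's memory until it execs or _exits, so any fork child that writes to variables, returns from the enclosing function, or keeps running as a process in its own right will corrupt or deadlock the parent; list and audit each remaining fork site in the cover note before the macro lands, and state in the comment that the substitution is uClinux-only. Minor: the ptycommand hunk in svr-chansession.c adds a stray blank `+` line after `pid = fork();`.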
@@ -754,11 +750,8 @@ static int ptycommand(struct Channel *ch return DROPBEAR_FAILURE; } -#ifdef __uClinux__ - pid = vfork(); -#else pid = fork(); -#endif + if (pid < 0) return DROPBEAR_FAILURE; From fja0568 at gmail.com Sat Sep 20 06:15:41 2008 From: fja0568 at gmail.com (Farrell Aultman) Date: Fri, 19 Sep 2008 18:15:41 -0400 Subject: [PATCH] dropbear-051: errno bug fix Message-ID: <3ba466150809191515nf569ca2oa190fe6355e6e570@mail.gmail.com> The code assumed that when strtol is successful, that it will set errno to zero. This is not the case, at least under uClinux. The man page does not indicate this either. What can happen is that errno is already set to non-zero before strtol is called, then strtol is successful but since strtol doesn't reset errno to zero, the next line thinks that strtol failed. This patch also gets rid of 2 compiler warnings. diff -up ../../dropbear-vanilla/dropbear-0.51/cli-runopts.c ../../dropbear-errno/dropbear-0.51/cli-runopts.c --- ../../dropbear-vanilla/dropbear-0.51/cli-runopts.c 2008-03-27 09:17:14.000000000 -0400 +++ ../../dropbear-errno/dropbear-0.51/cli-runopts.c 2008-09-19 16:26:36.000000000 -0400 
@@ -428,12 +428,14 @@ static void addforward(char* origstr, st /* Now we check the ports - note that the port ints are unsigned, * the check later only checks for >= MAX_PORT */ + errno = 0; newfwd->listenport = strtol(listenport, NULL, 10); if (errno != 0) { TRACE(("bad listenport strtol")) goto fail; } + errno = 0; newfwd->connectport = strtol(connectport, NULL, 10); if (errno != 0) { TRACE(("bad connectport strtol")) Common subdirectories: ../../dropbear-vanilla/dropbear-0.51/debian and ../../dropbear-errno/dropbear-0.51/debian diff -up ../../dropbear-vanilla/dropbear-0.51/keyimport.c ../../dropbear-errno/dropbear-0.51/keyimport.c --- ../../dropbear-vanilla/dropbear-0.51/keyimport.c 2008-03-27 09:17:14.000000000 -0400 +++ ../../dropbear-errno/dropbear-0.51/keyimport.c 2008-09-19 16:39:08.000000000 -0400 @@ -701,7 +701,6 @@ static int openssh_write(const char *fil int nnumbers = -1, pos, len, seqlen, i; char *header = NULL, *footer = NULL; char zero[1]; - unsigned char iv[8]; int ret = 0; FILE *fp; int keytype = -1; Common subdirectories: ../../dropbear-vanilla/dropbear-0.51/libtomcrypt and ../../dropbear-errno/dropbear-0.51/libtomcrypt Common subdirectories: ../../dropbear-vanilla/dropbear-0.51/libtommath and ../../dropbear-errno/dropbear-0.51/libtommath Common subdirectories: ../../dropbear-vanilla/dropbear-0.51/_MTN and ../../dropbear-errno/dropbear-0.51/_MTN Only in ../../dropbear-errno/dropbear-0.51: patch051.errno diff -up ../../dropbear-vanilla/dropbear-0.51/svr-auth.c ../../dropbear-errno/dropbear-0.51/svr-auth.c --- ../../dropbear-vanilla/dropbear-0.51/svr-auth.c 2008-03-27 09:17:16.000000000 -0400 +++ ../../dropbear-errno/dropbear-0.51/svr-auth.c 2008-09-19 16:38:58.000000000 -0400 
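Review bot: `errno = 0;` before the two strtol() calls in the addforward hunk fixes the stale-errno failure, but with a NULL end pointer `strtol(listenport, NULL, 10)` still accepts an empty string and trailing junk such as `22abc` (both leave errno at 0), and a value of 0 or a negative number is stored into the unsigned port field; pass a `char *end` and fail when `end == listenport || *end != '\0'`, and reject values outside 1..65535 here rather than relying on the later `>= MAX_PORT` check the comment mentions.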
@@ -203,7 +203,7 @@ out: m_free(methodname); } -static int fill_passwd(const char* username) { +static void fill_passwd(const char* username) { struct passwd *pw = NULL; if (ses.authstate.pw_name) m_free(ses.authstate.pw_name); From jamie at shareable.org Sat Sep 20 23:58:26 2008 From: jamie at shareable.org (Jamie Lokier) Date: Sat, 20 Sep 2008 16:58:26 +0100 Subject: [PATCH] dropbear-051: errno bug fix In-Reply-To: <3ba466150809191515nf569ca2oa190fe6355e6e570@mail.gmail.com> Message-ID: <20080920155826.GE6061@shareable.org> Farrell Aultman wrote: > The code assumed that when strtol is successful, that it will set > errno to zero. This is not the case, at least under uClinux. It's not the case in general, POSIX doesn't require it to be set to zero. > The man page does not indicate this either. What can happen is that > errno is already set to non-zero before strtol is called, then strtol > is successful but since strtol doesn't reset errno to zero, the next > line thinks that strtol failed. That's right. The correct way to call strtol in general, if you're checking errno after, is to set errno to zero before. Since reading errno can be slow (in threaded programs), you might want to check if the result from strtol is LONG_MIN or LONG_MAX before checking errno. -- Jamie From jamie at shareable.org Sat Sep 20 23:59:56 2008 
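The strtol() calling convention Jamie describes, as an added example rather than Dropbear's own code; parse_long_range, parse_port, parse_port_or, port_status, naive_check_misfires and the status enum are names invented here, and the sample strings are constructed.

```c
/* Added example, not Dropbear code: a strtol() wrapper following the
 * advice in the thread. errno is cleared first, the result is compared
 * with LONG_MIN/LONG_MAX before errno is consulted, and the end pointer
 * is checked so that "" and "22abc" are rejected instead of parsing as
 * 0 and 22. Names (parse_long_range, parse_port, ...) are invented. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

enum parse_status {
    PARSE_OK = 0,
    PARSE_EMPTY,     /* no digits at all: "" or "abc" */
    PARSE_TRAILING,  /* digits followed by junk: "22abc" */
    PARSE_RANGE      /* overflowed long, or outside [lo, hi] */
};

/* Parse a decimal integer in [lo, hi] from s into *out.
 * Returns PARSE_OK on success; *out is left untouched otherwise. */
enum parse_status parse_long_range(const char *s, long lo, long hi, long *out)
{
    char *end = NULL;
    long v;

    /* strtol() sets errno only on failure and never clears it, so a value
     * left by an earlier call would otherwise look like a failure here. */
    errno = 0;
    v = strtol(s, &end, 10);

    /* Overflow is the only errno case and always yields LONG_MIN/LONG_MAX,
     * so errno (a possibly slow thread-local read) is consulted only then. */
    if ((v == LONG_MIN || v == LONG_MAX) && errno == ERANGE)
        return PARSE_RANGE;
    if (end == s)        /* nothing was converted */
        return PARSE_EMPTY;
    if (*end != '\0')    /* only a prefix was converted */
        return PARSE_TRAILING;
    if (v < lo || v > hi)
        return PARSE_RANGE;

    *out = v;
    return PARSE_OK;
}

/* TCP port parsing as addforward() needs it: 1..65535 only. */
enum parse_status parse_port(const char *s, long *port)
{
    return parse_long_range(s, 1, 65535, port);
}

/* Parsed port, or fallback when s is not a valid port. */
long parse_port_or(const char *s, long fallback)
{
    long port;
    return parse_port(s, &port) == PARSE_OK ? port : fallback;
}

/* Status code alone, for callers that report why parsing failed. */
int port_status(const char *s)
{
    long unused;
    return (int)parse_port(s, &unused);
}

/* Reproduces the bug the patch fixes: with errno already non-zero, a
 * successful strtol() followed by a bare "errno != 0" test reports a
 * failure. Returns 1 when that naive test misfires. */
int naive_check_misfires(const char *s)
{
    errno = EINTR;             /* stale value from some earlier call */
    (void)strtol(s, NULL, 10); /* succeeds and leaves errno alone */
    return errno != 0;
}

int main(void)
{
    /* Constructed sample arguments, valid and invalid. */
    const char *samples[] = { "22", "2799", "", "abc", "22abc", "-1",
                              "70000", "99999999999999999999" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s -> status %d, port %ld\n", samples[i],
               port_status(samples[i]), parse_port_or(samples[i], -1));
    printf("naive errno check misfires on \"22\": %d\n",
           naive_check_misfires("22"));
    return 0;
}
```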
From: jamie at shareable.org (Jamie Lokier) Date: Sat, 20 Sep 2008 16:59:56 +0100 Subject: [PATCH] dropbear-051: uClinux vfork In-Reply-To: <3ba466150809191504l5599fd02l7a2278b955dd7367@mail.gmail.com> References: <3ba466150809191504l5599fd02l7a2278b955dd7367@mail.gmail.com> Message-ID: <20080920155956.GF6061@shareable.org> Farrell Aultman wrote: > Between dropbear-047 and dropbear-051 changes were made that > accounted for the fact that uClinux needs to use vfork instead of > fork. However, fork was not replaced with vfork in all places. I > moved the conditional preprocessor check for uClinux into the > includes.h file, so that fork is always replaced with vfork in all > of the dropbear code when compiling for uClinux. A side effect is > that the code is cleaner since you just call fork without wrapping > it every time with a conditional preprocessor check. Have you checked that it's safe to call vfork in all those places? vfork is not always a safe replacement for fork, even on uClinux where fork doesn't work. -- Jamie From fja0568 at gmail.com Mon Sep 22 02:48:34 2008 
From: fja0568 at gmail.com (Farrell Aultman) Date: Sun, 21 Sep 2008 14:48:34 -0400 Subject: [PATCH] dropbear-051: errno bug fix In-Reply-To: <20080920155826.GE6061@shareable.org> References: <3ba466150809191515nf569ca2oa190fe6355e6e570@mail.gmail.com> <20080920155826.GE6061@shareable.org> Message-ID: <3ba466150809211148w78490c09mf74cce3db40c3bdb@mail.gmail.com> Thanks Jamie, I agree with everything you said. The code would be better modified as you indicate. On Sat, Sep 20, 2008 at 11:58 AM, Jamie Lokier wrote: > Farrell Aultman wrote: > > The code assumed that when strtol is successful, that it will set > > errno to zero. This is not the case, at least under uClinux. > > It's not the case in general, POSIX doesn't require it to be set to zero. > > > The man page does not indicate this either. What can happen is that > > errno is already set to non-zero before strtol is called, then strtol > > is successful but since strtol doesn't reset errno to zero, the next > > line thinks that strtol failed. > > That's right. The correct way to call strtol in general, if you're > checking errno after, is to set errno to zero before. > > Since reading errno can be slow (in threaded programs), you might want > to check if the result from strtol is LONG_MIN or LONG_MAX before > checking errno. > > -- Jamie > From mingching.tiew at redtone.com Mon Sep 22 09:43:53 2008 
From: mingching.tiew at redtone.com (Ming-Ching Tiew)
Date: Mon, 22 Sep 2008 09:43:53 +0800
Subject: [PATCH] dropbear-051: errno bug fix
References: <3ba466150809191515nf569ca2oa190fe6355e6e570@mail.gmail.com> <20080920155826.GE6061@shareable.org> <3ba466150809211148w78490c09mf74cce3db40c3bdb@mail.gmail.com>
Message-ID: <005201c91c54$ab9662c0$8119fea9@MingChing>

Farrell Aultman wrote:
> Thanks Jamie, I agree with everything you said. The code would be
> better modified as you indicate.
>
> And also I wonder if the maillist accepts attachments?

The patches should be sent as attachments. It will be way too much work to
rework the message content as a patch. Tabs are converted to spaces and so
on and so forth; it makes applying the patch a pain.

Cheers.

From matt at ucc.asn.au Mon Sep 22 23:11:37 2008
From: matt at ucc.asn.au (Matt Johnston)
Date: Mon, 22 Sep 2008 23:11:37 +0800
Subject: [PATCH] dropbear-051: idle_timeout command line option
In-Reply-To: <3ba466150809191445haf70e50nf5bf0a47e940024b@mail.gmail.com>
References: <3ba466150809191445haf70e50nf5bf0a47e940024b@mail.gmail.com>
Message-ID: <20080922151137.GI4444@ucc.gu.uwa.edu.au>

On Fri, Sep 19, 2008 at 05:45:34PM -0400, Farrell Aultman wrote:
> This adds a command line option for specifying an idle_timeout. The command
> line is:
> -I . If dropbear doesn't receive any data packets within , the
> dropbear process associated with that session will exit.

This patch looks good, though testing here it seems that OpenSSH's client
will send keepalive messages that thwart the timeout. What is your use case
for this patch? Would updating the last_packet time only for DATA packets
make more sense? Also the time should probably be updated when sending data
packets too?

Matt

From matt at ucc.asn.au Mon Sep 22 23:12:39 2008
From: matt at ucc.asn.au (Matt Johnston)
Date: Mon, 22 Sep 2008 23:12:39 +0800
Subject: [PATCH] dropbear-051: errno bug fix
In-Reply-To: <3ba466150809191515nf569ca2oa190fe6355e6e570@mail.gmail.com>
References: <3ba466150809191515nf569ca2oa190fe6355e6e570@mail.gmail.com>
Message-ID: <20080922151239.GK4444@ucc.gu.uwa.edu.au>

On Fri, Sep 19, 2008 at 06:15:41PM -0400, Farrell Aultman wrote:
> The code assumed that when strtol is successful, that it will set errno to
> zero. This is not the case, at least under uClinux. The man page does not
> indicate this either. What can happen is that errno is already set to
> non-zero before strtol is called, then strtol is successful but since strtol
> doesn't reset errno to zero, the next line thinks that strtol failed.

I've applied this now in a more general form with a new function
m_str_to_int(). Funnily enough setting errno=EINVAL isn't actually defined
by C99 - though most (all?) platforms seem to do that.

Cheers,
Matt

From matt at ucc.asn.au Mon Sep 22 23:16:53 2008
From: matt at ucc.asn.au (Matt Johnston)
Date: Mon, 22 Sep 2008 23:16:53 +0800
Subject: [PATCH] dropbear-051: Kill child (shell) process when dropbear exits
In-Reply-To: <3ba466150809191452l3b430456j2c78d8b760114400@mail.gmail.com>
References: <3ba466150809191452l3b430456j2c78d8b760114400@mail.gmail.com>
Message-ID: <20080922151653.GL4444@ucc.gu.uwa.edu.au>

On Fri, Sep 19, 2008 at 05:52:07PM -0400, Farrell Aultman wrote:
> Dropbear child processes (shells created by client connections) would hang
> around after the server process has exited. This patch will kill these
> child processes when the dropbear server exits.

I'm not convinced that Dropbear should be killing off these processes.
Shouldn't they just notice that their stdin has gone away and then quit by
themselves? If a child process is waiting to write out data (eg ssh host
"cat > /tmp/file") then it might lose some bytes if killed abruptly.

Matt

From fja0568 at gmail.com Mon Sep 22 23:37:55 2008
From: fja0568 at gmail.com (Farrell Aultman)
Date: Mon, 22 Sep 2008 11:37:55 -0400
Subject: [PATCH] dropbear-051: idle_timeout command line option
In-Reply-To: <20080922151137.GI4444@ucc.gu.uwa.edu.au>
References: <3ba466150809191445haf70e50nf5bf0a47e940024b@mail.gmail.com> <20080922151137.GI4444@ucc.gu.uwa.edu.au>
Message-ID: <3ba466150809220837y2a272056tf65bd8aaf7492352@mail.gmail.com>

I guess that I made the patch specific to my use case. I have a collection
of wireless embedded devices that are running dbclient. They are installed
in trucks and move in and out of radio range and talk to a central server
running dropbear server. I want to keep the connection alive when they are
in radio range, and allow the dropbear server process to detect when they
are out of range and exit. So, in my case, the clients all send keepalive
packets and the server process stays up as long as it gets them.

I thought about modifying dropbear to have a compile time option that would
allow reacting to only data packets. Would that be OK?

"Also the time should probably be updated when sending data packets too?"

Probably; in my case, clients always initiate the communication. But, it
could easily be changed to do this.

On Mon, Sep 22, 2008 at 11:11 AM, Matt Johnston wrote:
> On Fri, Sep 19, 2008 at 05:45:34PM -0400, Farrell Aultman wrote:
> > This adds a command line option for specifying an idle_timeout. The
> > command line is:
> > -I . If dropbear doesn't receive any data packets within , the
> > dropbear process associated with that session will exit.
>
> This patch looks good, though testing here it seems that
> OpenSSH's client will send keepalive messages that thwart the
> timeout. What is your use case for this patch? Would updating
> the last_packet time only for DATA packets make more
> sense? Also the time should probably be updated when sending
> data packets too?
>
> Matt

From jamie at shareable.org Tue Sep 23 01:23:39 2008
From: jamie at shareable.org (Jamie Lokier)
Date: Mon, 22 Sep 2008 18:23:39 +0100
Subject: [PATCH] dropbear-051: errno bug fix
In-Reply-To: <20080922151239.GK4444@ucc.gu.uwa.edu.au>
References: <3ba466150809191515nf569ca2oa190fe6355e6e570@mail.gmail.com> <20080922151239.GK4444@ucc.gu.uwa.edu.au>
Message-ID: <20080922172338.GA19040@shareable.org>

Matt Johnston wrote:
> > is that errno is already set to non-zero
> > before strtol is called, then strtol is successful but since strtol doesn't
> > reset errno to zero, the next line thinks that strtol failed.
>
> I've applied this now in a more general form with a new
> function m_str_to_int(). Funnily enough setting errno=EINVAL isn't
> actually defined by C99 - though most (all?) platforms seem
> to do that.

Single Unix Specification (aka. POSIX) does though.
http://www.opengroup.org/onlinepubs/000095399/functions/strtol.html

    The strtol() function shall not change the setting of errno if
    successful.

    Since 0, LONG_MIN or LLONG_MIN, and LONG_MAX or LLONG_MAX are returned
    on error and are also valid returns on success, an application wishing
    to check for error situations should set errno to 0, then call strtol()
    or strtoll(), then check errno.

    RETURN VALUE

    Upon successful completion, these functions shall return the converted
    value, if any. If no conversion could be performed, 0 shall be returned
    and errno may be set to EINVAL.

    If the correct value is outside the range of representable values,
    LONG_MIN, LONG_MAX, LLONG_MIN, or LLONG_MAX shall be returned (according
    to the sign of the value), and errno set to ERANGE.

-- Jamie
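The strtol calling pattern the thread converges on (clear errno first, decide "no conversion" from the end pointer rather than EINVAL, consult errno only when a sentinel came back), as an added example that is not dropbear's m_str_to_int(): str_to_int() and its reason codes are hypothetical names, and str_to_int_stale_errno() beside it reproduces the stale-errno bug the patch fixed.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>

/* Reason codes for the hypothetical parser below (not dropbear's API). */
enum { STR_TO_INT_OK = 0, STR_TO_INT_NOCONV, STR_TO_INT_TRAILING, STR_TO_INT_RANGE };

/* The pattern the patch fixed: errno is read without being cleared first,
 * so a stale errno left by an earlier call turns a good parse into an
 * error. Kept only to contrast with str_to_int() below. */
int str_to_int_stale_errno(const char *s, int *out)
{
    char *end;
    long val = strtol(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0')
        return -1;
    *out = (int)val;
    return STR_TO_INT_OK;
}

/* Parse the whole string as a decimal int. Returns STR_TO_INT_OK and
 * stores the value in *out, or a nonzero reason code. */
int str_to_int(const char *s, int *out)
{
    char *end;
    long val;

    errno = 0;                      /* strtol never resets errno itself */
    val = strtol(s, &end, 10);

    /* No digits: strtol returns 0 with end == s. POSIX only says errno
     * "may" be EINVAL here, so decide from the end pointer, not errno. */
    if (end == s)
        return STR_TO_INT_NOCONV;

    /* Consult errno only when a sentinel came back (the cheap check). */
    if ((val == LONG_MAX || val == LONG_MIN) && errno == ERANGE)
        return STR_TO_INT_RANGE;

    if (*end != '\0')               /* reject "30x", "30 " and the like */
        return STR_TO_INT_TRAILING;

    /* long may be wider than int (LP64), so range-check explicitly. */
    if (val < INT_MIN || val > INT_MAX)
        return STR_TO_INT_RANGE;

    *out = (int)val;
    return STR_TO_INT_OK;
}
```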