From: dbextern at gmx.de (dbextern at gmx.de)
Date: Thu, 03 Jan 2013 12:10:51 +0100
Subject: Issues after Update from 0.52 to 2012.55; login time; password auth
Message-ID: <20130103111051.212500@gmx.net>

Hello!

I'm using dropbear on an embedded System with uCLinux. It works great. And first I want to thank all of you for the work you put in it.

After reading about the security fix I updated the dropbear from a (very stable and fast) 0.52 to the new 2012.55.

After the update two things changed. The login time increased a lot. From next to nothing to about 7s (on a 600MHz CPU). I read that this is a common problem, and that my 7s are still quite good. I'm just surprised about the increase.

Secondly the dropbear does not allow password login anymore (the server only gives back "pubkey" as available option). The corresponding defines in options.h are still active though. And the dropbear is started without -s. I'm out of ideas what to try to enable it again. When I just replace the dropbear executable with the 0.52 version it works again.

Any thoughts and advice is highly appreciated. Thank you in advance.

Regards
Sebastian

From: matt at ucc.asn.au (Matt Johnston)
Date: Thu, 3 Jan 2013 19:51:02 +0800
Subject: Issues after Update from 0.52 to 2012.55; login time; password auth
In-Reply-To: <20130103111051.212500@gmx.net>
References: <20130103111051.212500@gmx.net>
Message-ID: <20130103115102.GR4419@ucc.gu.uwa.edu.au>

Hi,

7 seconds seems slow. Where was it said that it's a common problem? I get around 1 second to SSH to a raspberry pi (700mhz "ARMv6"). Was it built with the same compiler and compile options? Leaving optimisation off could make that difference.

I can't see how it wouldn't ask for a password unless there's -g or -s on the commandline. Does "ssh -v" show just "Authentications that can continue: publickey", not "publickey,password"?

Cheers,
Matt

On Thu, Jan 03, 2013 at 12:10:51PM +0100, dbextern at gmx.de wrote:
> Hello!
>
> I'm using dropbear on an embedded System with uCLinux. It works great. And first I want to thank all of you for the work you put in it.
>
> After reading about the security fix I updated the dropbear from a (very stable and fast) 0.52 to the new 2012.55.
>
> After the update two things changed. The login time increased a lot. From next to nothing to about 7s (on a 600MHz CPU). I read that this is a common problem, and that my 7s are still quite good. I'm just surprised about the increase.
>
> Secondly the dropbear does not allow password login anymore (the server only gives back "pubkey" as available option). The corresponding defines in options.h are still active though. And the dropbear is started without -s. I'm out of ideas what to try to enable it again. When I just replace the dropbear executable with the 0.52 version it works again.
>
> Any thoughts and advice is highly appreciated. Thank you in advance.
>
> Regards
> Sebastian

From: dbextern at gmx.de (dbextern at gmx.de)
Date: Thu, 03 Jan 2013 14:58:00 +0100
Subject: No subject
Message-ID: <20130103135800.40470@gmx.net>

Hi Matt,

thank you for the quick response.

# 7 seconds seems slow. Where was it said that it's a common problem?
# I get around 1 second to SSH to a raspberry pi (700mhz "ARMv6").
# Was it built with the same compiler and compile options?
# Leaving optimisation off could make that difference.

I found a few posts on the mailing list about that topic. (for example: http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2011q1/001098.html or http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/2011q3/001149.html)

The CPU is at 100% during the login. Both versions have been compiled with the same external setup. When the dropbear is the only process running the time is reduced to ~3s which is still a lot slower than the V0.52 (that does it in less than 1s). Were options added between those versions that could have an impact? Did maybe the libtommath/crypt change?

# I can't see how it wouldn't ask for a password unless
# there's -g or -s on the commandline. Does "ssh -v" show just
# "Authentications that can continue: publickey", not
# "publickey,password" ?

The server gives an "Authentications that can continue: publickey". It is started without any options.

Regards
Sebastian

-
Sebastian Fett, R&D
T +49-7191-9669-0, F +49-7191-950000, Sebastian.Fett at dbaudio.com, www.dbaudio.com
d&b audiotechnik GmbH, Eugen-Adolff-Straße 134, 71522 Backnang, Germany
Managing directors: Frank Bothe, Markus Strohmeier
Finance: Kay Lange; Marketing: Simon Johnston
Registered office: Backnang; Stuttgart District Court, HRB 725789

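The check Matt asks for above (whether "ssh -v" reports "publickey" alone or "publickey,password"), as an added example that is not part of the thread: a small POSIX shell helper that pulls the advertised method list out of an ssh -v transcript so the result can be checked from a script rather than by eye. It assumes an OpenSSH ssh client on the probing machine; the two transcripts embedded in the block are constructed, not real captures.

```shell
#!/bin/sh
# Added example, not code from the dropbear thread. Read an "ssh -v" transcript
# on stdin and report which authentication methods the server advertised, so
# you can confirm that password auth is (or is not) offered, for example after
# starting dropbear with -s or -g. All functions read the transcript from stdin.

# Print the comma-separated method list the server sent back to the client's
# first authentication request. Falls back to the list in the final
# "Permission denied (...)" line if no debug line is present.
ssh_auth_methods() {
    sed -n \
        -e 's/^debug1: Authentications that can continue: //p' \
        -e 's/^.*Permission denied (\(.*\))\..*$/\1/p' \
    | head -n 1
}

# Succeed (exit 0) if method $1 (e.g. "password") is in the advertised list.
offers_method() {
    methods=$(ssh_auth_methods)
    case ",$methods," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Constructed transcripts standing in for real "ssh -v" output (not captures).
# A server that still accepts passwords:
sample_pubkey_and_password() {
    cat <<'EOF'
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
EOF
}

# A server that only offers public keys, which is what the thread reports:
sample_pubkey_only() {
    cat <<'EOF'
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
user@host: Permission denied (publickey).
EOF
}

# Live check against a real server (hypothetical target given as $1, e.g.
# user@host): ask only for "none" so the server answers with its full method
# list and no password prompt appears. ssh -v writes its debug output to stderr.
check_live() {
    ssh -v -o BatchMode=yes -o PreferredAuthentications=none "$1" 2>&1 \
        | ssh_auth_methods
}

if [ "${1:-}" = "--demo" ]; then
    echo "constructed sample 1: $(sample_pubkey_and_password | ssh_auth_methods)"
    echo "constructed sample 2: $(sample_pubkey_only | ssh_auth_methods)"
fi
```

A list of just publickey from a dropbear server means password auth is not on offer for that account at all, whether because of -s, -g for root, or the build's options.h.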
From: fbianchi at arte.unipi.it (Federico Bianchi)
Date: Tue, 8 Jan 2013 13:37:10 +0100 (CET)
Subject: Dropbear/SFTP
In-Reply-To: <20130108130618.4991dff7@skate>
References: <002401cded96$e8b13fa0$ba13bee0$@co.uk> <20130108130618.4991dff7@skate>
Message-ID:

I faced the very same problem some time ago. When working from scratch, you can either build the SFTP subsystem from OpenSSH without installing the rest (it has very few dependencies from the main package) or work with rjk-sftpserver from http://www.greenend.org.uk/rjk/sftpserver/ - but YMMV, and I don't think there are any premade solutions.

Best regards

Federico Bianchi
Sistema Informatico Dipartimentale - C/O polo 4
Universita` di Pisa - I-56126 Pisa (Italy)
tel. (+39) 050 2215026 - fax (+39) 050 2215030
e-mail:
===================================================
!DISCLAIMER!: my e-mail reflects _my_own_ opinions!
===================================================

On Tue, 8 Jan 2013, Thomas Petazzoni wrote:

> Dear Ted Wood,
>
> On Tue, 8 Jan 2013 11:54:25 -0000, Ted Wood wrote:
>> I am attempting to remotely debug application code on my i586 system from
>> Eclipse.
>>
>> I can login using SSH, however it stops saying that there is no SFTP server
>> running on my target.
>>
>> I've tried installing open-ssh, I presume I need to initiate the SFTP
>> server somehow, but I'm not sure how.
>
> The subject of your e-mail suggests you've tried using Dropbear.
> However, as you've probably noticed, Dropbear doesn't implement the
> SFTP protocol, so it is not possible to use Dropbear as an SFTP server.
>
> For now, the only option in Buildroot to get an SFTP server is to use
> OpenSSH. Just enable the package, disable Dropbear, and do a full
> rebuild of your Buildroot configuration. The Buildroot OpenSSH package
> automatically installs an init script that will start OpenSSH at boot
> time. Nothing special should be necessary.
>
> If you're interested, notice that we are currently developing an Eclipse
> plugin for Buildroot, which will help to build, remote execute and
> remote debug applications in the context of Buildroot. The
> documentation has not yet been fully written, but if you're interested,
> please let me know so that we can give you the initial starting points.
> We are very interested in getting some user feedback about those
> developments.
>
> Best regards,
>
> Thomas
> --
> Thomas Petazzoni, Free Electrons
> Kernel, drivers, real-time and embedded Linux
> development, consulting, training and support.
> http://free-electrons.com
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot

From: paul.eggleton at linux.intel.com (Paul Eggleton)
Date: Wed, 20 Feb 2013 16:51:14 +0000
Subject: RFC: PATCH: Allow configuring "allow blank password option" at runtime
Message-ID: <2020531.yIFax0RUHj@helios>

Hi there,

Attached is a patch we've developed for dropbear within the Yocto Project to avoid the need to rebuild dropbear when we wish to disable the ability to log into accounts that have a blank password set. It removes the compile-time option and adds a -B command-line option which enables the functionality.

We'd really like to see this (or something like it) upstream. If an alternative implementation would be preferred please let me know.

Cheers,
Paul

--
Paul Eggleton
Intel Open Source Technology Centre

-------------- next part --------------
A non-text attachment was scrubbed...
Name: nopw-option-hg.patch
Type: text/x-patch
Size: 2972 bytes
Desc: not available
Url : http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20130220/2ff4a537/attachment.bin

From: matt at ucc.asn.au (Matt Johnston) Date: Fri, 22 Feb 2013 23:56:30 +0800 Subject: RFC: PATCH: Allow configuring "allow blank password option" at runtime In-Reply-To: <2020531.yIFax0RUHj@helios> References: <2020531.yIFax0RUHj@helios> Message-ID: <20130222155630.GA9963@ucc.gu.uwa.edu.au> Hi Paul, Thanks for that, I've committed it for the next release. Cheers, Matt On Wed, Feb 20, 2013 at 04:51:14PM +0000, Paul Eggleton wrote: > Hi there, > > Attached is a patch we've developed for dropbear within the Yocto Project to > avoid the need to rebuild dropbear when we wish to disable the ability to log > into accounts that have a blank password set. It removes the compile-time > option and adds a -B command-line option which enables the functionality. > > We'd really like to see this (or something like it) upstream. If an > alternative implementation would be preferred please let me know. > > Cheers, > Paul > > -- > > Paul Eggleton > Intel Open Source Technology Centre > # HG changeset patch > # User Paul Eggleton > # Date 1360684377 0 > # Node ID 92aea57140965ca60e40f99d485c14f0425afd90 > # Parent 63f8d6c469cf51624c9a48dbac1f2ae9b4cd82b6 > Allow configuring "allow blank password option" at runtime > > Changes this from a compile-time switch to a command-line option. > > Signed-off-by: Paul Eggleton > > diff -r 63f8d6c469cf -r 92aea5714096 options.h > --- a/options.h Thu May 17 00:26:12 2012 +0800 > +++ b/options.h Tue Feb 12 15:52:57 2013 +0000 > @@ -180,11 +180,6 @@ > #define ENABLE_SVR_PUBKEY_OPTIONS > #endif > > -/* Define this to allow logging in to accounts that have no password specified. > - * Public key logins are allowed for blank-password accounts regardless of this > - * setting. */ > -/* #define ALLOW_BLANK_PASSWORD */ > - > #define ENABLE_CLI_PASSWORD_AUTH > #define ENABLE_CLI_PUBKEY_AUTH > #define ENABLE_CLI_INTERACT_AUTH > diff -r 63f8d6c469cf -r 92aea5714096 runopts.h > --- a/runopts.h Thu May 17 00:26:12 2012 +0800 
> +++ b/runopts.h Tue Feb 12 15:52:57 2013 +0000 > @@ -89,6 +89,7 @@ > > int noauthpass; > int norootpass; > + int allowblankpass; > > #ifdef ENABLE_SVR_REMOTETCPFWD > int noremotetcp; > diff -r 63f8d6c469cf -r 92aea5714096 svr-auth.c > --- a/svr-auth.c Thu May 17 00:26:12 2012 +0800 > +++ b/svr-auth.c Tue Feb 12 15:52:57 2013 +0000 > @@ -154,8 +154,8 @@ > strncmp(methodname, AUTH_METHOD_NONE, > AUTH_METHOD_NONE_LEN) == 0) { > TRACE(("recv_msg_userauth_request: 'none' request")) > -#ifdef ALLOW_BLANK_PASSWORD > - if (!svr_opts.noauthpass > + if (svr_opts.allowblankpass > + && !svr_opts.noauthpass > && !(svr_opts.norootpass && ses.authstate.pw_uid == 0) > && ses.authstate.pw_passwd[0] == '\0') > { > @@ -167,7 +167,6 @@ > goto out; > } > else > -#endif > { > send_msg_userauth_failure(0, 0); > goto out; > diff -r 63f8d6c469cf -r 92aea5714096 svr-authpasswd.c > --- a/svr-authpasswd.c Thu May 17 00:26:12 2012 +0800 > +++ b/svr-authpasswd.c Tue Feb 12 15:52:57 2013 +0000 > @@ -29,6 +29,7 @@ > #include "buffer.h" > #include "dbutil.h" > #include "auth.h" > +#include "runopts.h" > > #ifdef ENABLE_SVR_PASSWORD_AUTH > > diff -r 63f8d6c469cf -r 92aea5714096 svr-runopts.c > --- a/svr-runopts.c Thu May 17 00:26:12 2012 +0800 > +++ b/svr-runopts.c Tue Feb 12 15:52:57 2013 +0000 > @@ -63,6 +63,7 @@ > #if defined(ENABLE_SVR_PASSWORD_AUTH) || defined(ENABLE_SVR_PAM_AUTH) > "-s Disable password logins\n" > "-g Disable password logins for root\n" > + "-B Allow blank password logins\n" > #endif > #ifdef ENABLE_SVR_LOCALTCPFWD > "-j Disable local port forwarding\n" > @@ -115,6 +116,7 @@ > svr_opts.norootlogin = 0; > svr_opts.noauthpass = 0; > svr_opts.norootpass = 0; > + svr_opts.allowblankpass = 0; > svr_opts.inetdmode = 0; > svr_opts.portcount = 0; > svr_opts.hostkey = NULL; 
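Review bot: the svr-authpasswd.c hunk adds `#include "runopts.h"` but changes nothing else in that file, so the include has no user in this patch; either it is dead and should be dropped, or a check of `svr_opts.allowblankpass` in the password path was intended and is missing (the only runtime check the patch adds is the one in svr-auth.c for the 'none' method). The patch should make clear which.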
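Review bot: the `-B Allow blank password logins` help line in the svr-runopts.c hunk becomes the only documentation of this behaviour, because the options.h hunk deletes the comment stating that public-key logins to blank-password accounts are allowed regardless of the setting. Restate that, and that `-B` is still overridden by `-s` and by `-g` for root (as the `!svr_opts.noauthpass` and `norootpass` terms in the svr-auth.c condition show), in the help text or the manpage so operators know exactly what `-B` gates.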
> @@ -234,6 +236,9 @@ > case 'g': > svr_opts.norootpass = 1; > break; > + case 'B': > + svr_opts.allowblankpass = 1; > + break; > #endif > case 'h': > printhelp(argv[0]); From alexis-externe.davoux at erdfdistribution.fr Fri Mar 1 00:39:27 2013 From: alexis-externe.davoux at erdfdistribution.fr (Alexis-externe DAVOUX) Date: Thu, 28 Feb 2013 17:39:27 +0100 Subject: Problem with Dropbear/dbclient as SFTP client Message-ID: Hi, I have some trouble with dropbear used as SFTP client. I've set up a SFTP server on my machine, which works fine. I've tested the connection to the server with Filezilla client. I've tried connecting to the SFTP server with dropbear using the command: dbclient -s user at host sftp I can authenticate successfully, and I get the welcome message, but after that I can't do anything: it seems that dbclient is waiting for some command but nothing seems to work. I've tried entering 'ls', 'cd /test', 'get test.txt', 'pwd',... but nothing happens when I validate with enter. How can I use dbclient as SFTP client ? What is the correct syntax ? Thanks in advance, Best regards, Alexis -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20130228/3649c0a7/attachment.htm From jay at peepo.com Fri Mar 1 19:40:51 2013 
From: jay at peepo.com (Jonathan Chetwynd)
Date: Fri, 01 Mar 2013 11:40:51 +0000
Subject: using dbclient in bash script issue
Message-ID: <513093C3.7030105@peepo.com>

Matt,

great stuff! using in Kindle, works fine...

could you please comment?

with the latest patched screen,

$ dbclient -i /mnt/us/id_rsa me at remoteIP -t "screen -x myscreen -X stuff 'cmd'`echo -ne '\015'`"

the command is processed on the remote box

similarly in a bash script, using ssh on RPi, not Kindle

#!/bin/bash
ssh me at remoteIP -t "screen -x myscreen -X stuff 'cmd'`echo -ne '\015'`"

exit

but

#!/bin/bash
dbclient -i /mnt/us/id_rsa me at remoteIP -t "screen -x myscreen -X stuff 'cmd'`echo -ne '\015'`"

exit

opens screen, but does not send command.

what am I missing?

kind regards

Jonathan
--
Jonathan Chetwynd
http://www.gnote.org
Eyetracking in HTML5

From: matt at ucc.asn.au (Matt Johnston)
Date: Fri, 1 Mar 2013 20:46:39 +0800
Subject: Problem with Dropbear/dbclient as SFTP client
In-Reply-To:
References:
Message-ID: <20130301124639.GK9963@ucc.gu.uwa.edu.au>

Hi,

Dropbear doesn't have its own sftp client, but you can use it with the OpenSSH sftp client:

sftp -S dbclient user at host

Cheers,
Matt

On Thu, Feb 28, 2013 at 05:39:27PM +0100, Alexis-externe DAVOUX wrote:
> Hi,
>
> I have some trouble with dropbear used as SFTP client.
>
> I've set up a SFTP server on my machine, which works fine. I've tested the
> connection to the server with Filezilla client.
> I've tried connecting to the SFTP server with dropbear using the command:
>
> dbclient -s user at host sftp
>
> I can authenticate successfully, and I get the welcome message, but after
> that I can't do anything: it seems that dbclient is waiting for some
> command but nothing seems to work. I've tried entering 'ls', 'cd /test',
> 'get test.txt', 'pwd',... but nothing happens when I validate with enter.
>
> How can I use dbclient as SFTP client ? What is the correct syntax ?
>
> Thanks in advance,
> Best regards,
>
> Alexis

From: jay at peepo.com (Jonathan Chetwynd)
Date: Fri, 01 Mar 2013 13:23:33 +0000
Subject: using dbclient in bash script issue
In-Reply-To: <513093C3.7030105@peepo.com>
References: <513093C3.7030105@peepo.com>
Message-ID: <5130ABD5.9030505@peepo.com>

wfm...

oops looking into this further

apologies for spam

~:"

On 01/03/13 11:40, Jonathan Chetwynd wrote:
> Matt,
>
> great stuff! using in Kindle, works fine...
>
> could you please comment?
>
> with the latest patched screen,
>
> $ dbclient -i /mnt/us/id_rsa me at remoteIP -t "screen -x myscreen -X
> stuff 'cmd'`echo -ne '\015'`"
>
> the command is processed on the remote box
>
> similarly in a bash script, using ssh on RPi, not Kindle
>
> #!/bin/bash
> ssh me at remoteIP -t "screen -x myscreen -X stuff 'cmd'`echo -ne '\015'`"
>
> exit
>
> but
>
> #!/bin/bash
> dbclient -i /mnt/us/id_rsa me at remoteIP -t "screen -x myscreen -X
> stuff 'cmd'`echo -ne '\015'`"
>
> exit
>
> opens screen, but does not send command.
>
> what am I missing?
>
> kind regards
>
> Jonathan
>

--
Jonathan Chetwynd
http://www.gnote.org
Eyetracking in HTML5

From: alexis-externe.davoux at erdfdistribution.fr (Alexis-externe DAVOUX)
Date: Fri, 1 Mar 2013 14:47:05 +0100
Subject: Problem with Dropbear/dbclient as SFTP client
In-Reply-To: <20130301124639.GK9963@ucc.gu.uwa.edu.au>
References: <20130301124639.GK9963@ucc.gu.uwa.edu.au>
Message-ID:

Hi Matt,

Thanks for your quick answer.
If I understand correctly, the dbclient establishes the underlying SSH connection with the SFTP server, but does not implement a whole SFTP client.
So I have to use a separate sftp client (such as sftp from OpenSSH), which can rely on Dropbear to establish the SSH connection with the server.

OK, this is clearer now, thanks. I think that a mention of this on your website or in the Readme file could be useful.

Best regards,

Alexis

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20130301/673cdf67/attachment.htm

From: matt at ucc.asn.au (Matt Johnston)
Date: Sun, 3 Mar 2013 11:48:18 +0800
Subject: Problem with Dropbear/dbclient as SFTP client
In-Reply-To:
References: <20130301124639.GK9963@ucc.gu.uwa.edu.au>
Message-ID: <20130303034818.GL9963@ucc.gu.uwa.edu.au>

On Fri, Mar 01, 2013 at 02:47:05PM +0100, Alexis-externe DAVOUX wrote:
> Hi Matt,
>
> Thanks for your quick answer.
> If I understand correctly, the dbclient establishes the underlying SSH
> connection with the SFTP server, but does not implement a whole SFTP
> client.
> So I have to use a separate sftp client (such as sftp from OpenSSH), which
> can rely on Dropbear to establish the SSH connection with the server.

Yes, that's right.

> OK, this is clearer now, thanks. I think that a mention of this on your
> website or in the Readme file could be useful.

That's a good point, I've mentioned it in the manpage now.

Cheers,
Matt

From: matt at ucc.asn.au (Matt Johnston)
Date: Thu, 21 Mar 2013 23:40:46 +0800
Subject: Dropbear 2013.56 released
Message-ID: <20130321154046.GA31979@ucc.gu.uwa.edu.au>

Hi all,

Dropbear 2013.56 is now released, with a mix of features and bug fixes. Download as usual at https://matt.ucc.asn.au/dropbear/dropbear.html

I've also set up a github mirror of the Dropbear mercurial repository at https://github.com/mkj/dropbear . It'll be read-only but might be of use to the various forks.

Cheers,
Matt

2013.56 - Thursday 21 March 2013

- Allow specifying cipher (-c) and MAC (-m) lists for dbclient
- Allow using 'none' cipher or MAC (off by default, use options.h). Encryption is used during authentication then disabled, similar to OpenSSH HPN mode
- Allow a user in immediately if the account has a blank password and blank passwords are enabled
- Include a few extra sources of entropy from /proc on Linux, hash private keys as well. Dropbear will also write gathered entropy back into /dev/urandom
- Added hmac-sha2-256 and hmac-sha2-512 support (off by default, use options.h)
- Don't send bad address "localhost" for -R forward connections, reported by Denis Bider
- Add "-B" runtime option to allow blank passwords
- Allow using IPv6 bracket notation for addresses in server "-p" option, from Ben Jencks
- A few improvements for Android from Reimar Döffinger
- Fix memory leak for TCP forwarded connections to hosts that timed out, reported by Norbert Benczúr. Appears to be a very long-standing bug.
- Fix "make clean" for out of tree builds
- Fix compilation when ENABLE_{SVR,CLI}_AGENTFWD are unset

From: rob at landley.net (Rob Landley)
Date: Thu, 21 Mar 2013 23:33:36 -0500
Subject: Dropbear 2013.56 released
In-Reply-To: <20130321154046.GA31979@ucc.gu.uwa.edu.au> (from matt@ucc.asn.au on Thu Mar 21 10:40:46 2013)
References: <20130321154046.GA31979@ucc.gu.uwa.edu.au>
Message-ID: <1363926816.15703.55@driftwood>

On 03/21/2013 10:40:46 AM, Matt Johnston wrote:
> Hi all,
>
> Dropbear 2013.56 is now released, with a mix of features and
> bug fixes. Download as usual at
> https://matt.ucc.asn.au/dropbear/dropbear.html
>
> I've also set up a github mirror of the Dropbear mercurial
> repository at https://github.com/mkj/dropbear . It'll be
> read-only but might be of use to the various forks.

What are you using to mirror it?

Rob

From: matt at ucc.asn.au (Matt Johnston)
Date: Fri, 22 Mar 2013 13:38:40 +0800
Subject: Dropbear 2013.56 released
In-Reply-To: <1363926816.15703.55@driftwood>
References: <20130321154046.GA31979@ucc.gu.uwa.edu.au> <1363926816.15703.55@driftwood>
Message-ID:

Hg-Git, http://hg-git.github.com/

Matt

Rob Landley wrote:
>On 03/21/2013 10:40:46 AM, Matt Johnston wrote:
>> Hi all,
>>
>> Dropbear 2013.56 is now released, with a mix of features and
>> bug fixes. Download as usual at
>> https://matt.ucc.asn.au/dropbear/dropbear.html
>>
>> I've also set up a github mirror of the Dropbear mercurial
>> repository at https://github.com/mkj/dropbear . It'll be
>> read-only but might be of use to the various forks.
>
>What are you using to mirror it?
>
>Rob

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20130322/64156bcc/attachment.htm

From: vapier at gentoo.org (Mike Frysinger) Date: Sat, 23 Mar 2013 03:06:09 -0400 Subject: [PATCH] use AC_USE_SYSTEM_EXTENSIONS instead Message-ID: <07c3eff1abdaf1417333.1364022369@localhost> # HG changeset patch # User Mike Frysinger # Date 1364022293 14400 # Node ID 07c3eff1abdaf14173330e3b17657ad46474064c # Parent 63f8d6c469cf51624c9a48dbac1f2ae9b4cd82b6 use AC_USE_SYSTEM_EXTENSIONS instead The current scp code uses vasprintf which is a GNU extension, but doesn't define _GNU_SOURCE for it. Instead of getting into that mess though, use the autoconf AC_USE_SYSTEM_EXTENSIONS macro to automatically enable all the extra fun stuff for us. diff -r 63f8d6c469cf -r 07c3eff1abda configure.in --- a/configure.in Thu May 17 00:26:12 2012 +0800 +++ b/configure.in Sat Mar 23 03:04:53 2013 -0400 @@ -24,7 +24,7 @@ fi # large file support is useful for scp -AC_SYS_LARGEFILE +AC_USE_SYSTEM_EXTENSIONS # Host specific options # this isn't a definitive list of hosts, they are just added as required From vapier at gentoo.org Sat Mar 23 15:07:59 2013 From: vapier at gentoo.org (Mike Frysinger) Date: Sat, 23 Mar 2013 03:07:59 -0400 Subject: [PATCH] rename configure.in -> configure.ac Message-ID: <43d1ef763b32a83d3bbd.1364022479@localhost> # HG changeset patch # User Mike Frysinger # Date 1364022466 14400 # Node ID 43d1ef763b32a83d3bbd52720a754c9d5231a122 # Parent 07c3eff1abdaf14173330e3b17657ad46474064c rename configure.in -> configure.ac Latest autotools warn now if the file is named configure.in diff -r 07c3eff1abda -r 43d1ef763b32 configure.ac --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/configure.ac Sat Mar 23 03:07:46 2013 -0400 
@@ -0,0 +1,702 @@ +# -*- Autoconf -*- +# Process this file with autoconf and autoheader to produce a configure script. + +# This Autoconf file was cobbled from various locations. In particular, a bunch +# of the platform checks have been taken straight from OpenSSH's configure.ac +# Huge thanks to them for dealing with the horrible platform-specifics :) + +AC_PREREQ(2.50) +AC_INIT(buffer.c) + +OLDCFLAGS=$CFLAGS +# Checks for programs. +AC_PROG_CC +AC_PROG_MAKE_SET + +if test -z "$LD" ; then + LD=$CC +fi +AC_SUBST(LD) + +if test -z "$OLDCFLAGS" && test "$GCC" = "yes"; then + AC_MSG_NOTICE(No \$CFLAGS set... using "-Os -W -Wall" for GCC) + CFLAGS="-Os -W -Wall" +fi + +# large file support is useful for scp +AC_USE_SYSTEM_EXTENSIONS + +# Host specific options +# this isn't a definitive list of hosts, they are just added as required +AC_CANONICAL_HOST + +case "$host" in + +*-*-linux*) + no_ptmx_check=1 + ;; + +*-*-solaris*) + CFLAGS="$CFLAGS -I/usr/local/include" + LDFLAGS="$LDFLAGS -L/usr/local/lib -R/usr/local/lib" + conf_lastlog_location="/var/adm/lastlog" + AC_MSG_CHECKING(for obsolete utmp and wtmp in solaris2.x) + sol2ver=`echo "$host"| sed -e 's/.*[[0-9]]\.//'` + if test "$sol2ver" -ge 8; then + AC_MSG_RESULT(yes) + AC_DEFINE(DISABLE_UTMP,,Disable utmp) + AC_DEFINE(DISABLE_WTMP,,Disable wtmp) + else + AC_MSG_RESULT(no) + fi + AC_CHECK_LIB(socket, socket, LIBS="$LIBS -lsocket") + AC_CHECK_LIB(nsl, yp_match, LIBS="$LIBS -lnsl") + ;; + +*-*-aix*) + AC_DEFINE(AIX,,Using AIX) + # OpenSSH thinks it's broken. If it isn't, let me know. + AC_DEFINE(BROKEN_GETADDRINFO,,Broken getaddrinfo) + ;; + +*-*-hpux*) + LIBS="$LIBS -lsec" + # It's probably broken. 
+ AC_DEFINE(BROKEN_GETADDRINFO,,Broken getaddrinfo) + ;; +*-dec-osf*) + AC_DEFINE(BROKEN_GETADDRINFO,,Broken getaddrinfo) + ;; +esac + +AC_CHECK_TOOL(AR, ar, :) +AC_CHECK_TOOL(RANLIB, ranlib, :) +AC_CHECK_TOOL(STRIP, strip, :) +AC_CHECK_TOOL(INSTALL, install, :) + +dnl Can't use login() or logout() with uclibc +AC_CHECK_DECL(__UCLIBC__, + [ + no_loginfunc_check=1 + AC_MSG_NOTICE([Using uClibc - login() and logout() probably don't work, so we won't use them.]) + ],,,) + +# Checks for libraries. +AC_CHECK_LIB(crypt, crypt, CRYPTLIB="-lcrypt") +AC_SUBST(CRYPTLIB) + +# Check if zlib is needed +AC_ARG_WITH(zlib, + [ --with-zlib=PATH Use zlib in PATH], + [ + # option is given + if test -d "$withval/lib"; then + LDFLAGS="-L${withval}/lib ${LDFLAGS}" + else + LDFLAGS="-L${withval} ${LDFLAGS}" + fi + if test -d "$withval/include"; then + CPPFLAGS="-I${withval}/include ${CPPFLAGS}" + else + CPPFLAGS="-I${withval} ${CPPFLAGS}" + fi + ] +) + +AC_ARG_ENABLE(zlib, + [ --disable-zlib Don't include zlib support], + [ + if test "x$enableval" = "xno"; then + AC_DEFINE(DISABLE_ZLIB,, Use zlib) + AC_MSG_NOTICE(Disabling zlib) + else + AC_CHECK_LIB(z, deflate, , AC_MSG_ERROR([*** zlib missing - install first or check config.log ***])) + AC_MSG_NOTICE(Enabling zlib) + fi + ], + [ + # if not disabled, check for zlib + AC_CHECK_LIB(z, deflate, , AC_MSG_ERROR([*** zlib missing - install first or check config.log ***])) + AC_MSG_NOTICE(Enabling zlib) + ] +) + +# Check if pam is needed +AC_ARG_WITH(pam, + [ --with-pam=PATH Use pam in PATH], + [ + # option is given + if test -d "$withval/lib"; then + LDFLAGS="-L${withval}/lib ${LDFLAGS}" + else + LDFLAGS="-L${withval} ${LDFLAGS}" + fi + if test -d "$withval/include"; then + CPPFLAGS="-I${withval}/include ${CPPFLAGS}" + else + CPPFLAGS="-I${withval} ${CPPFLAGS}" + fi + ] +) + + +AC_ARG_ENABLE(pam, + [ --enable-pam Try to include PAM support], + [ + if test "x$enableval" = "xyes"; then + AC_CHECK_LIB(pam, pam_authenticate, , AC_MSG_ERROR([*** 
PAM missing - install first or check config.log ***])) + AC_MSG_NOTICE(Enabling PAM) + AC_CHECK_FUNCS(pam_fail_delay) + else + AC_DEFINE(DISABLE_PAM,, Use PAM) + AC_MSG_NOTICE(Disabling PAM) + fi + ], + [ + # disable it by default + AC_DEFINE(DISABLE_PAM,, Use PAM) + AC_MSG_NOTICE(Disabling PAM) + ] +) + +AC_ARG_ENABLE(openpty, + [ --disable-openpty Don't use openpty, use alternative method], + [ + if test "x$enableval" = "xno"; then + AC_MSG_NOTICE(Not using openpty) + else + AC_MSG_NOTICE(Using openpty if available) + AC_SEARCH_LIBS(openpty, util, [AC_DEFINE(HAVE_OPENPTY,,Have openpty() function)]) + fi + ], + [ + AC_MSG_NOTICE(Using openpty if available) + AC_SEARCH_LIBS(openpty, util, [AC_DEFINE(HAVE_OPENPTY)]) + ] +) + + +AC_ARG_ENABLE(syslog, + [ --disable-syslog Don't include syslog support], + [ + if test "x$enableval" = "xno"; then + AC_DEFINE(DISABLE_SYSLOG,, Using syslog) + AC_MSG_NOTICE(Disabling syslog) + else + AC_MSG_NOTICE(Enabling syslog) + fi + ], + [ + AC_MSG_NOTICE(Enabling syslog) + ] +) + +AC_ARG_ENABLE(shadow, + [ --disable-shadow Don't use shadow passwords (if available)], + [ + if test "x$enableval" = "xno"; then + AC_MSG_NOTICE(Not using shadow passwords) + else + AC_CHECK_HEADERS([shadow.h]) + AC_MSG_NOTICE(Using shadow passwords if available) + fi + ], + [ + AC_CHECK_HEADERS([shadow.h]) + AC_MSG_NOTICE(Using shadow passwords if available) + ] +) + + +# Checks for header files. +AC_HEADER_STDC +AC_HEADER_SYS_WAIT +AC_CHECK_HEADERS([fcntl.h limits.h netinet/in.h netinet/tcp.h stdlib.h string.h sys/socket.h sys/time.h termios.h unistd.h crypt.h pty.h ioctl.h libutil.h libgen.h inttypes.h stropts.h utmp.h utmpx.h lastlog.h paths.h util.h netdb.h security/pam_appl.h pam/pam_appl.h netinet/in_systm.h]) + +# Checks for typedefs, structures, and compiler characteristics. 
+AC_C_CONST +AC_TYPE_UID_T +AC_TYPE_MODE_T +AC_TYPE_PID_T +AC_TYPE_SIZE_T +AC_HEADER_TIME + +AC_CHECK_TYPES([uint16_t, u_int16_t, struct sockaddr_storage]) +AC_CHECK_TYPE([socklen_t], ,[ + AC_MSG_CHECKING([for socklen_t equivalent]) + AC_CACHE_VAL([curl_cv_socklen_t_equiv], + [ + # Systems have either "struct sockaddr *" or + # "void *" as the second argument to getpeername + curl_cv_socklen_t_equiv= + for arg2 in "struct sockaddr" void; do + for t in int size_t unsigned long "unsigned long"; do + AC_TRY_COMPILE([ + #include + #include + + int getpeername (int, $arg2 *, $t *); + ],[ + $t len; + getpeername(0,0,&len); + ],[ + curl_cv_socklen_t_equiv="$t" + break + ]) + done + done + + if test "x$curl_cv_socklen_t_equiv" = x; then + AC_MSG_ERROR([Cannot find a type to use in place of socklen_t]) + fi + ]) + AC_MSG_RESULT($curl_cv_socklen_t_equiv) + AC_DEFINE_UNQUOTED(socklen_t, $curl_cv_socklen_t_equiv, + [type to use in place of socklen_t if not defined])], + [#include + #include ]) + +# for the fake-rfc2553 stuff - straight from OpenSSH + +AC_CACHE_CHECK([for struct sockaddr_storage], ac_cv_have_struct_sockaddr_storage, [ + AC_TRY_COMPILE( + [ +#include +#include + ], + [ struct sockaddr_storage s; ], + [ ac_cv_have_struct_sockaddr_storage="yes" ], + [ ac_cv_have_struct_sockaddr_storage="no" ] + ) +]) +if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then + AC_DEFINE(HAVE_STRUCT_SOCKADDR_STORAGE) +fi + +AC_CACHE_CHECK([for struct sockaddr_in6], ac_cv_have_struct_sockaddr_in6, [ + AC_TRY_COMPILE( + [ +#include +#include + ], + [ struct sockaddr_in6 s; s.sin6_family = 0; ], + [ ac_cv_have_struct_sockaddr_in6="yes" ], + [ ac_cv_have_struct_sockaddr_in6="no" ] + ) +]) +if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then + AC_DEFINE(HAVE_STRUCT_SOCKADDR_IN6,,Have struct sockaddr_in6) +fi + +AC_CACHE_CHECK([for struct in6_addr], ac_cv_have_struct_in6_addr, [ + AC_TRY_COMPILE( + [ +#include +#include + ], + [ struct in6_addr s; s.s6_addr[0] = 0; ], + [ 
ac_cv_have_struct_in6_addr="yes" ], + [ ac_cv_have_struct_in6_addr="no" ] + ) +]) +if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then + AC_DEFINE(HAVE_STRUCT_IN6_ADDR,,Have struct in6_addr) +fi + +AC_CACHE_CHECK([for struct addrinfo], ac_cv_have_struct_addrinfo, [ + AC_TRY_COMPILE( + [ +#include +#include +#include + ], + [ struct addrinfo s; s.ai_flags = AI_PASSIVE; ], + [ ac_cv_have_struct_addrinfo="yes" ], + [ ac_cv_have_struct_addrinfo="no" ] + ) +]) +if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then + AC_DEFINE(HAVE_STRUCT_ADDRINFO,,Have struct addrinfo) +fi + + +# IRIX has a const char return value for gai_strerror() +AC_CHECK_FUNCS(gai_strerror,[ + AC_DEFINE(HAVE_GAI_STRERROR) + AC_TRY_COMPILE([ +#include +#include +#include + +const char *gai_strerror(int);],[ +char *str; + +str = gai_strerror(0);],[ + AC_DEFINE(HAVE_CONST_GAI_STRERROR_PROTO, 1, + [Define if gai_strerror() returns const char *])])]) + +# for loginrec.c + +AC_CHECK_MEMBERS([struct utmp.ut_host, struct utmp.ut_pid, struct utmp.ut_type, struct utmp.ut_tv, struct utmp.ut_id, struct utmp.ut_addr, struct utmp.ut_addr_v6, struct utmp.ut_exit, struct utmp.ut_time],,,[ +#include +#if HAVE_UTMP_H +#include +#endif +]) + +AC_CHECK_MEMBERS([struct utmpx.ut_host, struct utmpx.ut_syslen, struct utmpx.ut_type, struct utmpx.ut_id, struct utmpx.ut_addr, struct utmpx.ut_addr_v6, struct utmpx.ut_time, struct utmpx.ut_tv],,,[ +#include +#include +#if HAVE_UTMPX_H +#include +#endif +]) + +AC_CHECK_MEMBERS([struct sockaddr_storage.ss_family],,,[ +#include +#include +]) + +AC_CHECK_FUNCS(endutent getutent getutid getutline pututline setutent) +AC_CHECK_FUNCS(utmpname) +AC_CHECK_FUNCS(endutxent getutxent getutxid getutxline pututxline ) +AC_CHECK_FUNCS(setutxent utmpxname) +AC_CHECK_FUNCS(logout updwtmp logwtmp) + +AC_ARG_ENABLE(bundled-libtom, + [ --enable-bundled-libtom Use bundled libtomcrypt/libtommath even if a system version exists], + [ + BUNDLED_LIBTOM=1 + AC_MSG_NOTICE(Forcing bundled libtom*) + 
], + [ + BUNDLED_LIBTOM=0 + AC_CHECK_LIB(tomcrypt, register_cipher, , BUNDLED_LIBTOM=1) + AC_CHECK_LIB(tommath, mp_exptmod, , BUNDLED_LIBTOM=1) + ] +) + +if test $BUNDLED_LIBTOM = 1 ; then + AC_DEFINE(BUNDLED_LIBTOM,,Use bundled libtom) +fi + +AC_SUBST(BUNDLED_LIBTOM) + +dnl Added from OpenSSH 3.6.1p2's configure.ac + +dnl allow user to disable some login recording features +AC_ARG_ENABLE(lastlog, + [ --disable-lastlog Disable use of lastlog even if detected [no]], + [ AC_DEFINE(DISABLE_LASTLOG,,Disable use of lastlog()) ] +) +AC_ARG_ENABLE(utmp, + [ --disable-utmp Disable use of utmp even if detected [no]], + [ AC_DEFINE(DISABLE_UTMP,,Disable use of utmp) ] +) +AC_ARG_ENABLE(utmpx, + [ --disable-utmpx Disable use of utmpx even if detected [no]], + [ AC_DEFINE(DISABLE_UTMPX,,Disable use of utmpx) ] +) +AC_ARG_ENABLE(wtmp, + [ --disable-wtmp Disable use of wtmp even if detected [no]], + [ AC_DEFINE(DISABLE_WTMP,,Disable use of wtmp) ] +) +AC_ARG_ENABLE(wtmpx, + [ --disable-wtmpx Disable use of wtmpx even if detected [no]], + [ AC_DEFINE(DISABLE_WTMPX,,Disable use of wtmpx) ] +) +AC_ARG_ENABLE(loginfunc, + [ --disable-loginfunc Disable use of login() etc. [no]], + [ no_loginfunc_check=1 + AC_MSG_NOTICE(Not using login() etc) ] +) +AC_ARG_ENABLE(pututline, + [ --disable-pututline Disable use of pututline() etc. ([uw]tmp) [no]], + [ AC_DEFINE(DISABLE_PUTUTLINE,,Disable use of pututline()) ] +) +AC_ARG_ENABLE(pututxline, + [ --disable-pututxline Disable use of pututxline() etc. 
([uw]tmpx) [no]], + [ AC_DEFINE(DISABLE_PUTUTXLINE,,Disable use of pututxline()) ] +) +AC_ARG_WITH(lastlog, + [ --with-lastlog=FILE|DIR specify lastlog location [common locations]], + [ + if test "x$withval" = "xno" ; then + AC_DEFINE(DISABLE_LASTLOG) + else + conf_lastlog_location=$withval + fi + ] +) + +if test -z "$no_loginfunc_check"; then + dnl Checks for libutil functions (login(), logout() etc, not openpty() ) + AC_SEARCH_LIBS(login, util bsd, [AC_DEFINE(HAVE_LOGIN,,Have login() function)]) + AC_CHECK_FUNCS(logout updwtmp logwtmp) +fi + +dnl lastlog, [uw]tmpx? detection +dnl NOTE: set the paths in the platform section to avoid the +dnl need for command-line parameters +dnl lastlog and [uw]tmp are subject to a file search if all else fails + +dnl lastlog detection +dnl NOTE: the code itself will detect if lastlog is a directory +AC_MSG_CHECKING([if your system defines LASTLOG_FILE]) +AC_TRY_COMPILE([ +#include +#include +#ifdef HAVE_LASTLOG_H +# include +#endif +#ifdef HAVE_PATHS_H +# include +#endif +#ifdef HAVE_LOGIN_H +# include +#endif + ], + [ char *lastlog = LASTLOG_FILE; ], + [ AC_MSG_RESULT(yes) ], + [ + AC_MSG_RESULT(no) + AC_MSG_CHECKING([if your system defines _PATH_LASTLOG]) + AC_TRY_COMPILE([ +#include +#include +#ifdef HAVE_LASTLOG_H +# include +#endif +#ifdef HAVE_PATHS_H +# include +#endif + ], + [ char *lastlog = _PATH_LASTLOG; ], + [ AC_MSG_RESULT(yes) ], + [ + AC_MSG_RESULT(no) + system_lastlog_path=no + ]) + ] +) + +if test -z "$conf_lastlog_location"; then + if test x"$system_lastlog_path" = x"no" ; then + for f in /var/log/lastlog /usr/adm/lastlog /var/adm/lastlog /etc/security/lastlog ; do + if (test -d "$f" || test -f "$f") ; then + conf_lastlog_location=$f + fi + done + if test -z "$conf_lastlog_location"; then + AC_MSG_WARN([** Cannot find lastlog **]) + dnl Don't define DISABLE_LASTLOG - that means we don't try wtmp/wtmpx + fi + fi +fi + +if test -n "$conf_lastlog_location"; then + AC_DEFINE_UNQUOTED(CONF_LASTLOG_FILE, 
"$conf_lastlog_location", lastlog file location) +fi + +dnl utmp detection +AC_MSG_CHECKING([if your system defines UTMP_FILE]) +AC_TRY_COMPILE([ +#include +#include +#ifdef HAVE_PATHS_H +# include +#endif + ], + [ char *utmp = UTMP_FILE; ], + [ AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) + system_utmp_path=no ] +) +if test -z "$conf_utmp_location"; then + if test x"$system_utmp_path" = x"no" ; then + for f in /etc/utmp /usr/adm/utmp /var/run/utmp; do + if test -f $f ; then + conf_utmp_location=$f + fi + done + if test -z "$conf_utmp_location"; then + AC_DEFINE(DISABLE_UTMP) + fi + fi +fi +if test -n "$conf_utmp_location"; then + AC_DEFINE_UNQUOTED(CONF_UTMP_FILE, "$conf_utmp_location", utmp file location) +fi + +dnl wtmp detection +AC_MSG_CHECKING([if your system defines WTMP_FILE]) +AC_TRY_COMPILE([ +#include +#include +#ifdef HAVE_PATHS_H +# include +#endif + ], + [ char *wtmp = WTMP_FILE; ], + [ AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) + system_wtmp_path=no ] +) +if test -z "$conf_wtmp_location"; then + if test x"$system_wtmp_path" = x"no" ; then + for f in /usr/adm/wtmp /var/log/wtmp; do + if test -f $f ; then + conf_wtmp_location=$f + fi + done + if test -z "$conf_wtmp_location"; then + AC_DEFINE(DISABLE_WTMP) + fi + fi +fi +if test -n "$conf_wtmp_location"; then + AC_DEFINE_UNQUOTED(CONF_WTMP_FILE, "$conf_wtmp_location", wtmp file location) +fi + + +dnl utmpx detection - I don't know any system so perverse as to require +dnl utmpx, but not define UTMPX_FILE (ditto wtmpx.) No doubt it's out +dnl there, though. 
+AC_MSG_CHECKING([if your system defines UTMPX_FILE]) +AC_TRY_COMPILE([ +#include +#include +#ifdef HAVE_UTMPX_H +#include +#endif +#ifdef HAVE_PATHS_H +# include +#endif + ], + [ char *utmpx = UTMPX_FILE; ], + [ AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) + system_utmpx_path=no ] +) +if test -z "$conf_utmpx_location"; then + if test x"$system_utmpx_path" = x"no" ; then + AC_DEFINE(DISABLE_UTMPX) + fi +else + AC_DEFINE_UNQUOTED(CONF_UTMPX_FILE, "$conf_utmpx_location", utmpx file location) +fi + +dnl wtmpx detection +AC_MSG_CHECKING([if your system defines WTMPX_FILE]) +AC_TRY_COMPILE([ +#include +#include +#ifdef HAVE_UTMPX_H +#include +#endif +#ifdef HAVE_PATHS_H +# include +#endif + ], + [ char *wtmpx = WTMPX_FILE; ], + [ AC_MSG_RESULT(yes) ], + [ AC_MSG_RESULT(no) + system_wtmpx_path=no ] +) +if test -z "$conf_wtmpx_location"; then + if test x"$system_wtmpx_path" = x"no" ; then + AC_DEFINE(DISABLE_WTMPX) + fi +else + AC_DEFINE_UNQUOTED(CONF_WTMPX_FILE, "$conf_wtmpx_location", wtmpx file location) +fi + +# Checks for library functions. 
+AC_PROG_GCC_TRADITIONAL +AC_FUNC_MEMCMP +AC_FUNC_SELECT_ARGTYPES +AC_TYPE_SIGNAL +AC_CHECK_FUNCS([dup2 getspnam getusershell memset putenv select socket strdup clearenv strlcpy strlcat daemon basename _getpty getaddrinfo freeaddrinfo getnameinfo fork]) + +AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME)) + +# Solaris needs ptmx +if test -z "$no_ptmx_check" ; then + if test x"$cross_compiling" = x"no" ; then + AC_CHECK_FILE("/dev/ptmx", AC_DEFINE(USE_DEV_PTMX,,Use /dev/ptmx)) + else + AC_MSG_NOTICE([Not checking for /dev/ptmx, we're cross-compiling]) + fi +fi + +if test -z "$no_ptc_check" ; then + if test x"$cross_compiling" = x"no" ; then + AC_CHECK_FILE("/dev/ptc", AC_DEFINE(HAVE_DEV_PTS_AND_PTC,,Use /dev/ptc & /dev/pts)) + else + AC_MSG_NOTICE([Not checking for /dev/ptc & /dev/pts since we're cross-compiling]) + fi +fi + +AC_EXEEXT + +# XXX there must be a nicer way to do this +AS_MKDIR_P(libtomcrypt/src/ciphers/aes) +AS_MKDIR_P(libtomcrypt/src/ciphers/safer) +AS_MKDIR_P(libtomcrypt/src/ciphers/twofish) +AS_MKDIR_P(libtomcrypt/src/encauth/ccm) +AS_MKDIR_P(libtomcrypt/src/encauth/eax) +AS_MKDIR_P(libtomcrypt/src/encauth/gcm) +AS_MKDIR_P(libtomcrypt/src/encauth/ocb) +AS_MKDIR_P(libtomcrypt/src/hashes) +AS_MKDIR_P(libtomcrypt/src/hashes/chc) +AS_MKDIR_P(libtomcrypt/src/hashes/helper) +AS_MKDIR_P(libtomcrypt/src/hashes/sha2) +AS_MKDIR_P(libtomcrypt/src/hashes/whirl) +AS_MKDIR_P(libtomcrypt/src/mac/hmac) +AS_MKDIR_P(libtomcrypt/src/mac/omac) +AS_MKDIR_P(libtomcrypt/src/mac/pelican) +AS_MKDIR_P(libtomcrypt/src/mac/pmac) +AS_MKDIR_P(libtomcrypt/src/mac/f9) +AS_MKDIR_P(libtomcrypt/src/mac/xcbc) +AS_MKDIR_P(libtomcrypt/src/math/fp) +AS_MKDIR_P(libtomcrypt/src/misc/base64) +AS_MKDIR_P(libtomcrypt/src/misc/crypt) +AS_MKDIR_P(libtomcrypt/src/misc/mpi) +AS_MKDIR_P(libtomcrypt/src/misc/pkcs5) +AS_MKDIR_P(libtomcrypt/src/modes/cbc) +AS_MKDIR_P(libtomcrypt/src/modes/cfb) +AS_MKDIR_P(libtomcrypt/src/modes/ctr) +AS_MKDIR_P(libtomcrypt/src/modes/ecb) 
+AS_MKDIR_P(libtomcrypt/src/modes/ofb) +AS_MKDIR_P(libtomcrypt/src/modes/f8) +AS_MKDIR_P(libtomcrypt/src/modes/lrw) +AS_MKDIR_P(libtomcrypt/src/pk/asn1/der/bit) +AS_MKDIR_P(libtomcrypt/src/pk/asn1/der/choice) +AS_MKDIR_P(libtomcrypt/src/pk/asn1/der/ia5) +AS_MKDIR_P(libtomcrypt/src/pk/asn1/der/integer) +AS_MKDIR_P(libtomcrypt/src/pk/asn1/der/object_identifier) +AS_MKDIR_P(libtomcrypt/src/pk/asn1/der/octet) +AS_MKDIR_P(libtomcrypt/src/pk/asn1/der/printable_string) +AS_MKDIR_P(libtomcrypt/src/pk/asn1/der/sequence) +AS_MKDIR_P(libtomcrypt/src/pk/asn1/der/short_integer) +AS_MKDIR_P(libtomcrypt/src/pk/asn1/der/utctime) +AS_MKDIR_P(libtomcrypt/src/pk/dh) +AS_MKDIR_P(libtomcrypt/src/pk/dsa) +AS_MKDIR_P(libtomcrypt/src/pk/ecc) +AS_MKDIR_P(libtomcrypt/src/pk/pkcs1) +AS_MKDIR_P(libtomcrypt/src/pk/rsa) +AS_MKDIR_P(libtomcrypt/src/prng) +AC_CONFIG_HEADER(config.h) +AC_OUTPUT(Makefile) +AC_OUTPUT(libtomcrypt/Makefile) +AC_OUTPUT(libtommath/Makefile) + +AC_MSG_NOTICE() +if test $BUNDLED_LIBTOM = 1 ; then +AC_MSG_NOTICE(Using bundled libtomcrypt and libtommath) +else +AC_MSG_NOTICE(Using system libtomcrypt and libtommath) +fi + +AC_MSG_NOTICE() +AC_MSG_NOTICE(Now edit options.h to choose features.) diff -r 07c3eff1abda -r 43d1ef763b32 configure.in --- a/configure.in Sat Mar 23 03:04:53 2013 -0400 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,702 +0,0 @@ -# -*- Autoconf -*- -# Process this file with autoconf and autoheader to produce a configure script. - -# This Autoconf file was cobbled from various locations. In particular, a bunch -# of the platform checks have been taken straight from OpenSSH's configure.ac -# Huge thanks to them for dealing with the horrible platform-specifics :) - -AC_PREREQ(2.50) -AC_INIT(buffer.c) - -OLDCFLAGS=$CFLAGS -# Checks for programs. -AC_PROG_CC -AC_PROG_MAKE_SET - -if test -z "$LD" ; then - LD=$CC -fi -AC_SUBST(LD) - -if test -z "$OLDCFLAGS" && test "$GCC" = "yes"; then - AC_MSG_NOTICE(No \$CFLAGS set... using "-Os -W -Wall" for GCC) - CFLAGS="-Os -W -Wall" -fi - -# large file support is useful for scp -AC_USE_SYSTEM_EXTENSIONS - -# Host specific options -# this isn't a definitive list of hosts, they are just added as required -AC_CANONICAL_HOST - -case "$host" in - -*-*-linux*) - no_ptmx_check=1 - ;; - -*-*-solaris*) - CFLAGS="$CFLAGS -I/usr/local/include" - LDFLAGS="$LDFLAGS -L/usr/local/lib -R/usr/local/lib" - conf_lastlog_location="/var/adm/lastlog" - AC_MSG_CHECKING(for obsolete utmp and wtmp in solaris2.x) - sol2ver=`echo "$host"| sed -e 's/.*[[0-9]]\.//'` - if test "$sol2ver" -ge 8; then - AC_MSG_RESULT(yes) - AC_DEFINE(DISABLE_UTMP,,Disable utmp) - AC_DEFINE(DISABLE_WTMP,,Disable wtmp) - else - AC_MSG_RESULT(no) - fi - AC_CHECK_LIB(socket, socket, LIBS="$LIBS -lsocket") - AC_CHECK_LIB(nsl, yp_match, LIBS="$LIBS -lnsl") - ;; - -*-*-aix*) - AC_DEFINE(AIX,,Using AIX) - # OpenSSH thinks it's broken. If it isn't, let me know. - AC_DEFINE(BROKEN_GETADDRINFO,,Broken getaddrinfo) - ;; - -*-*-hpux*) - LIBS="$LIBS -lsec" - # It's probably broken. 
- AC_DEFINE(BROKEN_GETADDRINFO,,Broken getaddrinfo) - ;; -*-dec-osf*) - AC_DEFINE(BROKEN_GETADDRINFO,,Broken getaddrinfo) - ;; -esac - -AC_CHECK_TOOL(AR, ar, :) -AC_CHECK_TOOL(RANLIB, ranlib, :) -AC_CHECK_TOOL(STRIP, strip, :) -AC_CHECK_TOOL(INSTALL, install, :) - -dnl Can't use login() or logout() with uclibc -AC_CHECK_DECL(__UCLIBC__, - [ - no_loginfunc_check=1 - AC_MSG_NOTICE([Using uClibc - login() and logout() probably don't work, so we won't use them.]) - ],,,) - -# Checks for libraries. -AC_CHECK_LIB(crypt, crypt, CRYPTLIB="-lcrypt") -AC_SUBST(CRYPTLIB) - -# Check if zlib is needed -AC_ARG_WITH(zlib, - [ --with-zlib=PATH Use zlib in PATH], - [ - # option is given - if test -d "$withval/lib"; then - LDFLAGS="-L${withval}/lib ${LDFLAGS}" - else - LDFLAGS="-L${withval} ${LDFLAGS}" - fi - if test -d "$withval/include"; then - CPPFLAGS="-I${withval}/include ${CPPFLAGS}" - else - CPPFLAGS="-I${withval} ${CPPFLAGS}" - fi - ] -) - -AC_ARG_ENABLE(zlib, - [ --disable-zlib Don't include zlib support], - [ - if test "x$enableval" = "xno"; then - AC_DEFINE(DISABLE_ZLIB,, Use zlib) - AC_MSG_NOTICE(Disabling zlib) - else - AC_CHECK_LIB(z, deflate, , AC_MSG_ERROR([*** zlib missing - install first or check config.log ***])) - AC_MSG_NOTICE(Enabling zlib) - fi - ], - [ - # if not disabled, check for zlib - AC_CHECK_LIB(z, deflate, , AC_MSG_ERROR([*** zlib missing - install first or check config.log ***])) - AC_MSG_NOTICE(Enabling zlib) - ] -) - -# Check if pam is needed -AC_ARG_WITH(pam, - [ --with-pam=PATH Use pam in PATH], - [ - # option is given - if test -d "$withval/lib"; then - LDFLAGS="-L${withval}/lib ${LDFLAGS}" - else - LDFLAGS="-L${withval} ${LDFLAGS}" - fi - if test -d "$withval/include"; then - CPPFLAGS="-I${withval}/include ${CPPFLAGS}" - else - CPPFLAGS="-I${withval} ${CPPFLAGS}" - fi - ] -) - - -AC_ARG_ENABLE(pam, - [ --enable-pam Try to include PAM support], - [ - if test "x$enableval" = "xyes"; then - AC_CHECK_LIB(pam, pam_authenticate, , AC_MSG_ERROR([*** 
PAM missing - install first or check config.log ***])) - AC_MSG_NOTICE(Enabling PAM) - AC_CHECK_FUNCS(pam_fail_delay) - else - AC_DEFINE(DISABLE_PAM,, Use PAM) - AC_MSG_NOTICE(Disabling PAM) - fi - ], - [ - # disable it by default - AC_DEFINE(DISABLE_PAM,, Use PAM) - AC_MSG_NOTICE(Disabling PAM) - ] -) - -AC_ARG_ENABLE(openpty, - [ --disable-openpty Don't use openpty, use alternative method], - [ - if test "x$enableval" = "xno"; then - AC_MSG_NOTICE(Not using openpty) - else - AC_MSG_NOTICE(Using openpty if available) - AC_SEARCH_LIBS(openpty, util, [AC_DEFINE(HAVE_OPENPTY,,Have openpty() function)]) - fi - ], - [ - AC_MSG_NOTICE(Using openpty if available) - AC_SEARCH_LIBS(openpty, util, [AC_DEFINE(HAVE_OPENPTY)]) - ] -) - - -AC_ARG_ENABLE(syslog, - [ --disable-syslog Don't include syslog support], - [ - if test "x$enableval" = "xno"; then - AC_DEFINE(DISABLE_SYSLOG,, Using syslog) - AC_MSG_NOTICE(Disabling syslog) - else - AC_MSG_NOTICE(Enabling syslog) - fi - ], - [ - AC_MSG_NOTICE(Enabling syslog) - ] -) - -AC_ARG_ENABLE(shadow, - [ --disable-shadow Don't use shadow passwords (if available)], - [ - if test "x$enableval" = "xno"; then - AC_MSG_NOTICE(Not using shadow passwords) - else - AC_CHECK_HEADERS([shadow.h]) - AC_MSG_NOTICE(Using shadow passwords if available) - fi - ], - [ - AC_CHECK_HEADERS([shadow.h]) - AC_MSG_NOTICE(Using shadow passwords if available) - ] -) - - -# Checks for header files. -AC_HEADER_STDC -AC_HEADER_SYS_WAIT -AC_CHECK_HEADERS([fcntl.h limits.h netinet/in.h netinet/tcp.h stdlib.h string.h sys/socket.h sys/time.h termios.h unistd.h crypt.h pty.h ioctl.h libutil.h libgen.h inttypes.h stropts.h utmp.h utmpx.h lastlog.h paths.h util.h netdb.h security/pam_appl.h pam/pam_appl.h netinet/in_systm.h]) - -# Checks for typedefs, structures, and compiler characteristics. 
-AC_C_CONST -AC_TYPE_UID_T -AC_TYPE_MODE_T -AC_TYPE_PID_T -AC_TYPE_SIZE_T -AC_HEADER_TIME - -AC_CHECK_TYPES([uint16_t, u_int16_t, struct sockaddr_storage]) -AC_CHECK_TYPE([socklen_t], ,[ - AC_MSG_CHECKING([for socklen_t equivalent]) - AC_CACHE_VAL([curl_cv_socklen_t_equiv], - [ - # Systems have either "struct sockaddr *" or - # "void *" as the second argument to getpeername - curl_cv_socklen_t_equiv= - for arg2 in "struct sockaddr" void; do - for t in int size_t unsigned long "unsigned long"; do - AC_TRY_COMPILE([ - #include - #include - - int getpeername (int, $arg2 *, $t *); - ],[ - $t len; - getpeername(0,0,&len); - ],[ - curl_cv_socklen_t_equiv="$t" - break - ]) - done - done - - if test "x$curl_cv_socklen_t_equiv" = x; then - AC_MSG_ERROR([Cannot find a type to use in place of socklen_t]) - fi - ]) - AC_MSG_RESULT($curl_cv_socklen_t_equiv) - AC_DEFINE_UNQUOTED(socklen_t, $curl_cv_socklen_t_equiv, - [type to use in place of socklen_t if not defined])], - [#include - #include ]) - -# for the fake-rfc2553 stuff - straight from OpenSSH - -AC_CACHE_CHECK([for struct sockaddr_storage], ac_cv_have_struct_sockaddr_storage, [ - AC_TRY_COMPILE( - [ -#include -#include - ], - [ struct sockaddr_storage s; ], - [ ac_cv_have_struct_sockaddr_storage="yes" ], - [ ac_cv_have_struct_sockaddr_storage="no" ] - ) -]) -if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then - AC_DEFINE(HAVE_STRUCT_SOCKADDR_STORAGE) -fi - -AC_CACHE_CHECK([for struct sockaddr_in6], ac_cv_have_struct_sockaddr_in6, [ - AC_TRY_COMPILE( - [ -#include -#include - ], - [ struct sockaddr_in6 s; s.sin6_family = 0; ], - [ ac_cv_have_struct_sockaddr_in6="yes" ], - [ ac_cv_have_struct_sockaddr_in6="no" ] - ) -]) -if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then - AC_DEFINE(HAVE_STRUCT_SOCKADDR_IN6,,Have struct sockaddr_in6) -fi - -AC_CACHE_CHECK([for struct in6_addr], ac_cv_have_struct_in6_addr, [ - AC_TRY_COMPILE( - [ -#include -#include - ], - [ struct in6_addr s; s.s6_addr[0] = 0; ], - [ 
ac_cv_have_struct_in6_addr="yes" ], - [ ac_cv_have_struct_in6_addr="no" ] - ) -]) -if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then - AC_DEFINE(HAVE_STRUCT_IN6_ADDR,,Have struct in6_addr) -fi - -AC_CACHE_CHECK([for struct addrinfo], ac_cv_have_struct_addrinfo, [ - AC_TRY_COMPILE( - [ -#include -#include -#include - ], - [ struct addrinfo s; s.ai_flags = AI_PASSIVE; ], - [ ac_cv_have_struct_addrinfo="yes" ], - [ ac_cv_have_struct_addrinfo="no" ] - ) -]) -if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then - AC_DEFINE(HAVE_STRUCT_ADDRINFO,,Have struct addrinfo) -fi - - -# IRIX has a const char return value for gai_strerror() -AC_CHECK_FUNCS(gai_strerror,[ - AC_DEFINE(HAVE_GAI_STRERROR) - AC_TRY_COMPILE([ -#include -#include -#include - -const char *gai_strerror(int);],[ -char *str; - -str = gai_strerror(0);],[ - AC_DEFINE(HAVE_CONST_GAI_STRERROR_PROTO, 1, - [Define if gai_strerror() returns const char *])])]) - -# for loginrec.c - -AC_CHECK_MEMBERS([struct utmp.ut_host, struct utmp.ut_pid, struct utmp.ut_type, struct utmp.ut_tv, struct utmp.ut_id, struct utmp.ut_addr, struct utmp.ut_addr_v6, struct utmp.ut_exit, struct utmp.ut_time],,,[ -#include -#if HAVE_UTMP_H -#include -#endif -]) - -AC_CHECK_MEMBERS([struct utmpx.ut_host, struct utmpx.ut_syslen, struct utmpx.ut_type, struct utmpx.ut_id, struct utmpx.ut_addr, struct utmpx.ut_addr_v6, struct utmpx.ut_time, struct utmpx.ut_tv],,,[ -#include -#include -#if HAVE_UTMPX_H -#include -#endif -]) - -AC_CHECK_MEMBERS([struct sockaddr_storage.ss_family],,,[ -#include -#include -]) - -AC_CHECK_FUNCS(endutent getutent getutid getutline pututline setutent) -AC_CHECK_FUNCS(utmpname) -AC_CHECK_FUNCS(endutxent getutxent getutxid getutxline pututxline ) -AC_CHECK_FUNCS(setutxent utmpxname) -AC_CHECK_FUNCS(logout updwtmp logwtmp) - -AC_ARG_ENABLE(bundled-libtom, - [ --enable-bundled-libtom Use bundled libtomcrypt/libtommath even if a system version exists], - [ - BUNDLED_LIBTOM=1 - AC_MSG_NOTICE(Forcing bundled libtom*) - 
], - [ - BUNDLED_LIBTOM=0 - AC_CHECK_LIB(tomcrypt, register_cipher, , BUNDLED_LIBTOM=1) - AC_CHECK_LIB(tommath, mp_exptmod, , BUNDLED_LIBTOM=1) - ] -) - -if test $BUNDLED_LIBTOM = 1 ; then - AC_DEFINE(BUNDLED_LIBTOM,,Use bundled libtom) -fi - -AC_SUBST(BUNDLED_LIBTOM) - -dnl Added from OpenSSH 3.6.1p2's configure.ac - -dnl allow user to disable some login recording features -AC_ARG_ENABLE(lastlog, - [ --disable-lastlog Disable use of lastlog even if detected [no]], - [ AC_DEFINE(DISABLE_LASTLOG,,Disable use of lastlog()) ] -) -AC_ARG_ENABLE(utmp, - [ --disable-utmp Disable use of utmp even if detected [no]], - [ AC_DEFINE(DISABLE_UTMP,,Disable use of utmp) ] -) -AC_ARG_ENABLE(utmpx, - [ --disable-utmpx Disable use of utmpx even if detected [no]], - [ AC_DEFINE(DISABLE_UTMPX,,Disable use of utmpx) ] -) -AC_ARG_ENABLE(wtmp, - [ --disable-wtmp Disable use of wtmp even if detected [no]], - [ AC_DEFINE(DISABLE_WTMP,,Disable use of wtmp) ] -) -AC_ARG_ENABLE(wtmpx, - [ --disable-wtmpx Disable use of wtmpx even if detected [no]], - [ AC_DEFINE(DISABLE_WTMPX,,Disable use of wtmpx) ] -) -AC_ARG_ENABLE(loginfunc, - [ --disable-loginfunc Disable use of login() etc. [no]], - [ no_loginfunc_check=1 - AC_MSG_NOTICE(Not using login() etc) ] -) -AC_ARG_ENABLE(pututline, - [ --disable-pututline Disable use of pututline() etc. ([uw]tmp) [no]], - [ AC_DEFINE(DISABLE_PUTUTLINE,,Disable use of pututline()) ] -) -AC_ARG_ENABLE(pututxline, - [ --disable-pututxline Disable use of pututxline() etc. 
([uw]tmpx) [no]], - [ AC_DEFINE(DISABLE_PUTUTXLINE,,Disable use of pututxline()) ] -) -AC_ARG_WITH(lastlog, - [ --with-lastlog=FILE|DIR specify lastlog location [common locations]], - [ - if test "x$withval" = "xno" ; then - AC_DEFINE(DISABLE_LASTLOG) - else - conf_lastlog_location=$withval - fi - ] -) - -if test -z "$no_loginfunc_check"; then - dnl Checks for libutil functions (login(), logout() etc, not openpty() ) - AC_SEARCH_LIBS(login, util bsd, [AC_DEFINE(HAVE_LOGIN,,Have login() function)]) - AC_CHECK_FUNCS(logout updwtmp logwtmp) -fi - -dnl lastlog, [uw]tmpx? detection -dnl NOTE: set the paths in the platform section to avoid the -dnl need for command-line parameters -dnl lastlog and [uw]tmp are subject to a file search if all else fails - -dnl lastlog detection -dnl NOTE: the code itself will detect if lastlog is a directory -AC_MSG_CHECKING([if your system defines LASTLOG_FILE]) -AC_TRY_COMPILE([ -#include -#include -#ifdef HAVE_LASTLOG_H -# include -#endif -#ifdef HAVE_PATHS_H -# include -#endif -#ifdef HAVE_LOGIN_H -# include -#endif - ], - [ char *lastlog = LASTLOG_FILE; ], - [ AC_MSG_RESULT(yes) ], - [ - AC_MSG_RESULT(no) - AC_MSG_CHECKING([if your system defines _PATH_LASTLOG]) - AC_TRY_COMPILE([ -#include -#include -#ifdef HAVE_LASTLOG_H -# include -#endif -#ifdef HAVE_PATHS_H -# include -#endif - ], - [ char *lastlog = _PATH_LASTLOG; ], - [ AC_MSG_RESULT(yes) ], - [ - AC_MSG_RESULT(no) - system_lastlog_path=no - ]) - ] -) - -if test -z "$conf_lastlog_location"; then - if test x"$system_lastlog_path" = x"no" ; then - for f in /var/log/lastlog /usr/adm/lastlog /var/adm/lastlog /etc/security/lastlog ; do - if (test -d "$f" || test -f "$f") ; then - conf_lastlog_location=$f - fi - done - if test -z "$conf_lastlog_location"; then - AC_MSG_WARN([** Cannot find lastlog **]) - dnl Don't define DISABLE_LASTLOG - that means we don't try wtmp/wtmpx - fi - fi -fi - -if test -n "$conf_lastlog_location"; then - AC_DEFINE_UNQUOTED(CONF_LASTLOG_FILE, 
"$conf_lastlog_location", lastlog file location) -fi - -dnl utmp detection -AC_MSG_CHECKING([if your system defines UTMP_FILE]) -AC_TRY_COMPILE([ -#include -#include -#ifdef HAVE_PATHS_H -# include -#endif - ], - [ char *utmp = UTMP_FILE; ], - [ AC_MSG_RESULT(yes) ], - [ AC_MSG_RESULT(no) - system_utmp_path=no ] -) -if test -z "$conf_utmp_location"; then - if test x"$system_utmp_path" = x"no" ; then - for f in /etc/utmp /usr/adm/utmp /var/run/utmp; do - if test -f $f ; then - conf_utmp_location=$f - fi - done - if test -z "$conf_utmp_location"; then - AC_DEFINE(DISABLE_UTMP) - fi - fi -fi -if test -n "$conf_utmp_location"; then - AC_DEFINE_UNQUOTED(CONF_UTMP_FILE, "$conf_utmp_location", utmp file location) -fi - -dnl wtmp detection -AC_MSG_CHECKING([if your system defines WTMP_FILE]) -AC_TRY_COMPILE([ -#include -#include -#ifdef HAVE_PATHS_H -# include -#endif - ], - [ char *wtmp = WTMP_FILE; ], - [ AC_MSG_RESULT(yes) ], - [ AC_MSG_RESULT(no) - system_wtmp_path=no ] -) -if test -z "$conf_wtmp_location"; then - if test x"$system_wtmp_path" = x"no" ; then - for f in /usr/adm/wtmp /var/log/wtmp; do - if test -f $f ; then - conf_wtmp_location=$f - fi - done - if test -z "$conf_wtmp_location"; then - AC_DEFINE(DISABLE_WTMP) - fi - fi -fi -if test -n "$conf_wtmp_location"; then - AC_DEFINE_UNQUOTED(CONF_WTMP_FILE, "$conf_wtmp_location", wtmp file location) -fi - - -dnl utmpx detection - I don't know any system so perverse as to require -dnl utmpx, but not define UTMPX_FILE (ditto wtmpx.) No doubt it's out -dnl there, though. 
-AC_MSG_CHECKING([if your system defines UTMPX_FILE]) -AC_TRY_COMPILE([ -#include -#include -#ifdef HAVE_UTMPX_H -#include -#endif -#ifdef HAVE_PATHS_H -# include -#endif - ], - [ char *utmpx = UTMPX_FILE; ], - [ AC_MSG_RESULT(yes) ], - [ AC_MSG_RESULT(no) - system_utmpx_path=no ] -) -if test -z "$conf_utmpx_location"; then - if test x"$system_utmpx_path" = x"no" ; then - AC_DEFINE(DISABLE_UTMPX) - fi -else - AC_DEFINE_UNQUOTED(CONF_UTMPX_FILE, "$conf_utmpx_location", utmpx file location) -fi - -dnl wtmpx detection -AC_MSG_CHECKING([if your system defines WTMPX_FILE]) -AC_TRY_COMPILE([ -#include -#include -#ifdef HAVE_UTMPX_H -#include -#endif -#ifdef HAVE_PATHS_H -# include -#endif - ], - [ char *wtmpx = WTMPX_FILE; ], - [ AC_MSG_RESULT(yes) ], - [ AC_MSG_RESULT(no) - system_wtmpx_path=no ] -) -if test -z "$conf_wtmpx_location"; then - if test x"$system_wtmpx_path" = x"no" ; then - AC_DEFINE(DISABLE_WTMPX) - fi -else - AC_DEFINE_UNQUOTED(CONF_WTMPX_FILE, "$conf_wtmpx_location", wtmpx file location) -fi - -# Checks for library functions. 
-AC_PROG_GCC_TRADITIONAL -AC_FUNC_MEMCMP -AC_FUNC_SELECT_ARGTYPES -AC_TYPE_SIGNAL -AC_CHECK_FUNCS([dup2 getspnam getusershell memset putenv select socket strdup clearenv strlcpy strlcat daemon basename _getpty getaddrinfo freeaddrinfo getnameinfo fork]) - -AC_SEARCH_LIBS(basename, gen, AC_DEFINE(HAVE_BASENAME)) - -# Solaris needs ptmx -if test -z "$no_ptmx_check" ; then - if test x"$cross_compiling" = x"no" ; then - AC_CHECK_FILE("/dev/ptmx", AC_DEFINE(USE_DEV_PTMX,,Use /dev/ptmx)) - else - AC_MSG_NOTICE([Not checking for /dev/ptmx, we're cross-compiling]) - fi -fi - -if test -z "$no_ptc_check" ; then - if test x"$cross_compiling" = x"no" ; then - AC_CHECK_FILE("/dev/ptc", AC_DEFINE(HAVE_DEV_PTS_AND_PTC,,Use /dev/ptc & /dev/pts)) - else - AC_MSG_NOTICE([Not checking for /dev/ptc & /dev/pts since we're cross-compiling]) - fi -fi - -AC_EXEEXT - -# XXX there must be a nicer way to do this -AS_MKDIR_P(libtomcrypt/src/ciphers/aes) -AS_MKDIR_P(libtomcrypt/src/ciphers/safer) -AS_MKDIR_P(libtomcrypt/src/ciphers/twofish) -AS_MKDIR_P(libtomcrypt/src/encauth/ccm) -AS_MKDIR_P(libtomcrypt/src/encauth/eax) -AS_MKDIR_P(libtomcrypt/src/encauth/gcm) -AS_MKDIR_P(libtomcrypt/src/encauth/ocb) -AS_MKDIR_P(libtomcrypt/src/hashes) -AS_MKDIR_P(libtomcrypt/src/hashes/chc) -AS_MKDIR_P(libtomcrypt/src/hashes/helper) -AS_MKDIR_P(libtomcrypt/src/hashes/sha2) -AS_MKDIR_P(libtomcrypt/src/hashes/whirl) -AS_MKDIR_P(libtomcrypt/src/mac/hmac) -AS_MKDIR_P(libtomcrypt/src/mac/omac) -AS_MKDIR_P(libtomcrypt/src/mac/pelican) -AS_MKDIR_P(libtomcrypt/src/mac/pmac) -AS_MKDIR_P(libtomcrypt/src/mac/f9) -AS_MKDIR_P(libtomcrypt/src/mac/xcbc) -AS_MKDIR_P(libtomcrypt/src/math/fp) -AS_MKDIR_P(libtomcrypt/src/misc/base64) -AS_MKDIR_P(libtomcrypt/src/misc/crypt) -AS_MKDIR_P(libtomcrypt/src/misc/mpi) -AS_MKDIR_P(libtomcrypt/src/misc/pkcs5) -AS_MKDIR_P(libtomcrypt/src/modes/cbc) -AS_MKDIR_P(libtomcrypt/src/modes/cfb) -AS_MKDIR_P(libtomcrypt/src/modes/ctr) -AS_MKDIR_P(libtomcrypt/src/modes/ecb) 
-AS_MKDIR_P(libtomcrypt/src/modes/ofb) -AS_MKDIR_P(libtomcrypt/src/modes/f8) -AS_MKDIR_P(libtomcrypt/src/modes/lrw) -AS_MKDIR_P(libtomcrypt/src/pk/asn1/der/bit) -AS_MKDIR_P(libtomcrypt/src/pk/asn1/der/choice) -AS_MKDIR_P(libtomcrypt/src/pk/asn1/der/ia5) -AS_MKDIR_P(libtomcrypt/src/pk/asn1/der/integer) -AS_MKDIR_P(libtomcrypt/src/pk/asn1/der/object_identifier) -AS_MKDIR_P(libtomcrypt/src/pk/asn1/der/octet) -AS_MKDIR_P(libtomcrypt/src/pk/asn1/der/printable_string) -AS_MKDIR_P(libtomcrypt/src/pk/asn1/der/sequence) -AS_MKDIR_P(libtomcrypt/src/pk/asn1/der/short_integer) -AS_MKDIR_P(libtomcrypt/src/pk/asn1/der/utctime) -AS_MKDIR_P(libtomcrypt/src/pk/dh) -AS_MKDIR_P(libtomcrypt/src/pk/dsa) -AS_MKDIR_P(libtomcrypt/src/pk/ecc) -AS_MKDIR_P(libtomcrypt/src/pk/pkcs1) -AS_MKDIR_P(libtomcrypt/src/pk/rsa) -AS_MKDIR_P(libtomcrypt/src/prng) -AC_CONFIG_HEADER(config.h) -AC_OUTPUT(Makefile) -AC_OUTPUT(libtomcrypt/Makefile) -AC_OUTPUT(libtommath/Makefile) - -AC_MSG_NOTICE() -if test $BUNDLED_LIBTOM = 1 ; then -AC_MSG_NOTICE(Using bundled libtomcrypt and libtommath) -else -AC_MSG_NOTICE(Using system libtomcrypt and libtommath) -fi - -AC_MSG_NOTICE() -AC_MSG_NOTICE(Now edit options.h to choose features.) From mattias.walstrom at westermo.se Wed Mar 27 23:24:27 2013 
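Review bot: AC_OUTPUT is invoked three times at the end of the new configure.ac (`AC_OUTPUT(Makefile)`, then again for libtomcrypt/Makefile and libtommath/Makefile); autoconf expects a single AC_OUTPUT per configure script, so list the three files in one `AC_CONFIG_FILES([Makefile libtomcrypt/Makefile libtommath/Makefile])` and end with a bare `AC_OUTPUT`. Two smaller points in the same file: several AC_DEFINE descriptions say the opposite of the symbol they document, for example `AC_DEFINE(DISABLE_ZLIB,, Use zlib)` and the matching DISABLE_PAM and DISABLE_SYSLOG lines, and that text is what lands as the comment in config.h; and the default branch of the openpty option uses `AC_DEFINE(HAVE_OPENPTY)` without the "Have openpty() function" description that the explicit --enable branch supplies, so the two paths are inconsistent and the description-less form relies on a separate autoheader template. As far as the two hunks show, configure.in is removed and configure.ac is added with identical contents, so the rename itself is fine to merge once nothing else in the tree refers to configure.in by name.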
From: mattias.walstrom at westermo.se (Mattias Walström)
Date: Wed, 27 Mar 2013 16:24:27 +0100
Subject: Timeout dead connections
Message-ID: <51530F2B.1060907@westermo.se>

Hi!

I am running dropbear 2013.56, connecting to the server with a PC but not performing a clean close (I pulled my ethernet cable). This caused dropbear to never drop its connection.

Looking at the utmp entries, I could see that the connection never got dropped; the utmp entries were kept forever, and running with debug indicates that also. Tried to use -K to send keepalive, but it just keeps sending keepalives to the peer, even if it is no longer there and not possible to reach. Shouldn't the connection be dropped if the keepalive does not reach its destination?

I know there is the -I option, but that does not really do what I want. I want the connection to be torn down when the peer is unreachable, not when the user has been idle for a while.

Regards
Mattias

From: matt at ucc.asn.au (Matt Johnston)
Date: Wed, 27 Mar 2013 23:37:15 +0800
Subject: Timeout dead connections
Message-ID: <20130327153715.GC28516@ucc.gu.uwa.edu.au>

Hi,

At the very least if there is traffic on the connection (which -K will ensure) then TCP should time out and the connection should eventually (a minute or so?) close. Can you get a packet capture with tcpdump?

Cheers,
Matt

On Wed, Mar 27, 2013 at 04:24:27PM +0100, Mattias Walström wrote:
> Hi!
> I am running dropbear 2013.56, connecting to the server with a PC but
> not performing a clean close (I pulled my ethernet cable), this caused
> dropbear to never drop its connection.
>
> Looking at the utmp entries, I could see that the connection never got dropped,
> the utmp entries was kept forever, and running with debug indicates that also.
> Tried to use -K to send keepalive, but it just keeps sending keepalives to the peer,
> even it is no longer there, and not possible to reach. Shouldn't
> the connection be dropped if the keepalive does not reach its destination?
>
> I know there is the -I option, but that does not really do what I want,
> I want the connection to be tear down when the peer is unreachable, not
> when the user has been idle for a while.
>
> Regards
> Mattias

From: fabriziobertocci at gmail.com (Fabrizio Bertocci)
Date: Wed, 27 Mar 2013 11:41:40 -0400
Subject: Timeout dead connections
In-Reply-To: <51530F2B.1060907@westermo.se>
References: <51530F2B.1060907@westermo.se>

I remember reporting this problem and sending a patch a long time ago (for version 0.52).

The problem with the keep-alive (if I remember correctly) was that every time dropbear was sending the keep-alive message, it was also resetting the timeout counter... so dropbear or dbclient never detects the dropped connection.
Here is an extract from my old email sent on 9/29/2010:

Hope this helps,
Regards,
Fabrizio

____________________________________________________________________________________

First Issue: When keep-alive messages are sent, they reset the idle timeout counter (-I counter).
I would expect that SENT messages (in particular keep-alive packets) do not affect the idle timeout...
This is in function write_packet() (file packet.c).
When a message is written, it stores the current time in both the registers for the last packet transmitted *AND* last packet (for the idle timeout):

    ses.last_trx_packet_time = time(NULL);
    ses.last_packet_time = time(NULL);

(Besides that, this causes two system calls to read the time, when only one would be needed... just optimizing :) )
This is a little unexpected because I would think that the idle timeout works only on received packets, not on sent packets.
Basically if I start dropbear with -I and -K options, the idle timeout will never kick in... because the keepalive will always reset the timer even if the connection is dead.

I'm proposing to simply remove the line:

    ses.last_packet_time = time(NULL);

So the idle timeout does not get reset when any packet is sent.

Watch out: after this change, the semantics of the argument -I are different than before, as it only considers received packets... but at least it makes more sense.
Here is a scenario WITHOUT this modification:
1. Start the server with: dropbear -K 15 -I 20 [...]
2. Start the client with dbclient -K 15 [...]
3. On my device, start a program that sends data over one tunneled port
Everything works fine, connection is up and data is exchanging. Now...
4. Unplug my embedded device (the one running dbclient)
-> The server does not detect the connection is down. Any attempt to access a tunneled port causes the caller to hang.

Now, after this change, with the same scenario, after I unplug my box, the server detects it after 20 seconds and closes the connection.

Second Issue: When a keepalive message is received, the idle timeout timer (for received packets) is NOT updated.
I'm referring here to the function 'process_packet()' in file 'process-packet.c'.
Here the timer update:

    ses.last_packet_time = time(NULL);

is performed AFTER the first switch where we check for SSH_MSG_IGNORE, SSH_MSG_DEBUG, SSH_MSG_UNIMPLEMENTED, and SSH_MSG_DISCONNECT.
So, in a few words: although a keep-alive message (that is, a message of type SSH_MSG_IGNORE) is correctly ignored, the timer is not reset.

Here is what happens:
1. Start my server again with dropbear -I 20 [...]
2. Start my client with dropbear -K 15 [...]
(this time I'm not starting my application to send data over a tunneled port)

Without doing anything, the server will close the connection after 20 seconds. No matter if the client has sent the keep-alive messages...

After moving that statement:

    ses.last_packet_time = time(NULL);

BEFORE the first switch(), now a keep-alive message causes the idle timer to reset, and the previous test case works as expected (server doesn't disconnect).

So, in conclusion, as you see, these two small changes are critical for my situation, and I believe they could also benefit others with similar needs.

____________________________________________________________________________________

On Wed, Mar 27, 2013 at 11:24 AM, Mattias Walström <mattias.walstrom at westermo.se> wrote:
> Hi!
> I am running dropbear 2013.56, connecting to the server with a PC but
> not performing a clean close (I pulled my ethernet cable), this caused
> dropbear to never drop its connection.
>
> Looking at the utmp entries, I could see that the connection never got
> dropped,
> the utmp entries was kept forever, and running with debug indicates that
> also.
> Tried to use -K to send keepalive, but it just keeps sending keepalives
> to the peer,
> even it is no longer there, and not possible to reach. Shouldn't
> the connection be dropped if the keepalive does not reach its destination?
>
> I know there is the -I option, but that does not really do what I want,
> I want the connection to be tear down when the peer is unreachable, not
> when the user has been idle for a while.
>
> Regards
> Mattias

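The two timer issues Fabrizio describes, replayed in an added stand-alone C model. This is not Dropbear's code and not part of the thread: struct session, session_tick() and run_scenario() are hypothetical names, and only the last_packet_time / last_trx_packet_time fields, the write_packet() / process_packet() names, SSH_MSG_IGNORE and the -K 15 / -I 20 settings come from the post. run_scenario() steps a server session one second at a time, with a switch for the pre-fix and post-fix behaviour of each issue, and returns the second at which the server tears the session down (or -1 if it never does).

```c
/* Added example, not Dropbear code: a model of the per-session idle timeout
 * (-I) and keepalive (-K) timers described in the thread. struct session,
 * session_tick() and run_scenario() are hypothetical names; the two time
 * fields and write_packet()/process_packet() mirror what the post names. */
#include <stdio.h>
#include <time.h>

#define SSH_MSG_IGNORE        2   /* RFC 4253 transport-layer message number */
#define SSH_MSG_CHANNEL_DATA 94   /* stands in for "real" traffic */

struct session {
    time_t last_packet_time;     /* last packet RECEIVED: drives the -I idle timeout */
    time_t last_trx_packet_time; /* last packet SENT: decides when the next -K keepalive goes out */
    int keepalive_secs;          /* -K value, 0 = keepalives off */
    int idle_timeout_secs;       /* -I value, 0 = idle timeout off */
    int reset_idle_on_send;      /* 1 = first issue present: sending also refreshes the idle timer */
    int ignore_resets_idle;      /* 1 = second issue fixed: a received SSH_MSG_IGNORE refreshes it */
};

/* write_packet() model: record the send time; the buggy variant also touches
 * the idle timer, which is what hid a dead peer behind our own keepalives. */
static void write_packet(struct session *s, int type, time_t now)
{
    (void)type;
    s->last_trx_packet_time = now;
    if (s->reset_idle_on_send)
        s->last_packet_time = now;
}

/* process_packet() model: SSH_MSG_IGNORE is discarded early, so whether it
 * counts as peer activity depends on where the timestamp update sits
 * relative to that early return. */
static void process_packet(struct session *s, int type, time_t now)
{
    if (type == SSH_MSG_IGNORE) {
        if (s->ignore_resets_idle)
            s->last_packet_time = now;
        return;
    }
    s->last_packet_time = now;
    /* real message handling would follow here */
}

/* One pass of the main loop at time `now`: emit a keepalive if one is due,
 * then report whether the idle timeout says the session must be torn down. */
static int session_tick(struct session *s, time_t now)
{
    if (s->keepalive_secs > 0 && now - s->last_trx_packet_time >= s->keepalive_secs)
        write_packet(s, SSH_MSG_IGNORE, now);
    return s->idle_timeout_secs > 0 && now - s->last_packet_time >= s->idle_timeout_secs;
}

/* Replay a server session second by second from t = 0, the moment of the
 * last real traffic. A live peer is modelled as a client running -K 15: it
 * sends nothing but an SSH_MSG_IGNORE every 15 s. A dead peer (cable pulled)
 * sends nothing at all. Returns the second at which the server gave up, or
 * -1 if it never did within `horizon` seconds. */
static int run_scenario(int server_keepalive, int server_idle, int reset_idle_on_send,
                        int ignore_resets_idle, int peer_alive, int horizon)
{
    struct session s = {0};
    s.keepalive_secs = server_keepalive;
    s.idle_timeout_secs = server_idle;
    s.reset_idle_on_send = reset_idle_on_send;
    s.ignore_resets_idle = ignore_resets_idle;
    for (int t = 1; t <= horizon; t++) {
        if (peer_alive && t % 15 == 0)
            process_packet(&s, SSH_MSG_IGNORE, t);
        if (session_tick(&s, t))
            return t;
    }
    return -1;
}

int main(void)
{
    /* First issue: dropbear -K 15 -I 20, peer unplugged. */
    printf("dead peer, idle reset on send   : %d\n", run_scenario(15, 20, 1, 0, 0, 600)); /* -1 */
    printf("dead peer, idle reset only on rx: %d\n", run_scenario(15, 20, 0, 0, 0, 600)); /* 20 */
    /* Second issue: dropbear -I 20, live client running dbclient -K 15. */
    printf("live peer, IGNORE not counted   : %d\n", run_scenario(0, 20, 0, 0, 1, 600)); /* 20 */
    printf("live peer, IGNORE counted       : %d\n", run_scenario(0, 20, 0, 1, 1, 600)); /* -1 */
    return 0;
}
```

The model makes the two failure modes visible side by side: with the idle timer refreshed on send, the server's own keepalives keep a dead peer "alive" indefinitely, and with a received SSH_MSG_IGNORE not counted, a healthy but quiet client is cut off at exactly the -I value. Only when received traffic alone drives the idle timer, and keepalives count as received traffic, does -K on the client plus -I on the server behave as a dead-peer detector.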
From: matt at ucc.asn.au (Matt Johnston)
Date: Wed, 27 Mar 2013 23:47:51 +0800
Subject: Timeout dead connections
References: <51530F2B.1060907@westermo.se>
Message-ID: <20130327154751.GD28516@ucc.gu.uwa.edu.au>

I thought those were fixed in 0.53 or perhaps 2011.54:

2011.54 - Tuesday 8 November 2011
- Fixed case where "-K 1" keepalive for dbclient would cause a SSH_MSG_IGNORE
  packet to be sent
0.53 - Thurs 24 February 2011
- Make -K (keepalive) and -I (idle timeout) work together sensibly in the client.
  The idle timeout is no longer reset by SSH_MSG_IGNORE packets.

If the network cable has been pulled out, shouldn't the OS send a TCP RST packet eventually after some traffic and close the connection?

Cheers,
Matt

On Wed, Mar 27, 2013 at 11:41:40AM -0400, Fabrizio Bertocci wrote:
> I remember reporting this problem and sending a patch long time ago (for
> version 0.52).
>
> The problem with the keep-alive (if I remember correctly) was that every
> time dropbear was sending the keep-alive message, it was also resetting the
> timeout counter... so dropbear or dbclient never detect the dropped
> connection.
> Here is an extract from my old email sent on 9/29/2010:

From: cat at vv.carleton.ca (Catalin Patulea)
Date: Wed, 27 Mar 2013 11:52:59 -0400
Subject: Timeout dead connections
In-Reply-To: <20130327154751.GD28516@ucc.gu.uwa.edu.au>
References: <51530F2B.1060907@westermo.se> <20130327154751.GD28516@ucc.gu.uwa.edu.au>

On Wed, Mar 27, 2013 at 11:47 AM, Matt Johnston wrote:
> If the network cable has been pulled out, shouldn't the OS send a TCP RST
> packet eventually after some traffic and close the connection?

That tends to be an application-level concern. You could imagine that a protocol can tolerate a day-long network outage if it has nothing to send. TCP keepalive has a single system-wide timeout interval so it's really not appropriate in most cases. This is why SSH, IRC, etc. implement their own keepalive mechanisms, so they can enforce whatever semantics/intervals are appropriate for the protocol/circumstance.

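For comparison with the application-level -K keepalive the thread is about, an added C example (not Dropbear code and not from any poster) showing the OS-level alternative Matt raised: enabling the kernel's TCP keepalive on a socket. On Linux the probe timers can be set per socket with TCP_KEEPIDLE, TCP_KEEPINTVL and TCP_KEEPCNT rather than only through the system-wide sysctls; the function names and the 15/5/3 values are this example's own, and the code reports -2 on platforms where those per-socket options do not exist.

```c
/* Added example, not Dropbear code: enabling the kernel's TCP keepalive on a
 * socket with per-socket timers, as a comparison with the application-level
 * -K keepalive. TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT are Linux names; the
 * function names and the 15/5/3 values below are this example's own. */
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <sys/socket.h>
#include <unistd.h>
#include <stdio.h>

struct tcp_keepalive_cfg {
    int idle_secs;     /* silence before the first probe is sent */
    int interval_secs; /* gap between unanswered probes */
    int count;         /* unanswered probes before the kernel resets the connection */
};

static int set_int_opt(int fd, int level, int name, int value)
{
    return setsockopt(fd, level, name, &value, sizeof value);
}

static int get_int_opt(int fd, int level, int name, int *value)
{
    socklen_t len = sizeof *value;
    return getsockopt(fd, level, name, value, &len);
}

/* Apply cfg to fd. Returns 0 on success, -1 with errno set on failure, and
 * -2 where the per-socket timer options are not available. */
static int enable_tcp_keepalive(int fd, const struct tcp_keepalive_cfg *cfg)
{
    if (set_int_opt(fd, SOL_SOCKET, SO_KEEPALIVE, 1) < 0)
        return -1;
#if defined(TCP_KEEPIDLE) && defined(TCP_KEEPINTVL) && defined(TCP_KEEPCNT)
    if (set_int_opt(fd, IPPROTO_TCP, TCP_KEEPIDLE, cfg->idle_secs) < 0 ||
        set_int_opt(fd, IPPROTO_TCP, TCP_KEEPINTVL, cfg->interval_secs) < 0 ||
        set_int_opt(fd, IPPROTO_TCP, TCP_KEEPCNT, cfg->count) < 0)
        return -1;
    return 0;
#else
    (void)cfg;
    return -2;
#endif
}

/* Read back what the kernel will actually use. Returns 0 on success. */
static int read_tcp_keepalive(int fd, struct tcp_keepalive_cfg *out)
{
#if defined(TCP_KEEPIDLE) && defined(TCP_KEEPINTVL) && defined(TCP_KEEPCNT)
    if (get_int_opt(fd, IPPROTO_TCP, TCP_KEEPIDLE, &out->idle_secs) < 0 ||
        get_int_opt(fd, IPPROTO_TCP, TCP_KEEPINTVL, &out->interval_secs) < 0 ||
        get_int_opt(fd, IPPROTO_TCP, TCP_KEEPCNT, &out->count) < 0)
        return -1;
    return 0;
#else
    (void)fd; (void)out;
    return -2;
#endif
}

/* Upper bound on how long a silent, unreachable peer stays "connected":
 * the idle period plus every probe interval until the count is exhausted. */
static int max_detection_secs(const struct tcp_keepalive_cfg *cfg)
{
    return cfg->idle_secs + cfg->interval_secs * cfg->count;
}

/* Self-check on a fresh, unconnected socket: set the options, read them
 * back, compare. Returns 0 when the kernel reports exactly what was asked. */
static int demo(void)
{
    struct tcp_keepalive_cfg want = { 15, 5, 3 }, got = { 0, 0, 0 };
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    int rc = -1;
    if (fd < 0)
        return -1;
    if (enable_tcp_keepalive(fd, &want) == 0 && read_tcp_keepalive(fd, &got) == 0 &&
        got.idle_secs == want.idle_secs && got.interval_secs == want.interval_secs &&
        got.count == want.count)
        rc = 0;
    close(fd);
    return rc;
}

int main(void)
{
    struct tcp_keepalive_cfg cfg = { 15, 5, 3 };
    printf("self-check: %s\n", demo() == 0 ? "ok" : "failed");
    printf("a silent peer is detected within %d s\n", max_detection_secs(&cfg));
    return 0;
}
```

A server would call enable_tcp_keepalive() on each accepted connection. The trade-off Catalin points at still applies: kernel probes only tell you whether the remote TCP stack answers, not whether the SSH peer process is healthy, so they complement rather than replace the protocol-level keepalive.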
From: fabriziobertocci at gmail.com (Fabrizio Bertocci)
Date: Wed, 27 Mar 2013 11:53:36 -0400
Subject: Timeout dead connections
In-Reply-To: <20130327154751.GD28516@ucc.gu.uwa.edu.au>
References: <51530F2B.1060907@westermo.se> <20130327154751.GD28516@ucc.gu.uwa.edu.au>

Yep, you're right Matt... the latest version contains those fixes... (the truth is that I'm still working with my patched 0.52 that is rock solid for my usage)...

Regards,
Fabrizio

On Wed, Mar 27, 2013 at 11:47 AM, Matt Johnston wrote:
> I thought those were fixed in 0.53 or perhaps 2011.54:
>
> 2011.54 - Tuesday 8 November 2011
> - Fixed case where "-K 1" keepalive for dbclient would cause a SSH_MSG_IGNORE
>   packet to be sent
> 0.53 - Thurs 24 February 2011
> - Make -K (keepalive) and -I (idle timeout) work together sensibly in the client.
>   The idle timeout is no longer reset by SSH_MSG_IGNORE packets.
>
> If the network cable has been pulled out, shouldn't the OS send a TCP RST
> packet eventually after some traffic and close the connection?
>
> Cheers,
> Matt

From: mattias.walstrom at westermo.se (Mattias Walström)
Date: Thu, 28 Mar 2013 09:56:02 +0100
Subject: Timeout dead connections
In-Reply-To: <20130327154751.GD28516@ucc.gu.uwa.edu.au>
References: <51530F2B.1060907@westermo.se> <20130327154751.GD28516@ucc.gu.uwa.edu.au>
Message-ID: <515405A2.2010707@westermo.se>

Thanks for your responses. All your suggestions imply that you should do something in the client (set keepalive on client end), but shouldn't the server itself be able to decide if a client is dead (can't OpenSSH do this?).

If I do the -K 15 -I 20 on the server end only, this will close the connection when the OpenSSH client has not sent any characters in 20s. I expected the keepalive to be two-way, that the server got responses on these packages as well; is that not the case?

Regards
Mattias

On 2013-03-27 16:47, Matt Johnston wrote:
> I thought those were fixed in 0.53 or perhaps 2011.54:
>
> 2011.54 - Tuesday 8 November 2011
> - Fixed case where "-K 1" keepalive for dbclient would cause a SSH_MSG_IGNORE
>   packet to be sent
> 0.53 - Thurs 24 February 2011
> - Make -K (keepalive) and -I (idle timeout) work together sensibly in the client.
>   The idle timeout is no longer reset by SSH_MSG_IGNORE packets.
>
> If the network cable has been pulled out, shouldn't the OS send a TCP RST
> packet eventually after some traffic and close the connection?
>
> Cheers,
> Matt

From: matt at ucc.asn.au (Matt Johnston)
Date: Thu, 28 Mar 2013 19:24:55 +0800
Subject: Timeout dead connections
In-Reply-To: <515405A2.2010707@westermo.se>
References: <51530F2B.1060907@westermo.se> <20130327154751.GD28516@ucc.gu.uwa.edu.au> <515405A2.2010707@westermo.se>
Message-ID: <20130328112455.GG28516@ucc.gu.uwa.edu.au>

I think that -K on the server should be enough.

On the server can you run "tcpdump -i eth0 -w cap1.cap port 22", get a ssh session going, pull out the cable, wait 10 minutes, then send me the capture?

Could you also check that the Dropbear process for the connection is still running after the connection should have been finished. It's possible that the process is exiting but the session cleanup code isn't working correctly. The whole debug log might give me an idea what's going on.

Cheers,
Matt

On Thu, Mar 28, 2013 at 09:56:02AM +0100, Mattias Walström wrote:
> Thanks for your responses, all your suggestions imply that you should do something
> in the client (set keepalive on client end), but shouldn't the server itself be able to
> decide if a client is dead (can't OpenSSH do this?).
>
> If I do the -K 15 -I 20 on the server end only, this will close the connection when
> the OpenSSH client has not sent any characters in 20s. I expected the keepalive to be
> two way, that the server got responses on these packages as well, is that not the case?
>
> Regards
> Mattias

From: frank.van.uffelen at gmail.com (Frank Van Uffelen)
Date: Thu, 28 Mar 2013 17:51:58 +0100
Subject: scp issue in 0.56

Hello, I think I've found a problem in the scp implementation in 0.56: lines 233-235 of scp.c say:

    #ifdef USE_VFORK
    arg_setup(host, remuser, cmd);
    #endif

and IMO it should be

    #ifndef USE_VFORK
    arg_setup(host, remuser, cmd);
    #endif

which would correspond to the logic in previous releases. As it is now, dbclient will complain and show its help because arg_setup is never executed on systems using a regular fork() call.

Do you agree?

Best regards,

Frank Van Uffelen

From: matt at ucc.asn.au (Matt Johnston)
Date: Sun, 31 Mar 2013 23:33:07 +0800
Subject: scp issue in 0.56
Message-ID: <20130331153307.GI28516@ucc.gu.uwa.edu.au>

Hi,

Thanks for pointing that out, I'll fix it in the next release.

Cheers,
Matt

On Thu, Mar 28, 2013 at 05:51:58PM +0100, Frank Van Uffelen wrote:
> Hello, I think I've found a problem in the scp implementation in 0.56:
> lines 233-235 of scp.c say:
>
> #ifdef USE_VFORK
> arg_setup(host, remuser, cmd);
> #endif
>
> and IMO it should be
>
> #ifndef USE_VFORK
> arg_setup(host, remuser, cmd);
> #endif
>
> which would correspond to the logic in previous releases. As it is now,
> dbclient will complain and show its help because arg_setup is never
> executed on systems using a regular fork() call.
>
> Do you agree?
>
> Best regards,
>
> Frank Van Uffelen