From salatiel.filho at gmail.com Sun Oct 2 11:00:01 2016
From: salatiel.filho at gmail.com (Salatiel Filho)
Date: Sun, 2 Oct 2016 00:00:01 -0300
Subject: reverse server should also timeout when -K is set
Message-ID:

Hi matt,

would it be possible for you to make the server also time out when it loses connection with the client that requested a reverse tunnel?

Current version: Dropbear 2016.74

Scenario:

1) Client 1 connects to the server passing -K 5 option and -R 7777:localhost:22. After this, if I go to the server and type ssh localhost:7777, I will get a reverse ssh connection to the client (works as expected).
2) Server disconnects and reconnects using a new public IP.
3) Client 1 will time out after 5 seconds.
4) Client 1 tries to recreate the tunnel connecting to the new IP address. It will fail because there is already a 7777 address bound to dropbear by the old connection.

It would be nice if the previous connection timed out on the server too.

[]'s
Salatiel

From peter at softwolves.pp.se Wed Nov 23 22:55:05 2016
From: peter at softwolves.pp.se (Peter Krefting)
Date: Wed, 23 Nov 2016 15:55:05 +0100 (CET)
Subject: Port forwarding for certain users only
Message-ID:

Hi!

Is there a way to restrict port forwarding to certain users only?

On an embedded device, I have a user that opens a settings menu when logging in (with username + password), and I do not wish that user to allow port forwarding. The UID for the login is 0 because it needs to be able to change stuff on the system, but there is a "root" account with a regular shell that preferably should be able to forward ports.

--
\\// Peter - http://www.softwolves.pp.se/

From matt at ucc.asn.au Mon Nov 28 22:56:44 2016
From: matt at ucc.asn.au (Matt Johnston)
Date: Mon, 28 Nov 2016 22:56:44 +0800
Subject: Port forwarding for certain users only
In-Reply-To:
References:
Message-ID:

Hi Peter,

Currently I don't think that's possible, sorry. There are restrictions for public keys auth but not password users.

Matt

> On Wed. 23/11/2016, at 10:55 pm, Peter Krefting wrote:
>
> Hi!
>
> Is there a way to restrict port forwarding to certain users only?
>
> On an embedded device, I have a user that opens a settings menu when logging in (with username + password), and I do not wish that user to allow port forwarding. The UID for the login is 0 because it needs to be able to change stuff on the system, but there is a "root" account with a regular shell that preferably should be able to forward ports.
>
> --
> \\// Peter - http://www.softwolves.pp.se/

From wpdster at gmail.com Fri Dec 2 23:51:15 2016
From: wpdster at gmail.com (Patrick Doyle)
Date: Fri, 2 Dec 2016 10:51:15 -0500
Subject: Does dropbear support certificate based authentication?
Message-ID:

i.e. similar to the TrustedUserCAKeys option for OpenSSH.

--wpd

From matt at ucc.asn.au Fri Dec 2 23:58:34 2016
From: matt at ucc.asn.au (Matt Johnston)
Date: Fri, 2 Dec 2016 23:58:34 +0800
Subject: Does dropbear support certificate based authentication?
In-Reply-To:
References:
Message-ID: <532AEB46-4FEE-48FD-BEBF-C7AE0CB0D674@ucc.asn.au>

Hi Patrick,

Dropbear doesn't have any certificate support.

Cheers,
Matt

> On Fri. 2/12/2016, at 11:51 pm, Patrick Doyle wrote:
>
> i.e. similar to the TrustedUserCAKeys option for OpenSSH.
>
> --wpd

From wpdster at gmail.com Sat Dec 3 00:05:27 2016
From: wpdster at gmail.com (Patrick Doyle)
Date: Fri, 2 Dec 2016 11:05:27 -0500
Subject: Does dropbear support certificate based authentication?
In-Reply-To: <532AEB46-4FEE-48FD-BEBF-C7AE0CB0D674@ucc.asn.au>
References: <532AEB46-4FEE-48FD-BEBF-C7AE0CB0D674@ucc.asn.au>
Message-ID:

Darn. OK. Thanks. And thanks for dropbear!

--wpd

On Fri, Dec 2, 2016 at 10:58 AM, Matt Johnston wrote:

> Hi Patrick,
>
> Dropbear doesn't have any certificate support.
>
> Cheers,
> Matt
>
> On Fri. 2/12/2016, at 11:51 pm, Patrick Doyle wrote:
>
> i.e. similar to the TrustedUserCAKeys option for OpenSSH.
>
> --wpd

From naveen.mamindlapalli at gmail.com Mon Dec 5 15:10:49 2016
From: naveen.mamindlapalli at gmail.com (Naveen Mamindlapalli)
Date: Mon, 5 Dec 2016 12:40:49 +0530
Subject: Dropbear 2016.71 issue with Bitvise ssh client v7.15
Message-ID:

Hi All,

I am running Dropbear v2016.74 SSH server from inetd on uClinux OS running on ARM cortex M3 processor. When I connected to the SSH server using Bitvise ssh client v7.15 with option "open SFTP" enabled (by default) in addition to "Open Terminal" option (by default), the client successfully connected to the server. The terminal program (custom CLI, not linux shell) is accessible. I am not doing any sftp transfers during the session.

After disconnecting the ssh session, I am not able to reconnect again from Bitvise ssh client. When I debugged further I found that there is a process "cli -c /usr/libexec/sftp-server" still running in the background on uClinux OS.

Workaround:
I tried the following two options to work around this issue.

1. kill cli process manually before reconnecting the client again. This works fine.
2. disable "Open SFTP" option in Bitvise ssh client. This also works fine & no background sftp process is getting created.

I wanted to know why Dropbear ssh server is not terminating all child processes when the connection is terminated from bitvise ssh client. Is this a known issue?

Thanks and Regards,
Naveen

From matt at ucc.asn.au Mon Dec 5 21:42:00 2016
From: matt at ucc.asn.au (Matt Johnston)
Date: Mon, 5 Dec 2016 21:42:00 +0800
Subject: Dropbear 2016.71 issue with Bitvise ssh client v7.15
In-Reply-To:
References:
Message-ID:

Hi Naveen,

Which sftp-server are you using? Dropbear doesn't ship its own. I would have expected that it would exit when the SSH session exits, because its pipe will be closed.
Do you know what is preventing the second connection - is memory constrained so only one sftp-server process can run?

Cheers
Matt

> On Mon. 5/12/2016, at 3:10 pm, Naveen Mamindlapalli wrote:
>
> Hi All,
>
> I am running Dropbear v2016.74 SSH server from inetd on uClinux OS
> running on ARM cortex M3 processor. When I connected to the SSH server
> using Bitvise ssh client v7.15 with option "open SFTP" enabled (by
> default) in addition to "Open Terminal" option (by default), the
> client successfully connected to the server. The terminal program
> (custom CLI, not linux shell) is accessible. I am not doing any sftp
> transfers during the session.
>
> After disconnecting the ssh session, I am not able to reconnect again
> from Bitvise ssh client. When I debugged further I found that there is
> a process "cli -c /usr/libexec/sftp-server" still running in the
> background on uClinux OS.
>
> Workaround:
> I tried the following two options to work around this issue.
>
> 1. kill cli process manually before reconnecting the client again.
> This works fine.
> 2. disable "Open SFTP" option in Bitvise ssh client. This also works
> fine & no background sftp process is getting created.
>
> I wanted to know why Dropbear ssh server is not terminating all child
> processes when the connection is terminated from bitvise ssh client.
> Is this a known issue?
>
> Thanks and Regards,
> Naveen
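
An added example for the "Port forwarding for certain users only" thread above, not taken from any post on the list or from Dropbear's code: the public-key restrictions mentioned there are per-key options in `authorized_keys`, such as `no-port-forwarding`, and this Python check parses such a file and reports the keys that lack it. The sample file, key blobs, comments and the menu path are constructed placeholders.

```python
# Added example: list authorized_keys entries that may still forward ports.
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

def split_options(line):
    """Split one authorized_keys line into (options, 'type blob comment')."""
    if line.split(None, 1)[0] in KEY_TYPES:
        return [], line                      # line has no options field
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if quoted and ch == "\\" and line[i + 1:i + 2] == '"':
            cur += '\\"'                     # escaped quote inside a value
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:       # separator between options
            opts.append(cur)
            cur = ""
            i += 1
            continue
        elif ch in " \t" and not quoted:     # end of the options field
            break
        cur += ch
        i += 1
    opts.append(cur)
    return opts, line[i:].strip()

def keys_allowing_forwarding(text):
    """Return (line_number, comment) for keys without no-port-forwarding."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        names = {o.split("=", 1)[0].lower() for o in opts}
        if "no-port-forwarding" not in names:
            fields = rest.split()
            findings.append((number, fields[2] if len(fields) > 2 else "(no comment)"))
    return findings

# Constructed sample: key blobs are placeholders, the menu path is hypothetical.
SAMPLE = '''# authorized_keys (constructed)
ssh-rsa AAAAPLACEHOLDER root@console
no-port-forwarding,no-agent-forwarding,command="/usr/bin/settings-menu" ssh-rsa AAAAPLACEHOLDER menu@panel
command="echo \\"a, b\\"",no-agent-forwarding ssh-rsa AAAAPLACEHOLDER backup@host
'''

if __name__ == "__main__":
    for number, comment in keys_allowing_forwarding(SAMPLE):
        print(f"line {number}: {comment} can request port forwarding")
```

The check covers key-based logins only; it says nothing about accounts that authenticate with a password.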