From matt at ucc.asn.au Fri Oct 4 22:38:50 2013 From: matt at ucc.asn.au (Matt Johnston) Date: Fri, 4 Oct 2013 22:38:50 +0800 Subject: Dropbear 2013.59 Message-ID: <20131004143850.GH4394@ucc.gu.uwa.edu.au> Hi all, Dropbear 2013.59 has been released. It fixes a number of bugs, including two security issues affecting prior releases. - The Dropbear server could be made to consume large amounts of memory because decompressed packet sizes weren't checked. Depending on the OS and hardware this might be a denial of service. - Valid users could be identified due to timing variations. As usual you can download it from https://matt.ucc.asn.au/dropbear/dropbear.html Cheers, Matt 2013.59 - Friday 4 October 2013 - Fix crash from -J command Thanks to Llu?s Batlle i Rossell and Arnaud Mouiche for patches - Avoid reading too much from /proc/net/rt_cache since that causes system slowness. - Improve EOF handling for half-closed connections Thanks to Catalin Patulea - Send a banner message to report PAM error messages intended for the user Patch from Martin Donnelly - Limit the size of decompressed payloads, avoids memory exhaustion denial of service Thanks to Logan Lamb for reporting and investigating it - Avoid disclosing existence of valid users through inconsistent delays Thanks to Logan Lamb for reporting - Update config.guess and config.sub for newer architectures - Avoid segfault in server for locked accounts - "make install" now installs manpages dropbearkey.8 has been renamed to dropbearkey.1 manpage added for dropbearconvert - Get rid of one second delay when running non-interactive commands Releases are signed by PGP key matt at ucc.asn.au 4C647FBC D11E 5F8D 2C38 523F 57F1 2166 8CF9 F8B0 4C64 7FBC From pmeerw at pmeerw.net Fri Oct 4 23:05:00 2013 From: pmeerw at pmeerw.net (Peter Meerwald) Date: Fri, 4 Oct 2013 17:05:00 +0200 (CEST) Subject: Dropbear 2013.59 In-Reply-To: <20131004143850.GH4394@ucc.gu.uwa.edu.au> References: <20131004143850.GH4394@ucc.gu.uwa.edu.au> Message-ID: Hi, > - "make install" now installs manpages > dropbearkey.8 has been renamed to dropbearkey.1 > manpage added for dropbearconvert this does not work when building with MULTI=1, i.e. make -n install install -d /bin install dropbearmulti /bin install -d /usr/local/share/man/man1 install -m 644 dropbearmulti.1 /usr/local/share/man/man1/dropbearmulti.1 but there is no dropbearmulti.1, and install fails regards, p. -- Peter Meerwald +43-664-2444418 (mobile) From srn at coolheads.com Sat Oct 5 00:31:24 2013 From: srn at coolheads.com (Steve Newcomb) Date: Fri, 04 Oct 2013 12:31:24 -0400 Subject: autossh incompatibility with dropbear -y Message-ID: <524EED5C.7010302@coolheads.com> I'm using OpenWRT. My router, whose IP address changes unpredictably, makes its ssh-listening port available on another host running at a stable IP address, using autossh/dropbear to create a reverse channel. Sometimes the host's key changes from time to time, which can stop the autossh process at a prompt (to nobody) to decide what to do about the change. Ordinary OpenSSH has a StrictHostKeyChecking option which can be used to bypass the so-called "ask" prompt and just make the connection regardless. By reading the source, I learned that Dropbear's ssh client evidently has a similar feature, the "-y" invocation option. But I can't pass the -y to it via autossh because autossh doesn't approve of it. Dropbear's ssh client also does not offer a config file utility, AFAIK. Dropbear evidently ignores all -o options, too; they wind up in a bit bucket called something like "dummy". Does anybody know the answer, short of editing/recompiling autossh so it won't be so persnickety and just get out of the way? Steve Newcomb From cat at vv.carleton.ca Sat Oct 5 09:02:58 2013 From: cat at vv.carleton.ca (Catalin Patulea) Date: Fri, 4 Oct 2013 21:02:58 -0400 Subject: autossh incompatibility with dropbear -y In-Reply-To: <524EED5C.7010302@coolheads.com> References: <524EED5C.7010302@coolheads.com> Message-ID: You could always write a small wrapper script that adds whatever command-line arguments you need, and pass *that* to autossh. #!/bin/sh exec path/to/dropbear -y "$@" On Fri, Oct 4, 2013 at 12:31 PM, Steve Newcomb wrote: > I'm using OpenWRT. My router, whose IP address changes unpredictably, > makes its ssh-listening port available on another host running at a > stable IP address, using autossh/dropbear to create a reverse channel. > > Sometimes the host's key changes from time to time, which can stop the > autossh process at a prompt (to nobody) to decide what to do about the > change. > > Ordinary OpenSSH has a StrictHostKeyChecking option which can be used to > bypass the so-called "ask" prompt and just make the connection regardless. > > By reading the source, I learned that Dropbear's ssh client evidently > has a similar feature, the "-y" invocation option. But I can't pass the > -y to it via autossh because autossh doesn't approve of it. Dropbear's > ssh client also does not offer a config file utility, AFAIK. > Dropbear evidently ignores all -o options, too; they wind up in a bit > bucket called something like "dummy". > > Does anybody know the answer, short of editing/recompiling autossh so it > won't be so persnickety and just get out of the way? > > Steve Newcomb From srn at coolheads.com Sun Oct 6 23:16:23 2013 From: srn at coolheads.com (Steve Newcomb) Date: Sun, 06 Oct 2013 11:16:23 -0400 Subject: autossh incompatibility with dropbear -y In-Reply-To: References: <524EED5C.7010302@coolheads.com> Message-ID: <52517EC7.906@coolheads.com> SOLVED, I think. The answer, apparently, is to make the path to the wrapper script suggested by Catalin Patulea (see below) the value of the exported environment variable AUTOSSH_PATH prior to calling autossh. On 10/04/2013 09:02 PM, Catalin Patulea wrote: > You could always write a small wrapper script that adds whatever > command-line arguments you need, and pass *that* to autossh. > > #!/bin/sh > exec path/to/dropbear -y "$@" > > On Fri, Oct 4, 2013 at 12:31 PM, Steve Newcomb wrote: >> I'm using OpenWRT. My router, whose IP address changes unpredictably, >> makes its ssh-listening port available on another host running at a >> stable IP address, using autossh/dropbear to create a reverse channel. >> >> Sometimes the host's key changes from time to time, which can stop the >> autossh process at a prompt (to nobody) to decide what to do about the >> change. >> >> Ordinary OpenSSH has a StrictHostKeyChecking option which can be used to >> bypass the so-called "ask" prompt and just make the connection regardless. >> >> By reading the source, I learned that Dropbear's ssh client evidently >> has a similar feature, the "-y" invocation option. But I can't pass the >> -y to it via autossh because autossh doesn't approve of it. Dropbear's >> ssh client also does not offer a config file utility, AFAIK. >> Dropbear evidently ignores all -o options, too; they wind up in a bit >> bucket called something like "dummy". >> >> Does anybody know the answer, short of editing/recompiling autossh so it >> won't be so persnickety and just get out of the way? >> >> Steve Newcomb From cat at vv.carleton.ca Mon Oct 7 03:49:01 2013 From: cat at vv.carleton.ca (Catalin Patulea) Date: Sun, 6 Oct 2013 15:49:01 -0400 Subject: Dropbear 2013.59 In-Reply-To: <20131004143850.GH4394@ucc.gu.uwa.edu.au> References: <20131004143850.GH4394@ucc.gu.uwa.edu.au> Message-ID: Are there any mirrors of Dropbear releases? OpenWRT used to use http://www.mirrors.wiretapped.net/security/cryptography/apps/ssh/dropbear/ but it seems that mirror is now defunct. On Fri, Oct 4, 2013 at 10:38 AM, Matt Johnston wrote: > Hi all, > > Dropbear 2013.59 has been released. It fixes a number of > bugs, including two security issues affecting prior > releases. > > - The Dropbear server could be made to consume large amounts > of memory because decompressed packet sizes weren't checked. > Depending on the OS and hardware this might be a denial of > service. > > - Valid users could be identified due to timing variations. > > As usual you can download it from > https://matt.ucc.asn.au/dropbear/dropbear.html > > > Cheers, > Matt > > 2013.59 - Friday 4 October 2013 > > - Fix crash from -J command > Thanks to Llu?s Batlle i Rossell and Arnaud Mouiche for patches > > - Avoid reading too much from /proc/net/rt_cache since that causes > system slowness. > > - Improve EOF handling for half-closed connections > Thanks to Catalin Patulea > > - Send a banner message to report PAM error messages intended for the user > Patch from Martin Donnelly > > - Limit the size of decompressed payloads, avoids memory exhaustion denial > of service > Thanks to Logan Lamb for reporting and investigating it > > - Avoid disclosing existence of valid users through inconsistent delays > Thanks to Logan Lamb for reporting > > - Update config.guess and config.sub for newer architectures > > - Avoid segfault in server for locked accounts > > - "make install" now installs manpages > dropbearkey.8 has been renamed to dropbearkey.1 > manpage added for dropbearconvert > > - Get rid of one second delay when running non-interactive commands > > Releases are signed by PGP key matt at ucc.asn.au 4C647FBC > D11E 5F8D 2C38 523F 57F1 2166 8CF9 F8B0 4C64 7FBC From developer at it-offshore.co.uk Mon Oct 7 07:16:56 2013 From: developer at it-offshore.co.uk (IT Developer) Date: Mon, 07 Oct 2013 00:16:56 +0100 Subject: Dropbear 2013.59 In-Reply-To: References: <20131004143850.GH4394@ucc.gu.uwa.edu.au> Message-ID: <5251EF68.7010803@it-offshore.co.uk> Latest Debian Packages are here: gpg --keyserver subkeys.pgp.net --recv-keys 92B84A1E gpg -a --export 92B84A1E | apt-key add - & add to /etc/apt/sources.list: deb http://cdn.content-network.net/mirror/apt.balocco.name wheezy main php ssh www deb-src http://cdn.content-network.net/mirror/apt.balocco.name wheezy main php ssh www If you use Fail2Ban with Dropbear instructions here to run Fail2Ban as a non root user: https://coderwall.com/p/haj28a My comment on that page to fix the Dropbear filter will only apply to the official debs - the fix is included in the above packages. Also change /etc/fail2ban/jail.local logpath & filter settings for dropbear: [dropbear] enabled = true port = 2222 filter = dropbear logpath = /var/log/auth.log maxretry = 3 Stuart. On 10/06/2013 08:49 PM, Catalin Patulea wrote: > Are there any mirrors of Dropbear releases? OpenWRT used to use > http://www.mirrors.wiretapped.net/security/cryptography/apps/ssh/dropbear/ > but it seems that mirror is now defunct. > > On Fri, Oct 4, 2013 at 10:38 AM, Matt Johnston wrote: >> Hi all, >> >> Dropbear 2013.59 has been released. It fixes a number of >> bugs, including two security issues affecting prior >> releases. >> >> - The Dropbear server could be made to consume large amounts >> of memory because decompressed packet sizes weren't checked. >> Depending on the OS and hardware this might be a denial of >> service. >> >> - Valid users could be identified due to timing variations. >> >> As usual you can download it from >> https://matt.ucc.asn.au/dropbear/dropbear.html >> >> >> Cheers, >> Matt >> >> 2013.59 - Friday 4 October 2013 >> >> - Fix crash from -J command >> Thanks to Llu?s Batlle i Rossell and Arnaud Mouiche for patches >> >> - Avoid reading too much from /proc/net/rt_cache since that causes >> system slowness. >> >> - Improve EOF handling for half-closed connections >> Thanks to Catalin Patulea >> >> - Send a banner message to report PAM error messages intended for the user >> Patch from Martin Donnelly >> >> - Limit the size of decompressed payloads, avoids memory exhaustion denial >> of service >> Thanks to Logan Lamb for reporting and investigating it >> >> - Avoid disclosing existence of valid users through inconsistent delays >> Thanks to Logan Lamb for reporting >> >> - Update config.guess and config.sub for newer architectures >> >> - Avoid segfault in server for locked accounts >> >> - "make install" now installs manpages >> dropbearkey.8 has been renamed to dropbearkey.1 >> manpage added for dropbearconvert >> >> - Get rid of one second delay when running non-interactive commands >> >> Releases are signed by PGP key matt at ucc.asn.au 4C647FBC >> D11E 5F8D 2C38 523F 57F1 2166 8CF9 F8B0 4C64 7FBC -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20131007/a7d781ca/attachment.htm From post at lespocky.de Wed Oct 9 16:48:39 2013 From: post at lespocky.de (Alexander Dahl) Date: Wed, 09 Oct 2013 10:48:39 +0200 Subject: Dropbear 2013.59 In-Reply-To: <20131004143850.GH4394@ucc.gu.uwa.edu.au> References: <20131004143850.GH4394@ucc.gu.uwa.edu.au> Message-ID: <2fdb27a42909c893af11b38de50b4e90@idefix.lespocky.dyndns.org> Hei hei, because of the security fixes I tried upgrading the dropbear package in ptxdist and this fails. Let me explain how. Am 2013-10-04 16:38, schrieb Matt Johnston: > - "make install" now installs manpages > dropbearkey.8 has been renamed to dropbearkey.1 > manpage added for dropbearconvert ptxdist compiles dropbear with `make all scp` and installs with `make install inst_scp`. Usually we use a cross compiler for ARMv5 but I can reproduce this behaviour when compiling on Debian Wheezy (amd64), too. See: The failing stage is the install stage, see the output from my Debian machine: % LANG=C DESTDIR=~/compiled/dropbear-2013.59 make install inst_scp install -d /home/adahl/compiled/dropbear-2013.59/sbin install dropbear /home/adahl/compiled/dropbear-2013.59/sbin install -d /home/adahl/compiled/dropbear-2013.59/usr/local/share/man/man8 install -m 644 dropbear.8 /home/adahl/compiled/dropbear-2013.59/usr/local/share/man/man8/dropbear.8 install -d /home/adahl/compiled/dropbear-2013.59/bin install dbclient /home/adahl/compiled/dropbear-2013.59/bin install -d /home/adahl/compiled/dropbear-2013.59/usr/local/share/man/man1 install -m 644 dbclient.1 /home/adahl/compiled/dropbear-2013.59/usr/local/share/man/man1/dbclient.1 install -d /home/adahl/compiled/dropbear-2013.59/bin install dropbearkey /home/adahl/compiled/dropbear-2013.59/bin install -d /home/adahl/compiled/dropbear-2013.59/usr/local/share/man/man1 install -m 644 dropbearkey.1 /home/adahl/compiled/dropbear-2013.59/usr/local/share/man/man1/dropbearkey.1 install -d /home/adahl/compiled/dropbear-2013.59/bin install dropbearconvert /home/adahl/compiled/dropbear-2013.59/bin install -d /home/adahl/compiled/dropbear-2013.59/usr/local/share/man/man1 install -m 644 dropbearconvert.1 /home/adahl/compiled/dropbear-2013.59/usr/local/share/man/man1/dropbearconvert.1 install -d /home/adahl/compiled/dropbear-2013.59/bin install scp /home/adahl/compiled/dropbear-2013.59/bin install -d /home/adahl/compiled/dropbear-2013.59/usr/local/share/man/man1 install -m 644 scp.1 /home/adahl/compiled/dropbear-2013.59/usr/local/share/man/man1/scp.1 install: cannot stat `scp.1': No such file or directory make: *** [inst_scp] Error 1 2013.58 works so I guess this behaviour was accidently introduced between 2013.58 and 2013.59. I'm not familiar with autotools, so could you give me a hint how to fix this? Greets Alex -- ?With the first link, the chain is forged. The first speech censured, the first thought forbidden, the first freedom denied, chains us all irrevocably.? (Jean-Luc Picard, quoting Judge Aaron Satie) *** GnuPG-FP: 02C8 A590 7FE5 CA5F 3601 D1D5 8FBA 7744 CC87 10D0 *** From matt at ucc.asn.au Wed Oct 9 22:40:06 2013 From: matt at ucc.asn.au (Matt Johnston) Date: Wed, 9 Oct 2013 22:40:06 +0800 Subject: Dropbear 2013.59 In-Reply-To: <2fdb27a42909c893af11b38de50b4e90@idefix.lespocky.dyndns.org> References: <20131004143850.GH4394@ucc.gu.uwa.edu.au> <2fdb27a42909c893af11b38de50b4e90@idefix.lespocky.dyndns.org> Message-ID: <20131009144006.GO4394@ucc.gu.uwa.edu.au> Hi all, There are a few problems with the Makefile in 2013.59. - @exec_prefix@ wasn't set but configure refers to that in when substituting @bindir@ (!). This caused installation to go to /bin and /sbin rather than the prefix. - Installation fails if there isn't a manpage for targets such as scp and dropbearmulti I think these should be fixed now, could anyone with problems grab the Makefile.in below, run configure again, and check that it fixes things. I'll make a new release in a few days with this fix - please contact me if there are other things broken. https://secure.ucc.asn.au/hg/dropbear/raw-file/93e04b9ff676/Makefile.in Cheers, Matt On Wed, Oct 09, 2013 at 10:48:39AM +0200, Alexander Dahl wrote: > Hei hei, > > because of the security fixes I tried upgrading the dropbear package in > ptxdist and this fails. Let me explain how. > > Am 2013-10-04 16:38, schrieb Matt Johnston: > > - "make install" now installs manpages > > dropbearkey.8 has been renamed to dropbearkey.1 > > manpage added for dropbearconvert > > ptxdist compiles dropbear with `make all scp` and installs with `make > install inst_scp`. Usually we use a cross compiler for ARMv5 but I can > reproduce this behaviour when compiling on Debian Wheezy (amd64), too. > See: > > The failing stage is the install stage, see the output from my Debian > machine: > > % LANG=C DESTDIR=~/compiled/dropbear-2013.59 make install inst_scp > install -d /home/adahl/compiled/dropbear-2013.59/sbin > install dropbear /home/adahl/compiled/dropbear-2013.59/sbin > install -d > /home/adahl/compiled/dropbear-2013.59/usr/local/share/man/man8 > install -m 644 dropbear.8 > /home/adahl/compiled/dropbear-2013.59/usr/local/share/man/man8/dropbear.8 > install -d /home/adahl/compiled/dropbear-2013.59/bin > install dbclient /home/adahl/compiled/dropbear-2013.59/bin > install -d > /home/adahl/compiled/dropbear-2013.59/usr/local/share/man/man1 > install -m 644 dbclient.1 > /home/adahl/compiled/dropbear-2013.59/usr/local/share/man/man1/dbclient.1 > install -d /home/adahl/compiled/dropbear-2013.59/bin > install dropbearkey /home/adahl/compiled/dropbear-2013.59/bin > install -d > /home/adahl/compiled/dropbear-2013.59/usr/local/share/man/man1 > install -m 644 dropbearkey.1 > /home/adahl/compiled/dropbear-2013.59/usr/local/share/man/man1/dropbearkey.1 > install -d /home/adahl/compiled/dropbear-2013.59/bin > install dropbearconvert /home/adahl/compiled/dropbear-2013.59/bin > install -d > /home/adahl/compiled/dropbear-2013.59/usr/local/share/man/man1 > install -m 644 dropbearconvert.1 > /home/adahl/compiled/dropbear-2013.59/usr/local/share/man/man1/dropbearconvert.1 > install -d /home/adahl/compiled/dropbear-2013.59/bin > install scp /home/adahl/compiled/dropbear-2013.59/bin > install -d > /home/adahl/compiled/dropbear-2013.59/usr/local/share/man/man1 > install -m 644 scp.1 > /home/adahl/compiled/dropbear-2013.59/usr/local/share/man/man1/scp.1 > install: cannot stat `scp.1': No such file or directory > make: *** [inst_scp] Error 1 > > 2013.58 works so I guess this behaviour was accidently introduced > between 2013.58 and 2013.59. I'm not familiar with autotools, so could > you give me a hint how to fix this? > > Greets > Alex > > -- > ?With the first link, the chain is forged. The first speech censured, > the first thought forbidden, the first freedom denied, chains us all > irrevocably.? (Jean-Luc Picard, quoting Judge Aaron Satie) > *** GnuPG-FP: 02C8 A590 7FE5 CA5F 3601 D1D5 8FBA 7744 CC87 10D0 *** From post at lespocky.de Thu Oct 10 19:30:00 2013 From: post at lespocky.de (Alexander Dahl) Date: Thu, 10 Oct 2013 13:30:00 +0200 Subject: Dropbear 2013.59 In-Reply-To: <20131009144006.GO4394@ucc.gu.uwa.edu.au> References: <20131004143850.GH4394@ucc.gu.uwa.edu.au> <2fdb27a42909c893af11b38de50b4e90@idefix.lespocky.dyndns.org> <20131009144006.GO4394@ucc.gu.uwa.edu.au> Message-ID: Hei hei, Am 2013-10-09 16:40, schrieb Matt Johnston: > I think these should be fixed now, could anyone with > problems grab the Makefile.in below, run configure again, > and check that it fixes things. I'll make a new release in a > few days with this fix - please contact me if there are > other things broken. I checked current tip and build on Debian is fine. I also imported changesets 4a788a3162a1 and 93e04b9ff676 on top of 2013.59 in my ptxdist BSP and this also works. Thanks and greets. Alex -- ?With the first link, the chain is forged. The first speech censured, the first thought forbidden, the first freedom denied, chains us all irrevocably.? (Jean-Luc Picard, quoting Judge Aaron Satie) *** GnuPG-FP: 02C8 A590 7FE5 CA5F 3601 D1D5 8FBA 7744 CC87 10D0 *** From vapier at gentoo.org Sun Oct 13 04:37:15 2013 From: vapier at gentoo.org (Mike Frysinger) Date: Sat, 12 Oct 2013 16:37:15 -0400 Subject: fix bundled libtom configure flag Message-ID: <201310121637.15874.vapier@gentoo.org> the current flag treats --disable-bundled-libtom like enable. this patch fixes it. -mike diff -r 93e04b9ff676 configure.ac --- a/configure.ac Wed Oct 09 22:24:39 2013 +0800 +++ b/configure.ac Sat Oct 12 16:36:07 2013 -0400 @@ -365,9 +365,15 @@ AC_CHECK_FUNCS(logout updwtmp logwtmp) AC_ARG_ENABLE(bundled-libtom, [ --enable-bundled-libtom Use bundled libtomcrypt/libtommath even if a system version exists], - [ - BUNDLED_LIBTOM=1 - AC_MSG_NOTICE(Forcing bundled libtom*) + [ + if test "x$enableval" = "xyes"; then + BUNDLED_LIBTOM=1 + AC_MSG_NOTICE(Forcing bundled libtom*) + else + BUNDLED_LIBTOM=0 + AC_CHECK_LIB(tomcrypt, register_cipher, , BUNDLED_LIBTOM=1) + AC_CHECK_LIB(tommath, mp_exptmod, , BUNDLED_LIBTOM=1) + fi ], [ BUNDLED_LIBTOM=0 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part. Url : http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20131012/0b5e3770/attachment.sig From matt at ucc.asn.au Sun Oct 13 23:04:19 2013 From: matt at ucc.asn.au (Matt Johnston) Date: Sun, 13 Oct 2013 23:04:19 +0800 Subject: Dropbear 2013.59 In-Reply-To: References: <20131004143850.GH4394@ucc.gu.uwa.edu.au> Message-ID: <20131013150419.GU4394@ucc.gu.uwa.edu.au> On Sun, Oct 06, 2013 at 03:49:01PM -0400, Catalin Patulea wrote: > Are there any mirrors of Dropbear releases? OpenWRT used to use > http://www.mirrors.wiretapped.net/security/cryptography/apps/ssh/dropbear/ > but it seems that mirror is now defunct. I've set up a mirror at https://dropbear.nl/mirror/ It's hosted on a Raspberry Pi in the Netherlands by https://pcextreme.nl with http://raspberrycolocation.com Cheers, Matt From cat at vv.carleton.ca Tue Oct 15 05:31:30 2013 From: cat at vv.carleton.ca (Catalin Patulea) Date: Mon, 14 Oct 2013 17:31:30 -0400 Subject: [PATCH] dropbear: add dropbear.nl mirror, provided by dropbear maintainer Message-ID: <1381786290-3912-1-git-send-email-cat@vv.carleton.ca> Signed-off-by: Catalin Patulea --- package/network/services/dropbear/Makefile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/package/network/services/dropbear/Makefile b/package/network/services/dropbear/Makefile index f025c4d..02be761 100644 --- a/package/network/services/dropbear/Makefile +++ b/package/network/services/dropbear/Makefile @@ -13,7 +13,8 @@ PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:= \ - http://matt.ucc.asn.au/dropbear/releases/ + http://matt.ucc.asn.au/dropbear/releases/ \ + https://dropbear.nl/mirror/releases/ PKG_MD5SUM:=6c1e6c2c297f4034488ffc95e8b7e6e9 PKG_LICENSE:=MIT -- 1.7.9.5 From matt at ucc.asn.au Tue Oct 15 22:59:12 2013 From: matt at ucc.asn.au (Matt Johnston) Date: Tue, 15 Oct 2013 22:59:12 +0800 Subject: fix bundled libtom configure flag In-Reply-To: <201310121637.15874.vapier@gentoo.org> References: <201310121637.15874.vapier@gentoo.org> Message-ID: <20131015145912.GV4394@ucc.gu.uwa.edu.au> On Sat, Oct 12, 2013 at 04:37:15PM -0400, Mike Frysinger wrote: > the current flag treats --disable-bundled-libtom like enable. this patch fixes it. I've committed this modified. If it can't find system libraries with --disable-bundled-libtom it fails rather than silently falling back to bundled. https://secure.ucc.asn.au/hg/dropbear/rev/4cf61252dfc3 Cheers, Matt From matt at ucc.asn.au Wed Oct 16 22:51:45 2013 From: matt at ucc.asn.au (Matt Johnston) Date: Wed, 16 Oct 2013 22:51:45 +0800 Subject: Dropbear 2013.60 Message-ID: <20131016145144.GW4394@ucc.gu.uwa.edu.au> Hi all, Dropbear 2013.60 is released fixing a few bugs from 2013.59, mainly related to "make install". Download as usual from https://matt.ucc.asn.au/dropbear/dropbear.html or the new mirror https://dropbear.nl/mirror/ Cheers, Matt 2013.60 - Wednesday 16 October 2013 - Fix "make install" so that it doesn't always install to /bin and /sbin - Fix "make install MULTI=1", installing manpages failed - Fix "make install" when scp is included since it has no manpage - Make --disable-bundled-libtom work Releases are signed by PGP key matt at ucc.asn.au 4C647FBC D11E 5F8D 2C38 523F 57F1 2166 8CF9 F8B0 4C64 7FBC From rob at landley.net Sun Oct 20 04:56:06 2013 From: rob at landley.net (Rob Landley) Date: Sat, 19 Oct 2013 15:56:06 -0500 Subject: Dropbear 2013.59 In-Reply-To: (from cat@vv.carleton.ca on Sun Oct 6 14:49:01 2013) Message-ID: <1382216166.1974.214@driftwood> A: Sigh. Probably. Q: But mixing the two styles is worse? A: Because it's confusing. Q: Why not top post? I just updated the prebuilt binaries (statically linked against uClibc) at http://landley.net/aboriginal/downloads/binaries/extras to include the new dropbear version. The source I build from is mirrored at http://landley.net/aboriginal/mirror (it's not a complete list because I haven't always built every version), but it's something... Rob P.S. Since this is a security thing, if you want to reproduce these binaries from source use the appropriate architecture's system image from http://landley.net/aboriginal/bin and the static-tools build control image from http://landley.net/aboriginal/control-images/downloads/binaries and go: tar xvjf system-image-mips.tar.bz2 cd system-image-mips ./native-build.sh static-tools.hdc That should all work under qemu 1.6.1. (You may have to loopback mount the resulting hdb.img to get the binaries out after it exits, because it expects the toybox ftp command on the host to automatically upload it out through the virtual network, which isn't exactly widely deployed.) (If you want to speed up the build process you can distccd on the host and extract the appropriate cross-compiler tarball into that system-image directory, the native-build script will autodetect them and use distcc to call out to the cross compiler.) If you want to rebuild the system image and build control images from source, you want the http://landley.net/hg/aboriginal and http://landley.net/hg/control-images repositories, respectively. There's documentation about both at http://landley.net/aboriginal/about.html and http://landley.net/aboriginal/control-images respectively. If you want to do the "diverse double compiling" thing described at http://www.dwheeler.com/trusting-trust I can only point you at http://elcc.org/blog and suggest giving them a hand. On 10/06/2013 02:49:01 PM, Catalin Patulea wrote: > Are there any mirrors of Dropbear releases? OpenWRT used to use > http://www.mirrors.wiretapped.net/security/cryptography/apps/ssh/dropbear/ > but it seems that mirror is now defunct. > > On Fri, Oct 4, 2013 at 10:38 AM, Matt Johnston > wrote: > > Hi all, > > > > Dropbear 2013.59 has been released. It fixes a number of > > bugs, including two security issues affecting prior > > releases. > > > > - The Dropbear server could be made to consume large amounts > > of memory because decompressed packet sizes weren't checked. > > Depending on the OS and hardware this might be a denial of > > service. > > > > - Valid users could be identified due to timing variations. > > > > As usual you can download it from > > https://matt.ucc.asn.au/dropbear/dropbear.html > > > > > > Cheers, > > Matt > > > > 2013.59 - Friday 4 October 2013 > > > > - Fix crash from -J command > > Thanks to Llu?s Batlle i Rossell and Arnaud Mouiche for patches > > > > - Avoid reading too much from /proc/net/rt_cache since that causes > > system slowness. > > > > - Improve EOF handling for half-closed connections > > Thanks to Catalin Patulea > > > > - Send a banner message to report PAM error messages intended for > the user > > Patch from Martin Donnelly > > > > - Limit the size of decompressed payloads, avoids memory exhaustion > denial > > of service > > Thanks to Logan Lamb for reporting and investigating it > > > > - Avoid disclosing existence of valid users through inconsistent > delays > > Thanks to Logan Lamb for reporting > > > > - Update config.guess and config.sub for newer architectures > > > > - Avoid segfault in server for locked accounts > > > > - "make install" now installs manpages > > dropbearkey.8 has been renamed to dropbearkey.1 > > manpage added for dropbearconvert > > > > - Get rid of one second delay when running non-interactive commands > > > > Releases are signed by PGP key matt at ucc.asn.au 4C647FBC > > D11E 5F8D 2C38 523F 57F1 2166 8CF9 F8B0 4C64 7FBC > From daniel.cegielka at gmail.com Sun Oct 20 05:04:39 2013 From: daniel.cegielka at gmail.com (=?ISO-8859-2?Q?Daniel_Cegie=B3ka?=) Date: Sat, 19 Oct 2013 23:04:39 +0200 Subject: Dropbear 2013.59 In-Reply-To: <1382216166.1974.214@driftwood> References: <1382216166.1974.214@driftwood> Message-ID: 2013/10/19 Rob Landley : > If you want to do the "diverse double compiling" thing described at > http://www.dwheeler.com/trusting-trust I can only point you at > http://elcc.org/blog and suggest giving them a hand. hmm.. ll? :) http://ellcc.org/blog/ Daniel From dave.taht at gmail.com Tue Oct 22 11:06:28 2013 From: dave.taht at gmail.com (Dave Taht) Date: Mon, 21 Oct 2013 20:06:28 -0700 Subject: [mosh-devel] mosh-server vs dropbear vs openwrt In-Reply-To: References: Message-ID: OK, well... On Mon, Oct 21, 2013 at 8:02 PM, Anders Kaseorg wrote: > On Mon, 21 Oct 2013, Dave Taht wrote: >> Mon Oct 21 21:18:04 2013 authpriv.err dropbear[2995]: >> ioctl(TIOCSCTTY): Input/output error >> Mon Oct 21 21:18:04 2013 authpriv.err dropbear[2995]: /dev/pts/1: No >> such file or directory >> Mon Oct 21 21:18:04 2013 authpriv.err dropbear[2995]: open /dev/tty >> failed - could not set controlling tty: No such device or address >> Mon Oct 21 21:18:05 2013 authpriv.info dropbear[2994]: Exit (root): >> Disconnect received > > Yes, there seems to be a problem with dropbear not liking ?ssh -n -tt? (or > ?ssh -tt https://github.com/keithw/mosh/issues/464 . Not sure if that patch is the right thing, but for sure ssh -n -tt doesn't work to my dropbear instance. > Anders -- Dave T?ht Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html From bhavanamanohar at gmail.com Fri Nov 8 17:39:42 2013 From: bhavanamanohar at gmail.com (shm) Date: Fri, 8 Nov 2013 09:39:42 +0000 (UTC) Subject: exit before auth: error Message-ID: Hi, I am using dropbear to establish passwordless connection between two embedded linux targets connected via Gigabit Ethernet. I created the host key in both nodes using dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key I started dropbear in both nodes by dropbear -s -g command When I try to login from one node (192.168.10.6) to other (192.168.10.7) using dbclient -i /etc/dropbear/dropbear_rsa_host_key root at 192.168.10.7 I get the following messages in 192.168.10.6 ?Host '192.168.10.7' is not in the trusted hosts file. (fingerprint md5 e8:64:8c:b4:6a:13:11:8e:e0:71:c2:a3:11:62:40:9b) Do you want to continue connecting? (y/n) dbclient: connection to root at 192.168.10.7:22 exited: Didn't validate host key? and the following messages in 192.168.10.7 ?[1189] Jan 01 02:55:05 Not backgrounding [1194] Jan 01 02:55:09 Child connection from 192.168.10.6:51022 [1194] Jan 01 02:55:09 exit before auth: error reading: Connection reset by peer? When I try to login back from node (192.168.10.7) to other (192.168.10.6) using dbclient -i /etc/dropbear/dropbear_rsa_host_key 192.168.10.6 I get the following messages in 192.168.10.7 ?dbclient: connection to root at 192.168.10.6:22 exited: No auth methods could be used.? and the following messages in 192.168.10.6 ?sh-3.2# [1229] Jan 01 02:57:24 Child connection from 192.168.10.7:55984 [1229] Jan 01 02:57:24 exit before auth (user 'root', 0 fails): Exited normally? I am new to this. Could anyone please help me to solve this ? From bodo at bodo-m.de Fri Nov 8 18:52:58 2013 From: bodo at bodo-m.de (bodo at bodo-m.de) Date: Fri, 08 Nov 2013 11:52:58 +0100 Subject: exit before auth: error In-Reply-To: References: Message-ID: <20131108115258.Horde.TpO6930FDMUVvcIcWjANxg2@webmail.df.eu> Zitat von shm : > When I try to login from one node (192.168.10.6) to other > (192.168.10.7) using > > dbclient -i /etc/dropbear/dropbear_rsa_host_key root at 192.168.10.7 > > I get the following messages in 192.168.10.6 > ?Host '192.168.10.7' is not in the trusted hosts file. > (fingerprint md5 e8:64:8c:b4:6a:13:11:8e:e0:71:c2:a3:11:62:40:9b) > Do you want to continue connecting? (y/n) dbclient: connection to > root at 192.168.10.7:22 exited: Didn't validate host key? Did you run this command interactively or from a script? Did you type 'y'? > I am new to this. Could anyone please help me to solve this ? Host 192.168.10.6 does not yet know the host key of 192.168.10.7. When you connect to this host for the first time you have to confirm that it is really the host you want to connect to. This will save the host key. The next time it should not ask again as long as the host key does not change. Bodo From bhavanamanohar at gmail.com Mon Nov 11 14:10:58 2013 From: bhavanamanohar at gmail.com (shm) Date: Mon, 11 Nov 2013 06:10:58 +0000 (UTC) Subject: exit before auth: error References: <20131108115258.Horde.TpO6930FDMUVvcIcWjANxg2@webmail.df.eu> Message-ID: > Command was run interactively. I couldn't type 'y' because connection exited before that. "Do you want to continue connecting? (y/n) dbclient: connection to > > root 192.168.10.7:22 exited: Didn't validate host key? From bodo at bodo-m.de Mon Nov 11 17:20:16 2013 From: bodo at bodo-m.de (Bodo Meissner) Date: Mon, 11 Nov 2013 10:20:16 +0100 Subject: exit before auth: error In-Reply-To: References: <20131108115258.Horde.TpO6930FDMUVvcIcWjANxg2@webmail.df.eu> Message-ID: <5280A150.10205@bodo-m.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11.11.2013 07:10, shm wrote: > Command was run interactively. I couldn't type 'y' because connection exited before that. > >>> "Do you want to continue connecting? (y/n) dbclient: connection to root 192.168.10.7:22 exited: Didn't validate host key? The output and behavior looks as if the command was not run from a terminal. The program might have received EOF when trying to read the answer. If that's not the case I don't know what else could be wrong here. Bodo -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iEYEARECAAYFAlKAoVAACgkQnMz9fgzDSqf/dQCfeWQCw5AnHYnV6sMdNTk0PumD H3kAnj5FbklTu8fhbxqbnrPNPdzmNO+k =hT+w -----END PGP SIGNATURE----- From matt at ucc.asn.au Thu Nov 14 22:40:59 2013 From: matt at ucc.asn.au (Matt Johnston) Date: Thu, 14 Nov 2013 22:40:59 +0800 Subject: Dropbear test version 2013.61test with ECC Message-ID: <20131114144059.GE1927@ucc.gu.uwa.edu.au> Hi all, Dropbear now has support for ECC which is significantly faster at setting up connections on slow platforms. Since it's a large patch I'm making a test release first. I've also added a "-R" mode to automatically generate hostkeys on first connection - this is recommended on embedded platforms which may take a while after boot before a good /dev/urandom seed has been derived. Download from https://matt.ucc.asn.au/dropbear/testing/dropbear-2013.61test.tar.bz2 Cheers, Matt 2013.61test - Thursday 14 November 2013 - ECC (elliptic curve) support. Supports ECDSA hostkeys (requires new keys to be generated) and ECDH for setting up encryption keys (no intervention required). This is significantly faster. - curve25519-sha256 at libssh.org support for setting up encryption keys. This is another elliptic curve mode with less potential of NSA interference in algorithm parameters. curve25519-donna code thanks to Adam Langley - -R option to automatically generate hostkeys. This is recommended for embedded platforms since it allows the system random number device /dev/urandom a longer startup time to generate a secure seed before the hostkey is required. - Compile fixes for old vendor compilers like Tru64 from Daniel Richard G. From daniel.cegielka at gmail.com Fri Nov 15 00:22:13 2013 From: daniel.cegielka at gmail.com (=?ISO-8859-2?Q?Daniel_Cegie=B3ka?=) Date: Thu, 14 Nov 2013 17:22:13 +0100 Subject: Dropbear test version 2013.61test with ECC In-Reply-To: <20131114144059.GE1927@ucc.gu.uwa.edu.au> References: <20131114144059.GE1927@ucc.gu.uwa.edu.au> Message-ID: Thank you Matt! Thank you Adam! :) btw. can we use qhasm version as an option for x86 (curve25519)? you're faster than openssh guys (kexc25519 files): http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/ Daniel From roytam at gmail.com Fri Nov 15 17:17:38 2013 From: roytam at gmail.com (Roy Tam) Date: Fri, 15 Nov 2013 17:17:38 +0800 Subject: Dropbear test version 2013.61test with ECC In-Reply-To: <20131114144059.GE1927@ucc.gu.uwa.edu.au> References: <20131114144059.GE1927@ucc.gu.uwa.edu.au> Message-ID: 2013/11/14 Matt Johnston : > Hi all, > > Dropbear now has support for ECC which is significantly > faster at setting up connections on slow platforms. Since > it's a large patch I'm making a test release first. > > I've also added a "-R" mode to automatically generate > hostkeys on first connection - this is recommended on > embedded platforms which may take a while after boot before > a good /dev/urandom seed has been derived. > > Download from > https://matt.ucc.asn.au/dropbear/testing/dropbear-2013.61test.tar.bz2 > > Cheers, > Matt > > 2013.61test - Thursday 14 November 2013 > > - ECC (elliptic curve) support. Supports ECDSA hostkeys (requires new keys to > be generated) and ECDH for setting up encryption keys (no intervention > required). This is significantly faster. > > - curve25519-sha256 at libssh.org support for setting up encryption keys. This is > another elliptic curve mode with less potential of NSA interference in > algorithm parameters. curve25519-donna code thanks to Adam Langley > > - -R option to automatically generate hostkeys. This is recommended for > embedded platforms since it allows the system random number device > /dev/urandom a longer startup time to generate a secure seed before the > hostkey is required. > > - Compile fixes for old vendor compilers like Tru64 from Daniel Richard G. dropbear on FreeBSD is broken? gcc -I./libtomcrypt/src/headers/ -I. -I. -Os -W -Wall -DDROPBEAR_SERVER -DDROPBEAR_CLIENT -c -o loginrec.o loginrec.c loginrec.c:475: warning: 'struct utmp' declared inside parameter list loginrec.c:475: warning: its scope is only this definition or declaration, which is probably not what you want loginrec.c: In function 'set_utmp_time': loginrec.c:475: warning: unused parameter 'li' loginrec.c:475: warning: unused parameter 'ut' loginrec.c: At top level: loginrec.c:489: warning: 'struct utmp' declared inside parameter list loginrec.c: In function 'construct_utmp': loginrec.c:494: error: dereferencing pointer to incomplete type loginrec.c:519: warning: passing argument 2 of 'set_utmp_time' from incompatible pointer type loginrec.c:521: error: dereferencing pointer to incomplete type loginrec.c:521: error: dereferencing pointer to incomplete type loginrec.c:537: error: dereferencing pointer to incomplete type loginrec.c:537: error: dereferencing pointer to incomplete type loginrec.c:537: error: dereferencing pointer to incomplete type loginrec.c: At top level: loginrec.c:902: warning: 'struct utmp' declared inside parameter list loginrec.c: In function 'wtmp_write': loginrec.c:913: error: dereferencing pointer to incomplete type loginrec.c:913: error: dereferencing pointer to incomplete type loginrec.c:902: warning: unused parameter 'li' loginrec.c: In function 'wtmp_perform_login': loginrec.c:926: error: storage size of 'ut' isn't known loginrec.c:926: warning: unused variable 'ut' loginrec.c: In function 'wtmp_perform_logout': loginrec.c:936: error: storage size of 'ut' isn't known loginrec.c:936: warning: unused variable 'ut' loginrec.c: At top level: loginrec.c:976: warning: 'struct utmp' declared inside parameter list loginrec.c: In function 'wtmp_islogin': loginrec.c:978: error: dereferencing pointer to incomplete type loginrec.c:979: error: dereferencing pointer to incomplete type loginrec.c:979: error: dereferencing pointer to incomplete type loginrec.c: In function 'wtmp_get_entry': loginrec.c:994: error: storage size of 'ut' isn't known loginrec.c:1013: error: invalid application of 'sizeof' to incomplete type 'struct utmp' loginrec.c:1046: error: invalid application of 'sizeof' to incomplete type 'struct utmp' loginrec.c:994: warning: unused variable 'ut' loginrec.c: At top level: loginrec.c:1282: warning: 'struct lastlog' declared inside parameter list loginrec.c: In function 'lastlog_construct': loginrec.c:1285: error: dereferencing pointer to incomplete type loginrec.c:1287: error: dereferencing pointer to incomplete type loginrec.c:1287: error: dereferencing pointer to incomplete type loginrec.c:1288: error: dereferencing pointer to incomplete type loginrec.c:1289: error: dereferencing pointer to incomplete type loginrec.c:1289: error: dereferencing pointer to incomplete type loginrec.c:1290: error: dereferencing pointer to incomplete type loginrec.c: In function 'lastlog_openseek': loginrec.c:1344: error: invalid application of 'sizeof' to incomplete type 'struct lastlog' loginrec.c: In function 'lastlog_perform_login': loginrec.c:1359: error: storage size of 'last' isn't known loginrec.c:1359: warning: unused variable 'last' gmake: *** [loginrec.o] Error 1 configure line: ./configure --prefix=/usr/local From roytam at gmail.com Fri Nov 15 17:21:35 2013 From: roytam at gmail.com (Roy Tam) Date: Fri, 15 Nov 2013 17:21:35 +0800 Subject: Dropbear test version 2013.61test with ECC In-Reply-To: References: <20131114144059.GE1927@ucc.gu.uwa.edu.au> Message-ID: 2013/11/15 Roy Tam : > 2013/11/14 Matt Johnston : >> Hi all, >> >> Dropbear now has support for ECC which is significantly >> faster at setting up connections on slow platforms. Since >> it's a large patch I'm making a test release first. >> >> I've also added a "-R" mode to automatically generate >> hostkeys on first connection - this is recommended on >> embedded platforms which may take a while after boot before >> a good /dev/urandom seed has been derived. >> >> Download from >> https://matt.ucc.asn.au/dropbear/testing/dropbear-2013.61test.tar.bz2 >> >> Cheers, >> Matt >> >> 2013.61test - Thursday 14 November 2013 >> >> - ECC (elliptic curve) support. Supports ECDSA hostkeys (requires new keys to >> be generated) and ECDH for setting up encryption keys (no intervention >> required). This is significantly faster. >> >> - curve25519-sha256 at libssh.org support for setting up encryption keys. This is >> another elliptic curve mode with less potential of NSA interference in >> algorithm parameters. curve25519-donna code thanks to Adam Langley >> >> - -R option to automatically generate hostkeys. This is recommended for >> embedded platforms since it allows the system random number device >> /dev/urandom a longer startup time to generate a secure seed before the >> hostkey is required. >> >> - Compile fixes for old vendor compilers like Tru64 from Daniel Richard G. > > dropbear on FreeBSD is broken? > > configure line: ./configure --prefix=/usr/local Forget to mention that the FreeBSD version I'm using is 9.2-RELEASE. From cickumqt at gmail.com Fri Nov 15 19:29:15 2013 From: cickumqt at gmail.com (Christopher Meng) Date: Fri, 15 Nov 2013 19:29:15 +0800 Subject: Dropbear test version 2013.61test with ECC In-Reply-To: References: <20131114144059.GE1927@ucc.gu.uwa.edu.au> Message-ID: Feedback: configure && make successfully on Fedora Rawhide. *Have not test the ECC function* But lots of compiler warnings here, I will see if I have time to attach some fixes. Cheers. From ninuje at gmail.com Sun Nov 17 02:36:37 2013 From: ninuje at gmail.com (NiLuJe) Date: Sat, 16 Nov 2013 18:36:37 +0000 (UTC) Subject: Dropbear test version 2013.61test with ECC References: <20131114144059.GE1927@ucc.gu.uwa.edu.au> Message-ID: Hi, Just ran a quick test on a Kindle (armv7-a/cortex-a8), it seems to work fine, and, provided both sides handle ecdh, indeed gets rid of the slow kex 'bug' that has plagued some slow devices for a while, so, thanks :). A few notes: * libtomcrypt has to be built w/ -DLTM_DESC for ECC support (I'm using external libtom* libs). * I had to patch the configure script to detect libtommath before libtomcrypt so that the LIBS var was built in the right order to please recent binutils versions (libtomcrypt depends on libtommath, so -ltommath has to come *after* -ltomcrypt). diff -NuarpBZ dropbear-2013.61test-ori/configure.ac dropbear-2013.61test/configure.ac --- dropbear-2013.61test-ori/configure.ac 2013-11-16 16:40:51.904116642 +0100 +++ dropbear-2013.61test/configure.ac 2013-11-16 16:42:46.796680288 +0100 @@ -371,16 +371,16 @@ AC_ARG_ENABLE(bundled-libtom, AC_MSG_NOTICE(Forcing bundled libtom*) else BUNDLED_LIBTOM=0 - AC_CHECK_LIB(tomcrypt, register_cipher, , - [AC_MSG_ERROR([Missing system libtomcrypt and --disable-bundled-libtom was specified])] ) AC_CHECK_LIB(tommath, mp_exptmod, , [AC_MSG_ERROR([Missing system libtomcrypt and --disable-bundled-libtom was specified])] ) + AC_CHECK_LIB(tomcrypt, register_cipher, , + [AC_MSG_ERROR([Missing system libtomcrypt and --disable-bundled-libtom was specified])] ) fi ], [ BUNDLED_LIBTOM=0 - AC_CHECK_LIB(tomcrypt, register_cipher, , BUNDLED_LIBTOM=1) AC_CHECK_LIB(tommath, mp_exptmod, , BUNDLED_LIBTOM=1) + AC_CHECK_LIB(tomcrypt, register_cipher, , BUNDLED_LIBTOM=1) ] ) * Didn't really look further than that, but dropbearconvert dropbear -> openssh on a fresh ecdsa key generated by dropbearkey dies with a "*** glibc detected *** dropbearconvert: free(): corrupted unsorted chunks: 0x000530b0 ***" (take this one with a grain of salt, that's on a Kindle 5 [eglibc 2.12], so there may be some weirdness involved). From matt at ucc.asn.au Sun Nov 17 10:54:13 2013 From: matt at ucc.asn.au (Matt Johnston) Date: Sun, 17 Nov 2013 10:54:13 +0800 Subject: Dropbear test version 2013.61test with ECC In-Reply-To: References: <20131114144059.GE1927@ucc.gu.uwa.edu.au> Message-ID: <26e5a835-49e5-4986-880a-f6126f69651a@email.android.com> NiLuJe wrote: >* libtomcrypt has to be built w/ -DLTM_DESC for ECC support (I'm using >external libtom* libs). Yes, I guess people can always force bundled libtom*. I think Debian builds libtomcrypt with LTM_DESC but doesn't set the macro in tomcrypt_custom, which is why I set it separately. > > >* I had to patch the configure script to detect libtommath before >libtomcrypt so that the LIBS var was built in the right order to please >recent binutils versions (libtomcrypt depends on libtommath, so >-ltommath >has to come *after* -ltomcrypt). Thanks, I updated the makefile for that but missed configure's tests. >* Didn't really look further than that, but dropbearconvert dropbear -> >openssh on a fresh ecdsa key generated by dropbearkey dies with a "*** >glibc >detected *** dropbearconvert: free(): corrupted unsorted chunks: >0x000530b0 >***" (take this one with a grain of salt, that's on a Kindle 5 [eglibc >2.12], so there may be some weirdness involved). Sounds like a Dropbear bug, I'll investigate. Thanks, Matt From ninuje at gmail.com Sun Nov 17 21:21:14 2013 From: ninuje at gmail.com (NiLuJe) Date: Sun, 17 Nov 2013 13:21:14 +0000 (UTC) Subject: Dropbear test version 2013.61test with ECC References: <20131114144059.GE1927@ucc.gu.uwa.edu.au> <26e5a835-49e5-4986-880a-f6126f69651a@email.android.com> Message-ID: Matt Johnston ucc.asn.au> writes: > Yes, I guess people can always force bundled libtom*. I think Debian builds libtomcrypt with LTM_DESC but > doesn't set the macro in tomcrypt_custom, which is why I set it separately. Ha, thanks for clarifying that, I had seen the define in sysoptions.h, but didn't quite get the comment. After looking at tomcrypt again, it makes sense now ;). Maybe it could be framed in an ifndef, in case people actually *do* tweak tomcrypt_custom.h properly? (That's of course for external libtom*, I assume the bundled libtom* stuff is built properly ;)). > Sounds like a Dropbear bug, I'll investigate. Great, thanks :). > Thanks, > Matt Happy to help! From bhavanamanohar at gmail.com Mon Nov 18 23:41:04 2013 From: bhavanamanohar at gmail.com (shm) Date: Mon, 18 Nov 2013 15:41:04 +0000 (UTC) Subject: dropbear: no auth methods could be used Message-ID: I have created passwordless ssh connection between two nodes of an embedded target using dropbear. Dropbear is enabled "dropbear -s -g -E" And I am able to login from one node(192.168.10.6) to the other node(192.168.10.5). "dbclient -i /etc/dropbear/dropbear_rsa_host_key root at 192.168.10.5" i'm trying to use OpenMPI to run a program in two nodes . When i launch an MPI program with mpirun from masternode(192.168.10.6), i retrieve the error: "192.168.10.5: Connection exited, no auth methods could be used A daemon (pid 1214) died unexpectedly with status 1 while attempting to launch so we are aborting. This may be because the daemon was unable to find all the needed shared libraries on the remote node. You may set your LD_LIBRARY_PATH to have the location of the shared libraries on the remote nodes and this will automatically be forwarded to the remote nodes." I have set LD_LIBRARY_PATH, but still doesn't work. The problem occurs when running mpirun. passwordless connection using dropbear was succesfull still Why is it showing "no auth methods could be used".? Could you please help me? Thanks in advance From matt at ucc.asn.au Tue Nov 19 20:56:26 2013 From: matt at ucc.asn.au (Matt Johnston) Date: Tue, 19 Nov 2013 20:56:26 +0800 Subject: dropbear: no auth methods could be used In-Reply-To: References: Message-ID: <20131119125626.GB30127@ucc.gu.uwa.edu.au> On Mon, Nov 18, 2013 at 03:41:04PM +0000, shm wrote: > I have created passwordless ssh connection between two nodes of an embedded > target using dropbear. > Dropbear is enabled "dropbear -s -g -E" ... > "192.168.10.5: Connection exited, no auth methods could be used This means that the server rejected all the authentication methods the client tried. Since password authentication is disabled it means that the public key wasn't accepted (for that user). The error message could be clearer - I'll improve that. The rest of the error message is MPI responding to dropbear failing, I think? Cheers, Matt > A daemon (pid 1214) died unexpectedly with status 1 while attempting > to launch so we are aborting. > > This may be because the daemon was unable to find all the needed > shared libraries on the remote node. You may set your LD_LIBRARY_PATH > to have the location of the shared libraries on the remote nodes and > this will automatically be forwarded to the remote nodes." > > I have set LD_LIBRARY_PATH, but still doesn't work. > The problem occurs when running mpirun. > passwordless connection using dropbear was succesfull still Why is it showing > "no auth methods could be used".? > Could you please help me? Thanks in advance > From cat at vv.carleton.ca Sat Nov 23 17:52:02 2013 From: cat at vv.carleton.ca (Catalin Patulea) Date: Sat, 23 Nov 2013 04:52:02 -0500 Subject: TOS byte for bulk transfers Message-ID: I noticed that dropbear sets IPTOS_LOWDELAY on all sockets: https://secure.ucc.asn.au/hg/dropbear/file/14342451d3df/dbutil.c#l190 This is great for interactive sessions, but not ideal for bulk transfer sessions like scp or sftp. Many networks ignore the TOS byte, but on my local network I respect it because I trust my devices and wish to prioritize some of them (SIP phone). The problem that I ran into was that an sftp upload slowed all the rest of my Internet traffic to a crawl because it was prioritized. Ideally I would like dropbear to not set that TOS byte for bulk transfers. The definition of "bulk transfer" seems a bit hard to pin down. Would any "subsystem" request cause the connection to be considered bulk? That covers sftp but what about scp. Would bulk sessions also disable TCP_NODELAY? What about sshfs mounts (sftp subsystem) where file operations may happen as a result of interactive user actions (low latency is desirable)? Is this the right place to solve this problem? Should I be fixing this at the network layer in some way? From dave.taht at gmail.com Sun Nov 24 05:26:13 2013 From: dave.taht at gmail.com (Dave Taht) Date: Sat, 23 Nov 2013 13:26:13 -0800 Subject: TOS byte for bulk transfers In-Reply-To: References: Message-ID: On Sat, Nov 23, 2013 at 1:52 AM, Catalin Patulea wrote: > I noticed that dropbear sets IPTOS_LOWDELAY on all sockets: > https://secure.ucc.asn.au/hg/dropbear/file/14342451d3df/dbutil.c#l190 > > This is great for interactive sessions, but not ideal for bulk > transfer sessions like scp or sftp. Many networks ignore the TOS byte, > but on my local network I respect it because I trust my devices and > wish to prioritize some of them (SIP phone). > > The problem that I ran into was that an sftp upload slowed all the > rest of my Internet traffic to a crawl because it was prioritized. > Ideally I would like dropbear to not set that TOS byte for bulk > transfers. See "Bufferbloat". > The definition of "bulk transfer" seems a bit hard to pin down. Would > any "subsystem" request cause the connection to be considered bulk? > That covers sftp but what about scp. Would bulk sessions also disable > TCP_NODELAY? What about sshfs mounts (sftp subsystem) where file > operations may happen as a result of interactive user actions (low > latency is desirable)? > > Is this the right place to solve this problem? Should I be fixing this > at the network layer in some way? Few bottleneck gateways (without a shaper in place that respects classification), do anything about the TOS bits. Certainly signalling "intent" when doing a bulk transfer via ssh would be nice. Other ways to optimize stuff at the gateway can be had by (for example) enabling cerowrt, openwrt, dd-wrt or gargoyle's qos/aqm systems, which try to provide a level of fairness between flows (and also respect classification in some cases). If you have a linux box of any sort at the gateway, the same source code applies... While obsolete (don't use it!) , wondershaper was the root of all these systems a decade ago, and is a lot easier to study and understand than these successors. -- Dave T?ht From cat at vv.carleton.ca Sun Nov 24 07:23:12 2013 From: cat at vv.carleton.ca (Catalin Patulea) Date: Sat, 23 Nov 2013 18:23:12 -0500 Subject: TOS byte for bulk transfers In-Reply-To: References: Message-ID: On Sat, Nov 23, 2013 at 4:26 PM, Dave Taht wrote: > While obsolete (don't use it!) , wondershaper was the root of all > these systems a decade ago, and is a lot easier to study and > understand than these successors. Thanks for the pointers. Indeed, I use a simplified variant of wondershaper at my gateway. TBF at the root to take control of the queue, PRIO to respect the TOS byte, then FIFO in the low latency band (I want it to starve anything else - which is exactly what happened), fq_codel in the rest. In a sense, my gateway worked exactly as intended - it's just that the application layer was giving it mixed signals. I guess the direction I'm trying to go is patching dropbear in some way to cooperate better with this sort of shaping. In a way, I'm asking, "Matt, what kind of patch would you accept here?" Another idea that occurred to me offline (I swear, I only later checked what OpenSSH does) would be to key off things like PTY requests. Most likely those sessions are interactive, while others that request a subsystem or no PTY are probably bulk. In fact this is one of the main things OpenSSH does. There's two sides to the story, so let me start client first: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/clientloop.c?rev=1.256 In client_session2_setup(): -> packet_set_interactive(want_tty, ...) http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/ssh.c?rev=1.393 In ssh_session(): -> packet_set_interactive(interactive /* = request_pty_succeeded || x11_forwarding */,) In ssh_session2_setup() -> packet_set_interactive(interactive /* = similar logic as ssh_session */) and now server: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/session.c?rev=1.268 In do_exec_no_pty(): -> packet_set_interactive(s->display != NULL, ...); // Haven't verified where s->display comes from, but I get it amounts to "x11 forwarding is enabled". In do_exec_pty(): -> packet_set_interactive(1, ...); packet_set_interactive just ends up doing setsockopt. So there is precedent for doing a bit of cleverness at the application layer to help the network layer. For myself, just keying off pty requests would have been enough to trigger the correct whole-system behaviour. Matt, would you accept a patch that keys the TOS setting off PTY requests? From matt at ucc.asn.au Sun Nov 24 10:11:36 2013 From: matt at ucc.asn.au (Matt Johnston) Date: Sun, 24 Nov 2013 10:11:36 +0800 Subject: TOS byte for bulk transfers In-Reply-To: References: Message-ID: <81a73391-5a41-4252-acd6-9b7fd2682ffb@email.android.com> Catalin Patulea wrote: >Matt, would you accept a patch that keys the TOS setting off > PTY requests? Yes, I've been meaning to look at that. I'm not sure if it should disable TCP_NODELAY at the same time. I know sshfs (which doesn't use a PTY) should have nodelay set. There are probably other optimisations possible now that Dropbear is using writev() anyway - only write out all replies after processing all requests, for example. Cheers, Matt From cat at vv.carleton.ca Sun Nov 24 14:58:56 2013 From: cat at vv.carleton.ca (Catalin Patulea) Date: Sun, 24 Nov 2013 01:58:56 -0500 Subject: TOS byte for bulk transfers In-Reply-To: <81a73391-5a41-4252-acd6-9b7fd2682ffb@email.android.com> References: <81a73391-5a41-4252-acd6-9b7fd2682ffb@email.android.com> Message-ID: On Sat, Nov 23, 2013 at 9:11 PM, Matt Johnston wrote: > Catalin Patulea wrote: >>Matt, would you accept a patch that keys the TOS setting off >> PTY requests? > Yes, I've been meaning to look at that. Heads up, client and server TCP port forwards use the same utility function, connect_remote, so changes in this area will also affect those connections. It seems sensible to me that they be downgraded to default TOS (00), what do you think? From matt at ucc.asn.au Mon Nov 25 22:48:28 2013 From: matt at ucc.asn.au (Matt Johnston) Date: Mon, 25 Nov 2013 22:48:28 +0800 Subject: Dropbear test version 2013.61test with ECC In-Reply-To: References: <20131114144059.GE1927@ucc.gu.uwa.edu.au> Message-ID: <20131125144828.GI30127@ucc.gu.uwa.edu.au> On Thu, Nov 14, 2013 at 05:22:13PM +0100, Daniel Cegie?ka wrote: > Thank you Matt! Thank you Adam! :) > > btw. can we use qhasm version as an option for x86 (curve25519)? Hi Daniel, Is x86 performance an issue with the current code? Binary size might be a reason to use the asm version, though probably on other CPUs? Generally I'd prefer to keep it portable and relatively readable. Cheers, Matt From cat at vv.carleton.ca Tue Nov 26 13:15:02 2013 From: cat at vv.carleton.ca (Catalin Patulea) Date: Tue, 26 Nov 2013 00:15:02 -0500 Subject: [PATCH] Fix TRACEs of cli_send_netcat_request Message-ID: <1385442902-13446-1-git-send-email-cat@vv.carleton.ca> Signed-off-by: Catalin Patulea --- cli-chansession.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cli-chansession.c b/cli-chansession.c index ed80453..0ee3e85 100644 --- a/cli-chansession.c +++ b/cli-chansession.c @@ -398,6 +398,7 @@ void cli_send_netcat_request() { const unsigned char* source_host = "127.0.0.1"; const int source_port = 22; + TRACE(("enter cli_send_netcat_request")) cli_opts.wantpty = 0; if (send_msg_channel_open_init(STDIN_FILENO, &cli_chan_netcat) @@ -414,7 +415,7 @@ void cli_send_netcat_request() { buf_putint(ses.writepayload, source_port); encrypt_packet(); - TRACE(("leave cli_send_chansess_request")) + TRACE(("leave cli_send_netcat_request")) } #endif -- 1.8.4.1 From cat at vv.carleton.ca Mon Dec 2 03:39:16 2013 From: cat at vv.carleton.ca (Catalin Patulea) Date: Sun, 1 Dec 2013 14:39:16 -0500 Subject: TOS byte for bulk transfers In-Reply-To: References: <81a73391-5a41-4252-acd6-9b7fd2682ffb@email.android.com> Message-ID: On Sun, Nov 24, 2013 at 1:58 AM, Catalin Patulea wrote: > Heads up, client and server TCP port forwards use the same utility > function, connect_remote, so changes in this area will also affect > those connections. > > It seems sensible to me that they be downgraded to default TOS (00), > what do you think? ping From cat at vv.carleton.ca Mon Dec 2 17:54:25 2013 From: cat at vv.carleton.ca (Catalin Patulea) Date: Mon, 2 Dec 2013 01:54:25 -0800 Subject: [PATCH] Set IPTOS_LOWDELAY on PTY sessions only Message-ID: <1385978065-15018-1-git-send-email-cat@vv.carleton.ca> Signed-off-by: Catalin Patulea --- cli-chansession.c | 1 + dbutil.c | 29 +++++++++++++++++++++-------- dbutil.h | 2 ++ includes.h | 4 ++++ svr-chansession.c | 2 ++ 5 files changed, 30 insertions(+), 8 deletions(-) diff --git a/cli-chansession.c b/cli-chansession.c index 0ee3e85..b99e073 100644 --- a/cli-chansession.c +++ b/cli-chansession.c @@ -369,6 +369,7 @@ static int cli_initchansess(struct Channel *channel) { if (cli_opts.wantpty) { send_chansess_pty_req(channel); + set_sock_priority(ses.sock_out); } send_chansess_shell_req(channel); diff --git a/dbutil.c b/dbutil.c index ce88731..4f15027 100644 --- a/dbutil.c +++ b/dbutil.c @@ -177,28 +177,41 @@ void dropbear_trace2(const char* format, ...) { } #endif /* DEBUG_TRACE */ -static void set_sock_priority(int sock) { - +void set_sock_nodelay(int sock) { int val; /* disable nagle */ val = 1; setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (void*)&val, sizeof(val)); +} + +void set_sock_priority(int sock) { + + int val, rc; /* set the TOS bit for either ipv4 or ipv6 */ #ifdef IPTOS_LOWDELAY val = IPTOS_LOWDELAY; #if defined(IPPROTO_IPV6) && defined(IPV6_TCLASS) - setsockopt(sock, IPPROTO_IPV6, IPV6_TCLASS, (void*)&val, sizeof(val)); + rc = setsockopt(sock, IPPROTO_IPV6, IPV6_TCLASS, (void*)&val, sizeof(val)); + if (rc < 0) + dropbear_log(LOG_WARNING, "Couldn't set IPV6_TCLASS (%s)", + strerror(errno)); #endif - setsockopt(sock, IPPROTO_IP, IP_TOS, (void*)&val, sizeof(val)); + rc = setsockopt(sock, IPPROTO_IP, IP_TOS, (void*)&val, sizeof(val)); + if (rc < 0) + dropbear_log(LOG_WARNING, "Couldn't set IP_TOS (%s)", + strerror(errno)); #endif #ifdef SO_PRIORITY /* linux specific, sets QoS class. * 6 looks to be optimal for interactive traffic (see tc-prio(8) ). */ - val = 6; - setsockopt(sock, SOL_SOCKET, SO_PRIORITY, (void*) &val, sizeof(val)); + val = TC_PRIO_INTERACTIVE; + rc = setsockopt(sock, SOL_SOCKET, SO_PRIORITY, (void*) &val, sizeof(val)); + if (rc < 0) + dropbear_log(LOG_WARNING, "Couldn't set SO_PRIORITY (%s)", + strerror(errno)); #endif } @@ -290,7 +303,7 @@ int dropbear_listen(const char* address, const char* port, } #endif - set_sock_priority(sock); + set_sock_nodelay(sock); if (bind(sock, res->ai_addr, res->ai_addrlen) < 0) { err = errno; @@ -429,7 +442,7 @@ int connect_remote(const char* remotehost, const char* remoteport, TRACE(("Error connecting: %s", strerror(err))) } else { /* Success */ - set_sock_priority(sock); + set_sock_nodelay(sock); } freeaddrinfo(res0); diff --git a/dbutil.h b/dbutil.h index 7c7435c..7665845 100644 --- a/dbutil.h +++ b/dbutil.h @@ -66,6 +66,8 @@ void get_socket_address(int fd, char **local_host, char **local_port, char **remote_host, char **remote_port, int host_lookup); void getaddrstring(struct sockaddr_storage* addr, char **ret_host, char **ret_port, int host_lookup); +void set_sock_nodelay(int sock); +void set_sock_priority(int sock); int dropbear_listen(const char* address, const char* port, int *socks, unsigned int sockcount, char **errstring, int *maxfd); int spawn_command(void(*exec_fn)(void *user_data), void *exec_data, diff --git a/includes.h b/includes.h index 62a8d73..bae82f5 100644 --- a/includes.h +++ b/includes.h @@ -156,6 +156,10 @@ typedef unsigned int u_int32_t; typedef u_int32_t uint32_t; #endif /* HAVE_UINT32_T */ +#ifdef SO_PRIORITY +#include +#endif + #include "fake-rfc2553.h" #ifndef LOG_AUTHPRIV diff --git a/svr-chansession.c b/svr-chansession.c index b585a9a..b912eaf 100644 --- a/svr-chansession.c +++ b/svr-chansession.c @@ -580,6 +580,8 @@ static int sessionpty(struct ChanSess * chansess) { /* Read the terminal modes */ get_termmodes(chansess); + set_sock_priority(ses.sock_out); + TRACE(("leave sessionpty")) return DROPBEAR_SUCCESS; } -- 1.8.4.1 From matt at ucc.asn.au Tue Dec 3 00:12:24 2013 From: matt at ucc.asn.au (Matt Johnston) Date: Tue, 3 Dec 2013 00:12:24 +0800 Subject: [PATCH] Set IPTOS_LOWDELAY on PTY sessions only In-Reply-To: <1385978065-15018-1-git-send-email-cat@vv.carleton.ca> References: <1385978065-15018-1-git-send-email-cat@vv.carleton.ca> Message-ID: <20131202161224.GK30127@ucc.gu.uwa.edu.au> Hi Catalin, Thank you for the patch, I've committed it. I've made a change so that it will start off in lowdelay mode for a pty client or any server - the initial connection involves lots of roundtrips, so delays matter there. It's dropping down to BULK if it ends up having a non-pty shell. The only remaining question I can see is whether it needs special handling for the SSH socket in a situation without a shell, just used for tcp forwarding. Default TOS is probably better than BULK, but I'll leave it for now. I disabled the printing errors when setsockopt() failed since it can validly fail if a ipv4 socket is passed to the ipv6 call (or I assume vice versa), at least on OS X. Cheers, Matt On Mon, Dec 02, 2013 at 01:54:25AM -0800, Catalin Patulea wrote: > Signed-off-by: Catalin Patulea > --- > cli-chansession.c | 1 + > dbutil.c | 29 +++++++++++++++++++++-------- > dbutil.h | 2 ++ > includes.h | 4 ++++ > svr-chansession.c | 2 ++ > 5 files changed, 30 insertions(+), 8 deletions(-) > > diff --git a/cli-chansession.c b/cli-chansession.c > index 0ee3e85..b99e073 100644 > --- a/cli-chansession.c > +++ b/cli-chansession.c > @@ -369,6 +369,7 @@ static int cli_initchansess(struct Channel *channel) { > > if (cli_opts.wantpty) { > send_chansess_pty_req(channel); > + set_sock_priority(ses.sock_out); > } > > send_chansess_shell_req(channel); > diff --git a/dbutil.c b/dbutil.c > index ce88731..4f15027 100644 > --- a/dbutil.c > +++ b/dbutil.c > @@ -177,28 +177,41 @@ void dropbear_trace2(const char* format, ...) { > } > #endif /* DEBUG_TRACE */ > > -static void set_sock_priority(int sock) { > - > +void set_sock_nodelay(int sock) { > int val; > > /* disable nagle */ > val = 1; > setsockopt(sock, IPPROTO_TCP, TCP_NODELAY, (void*)&val, sizeof(val)); > +} > + > +void set_sock_priority(int sock) { > + > + int val, rc; > > /* set the TOS bit for either ipv4 or ipv6 */ > #ifdef IPTOS_LOWDELAY > val = IPTOS_LOWDELAY; > #if defined(IPPROTO_IPV6) && defined(IPV6_TCLASS) > - setsockopt(sock, IPPROTO_IPV6, IPV6_TCLASS, (void*)&val, sizeof(val)); > + rc = setsockopt(sock, IPPROTO_IPV6, IPV6_TCLASS, (void*)&val, sizeof(val)); > + if (rc < 0) > + dropbear_log(LOG_WARNING, "Couldn't set IPV6_TCLASS (%s)", > + strerror(errno)); > #endif > - setsockopt(sock, IPPROTO_IP, IP_TOS, (void*)&val, sizeof(val)); > + rc = setsockopt(sock, IPPROTO_IP, IP_TOS, (void*)&val, sizeof(val)); > + if (rc < 0) > + dropbear_log(LOG_WARNING, "Couldn't set IP_TOS (%s)", > + strerror(errno)); > #endif > > #ifdef SO_PRIORITY > /* linux specific, sets QoS class. > * 6 looks to be optimal for interactive traffic (see tc-prio(8) ). */ > - val = 6; > - setsockopt(sock, SOL_SOCKET, SO_PRIORITY, (void*) &val, sizeof(val)); > + val = TC_PRIO_INTERACTIVE; > + rc = setsockopt(sock, SOL_SOCKET, SO_PRIORITY, (void*) &val, sizeof(val)); > + if (rc < 0) > + dropbear_log(LOG_WARNING, "Couldn't set SO_PRIORITY (%s)", > + strerror(errno)); > #endif > > } > @@ -290,7 +303,7 @@ int dropbear_listen(const char* address, const char* port, > } > #endif > > - set_sock_priority(sock); > + set_sock_nodelay(sock); > > if (bind(sock, res->ai_addr, res->ai_addrlen) < 0) { > err = errno; > @@ -429,7 +442,7 @@ int connect_remote(const char* remotehost, const char* remoteport, > TRACE(("Error connecting: %s", strerror(err))) > } else { > /* Success */ > - set_sock_priority(sock); > + set_sock_nodelay(sock); > } > > freeaddrinfo(res0); > diff --git a/dbutil.h b/dbutil.h > index 7c7435c..7665845 100644 > --- a/dbutil.h > +++ b/dbutil.h > @@ -66,6 +66,8 @@ void get_socket_address(int fd, char **local_host, char **local_port, > char **remote_host, char **remote_port, int host_lookup); > void getaddrstring(struct sockaddr_storage* addr, > char **ret_host, char **ret_port, int host_lookup); > +void set_sock_nodelay(int sock); > +void set_sock_priority(int sock); > int dropbear_listen(const char* address, const char* port, > int *socks, unsigned int sockcount, char **errstring, int *maxfd); > int spawn_command(void(*exec_fn)(void *user_data), void *exec_data, > diff --git a/includes.h b/includes.h > index 62a8d73..bae82f5 100644 > --- a/includes.h > +++ b/includes.h > @@ -156,6 +156,10 @@ typedef unsigned int u_int32_t; > typedef u_int32_t uint32_t; > #endif /* HAVE_UINT32_T */ > > +#ifdef SO_PRIORITY > +#include > +#endif > + > #include "fake-rfc2553.h" > > #ifndef LOG_AUTHPRIV > diff --git a/svr-chansession.c b/svr-chansession.c > index b585a9a..b912eaf 100644 > --- a/svr-chansession.c > +++ b/svr-chansession.c > @@ -580,6 +580,8 @@ static int sessionpty(struct ChanSess * chansess) { > /* Read the terminal modes */ > get_termmodes(chansess); > > + set_sock_priority(ses.sock_out); > + > TRACE(("leave sessionpty")) > return DROPBEAR_SUCCESS; > } > -- > 1.8.4.1 > From matt at ucc.asn.au Tue Dec 3 22:04:56 2013 From: matt at ucc.asn.au (Matt Johnston) Date: Tue, 3 Dec 2013 22:04:56 +0800 Subject: Dropbear 2013.62 released Message-ID: <20131203140456.GL30127@ucc.gu.uwa.edu.au> Hi, I've put up Dropbear 2013.62. It has only a few changes since the 2013.61test release. The major features of 2013.61test are ECC support (significantly faster connections) and generating hostkeys automatically. Downloads as usual at https://matt.ucc.asn.au/dropbear/dropbear.html or https://dropbear.nl/mirror/dropbear.html Cheers, Matt 2013.62 - Tuesday 3 December 2013 - Disable "interactive" QoS connection options when a connection doesn't have a PTY (eg scp, rsync). Thanks to Catalin Patulea for the patch. - Log when a hostkey is generated with -R, fix some bugs in handling server hostkey commandline options - Fix crash in Dropbearconvert and 521 bit key, reported by NiLuJe - Update config.guess and config.sub again 2013.61test - Thursday 14 November 2013 - ECC (elliptic curve) support. Supports ECDSA hostkeys (requires new keys to be generated) and ECDH for setting up encryption keys (no intervention required). This is significantly faster. - curve25519-sha256 at libssh.org support for setting up encryption keys. This is another elliptic curve mode with less potential of NSA interference in algorithm parameters. curve25519-donna code thanks to Adam Langley - -R option to automatically generate hostkeys. This is recommended for embedded platforms since it allows the system random number device /dev/urandom a longer startup time to generate a secure seed before the hostkey is required. - Compile fixes for old vendor compilers like Tru64 from Daniel Richard G. - Make authorized_keys handling more robust, don't exit encountering malformed lines. Thanks to Lorin Hochstein and Mark Stillwell From sdaoden at gmail.com Fri Dec 6 02:15:09 2013 From: sdaoden at gmail.com (Steffen Daode Nurpmeso) Date: Thu, 05 Dec 2013 19:15:09 +0100 Subject: -Y that proxies over a socket, =?UTF-8?Q?=C3=A1?= la -J 'nc HOST PORT' Message-ID: <20131205181509.bZkRZR8vjcm9DvMfVnQ+VwS1@dietcurd.local> Hello, first of all -- thanks for Dropbear. It made me get rid of all remaining rlogin(1) use cases, because it's so small and inexpensive! One problem i had with plain, user mode network stack qemu(1) hostfwd= VMs, however, which yet ended up as, e.g., $ dbclient -J 'nc HOST PORT' steffen at crux3 The patch dbear-Y.diff implements a simple replacements of the arguments of connect_remote(), so that the above ends up without intermediate nc(1) proxy: $ dbclient -Y [HOST:]PORT steffen at crux3 Well, i really don't want to miss it again.. dbear-a2i-trail.diff checks that there is no trailing garbage in the argument to m_str_to_uint(), which silently hit me when i (stupid) tested -Y with hexadecimal port numbers. Greetings to Beautiful Australia and ciao, --steffen -------------- next part -------------- A non-text attachment was scrubbed... Name: dbear-Y.diff Type: text/x-diff Size: 4826 bytes Desc: not available Url : http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20131205/35a250ef/attachment.diff -------------- next part -------------- A non-text attachment was scrubbed... Name: dbear-a2i-trail.diff Type: text/x-diff Size: 857 bytes Desc: not available Url : http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20131205/35a250ef/attachment-0001.diff From vapier at gentoo.org Mon Dec 9 08:59:02 2013 From: vapier at gentoo.org (Mike Frysinger) Date: Sun, 8 Dec 2013 19:59:02 -0500 Subject: fix bundled libtom configure flag In-Reply-To: <201310121637.15874.vapier@gentoo.org> References: <201310121637.15874.vapier@gentoo.org> Message-ID: <201312081959.03158.vapier@gentoo.org> On Saturday 12 October 2013 16:37:15 Mike Frysinger wrote: > the current flag treats --disable-bundled-libtom like enable. this patch > fixes it. ping -mike -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part. Url : http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20131208/501916c6/attachment.sig From vapier at gentoo.org Mon Dec 9 09:11:14 2013 From: vapier at gentoo.org (Mike Frysinger) Date: Sun, 8 Dec 2013 20:11:14 -0500 Subject: [patch] fix constant relinking when using multi builds Message-ID: <201312082011.15610.vapier@gentoo.org> turn dropbearmulti into a real target so we don't constantly re-link it otherwise make has no idea what "multibinary" is and so always re-links it -mike --- a/Makefile.in +++ b/Makefile.in @@ -175,10 +175,10 @@ ifeq ($(MULTI),1) CFLAGS+=$(addprefix -DDBMULTI_, $(PROGRAMS)) -DDROPBEAR_MULTI endif -dropbearmulti: multilink +dropbearmulti$(EXEEXT): $(HEADERS) $(MULTIOBJS) $(LIBTOM_DEPS) Makefile + $(CC) $(LDFLAGS) -o $@ $(MULTIOBJS) $(LIBS) -multibinary: $(HEADERS) $(MULTIOBJS) $(LIBTOM_DEPS) Makefile - $(CC) $(LDFLAGS) -o dropbearmulti$(EXEEXT) $(MULTIOBJS) $(LIBS) +multibinary: dropbearmulti$(EXEEXT) multilink: multibinary $(addprefix link, $(PROGRAMS)) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part. Url : http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20131208/b7d2e39a/attachment.sig From vapier at gentoo.org Mon Dec 9 09:11:45 2013 From: vapier at gentoo.org (Mike Frysinger) Date: Sun, 8 Dec 2013 20:11:45 -0500 Subject: fix bundled libtom configure flag In-Reply-To: <201312081959.03158.vapier@gentoo.org> References: <201310121637.15874.vapier@gentoo.org> <201312081959.03158.vapier@gentoo.org> Message-ID: <201312082011.46579.vapier@gentoo.org> On Sunday 08 December 2013 19:59:02 Mike Frysinger wrote: > On Saturday 12 October 2013 16:37:15 Mike Frysinger wrote: > > the current flag treats --disable-bundled-libtom like enable. this patch > > fixes it. > > ping nm, ignore me. looks like it got fixed in a diff way in latest hg. -mike -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part. Url : http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20131208/d2148aa8/attachment.sig From vapier at gentoo.org Mon Dec 9 09:21:50 2013 From: vapier at gentoo.org (Mike Frysinger) Date: Sun, 8 Dec 2013 20:21:50 -0500 Subject: [patch] fix multi install (wrt scp.1) Message-ID: <201312082021.51272.vapier@gentoo.org> a change was made to the Makefile.in so install wouldn't fail when trying to install scp.1. but that fix wasn't also made to the multiscp install target. -mike --- a/Makefile.in +++ b/Makefile.in @@ -136,7 +136,7 @@ insmulti%: dropbearmulti -rm -f $(DESTDIR)$(bindir)/$*$(EXEEXT) -ln -s $(bindir)/dropbearmulti$(EXEEXT) $(DESTDIR)$(bindir)/$*$(EXEEXT) $(INSTALL) -d $(DESTDIR)$(mandir)/man1 - $(INSTALL) -m 644 $*.1 $(DESTDIR)$(mandir)/man1/$*.1 + if test -e $*.1; then $(INSTALL) -m 644 $*.1 $(DESTDIR)$(mandir)/man1/$*.1; fi # dropbear should go in sbin, so it needs a seperate rule inst_dropbear: dropbear -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part. Url : http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20131208/5900d185/attachment.sig From vapier at gentoo.org Mon Dec 9 09:26:43 2013 From: vapier at gentoo.org (Mike Frysinger) Date: Sun, 8 Dec 2013 20:26:43 -0500 Subject: [patch] simplify install links Message-ID: <201312082026.43920.vapier@gentoo.org> there's no need to do `rm; ln` when `ln -f` will do the same thing also, for softlinks in the bindir, just use relative ones rather than absolute -mike --- a/Makefile.in Tue Dec 03 22:00:38 2013 +0800 +++ b/Makefile.in Sun Dec 08 20:25:54 2013 -0500 @@ -126,15 +126,13 @@ install: $(addprefix inst_, $(TARGETS)) insmultidropbear: dropbearmulti $(INSTALL) -d $(DESTDIR)$(sbindir) - -rm -f $(DESTDIR)$(sbindir)/dropbear$(EXEEXT) - -ln -s $(bindir)/dropbearmulti$(EXEEXT) $(DESTDIR)$(sbindir)/dropbear$(EXEEXT) + -ln -sf $(bindir)/dropbearmulti$(EXEEXT) $(DESTDIR)$(sbindir)/dropbear$(EXEEXT) $(INSTALL) -d $(DESTDIR)$(mandir)/man8 $(INSTALL) -m 644 dropbear.8 $(DESTDIR)$(mandir)/man8/dropbear.8 insmulti%: dropbearmulti $(INSTALL) -d $(DESTDIR)$(bindir) - -rm -f $(DESTDIR)$(bindir)/$*$(EXEEXT) - -ln -s $(bindir)/dropbearmulti$(EXEEXT) $(DESTDIR)$(bindir)/$*$(EXEEXT) + -ln -sf dropbearmulti$(EXEEXT) $(DESTDIR)$(bindir)/$*$(EXEEXT) $(INSTALL) -d $(DESTDIR)$(mandir)/man1 $(INSTALL) -m 644 $*.1 $(DESTDIR)$(mandir)/man1/$*.1 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part. Url : http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20131208/2b6bc7e5/attachment.sig From matt at ucc.asn.au Mon Dec 9 19:01:05 2013 From: matt at ucc.asn.au (Matt Johnston) Date: Mon, 09 Dec 2013 19:01:05 +0800 Subject: =?UTF-8?Q?Re=3A_-Y_that_proxies_over_a_s?= =?UTF-8?Q?ocket=2C_=C3=A1_la_-J_=27nc_HOST_PORT=27?= In-Reply-To: <20131205181509.bZkRZR8vjcm9DvMfVnQ+VwS1@dietcurd.local> References: <20131205181509.bZkRZR8vjcm9DvMfVnQ+VwS1@dietcurd.local> Message-ID: <66f43a10-5b48-4379-af70-da7ca80439ee@email.android.com> Steffen Daode Nurpmeso wrote: > $ dbclient -Y [HOST:]PORT steffen at crux3 > Hi, Thanks for the patch. To clarify, is the reason for using this so that "crux3" is used to lookup the known_hosts key? Cheers, Matt -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20131209/896b73a4/attachment.htm From sdaoden at gmail.com Mon Dec 9 19:56:25 2013 From: sdaoden at gmail.com (Steffen Daode Nurpmeso) Date: Mon, 09 Dec 2013 12:56:25 +0100 Subject: -Y that proxies over a socket, =?UTF-8?Q?=C3=A1?= la -J 'nc HOST PORT' In-Reply-To: <66f43a10-5b48-4379-af70-da7ca80439ee@email.android.com> References: <20131205181509.bZkRZR8vjcm9DvMfVnQ+VwS1@dietcurd.local> <66f43a10-5b48-4379-af70-da7ca80439ee@email.android.com> Message-ID: <20131209115625.ZDxmiKKsBZmgGLcSdLIMaLiJ@dietcurd.local> Hello, Matt Johnston wrote: |Steffen Daode Nurpmeso wrote: |> $ dbclient -Y [HOST:]PORT steffen at crux3 | |Hi, | |Thanks for the patch. To clarify, is the reason for using \ |this so that "crux3" is used to lookup the known_hosts key? oh no, it's just old ssh habit -- 'dbclient -Y PORT crux3' works just fine. There is a typo in the documentation part of the patch, 'be shall be' can also be reduced to 'shall be' i think... Ciao! |Cheers, |Matt --steffen From matt at ucc.asn.au Wed Dec 11 21:55:54 2013 From: matt at ucc.asn.au (Matt Johnston) Date: Wed, 11 Dec 2013 21:55:54 +0800 Subject: [patch] simplify install links In-Reply-To: <201312082026.43920.vapier@gentoo.org> References: <201312082026.43920.vapier@gentoo.org> Message-ID: <20131211135554.GO30127@ucc.gu.uwa.edu.au> On Sun, Dec 08, 2013 at 08:26:43PM -0500, Mike Frysinger wrote: > there's no need to do `rm; ln` when `ln -f` will do the same thing It's not always the same, I dislike "ln -f". For example: ln -s /tmp foo ln -sf /etc/hosts foo cat foo > also, for softlinks in the bindir, just use relative ones rather than absolute I'm not convinced this is worth doing - the "dropbear" binary will need an absolute path, so they may as well be consistent. I've applied the other patches, thanks! Cheers, Matt > --- a/Makefile.in Tue Dec 03 22:00:38 2013 +0800 > +++ b/Makefile.in Sun Dec 08 20:25:54 2013 -0500 > @@ -126,15 +126,13 @@ install: $(addprefix inst_, $(TARGETS)) > > insmultidropbear: dropbearmulti > $(INSTALL) -d $(DESTDIR)$(sbindir) > - -rm -f $(DESTDIR)$(sbindir)/dropbear$(EXEEXT) > - -ln -s $(bindir)/dropbearmulti$(EXEEXT) $(DESTDIR)$(sbindir)/dropbear$(EXEEXT) > + -ln -sf $(bindir)/dropbearmulti$(EXEEXT) $(DESTDIR)$(sbindir)/dropbear$(EXEEXT) > $(INSTALL) -d $(DESTDIR)$(mandir)/man8 > $(INSTALL) -m 644 dropbear.8 $(DESTDIR)$(mandir)/man8/dropbear.8 > > insmulti%: dropbearmulti > $(INSTALL) -d $(DESTDIR)$(bindir) > - -rm -f $(DESTDIR)$(bindir)/$*$(EXEEXT) > - -ln -s $(bindir)/dropbearmulti$(EXEEXT) $(DESTDIR)$(bindir)/$*$(EXEEXT) > + -ln -sf dropbearmulti$(EXEEXT) $(DESTDIR)$(bindir)/$*$(EXEEXT) > $(INSTALL) -d $(DESTDIR)$(mandir)/man1 > $(INSTALL) -m 644 $*.1 $(DESTDIR)$(mandir)/man1/$*.1 > From vapier at gentoo.org Thu Dec 12 03:13:24 2013 From: vapier at gentoo.org (Mike Frysinger) Date: Wed, 11 Dec 2013 14:13:24 -0500 Subject: [patch] simplify install links In-Reply-To: <20131211135554.GO30127@ucc.gu.uwa.edu.au> References: <201312082026.43920.vapier@gentoo.org> <20131211135554.GO30127@ucc.gu.uwa.edu.au> Message-ID: <201312111413.26042.vapier@gentoo.org> On Wednesday 11 December 2013 08:55:54 Matt Johnston wrote: > On Sun, Dec 08, 2013 at 08:26:43PM -0500, Mike Frysinger wrote: > > there's no need to do `rm; ln` when `ln -f` will do the same thing > > It's not always the same, I dislike "ln -f". For example: > > ln -s /tmp foo > ln -sf /etc/hosts foo > cat foo GNU/coreutils' ln has the -T flag specifically for this purpose, but it means you won't be portable. seems weird though that someone would be doing something dumb like: ln -s /tmp /usr/bin/dropbear -mike -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part. Url : http://lists.ucc.gu.uwa.edu.au/pipermail/dropbear/attachments/20131211/107c40f7/attachment.sig From roytam at gmail.com Sun Dec 15 15:49:47 2013 From: roytam at gmail.com (Roy Tam) Date: Sun, 15 Dec 2013 15:49:47 +0800 Subject: ChaCha20-Poly1305 in dropbear? Message-ID: Hello list, I read this slashdot entry: http://it.slashdot.org/story/13/12/11/173213/openssh-has-a-new-cipher-chacha20-poly1305-from-dj-bernstein and I wonder if dropbear will have follow up regarding this? Ciao, Roy