Getting dbclient to time out when network goes down with reverse proxy usage

Fabrizio Bertocci fabriziobertocci at gmail.com
Sat Jul 5 14:08:39 WST 2014


Hmm dbclient worked well for me after that patch. But I was connecting to a
dropbear server, not OpenSSL server...

I've migrated to OpenWRT with 8MB of flash too, and I ended up rewriting my
own tunnel solution based on OpenSSL. There are much smaller SSL clients
out there that can be used for free for non-commercial products, but
require paying for a license for commercial use. I don't remember exactly
the name of the one we looked at (that was a few years ago).

Regards,
Fabrizio



On Sat, Jul 5, 2014 at 2:14 AM, Jesse Molina <jesse at opendreams.net> wrote:

>
> Fabrizio Bertocci contacted me and let me know that this seems to be a
> known issue.
>
> https://www.mail-archive.com/dropbear@ucc.asn.au/msg00701.html
>
> https://www.mail-archive.com/dropbear@ucc.asn.au/msg00980.html
>
>
>
> The work I am doing is on an OpenWRT device with 8MB of flash, so local
> space is very limited. I had to install the OpenSSL client yesterday, which
> took up nearly an additional 2MB of space, but at least it works. It would
> be nice to use dbclient instead, but its idle timer is just straight-up
> broken when used with -N -R.
>
> This works as expected with OpenSSL client:
>
> ssh -i $SSH_KEYFILE -o "ServerAliveInterval=15" -o "ServerAliveCountMax=4"
> -N -R $SSH_PROXY_PORT:localhost:22 $SSH_USER@$SSH_HOST
>
>
>
>
> On 7/4/14, 3:57, Jesse Molina wrote:
>
>>
>> Hello
>>
>> I am doing this:
>>
>> ssh -K 3 -I 60 -i keyfile -N -R 2222:localhost:22 user@host
>>
>> I am intending a dropbear ssh client to set up a reverse proxy connection
>> to a server, so I am using -N and -R.
>>
>> I am also using -K and -I so that the connection sends keepalives and
>> will time out if the network is disrupted.
>>
>> My problem is that the above results in the session dying 60 seconds
>> after setup is finished because the idle timeout is being hit.  I am not
>> sure how -I is metering inbound traffic, but it's apparently not picking up
>> anything.
>>
>> Note that I have "ClientAliveInterval 15" set on the sshd_config server
>> side. I would expect dropbear to count this traffic towards -I.
>>
>> Without -I above, it took my device 18 minutes to figure out that I had
>> pulled the network out from under it by shutting down the interface. That
>> isn't acceptable.
>>
>> Can dropbear do this, or do I need to use openssh?  I get the feeling
>> after reading what I have read that dropbear is too simple to figure out
>> when the server has gone away in most situations.
>>
>>
>>
>> Relevant:
>>
>> https://www.mail-archive.com/dropbear@ucc.asn.au/msg00978.html
>>
>> https://www.mail-archive.com/dropbear@ucc.asn.au/msg00648.html
>>
>> https://www.mail-archive.com/dropbear@ucc.asn.au/msg00402.html
>>
>> Thanks in advance.
>>
>
>