[REGRESSION] dbclient hangs forever when using agent forwarding since 2014.63

Gui Iribarren gui at altermundi.net
Thu May 7 06:58:04 AWST 2015


I reported this a while back:
https://www.mail-archive.com/dropbear%40ucc.asn.au/msg01287.html

and finally got the time to do a git bisect over a clone of
https://github.com/mkj/dropbear
which yielded:

61cecbb3371839a824ff536338471d4b888aacf6 is the first bad commit
commit 61cecbb3371839a824ff536338471d4b888aacf6
Author: Matt Johnston <matt at ucc.asn.au>
Date:   Fri Jan 17 21:39:27 2014 +0800

    DROPBEAR_CLI_AUTH_IMMEDIATE fixed, now enabled by default


in a nutshell...

using dropbear before that commit, i can happily use the ssh client
(dbclient) in my openwrt router, to connect to a remote host, using a
pubkey located in my laptop, through ssh agent forwarding

i.e.
[debian7]-->[openwrtA]-->[openwrtB]

my pubkey is in debian7,
dbclient 2013.62 is in openwrtA

and i can ssh from debian7 into openwrtA, then do another ssh from
openwrtA to openwrtB, without issues. The agent connection is forwarded
correctly from debian7 to openwrtB by openwrtA's dbclient 2013.62 for
auth purposes.

since commit 61cecbb33, this no longer works as expected. dbclient hangs
forever when trying to connect.

i'm about to try to "hotfix" it in my openwrt build, disabling
CLI_IMMEDIATE_AUTH as suggested in:

/* Send a real auth request immediately after sending a query for the
 * available methods.
 * It saves a network round trip at login.
 * If problems are encountered it can be disabled here. */
#define CLI_IMMEDIATE_AUTH

but, what would be the side-effects of disabling this? (or: what's the
idea behind CLI_IMMEDIATE_AUTH?)
maybe it was not "fixed" enough at the time it was committed / enabled
by default? ;)

(as it stands now, the regression is still present in latest release)

thanks a lot for any pointers,
with much respect for all your work,
cheers!

gui


=================================================================

successful log, using dbclient compiled from git aee1309c9:

gui at debian7:~ $ ssh openwrtA -vv -A

[...]

BusyBox v1.22.1 (2015-04-26 16:13:38 ART) built-in shell (ash)
Enter 'help' for a list of built-in commands.

root at openwrtA:~# ssh openwrtB
debug1: client_input_channel_open: ctype auth-agent at openssh.com rchan 1 win 24576 max 32768
debug2: fd 9 setting O_NONBLOCK
debug1: channel 3: new [authentication agent connection]
debug1: confirm auth-agent at openssh.com
debug2: channel 3: rcvd eof
debug2: channel 3: output open -> drain
debug2: channel 3: obuf empty
debug2: channel 3: close_write
debug2: channel 3: output drain -> closed
debug1: channel 3: FORCE input drain
debug2: channel 3: ibuf empty
debug2: channel 3: send eof
debug2: channel 3: input drain -> closed
debug2: channel 3: rcvd close
debug2: channel 3: send close
debug2: channel 3: is dead
debug2: channel 3: garbage collecting
debug1: channel 3: free: authentication agent connection, nchannels 4


BusyBox v1.22.1 (2015-04-26 16:13:38 ART) built-in shell (ash)
Enter 'help' for a list of built-in commands.

root at openwrtB:~#


============================================================

unsuccessful log, using dbclient compiled from git 61cecbb33:

gui at debian7:~ $ ssh openwrtA -vv -A

[...]

BusyBox v1.22.1 (2015-04-26 16:13:38 ART) built-in shell (ash)
Enter 'help' for a list of built-in commands.

root at openwrtA:~# ssh openwrtB
debug1: client_input_channel_open: ctype auth-agent at openssh.com rchan 1 win 24576 max 32768
debug2: fd 9 setting O_NONBLOCK
debug1: channel 3: new [authentication agent connection]
debug1: confirm auth-agent at openssh.com

[hangs forever]

============================================================
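An added example, not part of the original post: a small checker that reads OpenSSH client `-vv` output like the two logs above and reports agent-forwarding channels that were opened but never freed, which is the signature of the hang. The function name `stalled_channels` is hypothetical; the sample lines are excerpts of the logs in the post.

```python
import re

# Channel lifecycle lines in OpenSSH client -vv output, as seen in the logs above.
NEW = re.compile(r"debug1: channel (\d+): new \[(.+)\]")
EVENT = re.compile(
    r"debug[12]: channel (\d+): (rcvd eof|send eof|rcvd close|send close|is dead)")
FREE = re.compile(r"debug1: channel (\d+): free: ")

def stalled_channels(log_text, kind="authentication agent connection"):
    """Return {channel_id: [events seen]} for channels of `kind` that were
    opened but not freed by the end of the log."""
    open_channels = {}
    for line in log_text.splitlines():
        if m := NEW.search(line):
            if m.group(2) == kind:
                open_channels[int(m.group(1))] = []
        elif m := FREE.search(line):
            # Channel was torn down cleanly; stop tracking it.
            open_channels.pop(int(m.group(1)), None)
        elif m := EVENT.search(line):
            cid = int(m.group(1))
            if cid in open_channels:
                open_channels[cid].append(m.group(2))
    return open_channels

# Excerpts of the two logs in the post (channel lines only).
GOOD_LOG = """\
debug1: channel 3: new [authentication agent connection]
debug1: confirm auth-agent at openssh.com
debug2: channel 3: rcvd eof
debug2: channel 3: send eof
debug2: channel 3: rcvd close
debug2: channel 3: send close
debug2: channel 3: is dead
debug1: channel 3: free: authentication agent connection, nchannels 4
"""
BAD_LOG = """\
debug1: channel 3: new [authentication agent connection]
debug1: confirm auth-agent at openssh.com
"""

if __name__ == "__main__":
    for commit, log in (("aee1309c9", GOOD_LOG), ("61cecbb33", BAD_LOG)):
        print(commit, stalled_channels(log))
```

An empty event list for a stalled channel means the log ends before any eof or close was seen on it, as in the 61cecbb33 log.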

