<div dir="ltr">Hello again Matt,<div><br></div><div>I finally made it work with netcat as you suggested in an earlier email. I therefore believe that I am not connecting properly in the dropbear server the RX and TX of the client and server. At what location should this be done?</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 5 November 2014 09:09, Paul Lemay <span dir="ltr"><<a href="mailto:plemay@accedian.com" target="_blank">plemay@accedian.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hello Matt,<div><br></div><div>Coming back to this project, I have tried the following as you suggested:</div><span class=""><div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:13px">"If you want to run it all within Dropbear itself I'd modify</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">sessioncommand() which handles subsystem requests. Rather</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">than calling ptycommand() or noptycommand() make it call</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">connect_remote() - have a look at newtcpdirect() for an</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">example. Set channel->writefd and channel->readfd to the</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">returned socket, and make sure you set ses.maxfd</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">appropriately. 
It's an asynchronous connection, but I think</span><br style="font-family:arial,sans-serif;font-size:13px"><span style="font-family:arial,sans-serif;font-size:13px">it should work OK."</span><br></div><div><span style="font-family:arial,sans-serif;font-size:13px"><br></span></div></span><div><font face="arial, sans-serif">What happens is that the client connects and the sequence of SSH authorization is executed properly. The Dropbear server establishes a TCP connection with myserver. All this is good, then, as part of the application protocol, myserver sends a HELLO message. The message is received by Dropbear, encoded and sent to the client application. Dropbear then receives a connection reset from the client.</font></div><div><font face="arial, sans-serif"><br></font></div><div><font face="arial, sans-serif"><div>TRACE (28333) 1415195715.978336: > connection in progress: err = 99</div><div>TRACE (28333) 1415195715.978341: leave netconfdirect: err 99 socketfd (7)</div><div>TRACE (28333) 1415195715.978347: enter send_msg_channel_failure</div><div>TRACE (28333) 1415195715.978362: leave send_msg_channel_failure</div><div>TRACE (28333) 1415195715.978367: leave chansessionrequest</div><div>TRACE (28333) 1415195715.978372: leave recv_msg_channel_request</div><div>TRACE (28333) 1415195715.978391: empty queue dequeing</div><div>TRACE (28333) 1415195715.978408: enter check_in_progress</div><div>TRACE (28333) 1415195715.978428: enter send_msg_channel_open_confirmation</div><div>TRACE (28333) 1415195715.978448: leave send_msg_channel_open_confirmation</div><div>TRACE (28333) 1415195715.978458: leave check_in_progress: success</div><div>TRACE (28333) 1415195715.978482: empty queue dequeing</div><div>TRACE (28333) 1415195715.978580: send normal readfd</div><div>TRACE (28333) 1415195715.978587: enter send_msg_channel_data</div><div>TRACE (28333) 1415195715.978590: enter send_msg_channel_data isextended 0 fd 7</div><div>TRACE (28333) 1415195715.978593: maxlen 
16375</div><div>TRACE (28333) 1415195715.978598: send_msg_channel_data: len 581 fd 7</div><div>TRACE (28333) 1415195715.978624: leave send_msg_channel_data</div><div>TRACE (28333) 1415195715.978644: empty queue dequeing</div><div><b>[28333] Nov 05 08:55:15 Exit (plemay): Error reading: Connection reset by peer <---------------</b></div><div>TRACE (28333) 1415195715.978865: enter session_cleanup</div><div>TRACE (28333) 1415195715.978873: enter chancleanup</div><div>TRACE (28333) 1415195715.978877: channel 0 closing</div><div><br></div><div>The same suite of events works fine with sshd, so I am sure there is probably something missing in the initialization of the session. I have defined</div><div><br></div><div><div>const struct ChanType svrchansess = {</div><div> 0, /* sepfds */</div><div> "session", /* name */</div><div> newchansess, /* inithandler */</div><div> NULL, /* checkclosehandler */</div><div> chansessionrequest, /* reqhandler */</div><div> closechansess, /* closehandler */</div><div>};</div></div><div><br></div><div>and made sure that it was calling a function very similar to newtcpdirect(). Is there something that I am doing wrong or missing?</div><div><br></div><div><br></div><div><br></div></font></div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On 28 September 2014 09:33, Matt Johnston <span dir="ltr"><<a href="mailto:matt@ucc.asn.au" target="_blank">matt@ucc.asn.au</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">If you want to run it all within Dropbear itself I'd modify<br>
sessioncommand() which handles subsystem requests. Rather<br>
than calling ptycommand() or noptycommand() make it call<br>
connect_remote() - have a look at newtcpdirect() for an<br>
example. Set channel->writefd and channel->readfd to the<br>
returned socket, and make sure you set ses.maxfd<br>
appropriately. It's an asynchronous connection, but I think<br>
it should work OK.<br>
<br>
Another option would be to make a little helper script that runs<br>
'nc host port' and add another special case like that for<br>
sftp in sessioncommand().<br>
<br>
Cheers,<br>
Matt<br>
<div><div><br>
On Thu, Sep 25, 2014 at 10:27:12AM -0400, Paul Lemay wrote:<br>
> Actually Matt,<br>
><br>
> it is a NETCONF server that I am implementing but I was expecting to have a<br>
> TCP communication from dropbear! I see that you already trigger a subsystem<br>
> in such a context. Is it possible to setup a tcp communication link with<br>
> the server at this point in the code?<br>
><br>
> On Thu, Sep 25, 2014 at 6:37 AM, Paul Lemay <<a href="mailto:plemay@accedian.com" target="_blank">plemay@accedian.com</a>> wrote:<br>
><br>
> > Hello Matt,<br>
> ><br>
> > Thanks for your reply.<br>
> ><br>
> > Let me provide additional information on what I am trying to do with<br>
> > Dropbear. There are several types of client applications (i.e., some<br>
> > running their own client version of SSH others running through the Dropbear<br>
> > SSH clients apps with port forwarding). They are all looking for secure<br>
> > services provided by a single server (i.e., MyTcpServer). In other words,<br>
> > all SSH clients connect to a single Dropbear server for services provided<br>
> > by MyTcpServer. The other connections to the Dropbear server will be<br>
> > rejected by MyTcpServer because they won't support MyTcpServer XML<br>
> > protocol. Therefore, in my simple view of things, the Dropbear server<br>
> > instance provides the secure authentication and communication. All<br>
> > decrypted communication channels are forwarded to MyTcpServer.<br>
> ><br>
> > Hope this could help in finding a good solution.<br>
> ><br>
> > Best Regards!<br>
> ><br>
> > On Wed, Sep 24, 2014 at 1:01 PM, Paul Lemay <<a href="mailto:plemay@accedian.com" target="_blank">plemay@accedian.com</a>> wrote:<br>
> ><br>
> >> Hello there,<br>
> >><br>
> >> I have an SSH client browser. It is connected to the Dropbear server. I<br>
> >> would like to know if it is possible to tailor dropbear so that, once the<br>
> >> dropbear authentication process is completed, a connection is established to<br>
> >> my local server ready to take over TCP communication for this browser.<br>
> >><br>
> >> I understand there is a cli-tcpfwd that seems to support this function<br>
> >> but I do not know how to use it. Are there some examples available?<br>
> >><br>
> ><br>
> ><br>
><br>
</div></div>> --<br>
><br>
><br>
> Confidentiality notice<br>
><br>
> This e-mail message and any attachment hereto contain confidential<br>
> information which may be privileged and which is intended for the exclusive<br>
> use of its addressee(s). If you receive this message in error, please<br>
> inform sender immediately and destroy any copy thereof. Furthermore, any<br>
> disclosure, distribution or copying of this message and/or any attachment<br>
> hereto without the consent of the sender is strictly prohibited. Thank you.<br>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
<br>
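<p>The asynchronous-connect pattern referred to in Matt's advice, as an added POSIX C example that is not Dropbear code and not part of the original thread. The names start_connect, finish_connect and demo_async_connect are hypothetical, and the loopback listener is constructed for the demo; the point is that EINPROGRESS is not a failure and that the descriptor must be covered by the maximum passed to select().</p>

```c
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <unistd.h>

/* Begin a non-blocking connect. Returns the socket or -1; *pending is 1
 * while the TCP handshake is still in flight (connect() gave EINPROGRESS). */
int start_connect(const struct sockaddr_in *sa, int *pending) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) | O_NONBLOCK);
    *pending = 0;
    if (connect(fd, (const struct sockaddr *)sa, sizeof *sa) < 0) {
        if (errno != EINPROGRESS) { close(fd); return -1; }
        *pending = 1; /* not a failure: select() reports completion later */
    }
    return fd;
}

/* Wait for writability, then read SO_ERROR: 0 = connected, otherwise the
 * errno of the failed connect. maxfd must be >= fd or select() skips it. */
int finish_connect(int fd, int maxfd) {
    fd_set wfds;
    struct timeval tv = { 2, 0 };
    int err = 0; socklen_t len = sizeof err;
    FD_ZERO(&wfds); FD_SET(fd, &wfds);
    if (select(maxfd + 1, NULL, &wfds, NULL, &tv) <= 0) return ETIMEDOUT;
    if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &len) < 0) return errno;
    return err;
}

/* Constructed demo: ephemeral loopback listener, async connect, 0 on success. */
int demo_async_connect(void) {
    struct sockaddr_in sa = { .sin_family = AF_INET,
                              .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t len = sizeof sa;
    int pending, fd, rc = -1, lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (bind(lfd, (struct sockaddr *)&sa, sizeof sa) == 0 && listen(lfd, 1) == 0 &&
        getsockname(lfd, (struct sockaddr *)&sa, &len) == 0 && /* learn the port */
        (fd = start_connect(&sa, &pending)) >= 0) {
        rc = finish_connect(fd, fd);
        close(fd);
    }
    close(lfd);
    return rc;
}
int main(void) { return demo_async_connect() == 0 ? 0 : 1; }
```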