Dropbear 2024.85

2024-04-25 Thread Matt Johnston
Hi all, Dropbear 2024.85 is released. It fixes a couple of build regressions in 2024.84. There is no need to upgrade if 2024.84 built OK for your configuration. https://matt.ucc.asn.au/dropbear/releases/dropbear-2024.85.tar.bz2 Cheers, Matt 2024.85 - 25 April 2024 This release fixes build

Re: [oss-security] backdoor in upstream xz/liblzma leading to ssh server compromise

2024-04-17 Thread Matt Johnston
On 2024-04-17 10:25 am, Jacob Bachmeyer wrote: see that particular slowdown? (Not the backdoor initialization making sshd take longer to start up---a running sshd taking longer to reject a session for a nonexistent account, unless Andres Freund forgot to tell us that he was running sshd from

Re: [PATCH] Fix compile when disabling SHA-1

2024-04-05 Thread Matt Johnston
Thanks, I've applied it. Matt On 2024-04-05 3:37 pm, Peter Krefting wrote: Fixes compile when disabling SHA-1 with #define DROPBEAR_SHA1_HMAC 0 #define DROPBEAR_RSA_SHA1 0 #define DROPBEAR_DH_GROUP14_SHA1 0 while keeping SHA-256 enabled. Should also fix the opposite, but that is not a

Dropbear 2024.84

2024-04-04 Thread Matt Johnston
Hi all, Dropbear 2024.84 is released. It has a few new features and various fixes, contributed by numerous people over the past year+. Download it from https://matt.ucc.asn.au/dropbear/releases/dropbear-2024.84.tar.bz2 or https://mirror.dropbear.nl/mirror/releases/dropbear-2024.84.tar.bz2 The

Re: Compiling Dropbear with Tru64 on DEC Alpha

2024-03-18 Thread Matt Johnston
Hi Mark, I haven't used tru64 for a while, but if you send a log I can have a look. Cheers, Matt On 2024-03-18 5:49 pm, Mark Butt wrote: > Hello, > > I have a DEC AlphaServer 4100 with Tru64 5.1B-6. This is a small side > project that I am working on. When searching for a compatible

Bug#1044936: dropbear: Fails to build source after successful build

2023-08-13 Thread Matt Johnston
On 2023-08-14 12:56 am, Lucas Nussbaum wrote: This package fails to build a source package after a successful build (dpkg-buildpackage ; dpkg-buildpackage -S). dh clean dh_auto_clean make -j8 distclean make[1]: Entering directory '/<>' dpkg-source: info: local changes

Re: [MOPO] FA: THIS WEEK HERITAGE has DETOUR, DR. JEKYLL & MR. HYDE, FASTER PUSSYCAT, & More- 364 lots

2023-03-29 Thread Matt Johnston
score and sold them > to Bob Coleman - Rest his soul, one of the great old-school Hollywood poster > dealers. Robbie bought a boat with the money and named it Forbidden Planet. > Those were the days. Enjoy! > >> On Mar 29, 2023, at 10:03 AM, Matt Johnston wrote: >> >

Re: [MOPO] FA: THIS WEEK HERITAGE has DETOUR, DR. JEKYLL & MR. HYDE, FASTER PUSSYCAT, & More- 364 lots

2023-03-29 Thread Matt Johnston
For color reference… This is an unused example I bought from Alan Alder many many years ago. He said it had only been unfolded once for his picture. I unfolded it a 2nd time for these photos and it’s been in a flat file since. My photo setup was designed to get a true and honest representation

Re: [Openembedded-architecture] [OE-core] Y2038 proposal

2022-12-02 Thread Matt Johnston
On Wed, 2022-11-30 at 09:07 +0100, Alexander Kanavin wrote: > > > > On Tue, 29 Nov 2022 at 16:45, Stephen Jolley > > > > wrote: > > > > > > > > We’d welcome a proposal/series on how to move forward with > > > > > > > > the Y2038 work for 32 bit platforms. > > > > > > > > I have the following

Re: [OE-core] Y2038 proposal

2022-12-02 Thread Matt Johnston
On Wed, 2022-11-30 at 09:07 +0100, Alexander Kanavin wrote: > > > > On Tue, 29 Nov 2022 at 16:45, Stephen Jolley > > > > wrote: > > > > > > > > We’d welcome a proposal/series on how to move forward with > > > > > > > > the Y2038 work for 32 bit platforms. > > > > > > > > I have the following

Re: Only do connection if I already know the destination?

2022-11-21 Thread Matt Johnston
On 2022-11-21 11:05 pm, M Rubon wrote: I have an automated remote script that connects to a set of known servers. I never want to be prompted to add a new host key if the server is missing from .ssh/known_hosts. If the key is missing, the client should just immediately exit. Dropbear seems to

Re: [PATCH RFC 2/3] hw/i2c: add mctp core

2022-11-21 Thread Matt Johnston
i2c6 1 0x1d Hi Klaus, Thanks for the MCTP model, it's useful here. I needed the following patch to be able to call SetupEndpoint again when a device has already been assigned an EID. That tries a Set Endpoint ID/ Get Endpoint ID, addressed to EID 0. Cheers, Matt --- >From cb7ad91474367f8e47bdaf03a

Re: Authenticating to dropbear using ecdsa-sha2-nistp256

2022-11-10 Thread Matt Johnston
On 2022-11-11 11:50 am, Rogan Dawes wrote: > I was under the impression that the ssh protocol included a handshake step > where supported algorithms were exchanged, and keys that do not match are > eliminated? For public key auth the client sends each public key it has to offer, the server

Re: Authenticating to dropbear using ecdsa-sha2-nistp256

2022-11-10 Thread Matt Johnston
On Tue, Nov 08, 2022 at 04:57:40PM +0200, Rogan Dawes wrote: > I have created an SSH private key in my M1 Mac's Secure Enclave, and am > using it to SSH to various targets. Those using OpenSSH work fine, and I am > prompted to unlock the SE. However, those using dropbear do not work, > giving me

Re: [PATCH] powerpc/microwatt: Add litesd

2022-09-30 Thread Matt Johnston
On Thu, 2022-09-29 at 11:55 +0930, Joel Stanley wrote: > This is the register layout of the litesd peripheral for the fusesoc > based Microwatt SoC. The register layout looks right, but the upstream litemmc driver also now needs the property clocks = <_clk>; (and associated sys_clk node).

Re: [OE-core][PATCH] dropbear: Enable x11 forwarding

2022-07-24 Thread Matt Johnston
On Thu, 2022-07-21 at 09:12 +, Ross Burton wrote: > > On 20 Jul 2022, at 20:44, Daniel Gomez via lists.openembedded.org > > wrote: > > + > > file://0008-default_options-Enable-x11-forwarding.patch', '', d)}” > > This should be a PACKAGECONFIG instead of a forced on/off based

Re: listening service without MMU?

2022-06-25 Thread Matt Johnston
On 2022-06-24 11:26 am, johnea wrote: I've run across a number of other references since that timeframe that indicate that dropbear can run on no-MMU platforms using uClibc. Searching hasn't really led to a conclusive answer. So, could you please confirm: Can dropbear run as a listening

Re: Dropbear difficulties due to outdated version?

2022-06-24 Thread Matt Johnston
On 2022-06-25 7:49 am, James Miller wrote: I set up a small low-resource VPS a few years ago to use mainly as a light-use xmpp server. I got Dropbear operating there so I could admin it. Dropbear seemed a good choice since system resources were so anemic. I recall it being quite challenging to

Re: Error forwarding unix domain socket

2022-06-24 Thread Matt Johnston
Sorry for the late reply. Dropbear doesn't currently support unix domain socket forwarding. Cheers, Matt On 2022-06-07 3:57 pm, Heiko Thiery wrote: Hi, Does anyone know if it is possible to do a ssh forwarding on unix domain sockets when using dropbear? When I try I get the following error:

[Touch-packages] [Bug 1979032] [NEW] cpu_freq returns current value in GHz but min/max (fixed in 5.9.1)

2022-06-17 Thread Matt Johnston
Public bug reported: Can python-psutil be updated to 5.9.1? It fixes incorrect cpu_freq which affects s-tui. https://github.com/giampaolo/psutil/issues/2049 https://github.com/amanusk/s-tui/issues/186#issuecomment-1100639705 Thanks ** Affects: python-psutil (Ubuntu) Importance: Undecided

Re: unexpected restriction on the number of concurrent SSH logins

2022-06-08 Thread Matt Johnston
Thanks for the report. This was a regression in the re-exec changes, I've pushed a fix to https://github.com/mkj/dropbear/commit/544f28a05165eb97e18cc03fc8990da842ec3a94 The childpipe file descriptor is used to notify the parent listener that auth has completed, but I'd missed that the inetd

Re: I can't access the dropbear mailing list archives

2022-06-08 Thread Matt Johnston
Hi Matt, The server had a missing mount, archives are working again now. (A few recent messages didn't make the archives, I'll forward/reply them in). Thanks for letting me know. Cheers, Matt On 2022-06-08 6:12 am, Matthias Lang wrote: Hi, According to

Dropbear 2022.82

2022-04-01 Thread Matt Johnston
t only have characters a-z A-Z 0-9 .,_-+@) Patch from Hans Harder, modified by Matt Johnston - Let dbclient multihop mode be used with '-J'. Patch from Hans Harder - Allow home-directory relative paths ~/path for various settings and command line options. *_PRIV_FILENAME DROPBEAR_PIDFILE SFTPSERVER_PAT

Re: [Cake] [PATCH net] sch_cake: diffserv8 CS1 should be bulk

2022-01-31 Thread Matt Johnston
On Thu, 2022-01-27 at 17:00 +0100, Sebastian Moeller wrote: > > > > The documentation doesn't match the code though. > > Since I did not see your original mail, only Toke's response, which > documentation is wrong here? Ah, I had missed that the docs were updated already on 6 Jan 2022.

Re: [Cake] [PATCH net] sch_cake: diffserv8 CS1 should be bulk

2022-01-27 Thread Matt Johnston
On Tue, 2022-01-25 at 12:54 +0100, Sebastian Moeller wrote: > > LE(1) is tin 0 the lowest > CS1(8) is 1 slightly above LE > CS0/BE(0) is 2 > AF1x (10, 12, 14) are all in tin 1 as is CS1 ... > Just as documented in the code: > > *Bog Standard (CS0 etc.) > *

[Cake] [PATCH net] sch_cake: diffserv8 CS1 should be bulk

2022-01-25 Thread Matt Johnston
The CS1 priority (index 0x08) was changed from 0 to 1 when LE (index 0x01) was added. This looks unintentional, it doesn't match the docs and CS1 shouldn't be the same tin as AF1x Signed-off-by: Matt Johnston Fixes: b8392808eb3f ("sch_cake: add RFC 8622 LE PHB support to CAKE diffserv han

Re: Dropbear's usage of 'first_kex_packet_follows' may fail on broken SSH implementations

2022-01-19 Thread Matt Johnston
On Wed, Jan 19, 2022 at 04:23:29PM +0100, Thomas De Schampheleire wrote: > I recently encountered connection issues when using dropbear as client > (2020.81) > to certain SSH implementations. In both cases, the issue was related to the > host > key verification. It took me a while to find the

[Bug 1947392] [NEW] __icmp_send panic, perhaps fixed upstream

2021-10-15 Thread Matt Johnston
Public bug reported: I've hit this panic a few times today on focal, 5.4.0-84-generic with wireguard-dkms 1.0.20201112-1~20.04.1 __stack_chk_fail __icmp_send wg_xmit (see panic.jpg for the rest of it) It looks a lot like https://www.spinics.net/lists/netdev/msg723248.html fixed in

Re: [OE-core] [PATCH] openssh: openssh-dev shouldn't depend on openssh

2021-09-30 Thread Matt Johnston
On Wed, 2021-09-29 at 09:40 -0500, Mark Hatle wrote: > > If your root filesystem does NOT have openssh in it, then we need to answer > the > question why was the -dev version added? > > You mention above it's "any built package", but that should not be the case. > It > should be for any

Re: [OE-core] [PATCH] openssh: openssh-dev shouldn't depend on openssh

2021-09-29 Thread Matt Johnston
On Wed, 2021-09-29 at 09:24 +0100, Richard Purdie wrote: > > +RDEPENDS:${PN}-dev = "" > > At that point what is the point of the -dev package? I think you could make > this argument about a lot of the -dev packages and I'm not sure I'd want to > see every recipe doing this. > > What are you

[OE-core] [PATCH] openssh: openssh-dev shouldn't depend on openssh

2021-09-28 Thread Matt Johnston
. Signed-off-by: Matt Johnston --- meta/recipes-connectivity/openssh/openssh_8.7p1.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-connectivity/openssh/openssh_8.7p1.bb b/meta/recipes-connectivity/openssh/openssh_8.7p1.bb index 07cd6b74cd..3ebdd62de3 100644 --- a/meta

[oe] openssh-dev package and populate_sdk conflicts

2021-09-23 Thread Matt Johnston
Hi OE list, Recently OpenBMC merged a change to install openssh-sftp-server package alongside dropbear sshd [1]. That caused a conflict in "populate_sdk" which installs all available -dev packages [2]. 'openssh-dev' pulls in an 'openssh' -> 'openssh-sshd' dependency which conflicts with

Re: Password authentication fails

2021-07-27 Thread Matt Johnston
Hi Dan, MacOS uses PAM for password auth. As well as --enable-pam for configure it needs #define DROPBEAR_SVR_PASSWORD_AUTH 0 #define DROPBEAR_SVR_PAM_AUTH 1 in localoptions.h at build time. Not sure that Homebrew sets the localoptions.h

Re: Dropbear 2019.77

2021-06-29 Thread Matt Johnston
On Tue 29/6/2021, at 9:47 pm, roy...@gmail.com wrote: > >> That itself wouldn't be a problem if we could just crypt all incoming >> password attempts before checking a username's existence - the problem is >> that the password crypt algorithm can vary per user, so the time will vary >> too. We

Re: Dropbear 2019.77

2021-06-29 Thread Matt Johnston
Hi Roy, On Tue 29/6/2021, at 7:18 pm, roy...@gmail.com wrote: > >> - Make failure delay more consistent to avoid revealing valid usernames, set >> server password >> limit of 100 characters. Problem reported by usd responsible disclosure team > > What is the technical reason of limiting

Re: restrict access

2021-05-20 Thread Matt Johnston
On Thu, May 20, 2021 at 02:29:20PM +, Walter Harms wrote: > Thx for the fast response, > for the background: little system, far-far-away land, but some script-kiddie > is filling the log ... > so no iptables or other fancy stuff. Seems i have to change that, somehow. > > @matt: > in case i

Re: restrict access

2021-05-20 Thread Matt Johnston
Hi Walter, Dropbear doesn't have IP restrictions built in. You could use iptables/nftables, or tcpwrappers etc if you're running Dropbear in inetd mode. Cheers, Matt On Thu, May 20, 2021 at 01:23:28PM +, Walter Harms wrote: > Hello List, > actually i expected this would be a FAQ but i can

Re: [PATCH] Introduce extra delay before closing unauthenticated sessions

2021-01-24 Thread Matt Johnston
On Wed 20/1/2021, at 8:15 pm, Thomas De Schampheleire wrote: > >> # HG changeset patch >> Introduce extra delay before closing unauthenticated sessions > > Any comments on this patch? > Hi Thomas, Sorry for the delay getting back to you. I've applied the patch, it seems like it could be

Re: Does Dropbear know what a ~/.ssh/config file is?

2021-01-06 Thread Matt Johnston
ake hostname, port and identity details like openssh? > > Cheers, > > Flex > > On Mon, 4 Jan 2021, 05:41 Matt Johnston, <m...@ucc.asn.au> wrote: > Sounds like your problem is with android not Dropbear :) > > On 4 January 2021 4:57:30 am AWST, Ruben Safir <

Re: Does Dropbear know what a ~/.ssh/config file is?

2021-01-03 Thread Matt Johnston
Sounds like your problem is with android not Dropbear :) On 4 January 2021 4:57:30 am AWST, Ruben Safir wrote: >dropbear is a waste of time and it doesn't even work. > >I don't know why it is Fing Hard for the table with android can't have >an openssh daemon running so we can transfer files on and

Re: Address binding question

2020-12-22 Thread Matt Johnston
Hi Emil, That syntax should work. In my shell here (zsh) I have to put "[127.0.0.1]:22" in quotes, could that be the problem? What commandline do you see if you look at "ps aux"? Cheers, Matt > On Tue 22/12/2020, at 9:13 am, Emil Christopher Solli Melar > wrote: > > Hello! I use Dropbear

Re: MIN_RSA_KEYLEN compare goes wrong

2020-10-29 Thread Matt Johnston
Hi Hans, Sorry I missed replying to this message a while ago. What program created the key? As far as I can tell the test is correct, the top bit might be unset? Cheers, Matt On Thu, Aug 27, 2020 at 07:36:26AM +0200, Hans Harder wrote: > HI, > > I noticed that I got warnings that the RSA key

Re: OpenWRT Dropbear v2020.80: Exit before auth: No matching algo kex

2020-10-23 Thread Matt Johnston
Forcing diffie-hellman-group1-sha1 shouldn't usually be necessary. The only case would be for servers prior to 2018.76 that compiled with all other default options disabled. Cheers, Matt > On Fri 23/10/2020, at 9:00 pm, Tang Jiye wrote: > > Hi Walter, > > What if I want to use ecdh and

Re: OpenWRT Dropbear v2020.80: Exit before auth: No matching algo kex

2020-10-23 Thread Matt Johnston
Hi Piotr, Dropbear 2020.79 had some changes to the code that parses algorithms, it now is more strict about its MAX_PROPOSED_ALGO = 20 limit. Not intentionally, but as a side-effect. sshj advertises 30 different ciphers. I've increased the limit to 50 in

Re: Cannot Connect to Dropbear Server of Openwrt in QEMU

2020-10-20 Thread Matt Johnston
Hi, Given in tcpdump there was no response at all (not even a rejection), my guess is there is a firewall on the OpenWrt host that drops all port 22 packets. Are firewall rules listed if you go "iptables -vnL" , or in a config file? Cheers, Matt > On Tue 20/10/2020, at 1:50 pm, 许大仙 wrote: >

Re: Dropbear Compilation on IRIX 6.5 broken again (2020.80)

2020-10-07 Thread Matt Johnston
Hi Kazuo, It's a gnu extension, equivalent to chansess->original_command = chansess->cmd ? chansess->cmd : m_strdup(""); I've pushed a fix now, I prefer a plain "if" statement. Cheers, Matt > On Thu 8/10/2020, at 8:59 am, Kazuo Kuroi wrote: > > Hi folks, > > MIPSPro 7.4.4m on IRIX doesn't

[Bug 1889757] [NEW] zfs root with ext3 /boot fails to create grub menu entries

2020-07-31 Thread Matt Johnston
Public bug reported: 10_linux was changed to exit early if / is zfs. That doesn't work if /boot is an ext4 filesystem which should be detected by the rest of 10_linux. The result is that grub doesn't create any entries for any kernels and the system isn't bootable, manual intervention is

Re: [PATCH] dropbear: make rsa-sha2-256 pubkeys usable again

2020-07-17 Thread Matt Johnston
names - it's possible there are bugs, but I can't reproduce it yet. Thanks, Matt > On Fri 17/7/2020, at 4:38 pm, Petr Štetiar wrote: > > Matt Johnston [2020-07-16 21:24:43]: > > Hi, > >> I can't reproduce a problem authenticating to a Dropbear 2020.80 server with

Re: "Bad public key options" (Was: Dropbear 2020.79)

2020-06-17 Thread Matt Johnston
> On Tue 16/6/2020, at 9:58 am, Guilhem Moulin wrote: >> - […] x11 forwarding are now disabled by default. > > I have no opinion about disabling this at compile-time, however the > current implementation locks out (“Bad public key options”) users with > ‘no-X11-forwarding’ in their

Re: Dropbear 2020.79

2020-06-17 Thread Matt Johnston
... > > thx > Hans > > On Mon, Jun 15, 2020 at 5:53 PM Matt Johnston <m...@ucc.asn.au> wrote: > Hi all, > > Dropbear 2020.79 is now released. Particular thanks to Vladislav Grishenko > for adding ed25519 and chacha20-poly1305 support which have > been

Dropbear 2020.79

2020-06-15 Thread Matt Johnston
Hi all, Dropbear 2020.79 is now released. Particular thanks to Vladislav Grishenko for adding ed25519 and chacha20-poly1305 support which have been wanted for a while. This release also supports rsa-sha2 signatures which will be required by OpenSSH in the near future - rsa with sha1 will be

Bug#962132: dropbear-initramfs should be Suggests not Recommends

2020-06-03 Thread Matt Johnston
Package: dropbear Version: 2019.78-2 Severity: normal The dropbear package currently has Recommends: dropbear-initramfs so installing dropbear pulls in 30MB of other initramfs-related packages not needed for a container. "Suggests" would seem more appropriate going by the policy manual "The

Re: scp command exemple

2020-05-12 Thread Matt Johnston
Hi Bruno, That syntax should work. What platform is it? Have you tried typing it manually in case there were strange unicode characters copy/pasted? Cheers, Matt > On Tue 12/5/2020, at 6:26 pm, bruno wrote: > > Hello, anyone has an example of scp dropbear use? > > it seems that : > > scp

Re: dbclient v2019.78: proxyJump

2020-05-04 Thread Matt Johnston
Hi Adrian, With dropbear you should be able to list the hosts comma separated dbclient -i /mydir/id_rsa username1@server1,username2@server2 Does that work? It should do something equivalent to the first one though, unless I've missed something. Cheers, Matt > On Sun 3/5/2020, at 11:38 pm,

Re: bug: stdio pipe is root owned so reopening it fails

2020-05-01 Thread Matt Johnston
Hi Szabolcs, Ah, that's a bit nasty. I guess the difference is that OpenSSH runs the daemon as the user, while Dropbear runs as root. The procfs manpage mentions the problem. http://man7.org/linux/man-pages/man5/proc.5.html Note that for file descriptors referring to inodes

Re: [PATCH 0 of 1] Fix build

2020-03-27 Thread Matt Johnston
> On Thu 26/3/2020, at 6:45 pm, Alexander Dahl wrote: > > Gentle ping on this patch. Hi Alex, Sorry for the delay, it's merged now. Cheers, Matt

Re: SSH key exchange fails 30-70% of the time on Netgear X4S R7800

2020-03-24 Thread Matt Johnston
the SIMD registers aren't being >> preserved/restored properly somewhere, probably during a context switch, >> specifically s16–s31 (d8–d15, q4–q7), which AAPCS says must be preserved and >> which I see being used in the disassembly of fast_s_mp_sqr(). I'll write >>

Re: SSH key exchange fails 30-70% of the time on Netgear X4S R7800

2020-03-19 Thread Matt Johnston
Hi, The first thing I'd try would be to build with -O0 compilation flags to rule out compiler optimisations doing something strange. Cheers, Matt > On Thu 19/3/2020, at 3:42 pm, Horshack wrote: > > Update - I cloned and built the dbclient source so I could enable the debug > tracing

Re: Hiding dropbear output on boot up

2020-03-18 Thread Matt Johnston
Hi Tania, I think you could probably add "> /dev/null 2> /dev/null" after one of the ipconfig commands in /usr/share/initramfs-tools/scripts/functions, though I'm not too familiar with how they all fit together. (Or if it's dhclient for ipv6 printing the output, get rid of the "-v" for

Re: Timeout settings

2020-03-18 Thread Matt Johnston
Hi Daniel, -K is equivalent to the OpenSSH ClientAliveInterval. The server will send traffic to check that the connection is open. -I will disconnect if there is no traffic for a certain time interval. It won't try to send any traffic over the connection, it just passively looks at what

Re: [PATCH] Add Ed25519 keys support

2020-03-11 Thread Matt Johnston
Thank you Vladislav, I've merged this now via github, https://secure.ucc.asn.au/hg/dropbear/rev/d32bcb5c557d It's a nice clean and thorough implementation. Cheers, Matt > On Fri 6/3/2020, at 10:45 pm, Vladislav Grishenko > wrote: > > Hello, > > Initially inspired by Péter Szabó work

Re: android access

2020-03-08 Thread Matt Johnston
Hi Ruben, Not sure about that particular android program but Filezilla usually works as an alright sftp program. Cheers, Matt > On Sun 8/3/2020, at 2:42 am, Ruben Safir wrote: > > Hello > > Hello - I am sure this has been asked but I couldn't find an answer with > a web search.. > > can

Re: dropbear and new host keys?

2019-12-16 Thread Matt Johnston
> On Fri 13/12/2019, at 2:14 am, Joakim Tjernlund > wrote: > > On Thu, 2019-12-12 at 18:34 +0100, Hans Harder wrote: >> >>> The bigger issue here is why not reread keys at every new session? That >>> seems to like the right thing to do in any case? >> >> Performance... I don't _think_

Re: dropbear and new host keys?

2019-12-11 Thread Matt Johnston
Hi Joakim, The server needs to be stopped and restarted. If this is for new keys at first-boot you could look at the -R option. Cheers, Matt On Wed, Dec 11, 2019 at 03:38:36PM +, Joakim Tjernlund wrote: > Is there a way to tell a running dropbear server to reread host keys if the > keys

Re: Dropbear processes getting into uninterruptible I/O process "D" state

2019-10-15 Thread Matt Johnston
ng these pipes that are kept open to be there > forever in that state. Any other suggestions may help. > > > Thanks for your help again, > Binny > > From: Matt Johnston <m...@ucc.asn.au> > Sent: Wednesday, October 9, 2019 6:56 PM > To: Jeshan, Binny

Re: Configuration Issues

2019-06-23 Thread Matt Johnston
Hi Kenny, I don't think I've seen that problem before. Does Dropbear log anything in /var/log/auth.log or similar? Or if logging isn't set up on the system, if you run dropbear -F -E it will log to the console. The clock shouldn't make any difference. Cheers, Matt > On Thu 20/6/2019, at

[MOPO] Rare Star Wars posters wanted

2019-05-23 Thread Matt Johnston
Hi! I’m looking for the following Star Wars posters: 1. 1982 all-text, mustard yellow UK quad poster announcing trailer for “Revenge of the Jedi” 2. Return of the Jedi 6-sheet 3. Original trilogy Israeli posters 4. Original trilogy Hong Kong posters Thanks! -Matt

Re: Forward a UNIX Socket

2019-05-02 Thread Matt Johnston
Hi Sergey, Dropbear doesn't support it - it would be fine to add, it just didn't exist in OpenSSH when I implemented the other Dropbear forwarding. I might add it in future though no guarantees - patches gladly accepted! The SSH agent forwarding code is probably very similar already. Cheers,

Re: Dropbear 2018.76 when behaving as client sending sha1 as mac

2019-04-11 Thread Matt Johnston
problem with sha1 as a hmac? Cheers, Matt > On Thu 11/4/2019, at 12:11 pm, Chahar, Rohini > wrote: > > Hi Matt, > > Please find my responses below. > > Regards, > Rohini > > From: Matt Johnston <m...@ucc.asn.au> > Sent: 10 April 2019 18:3

Re: Dropbear 2018.76 when behaving as client sending sha1 as mac

2019-04-10 Thread Matt Johnston
Hi Rohini, I'm not entirely clear about the problem - is the connection failing or is it just selecting hmac-sha2-sha1 which you don't want? The algorithm chosen will be the first one in the client's list that is also in the server's list. When you do the "copy to the server" is it dropbear as

Dropbear 2019.78

2019-03-27 Thread Matt Johnston
Hi all, Dropbear 2019.78 is released. There was a regression in dbclient 2019.77, terminal modes would not be reset when the client exited. The server has no changes. Cheers, Matt 2019.78 - 27 March 2019 - Fix dbclient regression in 2019.77. After exiting the terminal would be left in a bad

Re: Dropbear 2019.77

2019-03-24 Thread Matt Johnston
Beware that dbclient in 2019.77 has a regression, it won't reset TTY modes on exit. That's fixed in https://secure.ucc.asn.au/hg/dropbear/rev/4b01f4826a29 Cheers, Matt On Sat, Mar 23, 2019 at 10:02:49PM +0800, Matt Johnston wrote: > Hi all, > > At long last Dropbear 2019.77 is relea

Dropbear 2019.77

2019-03-23 Thread Matt Johnston
Hi all, At long last Dropbear 2019.77 is released. Most changes are bug fixes, with a few small features. There are security fixes to avoid revealing the existence of valid usernames. This release also merges the fuzzing branch. In a normal build this should have no effect on operation. There

Re: Dropbear 2018.76

2019-03-20 Thread Matt Johnston
specified patch > <https://secure.ucc.asn.au/hg/dropbear/rev/0dc3103a5900>? > 3. Use the current repo tip? > > Thanks! > Russ > > On Fri, Mar 9, 2018 at 3:19 AM Peter Krefting > wrote: > > > Matt Johnston: > > > > > This should be fixe

Re: How to get dbclient?

2019-03-14 Thread Matt Johnston
Hi Gilles, The main() for each of those is in svr-main.c and cli-main.c respectively. https://secure.ucc.asn.au/hg/dropbear/file/tip/cli-main.c#l45 The Makefile is a bit convoluted so that it can also build them all into a single binary.

Re: MAX_USERNAME_LEN set too low

2019-03-01 Thread Matt Johnston
Hi Mike, The limit's arbitrary so 32 would be fine. Maybe even something like 100. I'll increase it for the next release. Cheers, Matt > On Fri 1/3/2019, at 8:28 am, W. Michael Petullo wrote: > > Dropbear's auth.h defines MAX_USERNAME_LEN as 25 and provides the > commentary "arbitrary for the

Re: dbclient can't connect to cisco

2018-11-16 Thread Matt Johnston
> On Fri 16/11/2018, at 2:26 am, Nik Soggia wrote: > > So in the end if I delay the kexinit until there is some data on the wire I > will pull the rabbit out of the cylinder. The problem is that waiting for the remote banner is still adding a round trip of delay. That's fine for a local

Re: dbclient can't connect to cisco

2018-11-14 Thread Matt Johnston
On Wed, Nov 14, 2018 at 06:20:59PM +0300, Konstantin Tokarev wrote: > Note that OpenSSH enables a couple of workarounds for Cisco-1.* > > https://github.com/openssh/openssh-portable/blob/master/compat.c#L88 The tricky thing is that dbclient can't do anything to work around it here. We haven't

Re: dbclient can't connect to cisco

2018-11-14 Thread Matt Johnston
Hi Nik, > > dbclient sends "SSH-2.0-dropbear_2018.76\r\n" and kexinit > cisco sends "SSH-2.0-Cisco-1.25\r\n" > then cisco waits "ip ssh time-out" seconds and then closes the TCP socket. > > my conjecture is that cisco empties its receive buffer after sending the > identification string and

Re: Strange behaviour surrounding "ssh -T ..." and non-zero exit

2018-11-14 Thread Matt Johnston
Hi Mike, > On Sat 10/11/2018, at 12:52 am, W. Michael Petullo wrote: > > > Here is a more practical example which demonstrates the problem: > > $ echo false | dbclient -T r...@host.example.com > $ echo $? > 0 I think this should now _really_ be fixed with

Re: Strange behaviour surrounding "ssh -T ..." and non-zero exit

2018-11-09 Thread Matt Johnston
Hi Michael, On 2018-11-09 3:48 pm, W. Michael Petullo wrote: >> I am using Dropbear v2017.75 as found on OpenWrt. >> >> echo input | ssh -T h; echo $? >> >> Despite the error occurring, the above command line prints `0' rather >> than `1.' Since this triggers the error, I would expect the

Re: Login attempt for nonexistent user

2018-10-31 Thread Matt Johnston
Hi Laurent, My best guess is that it was built on lubuntu which uses glibc, but the Udoo board doesn't have the required /lib/somewhere/libnss*.so libraries - those get chosen at runtime based on /etc/nsswitch.conf. Building using a uclibc cross compiler would avoid that - how did you build

Re: [MOPO] English one sheets

2018-09-25 Thread Matt Johnston
The block EMI logo wasn’t used until 1976: http://www.closinglogos.com/page/EMI+Films+%28UK%29 Keep in mind the person selling the duo-tone English 1-sheets has no relation to Studio Canal. So none of this info is “according to Studio Canal…” — it’s according to some seller on eBay.

Re: The website is down

2018-08-25 Thread Matt Johnston
Working again now, LACP stopped working between some switches. https://dropbear.nl/mirror/ is the geographically separate mirror. Cheers, Matt On 25 August 2018 6:02:04 pm AWST, Roy Tam wrote: >Dear Cody, > >github code mirror is still accessible: https://github.com/mkj/dropbear > >2018-08-25

Re: User enumeration in Dropbear 2018.76 and earlier

2018-08-20 Thread Matt Johnston
On Mon 20/8/2018, at 5:50 pm, Matthijs R. Koot wrote: > > The user enumeration issue in OpenSSH [0] also exists in Dropbear 2018.76 > and earlier; at least going back to w/v2013.58 (didn't test with earlier > versions yet). It is specifically related to this code in svr-auth.c [1]: > [0]

[MOPO] Wanted: Star Wars Polish B1 w/C3PO art by Jakub Erol

2018-07-25 Thread Matt Johnston
Please let me know condition and price if you have one. Thank you! -Matt

Re: ifndef_wrapper.sh required sed with "-E" which isn't available with old sed version.

2018-07-24 Thread Matt Johnston
On Mon, Jul 23, 2018 at 01:08:54PM +0800, Samuel Hsu wrote: > As titled, can we use "sed -r" instead of "sed -E". Hi Samuel, Thanks, I hadn't noticed that problem. I've pushed a change to use non-extended regexes which should work everywhere.

Re: potential bug in atomicio?

2018-07-17 Thread Matt Johnston
On Wed, Jul 11, 2018 at 05:26:17PM -0300, Daniel Gutson wrote: > Hi, > >considering this: > > https://github.com/mkj/dropbear/blob/d740dc548924f2faf0934e5f9a4b83d2b5d6902d/atomicio.c#L55 ... > What if res is negative less than -1, for example -2 ? Shouldn't be a check > there that res is > 0

Bug#903403: dropbear's default PATH should be different for the root user

2018-07-09 Thread Matt Johnston
Hi Raphael, > When you say "upstream" here, you refer to login or dropbear? > You are explaining that the distinction in the PATH set for root and > non-root already exists in login... so you agree that a similar change > ought to be done in dropbear, is that correct ? Dropbear "upstream" will

Bug#903403: dropbear's default PATH should be different for the root user

2018-07-09 Thread Matt Johnston
> When dropbear is used in a very restricted environment (such as in a > initrd), the default user shell is often also very restricted > and doesn't take care of setting the PATH so the user ends up > with the PATH set by dropbear. Unfortunately, dropbear always > sets "/usr/bin:/bin" as default

Re: OpenSSH drop-in replacement

2018-06-13 Thread Matt Johnston
Hi Martin, Dropbear should be able to do 1, it will send the PAM_TEXT_INFO as a SSH banner. SSH clients may display that before asking for a username though, I haven't tested. Dropbear can't change usernames though. Cheers, Matt > On Wed 13/6/2018, at 4:21 pm, Martin van Es wrote: > > Hi, >

Re: Dropbear incompatible with current python Twisted

2018-06-05 Thread Matt Johnston
The most likely cause would be that Twisted doesn't handle firstPacketFollows properly, which seems to be the case looking at https://github.com/twisted/twisted/blob/trunk/src/twisted/conch/ssh/transport.py#L869 Can you add that to the Twisted bug report? Cheers, Matt > On Tue 5/6/2018, at

Re: Problem using reverse ssh tunnel (remote port forwading)

2018-05-29 Thread Matt Johnston
Hi Ben, Does the device log anything from Dropbear in /var/log/auth.log or similar? If you "telnet localhost 10022" does it print anything? Cheers, Matt > On Fri 25/5/2018, at 11:05 pm, Ben Kinsella > wrote: > > I have various devices on a private network behind a router, and I typically >

Re: Dropbear Tunnels

2018-05-21 Thread Matt Johnston
Hi John, The reason it's not supported is that no one has implemented it yet. I don't have plans to, but if someone wants to send an implementation it could be added. Are you interested in client or server? Cheers, Matt > On Sat 19/5/2018, at 12:19 am, John wrote: > >

Re: [MOPO] cinevent seller

2018-05-18 Thread Matt Johnston
Sure sounds like you guys are referring to Benito’s rather epic collection... http://www.benitomovieposter.com > On May 18, 2018, at 10:39 AM, Michael Greenwood > wrote: > > Is this the Spanish guy you're talking about, Alan? I

Re: [MOPO] WTB: Oedipus Rex Polish poster wanted

2018-04-17 Thread Matt Johnston
I don’t have one, but I can ask around with Polish collectors if you’d prefer. I imagine it will be a few hundred dollars. -Matt > On Apr 17, 2018, at 3:11 PM, Posteritati wrote: > > Hello, > > We’re looking for this Polish A1 (23x33) poster >

Re: Dropbear ssh tunneling segfault

2018-03-21 Thread Matt Johnston
I suspect selinux is blocking something, after dropbear forks to run the shell. Can you find where selinux keeps its logs? When you run 'su' it enters a less restrictive context than normal root, so it runs ok. I guess you need to create a selinux policy for the dropbear service - I don't have

Re: Dropbear server exit when idle?

2018-03-09 Thread Matt Johnston
Hi Dave, My first approach would be to run "timeout 600 dropbear -F -E". Established sessions won't be killed since each session is a forked process. That assumes "timeout" exists on the system busybox etc. If you want to modify the code put a check after the select() in main_noinetd().

Re: Dropbear 2018.76

2018-03-08 Thread Matt Johnston
didn't match the key that had been loaded. Now it only advertises a single size - first preference existing size, otherwise the default if no key exists. Thanks for letting me know and debugging. Cheers, Matt > On Mon 5/3/2018, at 4:02 pm, Peter Krefting <pe...@softwolves.pp.se> w
