Hi Adrian,

A little advance on this issue. Matt Johnston (Dropbear's author) wrote me and showed me I was wrong, which I was :)

The problem we have here is that both the banner and the kexinit packet are in the same TCP segment. We fixed this a while ago (for another related bug) in 0.6 but we missed the backport to v0.5. I don't think we are going to release 0.5.6 very soon. So in the meanwhile I pushed the fix on git, you have the option of getting either the v0-5 branch, the v0-6 branch or master.

Kind regards,

Aris

On 27/09/13 16:30, Aris Adamantiadis wrote:
> Hi,
>
> I have looked at the problem. We detect the end of banner well but are
> expecting a SSH_KEXINIT packet in order to start the key exchange. We
> optimistically bet on the fact that the other side is sending this
> packet right away. Unfortunately dropbear does exactly the same (for a
> server, why ?), so we are both wrong.
> Unfortunately a fix to this issue will be a little intrusive and will
> take time (we need to rewrite part of the key exchange mechanism) so I
> cannot make any promise on a deadline.
>
> Aris
>
> On 25/09/13 14:54, Aris Adamantiadis wrote:
>> Thanks,
>>
>> It looks like libssh cannot detect the end of banner. I'll install
>> dropbear to test myself and also have a look at the rfc to see if we're
>> doing something wrong.
>>
>> Aris
>>
>> On 25/09/13 14:26, Adrian Baerlocher wrote:
>>> I've attached the pcap file below. I'm running Dropbear directly on the
>>> same host (I've also tried connecting remote). I'm able to connect using
>>> OpenSSH without any problems. It seems to get stuck after sending the
>>> libssh 'banner'. Eventually the request times out and is closed.
>>>
>>> Thanks,
>>> Adrian
>>>
>>> On 09/24/13, at 5:28 PM, Aris Adamantiadis <[email protected]> wrote:
>>>
>>>> Hi Adrian,
>>>>
>>>> A pcap capture taken with tcpdump -s0 or wireshark would be useful to
>>>> begin. I suspect Dropbear is shy and expects libssh to make the first
>>>> move and send the first packet of some kind.
>>>>
>>>> Aris
>>>>
>>>> On 24/09/13 21:56, Adrian Baerlocher wrote:
>>>>> No luck, I'm afraid. In fact, it appears Dropbear ignores the log
>>>>> message priority. I will try creating a pcap file next.
>>>>>
>>>>> Thanks,
>>>>> Adrian
>>>>>
>>>>> On 09/24/13, at 1:45 PM, Dustin Oprea <[email protected]> wrote:
>>>>>
>>>>>> If this is from syslog, syslog might not be configured to allow all
>>>>>> logging. That being said, try running the server directly (not as a
>>>>>> service). It looks like both the server and the client send errors to
>>>>>> STDERR. The server log routine (in svr-session.c):
>>>>>>
>>>>>> if (!svr_opts.usingsyslog || havetrace)
>>>>>> {
>>>>>>     struct tm * local_tm = NULL;
>>>>>>     timesec = time(NULL);
>>>>>>     local_tm = localtime(&timesec);
>>>>>>     if (local_tm == NULL
>>>>>>         || strftime(datestr, sizeof(datestr), "%b %d %H:%M:%S",
>>>>>>             local_tm) == 0)
>>>>>>     {
>>>>>>         /* upon failure, just print the epoch-seconds time. */
>>>>>>         snprintf(datestr, sizeof(datestr), "%d", (int)timesec);
>>>>>>     }
>>>>>>     fprintf(stderr, "[%d] %s %s\n", getpid(), datestr, printbuf);
>>>>>> }
>>>>>>
>>>>>> It looks like error, warning, info, and debug logging all go into
>>>>>> STDERR. In this case, it looks like a majority of the messages are
>>>>>> LOG_INFOs.
>>>>>>
>>>>>> Dustin
>>>>>>
>>>>>> On Tue, Sep 24, 2013 at 12:06 PM, Adrian Baerlocher
>>>>>> <[email protected]> wrote:
>>>>>>
>>>>>> Logging from the server doesn't provide much help (the disconnect
>>>>>> occurs from client timeout):
>>>>>>
>>>>>> dropbear[37646]: Child connection from 127.0.0.1:56535
>>>>>> dropbear[37646]: Exit before auth: Disconnect received
>>>>>>
>>>>>> I'll try creating a pcap file next.
>>>>>>
>>>>>> Thanks,
>>>>>> Adrian
>>>>>>
>>>>>> On 09/24/13, at 11:49 AM, Andreas Schneider <[email protected]> wrote:
>>>>>>
>>>>>>> On Tuesday 24 September 2013 10:04:27 Adrian Baerlocher wrote:
>>>>>>>> Does anyone know of any compatibility issues with Dropbear
>>>>>>>> (dropbear_2013.58)? I'm seeing libssh (0.5.5) time out after
>>>>>>>> exchanging banners. I'm able to connect via OpenSSH, however.
>>>>>>>
>>>>>>> Could you turn on debugging on the server and find out what's
>>>>>>> going wrong? If this doesn't give any hint then probably creating
>>>>>>> a pcap file will help.
>>>>>>>
>>>>>>> http://git.libssh.org/projects/libssh.git/tree/include/libssh/pcap.h
>>>>>>>
>>>>>>> -- andreas
>>>>>>>
>>>>>>> --
>>>>>>> Andreas Schneider GPG-ID: F33E3FC6
>>>>>>> www.cryptomilk.org [email protected]
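
The case named in the top message of this thread, a banner and a KEXINIT packet arriving in the same TCP segment, shown as an added example that is not libssh's or Dropbear's code. The names `struct rx`, `rx_feed` and `first_packet_type` are hypothetical, the sample bytes are constructed, and the sketch assumes the identification line is the first line received and that packets are still unencrypted.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: one read() result holding the server identification
 * line followed directly by a binary packet. The payload is only the type
 * byte 20 (SSH_MSG_KEXINIT); a real KEXINIT payload is much longer. */
static const uint8_t SEGMENT[] =
    "SSH-2.0-dropbear_2013.58\r\n"
    "\x00\x00\x00\x0c\x0a\x14\0\0\0\0\0\0\0\0\0\0";
#define SEGMENT_LEN (sizeof(SEGMENT) - 1) /* without the literal's NUL */

/* Hypothetical receiver state; the buffer is sized for the sample only. */
struct rx { uint8_t buf[512]; size_t len; int banner_done; };

/* Type of the first complete packet (RFC 4253 section 6 framing, before
 * encryption), -1 if more bytes are needed, -2 if the header is malformed. */
static int first_packet_type(const uint8_t *p, size_t len)
{
    if (len < 6) return -1;
    uint32_t plen = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                    ((uint32_t)p[2] << 8) | p[3];
    if (plen > 35000 || p[4] + 2u > plen) return -2;
    if (len - 4 < plen) return -1;
    return p[5];
}

/* Feed the bytes of one read. Bytes that follow the banner's LF stay in the
 * buffer, so a packet coalesced with the banner is parsed, not waited for. */
static int rx_feed(struct rx *rx, const uint8_t *data, size_t n)
{
    if (n > sizeof(rx->buf) - rx->len) return -2;
    memcpy(rx->buf + rx->len, data, n);
    rx->len += n;
    if (!rx->banner_done) {
        const uint8_t *lf = memchr(rx->buf, '\n', rx->len);
        if (lf == NULL) return -1;            /* banner still incomplete */
        size_t used = (size_t)(lf - rx->buf) + 1;
        memmove(rx->buf, rx->buf + used, rx->len - used);
        rx->len -= used;
        rx->banner_done = 1;
    }
    return first_packet_type(rx->buf, rx->len);
}

int main(void)
{
    struct rx rx = {0};
    printf("first packet type: %d\n", rx_feed(&rx, SEGMENT, SEGMENT_LEN));
    return 0;
}
```

The same receiver gives the same answer when the bytes arrive split across several reads, which is the property a banner parser needs regardless of how the peer's writes are segmented.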
