Great, thanks for looking into this.

Thanks,
Adrian

On 10/06/13, at 12:52 PM, Aris Adamantiadis <[email protected]> wrote:

> Hi Adrian,
>
> A little advance on this issue. Matt Johnston (Dropbear's author) wrote
> me and showed me I was wrong, which I was :)
> The problem we have here is that both the banner and the kexinit packet
> are in the same TCP segment. We fixed this a while ago (for another
> related bug) in 0.6 but we missed the backport to v0.5.
> I don't think we are going to release 0.5.6 very soon. So in the
> meanwhile I pushed the fix on git, you have the option of getting either
> the v0-5 branch, the v0-6 branch or master.
>
> Kind regards,
>
> Aris
>
> On 27/09/13 16:30, Aris Adamantiadis wrote:
>> Hi,
>>
>> I have looked at the problem. We detect the end of banner well but are
>> expecting a SSH_KEXINIT packet in order to start the key exchange. We
>> optimistically bet on the fact that the other side is sending this
>> packet right away. Unfortunately dropbear does exactly the same (for a
>> server, why?), so we are both wrong.
>> Unfortunately a fix to this issue will be a little intrusive and will
>> take time (we need to rewrite part of the key exchange mechanism) so I
>> cannot make any promise on a deadline.
>>
>> Aris
>>
>> On 25/09/13 14:54, Aris Adamantiadis wrote:
>>> Thanks,
>>>
>>> It looks like libssh cannot detect the end of banner. I'll install
>>> dropbear to test myself and also have a look at the RFC to see if we're
>>> doing something wrong.
>>>
>>> Aris
>>>
>>> On 25/09/13 14:26, Adrian Baerlocher wrote:
>>>> I've attached the pcap file below. I'm running Dropbear directly on the
>>>> same host (I've also tried connecting remote). I'm able to connect using
>>>> OpenSSH without any problems. It seems to get stuck after sending the
>>>> libssh 'banner'. Eventually the request times out and is closed.
>>>>
>>>> Thanks,
>>>> Adrian
>>>>
>>>> On 09/24/13, at 5:28 PM, Aris Adamantiadis <[email protected]> wrote:
>>>>
>>>>> Hi Adrian,
>>>>>
>>>>> A pcap capture taken with tcpdump -s0 or wireshark would be useful to
>>>>> begin. I suspect Dropbear is shy and expects libssh to make the first
>>>>> move and send the first packet of some kind.
>>>>>
>>>>> Aris
>>>>> On 24/09/13 21:56, Adrian Baerlocher wrote:
>>>>>> No luck, I'm afraid. In fact, it appears Dropbear ignores the log
>>>>>> message priority. I will try creating a pcap file next.
>>>>>>
>>>>>> Thanks,
>>>>>> Adrian
>>>>>>
>>>>>> On 09/24/13, at 1:45 PM, Dustin Oprea <[email protected]> wrote:
>>>>>>
>>>>>>> If this is from syslog, syslog might not be configured to allow all
>>>>>>> logging. That being said, try running the server directly (not as a
>>>>>>> service). It looks like both the server and the client send errors to
>>>>>>> STDERR. The server log routine (in svr-session.c):
>>>>>>>
>>>>>>>     if (!svr_opts.usingsyslog || havetrace)
>>>>>>>     {
>>>>>>>         struct tm * local_tm = NULL;
>>>>>>>         timesec = time(NULL);
>>>>>>>         local_tm = localtime(&timesec);
>>>>>>>         if (local_tm == NULL
>>>>>>>             || strftime(datestr, sizeof(datestr), "%b %d %H:%M:%S",
>>>>>>>                         local_tm) == 0)
>>>>>>>         {
>>>>>>>             /* upon failure, just print the epoch-seconds time. */
>>>>>>>             snprintf(datestr, sizeof(datestr), "%d", (int)timesec);
>>>>>>>         }
>>>>>>>         fprintf(stderr, "[%d] %s %s\n", getpid(), datestr, printbuf);
>>>>>>>     }
>>>>>>>
>>>>>>> It looks like error, warning, info, and debug logging all go into
>>>>>>> STDERR. In this case, it looks like a majority of the messages are
>>>>>>> LOG_INFOs.
>>>>>>>
>>>>>>> Dustin
>>>>>>>
>>>>>>> On Tue, Sep 24, 2013 at 12:06 PM, Adrian Baerlocher
>>>>>>> <[email protected]> wrote:
>>>>>>>
>>>>>>> Logging from the server doesn't provide much help (the disconnect
>>>>>>> occurs from client timeout):
>>>>>>>
>>>>>>> dropbear[37646]: Child connection from 127.0.0.1:56535
>>>>>>> dropbear[37646]: Exit before auth: Disconnect received
>>>>>>>
>>>>>>> I'll try creating a pcap file next.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Adrian
>>>>>>>
>>>>>>> On 09/24/13, at 11:49 AM, Andreas Schneider <[email protected]> wrote:
>>>>>>>
>>>>>>>> On Tuesday 24 September 2013 10:04:27 Adrian Baerlocher wrote:
>>>>>>>>> Does anyone know of any compatibility issues with Dropbear
>>>>>>>>> (dropbear_2013.58)? I'm seeing libssh (0.5.5) time out after exchanging
>>>>>>>>> banners. I'm able to connect via OpenSSH, however.
>>>>>>>>
>>>>>>>> Could you turn on debugging on the server and find out what's going wrong? If
>>>>>>>> this doesn't give any hint then probably creating a pcap file will help.
>>>>>>>>
>>>>>>>> http://git.libssh.org/projects/libssh.git/tree/include/libssh/pcap.h
>>>>>>>>
>>>>>>>> -- andreas
>>>>>>>>
>>>>>>>> --
>>>>>>>> Andreas Schneider                   GPG-ID: F33E3FC6
>>>>>>>> www.cryptomilk.org                  [email protected]
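
The root cause named at the top of this thread is a banner and a KEXINIT packet arriving in the same TCP segment. The following C code is an added example, not part of the thread and not libssh's or Dropbear's code: it shows a receive path that returns how many bytes the banner consumed so the remainder of the same read can be handed to the packet layer. The function names, the 35000-byte sanity cap and the constructed SEGMENT sample (a dummy type-20 packet, not a real KEXINIT body) are assumptions.

```c
#include <stdint.h>
#include <string.h>

#define SSH_MSG_KEXINIT 20  /* RFC 4253 section 12 */
#define BANNER_MAX 255      /* RFC 4253 section 4.2, CR LF included */

/* Returns bytes consumed through the LF of the "SSH-" line, 0 if more data
 * is needed, -1 if malformed. Earlier non-"SSH-" lines are skipped. */
static long parse_banner(const uint8_t *buf, size_t len, char *out, size_t outsz)
{
    size_t start = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] != '\n') continue;
        size_t n = i - start;                      /* line length, LF excluded */
        if (n + 1 > BANNER_MAX) return -1;
        if (n >= 4 && memcmp(buf + start, "SSH-", 4) == 0) {
            if (buf[i - 1] == '\r') n--;           /* drop the CR */
            if (n >= outsz) return -1;
            memcpy(out, buf + start, n);
            out[n] = '\0';
            return (long)(i + 1);
        }
        start = i + 1;                             /* pre-banner line: skip */
    }
    return (len - start > BANNER_MAX) ? -1 : 0;
}

/* Message type of the first complete binary packet (RFC 4253 section 6),
 * 0 if it is still incomplete, -1 if the header is invalid. */
static int first_packet_type(const uint8_t *buf, size_t len)
{
    if (len < 5) return 0;
    uint32_t plen = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                    ((uint32_t)buf[2] << 8) | buf[3];
    if (plen > 35000 || (uint32_t)buf[4] + 2 > plen) return -1; /* assumed cap */
    if (len - 4 < plen) return 0;
    return buf[5];
}

/* Constructed sample: banner plus a dummy type-20 packet in one read. */
static const uint8_t SEGMENT[] = "SSH-2.0-dropbear_2013.58\r\n"
    "\x00\x00\x00\x0c\x04\x14" "cookie" "\x00\x00\x00\x00";

/* Hand whatever follows the banner to the packet layer instead of dropping it. */
static int type_after_banner(const uint8_t *buf, size_t len, char *banner, size_t bsz)
{
    long used = parse_banner(buf, len, banner, bsz);
    if (used <= 0) return (int)used;
    return first_packet_type(buf + used, len - (size_t)used);
}
```

A return of 0 from type_after_banner means the caller keeps the buffered bytes and reads more; discarding them at that point reproduces the stall described in the thread.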
