[PATCH] wildcard host keys

2006-09-14 Thread Jamie Lokier 
I'm using dropbear on an embedded device that has to connect to a
server at an IP address that isn't known in advance, but is verifiable
with a host key.

So I added the ability to use * in the known_hosts file to match any
hostname/IP.  This is better than disabling host key checking
altogether, as I can still verify it's connecting to an authorized
server.

Someone else may find the patch useful.

-- Jamie


This allows the known_hosts file to use wildcard * to match any host.
This is used to prevent the interactive y/n question as long as the
host key is in the recognised list - essential for non-interactive setup
of tunnels, to IPs that aren't known when the /root directory is created.

--- dropbear-0.46/cli-kex.c.orig2006-08-30 03:49:40.0 +0100
+++ dropbear-0.46/cli-kex.c 2006-08-30 03:58:54.0 +0100
@@ -202,6 +202,14 @@
break;
}
 
+   /* Match * wildcard hostname. */
+   if (line-len = 2
+strncmp(* , buf_getptr(line, 2), 2) == 0) {
+   buf_incrpos(line, 2);
+   TRACE((matched wildcard host))
+   goto check_algo;
+   }
+
/* The line is too short to be sensible */
/* 30 is 'enough to hold ssh-dss plus the spaces, ie so we 
don't
 * buf_getfoo() past the end and die horribly - the base64 
parsing
@@ -225,6 +233,7 @@
continue;
}
 
+   check_algo:
if ( strncmp(buf_getptr(line, algolen), algoname, algolen) != 
0) {
TRACE((algo doesn't match))
continue;

Re: [PATCH] dropbear-051: uClinux vfork

2008-09-20 Thread Jamie Lokier 
Farrell Aultman wrote:
 Between dropbear-047 and dropbear-051 changes were made that
 accounted for the fact that uClinux needs to use vfork instead of
 fork.  However, fork was not replaced with vfork in all places.  I
 moved the conditional preproccessor check for uClinux into the
 includes.h file, so that fork is always replaced with vfork in all
 of the dropbear code when compiling for uClinux.  A side effect is
 that the code is cleaner since you just call fork without wrapping
 it every time with a conditional preprocessor check.

Have you checked that it's safe to call vfork in all those places?

vfork is not always a safe replacement for fork, even on uClinux where
fork doesn't work.

-- Jamie

Re: Configure dropbear to be fast/insecure? (need a Microblaze speed-up!)

2008-11-06 Thread Jamie Lokier 
Mike Frysinger wrote:
 if it's all private / development, why dont you just use telnet w/out login ?

Maybe because ssh command  file  file2 works while it doesn't work
with telnet?  ssh is a much more convenient and reliable interface.

-- Jamie

Re: Single-address space, no processes?

2016-01-07 Thread Jamie Lokier 
Matt Johnston wrote:
> It mightn't be necessary to pass pointers around everywhere if
> ses/svr_ses/cli_ses could be thread-local pointer variables - how widely
> supported is thread-local storage?

If you can get a "current thread id" or set one "thread-local value", you can
make thread-local variables in portable C using macros without compiler
support.

It's not as fast as compiler supported thread-local storage, but it's portable
other than function to get the id, and provided you can set the value, it's
not necessarily slow.

Best,
-- Jamie

Re: bug: stdio pipe is root owned so reopening it fails

2020-05-01 Thread Jamie Lokier 
Hi Matt,

Matt Johnston wrote:
> Not really sure of a good workaround.

You can fchmod() or fchown() the pipe descriptor, with fchown() being more 
secure.

# echo hello | (ls -lL /proc/self/fd/0; sudo -u nobody cat /proc/self/fd/0)
prw--- 1 root root 0 May  1 17:06 /proc/self/fd/0
cat: /proc/self/fd/0: Permission denied

# echo hello | (chmod a+rw /proc/self/fd/0; ls -lL /proc/self/fd/0; sudo -u 
nobody cat /proc/self/fd/0)
prw-rw-rw- 1 root root 0 May  1 17:05 /proc/self/fd/0
hello

# echo hello | (chown nobody: /proc/self/fd/0; ls -lL /proc/self/fd/0; sudo 
-u nobody cat /proc/self/fd/0)
prw--- 1 nobody nogroup 0 May  1 17:06 /proc/self/fd/0
hello

Best,
- Jamie


Matt Johnston wrote:
> Hi Szabolcs,
>
> Ah, that's a bit nasty. I guess the difference is that OpenSSH runs the daemon
> as the user, while Dropbear runs as root.
>
> The procfs manpage mentions the problem. [1]http://man7.org/linux/man-pages/
> man5/proc.5.html
>
>   Note that for file descriptors referring to inodes (pipes and
>   sockets, see above), those inodes still have permission bits
>   and ownership information distinct from those of the
>   /proc/[pid]/fd entry, and that the owner may differ from the
>   user and group IDs of the process.  An unprivileged process
>   may lack permissions to open them, as in this example:
>
>   $ echo test | sudo -u nobody cat
>   test
>   $ echo test | sudo -u nobody cat /proc/self/fd/0
>   cat: /proc/self/fd/0: Permission denied
>
> Not really sure of a good workaround.

Re: OpenWRT Dropbear v2020.80: Exit before auth: No matching algo kex

2020-10-23 Thread Jamie Lokier 
Walter Harms wrote:
> This is caused by changes in ssh_config. You can try:
>   ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 USER@TARGET 
> 
> or persistent in ssh_config 
> KexAlgorithms=+diffie-hellman-group1-sha1 
> 
> your mileage may vary etc.
> 
> re,
>  wh

Thanks!

This advice has shown me how to connect directly to an old OpenSSH server again
(not Dropbear), instead of via intermediate hops on intermediate servers :)

However after reading [1] I decided a safer kex is diffie-hellman-group14-sha1
(group14 instead of group1).

Mentioning this in case it's also an option for old Dropbear/OpenWRT users.

[1] 
https://tools.ietf.org/id/draft-ietf-curdle-ssh-kex-sha2-09.html#rfc.section.3.4
"Key Exchange (KEX) Method Updates and Recommendations for Secure Shell (SSH)".

Best,
-- Jamie