[PATCH] wildcard host keys
I'm using dropbear on an embedded device that has to connect to a server at an IP address that isn't known in advance, but is verifiable with a host key. So I added the ability to use * in the known_hosts file to match any hostname/IP. This is better than disabling host key checking altogether, as I can still verify it's connecting to an authorized server. Someone else may find the patch useful. -- Jamie This allows the known_hosts file to use wildcard * to match any host. This is used to prevent the interactive y/n question as long as the host key is in the recognised list - essential for non-interactive setup of tunnels, to IPs that aren't known when the /root directory is created. --- dropbear-0.46/cli-kex.c.orig2006-08-30 03:49:40.0 +0100 +++ dropbear-0.46/cli-kex.c 2006-08-30 03:58:54.0 +0100 @@ -202,6 +202,14 @@ break; } + /* Match * wildcard hostname. */ + if (line-len = 2 +strncmp(* , buf_getptr(line, 2), 2) == 0) { + buf_incrpos(line, 2); + TRACE((matched wildcard host)) + goto check_algo; + } + /* The line is too short to be sensible */ /* 30 is 'enough to hold ssh-dss plus the spaces, ie so we don't * buf_getfoo() past the end and die horribly - the base64 parsing @@ -225,6 +233,7 @@ continue; } + check_algo: if ( strncmp(buf_getptr(line, algolen), algoname, algolen) != 0) { TRACE((algo doesn't match)) continue;
Re: [PATCH] dropbear-051: uClinux vfork
Farrell Aultman wrote: Between dropbear-047 and dropbear-051 changes were made that accounted for the fact that uClinux needs to use vfork instead of fork. However, fork was not replaced with vfork in all places. I moved the conditional preproccessor check for uClinux into the includes.h file, so that fork is always replaced with vfork in all of the dropbear code when compiling for uClinux. A side effect is that the code is cleaner since you just call fork without wrapping it every time with a conditional preprocessor check. Have you checked that it's safe to call vfork in all those places? vfork is not always a safe replacement for fork, even on uClinux where fork doesn't work. -- Jamie
Re: Configure dropbear to be fast/insecure? (need a Microblaze speed-up!)
Mike Frysinger wrote: if it's all private / development, why dont you just use telnet w/out login ? Maybe because ssh command file file2 works while it doesn't work with telnet? ssh is a much more convenient and reliable interface. -- Jamie
Re: Single-address space, no processes?
Matt Johnston wrote: > It mightn't be necessary to pass pointers around everywhere if > ses/svr_ses/cli_ses could be thread-local pointer variables - how widely > supported is thread-local storage? If you can get a "current thread id" or set one "thread-local value", you can make thread-local variables in portable C using macros without compiler support. It's not as fast as compiler supported thread-local storage, but it's portable other than function to get the id, and provided you can set the value, it's not necessarily slow. Best, -- Jamie
Re: bug: stdio pipe is root owned so reopening it fails
Hi Matt, Matt Johnston wrote: > Not really sure of a good workaround. You can fchmod() or fchown() the pipe descriptor, with fchown() being more secure. # echo hello | (ls -lL /proc/self/fd/0; sudo -u nobody cat /proc/self/fd/0) prw--- 1 root root 0 May 1 17:06 /proc/self/fd/0 cat: /proc/self/fd/0: Permission denied # echo hello | (chmod a+rw /proc/self/fd/0; ls -lL /proc/self/fd/0; sudo -u nobody cat /proc/self/fd/0) prw-rw-rw- 1 root root 0 May 1 17:05 /proc/self/fd/0 hello # echo hello | (chown nobody: /proc/self/fd/0; ls -lL /proc/self/fd/0; sudo -u nobody cat /proc/self/fd/0) prw--- 1 nobody nogroup 0 May 1 17:06 /proc/self/fd/0 hello Best, - Jamie Matt Johnston wrote: > Hi Szabolcs, > > Ah, that's a bit nasty. I guess the difference is that OpenSSH runs the daemon > as the user, while Dropbear runs as root. > > The procfs manpage mentions the problem. [1]http://man7.org/linux/man-pages/ > man5/proc.5.html > > Note that for file descriptors referring to inodes (pipes and > sockets, see above), those inodes still have permission bits > and ownership information distinct from those of the > /proc/[pid]/fd entry, and that the owner may differ from the > user and group IDs of the process. An unprivileged process > may lack permissions to open them, as in this example: > > $ echo test | sudo -u nobody cat > test > $ echo test | sudo -u nobody cat /proc/self/fd/0 > cat: /proc/self/fd/0: Permission denied > > Not really sure of a good workaround.
Re: OpenWRT Dropbear v2020.80: Exit before auth: No matching algo kex
Walter Harms wrote: > This is caused by changes in ssh_config. You can try: > ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 USER@TARGET > > or persistent in ssh_config > KexAlgorithms=+diffie-hellman-group1-sha1 > > your mileage may vary etc. > > re, > wh Thanks! This advice has shown me how to connect directly to an old OpenSSH server again (not Dropbear), instead of via intermediate hops on intermediate servers :) However after reading [1] I decided a safer kex is diffie-hellman-group14-sha1 (group14 instead of group1). Mentioning this in case it's also an option for old Dropbear/OpenWRT users. [1] https://tools.ietf.org/id/draft-ietf-curdle-ssh-kex-sha2-09.html#rfc.section.3.4 "Key Exchange (KEX) Method Updates and Recommendations for Secure Shell (SSH)". Best, -- Jamie