[PATCH] Print errno information in write_packet

2014-05-18 Thread ronny . meeus 
This patch put the error information into the log output to have a better view
on the reason of a packet write failure.

Signed-off-by: Ronny Meeus 

diff --git a/packet.c b/packet.c
--- a/packet.c
+++ b/packet.c
@@ -90,7 +90,7 @@ void write_packet() {
TRACE2(("leave write_packet: EINTR"))
return;
} else {
-   dropbear_exit("Error writing");
+   dropbear_exit("Error writing %s", strerror(errno));
}
}
 
@@ -131,7 +131,7 @@ void write_packet() {
TRACE2(("leave writepacket: EINTR"))
return;
} else {
-   dropbear_exit("Error writing");
+   dropbear_exit("Error writing %s", strerror(errno));
}
} 
all_ignore = (packet_type == SSH_MSG_IGNORE);

[PATCH] Limit size of the iovect passed to writev in packet.c

2014-05-18 Thread ronny . meeus 
The writev allows only a limited number of entries to be present in the
iovector. This number depends on the OS. If more entries are passed, the
writev operation fails and the connection is closed.

This patch limits the size of the vector to the maximum number accepted
by the OS. On some operating systems IOV_MAX is not defined, if this is
the case UIO_MAXIOV is being used as the maximum value.

In the problematic scenario the Linux box, running dropbear, has a slow
uplink. If an ssh is done to the box and a command is executed that
generates a lot of small fragments (for example a 'find .' in the root),
a lot of small interactions are seen between dropbear and the shell process.
The observation was that the amount of entries pending in the queue could
go up to 7500. Since all entries present in the queue will be passed to
writev an error will be returned since Linux only accepts 1024 entries to
be present in the vector. The result is that the connection is being closed.

Signed-off-by: Ronny Meeus 

diff --git a/packet.c b/packet.c
--- a/packet.c
+++ b/packet.c
@@ -64,13 +64,24 @@ void write_packet() {
struct iovec *iov = NULL;
int i;
struct Link *l;
+   int iov_max_count;
 #endif

TRACE2(("enter write_packet"))
dropbear_assert(!isempty(&ses.writequeue));
 
 #ifdef HAVE_WRITEV
-   iov = m_malloc(sizeof(*iov) * ses.writequeue.count);
+
+#ifndef IOV_MAX
+#define IOV_MAX UIO_MAXIOV
+#endif
+
+   /* Make sure the size of the iov is below the maximum allowed by the 
OS. */
+   iov_max_count = ses.writequeue.count;
+   if (iov_max_count > IOV_MAX)
+   iov_max_count = IOV_MAX;
+
+   iov = m_malloc(sizeof(*iov) * iov_max_count);
for (l = ses.writequeue.head, i = 0; l; l = l->link, i++)
{
writebuf = (buffer*)l->item;
@@ -83,7 +94,7 @@ void write_packet() {
iov[i].iov_base = buf_getptr(writebuf, len);
iov[i].iov_len = len;
}
-   written = writev(ses.sock_out, iov, ses.writequeue.count);
+   written = writev(ses.sock_out, iov, iov_max_count);
if (written < 0) {
if (errno == EINTR) {
m_free(iov);

Failed to connect to dropbear version 2020.81

2023-06-05 Thread Ronny Meeus 
Hello

we have a dropbear version 2020,81 running in an old release of our SW
as our login server.
Currently we experience issues logging in on the system from the
remote system running Openssh (using dropbear also on the client side
we see a similar result).

At the end of the mail I pasted the output we get.
(after the trace "debug1: expecting SSH2_MSG_KEX_ECDH_REPLY", nothing
is seen anymore)

This issue is not seen persistently and seems to occur on random systems.
After a reboot the issue seems to be resolved, not clear whether it
will come back after some time or not.

For the moment it is impossible to collect local traces on the server
node since we cannot reach it anymore.
Doing a telnet to the port  is actually showing the dropbear
version etc, meaning that the connection as such (at TCP level) seems
to be OK.

Is this a known issue and is there something we can do as a workaround
(or do we have means to collect more information about the root
cause)?

Thanks.

Best regards,
Ronny

~ # ssh -p  root@169.254.1.4 -
OpenSSH_8.4p1, OpenSSL 1.1.1j  16 Feb 2021
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolve_canonicalize: hostname 169.254.1.4 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' ->
'/root/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' ->
'/root/.ssh/known_hosts2'
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug2: ssh_connect_direct
debug1: Connecting to 169.254.1.4 [169.254.1.4] port .
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.4
debug1: Remote protocol version 2.0, remote software version dropbear_2020.81
debug1: no match: dropbear_2020.81
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 169.254.1.4: as 'root'
debug3: put_host_port: [169.254.1.4]:
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms:
curve25519-sha256,curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
debug2: host key algorithms:
ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521-cert-...@openssh.com,sk-ecdsa-sha2-nistp256-cert-...@openssh.com,ssh-ed25519-cert-...@openssh.com,sk-ssh-ed25519-cert-...@openssh.com,rsa-sha2-512-cert-...@openssh.com,rsa-sha2-256-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp...@openssh.com,ssh-ed25519,sk-ssh-ed25...@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos:
chacha20-poly1...@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com
debug2: ciphers stoc:
chacha20-poly1...@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com
debug2: MACs ctos:
umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc:
umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,z...@openssh.com,zlib
debug2: compression stoc: none,z...@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms:
curve25519-sha256,curve25519-sha...@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,kexgue...@matt.ucc.asn.au
debug2: host key algorithms:
ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1...@openssh.com,aes128-ctr,aes256-ctr
debug2: ciphers stoc: chacha20-po

Re: Failed to connect to dropbear version 2020.81

2023-06-06 Thread Ronny Meeus 
Hello

the root cause has been found in the meantime.
The problem was that the file system on which the keys are stored was full.
Since the dropbear is started with the -R option, the keys are
generated only the first time a login is done. If at that moment there
is no room left, the reported behavior is seen.

Best regards
Ronny

Op ma 5 jun 2023 om 14:41 schreef Ronny Meeus :
>
> Hello
>
> we have a dropbear version 2020,81 running in an old release of our SW
> as our login server.
> Currently we experience issues logging in on the system from the
> remote system running Openssh (using dropbear also on the client side
> we see a similar result).
>
> At the end of the mail I pasted the output we get.
> (after the trace "debug1: expecting SSH2_MSG_KEX_ECDH_REPLY", nothing
> is seen anymore)
>
> This issue is not seen persistently and seems to occur on random systems.
> After a reboot the issue seems to be resolved, not clear whether it
> will come back after some time or not.
>
> For the moment it is impossible to collect local traces on the server
> node since we cannot reach it anymore.
> Doing a telnet to the port  is actually showing the dropbear
> version etc, meaning that the connection as such (at TCP level) seems
> to be OK.
>
> Is this a known issue and is there something we can do as a workaround
> (or do we have means to collect more information about the root
> cause)?
>
> Thanks.
>
> Best regards,
> Ronny
>
> ~ # ssh -p  root@169.254.1.4 -
> OpenSSH_8.4p1, OpenSSL 1.1.1j  16 Feb 2021
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug2: resolve_canonicalize: hostname 169.254.1.4 is address
> debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' ->
> '/root/.ssh/known_hosts'
> debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' ->
> '/root/.ssh/known_hosts2'
> debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
> debug2: ssh_connect_direct
> debug1: Connecting to 169.254.1.4 [169.254.1.4] port .
> debug1: Connection established.
> debug1: identity file /root/.ssh/id_rsa type -1
> debug1: identity file /root/.ssh/id_rsa-cert type -1
> debug1: identity file /root/.ssh/id_dsa type -1
> debug1: identity file /root/.ssh/id_dsa-cert type -1
> debug1: identity file /root/.ssh/id_ecdsa type -1
> debug1: identity file /root/.ssh/id_ecdsa-cert type -1
> debug1: identity file /root/.ssh/id_ecdsa_sk type -1
> debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
> debug1: identity file /root/.ssh/id_ed25519 type -1
> debug1: identity file /root/.ssh/id_ed25519-cert type -1
> debug1: identity file /root/.ssh/id_ed25519_sk type -1
> debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
> debug1: identity file /root/.ssh/id_xmss type -1
> debug1: identity file /root/.ssh/id_xmss-cert type -1
> debug1: Local version string SSH-2.0-OpenSSH_8.4
> debug1: Remote protocol version 2.0, remote software version dropbear_2020.81
> debug1: no match: dropbear_2020.81
> debug2: fd 3 setting O_NONBLOCK
> debug1: Authenticating to 169.254.1.4: as 'root'
> debug3: put_host_port: [169.254.1.4]:
> debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
> debug3: send packet: type 20
> debug1: SSH2_MSG_KEXINIT sent
> debug3: receive packet: type 20
> debug1: SSH2_MSG_KEXINIT received
> debug2: local client KEXINIT proposal
> debug2: KEX algorithms:
> curve25519-sha256,curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,ext-info-c
> debug2: host key algorithms:
> ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521-cert-...@openssh.com,sk-ecdsa-sha2-nistp256-cert-...@openssh.com,ssh-ed25519-cert-...@openssh.com,sk-ssh-ed25519-cert-...@openssh.com,rsa-sha2-512-cert-...@openssh.com,rsa-sha2-256-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp...@openssh.com,ssh-ed25519,sk-ssh-ed25...@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
> debug2: ciphers ctos:
> chacha20-poly1...@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com
> debug2: ciphers stoc:
> chacha20-poly1...@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com
> debug2: MACs ctos:
> umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
> debug