So you want to break off the connection if it isn't in the .ssh/known_host file.
Currently there is no way to do that, but with a little adaptation it is possible.
Attached is a small patch to look for an env var SSH_ASKHOSTKEY;
if it is set to "y" or "n" it will use that as the answer instead of
asking tha
or when you have no root access...
On Tue, May 25, 2021 at 11:14 AM Walter Harms wrote:
>
> yes, under normal circumstances you would use iptables to block the port. But
> when you are forced to byte-counting and you do not want to install other
> programs (and maintain them) on your embedded
You can add some small code in svr_main.c for allowing/denying remote
servers based on their IP address:
getaddrstring(&remoteaddr, &remote_host, NULL, 0);
/* HH hostallow start */
/* Check if remote host is allowed */
if (host
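The snippet above stops right after getaddrstring() fills remote_host, before the actual allow check. The following is an added example of what such a check can look like; it is not Dropbear code and not the code from the message. It assumes the address arrives as a dotted-quad string (as getaddrstring() produces when name lookups are off), and the allow list, host_allowed(), demo_host_allowed() and the sample entries are all hypothetical names and constructed data.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One allow-list entry: an IPv4 network (host byte order) and prefix length. */
struct allow_entry {
    uint32_t net;
    int prefix;
};

/* Parse "a.b.c.d" or "a.b.c.d/nn" into an entry. Returns 0 on success, -1 on a
   malformed entry (bad address, prefix outside 0..32, or trailing junk). */
static int parse_allow_entry(const char *spec, struct allow_entry *out) {
    char buf[32];
    char *slash, *end;
    struct in_addr addr;
    long prefix = 32;

    if (strlen(spec) >= sizeof buf) return -1;
    strcpy(buf, spec);
    slash = strchr(buf, '/');
    if (slash) {
        *slash = '\0';
        prefix = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || prefix < 0 || prefix > 32) return -1;
    }
    if (inet_pton(AF_INET, buf, &addr) != 1) return -1;
    out->net = ntohl(addr.s_addr);
    out->prefix = (int)prefix;
    return 0;
}

/* Netmask for a prefix length; a shift by 32 is undefined in C, so /0 is special-cased. */
static uint32_t prefix_mask(int prefix) {
    return prefix == 0 ? 0 : 0xFFFFFFFFu << (32 - prefix);
}

/* Return 1 if remote_host (dotted quad) falls inside any allow-list entry,
   otherwise 0. Unparsable addresses and malformed entries fail closed:
   a bad address is denied, a bad entry is skipped. */
int host_allowed(const char *remote_host, const char *const *allow, size_t n_allow) {
    struct in_addr addr;
    uint32_t ip;
    size_t i;

    if (inet_pton(AF_INET, remote_host, &addr) != 1) return 0;
    ip = ntohl(addr.s_addr);
    for (i = 0; i < n_allow; i++) {
        struct allow_entry e;
        uint32_t m;
        if (parse_allow_entry(allow[i], &e) != 0) continue;
        m = prefix_mask(e.prefix);
        if ((ip & m) == (e.net & m)) return 1;
    }
    return 0;
}

/* Constructed allow list for the demonstration (documentation ranges, not real hosts);
   the last entry is deliberately malformed to show it is ignored. */
static const char *const demo_allow[] = { "192.0.2.0/24", "198.51.100.7", "bogus/99" };

int demo_host_allowed(const char *remote_host) {
    return host_allowed(remote_host, demo_allow, sizeof demo_allow / sizeof demo_allow[0]);
}

int main(void) {
    const char *probes[] = { "192.0.2.45", "192.0.3.1", "198.51.100.7", "198.51.100.8", "garbage" };
    size_t i;
    for (i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-14s %s\n", probes[i], demo_host_allowed(probes[i]) ? "allow" : "deny");
    return 0;
}
```

Two caveats for anyone dropping this into svr-main.c: it checks the TCP peer address, so every client behind the same NAT or proxy shares one verdict, and it handles IPv4 only, so an IPv6 or IPv4-mapped address string such as "::ffff:192.0.2.45" is denied outright unless you extend parse_allow_entry() and host_allowed() to AF_INET6.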
Indeed that is the correct question, because you can easily do
#if DROPBEAR_SVR_MULTIUSER
if (getuid() != ses.authstate.pw_uid) {
setgid and setuid part
}
#endif
On Wed, Mar 10, 2021 at 11:41 AM Geoff Winkless wrote:
>
> On Tue, 9 Mar 2021 at 15:43, Kazuo Kuroi wrote:
> > That'
Also, by putting a delay in the connection close, the change is
going to work against you.
Suppose this happens constantly; will you be able to make a valid connection?
I use a different approach: allow only a fixed src IP access and drop
any other connection.
You can do that with iptables, so
> What program created the key? As far as I can tell the test
> is correct, the top bit might be unset?
>
> Cheers,
> Matt
>
> On Thu, Aug 27, 2020 at 07:36:26AM +0200, Hans Harder wrote:
> > Hi,
> >
> > I noticed that I got warnings that the RSA key was too short.
Hi,
I noticed that I got warnings that the RSA key was too short.
Further investigation showed that I was using a 1024-bit RSA key but
the mp_count_bits function returns a 1023 count (probably 0-based).
In rsa.c it states: if (mp_count_bits(key->n) < MIN_RSA_KEYLEN)
Is this intentional or shou
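Matt's reply above asks whether the top bit of the modulus might be unset. The following added example (not Dropbear or libtommath code) shows why that matters for the rsa.c check: it parses an ssh-rsa public key blob in SSH wire format and counts the modulus bits the way a count-bits routine does, skipping leading zero bytes, so a 128-byte modulus whose top byte is below 0x80 is reported as 1023 bits, not 1024. The MIN_RSA_KEYLEN value of 1024, the function names and the key bytes (filler, not a real key) are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MIN_RSA_KEYLEN 1024   /* assumed for this example; Dropbear defines its own */

/* Bit length of a big-endian unsigned integer, as a count-bits routine reports
   it: leading zero bytes contribute nothing, and the top non-zero byte only
   contributes the bits up to its highest set bit. */
int count_bits(const unsigned char *mp, size_t len) {
    size_t i = 0;
    int top = 0;
    unsigned char b;
    while (i < len && mp[i] == 0) i++;
    if (i == len) return 0;
    b = mp[i];
    while (b) { top++; b >>= 1; }
    return (int)((len - i - 1) * 8) + top;
}

/* Read one SSH "string" (uint32 big-endian length + bytes). Returns a pointer
   to the bytes and stores the length, or NULL if the buffer is too short. */
static const unsigned char *read_string(const unsigned char *p, const unsigned char *end, size_t *out_len) {
    uint32_t n;
    if (end - p < 4) return NULL;
    n = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
    p += 4;
    if ((size_t)(end - p) < n) return NULL;
    *out_len = n;
    return p;
}

/* Parse an ssh-rsa public key blob (string "ssh-rsa", mpint e, mpint n) and
   return the bit length of n, or -1 on malformed input. */
int rsa_blob_modulus_bits(const unsigned char *blob, size_t blob_len) {
    const unsigned char *end = blob + blob_len;
    size_t len;
    const unsigned char *s = read_string(blob, end, &len);
    if (!s || len != 7 || memcmp(s, "ssh-rsa", 7) != 0) return -1;
    s = read_string(s + len, end, &len);   /* e, not needed here */
    if (!s) return -1;
    s = read_string(s + len, end, &len);   /* n */
    if (!s) return -1;
    return count_bits(s, len);
}

/* The same comparison rsa.c performs on the counted bits. */
int rsa_key_long_enough(const unsigned char *blob, size_t blob_len) {
    return rsa_blob_modulus_bits(blob, blob_len) >= MIN_RSA_KEYLEN;
}

/* --- constructed test data: build a blob whose modulus occupies 128 bytes
   with the given top byte. An mpint carries a leading 0x00 when its top bit
   is set, so a 0x80 top byte produces a 129-byte mpint that count_bits()
   must skip over. The filler bytes are not a real modulus. --- */
static size_t put_string(unsigned char *out, const unsigned char *data, size_t n) {
    out[0] = (unsigned char)(n >> 24); out[1] = (unsigned char)(n >> 16);
    out[2] = (unsigned char)(n >> 8);  out[3] = (unsigned char)n;
    memcpy(out + 4, data, n);
    return 4 + n;
}

size_t build_fake_rsa_blob(unsigned char *out, unsigned char top_byte) {
    unsigned char e[] = { 0x01, 0x00, 0x01 };   /* 65537 */
    unsigned char n[129];
    size_t nlen = 0, off;
    if (top_byte & 0x80) n[nlen++] = 0x00;       /* mpint sign padding */
    n[nlen++] = top_byte;
    memset(n + nlen, 0xA5, 127);                 /* filler, not a real modulus */
    nlen += 127;
    off = put_string(out, (const unsigned char *)"ssh-rsa", 7);
    off += put_string(out + off, e, sizeof e);
    off += put_string(out + off, n, nlen);
    return off;
}

/* Bits of a fake 128-byte modulus with the given top byte. */
int demo_modulus_bits(unsigned char top_byte) {
    unsigned char blob[256];
    size_t len = build_fake_rsa_blob(blob, top_byte);
    return rsa_blob_modulus_bits(blob, len);
}

int main(void) {
    printf("top byte 0x80: %d bits\n", demo_modulus_bits(0x80));
    printf("top byte 0x7F: %d bits\n", demo_modulus_bits(0x7F));
    return 0;
}
```

The practical check: a generator that produces a modulus of exactly the requested length forces the top bit, so the 129-byte mpint with a leading 0x00 still counts as 1024; a generator that merely draws primes "about" 512 bits each can produce a 1023-bit modulus, and rsa.c is right to report it as short.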
Does anybody have an example of the external public-key authentication API?
Sounds interesting, but I am not sure how to use this...
thx
Hans
On Mon, Jun 15, 2020 at 5:53 PM Matt Johnston wrote:
> Hi all,
>
> Dropbear 2020.79 is now released. Particular thanks to Vladislav Grishenko
> for adding
> The bigger issue here is why not reread keys at every new session? That
> seems like the right thing to do in any case?
Performance...
Why should you do that?
You should not change your host keys every time, because the connecting
client will have a conflict and get a warning about a possible
Underneath are patch files which add options to specify how much debug
trace info is compiled in and how much output is shown during
execution. This will add a small amount to your executable size.
For dbclient this will:
level 1 = init/exit info + remoteid + auth method information
level 2 = c
I usually build the version without trace information, until I run
into trouble.
Then when building the trace version it gives out too much information.
Ever thought about giving out limited trace information depending on
the number of -v given...
So basically whenever I face a connection problem, I
Underneath is the patch against the current git version
Hans
diff -w dropbear-git/cli-runopts.c dropbear-patch/cli-runopts.c
--- dropbear-git/cli-runopts.c
+++ dropbear-patch/cli-runopts.c
@@ -629,9 +629,7 @@
/* Set up the proxycmd */
unsigned int cmd_len = 0;
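Review bot: the hunk header announces nine lines becoming seven, but only the two leading context lines (the proxycmd comment and `unsigned int cmd_len = 0;`) are present in this excerpt, so the change to the proxycmd setup itself cannot be reviewed; please resend the complete hunk with the removed and added lines. Also, `diff -w` discards whitespace-only differences, which can produce a hunk that no longer applies cleanly with patch(1) where indentation differs; regenerate it as a plain `diff -u` against the git tree.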
Did some testing with a small adaptation in cli-runopts.c.
Basically if a proxycmd is used and multihop is used, I pass the proxycmd with
-J in each exec.
Seems to work :)
Underneath is the complete function... didn't have time to make a diff to the
original...
Hans
static void parse_multihop_hostname(c
I have to do a multihop after a proxy connect...
so I do something like:
dbclient -J "corkscrew proxyserver proxyport makado 22" user@makado
,user@canyons
but I get the message : Exited: -J can't be used with multihop mode
Basically what I see in cli-runopts.c is that if multihop is detecte
Hi Matt,
I was looking for an SSH honeypot... so I thought about adapting dropbear.
Seems to me it would be easy to disable any successful logins by adapting
the file svr_auth.c with
/* Send a success message to the user, and set the "authdone" flag */
void send_msg_userauth_success() {
#if DR
configured with:
./configure --disable-pam --disable-syslog --disable-shadow \
--disable-lastlog --disable-utmp --disable-utmpx \
--disable-wtmp --disable-wtmpx --disable-loginfunc \
--disable-pututline --disable-pututxline
For Linux: no problems
For AIX
When I compile dbclient without ECDSA support I get the underneath error.
However, with the same source compiled with ECDSA the same connection works.
Part of the debug output; I added some extra output in kexdh_init and
kexdh_reply to see what values were given.
Seems that something goes wrong in buf_rsa_veri
I changed the DEBUG_TRACE functionality and added a DEBUG_LEVEL setting
which allows you to add only a minimum number of messages to dbclient only.
By specifying 1 or more -v options you will increase verbosity.
1x -v will show connection, remoteid and auth methods
2x -v will show chosen algos
3
Currently some settings are checked with #ifdef instead of #if:
INETD_MODE and NON_INETD_MODE in svr-main.c
DO_MOTD in svr-chansession.c and svr-runopts.c
DROPBEAR_RSA and DROPBEAR_DSS in keyimport.c
DROPBEAR_CLI_PUBKEY_AUTH in cli-runopts.c
Hans
On Wed, Aug 3, 2016 at 7:56 PM, Hans
I see that localoptions.h now can be used to enable/disable options which
are in default_options.h and sysoptions.h... nice
There is a wrong definition in the default_options.h
/* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
#ifndef ENABLE_USER_ALGO_LIST
#define ENAB
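The two reports above (settings tested with #ifdef instead of #if, and the #ifndef guard in default_options.h) come down to one preprocessor rule: #ifdef only asks whether a name exists, while #if evaluates its value and treats an unmentioned name as 0. The following is an added example, not Dropbear code, using the INETD_MODE/NON_INETD_MODE pair from svr-main.c as the illustration; the values, the function names and the DROPBEAR_EXAMPLE_UNDEFINED_OPTION name are assumptions made here to mimic a localoptions.h that turns a feature off by defining it to 0.

```c
#include <stdio.h>

/* Mimics a localoptions.h that disables inetd mode the 2016-style way,
   by defining the option to 0 rather than leaving it undefined. */
#define INETD_MODE 0
#define NON_INETD_MODE 1

/* Bit 1: inetd mode compiled in; bit 2: normal daemon mode compiled in. */

/* Tested with #ifdef: both names exist, so both modes are compiled in and the
   "disabled" inetd mode comes along anyway. Returns 3. */
int modes_with_ifdef(void) {
    int m = 0;
#ifdef INETD_MODE
    m |= 1;
#endif
#ifdef NON_INETD_MODE
    m |= 2;
#endif
    return m;
}

/* Tested with #if: the values are evaluated, so only the mode defined to a
   non-zero value survives. Returns 2. */
int modes_with_if(void) {
    int m = 0;
#if INETD_MODE
    m |= 1;
#endif
#if NON_INETD_MODE
    m |= 2;
#endif
    return m;
}

/* A name that is never defined evaluates to 0 inside #if, so #if handles
   "never mentioned" and "defined to 0" identically. Returns 0. */
int undefined_option_with_if(void) {
#if DROPBEAR_EXAMPLE_UNDEFINED_OPTION
    return 1;
#else
    return 0;
#endif
}

int main(void) {
    printf("#ifdef: modes=%d, #if: modes=%d, undefined under #if: %d\n",
           modes_with_ifdef(), modes_with_if(), undefined_option_with_if());
    return 0;
}
```

The same mismatch bites an "#ifndef X / #define X 1" default guard: a localoptions.h that sets X to 0 still defines the name, so the guard correctly leaves it at 0, but any later "#ifdef X" in the source still sees it as enabled. Compiling with -Wundef is a cheap way to catch names that are tested with #if but never defined anywhere.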
I have it running as a separate daemon on a few systems as a non-root user
without problems.
I changed the config.h to disable all the features which might require more
rights than the user has or use OS functions, for instance
DISABLE_PAM, DISABLE_LASTLOG, DISABLE_SYSLOG
I only use the use
Hi Matt,
noticed that in sysoptions.h this is added at line 130
/* These are disabled in Dropbear 2016.73 by default since the spec
draft-ietf-curdle-ssh-kex-sha2-02 is under development. */
#define DROPBEAR_DH_GROUP14_256 0
#define DROPBEAR_DH_GROUP16 0
Should that not be in options.h und
How difficult is it to get X11 forwarding in dbclient?
Currently I only have it working when using openssh with the -X option.
But because of multihop (more than 2 hops) I have to use dbclient, but it
doesn't support X11 forwarding.
thx
Hans
You can use scp with the -y -y option.
This is passed to dbclient with the underneath patch for scp
--- a/scp.c 2014-10-08 05:34:21.0 -0600
+++ b/scp.c 2014-10-08 05:35:38.0 -0600
@@ -324,7 +324,7 @@ main(int argc, char **argv)
addargs(&args, "%s", ssh_program);
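Review bot: only the leading context line `addargs(&args, "%s", ssh_program);` of this 7-line hunk is visible; the lines that append `-y -y` to the dbclient argument list are not in the excerpt, so their placement relative to the surrounding addargs() calls and how the option is threaded from scp's own getopt handling cannot be checked. Please post the full hunk, including the added lines and the part of the patch that parses the -y flag in scp.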
Perhaps not something to have by default in dropbear, but perhaps of interest
for someone...
In order to restrict access from certain IP addresses only, you can, with
this patch, start a dropbear with option -S.
This will only allow password logins if a corresponding file
/etc/dropbear/ip__any.allow
> t), I'll
> put that on the todo list for the next release.
>
> Cheers,
> Matt
>
> On Mon, Sep 15, 2014 at 04:21:22PM +0200, Hans Harder wrote:
> > I am getting a 'String too long' error whenever I try to connect to a
> SunOS
> > server with dbclient
I am getting a 'String too long' error whenever I try to connect to a SunOS
server with dbclient
In order to find out how much too long it is, I adapted 1 line in buffer.c.
Now I get the message: "exited: String too long (2056 > 1400)"
That is a lot larger than 1400...
Any concerns before I increas
Hi Matt,
This is a patch for the server part of dropbear:
- cmdline option -U forcing all user logins to use 1 fixed user
- If used, the original user will be saved in env var SSH_ORGUSER
- if a public key is used to grant a user access, the info part of the ssh
key will be saved in env var SSD_P
I am trying to connect using ssh: -v -i privkey -p 7000 hans@host hostname
And I get:
debug1: Server accepts key: pkalg ssh-rsa blen 149
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending command: hostname
deb
I had some problems with the multihop for scp using different port numbers.
The original syntax uses / as separator, which conflicts with the
current code in scp for detecting source and destination.
Ex. scp file user@host1/,user@host2/22:.
Simplest way of solving this was to also allow another
Added a check that only the dropbear user is allowed to log in if it is
running as non-root.
Removed the log message,
--- loginrec.c 2013-04-15 08:01:58.0 -0600
+++ loginrec.c 2013-04-17 06:01:57.0 -0600
@@ -329,8 +329,6 @@ login_write (struct logininfo *li)
{
#ifndef HAVE_CYG
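Review bot: the header removes two lines from login_write(), but neither the removed lines nor the remainder of the `#ifndef HAVE_CYG...` line survive in this excerpt, so what was actually dropped cannot be verified; please resend the full hunk. If the intent is only to silence the message when dropbear runs as non-root, guard it on the non-root check this patch adds rather than deleting it unconditionally, otherwise root-run installations lose that message too.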
I get compile errors with the new version, because I compile this in a
uclib environment without zlib.
I use ./configure --disable-zlib
In common-kex.c I run into compile errors.
common-kex.o(.text+0x203): In function `switch_keys':
: undefined reference to `gen_new_zstream_recv'
common-kex.o(.te
Hi,
>
> Thanks for the patch. I think I'll change it slightly to use
> "-y -y" rather than "-Y" - saves using another letter.
>
> Cheers,
> Matt
>
> On Sun, Apr 07, 2013 at 04:03:37PM +0200, Hans Harder wrote:
>> Underneath some modifications against a s
Underneath are some modifications against a stock 2013.56 version
- Added -Y option to completely ignore the check for hostkeys
Needed this for connections to logical hosts, same as openssh -o
StrictHostKeyChecking=no
- Added -y and -Y in function multihop_passthrough_args
- fix: in function multihop_