Hi Ben,
Does the device log anything from Dropbear in /var/log/auth.log or similar? If
you "telnet localhost 10022" does it print anything?
Cheers,
Matt
> On Fri 25/5/2018, at 11:05 pm, Ben Kinsella
> wrote:
>
> I have various devices on a private network behind a router, and I typically
>
The most likely cause would be that Twisted doesn't handle firstPacketFollows
properly, which seems to be the case looking at
https://github.com/twisted/twisted/blob/trunk/src/twisted/conch/ssh/transport.py#L869
Can you add that to the Twisted bug report?
Cheers,
Matt
> On Tue 5/6/2018, at
Thank you CamVan, I've applied the patch now.
Cheers,
Matt
> On Wed 21/2/2018, at 5:54 am, Camvan T Nguyen wrote:
>
> In our environment, we generate an RSA host key in /var/lib/dropbear and
> start the dropbear service with the following command:
>
> /usr/sbin/dropbear
On Mon 20/8/2018, at 5:50 pm, Matthijs R. Koot wrote:
>
> The user enumeration issue in OpenSSH [0] also exists in Dropbear 2018.76
> and earlier; at least going back to w/v2013.58 (didn't test with earlier
> versions yet). It is specifically related to this code in svr-auth.c [1]:
> [0]
Working again now, LACP stopped working between some switches.
https://dropbear.nl/mirror/ is the geographically separate mirror.
Cheers,
Matt
On 25 August 2018 6:02:04 pm AWST, Roy Tam wrote:
>Dear Cody,
>
>github code mirror is still accessible: https://github.com/mkj/dropbear
>
>2018-08-25
On Wed, Jul 11, 2018 at 05:26:17PM -0300, Daniel Gutson wrote:
> Hi,
>
>considering this:
>
> https://github.com/mkj/dropbear/blob/d740dc548924f2faf0934e5f9a4b83d2b5d6902d/atomicio.c#L55
...
> What if res is negative less than -1, for example -2 ? Shouldn't be a check
> there that res is > 0
On Mon, Jul 23, 2018 at 01:08:54PM +0800, Samuel Hsu wrote:
> As titled, can we use "sed -r" instead of "sed -E".
Hi Samuel,
Thanks, I hadn't noticed that problem. I've pushed a change
to use non-extended regexes which should work everywhere.
didn't match the key that had
been loaded.
Now it only advertises a single size - first preference existing size,
otherwise the default if no
key exists.
Thanks for letting me know and debugging.
Cheers,
Matt
> On Mon 5/3/2018, at 4:02 pm, Peter Krefting <pe...@softwolves.pp.se> w
Hi Peter,
On Thu, Mar 01, 2018 at 10:37:19AM +0100, Peter Krefting wrote:
> After upgrading to 2018.76, I can no longer log in. On the dropbear end, it
> complains about not being able to read the host key (/mnt/nv is the
> non-volatile storage in my target HW):
>
> Mar 1 11:19:03 gbprobe
Hi Dave,
My first approach would be to run "timeout 600 dropbear -F
-E". Established sessions won't be killed since each
session is a forked process. That assumes "timeout" exists
on the system busybox etc.
If you want to modify the code put a check after the
select() in main_noinetd().
I suspect selinux is blocking something, after dropbear forks to run the shell.
Can you find where selinux keeps its logs?
When you run 'su' it enters a less restrictive context than normal root, so it
runs ok.
I guess you need to create a selinux policy for the dropbear service - i don't
have
Hi all,
Dropbear 2018.76 is released. As well as the usual
improvements and bugfixes this release simplifies
local configuration options.
You will probably need to adjust your build configuration.
Rather than modifying options.h, local options are now
placed in localoptions.h where they will
> On Wed 28/2/2018, at 12:59 am, Steffen Nurpmeso wrote:
> And yes, i am still using such grumpy networks with VMs, so please
> let me post the "git am" mailbox that adds support for proxy-over-
> localhost.
Hi Steffen,
Thanks for the patch, though I'm not sure it's worth
> On Tue 27/2/2018, at 11:28 pm, Konstantin Tokarev wrote:
>>
>> - Add 'dbclient -J ' to allow dbclient to connect over an existing socket.
>> See dbclient manpage for a socat example. Patch from Harald Becker
>
> Wouldn't it be better to support -o ProxyUseFdPass like in
Hi Laurent,
My best guess is that it was built on lubuntu which uses glibc, but the Udoo
board doesn't have the required /lib/somewhere/libnss*.so libraries - those get
chosen at runtime based on /etc/nsswitch.conf. Building using a uclibc cross
compiler would avoid that - how did you build
> On Fri 16/11/2018, at 2:26 am, Nik Soggia wrote:
>
> So in the end if I delay the kexinit until there is some data on the wire I
> will pull the rabbit out of the cylinder.
The problem is that waiting for the remote banner is still adding a round trip
of delay. That's fine for a local
Hi Nik,
>
> dbclient sends "SSH-2.0-dropbear_2018.76\r\n" and kexinit
> cisco sends "SSH-2.0-Cisco-1.25\r\n"
> then cisco waits "ip ssh time-out" seconds and then closes the TCP socket.
>
> my conjecture is that cisco empties its receive buffer after sending the
> identification string and
On Wed, Nov 14, 2018 at 06:20:59PM +0300, Konstantin Tokarev wrote:
> Note that OpenSSH enables a couple of workarounds for Cisco-1.*
>
> https://github.com/openssh/openssh-portable/blob/master/compat.c#L88
The tricky thing is that dbclient can't do anything to work around
it here. We haven't
Hi Mike,
> On Sat 10/11/2018, at 12:52 am, W. Michael Petullo wrote:
>
>
> Here is a more practical example which demonstrates the problem:
>
> $ echo false | dbclient -T r...@host.example.com
> $ echo $?
> 0
I think this should now _really_ be fixed with
Hi Michael,
On 2018-11-09 3:48 pm, W. Michael Petullo wrote:
>> I am using Dropbear v2017.75 as found on OpenWrt.
>>
>> echo input | ssh -T h; echo $?
>>
>> Despite the error occurring, the above command line prints `0' rather
>> than `1.' Since this triggers the error, I would expect the
Hi all,
Dropbear 2019.78 is released. There was a regression
in dbclient 2019.77, terminal modes would not be reset when
the client exited. The server has no changes.
Cheers,
Matt
2019.78 - 27 March 2019
- Fix dbclient regression in 2019.77. After exiting the terminal would be left
in a bad
Beware that dbclient in 2019.77 has a regression, it won't
reset TTY modes on exit. That's fixed in
https://secure.ucc.asn.au/hg/dropbear/rev/4b01f4826a29
Cheers,
Matt
On Sat, Mar 23, 2019 at 10:02:49PM +0800, Matt Johnston wrote:
> Hi all,
>
> At long last Dropbear 2019.77 is relea
Hi all,
At long last Dropbear 2019.77 is released. Most changes are
bug fixes, with a few small features. There are security
fixes to avoid revealing the existence of valid usernames.
This release also merges the fuzzing branch. In a
normal build this should have no effect on operation.
There
Hi Mike,
The limit's arbitrary so 32 would be fine. Maybe even something like 100.
I'll increase it for the next release.
Cheers,
Matt
> On Fri 1/3/2019, at 8:28 am, W. Michael Petullo wrote:
>
> Dropbear's auth.h defines MAX_USERNAME_LEN as 25 and provides the
> commentary "arbitrary for the
Hi Gilles,
The main() for each of those is in svr-main.c and cli-main.c respectively.
https://secure.ucc.asn.au/hg/dropbear/file/tip/cli-main.c#l45
The Makefile is a bit convoluted so that it can also build them all into a
single binary.
specified patch
> <https://secure.ucc.asn.au/hg/dropbear/rev/0dc3103a5900>?
> 3. Use the current repo tip?
>
> Thanks!
> Russ
>
> On Fri, Mar 9, 2018 at 3:19 AM Peter Krefting
> wrote:
>
> > Matt Johnston:
> >
> > > This should be fixe
problem with sha1 as a hmac?
Cheers,
Matt
> On Thu 11/4/2019, at 12:11 pm, Chahar, Rohini
> wrote:
>
> Hi Matt,
>
> Please find my responses below.
>
> Regards,
> Rohini
>
> From: Matt Johnston mailto:m...@ucc.asn.au>>
> Sent: 10 April 2019 18:3
Hi Kenny,
I don't think I've seen that problem before. Does Dropbear log anything in
/var/log/auth.log or similar?
Or if logging isn't set up on the system, if you run dropbear -F -E it will log
to the console.
The clock shouldn't make any difference.
Cheers,
Matt
> On Thu 20/6/2019, at
Hi Sergey,
Dropbear doesn't support it - it would be fine to add, it just didn't exist in
OpenSSH when I implemented the other Dropbear forwarding.
I might add it in future though no guarantees - patches gladly accepted! The
SSH agent forwarding code is probably very similar already.
Cheers,
Hi Rohini,
I'm not entirely clear about the problem - is the connection failing or is it
just selecting hmac-sha2-sha1 which you don't want?
The algorithm chosen will be the first one in the client's list that is also in
the server's list. When you do the "copy to the server" is it dropbear as
Hi Joakim,
The server needs to be stopped and restarted. If this is for new keys at
first-boot you could look at the -R option.
Cheers,
Matt
On Wed, Dec 11, 2019 at 03:38:36PM +, Joakim Tjernlund wrote:
> Is there a way to tell a running dropbear server to reread host keys if the
> keys
> On Fri 13/12/2019, at 2:14 am, Joakim Tjernlund
> wrote:
>
> On Thu, 2019-12-12 at 18:34 +0100, Hans Harder wrote:
>>
>>> The bigger issue here is why not reread keys at every new session? That
>>> seems like the right thing to do in any case?
>>
>> Performance...
I don't _think_
ng these pipes that are kept open to be there
> forever in that state. Any other suggestions may help.
>
>
> Thanks for your help again,
> Binny
>
> From: Matt Johnston mailto:m...@ucc.asn.au>>
> Sent: Wednesday, October 9, 2019 6:56 PM
> To: Jeshan, Binny
Thank you Vladislav, I've merged this now via github,
https://secure.ucc.asn.au/hg/dropbear/rev/d32bcb5c557d
It's a nice clean and thorough implementation.
Cheers,
Matt
> On Fri 6/3/2020, at 10:45 pm, Vladislav Grishenko
> wrote:
>
> Hello,
>
> Initially inspired by Péter Szabó work
> On Thu 26/3/2020, at 6:45 pm, Alexander Dahl wrote:
>
> Gentle ping on this patch.
Hi Alex,
Sorry for the delay, it's merged now.
Cheers,
Matt
Hi Szabolcs,
Ah, that's a bit nasty. I guess the difference is that OpenSSH runs the daemon
as the user, while Dropbear runs as root.
The procfs manpage mentions the problem.
http://man7.org/linux/man-pages/man5/proc.5.html
Note that for file descriptors referring to inodes
Hi Adrian,
With dropbear you should be able to list the hosts comma separated
dbclient -i /mydir/id_rsa username1@server1,username2@server2
Does that work? It should do something equivalent to the first one though,
unless I've missed something.
Cheers,
Matt
> On Sun 3/5/2020, at 11:38 pm,
Hi Bruno,
That syntax should work. What platform is it? Have you tried typing it manually
in case there were strange unicode characters copy/pasted?
Cheers,
Matt
> On Tue 12/5/2020, at 6:26 pm, bruno wrote:
>
> Hello, anyone has an example of scp dropbear use ?
>
> it seems that :
>
> scp
Hi Daniel,
-K is equivalent to the OpenSSH ClientAliveInterval. The server will send
traffic to check that the connection is open.
-I will disconnect if there is no traffic for a certain time interval. It won't
try to send any traffic over the connection, it just passively looks at what
Hi Tania,
I think you could probably add "> /dev/null 2> /dev/null" after one of the
ipconfig commands in /usr/share/initramfs-tools/scripts/functions, though I'm
not too familiar with how they all fit together. (Or if it's dhclient for ipv6
printing the output, get rid of the "-v" for
Hi,
The first thing I'd try would be to build with -O0 compilation flags to rule
out compiler optimisations doing something strange.
Cheers,
Matt
> On Thu 19/3/2020, at 3:42 pm, Horshack wrote:
>
> Update - I cloned and built the dbclient source so I could enable the debug
> tracing
the SIMD registers aren't being
>> preserved/restored properly somewhere, probably during a context switch,
>> specifically s16–s31 (d8–d15, q4–q7), which AAPCS says must be preserved and
>> which I see being used in the disassembly of fast_s_mp_sqr(). I'll write
>>
Hi Ruben,
Not sure about that particular android program but Filezilla usually works as
an alright sftp program.
Cheers,
Matt
> On Sun 8/3/2020, at 2:42 am, Ruben Safir wrote:
>
> Hello
>
> Hello - I am sure this has been asked but I couldn't find an answer with
> a web search..
>
> can
Hi,
Given in tcpdump there was no response at all (not even a rejection), my guess
is there is a firewall on the OpenWrt host that drops all port 22 packets.
Are firewall rules listed if you go "iptables -vnL", or in a config file?
Cheers,
Matt
> On Tue 20/10/2020, at 1:50 pm, 许大仙 wrote:
>
Hi Kazuo,
It's a gnu extension, equivalent to
chansess->original_command = chansess->cmd ? chansess->cmd : m_strdup("");
I've pushed a fix now, I prefer a plain "if" statement.
Cheers,
Matt
> On Thu 8/10/2020, at 8:59 am, Kazuo Kuroi wrote:
>
> Hi folks,
>
> MIPSPro 7.4.4m on IRIX doesn't
Hi Piotr,
Dropbear 2020.79 had some changes to the code that parses algorithms, it now is
more strict about its MAX_PROPOSED_ALGO = 20 limit.
Not intentionally, but as a side-effect.
sshj advertises 30 different ciphers.
I've increased the limit to 50 in
Forcing diffie-hellman-group1-sha1 shouldn't usually be necessary.
The only case would be for servers prior to 2018.76 that compiled with all
other default options disabled.
Cheers,
Matt
> On Fri 23/10/2020, at 9:00 pm, Tang Jiye wrote:
>
> Hi Walter,
>
> What if I want to use ecdh and
> On Tue 16/6/2020, at 9:58 am, Guilhem Moulin wrote:
>> - […] x11 forwarding are now disabled by default.
>
> I have no opinion about disabling this at compile-time, however the
> current implementation locks out (“Bad public key options”) users with
> ‘no-X11-forwarding’ in their
...
>
> thx
> Hans
>
> On Mon, Jun 15, 2020 at 5:53 PM Matt Johnston <mailto:m...@ucc.asn.au>> wrote:
> Hi all,
>
> Dropbear 2020.79 is now released. Particular thanks to Vladislav Grishenko
> for adding ed25519 and chacha20-poly1305 support which have
> been
Hi all,
Dropbear 2020.79 is now released. Particular thanks to Vladislav Grishenko
for adding ed25519 and chacha20-poly1305 support which have
been wanted for a while.
This release also supports rsa-sha2 signatures which will be
required by OpenSSH in the near future - rsa with sha1 will
be
Hi Emil,
That syntax should work. In my shell here (zsh) I have to put "[127.0.0.1]:22"
in quotes, could that be the problem?
What commandline do you see if you look at "ps aux"?
Cheers,
Matt
> On Tue 22/12/2020, at 9:13 am, Emil Christopher Solli Melar
> wrote:
>
> Hello! I use Dropbear
Hi Hans,
Sorry I missed replying to this message a while ago.
What program created the key? As far as I can tell the test
is correct, the top bit might be unset?
Cheers,
Matt
On Thu, Aug 27, 2020 at 07:36:26AM +0200, Hans Harder wrote:
> HI,
>
> I noticed that I got warnings that the RSA key
ake hostname, port and identity details like openssh?
>
> Cheers,
>
> Flex
>
> On Mon, 4 Jan 2021, 05:41 Matt Johnston, <mailto:m...@ucc.asn.au>> wrote:
> Sounds like your problem is with android not Dropbear :)
>
> On 4 January 2021 4:57:30 am AWST, Ruben Safir <
On Wed 20/1/2021, at 8:15 pm, Thomas De Schampheleire
wrote:
>
>> # HG changeset patch
>> Introduce extra delay before closing unauthenticated sessions
>
> Any comments on this patch?
>
Hi Thomas,
Sorry for the delay getting back to you. I've applied the patch, it seems like
it could be
Sounds like your problem is with android not Dropbear :)
On 4 January 2021 4:57:30 am AWST, Ruben Safir wrote:
>dropbear is a waste of time and it doesn't even work.
>
>I don't know why it is Fing Hard for the table with android can't have
>an openssh daemon running so we can transfer files on and
On Thu, May 20, 2021 at 02:29:20PM +, Walter Harms wrote:
> Thx for the fast response,
> for the background: little system, far-far-away land, but some script-kiddie
> is filling the log ...
> so no iptables or other fancy stuff. Seems i have to change that, somehow.
>
> @matt:
> in case i
Hi Walter,
Dropbear doesn't have IP restrictions built in. You could use
iptables/nftables, or tcpwrappers etc if you're running
Dropbear in inetd mode.
Cheers,
Matt
On Thu, May 20, 2021 at 01:23:28PM +, Walter Harms wrote:
> Hello List,
> actually i expected this would be a FAQ but i can
On Tue 29/6/2021, at 9:47 pm, roy...@gmail.com wrote:
>
>> That itself wouldn't be a problem if we could just crypt all incoming
>> password attempts before checking a username's existence - the problem is
>> that the password crypt algorithm can vary per user, so the time will vary
>> too. We
Hi Roy,
On Tue 29/6/2021, at 7:18 pm, roy...@gmail.com wrote:
>
>> - Make failure delay more consistent to avoid revealing valid usernames, set
>> server password
>> limit of 100 characters. Problem reported by usd responsible disclosure team
>
> What is the technical reason of limiting
Hi Dan,
MacOS uses PAM for password auth. As well as --enable-pam for
configure it needs
#define DROPBEAR_SVR_PASSWORD_AUTH 0
#define DROPBEAR_SVR_PAM_AUTH 1
in localoptions.h at build time.
Not sure that Homebrew sets the localoptions.h
t only have characters a-z A-Z 0-9 .,_-+@)
Patch from Hans Harder, modified by Matt Johnston
- Let dbclient multihop mode be used with '-J'.
Patch from Hans Harder
- Allow home-directory relative paths ~/path for various settings
and command line options.
*_PRIV_FILENAME DROPBEAR_PIDFILE SFTPSERVER_PAT
On Wed, Jan 19, 2022 at 04:23:29PM +0100, Thomas De Schampheleire wrote:
> I recently encountered connection issues when using dropbear as client
> (2020.81)
> to certain SSH implementations. In both cases, the issue was related to the
> host
> key verification. It took me a while to find the
On 2022-06-24 11:26 am, johnea wrote:
I've run across a number of other references since that timeframe that
indicate that dropbear can run on no-MMU platforms using uClibc.
Searching hasn't really led to a conclusive answer. So, could you
please confirm:
Can dropbear run as a listening
On 2022-06-25 7:49 am, James Miller wrote:
I set up a small low-resource VPS a few years ago to use mainly as a
light-use xmpp server. I got Dropbear operating there so I could admin
it. Dropbear seemed a good choice since system resources were so
anemic. I recall it being quite challenging to
Sorry for the late reply.
Dropbear doesn't currently support unix domain socket forwarding.
Cheers,
Matt
On 2022-06-07 3:57 pm, Heiko Thiery wrote:
Hi,
Does anyone know if it is possible to do a ssh forwarding on unix
domain sockets when using dropbear?
When I try I get the following error:
Thanks for the report.
This was a regression in the re-exec changes, I've pushed a fix to
https://github.com/mkj/dropbear/commit/544f28a05165eb97e18cc03fc8990da842ec3a94
The childpipe file descriptor is used to notify the parent listener that
auth has completed, but I'd missed that the inetd
Hi Matt,
The server had a missing mount, archives are working again now.
(A few recent messages didn't make the archives, I'll forward/reply them
in).
Thanks for letting me know.
Cheers,
Matt
On 2022-06-08 6:12 am, Matthias Lang wrote:
Hi,
According to
On 2022-11-21 11:05 pm, M Rubon wrote:
I have an automated remote script that connects to a set of known
servers. I never want to be prompted to add a new host key if the server
is missing from .ssh/known_hosts. If the key is missing, the client
should just immediately exit.
Dropbear seems to
On Tue, Nov 08, 2022 at 04:57:40PM +0200, Rogan Dawes wrote:
> I have created an SSH private key in my M1 Mac's Secure Enclave, and am
> using it to SSH to various targets. Those using OpenSSH work fine, and I am
> prompted to unlock the SE. However, those using dropbear do not work,
> giving me
On 2022-11-11 11:50 am, Rogan Dawes wrote:
> I was under the impression that the ssh protocol included a handshake step
> where supported algorithms were exchanged, and keys that do not match are
> eliminated?
For public key auth the client sends each public key it has to offer,
the server
Hi all,
Dropbear 2024.85 is released. It fixes a couple of build
regressions in 2024.84. There is no need to upgrade if
2024.84 built OK for your configuration.
https://matt.ucc.asn.au/dropbear/releases/dropbear-2024.85.tar.bz2
Cheers,
Matt
2024.85 - 25 April 2024
This release fixes build
Hi Mark,
I haven't used tru64 for a while, but if you send a log I can have a
look.
Cheers,
Matt
On 2024-03-18 5:49 pm, Mark Butt wrote:
> Hello,
>
> I have a DEC AlphaServer 4100 with Tru64 5.1B-6. This is a small side
> project that I am working on. When searching for a compatible
Thanks, I've applied it.
Matt
On 2024-04-05 3:37 pm, Peter Krefting wrote:
Fixes compile when disabling SHA-1 with
#define DROPBEAR_SHA1_HMAC 0
#define DROPBEAR_RSA_SHA1 0
#define DROPBEAR_DH_GROUP14_SHA1 0
while keeping SHA-256 enabled.
Should also fix the opposite, but that is not a
Hi all,
Dropbear 2024.84 is released. It has a few new features and
various fixes, contributed by numerous people over the past
year+.
Download it from
https://matt.ucc.asn.au/dropbear/releases/dropbear-2024.84.tar.bz2
or https://mirror.dropbear.nl/mirror/releases/dropbear-2024.84.tar.bz2
The