Added check that only the dropbear user is allowed to login if it is
running as non-root.
Removed the log message,
--- loginrec.c 2013-04-15 08:01:58.0 -0600
+++ loginrec.c 2013-04-17 06:01:57.0 -0600
@@ -329,8 +329,6 @@ login_write (struct logininfo *li)
{
#ifndef
I had some problems with the multihop for scp using different portnumbers.
The original syntax uses / as separator, which conflicts with the
current code in scp for detecting source and destination
Ex. scp file user@host1/,user@host2/22:.
Simplest way of solving this was to allow also another
I am trying to connect using ssh: -v -i privkey -p 7000 hans@host hostname
And I get:
debug1: Server accepts key: pkalg ssh-rsa blen 149
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending command: hostname
Perhaps not something to have default in dropbear, but perhaps of interest
for someone...
In order to restrict access from certain ip addresses only, you can, with
this patch, start a dropbear with option -S
This will only allow password logins if a corresponding file
How difficult is it to get X11 forwarding in the dbclient.
currently I only have it working when using openssh with -X option.
But because of multihop (more than 2 hops) I have to use dbclient, but it
doesn't support X11 forwarding.
thx
Hans
I have it running as a separate daemon on a few systems as a non-root user
without problems.
I changed the config.h to disable all the features which might require more
rights than the user has or uses OS functions for instance
DISABLE_PAM, DISABLE_LASTLOG, DISABLE_SYSLOG
I only use the
configured with:
./configure --disable-pam --disable-syslog --disable-shadow \
--disable-lastlog --disable-utmp --disable-utmpx \
--disable-wtmp --disable-wtmpx --disable-loginfunc \
--disable-pututline --disable-pututxline
For Linux: no problems
For
Hi Matt,
I was looking for a SSH honeypot... so I thought about adapting dropbear.
Seems to me it would be easy to disable any successful logins by adapting
the
file svr_auth.c with
/* Send a success message to the user, and set the "authdone" flag */
void send_msg_userauth_success() {
#if
I have to do a multihop behind after a proxy connect...
so I do something like:
dbclient -J "corkscrew proxyserver proxyport makado 22" user@makado
,user@canyons
but I get the message : Exited: -J can't be used with multihop mode
Basically what I see in cli-runopts.c is that if multihop is
Underneath the patch against the current git version
Hans
diff -w dropbear-git/cli-runopts.c dropbear-patch/cli-runopts.c
--- dropbear-git/cli-runopts.c
+++ dropbear-patch/cli-runopts.c
@@ -629,9 +629,7 @@
/* Set up the proxycmd */
unsigned int cmd_len = 0;
I usually build the version without trace information, until I run
into troubles.
Then when building the trace version it gives out too much information.
Ever thought about giving out limited trace information depending on
the number of -v given...
So basically whenever I face a connection problem,
> The bigger issue here is why not reread keys at every new session? That
> seems like the right thing to do in any case?
Performance...
Why should you do that.
You should not change your host keys every time, because the connecting
client will have a conflict and get a warning about a possible
Hi,
I noticed that I got warnings that the RSA key was too short.
Further investigation showed that I was using a 1024 bits RSA key but
the mp_count_bits function returns 1023 count (probably 0 based)
in rsa.c it states: if (mp_count_bits(key->n) < MIN_RSA_KEYLEN)
Is this intentional or
Does anybody have an example of the external public-key authentication api
Sounds interesting, but I am not sure how to use this...
thx
Hans
On Mon, Jun 15, 2020 at 5:53 PM Matt Johnston wrote:
> Hi all,
>
> Dropbear 2020.79 is now released. Particular thanks to Vladislav Grishenko
> for
> What program created the key? As far as I can tell the test
> is correct, the top bit might be unset?
>
> Cheers,
> Matt
>
> On Thu, Aug 27, 2020 at 07:36:26AM +0200, Hans Harder wrote:
> > Hi,
> >
> > I noticed that I got warnings that the RSA key was too short.
The change is also by putting a delay in the connection close it is
going to work against you.
Suppose this happens constantly, will you be able to make a valid connection?
I use a different approach, allow only a fixed src IP access and drop
any other connection.
You can do that with iptables, so
You can add some small code in svr_main.c for allowing/denying remote
servers based on their ip address
getaddrstring(, _host, NULL, 0);
/* HH hostallow start */
/* Check if remote host is allowed */
if
or when you have no root access...
On Tue, May 25, 2021 at 11:14 AM Walter Harms wrote:
>
> yes, under normal circumstances you would use iptables to block the port. But
> when you are forced to byte-counting and you do not want to install other
> programs (and maintain them) on your
Indeed that is the correct question, because you can easily do
#if DROPBEAR_SVR_MULTIUSER
if (getuid() != ses.authstate.pw_uid) {
setgid and setuid part
}
#endif
On Wed, Mar 10, 2021 at 11:41 AM Geoff Winkless wrote:
>
> On Tue, 9 Mar 2021 at 15:43, Kazuo Kuroi wrote:
> >
So you want to break off the connection if it isn't in the .ssh/known_host file.
Currently there is no way to do that, but with a little adaption it is possible
attached a small patch to look for an env var SSH_ASKHOSTKEY
if it is set to "y" or "n" it will use that as answer instead of
asking