
Re: Dropbear support?


No problem. Thanks for looking into this.

Thanks,
Adrian


On 09/27/13, at 11:29 AM, Aris Adamantiadis <aris@xxxxxxxxxx> wrote:

> Hi,
> 
> I have looked at the problem. We detect the end of banner well but are
> expecting an SSH_KEXINIT packet in order to start the key exchange. We
> optimistically bet on the fact that the other side is sending this
> packet right away. Unfortunately dropbear does exactly the same (for a
> server, why?), so we are both wrong.
> Unfortunately a fix to this issue will be a little intrusive and will
> take time (we need to rewrite part of the key exchange mechanism) so I
> cannot make any promise on a deadline.
> 
> Aris
> 
> On 25/09/13 14:54, Aris Adamantiadis wrote:
>> Thanks,
>> 
>> It looks like libssh cannot detect the end of banner. I'll install
>> dropbear to test myself and also have a look at the rfc to see if we're
>> doing something wrong.
>> 
>> Aris
>> 
>> On 25/09/13 14:26, Adrian Baerlocher wrote:
>>> I've attached the pcap file below. I'm running Dropbear directly on the same host (I've also tried connecting remote). I'm able to connect using OpenSSH without any problems. It seems to get stuck after sending the libssh 'banner'. Eventually the request times out and is closed.
>>> 
>>> Thanks,
>>> Adrian
>>> 
>>> 
>>> 
>>> 
>>> 
>>> On 09/24/13, at 5:28 PM, Aris Adamantiadis <aris@xxxxxxxxxxxx> wrote:
>>> 
>>>> Hi Adrian,
>>>> 
>>>> A pcap capture taken with tcpdump -s0 or wireshark would be useful to
>>>> begin. I suspect Dropbear is shy and expects libssh to make the first
>>>> move and send the first packet of some kind.
>>>> 
>>>> Aris
>>>> On 24/09/13 21:56, Adrian Baerlocher wrote:
>>>>> No luck, I'm afraid. In fact, it appears Dropbear ignores the log
>>>>> message priority. I will try creating a pcap file next.
>>>>> 
>>>>> Thanks,
>>>>> Adrian
>>>>> 
>>>>> 
>>>>> On 09/24/13, at 1:45 PM, Dustin Oprea <myselfasunder@xxxxxxxxx> wrote:
>>>>> 
>>>>>> If this is from syslog, syslog might not be configured to allow all
>>>>>> logging. That being said, try running the server directly (not as a
>>>>>> service). It looks like both the server and the client send errors to
>>>>>> STDERR. The server log routine (in svr-session.c):
>>>>>> 
>>>>>> if (!svr_opts.usingsyslog || havetrace)
>>>>>> {
>>>>>>     struct tm * local_tm = NULL;
>>>>>>     timesec = time(NULL);
>>>>>>     local_tm = localtime(&timesec);
>>>>>>     if (local_tm == NULL
>>>>>>         || strftime(datestr, sizeof(datestr), "%b %d %H:%M:%S",
>>>>>>                     local_tm) == 0)
>>>>>>     {
>>>>>>         /* upon failure, just print the epoch-seconds time. */
>>>>>>         snprintf(datestr, sizeof(datestr), "%d", (int)timesec);
>>>>>>     }
>>>>>>     fprintf(stderr, "[%d] %s %s\n", getpid(), datestr, printbuf);
>>>>>> }
>>>>>> 
>>>>>> It looks like error, warning, info, and debug logging all go into
>>>>>> STDERR. In this case, it looks like a majority of the messages are
>>>>>> LOG_INFOs.
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> Dustin
>>>>>> 
>>>>>> On Tue, Sep 24, 2013 at 12:06 PM, Adrian Baerlocher
>>>>>> <adrian@xxxxxxxxxxxx> wrote:
>>>>>> 
>>>>>>   Logging from the server doesn't provide much help (the disconnect
>>>>>>   occurs from client timeout):
>>>>>> 
>>>>>>   dropbear[37646]: Child connection from 127.0.0.1:56535
>>>>>>   dropbear[37646]: Exit before auth: Disconnect received
>>>>>> 
>>>>>>   I'll try creating a pcap file next.
>>>>>> 
>>>>>>   Thanks,
>>>>>>   Adrian
>>>>>> 
>>>>>> 
>>>>>>   On 09/24/13, at 11:49 AM, Andreas Schneider <asn@xxxxxxxxxxxxxx> wrote:
>>>>>> 
>>>>>>> On Tuesday 24 September 2013 10:04:27 Adrian Baerlocher wrote:
>>>>>>>> Does anyone know of any compatibility issues with Dropbear
>>>>>>>> (dropbear_2013.58)? I'm seeing libssh (0.5.5) time out after exchanging
>>>>>>>> banners. I'm able to connect via OpenSSH, however.
>>>>>>> 
>>>>>>> Could you turn on debugging on the server and find out what's going
>>>>>>> wrong? If this doesn't give any hint then probably creating a pcap file
>>>>>>> will help.
>>>>>>> 
>>>>>>> http://git.libssh.org/projects/libssh.git/tree/include/libssh/pcap.h
>>>>>>> 
>>>>>>> 
>>>>>>>     -- andreas
>>>>>>> 
>>>>>>> --
>>>>>>> Andreas Schneider                   GPG-ID: F33E3FC6
>>>>>>> www.cryptomilk.org                  asn@xxxxxxxxxxxxxx
>>>>>>> 
>>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>> 
>>>> 
>>>> 
>>> 
>> 
> 
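
Added example, not code from libssh, Dropbear or anyone in this thread: a C check for the stall described above, run over the bytes each peer sent in a capture. It finds the end of the banner (the LF-terminated line starting with "SSH-") and then looks for an SSH_MSG_KEXINIT packet; the function names, enum and sample bytes are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define SSH_MSG_KEXINIT 20 /* message number from RFC 4253 */
enum stream_state { NO_BANNER, BANNER_ONLY, KEXINIT_SEEN, OTHER_PACKET };

/* Classify the bytes one peer sent (one direction of a capture). */
enum stream_state classify_stream(const unsigned char *buf, size_t len)
{
    size_t pos = 0;
    int have_banner = 0;
    /* Identification phase: LF-terminated lines. The line starting with
     * "SSH-" is the banner; lines before it are skipped. */
    while (!have_banner) {
        const unsigned char *nl = memchr(buf + pos, '\n', len - pos);
        if (nl == NULL)
            return NO_BANNER;
        have_banner = (size_t)(nl - (buf + pos)) >= 4 &&
                      memcmp(buf + pos, "SSH-", 4) == 0;
        pos = (size_t)(nl - buf) + 1;
    }
    /* Binary packet: uint32 packet_length, byte padding_length, payload.
     * The first payload byte (offset 5) is the message number. */
    if (len - pos < 6)
        return BANNER_ONLY; /* peer went quiet after its banner */
    return buf[pos + 5] == SSH_MSG_KEXINIT ? KEXINIT_SEEN : OTHER_PACKET;
}

/* 1 when both peers stopped after the banner, each waiting for the other. */
int both_waiting(const unsigned char *c, size_t clen,
                 const unsigned char *s, size_t slen)
{
    return classify_stream(c, clen) == BANNER_ONLY &&
           classify_stream(s, slen) == BANNER_ONLY;
}

/* Constructed sample bytes, not taken from the capture in this thread. */
static const unsigned char CLIENT_CAP[] = "SSH-2.0-client_sample\r\n";
static const unsigned char SERVER_CAP[] = "SSH-2.0-server_sample\r\n";
static const unsigned char EAGER_CAP[] =
    "notice line\r\n" "SSH-2.0-server_sample\r\n" "\x00\x00\x00\x0c\x0a\x14";

int main(void)
{
    printf("stalled pair: %d\n", both_waiting(CLIENT_CAP, sizeof CLIENT_CAP - 1,
                                              SERVER_CAP, sizeof SERVER_CAP - 1));
    return 0;
}
```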

