annotate README @ 1788:1fc0012b9c38
Fix handling of replies to global requests (#112)

The current code assumes that all global requests want / need a reply.
This isn't always true and the request itself indicates if it wants a
reply or not.

It causes a specific problem with hostkeys-00@openssh.com messages.
These are sent by OpenSSH after authentication to inform the client of
potential other host keys for the host. This can be used to add a new
type of host key or to rotate host keys.

The initial information message from the server is sent as a global
request, but with want_reply set to false. This means that the server
doesn't expect an answer to this message. Instead the client needs to
send a prove request as a reply if it wants to receive proof of
ownership for the host keys.

The bug doesn't cause any current problems due to how OpenSSH
treats receiving the failure message. It instead treats it as a
keepalive message and further ignores it.

Arguably this is a protocol violation though of Dropbear and it is only
accidental that it doesn't cause a problem with OpenSSH.

The bug was found when adding host keys support to libssh, which is more
strict protocol wise and treats the unexpected failure message as an error,
also see https://gitlab.com/libssh/libssh-mirror/-/merge_requests/145
for more information.

The fix here is to honor the want_reply flag in the global request and
to only send a reply if the other side expects a reply.
author | Dirkjan Bussink <d.bussink@gmail.com> |
---|---|
date | Thu, 10 Dec 2020 16:13:13 +0100 |
parents | d32bcb5c557d |
children |
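The want_reply rule from the commit message above, as an added example that is not Dropbear's code: it parses an SSH_MSG_GLOBAL_REQUEST (RFC 4254, section 4) and answers an unrecognised request with a failure only when the sender asked for a reply. The function names and the constructed sample messages are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSH_MSG_GLOBAL_REQUEST  80  /* RFC 4254, section 4 */
#define SSH_MSG_REQUEST_FAILURE 82

enum { REPLY_NONE = 0, REPLY_FAILURE = SSH_MSG_REQUEST_FAILURE, REPLY_MALFORMED = -1 };

/* Constructed sample: byte type, uint32 name length, name, boolean want_reply.
 * Request-specific data (e.g. the host key blobs) is left out. */
size_t build_global_request(uint8_t *out, size_t cap, const char *name, int want_reply)
{
    size_t n = strlen(name);
    if (n + 6 > cap) return 0;
    out[0] = SSH_MSG_GLOBAL_REQUEST;
    out[1] = (uint8_t)(n >> 24); out[2] = (uint8_t)(n >> 16);
    out[3] = (uint8_t)(n >> 8);  out[4] = (uint8_t)n;
    memcpy(out + 5, name, n);
    out[5 + n] = want_reply ? 1 : 0;
    return n + 6;
}

/* Hypothetical handler for a peer that implements no global requests: every
 * request is unrecognised, and the failure reply goes out only if want_reply is set. */
int handle_global_request(const uint8_t *p, size_t len, char *name, size_t name_cap)
{
    if (len < 6 || p[0] != SSH_MSG_GLOBAL_REQUEST) return REPLY_MALFORMED;
    uint32_t n = (uint32_t)p[1] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 8 | p[4];
    if (n > len - 6 || n >= name_cap) return REPLY_MALFORMED; /* name and flag must fit */
    memcpy(name, p + 5, n);
    name[n] = '\0';
    return p[5 + n] ? REPLY_FAILURE : REPLY_NONE;
}

int main(void)
{
    uint8_t buf[128];
    char name[64];
    const char *names[] = { "hostkeys-00@openssh.com", "keepalive@openssh.com" };
    for (int i = 0; i < 2; i++) {
        size_t len = build_global_request(buf, sizeof buf, names[i], i); /* want_reply: 0, then 1 */
        int r = handle_global_request(buf, len, name, sizeof name);
        printf("%s want_reply=%d -> %s\n", name, i,
               r == REPLY_FAILURE ? "send SSH_MSG_REQUEST_FAILURE" : "send nothing");
    }
    return 0;
}
```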
This is Dropbear, a smallish SSH server and client.
https://matt.ucc.asn.au/dropbear/dropbear.html

INSTALL has compilation instructions.

MULTI has instructions on making a multi-purpose binary (ie a single binary
which performs multiple tasks, to save disk space)

SMALL has some tips on creating small binaries.

Please contact me if you have any questions/bugs found/features/ideas/comments etc :)
There is also a mailing list http://lists.ucc.gu.uwa.edu.au/mailman/listinfo/dropbear

Matt Johnston
matt@ucc.asn.au

In the absence of detailed documentation, some notes follow:
============================================================================

Server public key auth:

You can use ~/.ssh/authorized_keys in the same way as with OpenSSH, just put
the key entries in that file. They should be of the form:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwVa6M6cGVmUcLl2cFzkxEoJd06Ub4bVDsYrWvXhvUV+ZAM9uGuewZBDoAqNKJxoIn0Hyd0Nk/yU99UVv6NWV/5YSHtnf35LKds56j7cuzoQpFIdjNwdxAN0PCET/MG8qyskG/2IE2DPNIaJ3Wy+Ws4IZEgdJgPlTYUBWWtCWOGc= someone@hostname

You must make sure that ~/.ssh, and the key file, are only writable by the
user. Beware of editors that split the key into multiple lines.

Dropbear supports some options for authorized_keys entries, see the manpage.

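A check for the two requirements in the server public key section above (paths writable only by the user, and no key split across lines), as an added example that is not Dropbear's own permission check. The names perms_ok and entry_ok are hypothetical, and the "AAAA" test is a heuristic based on every SSH public key blob starting with a four-byte length whose first three bytes are zero.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* 1 if the path is owned by `user` and has no group/world write bit. */
int perms_ok(const struct stat *st, uid_t user)
{
    return st->st_uid == user && !(st->st_mode & (S_IWGRP | S_IWOTH));
}

/* 1 if an authorized_keys line is blank, a comment, or carries a whole base64
 * key blob: a field starting "AAAA" whose length is a multiple of 4. A key
 * split by an editor fails on the continuation line, which has no such field. */
int entry_ok(const char *line)
{
    line += strspn(line, " \t\r\n");
    if (*line == '\0' || *line == '#') return 1;
    for (const char *f = line; *f; ) {
        size_t n = strcspn(f, " \t\r\n");
        if (n >= 4 && strncmp(f, "AAAA", 4) == 0 && n % 4 == 0) return 1;
        f += n;
        f += strspn(f, " \t\r\n");
    }
    return 0;
}

int main(int argc, char **argv)
{
    /* Assumed usage: ./akcheck ~/.ssh ~/.ssh/authorized_keys (key file last) */
    struct stat st;
    char line[8192];
    int bad = 0;
    for (int i = 1; i < argc; i++)
        if (stat(argv[i], &st) != 0 || !perms_ok(&st, getuid())) {
            printf("%s: missing, wrong owner, or group/world writable\n", argv[i]);
            bad = 1;
        }
    FILE *fp = argc > 1 ? fopen(argv[argc - 1], "r") : NULL;
    for (int no = 1; fp && fgets(line, sizeof line, fp); no++)
        if (!entry_ok(line)) { printf("line %d: no complete key blob\n", no); bad = 1; }
    if (fp) fclose(fp);
    return bad;
}
```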
============================================================================

Client public key auth:

Dropbear can do public key auth as a client, but you will have to convert
OpenSSH style keys to Dropbear format, or use dropbearkey to create them.

If you have an OpenSSH-style private key ~/.ssh/id_rsa, you need to do:

dropbearconvert openssh dropbear ~/.ssh/id_rsa ~/.ssh/id_rsa.db
dbclient -i ~/.ssh/id_rsa.db <hostname>

Dropbear does not support encrypted hostkeys, though it can connect to ssh-agent.

============================================================================

If you want to get the public-key portion of a Dropbear private key, look at
dropbearkey's '-y' option.

============================================================================

To run the server, you need to generate server keys, this is one-off:
./dropbearkey -t rsa -f dropbear_rsa_host_key
./dropbearkey -t dss -f dropbear_dss_host_key
./dropbearkey -t ecdsa -f dropbear_ecdsa_host_key
./dropbearkey -t ed25519 -f dropbear_ed25519_host_key

or alternatively convert OpenSSH keys to Dropbear:
./dropbearconvert openssh dropbear /etc/ssh/ssh_host_dsa_key dropbear_dss_host_key

You can also get Dropbear to create keys when the first connection is made -
this is preferable to generating keys when the system boots. Make sure
/etc/dropbear/ exists and then pass '-R' to the dropbear server.

============================================================================

If the server is run as non-root, you most likely won't be able to allocate a
pty, and you cannot login as any user other than that running the daemon
(obviously). Shadow passwords will also be unusable as non-root.

============================================================================

The Dropbear distribution includes a standalone version of OpenSSH's scp
program. You can compile it with "make scp", you may want to change the path
of the ssh binary, specified by _PATH_SSH_PROGRAM in options.h . By default
the progress meter isn't compiled in to save space, you can enable it by
adding 'SCPPROGRESS=1' to the make commandline.