Mercurial > dropbear
view dropbear.8 @ 1306:34e6127ef02e
merge fixes from PuTTY import.c
toint() from misc.c
(revids are from hggit conversion)
changeset: 4620:60a336a6c85c
user: Simon Tatham <[email protected]>
date: Thu Feb 25 20:26:33 2016 +0000
files: import.c
description:
Fix potential segfaults in reading OpenSSH's ASN.1 key format.
The length coming back from ber_read_id_len might have overflowed, so
treat it as potentially negative. Also, while I'm here, accumulate it
inside ber_read_id_len as an unsigned, so as to avoid undefined
behaviour on integer overflow, and toint() it before return.
Thanks to Hanno Böck for spotting this, with the aid of AFL.
(cherry picked from commit 5b7833cd474a24ec098654dcba8cb9509f3bf2c1)
Conflicts:
import.c
(cherry-picker's note: resolving the conflict involved removing an
entire section of the original commit which fixed ECDSA code not
present on this branch)
changeset: 4619:9c6c638d98d8
user: Simon Tatham <[email protected]>
date: Sun Jul 14 10:45:54 2013 +0000
files: import.c ssh.c sshdss.c sshpubk.c sshrsa.c
description:
Tighten up a lot of casts from unsigned to int which are read by one
of the GET_32BIT macros and then used as length fields. Missing bounds
checks against zero have been added, and also I've introduced a helper
function toint() which casts from unsigned to int in such a way as to
avoid C undefined behaviour, since I'm not sure I trust compilers any
more to do the obviously sensible thing.
[originally from svn r9918]
changeset: 4618:3957829f24d3
user: Simon Tatham <[email protected]>
date: Mon Jul 08 22:36:04 2013 +0000
files: import.c sshdss.c sshrsa.c
description:
Add an assortment of extra safety checks.
[originally from svn r9896]
changeset: 4617:2cddee0bce12
user: Jacob Nevins <[email protected]>
date: Wed Dec 07 00:24:45 2005 +0000
files: import.c
description:
Institutional failure to memset() things pointed at rather than pointers.
Things should now be zeroed and memory not leaked. Spotted by Brant Thomsen.
[originally from svn r6476]
changeset: 4616:24ac78a9c71d
user: Simon Tatham <[email protected]>
date: Wed Feb 11 13:58:27 2004 +0000
files: import.c
description:
Jacob's last-minute testing found a couple of trivial bugs in
import.c, and my attempts to reproduce them in cmdgen found another
one there :-)
[originally from svn r3847]
changeset: 4615:088d39a73db0
user: Simon Tatham <[email protected]>
date: Thu Jan 22 18:52:49 2004 +0000
files: import.c
description:
Placate some gcc warnings.
[originally from svn r3761]
changeset: 4614:e4288bad4d93
parent: 1758:108b8924593d
user: Simon Tatham <[email protected]>
date: Fri Oct 03 21:21:23 2003 +0000
files: import.c
description:
My ASN.1 decoder returned wrong IDs for anything above 0x1E! Good
job it's never had to yet. Ahem.
[originally from svn r3479]
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Tue, 12 Jul 2016 23:00:01 +0800 |
parents | 80cacacfec23 |
children | ee2ffa044c7e |
line wrap: on
line source
.TH dropbear 8 .SH NAME dropbear \- lightweight SSH server .SH SYNOPSIS .B dropbear [\fIflag arguments\fR] [\-b .I banner\fR] [\-r .I hostkeyfile\fR] [\-p [\fIaddress\fR:]\fIport\fR] .SH DESCRIPTION .B dropbear is a small SSH server .SH OPTIONS .TP .B \-b \fIbanner bannerfile. Display the contents of the file .I banner before user login (default: none). .TP .B \-r \fIhostkey Use the contents of the file .I hostkey for the SSH hostkey. This file is generated with .BR dropbearkey (1) or automatically with the '-R' option. See "Host Key Files" below. .TP .B \-R Generate hostkeys automatically. See "Host Key Files" below. .TP .B \-F Don't fork into background. .TP .B \-E Log to standard error rather than syslog. .TP .B \-m Don't display the message of the day on login. .TP .B \-w Disallow root logins. .TP .B \-s Disable password logins. .TP .B \-g Disable password logins for root. .TP .B \-j Disable local port forwarding. .TP .B \-k Disable remote port forwarding. .TP .B \-p\fR [\fIaddress\fR:]\fIport Listen on specified .I address and TCP .I port. If just a port is given listen on all addresses. up to 10 can be specified (default 22 if none specified). .TP .B \-i Service program mode. Use this option to run .B dropbear under TCP/IP servers like inetd, tcpsvd, or tcpserver. In program mode the \-F option is implied, and \-p options are ignored. .TP .B \-P \fIpidfile Specify a pidfile to create when running as a daemon. If not specified, the default is /var/run/dropbear.pid .TP .B \-a Allow remote hosts to connect to forwarded ports. .TP .B \-W \fIwindowsize Specify the per-channel receive window buffer size. Increasing this may improve network performance at the expense of memory use. Use -h to see the default buffer size. .TP .B \-K \fItimeout_seconds Ensure that traffic is transmitted at a certain interval in seconds. This is useful for working around firewalls or routers that drop connections after a certain period of inactivity. The trade-off is that a session may be closed if there is a temporary lapse of network connectivity. A setting if 0 disables keepalives. If no response is received for 3 consecutive keepalives the connection will be closed. .TP .B \-I \fIidle_timeout Disconnect the session if no traffic is transmitted or received for \fIidle_timeout\fR seconds. .TP .B \-V Print the version .SH FILES .TP Authorized Keys ~/.ssh/authorized_keys can be set up to allow remote login with a RSA, ECDSA, or DSS key. Each line is of the form .TP [restrictions] ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIgAsp... [comment] and can be extracted from a Dropbear private host key with "dropbearkey -y". This is the same format as used by OpenSSH, though the restrictions are a subset (keys with unknown restrictions are ignored). Restrictions are comma separated, with double quotes around spaces in arguments. Available restrictions are: .TP .B no-port-forwarding Don't allow port forwarding for this connection .TP .B no-agent-forwarding Don't allow agent forwarding for this connection .TP .B no-X11-forwarding Don't allow X11 forwarding for this connection .TP .B no-pty Disable PTY allocation. Note that a user can still obtain most of the same functionality with other means even if no-pty is set. .TP .B command=\fR"\fIforced_command\fR" Disregard the command provided by the user and always run \fIforced_command\fR. The authorized_keys file and its containing ~/.ssh directory must only be writable by the user, otherwise Dropbear will not allow a login using public key authentication. .TP Host Key Files Host key files are read at startup from a standard location, by default /etc/dropbear/dropbear_dss_host_key, /etc/dropbear/dropbear_rsa_host_key, and /etc/dropbear/dropbear_ecdsa_host_key or specified on the commandline with -r. These are of the form generated by dropbearkey. The -R option can be used to automatically generate keys in the default location - keys will be generated after startup when the first connection is established. This had the benefit that the system /dev/urandom random number source has a better chance of being securely seeded. .TP Message Of The Day By default the file /etc/motd will be printed for any login shell (unless disabled at compile-time). This can also be disabled per-user by creating a file ~/.hushlogin . .SH ENVIRONMENT VARIABLES Dropbear sets the standard variables USER, LOGNAME, HOME, SHELL, PATH, and TERM. The variables below are set for sessions as appropriate. .TP .B SSH_TTY This is set to the allocated TTY if a PTY was used. .TP .B SSH_CONNECTION Contains "<remote_ip> <remote_port> <local_ip> <local_port>". .TP .B DISPLAY Set X11 forwarding is used. .TP .B SSH_ORIGINAL_COMMAND If a 'command=' authorized_keys option was used, the original command is specified in this variable. If a shell was requested this is set to an empty value. .TP .B SSH_AUTH_SOCK Set to a forwarded ssh-agent connection. .SH NOTES Dropbear only supports SSH protocol version 2. .SH AUTHOR Matt Johnston ([email protected]). .br Gerrit Pape ([email protected]) wrote this manual page. .SH SEE ALSO dropbearkey(1), dbclient(1), dropbearconvert(1) .P https://matt.ucc.asn.au/dropbear/dropbear.html