# HG changeset patch
# User Matt Johnston
# Date 1225894480 0
# Node ID b85507ade01056c28e31d602815779f366606b51
# Parent 4e251543b941af63ad5449187fa497d38bae4bee
- Update manuals, include section on authorized_keys
- Change default PATH to /usr/bin:/bin
- Mention DEBUG_TRACE in -v help text
diff -r 4e251543b941 -r b85507ade010 CHANGES
--- a/CHANGES Wed Nov 05 13:53:14 2008 +0000
+++ b/CHANGES Wed Nov 05 14:14:40 2008 +0000
@@ -1,3 +1,50 @@
+0.52
+
+- Add "netcat-alike" option (-B) to dbclient, allowing Dropbear to tunnel
+ standard input/output to a TCP port-forwarded remote host.
+
+- Add "proxy command" support to dbclient, to allow using a spawned process for
+ IO rather than a direct TCP connection. eg
+ dbclient remotehost
+ is equivalent to
+ dbclient -J 'nc remotehost 22' remotehost
+ (the hostname is still provided purely for looking up saved host keys)
+
+- Combine netcat-alike and proxy support to allow "multihop" connections, with
+ comma-separated host syntax. Allows running
+ dbclient user1@host1,user2@host2,user3@host3
+ to end up at host3 via the other two, using SSH TCP forwarding. It's a bit
+ like onion-routing. All connections are established from the local machine.
+ The comma-separated syntax can also be used for scp/rsync, eg
+ scp -S dbclient matt@martello,root@wrt,canyons:/tmp/dump .
+ to bounce through a few hosts.
+
+- Allow restrictions on authorized_keys logins such as restricting commands
+ to be run etc. This is a subset of those allowed by OpenSSH, doesn't
+ yet allow restricting source host.
+
+- Use vfork() for scp on uClinux
+
+- Default to PATH=/usr/bin:/bin for shells.
+
+- Report errors if -R forwarding fails
+
+- Add counter mode cipher support, which avoids some security problems with the
+ standard CBC mode.
+
+- Support zlib@openssh.com delayed compression for client/server. It can be
+ required for the Dropbear server with the '-Z' option. This is useful for
+ security as it avoids exposing the server to attacks on zlib by
+ unauthenticated remote users, though requires client side support.
+ +- options.h has been split into options.h (user-changable) and sysoptions.h + (less commonly changed) + +- Support "dbclient -s sftp" to specify a subsystem + +- Fix a bug in replies to channel requests that could be triggered by recent + versions of PuTTY + 0.51 - Thu 27 March 2008 - Make a copy of password fields rather erroneously relying on getwpnam() diff -r 4e251543b941 -r b85507ade010 dbclient.1 --- a/dbclient.1 Wed Nov 05 13:53:14 2008 +0000 +++ b/dbclient.1 Wed Nov 05 14:14:40 2008 +0000 @@ -106,8 +106,11 @@ this case a connection will be made to the first host, then a TCP forwarded connection will be made through that to the second host, and so on. Hosts other than the final destination will not see anything other than the encrypted SSH stream. +A port for a host can be specified with a slash (eg matt@martello/44 ). This syntax can also be used with scp or rsync (specifying dbclient as the -ssh/rsh command). A port for a host can be specified with a slash (eg matt@martello/44 ). +ssh/rsh command). A file can be "bounced" through multiple SSH hops, eg + +scp -S dbclient matt@martello,root@wrt,canyons:/tmp/dump . .SH ENVIRONMENT .TP diff -r 4e251543b941 -r b85507ade010 dropbear.8 --- a/dropbear.8 Wed Nov 05 13:53:14 2008 +0000 +++ b/dropbear.8 Wed Nov 05 14:14:40 2008 +0000 
@@ -94,6 +94,60 @@ a certain period of inactivity. The trade-off is that a session may be closed if there is a temporary lapse of network connectivity. A setting if 0 disables keepalives. +.SH FILES + +.TP +Authorized Keys + +~/.ssh/authorized_keys can be set up to allow remote login with a RSA or DSS +key. Each line is of the form +.TP +[restrictions] ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIgAsp... [comment] + +and can be extracted from a Dropbear private host key with "dropbearkey -y". This is the same format as used by OpenSSH, though the restrictions are a subset (keys with unknown restrictions are ignored). +Restrictions are comma separated, with double quotes around spaces in arguments. +Available restrictions are: + +.TP +.B no-port-forwarding +Don't allow port forwarding for this connection + +.TP +.B no-agent-forwarding +Don't allow agent forwarding for this connection + +.TP +.B no-X11-forwarding +Don't allow X11 forwarding for this connection + +.TP +.B no-pty +Disable PTY allocation. Note that a user can still obtain most of the +same functionality with other means even if no-pty is set. + +.TP +.B command="\fIforced_command\fR" +Disregard the command provided by the user and always run \fIforced_command\fR. + +The authorized_keys file and its containing ~/.ssh directory must only be +writable by the user, otherwise Dropbear will not allow a login using public +key authentication. + +.TP +Host Key Files + +Host key files are read at startup from a standard location, by default +/etc/dropbear/dropbear_dss_host_key and /etc/dropbear/dropbear_rsa_host_key +or specified on the commandline with -d or -r. These are of the form generated +by dropbearkey. + +.TP +Message Of The Day + +By default the file /etc/motd will be printed for any login shell (unless +disabled at compile-time). This can also be disabled per-user +by creating a file ~/.hushlogin . + .SH AUTHOR Matt Johnston (matt@ucc.asn.au). .br diff -r 4e251543b941 -r b85507ade010 options.h 
--- a/options.h Wed Nov 05 13:53:14 2008 +0000 +++ b/options.h Wed Nov 05 14:14:40 2008 +0000 @@ -259,7 +259,7 @@ #define DEFAULT_KEEPALIVE 0 /* The default path. This will often get replaced by the shell */ -#define DEFAULT_PATH "/bin:/usr/bin" +#define DEFAULT_PATH "/usr/bin:/bin" /* Some other defines (that mostly should be left alone) are defined * in sysoptions.h */ diff -r 4e251543b941 -r b85507ade010 svr-runopts.c --- a/svr-runopts.c Wed Nov 05 13:53:14 2008 +0000 +++ b/svr-runopts.c Wed Nov 05 14:14:40 2008 +0000 @@ -83,7 +83,7 @@ "-W (default %d, larger may be faster, max 1MB)\n" "-K (0 is never, default %d)\n" #ifdef DEBUG_TRACE - "-v verbose\n" + "-v verbose (compiled with DEBUG_TRACE)\n" #endif ,DROPBEAR_VERSION, progname, #ifdef DROPBEAR_DSS
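Review bot: The comment above `DEFAULT_PATH` in the options.h hunk still reads only `/* The default path. This will often get replaced by the shell */` and gives no reason for flipping the order to put /usr/bin first, so a later maintainer cannot tell a deliberate choice from an accident. The order is not cosmetic: sessions that never reach an interactive shell (a forced `command=` from authorized_keys, scp, or a subsystem) presumably inherit this value unchanged, and on systems that ship differently-built binaries of the same name in both /bin and /usr/bin the change alters which one such a session executes. I would extend the comment to `/* The default path, searched in this order. Interactive shells usually replace it; forced commands and subsystems may run with it as-is. */` and add one line stating why /usr/bin now comes first. The surrounding block in options.h is otherwise unchanged by this hunk.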