dropbear

mirror of https://github.com/clearml/dropbear synced 2025-01-31 02:46:58 +00:00

Go to file

Matt Johnston d1dec41f76 Constant time memcmp for the hmac and password crypt		2013-10-03 22:25:30 +08:00
debian	2013.58	2013-04-18 22:57:47 +08:00
libtomcrypt	- Add hmac-sha2-256 and hmac-sha2-512. Needs debugging, seems to be	2012-05-10 08:38:37 +08:00
libtommath	fix out-of-tree cleaning	2012-04-08 02:06:54 -04:00
.hgsigs	Added signature for changeset f168962bab85	2013-04-18 23:10:24 +08:00
.hgtags	Added tag DROPBEAR_2013.58 for changeset e76614145aea	2013-04-18 23:10:19 +08:00
agentfwd.h	Fixed compilation with unset ENABLE_{SVR,CLI}_AGENTFWD.	2012-03-26 16:17:16 +04:00
algo.h	Get rid of client/server specific buf_match_algo, use single	2013-03-30 23:55:05 +08:00
atomicio.c
atomicio.h
auth.h	Be a bit more careful about when we want to use CLI_AUTH_IMMEDIATE	2013-04-02 00:11:53 +08:00
bignum.c	Improve capitalisation for all logged strings	2011-02-23 15:50:30 +00:00
bignum.h	Fix a few options and headers	2013-04-03 07:33:47 +08:00
buffer.c	Move the more verbose TRACE() statements into TRACE2()	2013-04-01 00:07:26 +08:00
buffer.h	New standard linked list to use, rather than adhoc SignKeyList or TCPFwdList	2009-07-06 12:59:13 +00:00
CHANGES	Save with utf8 encoding	2013-04-18 23:15:17 +08:00
channel.h	Add ~. and ~^Z handling to exit/suspend dbclient	2013-03-23 23:16:06 +08:00
chansession.h	- Fix use-after-free if multiple command requests were sent. Move	2011-12-04 05:31:25 +08:00
circbuffer.c	use an empty writebuf rather than a NULL one	2013-03-20 22:31:07 +08:00
circbuffer.h
cli-agentfwd.c	Fix a few compile warnings	2013-03-23 23:17:01 +08:00
cli-auth.c	Be a bit more careful about when we want to use CLI_AUTH_IMMEDIATE	2013-04-02 00:11:53 +08:00
cli-authinteract.c	Fix memory leak found by Klocwork	2011-04-07 12:34:44 +00:00
cli-authpasswd.c	Add support for SSH_ASKPASS_ALWAYS env variable for dbclient. If it	2007-09-14 00:19:44 +00:00
cli-authpubkey.c	Slight formatting change for ENABLE_CLI_AGENTFWD if statement	2012-04-09 21:29:41 +08:00
cli-channel.c	Rearranged some more bits, marked some areas that need work.	2006-10-02 16:34:06 +00:00
cli-chansession.c	Only send a failure response to a channel request if wantreply is set.	2013-09-21 00:34:36 +08:00
cli-kex.c	requirenext fixup for firstkexfollows	2013-04-14 23:16:16 +08:00
cli-main.c	Run the cleanup handler also when we close due to TCP connection being closed	2013-04-01 22:26:55 +08:00
cli-runopts.c	strdup the proxycmd to avoid crash when freeing, from Lluís Batlle i Rossell	2013-07-08 22:42:32 +08:00
cli-session.c	setup tcp after requesting a channel - might hide some DNS latency	2013-04-04 07:51:13 +08:00
cli-tcpfwd.c	Print the server allocated port when using dbclient -R 0:....	2011-11-05 23:12:15 +08:00
common-algo.c	merge kexguess branch	2013-04-03 00:49:24 +08:00
common-channel.c	Improve EOF handling for half-close. Patch from Catalin Patulea	2013-09-21 00:17:22 +08:00
common-chansession.c
common-kex.c	Fix build when zlib is disabled, from	2013-04-16 22:16:32 +08:00
common-runopts.c	Fix "-c none" so that it allows aes during authentication	2013-03-20 23:52:49 +08:00
common-session.c	requirenext fixup for firstkexfollows	2013-04-14 23:16:16 +08:00
compat.c	Fix compat basename() to handle paths with no slashes. Thanks to Frank Teo	2013-03-19 20:04:55 +08:00
compat.h
config.guess	Update config.guess and config.sub	2013-05-13 21:06:35 +08:00
config.sub	Update config.guess and config.sub	2013-05-13 21:06:35 +08:00
configure.ac	Fix bad comma in header list	2013-05-13 21:35:13 +08:00
dbclient.1	Use % rather than # for port delimiter	2013-04-17 23:17:27 +08:00
dbmulti.c	Add URL to usage text	2013-03-21 23:10:47 +08:00
dbutil.c	Constant time memcmp for the hmac and password crypt	2013-10-03 22:25:30 +08:00
dbutil.h	Constant time memcmp for the hmac and password crypt	2013-10-03 22:25:30 +08:00
debug.h	requirenext fixup for firstkexfollows	2013-04-14 23:16:16 +08:00
dropbear.8	Document "-m" and "-c"	2013-02-22 23:53:49 +08:00
dropbearconvert.c
dropbearkey.8	Document "-m" and "-c"	2013-02-22 23:53:49 +08:00
dropbearkey.c	Add URL to usage text	2013-03-21 23:10:47 +08:00
dss.c	Move the more verbose TRACE() statements into TRACE2()	2013-04-01 00:07:26 +08:00
dss.h	Rename rsa_key to dropbear_rsa_key (and same for dss too) so	2010-07-21 12:55:25 +00:00
fake-rfc2553.c	- Update fake-rfc2553.{c,h} from OpenSSH 5.5p1	2010-07-21 13:53:23 +00:00
fake-rfc2553.h	- Update fake-rfc2553.{c,h} from OpenSSH 5.5p1	2010-07-21 13:53:23 +00:00
filelist.txt
gendss.c	/dev/random blocks on busy servers too.	2012-07-19 21:34:27 +08:00
gendss.h	Rename rsa_key to dropbear_rsa_key (and same for dss too) so	2010-07-21 12:55:25 +00:00
genrsa.c	/dev/random blocks on busy servers too.	2012-07-19 21:34:27 +08:00
genrsa.h	Rename rsa_key to dropbear_rsa_key (and same for dss too) so	2010-07-21 12:55:25 +00:00
includes.h	Try using writev() for writing packets out to tcp	2013-03-31 23:15:35 +08:00
INSTALL	Fix spelling typo	2007-07-19 14:07:41 +00:00
install-sh
kex.h	Add kexguess2 behaviour	2013-03-29 23:29:48 +08:00
keyimport.c	Remove an unused variable	2008-09-22 14:13:14 +00:00
keyimport.h
LICENSE	LICENSE - Update copyright to 2008	2008-11-05 13:53:14 +00:00
list.c	list.c also has no trailing newline	2011-07-05 12:52:06 +00:00
list.h	Fix lost ending newline	2011-07-05 12:50:15 +00:00
listener.c	Fixed DEBUG_TRACE macro so that we don't get semicolons left about the place	2005-01-02 20:25:56 +00:00
listener.h
loginrec.c	If running as non-root only allow that user to log in	2013-04-17 22:29:18 +08:00
loginrec.h
Makefile.in	merge from head roundtrip changes	2013-04-01 00:13:41 +08:00
MULTI
options.h	Don't enable CLI_IMMEDIATE_AUTH by default, it breaks blank password logins	2013-04-18 21:47:38 +08:00
packet.c	Constant time memcmp for the hmac and password crypt	2013-10-03 22:25:30 +08:00
packet.h	- Get rid of decryptreadbuf, just decrypt in-place with readbuf	2009-03-01 16:15:57 +00:00
process-packet.c	Fix error message for requirenext change	2013-04-15 22:01:41 +08:00
progressmeter.c	Update to scp from OpenSSH portable 4.3p2	2006-03-08 14:20:24 +00:00
progressmeter.h
queue.c	Move the more verbose TRACE() statements into TRACE2()	2013-04-01 00:07:26 +08:00
queue.h	Try using writev() for writing packets out to tcp	2013-03-31 23:15:35 +08:00
random.c	limit how much we read from rt_cache etc	2013-05-28 22:16:57 +08:00
random.h	/dev/random blocks on busy servers too.	2012-07-19 21:34:27 +08:00
README	update text about authorized_keys options	2013-03-21 23:11:16 +08:00
rsa.c	Move the more verbose TRACE() statements into TRACE2()	2013-04-01 00:07:26 +08:00
rsa.h	Rename rsa_key to dropbear_rsa_key (and same for dss too) so	2010-07-21 12:55:25 +00:00
runopts.h	-y -y to disable hostkey checking	2013-04-14 22:49:10 +08:00
scp.c	Fix incorrect logic for USE_VFORK and calling arg_setup()	2013-03-31 23:29:03 +08:00
scpmisc.c	Define _GNU_SOURCE for vasprintf	2013-03-24 00:02:20 +08:00
scpmisc.h	put back the TIMEVAL_TO_TIMESPEC and timersub macros for Linux	2006-03-11 14:57:12 +00:00
service.h	Don't bother waiting for a ssh-connection service reply - the server	2013-03-31 21:38:17 +08:00
session.h	requirenext fixup for firstkexfollows	2013-04-14 23:16:16 +08:00
signkey.c	Move the more verbose TRACE() statements into TRACE2()	2013-04-01 00:07:26 +08:00
signkey.h	Rename rsa_key to dropbear_rsa_key (and same for dss too) so	2010-07-21 12:55:25 +00:00
SMALL	0.44 release changes	2005-01-02 17:08:27 +00:00
ssh.h	propagate from branch 'au.asn.ucc.matt.dropbear' (head 0501e6f661b5415eb76f3b312d183c3adfbfb712)	2006-03-21 16:20:59 +00:00
sshpty.c	ignore I_PUSH if it isn't defined, for Android from Reimar Döffinger	2013-03-19 20:12:19 +08:00
sshpty.h
svr-agentfwd.c	Clean up fd on failure. Found by Klocwork	2011-04-07 13:25:00 +00:00
svr-auth.c	improve auth failure delays to avoid indicating which users exist	2013-05-26 18:39:24 +08:00
svr-authpam.c	- Fix minor leak	2012-02-22 22:05:24 +08:00
svr-authpasswd.c	Constant time memcmp for the hmac and password crypt	2013-10-03 22:25:30 +08:00
svr-authpubkey.c	Improve capitalisation for all logged strings	2011-02-23 15:50:30 +00:00
svr-authpubkeyoptions.c	Fixed compilation with unset ENABLE_{SVR,CLI}_AGENTFWD.	2012-03-26 16:17:16 +04:00
svr-chansession.c	Remove accidental one second sleep leftover from debugging	2013-08-12 22:41:00 +08:00
svr-kex.c	requirenext fixup for firstkexfollows	2013-04-14 23:16:16 +08:00
svr-main.c	Fix a few compile warnings	2013-03-23 23:17:01 +08:00
svr-runopts.c	Add URL to usage text	2013-03-21 23:10:47 +08:00
svr-service.c	Improve capitalisation for all logged strings	2011-02-23 15:50:30 +00:00
svr-session.c	merge kexguess branch	2013-04-03 00:49:24 +08:00
svr-tcpfwd.c	Server shouldn't return "localhost" in response to -R forward connections	2012-05-09 21:09:34 +08:00
svr-x11fwd.c	Fix a few compile warnings	2013-03-23 23:17:01 +08:00
sysoptions.h	2013.58	2013-04-18 22:57:47 +08:00
tcp-accept.c	Server shouldn't return "localhost" in response to -R forward connections	2012-05-09 21:09:34 +08:00
tcpfwd.h	Server shouldn't return "localhost" in response to -R forward connections	2012-05-09 21:09:34 +08:00
termcodes.c	add IUTF8	2013-04-02 19:11:13 +08:00
termcodes.h
TODO	0.48 progress	2006-03-09 12:37:38 +00:00
x11fwd.h

README

This is Dropbear, a smallish SSH 2 server and client.
https://matt.ucc.asn.au/dropbear/dropbear.html

INSTALL has compilation instructions.

MULTI has instructions on making a multi-purpose binary (ie a single binary
which performs multiple tasks, to save disk space)

SMALL has some tips on creating small binaries.

See TODO for a few of the things I know need looking at, and please contact
me if you have any questions/bugs found/features/ideas/comments etc :)

Matt Johnston
matt@ucc.asn.au


In the absence of detailed documentation, some notes follow:
============================================================================

Server public key auth:

You can use ~/.ssh/authorized_keys in the same way as with OpenSSH, just put
the key entries in that file. They should be of the form:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwVa6M6cGVmUcLl2cFzkxEoJd06Ub4bVDsYrWvXhvUV+ZAM9uGuewZBDoAqNKJxoIn0Hyd0Nk/yU99UVv6NWV/5YSHtnf35LKds56j7cuzoQpFIdjNwdxAN0PCET/MG8qyskG/2IE2DPNIaJ3Wy+Ws4IZEgdJgPlTYUBWWtCWOGc= someone@hostname

You must make sure that ~/.ssh, and the key file, are only writable by the
user. Beware of editors that split the key into multiple lines.

Dropbear supports some options for authorized_keys entries, see the manpage.

============================================================================

Client public key auth:

Dropbear can do public key auth as a client, but you will have to convert
OpenSSH style keys to Dropbear format, or use dropbearkey to create them.

If you have an OpenSSH-style private key ~/.ssh/id_rsa, you need to do:

dropbearconvert openssh dropbear ~/.ssh/id_rsa  ~/.ssh/id_rsa.db
dbclient -i ~/.ssh/id_rsa.db <hostname>

Currently encrypted keys aren't supported, neither is agent forwarding. At some
stage both hopefully will be.

============================================================================

If you want to get the public-key portion of a Dropbear private key, look at
dropbearkey's '-y' option.

============================================================================

To run the server, you need to generate server keys, this is one-off:
./dropbearkey -t rsa -f dropbear_rsa_host_key
./dropbearkey -t dss -f dropbear_dss_host_key

or alternatively convert OpenSSH keys to Dropbear:
./dropbearconvert openssh dropbear /etc/ssh/ssh_host_dsa_key dropbear_dss_host_key

============================================================================

If the server is run as non-root, you most likely won't be able to allocate a
pty, and you cannot login as any user other than that running the daemon
(obviously). Shadow passwords will also be unusable as non-root.

============================================================================

The Dropbear distribution includes a standalone version of OpenSSH's scp
program. You can compile it with "make scp", you may want to change the path
of the ssh binary, specified by _PATH_SSH_PROGRAM in options.h . By default
the progress meter isn't compiled in to save space, you can enable it by 
adding 'SCPPROGRESS=1' to the make commandline.