| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
| |
Got lost merging the DEBUG/TRACE level patch
|
|
|
|
|
|
|
| |
Now can correctly handle '-b [ipv6address]:port'
Code is shared with dropbear -p, though they handle colon-less arguments
differently
|
|
|
|
|
|
| |
Based on a patch from Hans Harder.
This also tidies formatting and un-needed parts
|
| |
|
|
|
|
|
|
|
| |
When multihop executes dbclient it should only add -i arguments
from the original commandline, not the default id_dropbear key.
Otherwise multiple -i arguments keep getting added which
results in servers disconnecting with too many auth attempts
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When dropbear is used in a very restricted environment (such as in a
initrd), the default user shell is often also very restricted
and doesn't take care of setting the PATH so the user ends up
with the PATH set by dropbear. Unfortunately, dropbear always
sets "/usr/bin:/bin" as default PATH even for the root user
which should have /usr/sbin and /sbin too.
For a concrete instance of this problem, see the "Remote Unlocking"
section in this tutorial: https://paxswill.com/blog/2013/11/04/encrypted-raspberry-pi/
It speaks of a bug in the initramfs script because it's written "blkid"
instead of "/sbin/blkid"... this is just because the scripts from the
initramfs do not expect to have a PATH without the sbin directories and
because dropbear is not setting the PATH appropriately for the root user.
I'm thus suggesting to use the attached patch to fix this misbehaviour (I
did not test it, but it's easy enough). It might seem anecdotic but
multiple Kali users have been bitten by this.
From https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903403
|
| |
|
|
|
|
|
|
|
|
|
| |
For the time being Dropbear will only allow SK auth with default
parameters, user-presence needs to be set.
In future handling of authorized_keys option "no-touch-required" can be
added.
This code would also be refactored to share between ecdsa and ed25519
once I get hardware/emulation to test ed25519.
|
|
|
|
| |
Caught by just-added c89 build
|
| |
|
| |
|
|
|
|
| |
(Part was missed from previous series of commits)
|
|
|
|
|
|
| |
Patch modified by Matt Johnston
Signed-off-by: Begley Brothers Inc <begleybrothers@gmail.com>
|
|
|
|
|
|
| |
Also trim whitespaces.
Signed-off-by: Begley Brothers Inc <begleybrothers@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Why:
Running dropbear as a user (rootless) is aided if
files and programs can be saved/removed without
needing sudo.
What:
Use the same convention as DROPBEAR_DEFAULT_CLI_AUTHKEY;
if not starting with '/', then is relative to hedge's /home/hedge:
*_PRIV_FILENAME
DROPBEAR_PIDFILE
SFTPSERVER_PATH
default_options.h commentary added.
Changes kept to a minimum, so log entry in svr_kex.c#163
is refactored.
From:
Generated hostkey is <path> ... <finger-print>
to:
Generated hostkey path is <path>
Generated hostkey fingerprint is <fp>
Otherwise the unexpanded path was reported.
Patch modified by Matt Johnston
Signed-off-by: Begley Brothers Inc <begleybrothers@gmail.com>
|
|
|
|
|
|
|
|
| |
This is necessary on NFS with squash root.
Based on work from Chris Dragan
This commit also tidies some trailing whitespace.
Fixes github pull #107
|
|
|
|
| |
Add comments for SK keys
|
| |
|
| |
|
|
|
|
|
|
| |
SHA256 is always compiled and only enable SHA1 when needed. Fingerprints
are always SHA256: base64 format, md5 and sha1 are removed. dbrandom now
uses sha256 its hash function.
|
|
|
|
|
| |
Twofish CTR was never enabled by default and CBC modes are
deprecated
|
| |
|
|
|
|
| |
Simplify handling for different key types
|
| |
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
| |
Added support for reading and writing. PEM writing support
has been removed.
OpenSSH file format routines have been moved to signkey_ossh.c
|
|
|
|
|
|
| |
This introduces buf_put_ed25519_priv_ossh and buf_get_ed25519_priv_ossh
to handle OpenSSH internal private key format. Previously writing
OpenSSH format keys didn't write the private part correctly.
|
| |
|
| |
|
|
|
|
| |
-vvvv is equivalent to the old -v
|
|
|
|
|
|
| |
Otherwise child shells can't enable coredumps if desired.
Fixes #145 on github
|
|
|
|
|
|
|
|
| |
This reverts git commit f972813ecdc7bb981d25b5a63638bd158f1c8e72.
The sk algorithms need to remain in the sigalgs list so that they
are included in the server-sig-algs ext-info message sent by
the server. RFC8308 for server-sig-algs requires that all algorithms are
listed (though OpenSSH client 8.4p1 tested doesn't require that)
|
| |
|
|
|
|
|
| |
This makes github actions create a tarball sha256sum for comparison.
The release.sh script now works in a git repository too.
|
|\ |
|
| |
| |
| |
| | |
Also try a less repetitive way of specifying macros
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
|\ \
| |/ |
|
| |
| |
| |
| |
| | |
This makes it safe to use from fuzzer-pubkey without leaking
the value since the cleanup isn't called
|