Dropbear 2024.84
Download tarballs from https://matt.ucc.asn.au/dropbear/releases/dropbear-2024.84.tar.bz2 or
https://mirror.dropbear.nl/mirror/releases/dropbear-2024.84.tar.bz2
The tarball is reproducible from git with release.sh
Features and Changes:

Note >> for compatibility/configuration changes

- >> Only use /etc/shadow when a user has "x" as the crypt in /etc/passwd.
  This is the documented behaviour of passwd(5) so should be consistent with
  other programs. Thanks to Paulo Cabral for the report.
  Note that any users without "x" as the crypt will not be able
  to log in with /etc/shadow, in cases where the existing configuration
  differs.
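To make the new rule concrete, the following added example (not Dropbear's own code) resolves the hash that authentication would verify against from constructed passwd and shadow lines: the shadow entry is consulted only when the passwd crypt field is exactly "x", so a legacy entry carrying its hash directly in /etc/passwd keeps using that hash even if a shadow line also exists for the user. The sample entries and the resolve_hash/resolves_to helpers are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Where the hash to verify came from, per the rule above. */
enum hash_source { HASH_NONE = 0, HASH_FROM_PASSWD = 1, HASH_FROM_SHADOW = 2 };

/* Constructed sample entries (not real system files). Field layout follows
 * passwd(5) and shadow(5): name:crypt:... and name:hash:... */
static const char *const PASSWD_DB[] = {
    "alice:x:1000:1000:Alice:/home/alice:/bin/sh",
    "legacy:$6$pwdsalt$HASHINPASSWD:1001:1001::/home/legacy:/bin/sh",
    "locked:!:1002:1002::/home/locked:/usr/sbin/nologin",
};
static const char *const SHADOW_DB[] = {
    "alice:$6$shsalt$HASHINSHADOW:19800:0:99999:7:::",
    "legacy:$6$shsalt$NEVERUSED:19800:0:99999:7:::",
};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Find the line for `user` in a colon-separated db and copy its second field
 * (crypt in passwd, hash in shadow) into out. 0 on success, -1 if absent or malformed. */
static int db_second_field(const char *const *db, size_t n, const char *user,
                           char *out, size_t outlen)
{
    size_t ulen = strlen(user);
    for (size_t i = 0; i < n; i++) {
        const char *line = db[i];
        if (strncmp(line, user, ulen) != 0 || line[ulen] != ':')
            continue;
        const char *start = line + ulen + 1;
        const char *end = strchr(start, ':');
        if (end == NULL)
            return -1;
        size_t flen = (size_t)(end - start);
        if (flen + 1 > outlen)
            return -1;
        memcpy(out, start, flen);
        out[flen] = '\0';
        return 0;
    }
    return -1;
}

/* Resolve the hash authentication would verify against: /etc/shadow is
 * consulted only when the passwd crypt field is exactly "x"; otherwise the
 * passwd field itself is the hash (or a lock marker such as "!"). */
enum hash_source resolve_hash(const char *user, char *out, size_t outlen)
{
    char crypt_field[256];
    if (db_second_field(PASSWD_DB, COUNT(PASSWD_DB), user,
                        crypt_field, sizeof crypt_field) != 0)
        return HASH_NONE;
    if (strcmp(crypt_field, "x") == 0) {
        /* "x" but no shadow entry: nothing to verify against, so deny. */
        if (db_second_field(SHADOW_DB, COUNT(SHADOW_DB), user, out, outlen) != 0)
            return HASH_NONE;
        return HASH_FROM_SHADOW;
    }
    if (strlen(crypt_field) + 1 > outlen)
        return HASH_NONE;
    strcpy(out, crypt_field);
    return HASH_FROM_PASSWD;
}

/* Check helper: does `user` resolve to `expected` taken from `src`? */
int resolves_to(const char *user, enum hash_source src, const char *expected)
{
    char buf[256];
    enum hash_source got = resolve_hash(user, buf, sizeof buf);
    if (got != src)
        return 0;
    return src == HASH_NONE || strcmp(buf, expected) == 0;
}

int main(void)
{
    static const char *const users[] = { "alice", "legacy", "locked", "nobody" };
    for (size_t i = 0; i < COUNT(users); i++) {
        char buf[256];
        enum hash_source src = resolve_hash(users[i], buf, sizeof buf);
        printf("%-7s source=%d hash=%s\n", users[i], (int)src,
               src == HASH_NONE ? "(none)" : buf);
    }
    return 0;
}
```

The "legacy" user is the migration case the note warns about: its shadow line is never consulted because the passwd crypt field is not "x", so a deployment that relied on the old behaviour of always checking shadow needs its passwd entries changed to "x" (or the hash moved) before upgrading.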
- Support -o StrictHostKeyChecking, patch from Sergey Ponomarev

- Support -o BatchMode, from Sergey Ponomarev and Hans Harder

- Support various other -o options compatible with OpenSSH, from
  Sergey Ponomarev. Includes -o PasswordAuthentication

- Add dbclient config file support, ~/.ssh/dropbear_config
  Thanks to tjkolev
  Disabled by default, set #define DROPBEAR_USE_SSH_CONFIG 1

- Add support for unix socket forwarding (destination) on
  the server, thanks to WangYi for the implementation

- Add option to bind to interface, from Diederik De Coninck

- Ignore unsupported arguments in dropbearkey, allow running
  binary as 'ssh-key'. From Sergey Ponomarev

- Save a public key file on generation with dropbearkey.
  -C can be used for a comment, and choose a default key
  type (ed25519 first preference).
  Thanks to Sergey Ponomarev

- Allow inetd to run in non-syslog modes. Thanks to Laurent Bercot
  for the report

- Allow user's own gid in PTY permissions, lets Dropbear work as non-root
  even if /dev/pts isn't mounted with gid=5

- src/distrooptions.h can now be used as another config file.
  This can be used by distributions for customisations (separate
  to the build directory's localoptions.h)
Fixes:

- "dbclient host >> output" would previously overwrite "output", instead of
  appending. Thanks for the report from eSotoIoT

- Add "Strict KEX" support. This mitigates an SSH protocol flaw which lets
  a MITM attacker silently remove packets immediately after the
  first key exchange. At present the flaw does not seem to reduce Dropbear's
  security (the only packet affected would be a server-sig-algs extension,
  which is used for compatibility not security).
  For Dropbear, chacha20-poly1305 is the only affected cipher.
  Both sides of the connection must support Strict KEX for it to be used.
  The protocol flaw is tracked as CVE-2023-48795, details
  at https://terrapin-attack.com . Thanks to the researchers Fabian Bäumer,
  Marcus Brinkmann, and Jörg Schwenk. Thanks to OpenSSH for specifying
  strict KEX mode.
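As an added example (not Dropbear's code), here is the receive-side shape of the mitigation the entry describes: strict KEX is in effect only when both peers advertised it in their kex_algorithms name-list, and while it is in effect the initial key exchange rejects any packet that is not part of the exchange and resets the packet sequence number after NEWKEYS, so the handshake packet count no longer feeds into the sequence numbers of encrypted packets. The marker names kex-strict-c-v00@openssh.com and kex-strict-s-v00@openssh.com are taken from OpenSSH's PROTOCOL document and are not mentioned in the changelog; the message sequences and helper functions are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SSH message numbers (RFC 4253). */
#define SSH_MSG_IGNORE        2
#define SSH_MSG_DEBUG         4
#define SSH_MSG_SERVICE_ACCEPT 6
#define SSH_MSG_KEXINIT       20
#define SSH_MSG_NEWKEYS       21
#define SSH_MSG_KEXDH_REPLY   31

/* Strict-KEX markers from OpenSSH's PROTOCOL document (assumed, not from the changelog). */
#define KEX_STRICT_CLIENT_MARKER "kex-strict-c-v00@openssh.com"
#define KEX_STRICT_SERVER_MARKER "kex-strict-s-v00@openssh.com"

struct kex_state {
    int strict;            /* strict KEX negotiated */
    int initial_kex_done;  /* first NEWKEYS received */
    uint32_t recv_seq;     /* receive packet sequence number */
};

/* 1 if `name` is a whole element of a comma-separated SSH name-list. */
static int namelist_contains(const char *list, const char *name)
{
    size_t nlen = strlen(name);
    for (const char *p = list; ; ) {
        const char *comma = strchr(p, ',');
        size_t elen = comma ? (size_t)(comma - p) : strlen(p);
        if (elen == nlen && memcmp(p, name, nlen) == 0)
            return 1;
        if (comma == NULL)
            return 0;
        p = comma + 1;
    }
}

/* Both sides must advertise their marker for strict KEX to be used. */
int strict_kex_negotiated(int we_are_server, const char *our_kex_list,
                          const char *peer_kex_list)
{
    const char *ours = we_are_server ? KEX_STRICT_SERVER_MARKER : KEX_STRICT_CLIENT_MARKER;
    const char *theirs = we_are_server ? KEX_STRICT_CLIENT_MARKER : KEX_STRICT_SERVER_MARKER;
    return namelist_contains(our_kex_list, ours) && namelist_contains(peer_kex_list, theirs);
}

/* Guard applied to every received packet. In strict mode during the initial
 * exchange the first packet must be KEXINIT and IGNORE/DEBUG are not allowed;
 * after NEWKEYS the sequence number is reset. Returns 1 to accept, 0 to disconnect. */
int strict_kex_accept_packet(struct kex_state *s, uint8_t msg_type)
{
    uint32_t seq = s->recv_seq++;
    if (s->strict && !s->initial_kex_done) {
        if (seq == 0 && msg_type != SSH_MSG_KEXINIT)
            return 0;
        if (msg_type == SSH_MSG_IGNORE || msg_type == SSH_MSG_DEBUG)
            return 0;
    }
    if (msg_type == SSH_MSG_NEWKEYS) {
        s->initial_kex_done = 1;
        if (s->strict)
            s->recv_seq = 0;
    }
    return 1;
}

/* Constructed receive sequences as seen by a client (message types only). */
static const uint8_t CLEAN_HANDSHAKE[] = { SSH_MSG_KEXINIT, SSH_MSG_KEXDH_REPLY, SSH_MSG_NEWKEYS, SSH_MSG_SERVICE_ACCEPT };
static const uint8_t IGNORE_FIRST[]    = { SSH_MSG_IGNORE, SSH_MSG_KEXINIT, SSH_MSG_KEXDH_REPLY, SSH_MSG_NEWKEYS };
static const uint8_t IGNORE_MID[]      = { SSH_MSG_KEXINIT, SSH_MSG_IGNORE, SSH_MSG_KEXDH_REPLY, SSH_MSG_NEWKEYS };
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* Feed a sequence through the guard; returns index of the first rejected packet or -1. */
static int run_sequence(int strict, const uint8_t *msgs, size_t n, struct kex_state *out)
{
    struct kex_state s = { strict, 0, 0 };
    int rejected = -1;
    for (size_t i = 0; i < n && rejected < 0; i++)
        if (!strict_kex_accept_packet(&s, msgs[i]))
            rejected = (int)i;
    if (out)
        *out = s;
    return rejected;
}

/* which: 0 = clean handshake, 1 = IGNORE before KEXINIT, 2 = IGNORE inside the exchange. */
int demo_first_rejected(int strict, int which)
{
    switch (which) {
    case 0:  return run_sequence(strict, CLEAN_HANDSHAKE, COUNT(CLEAN_HANDSHAKE), NULL);
    case 1:  return run_sequence(strict, IGNORE_FIRST, COUNT(IGNORE_FIRST), NULL);
    default: return run_sequence(strict, IGNORE_MID, COUNT(IGNORE_MID), NULL);
    }
}

/* Sequence number after the clean handshake: reset by NEWKEYS only in strict mode. */
uint32_t demo_seq_after_clean_handshake(int strict)
{
    struct kex_state s;
    run_sequence(strict, CLEAN_HANDSHAKE, COUNT(CLEAN_HANDSHAKE), &s);
    return s.recv_seq;
}

int main(void)
{
    for (int strict = 0; strict <= 1; strict++)
        for (int which = 0; which < 3; which++)
            printf("strict=%d sequence=%d first_rejected=%d\n",
                   strict, which, demo_first_rejected(strict, which));
    return 0;
}
```

With strict mode off, all three constructed sequences are accepted, which is the behaviour the entry says both peers fall back to when either side lacks support; the negotiation check is therefore worth logging on servers so operators can see which clients still connect without it.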
- Fix blocking while closing forwarded TCP sessions. Noticeable
  when many connections are being forwarded. Reported and
  tested by GektorUA. Github #230

- Don't offer RSA (then fail) if there is no RSA key. Regression in 2020.79
  Github #219

- Fix missing response to remote TCP requests when it is disabled.
  Patch from Justin Chen. Github #254

- Fix building with DROPBEAR_RSA disabled

- /proc/timer_list is no longer used for entropy, it was a bottleneck.
  Thanks to Aleksei Plotnikov for the report.

- Don't unconditionally enable DROPBEAR_DSS

- Make banner reading failure non-fatal

- Fix DROPBEAR_SVR_MULTIUSER. This appears to have been broken since when it
  was added in 2019. If you're using this let me know (it might be removed
  if I don't hear otherwise). Thanks to davidatrsp

- Fix Y2038 issues
Infrastructure:

- Move source files to src/ subdirectory. Thanks to tjkolev

- Remove more files with "make distclean"

- Add tests for disabled options