
Dropbear 2024.84

@mkj mkj released this 04 Apr 11:58

Download tarballs from https://matt.ucc.asn.au/dropbear/releases/dropbear-2024.84.tar.bz2 or
https://mirror.dropbear.nl/mirror/releases/dropbear-2024.84.tar.bz2
The tarball is reproducible from git with release.sh

Features and Changes:

Note >> for compatibility/configuration changes

  • >> Only use /etc/shadow when a user has x as the crypt field in /etc/passwd.
    This is the documented behaviour of passwd(5), so it should be consistent with
    other programs. Thanks to Paulo Cabral for the report.
    Note that users whose crypt field is not x can no longer log in via
    /etc/shadow, where an existing configuration relied on that.

  • Support -o StrictHostKeyChecking, patch from Sergey Ponomarev

  • Support -o BatchMode, from Sergey Ponomarev and Hans Harder

  • Support various other -o options compatible with OpenSSH, from
    Sergey Ponomarev. Includes -o PasswordAuthentication

  • Add dbclient config file support, ~/.ssh/dropbear_config
    Thanks to tjkolev
    Disabled by default; enable it with #define DROPBEAR_USE_SSH_CONFIG 1
    in localoptions.h

  • Add support for unix socket forwarding (destination) on
    the server, thanks to WangYi for the implementation

  • Add option to bind to interface, from Diederik De Coninck

  • Ignore unsupported arguments in dropbearkey, allow running
    binary as 'ssh-key'. From Sergey Ponomarev

  • dropbearkey now also writes a public key file when generating a key.
    -C sets a comment, and a default key type is chosen when none is
    given (ed25519 first preference).
    Thanks to Sergey Ponomarev

  • Allow inetd to run in non-syslog modes. Thanks to Laurent Bercot
    for the report

  • Allow user's own gid in PTY permissions, lets Dropbear work as non-root
    even if /dev/pts isn't mounted with gid=5

  • src/distrooptions.h can now be used as another config file.
    This can be used by distributions for customisations (separate
    to the build directory's localoptions.h)
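The /etc/shadow change above is easy to get wrong when auditing an upgrade, so here is an added example (not Dropbear's code) that models the passwd(5) rule as stated: the hash in /etc/shadow is consulted only when the passwd crypt field is "x"; any other value (a hash, "*", "!") is used as-is. The sample passwd and shadow contents are constructed and carry no real credentials, and users_affected_by_change() lists the accounts whose behaviour differs under the new rule, which is what an administrator wants to check before deploying 2024.84.

```python
"""Model of the passwd(5) lookup rule Dropbear 2024.84 follows.
Added example, not Dropbear's own code. Sample files are constructed."""

from typing import Dict, List, Optional

# Constructed /etc/passwd: field 2 is the crypt field. "x" means the real
# hash lives in /etc/shadow; anything else is used directly.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/sh
bob:$6$saltsalt$hashedbob:1001:1001:Bob:/home/bob:/bin/sh
locked:*:1002:1002:Locked:/home/locked:/bin/false
"""

# Constructed /etc/shadow. Note bob has an entry here too, which the old
# unconditional-shadow behaviour would have used.
SAMPLE_SHADOW = """\
root:$6$saltsalt$hashedroot:19800:0:99999:7:::
alice:$6$saltsalt$hashedalice:19800:0:99999:7:::
bob:$6$saltsalt$shadowbob:19800:0:99999:7:::
"""


def parse_colon_file(text: str) -> Dict[str, List[str]]:
    """Parse passwd/shadow-style lines into {username: fields}."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def crypt_field_for(user: str, passwd_text: str, shadow_text: str) -> Optional[str]:
    """Return the string a passwd(5)-conforming login program compares the
    password against, or None if there is nothing to compare with."""
    pw = parse_colon_file(passwd_text).get(user)
    if pw is None:
        return None                      # unknown user
    crypt = pw[1]
    if crypt != "x":
        return crypt                     # passwd field wins; shadow is ignored
    sp = parse_colon_file(shadow_text).get(user)
    if sp is None:
        return None                      # "x" but no shadow entry
    return sp[1]


def users_affected_by_change(passwd_text: str, shadow_text: str) -> List[str]:
    """Accounts whose passwd crypt field is not "x" but that also have a
    shadow entry. Per the release note these previously authenticated via
    /etc/shadow; under the passwd(5) rule the passwd field is used instead."""
    pw = parse_colon_file(passwd_text)
    sp = parse_colon_file(shadow_text)
    return sorted(u for u, f in pw.items() if f[1] != "x" and u in sp)


if __name__ == "__main__":
    for u in ("root", "alice", "bob", "locked", "nobody"):
        print(u, "->", crypt_field_for(u, SAMPLE_PASSWD, SAMPLE_SHADOW))
    print("affected:", users_affected_by_change(SAMPLE_PASSWD, SAMPLE_SHADOW))
```

On a real host the equivalent pre-upgrade check is a one-liner over the live file, awk -F: '$2 != "x" { print $1 }' /etc/passwd, which prints every account that will no longer be looked up in /etc/shadow.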

Fixes:

  • dbclient host >> output would previously overwrite "output", instead of
    appending. Thanks for the report from eSotoIoT

  • Add "Strict KEX" support. This mitigates an SSH protocol flaw which lets
    a MITM attacker silently remove packets immediately after the
    first key exchange. At present the flaw does not seem to reduce Dropbear's
    security (the only packet affected would be a server-sig-algs extension,
    which is used for compatibility, not security).
    For Dropbear, chacha20-poly1305 is the only affected cipher.
    Both sides of the connection must support Strict KEX for it to be used.

    The protocol flaw is tracked as CVE-2023-48795, details
    at https://terrapin-attack.com . Thanks to the researchers Fabian Bäumer,
    Marcus Brinkmann, and Jörg Schwenk. Thanks to OpenSSH for specifying
    strict KEX mode.

  • Fix blocking while closing forwarded TCP sessions. Noticeable
    when many connections are being forwarded. Reported and
    tested by GektorUA. Github #230

  • Don't offer RSA (then fail) if there is no RSA key. Regression in 2020.79
    Github #219

  • Fix missing response to remote TCP requests when it is disabled.
    Patch from Justin Chen. Github #254

  • Fix building with DROPBEAR_RSA disabled

  • /proc/timer_list is no longer used for entropy, it was a bottleneck.
    Thanks to Aleksei Plotnikov for the report.

  • Don't unconditionally enable DROPBEAR_DSS

  • Make banner reading failure non-fatal

  • Fix DROPBEAR_SVR_MULTIUSER. This appears to have been broken since when it
    was added in 2019. If you're using this let me know (it might be removed
    if I don't hear otherwise). Thanks to davidatrsp

  • Fix Y2038 issues
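The Strict KEX fix above is easier to reason about with the packet sequence in front of you, so here is an added example (not Dropbear's or OpenSSH's code) that models the server-to-client direction of the exchange with and without strict mode. It tracks only message numbers and sequence numbers, standing in for the real MAC/nonce binding: chacha20-poly1305 uses the sequence number as its nonce, so an encrypted packet can only be decrypted if both sides agree on that number. The message numbers are the real RFC 4253/8308 values; the kex-strict-*-v00@openssh.com names are the markers OpenSSH's PROTOCOL specification defines for negotiating the mode, which the note says Dropbear adopted. The attacker behaviour modelled (a cleartext SSH_MSG_IGNORE injected before NEWKEYS, then one encrypted packet dropped after it) is the prefix-truncation pattern described at terrapin-attack.com.

```python
"""Toy model of SSH strict KEX (the CVE-2023-48795 countermeasure).
Added example, not Dropbear's or OpenSSH's code. Encryption is modelled
only as 'sequence number must match', which is what binds the real nonce/MAC."""

from dataclasses import dataclass
from typing import List, Union

# Real SSH message numbers (RFC 4253, RFC 8308).
SSH_MSG_IGNORE = 2
SSH_MSG_SERVICE_ACCEPT = 6
SSH_MSG_EXT_INFO = 7
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_KEXDH_REPLY = 31

# Pseudo-KEX names from OpenSSH's PROTOCOL file, sent in the KEXINIT list.
KEX_STRICT_C = "kex-strict-c-v00@openssh.com"
KEX_STRICT_S = "kex-strict-s-v00@openssh.com"


def strict_kex_negotiated(client_kex_algs: List[str], server_kex_algs: List[str]) -> bool:
    """Strict mode is used only when each side advertised its marker."""
    return KEX_STRICT_C in client_kex_algs and KEX_STRICT_S in server_kex_algs


@dataclass
class Packet:
    msg: int
    seq: int          # sender's sequence number when the packet was built
    encrypted: bool   # built after the sender's own NEWKEYS


class Sender:
    def __init__(self, strict: bool):
        self.strict, self.seq, self.keys_on = strict, 0, False

    def send(self, msg: int) -> Packet:
        p = Packet(msg, self.seq, self.keys_on)
        self.seq += 1
        if msg == SSH_MSG_NEWKEYS:
            self.keys_on = True
            if self.strict:
                self.seq = 0          # strict KEX: counter restarts after NEWKEYS
        return p


class Receiver:
    def __init__(self, strict: bool):
        self.strict, self.seq, self.in_initial_kex = strict, 0, True
        self.log: List[int] = []

    def receive(self, p: Packet) -> None:
        # Encrypted packets decrypt only if our counter equals the sender's.
        if p.encrypted and p.seq != self.seq:
            raise ConnectionError(f"mismatch: expected seq {self.seq}, got {p.seq}")
        # Strict mode: nothing but KEX traffic is tolerated before NEWKEYS.
        is_kex = p.msg in (SSH_MSG_KEXINIT, SSH_MSG_NEWKEYS) or 30 <= p.msg <= 49
        if self.strict and self.in_initial_kex and not is_kex:
            raise ConnectionError(f"strict KEX: unexpected message {p.msg} during initial KEX")
        self.log.append(p.msg)
        self.seq += 1
        if p.msg == SSH_MSG_NEWKEYS:
            self.in_initial_kex = False
            if self.strict:
                self.seq = 0


def terrapin_scenario(strict: bool, inject_ignore: bool, drop_ext_info: bool) -> Union[List[int], str]:
    """Server sends KEXINIT, KEXDH_REPLY, NEWKEYS, EXT_INFO, SERVICE_ACCEPT.
    Returns the client's accepted message list, or the abort reason."""
    server, client = Sender(strict), Receiver(strict)
    wire = [server.send(SSH_MSG_KEXINIT), server.send(SSH_MSG_KEXDH_REPLY)]
    if inject_ignore:                       # attacker: cleartext, no MAC to check
        wire.append(Packet(SSH_MSG_IGNORE, -1, False))
    wire.append(server.send(SSH_MSG_NEWKEYS))
    ext_info = server.send(SSH_MSG_EXT_INFO)
    if not drop_ext_info:                   # attacker: drop the first encrypted packet
        wire.append(ext_info)
    wire.append(server.send(SSH_MSG_SERVICE_ACCEPT))
    try:
        for p in wire:
            client.receive(p)
    except ConnectionError as e:
        return str(e)
    return client.log


if __name__ == "__main__":
    print("no strict, inject+drop:", terrapin_scenario(False, True, True))
    print("no strict, drop only:  ", terrapin_scenario(False, False, True))
    print("strict, inject+drop:   ", terrapin_scenario(True, True, True))
    print("strict, drop only:     ", terrapin_scenario(True, False, True))
```

Without strict mode the injected IGNORE advances the client's counter by one, so after EXT_INFO is dropped the counters line up again and the connection continues with EXT_INFO (and its server-sig-algs) silently gone. With strict mode the IGNORE is rejected outright, and even a bare drop fails because both counters restart at zero after NEWKEYS.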

Infrastructure:

  • Move source files to src/ subdirectory. Thanks to tjkolev

  • Remove more files with "make distclean"

  • Add tests for disabled options