dropbear: better handle interfaces - introduce 'DirectInterface' option to bind exactly to specified interface; fixes #9666 and late IPv4/IPv6 address assignment - option 'DirectInterface' takes precedence over 'Interface' - improve interface/address handling, e.g. verify count of listening endpoints due to dropbear limit (10 for now) Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
dropbear: better handle receive window size - correct maximum receive window size - adjust receive window size against maximum allowed value - warn about too high receive window size in syslog improves f95eecfb Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
dropbear: adjust file permissions runtime: - adjust ownership/permissions while starting dropbear build time: - correct file permissions for preseed files in $(TOPDIR)/files/etc/dropbear/ (if any) closes #10849 Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
dropbear: 'rsakeyfile' -> 'keyfile' transition end users should have done this since OpenWrt 19.07. if they didn't do this yet - perform auto-transition. schedule 'rsakeyfile' removal for next year release. Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
dropbear: increase default receive window size Increasing the receive window size improves throughout on higher-latency links such as WAN connections. The current default of 24KB caps out at around 500 KB/s. Increasing the receive buffer to 256KB increases the throughput to at least 11 MB/s. Signed-off-by: David Bauer <mail@david-bauer.net>
dropbear: add ed25519 for failsafe key At least Fedora and RHEL 9 set RSAMinSize=2048, so when trying to use failsafe, we get 'Bad server host key: Invalid key length' To workaround the issue, we can use: ssh -o RSAMinSize=1024 ... Generating 2048 bits RSA is extremely slow, so add ed25519. We keep RSA 1024 to be as compatible as possible. Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
dropbear: add ForceCommand uci option adds ForceCommand option. If the command is specified, it forces users to execute the command when they log in. Signed-off-by: Nozomi Miyamori <inspc43313@yahoo.co.jp> Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
dropbear: init: replace backticks with $() This replaces deprecated backticks by more versatile $(...) syntax. Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com> [add commit description] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
dropbear: add ed25519 and chacha20-poly1305 - add Ed25519 support (backport): * DROPBEAR_ED25519 option for ssh-ed25519, * disabled by default - add Chacha20-Poly1305 support (backport): * DROPBEAR_CHACHA20POLY1305 for chacha20-poly1305@openssh.com, * enabled by default - update feature costs in binary size Signed-off-by: Vladislav Grishenko <themiron@mail.ru>
dropbear: move failsafe code out of base-files The sender domain has a DMARC Reject/Quarantine policy which disallows sending mailing list messages using the original "From" header. To mitigate this problem, the original message has been wrapped automatically by the mailing list software. Failsafe code of dropbear should be in the dropbear package not the base-files package. Signed-off-by: Kyle Copperfield <kmcopper@danwin1210.me>
dropbear: introduce config option "keyfile" (replacement for "rsakeyfile") * option "keyfile" is more generic than "rsakeyfile". * option "rsakeyfile" is considered to be deprecated and should be removed in future releases. * warn user (in syslog) if option "rsakeyfile" is used * better check options ("rsakeyfile" and "keyfile"): don't append "-r keyfile" to command line if file is absent (doesn't exist or empty), warn user (in syslog) about such files Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
procd: Add wrapper for uci_validate_section() This adds a wrapper (uci_load_validate) for uci_validate_section() that allows callers (through a callback function) to access the values set by uci_validate_section(), without having to manually declare a (potentially long) list of local variables. The callback function receives two arguments when called, the config section name and the return value of uci_validate_section(). If no callback function is given, then the wrapper exits with the value returned by uci_validate_section(). This also updates several init scripts to use the new wrapper function. Signed-off-by: Jeffery To <jeffery.to@gmail.com>
dropbear: fix dropbear startup issue Interface triggers are installed by the dropbear init script in case an interface is configured for a given dropbear uci section. As dropbear is started after network the interface trigger event can be missed during a small window; this is especially the case if lan is specified as interface. Fix this by starting dropbear before network so no interface trigger is missed. As dropbear is started earlier than netifd add a boot function to avoid the usage of network.sh functions as call to such functions will fail at boottime. Signed-off-by: Hans Dedecker <dedeckeh@gmail.com> Acked-by: Jo-Philipp Wich <jo@mein.io>
dropbear: close all active clients on shutdown Override the default shutdown action (stop) and close all processes of dropbear Since commit 498fe85, the stop action only closes the process that's listening for new connections, maintaining the ones with existing clients. This poses a problem when restarting or shutting-down a device, because the connections with existing SSH clients, like OpenSSH, are not properly closed, causing them to hang. This situation can be avoided by closing all dropbear processes when shutting-down the system, which closes properly the connections with current clients. Signed-off-by: Christian Schoenebeck <christian.schoenebeck@gmail.com> [Luis: Rework commit message] Signed-off-by: Luis Araneda <luaraneda@gmail.com>
dropbear: add option to set receive window size The default receive window size in dropbear is hardcoded to 24576 byte to limit memory usage. This value was chosen for 100Mbps networks, and limits the throughput of scp on faster networks. It also severely limits scp throughput on high-latency links. Add an option to set the receive window size so that people can improve performance without having to recompile dropbear. Setting the window size to the highest value supported by dropbear improves throughput from my build machine to an APU2 on the same LAN from 7MB/s to 7.9MB/s, and to an APU2 over a link with ~65ms latency from 320KB/s to 7.5MB/s. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>