Your message dated Fri, 16 Aug 2024 20:47:08 +0000
with message-id <e1sf3qm-005xhq...@fasolo.debian.org>
and subject line Bug#1069768: fixed in dropbear 2022.83-1+deb12u2
has caused the Debian Bug report #1069768,
regarding The 'no-port-forwarding' key restriction disables server alive
message support
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1069768: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069768
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: dropbear-initramfs
Version: 2022.83-1+deb12u1
Severity: normal
X-Debbugs-Cc: deb...@rocketjump.eu
Hi,
I have a remote server running bookworm that is configured to use
dropbear-initramfs and cryptsetup-initramfs to unlock the LUKS container. The
way I unlock it is shown below:
$ until ssh r...@hopper-boot.rocketjump.eu cryptroot-unlock; do sleep 3; done
ssh: connect to host hopper-boot.rocketjump.eu port 22: Connection refused
ssh: connect to host hopper-boot.rocketjump.eu port 22: Connection refused
ssh: connect to host hopper-boot.rocketjump.eu port 22: Connection refused
ssh: connect to host hopper-boot.rocketjump.eu port 22: Connection refused
ssh: connect to host hopper-boot.rocketjump.eu port 22: Connection refused
ssh: connect to host hopper-boot.rocketjump.eu port 22: Connection timed out
ssh: connect to host hopper-boot.rocketjump.eu port 22: Connection timed out
ssh: connect to host hopper-boot.rocketjump.eu port 22: Connection timed out
ssh: connect to host hopper-boot.rocketjump.eu port 22: Connection timed out
ssh: connect to host hopper-boot.rocketjump.eu port 22: Connection timed out
ssh: connect to host hopper-boot.rocketjump.eu port 22: Connection timed out
ssh: connect to host hopper-boot.rocketjump.eu port 22: Connection timed out
ssh: connect to host hopper-boot.rocketjump.eu port 22: Connection timed out
ssh: connect to host hopper-boot.rocketjump.eu port 22: Connection timed out
ssh: connect to host hopper-boot.rocketjump.eu port 22: Connection timed out
ssh: connect to host hopper-boot.rocketjump.eu port 22: Connection timed out
ssh: connect to host hopper-boot.rocketjump.eu port 22: Connection timed out
Please unlock disk md2_crypt
Timeout, server hopper-boot.rocketjump.eu not responding.
Please unlock disk md2_crypt
Timeout, server hopper-boot.rocketjump.eu not responding.
Please unlock disk md2_crypt
Timeout, server hopper-boot.rocketjump.eu not responding.
Timeout, server hopper-boot.rocketjump.eu not responding.
Timeout, server hopper-boot.rocketjump.eu not responding.
Timeout, server hopper-boot.rocketjump.eu not responding.
^C^C
As you can see, while rebooting the connection is refused, as sshd is already
shut down, but the server is reachable. Then the connection times out while it's
still doing a POST. At some point dropbear becomes reachable, as shown by the
output of "Please unlock disk md2_crypt", however the connection seems to error
out after a while, and after three attempts, dropbear becomes unresponsive. This
forces me to hard reset the server and try again until I catch it at the right
moment.
After some debugging, it turns out that ServerAliveInterval != 0 will cause the
ssh client to reset the connection, which dropbear will count as an unlock attempt,
and after three tries it will fail and drop to the initramfs shell, after which it's
not reachable anymore.
It would be great to prominently document that dropbear(-initramfs) does not
handle the ServerAliveInterval ssh client setting.
Greets,
Lee
-- System Information:
Debian Release: 12.5
APT prefers stable-updates
APT policy: (990, 'stable-updates'), (990, 'stable-security'), (990,
'proposed-updates'), (990, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-20-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages dropbear-initramfs depends on:
ii busybox 1:1.35.0-4+b3
pn dropbear-bin <none>
ii initramfs-tools 0.142
ii udev 252.23-1~deb12u1
Versions of packages dropbear-initramfs recommends:
ii cryptsetup-initramfs 2:2.6.1-4~deb12u2
dropbear-initramfs suggests no packages.
--- End Message ---
--- Begin Message ---
Source: dropbear
Source-Version: 2022.83-1+deb12u2
Done: Guilhem Moulin <guil...@debian.org>
We believe that the bug you reported is fixed in the latest version of
dropbear, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1069...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guilhem Moulin <guil...@debian.org> (supplier of updated dropbear package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 09 Jul 2024 14:22:02 +0200
Source: dropbear
Architecture: source
Version: 2022.83-1+deb12u2
Distribution: bookworm
Urgency: medium
Maintainer: Guilhem Moulin <guil...@debian.org>
Changed-By: Guilhem Moulin <guil...@debian.org>
Closes: 1069768
Changes:
dropbear (2022.83-1+deb12u2) bookworm; urgency=medium
.
* Fix noremotetcp behavior. Keepalive packets were being ignored when the
‛-k’ flag (or ‛no-port-forwarding’ authorized_keys(5) restriction) was
used. (Closes: #1069768)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
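Added example, not part of the bug report or of the dropbear package: a client-side check for initramfs images still on a dropbear older than 2022.83-1+deb12u2, the version the closing message names as the fix. It reads the effective client configuration from `ssh -G`, works out when the OpenSSH client would give up on a server that ignores keepalives (ServerAliveInterval times ServerAliveCountMax, default 3), and returns the option that disables keepalives for the unlock session only. The function names, the sample data and the host name are assumptions.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed for illustration.

# Constructed, abbreviated sample of `ssh -G <host>` output
# (one lowercase keyword followed by its value per line).
SAMPLE_SSH_G='hostname boot-host.example
port 22
serveraliveinterval 15
serveralivecountmax 3'

# Print the value of one keyword from `ssh -G` output read on stdin,
# or the given default when the keyword is absent.
ssh_opt() {  # usage: ssh_opt <keyword> <default>
    awk -v k="$1" -v d="$2" '$1 == k { v = $2; f = 1 } END { print (f ? v : d) }'
}

# Seconds after which the client drops a server that never answers keepalives:
# ServerAliveInterval * ServerAliveCountMax. 0 means keepalives are off.
keepalive_deadline() {  # stdin: ssh -G output
    cfg=$(cat)
    i=$(printf '%s\n' "$cfg" | ssh_opt serveraliveinterval 0)
    c=$(printf '%s\n' "$cfg" | ssh_opt serveralivecountmax 3)
    echo $(( $i * $c ))
}

# Extra ssh arguments for the unlock session: disable client keepalives only
# when the effective configuration would otherwise send them.
unlock_ssh_args() {  # stdin: ssh -G output
    if [ "$(keepalive_deadline)" -gt 0 ]; then
        echo '-o ServerAliveInterval=0'
    fi
}

# Typical use against a pre-fix initramfs (host name is a placeholder):
#   args=$(ssh -G root@boot-host.example | unlock_ssh_args)
#   until ssh $args root@boot-host.example cryptroot-unlock; do sleep 3; done
```

With the sample configuration the client would disconnect after 45 seconds of unanswered keepalives, which is the "Timeout, server ... not responding" line in the report.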