Dropbear ssh server
02-11-2006, 01:16 AM
Here is a port of dropbear (http://matt.ucc.asn.au/dropbear/dropbear.html) SSH server for mips TiVo.
Dropbear includes a client, server, key generator, and scp in a single compilation called dropbearmulti. Much like busybox, symlinks are created pointing each program in the package back to dropbearmulti.
To install this package:
1. transfer the dropbearmulti_XXXX.zip file to your TiVo and expand into /tivo-bin
2. cd /tivo-bin
3. ln -sf dropbearmulti dropbear
4. ln -sf dropbearmulti dbclient
5. ln -sf dropbearmulti dropbearkey
6. ln -sf dropbearmulti scp
7. mkdir -p /tivo-bin/ssh
8. chmod 700 /tivo-bin/ssh
9. dropbearkey -t dss -f /tivo-bin/ssh/dropbear_dss_host_key
10. dropbearkey -t rsa -f /tivo-bin/ssh/dropbear_rsa_host_key
11. touch /tivo-bin/ssh/authorized_keys
12. chmod 600 /tivo-bin/ssh/*
13. If you want to use a public and private key authentication, you need to generate a key using Putty. You want to export an openssh-compatible public key and write it to /tivo-bin/ssh/authorized_keys. If you're not sure what I'm talking about, then take a moment and rtfm.
14. add "root:x:0:0:root:/var/hack:/bin/bash" (no quotes) to /etc/passwd (it may already be there if you have set up crond). See here (http://dealdatabase.com/forum/showpost.php?p=278550&postcount=3) for notes on using BASH
15. add "root:x:0:" to /etc/group
16. you can use password authentication by setting a password for root using crypt.
17. now you can start the server with /tivo-bin/dropbear from rc.sysinit.author
18. connect using ssh root@tivo
Now there are a few caveats to using this port. The location of the host keys is configurable with the -d and -r switch, but the location of authorized_keys is not. So you might as well put all the keys in /tivo-bin/ssh as per above. Note that the chmod's above are important.
The following environment is automatically set up for non-interactive sessions (otherwise you end up with a default environment).
If you run into trouble, try launching dropbear with the -F -E switches and connect using ssh -v, which will give you some debug info.
Overall, dropbear works well. It secures access to the TiVo and can be launched from rc.sysinit.author directly.
Newest version is here. (http://dealdatabase.com/forum/showpost.php?p=299760&postcount=8)
See here (http://dealdatabase.com/forum/showpost.php?p=286508&postcount=6) for autossh.
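The post stresses that the symlinks and the chmods in steps 3-12 matter. This is an added example, not the original poster's code: a POSIX sh function that audits a /tivo-bin tree for exactly that layout (the directory is a parameter so it can be run against a staging copy) and returns non-zero, listing each problem, if anything is off.

```sh
#!/bin/sh
# Added example (not from the original post). Checks that a dropbear install
# matches the layout described in the post's steps 3-12:
#   - dropbear, dbclient, dropbearkey and scp are symlinks to dropbearmulti
#   - <bindir>/ssh exists and is mode 700
#   - both host keys and authorized_keys exist and are mode 600
# Returns 0 when everything matches, 1 otherwise.
check_dropbear_layout() {
    bindir=${1:-/tivo-bin}      # the post installs into /tivo-bin
    sshdir=$bindir/ssh
    rc=0

    # Step 3-6: each applet must be a symlink resolving to dropbearmulti.
    for app in dropbear dbclient dropbearkey scp; do
        case "$(readlink "$bindir/$app" 2>/dev/null)" in
            dropbearmulti|*/dropbearmulti) ;;
            *) echo "missing or wrong symlink: $bindir/$app"; rc=1 ;;
        esac
    done

    # Step 7-8: the key directory must exist and be exactly mode 700.
    if [ -z "$(find "$bindir" -maxdepth 1 -name ssh -type d -perm 700)" ]; then
        echo "missing or not mode 700: $sshdir"; rc=1
    fi

    # Step 9-11: host keys and authorized_keys must be present.
    for f in dropbear_dss_host_key dropbear_rsa_host_key authorized_keys; do
        [ -f "$sshdir/$f" ] || { echo "missing file: $sshdir/$f"; rc=1; }
    done

    # Step 12: every file in the key directory must be exactly mode 600
    # (private host keys and the trusted-key list should not be readable
    # or writable by anyone but root).
    for f in $(find "$sshdir" -maxdepth 1 -type f ! -perm 600 2>/dev/null); do
        echo "not mode 600: $f"; rc=1
    done
    return $rc
}
```

Run it as `check_dropbear_layout /tivo-bin` from rc.sysinit.author before starting the server, and refuse to launch dropbear if it fails.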
01-11-2007, 12:36 AM
Here's an update to the dropbear SSH server for mips TiVo.
Dropbear sshd v0.48.2 compiled for TiVo mips
Usage: dropbear [options]
-b bannerfile Display the contents of bannerfile before user login
-d dsskeyfile Use dsskeyfile for the dss host key
-r rsakeyfile Use rsakeyfile for the rsa host key
-F Don't fork into background
-E Log to stderr rather than syslog
-w Disallow root logins
-s Disable password logins
-g Disable password logins for root
-j Disable local port forwarding
-k Disable remote port forwarding
-a Allow connections to forwarded ports from any host
-p port Listen on specified tcp port, up to 10 can be specified
(default 22 if none specified)
All of my previous post describing dropbear still applies, except that the server NOW has the ability to do password authentication using information stored in /etc/passwd.
Typically, your /etc/passwd file will look something like this:
The "x" indicates that the passwd for root is not set. To set the password for root you have two choices. In the first, I have included a small utility (crypt) to manually encrypt your password:
crypt - DES one-way password encryption tool.
Usage: crypt '<salt>' '<key>'
<salt> is a two-character string chosen from the set [a-zA-Z0-9./]
<key> is a user's typed password (40-character string max)
e.g., crypt '0Z' 'T1V0' -> 0ZefiBk.NHbhM
The output of crypt can be used to replace "x" for root in /etc/passwd:
You should now be able to log in using "T1V0" as the password. The second method uses the program passwd in busybox (I'm running 1.5.0) to encrypt and update your password in one step. Maybe Alphawolf can add passwd to busybox in his next compile. :)
03-18-2007, 01:05 PM
To set up dropbear to use bash as its default shell you need to do two things:
1. Edit "/etc/shells" (create if it doesn't already exist) to include bash:
2. Edit "/etc/passwd" to use bash and also define the default directory:
You should then create a ".profile" in "/var/hack" to setup your environment.
As mentioned above, if you run dropbear in such a way that it does not need to assign a terminal, then it will use a predefined, hardcoded environment (this is out of necessity):
If you execute:
ssh root@tivo 'echo $PATH'
you will see the above path, no matter what is in your .profile. This is what is called a non-interactive session, and is generally a special case. This environment allows you to run non-interactive TiVo tcl scripts through ssh.
05-31-2007, 03:44 PM
Here is dropbear 0.49.1 for TiVo mips, which updates to the current version. The change log for this version is as follows (from Matt Johnston's website):
- Security: dbclient previously would prompt to confirm a
mismatching hostkey but wouldn't warn loudly. It will now
exit upon a mismatch.
- Compile fixes, make sure that all variable definitions are at the start
of a scope.
- Added -P pidfile argument to the server (from Swen Schillig)
- Add -N dbclient option for "no command"
- Add -f dbclient option for "background after auth"
- Add ability to limit binding to particular addresses, use
-p [address:]port, patch from Max-Gerd Retzlaff.
- Try to finally fix ss_family compilation problems (for old
- Fix finding relative-path server hostkeys when running daemonized
- Use $HOME in preference to that from /etc/passwd, so that
dbclient can still work on broken systems.
- Fix various issues found by Klocwork defect analysis, mostly memory leaks
and error-handling. Thanks to Klocwork for their service.
- Improve building in a separate directory
- Add compile-time LOG_COMMANDS option to log user commands
- Add '-y' flag to dbclient to unconditionally accept host keys,
patch from Luciano Miguel Ferreira Rocha
- Return immediately for "sleep 10 & echo foo", rather than waiting
for the sleep to return (pointed out by Rob Landley).
- Avoid hanging after exit in certain cases (such as scp)
- Various minor fixes, in particular various leaks reported by
- Disable core dumps on startup
- Don't erase over every single buffer, since it was a bottleneck.
On systems where it really matters, encrypted swap should be utilised.
- Read /dev/[u]random only once at startup to conserve kernel entropy
- Upgrade to LibTomCrypt 1.16 and LibTomMath 0.40
- Upgrade config.status and config.guess
08-10-2007, 12:35 AM
Updated archive as per the following change log.
0.50 - Wed 8 August 2007
- Add DROPBEAR_PASSWORD environment variable to specify a dbclient password
- Use /dev/urandom by default, since that's what everyone does anyway
- Correct vfork() use for uClinux in scp
(thanks to Alex Landau)
- Exit with an exit code of 1 if dropbear can't bind to any ports
(thanks to Nicolai Ehemann)
- Improve network performance and add a -W <receive_window> argument for
adjusting the tradeoff between network performance and memory consumption.
- Fix a problem where reply packets could be sent during key exchange,
in violation of the SSH spec. This could manifest itself with connections
being terminated after 8 hours with new TCP-forward connections being
- Add -K <keepalive_time> argument, ensuring that data is transmitted
over the connection at least every N seconds.
- dropbearkey will no longer generate DSS keys of sizes other than 1024
bits, as required by the DSS specification. (Other sizes are still
accepted for use to provide backwards compatibility).
If you have questions post in Series 2 Support Thread Here (http://www.dealdatabase.com/forum/showthread.php?t=55261).
08-26-2007, 03:35 PM
Here is a port of Carson Harding's autossh (http://www.harding.motd.ca/autossh/) for TiVo mips. It can be used with dropbear to maintain ssh tunnels between machines.
From his website:
* autossh is a program to start a copy of ssh and monitor it, restarting it as necessary should it die or stop passing traffic. The idea is from rstunnel (Reliable SSH Tunnel), but implemented in C.
* The author's view is that it is not as fiddly as rstunnel to get to work.
* Connection monitoring using a loop of port forwardings or a remote echo service.
* Backs off on rate of connection attempts when experiencing rapid failures such as connection refused.
* Compiled and tested on OpenBSD, Linux, Solaris, Mac OS X, Cygwin, and AIX; should work on other BSDs.
This version of autossh is hard-coded for /tivo-bin/dbclient from dropbear, but this can be changed with an environmental variable. The best way to understand how autossh can be used is to read the README (http://www.harding.motd.ca/autossh/README).
Here is an example that I use with dbclient from dropbear to tunnel tivowebplus:
autossh -M20000 -R 8080:localhost:80 email@example.com -N -i /tivo-bin/ssh/id_dsa -f
In this example I use a dropbear generated key (id_dsa), but I could have set the environmental variable DROPBEAR_PASSWORD (new for dropbear version 0.50.1) to automate the password login without the key. For the meaning of the other switches passed to dbclient, see the post above.
Running autossh alone gives:
usage: autossh [-V] [-M monitor_port[:echo_port]] [-f] [SSH_OPTIONS]
-M specifies monitor port. May be overridden by environment
variable AUTOSSH_PORT. 0 turns monitoring loop off.
Alternatively, a port for an echo service on the remote
machine may be specified. (Normally port 7.)
-f run in background (autossh handles this, and does not
pass it to ssh.)
-V print autossh version and exit.
Environment variables are:
AUTOSSH_GATETIME - how long must an ssh session be established
before we decide it really was established
AUTOSSH_LOGFILE - file to log to (default is to use the syslog
AUTOSSH_LOGLEVEL - level of log verbosity
AUTOSSH_MAXSTART - max times to restart (default is no limit)
AUTOSSH_MESSAGE - message to append to echo string (max 64 bytes)
AUTOSSH_PATH - path to ssh if not default
AUTOSSH_PIDFILE - write pid to this file
AUTOSSH_POLL - how often to check the connection (seconds)
AUTOSSH_FIRST_POLL - time before first connection check (seconds)
AUTOSSH_PORT - port to use for monitor connection
AUTOSSH_DEBUG - turn logging to maximum verbosity and log to
Note on the installation: autossh requires the libnsl.so.1 library (included), which must be placed in /lib; autossh can be placed in /tivo-bin (like with dropbear). One last thing...please make sure your tunnels work before you hand them over to autossh to manage.
04-16-2008, 03:42 PM
0.51 - Thu 27 March 2008
- Make a copy of password fields rather erroneously relying on getwpnam()
to be safe to call multiple times
- If $SSH_ASKPASS_ALWAYS environment variable is set (and $SSH_ASKPASS is
as well) always use that program, ignoring isatty() and $DISPLAY
- Wait until a process exits before the server closes a connection, so
that an exit code can be sent. This fixes problems with exit codes not
being returned, which could cause scp to fail.
11-13-2008, 09:41 PM
0.52 - Wed 12 November 2008
- Add "netcat-alike" option (-B) to dbclient, allowing Dropbear to tunnel
standard input/output to a TCP port-forwarded remote host.
- Add "proxy command" support to dbclient, to allow using a spawned process for
IO rather than a direct TCP connection. eg
is equivalent to
dbclient -J 'nc remotehost 22' remotehost
(the hostname is still provided purely for looking up saved host keys)
- Combine netcat-alike and proxy support to allow "multihop" connections, with
comma-separated host syntax. Allows running
to end up at host3 via the other two, using SSH TCP forwarding. It's a bit
like onion-routing. All connections are established from the local machine.
The comma-separated syntax can also be used for scp/rsync, eg
rsync -a -e dbclient m@gateway,m2@host,martello:/home/matt/ ~/backup/
to bounce through a few hosts.
- Add -I "idle timeout" option (contributed by Farrell Aultman)
- Allow restrictions on authorized_keys logins such as restricting commands
to be run etc. This is a subset of those allowed by OpenSSH, doesn't
yet allow restricting source host.
- Use vfork() for scp on uClinux
- Default to PATH=/usr/bin:/bin for shells.
- Report errors if -R forwarding fails
- Add counter mode cipher support, which avoids some security problems with the
standard CBC mode.
- Support firstname.lastname@example.org delayed compression for client/server. It can be
required for the Dropbear server with the '-Z' option. This is useful for
security as it avoids exposing the server to attacks on zlib by
unauthenticated remote users, though requires client side support.
- options.h has been split into options.h (user-changable) and sysoptions.h
(less commonly changed)
- Support "dbclient -s sftp" to specify a subsystem
- Fix a bug in replies to channel requests that could be triggered by recent
versions of PuTTY
02-24-2011, 10:46 PM
Updated to 0.53.1...
0.53 - Thurs 24 February 2011
- Various performance/memory use improvements
- Client agent forwarding now works, using OpenSSH's ssh-agent
- Improve robustness of client multihop mode
- Fix a prime generation bug in bundled libtommath. This is unlikely to have
generated any bad keys in the wild.
- Attempt to build against system libtomcrypt/libtommath if available. This
can be disabled with ./configure --enable-bundled-libtom
- Make -K (keepalive) and -I (idle timeout) work together sensibly in the client.
The idle timeout is no longer reset by SSH_MSG_IGNORE packets.
- Compile fix if ENABLE_CLI_PROXYCMD is disabled
- /usr/bin/X11/xauth is now the default path
- Client remote forward (-L/-R) arguments now accept a listen address
- In uClinux avoid trashing the parent process when a session exits
- Blowfish is now disabled by default since it has large memory usage
- Add option to change zlib windowbits/memlevel. Use less memory by default
- DROPBEAR_SMALL_CODE is now disabled by default
- SSH_ORIGINAL_COMMAND environment variable is set by the server when an
authorized_keys command is specified.
- Set SSH_TTY and SSH_CONNECTION environment variables in the server
- Client banner is now printed to standard error rather than standard output
- Capitalisation in many log messages has been made consistent. This may affect
scripts that parse logfiles.