
Thread: Dropbear ssh server

  1. #1
    Join Date
    Nov 2004
    Posts
    24

    Dropbear ssh server

    Here is a port of dropbear SSH server for mips TiVo.

    Dropbear includes a client, server, key generator, and scp in a single compilation called dropbearmulti. Much like busybox, symlinks are created pointing each program in the package back to dropbearmulti.

    To install this package:
    1. transfer the dropbearmulti_XXXX.zip file to your TiVo and expand into /tivo-bin
    2. cd /tivo-bin
    3. ln -sf dropbearmulti dropbear
    4. ln -sf dropbearmulti dbclient
    5. ln -sf dropbearmulti dropbearkey
    6. ln -sf dropbearmulti scp
    7. mkdir -p /tivo-bin/ssh
    8. chmod 700 /tivo-bin/ssh
    9. dropbearkey -t dss -f /tivo-bin/ssh/dropbear_dss_host_key
    10. dropbearkey -t rsa -f /tivo-bin/ssh/dropbear_rsa_host_key
    11. touch /tivo-bin/ssh/authorized_keys
    12. chmod 600 /tivo-bin/ssh/*
    13. If you want to use public and private key authentication, you need to generate a key using PuTTY. You want to export an OpenSSH-compatible public key and write it to /tivo-bin/ssh/authorized_keys. If you're not sure what I'm talking about, then take a moment and rtfm.
    14. add "root:x:0:0:root:/var/hack:/bin/bash" (no quotes) to /etc/passwd (it may already be there if you have set up crond). See here for notes on using BASH
    15. add "root:x:0:" to /etc/group
    16. you can use password authentication by setting a password for root using crypt.
    17. now you can start the server with /tivo-bin/dropbear from rc.sysinit.author
    18. connect using ssh root@tivo

    Now there are a few caveats to using this port. The location of the host keys is configurable with the -d and -r switches, but the location of authorized_keys is not. So you might as well put all the keys in /tivo-bin/ssh as per above. Note that the chmods above are important.

    The following environment is automatically set up for non-interactive sessions (otherwise you end up with a default environment).
    TIVO_ROOT=
    PATH=/bin:/sbin:/tvbin:/tivo-bin:/var/hack/bin:/var/hack/sbin
    MFS_DEVICE=/dev/hda10
    If you run into trouble, try launching dropbear with the -F -E switches and connect using ssh -v, which will give you some debug info.

    Overall, dropbear works well. It secures access to the TiVo and can be launched from rc.sysinit.author directly.

    Newest version is here.

    See here for autossh.
    Last edited by supernaut; 11-15-2008 at 06:02 PM. Reason: Clarification
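A check for the layout and file modes the steps above prescribe, added here as an example (it is not part of the original post or of Dropbear); it assumes the paths from the steps and audits /tivo-bin/ssh, or any directory passed in:

```python
import os
import stat

# Paths and file names the first post prescribes for this port
KEY_DIR = "/tivo-bin/ssh"
EXPECTED_FILES = ("dropbear_dss_host_key", "dropbear_rsa_host_key", "authorized_keys")


def audit_key_dir(key_dir=KEY_DIR):
    """Return a list of findings; an empty list means the layout matches the post.

    Checks that the directory is mode 0700, that every regular file in it is
    mode 0600, and that both host keys and authorized_keys exist. Dropbear
    hard-codes the authorized_keys location, and the post stresses that the
    chmods matter, so this is the first thing to verify when key login fails.
    """
    findings = []
    if not os.path.isdir(key_dir):
        return [f"{key_dir}: missing (mkdir -p it and chmod 700 it)"]
    dir_mode = stat.S_IMODE(os.stat(key_dir).st_mode)
    if dir_mode != 0o700:
        findings.append(f"{key_dir}: mode {dir_mode:04o}, expected 0700")
    for name in EXPECTED_FILES:
        if not os.path.isfile(os.path.join(key_dir, name)):
            findings.append(f"{key_dir}/{name}: missing")
    for name in sorted(os.listdir(key_dir)):
        path = os.path.join(key_dir, name)
        if not os.path.isfile(path):
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode != 0o600:
            findings.append(f"{path}: mode {mode:04o}, expected 0600")
    return findings


if __name__ == "__main__":
    for finding in audit_key_dir() or ["ok: key directory matches the post"]:
        print(finding)
```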

  2. #2
    Here's an update to the dropbear SSH server for mips TiVo.

    Dropbear sshd v0.48.2 compiled for TiVo mips
    Usage: dropbear [options]
    Options are:
    -b bannerfile Display the contents of bannerfile before user login
    (default: none)
    -d dsskeyfile Use dsskeyfile for the dss host key
    (default: /tivo-bin/ssh/dropbear_dss_host_key)
    -r rsakeyfile Use rsakeyfile for the rsa host key
    (default: /tivo-bin/ssh/dropbear_rsa_host_key)
    -F Don't fork into background
    -E Log to stderr rather than syslog
    -w Disallow root logins
    -s Disable password logins
    -g Disable password logins for root
    -j Disable local port forwarding
    -k Disable remote port forwarding
    -a Allow connections to forwarded ports from any host
    -p port Listen on specified tcp port, up to 10 can be specified
    (default 22 if none specified)
    All of my previous post describing dropbear still applies, except that the server NOW has the ability to do password authentication using information stored in /etc/passwd.

    Typically, your /etc/passwd file will look something like this:

    root:x:root:/var/hack:/bin/bash

    The "x" indicates that the passwd for root is not set. To set the password for root you have two choices. In the first, I have included a small utility (crypt) to manually encrypt your password:

    crypt - DES one-way password encryption tool.

    Usage: crypt '<salt>' '<key>'

    <salt> is a two-character string chosen from the set [a-zA-Z0-9./]
    <key> is a user's typed password (40-character string max)
    e.g., crypt '0Z' 'T1V0' -> 0ZefiBk.NHbhM
    The output of crypt can be used to replace "x" for root in /etc/passwd:

    root:0ZefiBk.NHbhM:root:/var/hack:/bin/bash

    You should now be able to login using "T1V0" as the password. The second method uses the program passwd in busybox (I'm running 1.5.0) to encrypt and update your password in one step. Maybe Alphawolf can add passwd to busybox in his next compile.
    Last edited by supernaut; 06-05-2007 at 08:18 PM. Reason: Removed old archive.
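An added example, not from the post or from Dropbear, that classifies the root password field and writes a crypt hash into a seven-field /etc/passwd entry (the format from step 14 of the first post); the sample passwd text is constructed, and the hash is the one the post shows for crypt '0Z' 'T1V0':

```python
import re

# Traditional crypt(3) DES output: two salt chars + eleven hash chars from [a-zA-Z0-9./]
DES_HASH_RE = re.compile(r"^[A-Za-z0-9./]{13}$")


def password_state(passwd_line):
    """Classify the password field of one seven-field /etc/passwd line.

    'locked': field is "x" (no password set, as in the post's default line)
    'empty':  blank field, i.e. root logs in with no password at all
    'des':    13-character crypt(3) output, e.g. what crypt '0Z' 'T1V0' prints
    'other':  anything else (a hash this DES-only crypt utility cannot produce)
    """
    fields = passwd_line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 colon-separated fields, got {len(fields)}")
    pw = fields[1]
    if pw == "x":
        return "locked"
    if pw == "":
        return "empty"
    return "des" if DES_HASH_RE.match(pw) else "other"


def set_root_hash(passwd_text, des_hash):
    """Return passwd_text with root's password field replaced by des_hash.

    Only the root entry changes; all other lines are copied through unchanged.
    Rejects anything that is not crypt(3) DES output, so a typo or a pasted
    hash of another type cannot silently lock root out of password login.
    """
    if not DES_HASH_RE.match(des_hash):
        raise ValueError("des_hash must be 13 characters from [a-zA-Z0-9./]")
    out = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == "root":
            fields[1] = des_hash
            line = ":".join(fields)
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample passwd text and the hash the post shows for crypt '0Z' 'T1V0'
SAMPLE_PASSWD = "root:x:0:0:root:/var/hack:/bin/bash\nnobody:x:99:99::/:/bin/false\n"
SAMPLE_HASH = "0ZefiBk.NHbhM"
```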

  3. #3
    Other Notes:

    To set up dropbear to use bash as its default shell you need to do two things:

    1. Edit "/etc/shells" (create if it doesn't already exist) to include bash:
    Code:
    BASH=/bin/bash
    2. Edit "/etc/passwd" to use bash and also define the default directory:

    Code:
    root:0:0:0:root:/var/hack:/bin/bash
    
                         |       |
                  default dir    | 
                               shell
    You should then create a ".profile" in "/var/hack" to setup your environment.

    As mentioned above, if you run dropbear in such a way that it does not need to assign a terminal, then it will use a predefined, hardcoded environment (this is out of necessity):
    Code:
    TIVO_ROOT=
    PATH=/bin:/sbin:/tvbin:/tivo-bin:/var/hack/bin:/var/hack/sbin
    MFS_DEVICE=/dev/hda10
    If you execute:
    Code:
    ssh root@tivo 'echo $PATH'
    you will see the above path, no matter what is in your .profile. This is what is called a non-interactive session, and is generally a special case. This environment allows you to run non-interactive TiVo tcl scripts through ssh.
    Last edited by supernaut; 09-12-2007 at 04:21 PM.

  4. #4
    Here is dropbear 0.49.1 for TiVo mips, which updates to the current version. The change log for this version is as follows (from Matt Johnston's website):

    - Security: dbclient previously would prompt to confirm a
    mismatching hostkey but wouldn't warn loudly. It will now
    exit upon a mismatch.

    - Compile fixes, make sure that all variable definitions are at the start
    of a scope.

    - Added -P pidfile argument to the server (from Swen Schillig)

    - Add -N dbclient option for "no command"

    - Add -f dbclient option for "background after auth"

    - Add ability to limit binding to particular addresses, use
    -p [address:]port, patch from Max-Gerd Retzlaff.

    - Try to finally fix ss_family compilation problems (for old
    glibc systems)

    - Fix finding relative-path server hostkeys when running daemonized

    - Use $HOME in preference to that from /etc/passwd, so that
    dbclient can still work on broken systems.

    - Fix various issues found by Klocwork defect analysis, mostly memory leaks
    and error-handling. Thanks to Klocwork for their service.

    - Improve building in a separate directory

    - Add compile-time LOG_COMMANDS option to log user commands

    - Add '-y' flag to dbclient to unconditionally accept host keys,
    patch from Luciano Miguel Ferreira Rocha

    - Return immediately for "sleep 10 & echo foo", rather than waiting
    for the sleep to return (pointed out by Rob Landley).

    - Avoid hanging after exit in certain cases (such as scp)

    - Various minor fixes, in particular various leaks reported by
    Erik Hovland

    - Disable core dumps on startup

    - Don't erase over every single buffer, since it was a bottleneck.
    On systems where it really matters, encrypted swap should be utilised.

    - Read /dev/[u]random only once at startup to conserve kernel entropy

    - Upgrade to LibTomCrypt 1.16 and LibTomMath 0.40

    - Upgrade config.status and config.guess
    Last edited by supernaut; 08-10-2007 at 01:38 AM. Reason: Removed old archive

  5. #5
    Updated archive as per the following change log.

    0.50 - Wed 8 August 2007

    - Add DROPBEAR_PASSWORD environment variable to specify a dbclient password

    - Use /dev/urandom by default, since that's what everyone does anyway

    - Correct vfork() use for uClinux in scp
    (thanks to Alex Landau)

    - Exit with an exit code of 1 if dropbear can't bind to any ports
    (thanks to Nicolai Ehemann)

    - Improve network performance and add a -W <receive_window> argument for
    adjusting the tradeoff between network performance and memory consumption.

    - Fix a problem where reply packets could be sent during key exchange,
    in violation of the SSH spec. This could manifest itself with connections
    being terminated after 8 hours with new TCP-forward connections being
    established.

    - Add -K <keepalive_time> argument, ensuring that data is transmitted
    over the connection at least every N seconds.

    - dropbearkey will no longer generate DSS keys of sizes other than 1024
    bits, as required by the DSS specification. (Other sizes are still
    accepted for use to provide backwards compatibility).

    If you have questions, post in the Series 2 Support Thread here.

    MD5: 67eacf7d3e96f09f345543e459d7c0b9
    Last edited by supernaut; 04-16-2008 at 04:43 PM. Reason: Remove old archive.

  6. #6
    Here is a port of Carson Harding's autossh for TiVo mips. It can be used with dropbear to maintain ssh tunnels between machines.

    From his website:
    * autossh is a program to start a copy of ssh and monitor it, restarting it as necessary should it die or stop passing traffic. The idea is from rstunnel (Reliable SSH Tunnel), but implemented in C.
    * The author's view is that it is not as fiddly as rstunnel to get to work.
    * Connection monitoring using a loop of port forwardings or a remote echo service.
    * Backs off on rate of connection attempts when experiencing rapid failures such as connection refused.
    * Compiled and tested on OpenBSD, Linux, Solaris, Mac OS X, Cygwin, and AIX; should work on other BSDs.
    * Freeware.
    This version of autossh is hard-coded for /tivo-bin/dbclient from dropbear, but this can be changed with an environment variable. The best way to understand how autossh can be used is to read the README.

    Here is an example that I use with dbclient from dropbear to tunnel tivowebplus:
    autossh -M20000 -R 8080:localhost:80 user@x.x.x.x -N -i /tivo-bin/ssh/id_dsa -f
    In this example I use a dropbear generated key (id_dsa), but I could have set the environment variable DROPBEAR_PASSWORD (new for dropbear version 0.50.1) to automate the password login without the key. For the meaning of the other switches passed to dbclient, see the post above.

    Running autossh alone gives:
    usage: autossh [-V] [-M monitor_port[:echo_port]] [-f] [SSH_OPTIONS]

    -M specifies monitor port. May be overridden by environment
    variable AUTOSSH_PORT. 0 turns monitoring loop off.
    Alternatively, a port for an echo service on the remote
    machine may be specified. (Normally port 7.)
    -f run in background (autossh handles this, and does not
    pass it to ssh.)
    -V print autossh version and exit.

    Environment variables are:
    AUTOSSH_GATETIME - how long must an ssh session be established
    before we decide it really was established
    (in seconds)
    AUTOSSH_LOGFILE - file to log to (default is to use the syslog
    facility)
    AUTOSSH_LOGLEVEL - level of log verbosity
    AUTOSSH_MAXSTART - max times to restart (default is no limit)
    AUTOSSH_MESSAGE - message to append to echo string (max 64 bytes)
    AUTOSSH_PATH - path to ssh if not default
    AUTOSSH_PIDFILE - write pid to this file
    AUTOSSH_POLL - how often to check the connection (seconds)
    AUTOSSH_FIRST_POLL - time before first connection check (seconds)
    AUTOSSH_PORT - port to use for monitor connection
    AUTOSSH_DEBUG - turn logging to maximum verbosity and log to
    stderr
    Note on the installation: autossh requires the libnsl.so.1 library (included), which must be placed in /lib; autossh can be placed in /tivo-bin (like with dropbear). One last thing... please make sure your tunnels work before you hand them over to autossh to manage.
    Last edited by supernaut; 09-12-2007 at 04:23 PM.

  7. #7
    New version:
    0.51 - Thu 27 March 2008

    - Make a copy of password fields rather erroneously relying on getwpnam()
    to be safe to call multiple times

    - If $SSH_ASKPASS_ALWAYS environment variable is set (and $SSH_ASKPASS is
    as well) always use that program, ignoring isatty() and $DISPLAY

    - Wait until a process exits before the server closes a connection, so
    that an exit code can be sent. This fixes problems with exit codes not
    being returned, which could cause scp to fail.
    Last edited by supernaut; 11-13-2008 at 10:42 PM. Reason: Removed old archive

  8. #8
    New version:
    0.52 - Wed 12 November 2008

    - Add "netcat-alike" option (-B) to dbclient, allowing Dropbear to tunnel
    standard input/output to a TCP port-forwarded remote host.

    - Add "proxy command" support to dbclient, to allow using a spawned process for
    IO rather than a direct TCP connection. eg
    dbclient remotehost
    is equivalent to
    dbclient -J 'nc remotehost 22' remotehost
    (the hostname is still provided purely for looking up saved host keys)

    - Combine netcat-alike and proxy support to allow "multihop" connections, with
    comma-separated host syntax. Allows running

    dbclient user1@host1,user2@host2,user3@host3

    to end up at host3 via the other two, using SSH TCP forwarding. It's a bit
    like onion-routing. All connections are established from the local machine.
    The comma-separated syntax can also be used for scp/rsync, eg

    rsync -a -e dbclient m@gateway,m2@host,martello:/home/matt/ ~/backup/

    to bounce through a few hosts.

    - Add -I "idle timeout" option (contributed by Farrell Aultman)

    - Allow restrictions on authorized_keys logins such as restricting commands
    to be run etc. This is a subset of those allowed by OpenSSH, doesn't
    yet allow restricting source host.

    - Use vfork() for scp on uClinux

    - Default to PATH=/usr/bin:/bin for shells.

    - Report errors if -R forwarding fails

    - Add counter mode cipher support, which avoids some security problems with the
    standard CBC mode.

    - Support zlib@openssh.com delayed compression for client/server. It can be
    required for the Dropbear server with the '-Z' option. This is useful for
    security as it avoids exposing the server to attacks on zlib by
    unauthenticated remote users, though requires client side support.

    - options.h has been split into options.h (user-changable) and sysoptions.h
    (less commonly changed)

    - Support "dbclient -s sftp" to specify a subsystem

    - Fix a bug in replies to channel requests that could be triggered by recent
    versions of PuTTY
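An added example (not Dropbear code) that parses authorized_keys lines carrying the option prefix this release introduces and lists keys with no command= restriction, so a defender can see which keys still grant a full shell; the sample keys are constructed, not real keys:

```python
KEY_TYPES = ("ssh-rsa", "ssh-dss")  # key types Dropbear accepts in authorized_keys


def parse_authorized_key(line):
    """Split one authorized_keys line into (options, keytype, key, comment).

    Returns None for blank and comment lines. The option prefix is scanned by
    hand because a quoted value such as command="..." may contain commas and
    spaces, which a plain split() would cut in the wrong place.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, rest = [], line
    if not line.startswith(tuple(k + " " for k in KEY_TYPES)):
        i, in_quote, cur = 0, False, []
        while i < len(line):
            ch = line[i]
            if ch == '"':
                in_quote = not in_quote
            elif ch == "\\" and in_quote and i + 1 < len(line):
                cur.append(line[i + 1]); i += 2; continue   # escaped char inside quotes
            elif ch == "," and not in_quote:
                options.append("".join(cur)); cur = []; i += 1; continue
            elif ch == " " and not in_quote:
                options.append("".join(cur)); break          # end of option prefix
            cur.append(ch)
            i += 1
        rest = line[i + 1:]
    parts = rest.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError(f"unrecognised authorized_keys line: {line[:40]!r}")
    return options, parts[0], parts[1], (parts[2] if len(parts) == 3 else "")


def unrestricted_keys(text):
    """Return the comments of keys that have no command= restriction."""
    found = []
    for line in text.splitlines():
        parsed = parse_authorized_key(line)
        if parsed and not any(o.startswith("command=") for o in parsed[0]):
            found.append(parsed[3])
    return found


# Constructed sample: one unrestricted key, one limited to a single command
SAMPLE_KEYS = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAAFAKE= laptop\n"
    'command="/var/hack/bin/status.sh",no-port-forwarding ssh-dss AAAAB3NzaC1kc3MAAAAFAKE= monitor\n'
)
```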

  9. #9
    Updated to 0.53.1...
    0.53 - Thurs 24 February 2011

    - Various performance/memory use improvements

    - Client agent forwarding now works, using OpenSSH's ssh-agent

    - Improve robustness of client multihop mode

    - Fix a prime generation bug in bundled libtommath. This is unlikely to have
    generated any bad keys in the wild.
    See
    https://bugzilla.redhat.com/show_bug.cgi?id=615088
    http://bugs.gentoo.org/show_bug.cgi?id=328383
    http://bugs.gentoo.org/show_bug.cgi?id=328409

    - Attempt to build against system libtomcrypt/libtommath if available. This
    can be disabled with ./configure --enable-bundled-libtom

    - Make -K (keepalive) and -I (idle timeout) work together sensibly in the client.
    The idle timeout is no longer reset by SSH_MSG_IGNORE packets.

    - Compile fix if ENABLE_CLI_PROXYCMD is disabled

    - /usr/bin/X11/xauth is now the default path

    - Client remote forward (-L/-R) arguments now accept a listen address

    - In uClinux avoid trashing the parent process when a session exits

    - Blowfish is now disabled by default since it has large memory usage

    - Add option to change zlib windowbits/memlevel. Use less memory by default

    - DROPBEAR_SMALL_CODE is now disabled by default

    - SSH_ORIGINAL_COMMAND environment variable is set by the server when an
    authorized_keys command is specified.

    - Set SSH_TTY and SSH_CONNECTION environment variables in the server

    - Client banner is now printed to standard error rather than standard output

    - Capitalisation in many log messages has been made consistent. This may affect
    scripts that parse logfiles.
    Last edited by supernaut; 02-24-2011 at 11:50 PM.
