Dropbear

The forum for our foreign guests... Please post in English
Sourcerer
Curious
Posts: 11
Registered: Monday 17 April 2006, 22:48

Dropbear

Post by Sourcerer »

I've been playing around with the tuxbox sources recently (more specifically the dreambox tag), and I managed to get dropbear (SSH implementation geared towards embedded systems) working.

I haven't been able to find where patches should be sent (and I assume that CVS access isn't publicly writable), so I was wondering:
who / where can I send patches to?

Cheers,

Michel Stam
rasc
Senior Member
Posts: 5071
Registered: Tuesday 18 September 2001, 00:00

Post by rasc »

you may post them here... (if not too large)
;-)
ChakaZulu
Developer
Posts: 457
Registered: Sunday 23 March 2003, 00:39

Post by ChakaZulu »

hi,

isn't that already working? "make dropbear" should do the job according to this thread (in German :()
http://forum.tuxbox-cvs.sourceforge.net ... t=dropbear

greetings,

ChakaZulu
Sourcerer
Curious
Posts: 11
Registered: Monday 17 April 2006, 22:48

Post by Sourcerer »

Simple enough :)

http://www.reverze.net/dropbear-0.48.1.patch.tar.gz
Size should be about 3kbytes.

Instructions:

Extract the tarball in the CVS sandbox root.

This will place one diff in cdk/Patches, and one diff (tuxbox.cdk.diff) in the CVS sandbox root. After applying (patch -p0 <tuxbox.cdk.diff), the dropbear target will be added to the contrib_apps make target.

Deviations from the default dropbear installation:
server keys are placed in /var/etc/dropbear.

clients that should be authorized by public key can be placed in /var/.ssh/authorized_keys, much like with OpenSSH.

I removed support for the ssh client as this saves a few k on code. SCP server support is available, so it can be used as a substitute for say, ftp and/or telnet. SFTP, again, is not.

Adding something along the lines of:
if [ -r /var/etc/dropbear/dropbear_dss_host_key -a -r /var/etc/dropbear/dropbear_rsa_host_key ]; then
/sbin/dropbear
fi
to /etc/init.d/rcS will ensure that SSH support will be booted if the keys have been generated properly.

Server keys can be generated as follows:
dropbearkey -t dss -f /var/etc/dropbear/dropbear_dss_host_key
dropbearkey -t rsa -f /var/etc/dropbear/dropbear_rsa_host_key

Let me know how it works out.

Cheers,

Michel
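As an added example (not part of the thread or of the tuxbox CDK), the following POSIX sh helper implements the rcS check, the host-key generation and the authorized_keys layout from the post above, and adds the checks a maintainer would want before exposing a root shell over the network: private key directory and key files, an authorized_keys file that nobody else can write, and a warning when root has no password (Mac23 notes later in the thread that dropbear rejects such logins). The paths follow the post; the dropbearkey and dropbear binaries are variables so the functions can be exercised on a build host, and GNU or BusyBox `stat -c %a` is assumed.

```shell
#!/bin/sh
# Added example, not from the thread or the tuxbox CDK. Paths are the ones
# from Sourcerer's post; the key tool and server binary are overridable so
# the functions can be run on a build host without dropbear installed.

KEY_DIR="${KEY_DIR:-/var/etc/dropbear}"
AUTH_KEYS="${AUTH_KEYS:-/var/.ssh/authorized_keys}"
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"   # assumption: no shadow file on the box
DROPBEARKEY="${DROPBEARKEY:-dropbearkey}"
DROPBEAR="${DROPBEAR:-/sbin/dropbear}"

# The test from the post's rcS snippet: both host keys present and readable.
dropbear_keys_ready() {
    [ -r "$1/dropbear_dss_host_key" ] && [ -r "$1/dropbear_rsa_host_key" ]
}

# Create any missing host key with dropbearkey (same commands as the post)
# and keep the directory and key files private to root: a readable host
# key lets anyone on the box impersonate the server towards its clients.
dropbear_ensure_keys() {
    dir="$1"
    mkdir -p "$dir" && chmod 0700 "$dir" || return 1
    for t in dss rsa; do
        f="$dir/dropbear_${t}_host_key"
        [ -r "$f" ] || "$DROPBEARKEY" -t "$t" -f "$f" || return 1
        chmod 0600 "$f" || return 1
    done
    dropbear_keys_ready "$dir"
}

# authorized_keys is trusted like OpenSSH's: a file writable by group or
# others lets that party add a login key. Prints ok, missing or insecure
# and returns 1 for insecure. Assumes GNU/BusyBox "stat -c %a".
authorized_keys_state() {
    f="$1"
    [ -e "$f" ] || { echo missing; return 0; }
    mode=$(stat -c %a "$f") || return 1
    perm=${mode#${mode%???}}        # last three octal digits (u g o)
    case "$perm" in
        ?[2367]?|??[2367]) echo insecure; return 1 ;;
        *) echo ok ;;
    esac
}

# Dropbear rejects logins for an account whose password field is empty,
# which is why the thread notes that root must be given a password first.
# Returns 0 when root's password field in the given passwd/shadow file is empty.
root_password_empty() {
    awk -F: '$1 == "root" { found = 1; if ($2 == "") empty = 1 }
             END { exit !(found && empty) }' "$1"
}

# Replacement for the three-line rcS snippet: refuse to start on a
# misconfiguration instead of silently running an unsafe server.
dropbear_boot() {
    if ! dropbear_ensure_keys "$KEY_DIR"; then
        echo "dropbear: host keys unavailable in $KEY_DIR, not starting" >&2
        return 1
    fi
    if [ "$(authorized_keys_state "$AUTH_KEYS")" = insecure ]; then
        echo "dropbear: $AUTH_KEYS is group/world writable, not starting" >&2
        return 1
    fi
    if root_password_empty "$PASSWD_FILE"; then
        echo "dropbear: root has an empty password; logins will be rejected" >&2
    fi
    "$DROPBEAR"
}

# Invoked from /etc/init.d/rcS as:  /path/to/this/script boot
[ "${1:-}" = boot ] && dropbear_boot
```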
Sourcerer
Curious
Posts: 11
Registered: Monday 17 April 2006, 22:48

Post by Sourcerer »

I saw we made a post almost simultaneously ;)

I've done a grep on the CVS sandbox I have here (was made somewhere last weekend, saturday I believe).

No occurrences of dropbear throughout the tree.

Perhaps the person made a patch locally but hasn't submitted it thus far?
(my german isn't that good).

From what I gather there's binaries being offered. Could be wrong though.

Cheers

Michel
Barf
Developer
Posts: 1475
Registered: Tuesday 4 February 2003, 22:02

Post by Barf »

Sourcerer wrote: I've done a grep on the CVS sandbox I have here (was made somewhere last weekend, saturday I believe).

No occurrences of dropbear throughout the tree.
Then your grep is broken :wink: See the Makefile(s) and rules-*. This is what I call Download-unpack-patch-configure-build-install-clean-targets, explained (in English!) here.
From what I gather there's binaries being offered.
This project develops open source software. Who cares for binaries?
Sourcerer
Curious
Posts: 11
Registered: Monday 17 April 2006, 22:48

Post by Sourcerer »

I assure you, my grep is -not- broken.
I'm fairly certain I know how I should perform a grep.
(grep -r dropbear * in the sandbox root, or find . -type f -exec grep dropbear {} \; if you're using an old grep or are just fond of using find).

Now that's out of the way ....

The patch I developed is according to the URL below:
http://wiki.tuxbox.org/Development:README.3rdparty.en
Which looks much like the one you posted. Since the whole deal compiles and works here, I don't think this is the issue.

To confirm I used the CVS view on cvs.tuxbox-cvs.sourceforge.net. There is a dropbear in the MAIN branch of rules-archive (I'm using revision 1.103.2.30.2.36 in the dreambox branch).
I think the dreambox branch does not include the dropbear target that is present in the MAIN branch's rules-archive/rules-make/rules-install, please confirm.

I know this project develops open source software; The reason I sent this patch as opposed to providing binaries should be an indication of that knowledge.

Let's keep this constructive.

Cheers,

Michel
Barf
Developer
Posts: 1475
Registered: Tuesday 4 February 2003, 22:02

Post by Barf »

Michel,

I can confirm that

- The HEAD as well as the newmake branch contains dropbear,
- the dreambox does not.

That was the meaning of my message, not to suggest that your grep (or your knowledge on how to use it) actually was broken. There was a smiley at the end of the line...

I can admit that the statement on binaries was unnecessary, however, it was in no way meant as an insult, and I think this should have been clear.
Sourcerer
Curious
Posts: 11
Registered: Monday 17 April 2006, 22:48

Post by Sourcerer »

Ok,

No problems.

What I did notice is that the MAIN branch contains the 0.44 version of dropbear;

From: http://matt.ucc.asn.au/dropbear/dropbear.html
Security update 11 Dec 2005: Dropbear server versions prior to 0.47 have a buffer sizing error that may allow authenticated users to run code as the server user (usually root). All users are advised to upgrade or apply a patch.
I can take a look at this (aka compare the dropbear.diff I wrote with the one in CVS HEAD). That way dropbear can be brought to 0.48.1.

Can you tell me how I should go about bringing the rules-* in both branches in sync? (I rarely have to do this kind of thing with CVS, though make checkout seems to hint that this happens more frequently for tuxbox)
(I mean in such a way that this problem does not reoccur in the future).

Cheers,

Michel
Barf
Developer
Posts: 1475
Registered: Tuesday 4 February 2003, 22:02

Post by Barf »

Sourcerer wrote: Can you tell me how I should go about bringing the rules-* in both branches in sync?
I can offer only very general advice. You can get a CVS account by PM-ing derget. General advice on merging CVS branches is found here, see also "The Cederqvist". My favorite tool for merging text files is Emacs.
Mac23
Beginner
Posts: 127
Registered: Thursday 23 October 2003, 20:50

Post by Mac23 »

I would also suggest to include the new version of dropbear (0.48.1) into the CVS (isn't it better than a patch?!). Besides the security issues there are also some other updates which fixed for example a bug in the client for me. I've tested it without problems on my dBox.

There are only some minor changes for rules-archive, rules-make and dropbear-options.h (cdk/Patches).

With the current dropbear-options.h (version 0.44) I got a compile error with the new version, so I changed the option file on my own. Now it's working :)

Here it is:


/* Dropbear SSH
 * Copyright (c) 2002,2003 Matt Johnston
 * All rights reserved. See LICENSE for the license. */

#ifndef _OPTIONS_H_
#define _OPTIONS_H_

/******************************************************************
 * Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif"
 * parts are to allow for commandline -DDROPBEAR_XXX options etc.
 ******************************************************************/

#ifndef DROPBEAR_DEFPORT
#define DROPBEAR_DEFPORT "22"
#endif

/* Default hostkey paths - these can be specified on the command line */
#ifndef DSS_PRIV_FILENAME
#define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key"
#endif
#ifndef RSA_PRIV_FILENAME
#define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key"
#endif

/* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens
 * on chosen ports and keeps accepting connections. This is the default.
 *
 * Set INETD_MODE if you want to be able to run Dropbear with inetd (or
 * similar), where it will use stdin/stdout for connections, and each process
 * lasts for a single connection. Dropbear should be invoked with the -i flag
 * for inetd, and can only accept IPv4 connections.
 *
 * Both of these flags can be defined at once, don't compile without at least
 * one of them. */
#define NON_INETD_MODE
#define INETD_MODE

/* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is
 * perhaps 20% slower for pubkey operations (it is probably worth experimenting
 * if you want to use this) */
/*#define NO_FAST_EXPTMOD*/

/* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save
several kB in binary size, however will make the symmetrical ciphers (AES, DES
etc) slower (perhaps by 50%). Recommended for most small systems. */
#define DROPBEAR_SMALL_CODE

/* Enable X11 Forwarding - server only */
// #define ENABLE_X11FWD

/* Enable TCP Fowarding */
/* 'Local' is "-L" style (client listening port forwarded via server)
 * 'Remote' is "-R" style (server listening port forwarded via client) */

#define ENABLE_CLI_LOCALTCPFWD
#define ENABLE_CLI_REMOTETCPFWD

#define ENABLE_SVR_LOCALTCPFWD
#define ENABLE_SVR_REMOTETCPFWD

/* Enable Authentication Agent Forwarding - server only for now */
#define ENABLE_AGENTFWD

/* Encryption - at least one required.
 * RFC Draft requires 3DES and recommends AES128 for interoperability.
 * Including multiple keysize variants the same cipher 
 * (eg AES256 as well as AES128) will result in a minimal size increase.*/
#define DROPBEAR_AES128_CBC
#define DROPBEAR_3DES_CBC
// #define DROPBEAR_AES256_CBC
#define DROPBEAR_BLOWFISH_CBC
// #define DROPBEAR_TWOFISH256_CBC
#define DROPBEAR_TWOFISH128_CBC

/* Message Integrity - at least one required.
 * RFC Draft requires sha1 and recommends sha1-96.
 * sha1-96 may be of use for slow links, as it has a smaller overhead.
 *
 * Note: there's no point disabling sha1 to save space, since it's used
 * for the random number generator and public-key cryptography anyway.
 * Disabling it here will just stop it from being used as the integrity portion
 * of the ssh protocol.
 *
 * These hashes are also used for public key fingerprints in logs.
 * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
 * which are not the standard form. */
#define DROPBEAR_SHA1_HMAC
// #define DROPBEAR_SHA1_96_HMAC
#define DROPBEAR_MD5_HMAC

/* Hostkey/public key algorithms - at least one required, these are used
 * for hostkey as well as for verifying signatures with pubkey auth.
 * Removing either of these won't save very much space.
 * SSH2 RFC Draft requires dss, recommends rsa */
#define DROPBEAR_RSA
#define DROPBEAR_DSS

/* RSA can be vulnerable to timing attacks which use the time required for
 * signing to guess the private key. Blinding avoids this attack, though makes
 * signing operations slightly slower. */
// #define RSA_BLINDING

/* Define DSS_PROTOK to use PuTTY's method of generating the value k for dss,
 * rather than just from the random byte source. Undefining this will save you
 * ~4k in binary size with static uclibc, but your DSS hostkey could be exposed
 * if the random number source isn't good. In general this isn't required */
/* #define DSS_PROTOK */

/* Whether to do reverse DNS lookups. */
// #define DO_HOST_LOOKUP

/* Whether to print the message of the day (MOTD). This doesn't add much code
 * size */
// #define DO_MOTD

/* The MOTD file path */
#ifndef MOTD_FILENAME
#define MOTD_FILENAME "/etc/motd"
#endif

/* Authentication Types - at least one required.
   RFC Draft requires pubkey auth, and recommends password */

/* Note: PAM auth is quite simple, and only works for PAM modules which just do
 * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c).
 * It's useful for systems like OS X where standard password crypts don't work,
 * but there's an interface via a PAM module - don't bother using it otherwise.
 * You can't enable both PASSWORD and PAM. */

#define ENABLE_SVR_PASSWORD_AUTH
/* #define ENABLE_SVR_PAM_AUTH */ /* requires ./configure --enable-pam */
#define ENABLE_SVR_PUBKEY_AUTH

#define ENABLE_CLI_PASSWORD_AUTH
#define ENABLE_CLI_PUBKEY_AUTH
// #define ENABLE_CLI_INTERACT_AUTH

/* Define this (as well as ENABLE_CLI_PASSWORD_AUTH) to allow the use of
 * a helper program for the ssh client. The helper program should be
 * specified in the SSH_ASKPASS environment variable, and dbclient
 * should be run with DISPLAY set and no tty. The program should
 * return the password on standard output */
/*#define ENABLE_CLI_ASKPASS_HELPER*/

/* Random device to use - define either DROPBEAR_RANDOM_DEV or
 * DROPBEAR_PRNGD_SOCKET.
 * DROPBEAR_RANDOM_DEV is recommended on hosts with a good /dev/(u)random,
 * otherwise use run prngd (or egd if you want), specifying the socket. 
 * The device will be queried for a few dozen bytes of seed a couple of times
 * per session (or more for very long-lived sessions). */

/* If you are lacking entropy on the system then using /dev/urandom
 * will prevent Dropbear from blocking on the device. This could
 * however significantly reduce the security of your ssh connections
 * if the PRNG state becomes guessable - make sure you know what you are
 * doing if you change this. */
#define DROPBEAR_RANDOM_DEV "/dev/urandom"

/* prngd must be manually set up to produce output */
/*#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"*/

/* Specify the number of clients we will allow to be connected but
 * not yet authenticated. After this limit, connections are rejected */
/* The first setting is per-IP, to avoid denial of service */
#ifndef MAX_UNAUTH_PER_IP
#define MAX_UNAUTH_PER_IP 5
#endif

/* And then a global limit to avoid chewing memory if connections 
 * come from many IPs */
#ifndef MAX_UNAUTH_CLIENTS
#define MAX_UNAUTH_CLIENTS 30
#endif

/* Maximum number of failed authentication tries (server option) */
#ifndef MAX_AUTH_TRIES
#define MAX_AUTH_TRIES 10
#endif

/* The file to store the daemon's process ID, for shutdown scripts etc */
#ifndef DROPBEAR_PIDFILE
#define DROPBEAR_PIDFILE "/tmp/dropbear.pid"
#endif

/* The command to invoke for xauth when using X11 forwarding.
 * "-q" for quiet */
#ifndef XAUTH_COMMAND
#define XAUTH_COMMAND "/usr/X11R6/bin/xauth -q"
#endif

/* if you want to enable running an sftp server (such as the one included with
 * OpenSSH), set the path below. If the path isn't defined, sftp will not
 * be enabled */
/*
#ifndef SFTPSERVER_PATH
#define SFTPSERVER_PATH "/usr/libexec/sftp-server"
#endif
*/

/* This is used by the scp binary when used as a client binary. If you're
 * not using the Dropbear client, you'll need to change it */
#define _PATH_SSH_PROGRAM "/sbin/dbclient"

/* Multi-purpose binary configuration has now moved. Look at the top
 * of the Makefile for instructions, or INSTALL */

/*******************************************************************
 * You shouldn't edit below here unless you know you need to.
 *******************************************************************/

#ifndef DROPBEAR_VERSION
#define DROPBEAR_VERSION "0.48"
#endif

#define LOCAL_IDENT "SSH-2.0-dropbear_" DROPBEAR_VERSION
#define PROGNAME "dropbear"

/* Spec recommends after one hour or 1 gigabyte of data. One hour
 * is a bit too verbose, so we try 8 hours */
#ifndef KEX_REKEY_TIMEOUT
#define KEX_REKEY_TIMEOUT (3600 * 8)
#endif
#ifndef KEX_REKEY_DATA
#define KEX_REKEY_DATA (1<<30) /* 2^30 == 1GB, this value must be < INT_MAX */
#endif
/* Close connections to clients which haven't authorised after AUTH_TIMEOUT */
#ifndef AUTH_TIMEOUT
#define AUTH_TIMEOUT 300 /* we choose 5 minutes */
#endif

/* Minimum key sizes for DSS and RSA */
#ifndef MIN_DSS_KEYLEN
#define MIN_DSS_KEYLEN 512
#endif
#ifndef MIN_RSA_KEYLEN
#define MIN_RSA_KEYLEN 512
#endif

#define MAX_BANNER_SIZE 2000 /* this is 25*80 chars, any more is foolish */
#define MAX_BANNER_LINES 20 /* How many lines the client will display */

/* the number of NAME=VALUE pairs to malloc for environ, if we don't have
 * the clearenv() function */
#define ENV_SIZE 100

#define MAX_CMD_LEN 1024 /* max length of a command */
#define MAX_TERM_LEN 200 /* max length of TERM name */

#define MAX_HOST_LEN 254 /* max hostname len for tcp fwding */
#define MAX_IP_LEN 15 /* strlen("255.255.255.255") == 15 */

#define DROPBEAR_MAX_PORTS 10 /* max number of ports which can be specified,
								 ipv4 and ipv6 don't count twice */

#define _PATH_TTY "/dev/tty"

#define _PATH_CP "/bin/cp"

/* Timeouts in seconds */
#define SELECT_TIMEOUT 20

/* success/failure defines */
#define DROPBEAR_SUCCESS 0
#define DROPBEAR_FAILURE -1

/* various algorithm identifiers */
#define DROPBEAR_KEX_DH_GROUP1 0

#define DROPBEAR_SIGNKEY_ANY 0
#define DROPBEAR_SIGNKEY_RSA 1
#define DROPBEAR_SIGNKEY_DSS 2
#define DROPBEAR_SIGNKEY_NONE 3

#define DROPBEAR_COMP_NONE 0
#define DROPBEAR_COMP_ZLIB 1

/* Required for pubkey auth */
#if defined(ENABLE_SVR_PUBKEY_AUTH) || defined(DROPBEAR_CLIENT)
#define DROPBEAR_SIGNKEY_VERIFY
#endif

/* SHA1 is 20 bytes == 160 bits */
#define SHA1_HASH_SIZE 20
/* SHA512 is 64 bytes == 512 bits */
#define SHA512_HASH_SIZE 64
/* MD5 is 16 bytes = 128 bits */
#define MD5_HASH_SIZE 16

/* largest of MD5 and SHA1 */
#define MAX_MAC_LEN SHA1_HASH_SIZE


#define MAX_KEY_LEN 32 /* 256 bits for aes256 etc */
#define MAX_IV_LEN 20 /* must be same as max blocksize, 
						 and >= SHA1_HASH_SIZE */
#define MAX_MAC_KEY 20

#define MAX_NAME_LEN 64 /* maximum length of a protocol name, isn't
						   explicitly specified for all protocols (just
						   for algos) but seems valid */

#define MAX_PROPOSED_ALGO 20

/* size/count limits */
#define MAX_LISTEN_ADDR 10

#define MAX_PACKET_LEN 35000
#define MIN_PACKET_LEN 16
#define MAX_PAYLOAD_LEN 32768

#define MAX_TRANS_PAYLOAD_LEN 32768
#define MAX_TRANS_PACKET_LEN (MAX_TRANS_PAYLOAD_LEN+50)

#define MAX_TRANS_WINDOW 500000000 /* 500MB is sufficient, stopping overflow */
#define MAX_TRANS_WIN_INCR 500000000 /* overflow prevention */

#define MAX_STRING_LEN 1400 /* ~= MAX_PROPOSED_ALGO * MAX_NAME_LEN, also
							   is the max length for a password etc */

/* For a 4096 bit DSS key, empirically determined */
#define MAX_PUBKEY_SIZE 1700
/* For a 4096 bit DSS key, empirically determined */
#define MAX_PRIVKEY_SIZE 1700

/* The maximum size of the bignum portion of the kexhash buffer */
/* Sect. 8 of the transport draft, K_S + e + f + K */
#define KEXHASHBUF_MAX_INTS (1700 + 130 + 130 + 130)

#define DROPBEAR_MAX_SOCKS 2 /* IPv4, IPv6 are all we'll get for now. Revisit
								in a few years time.... */

#define DROPBEAR_MAX_CLI_PASS 1024

#define DROPBEAR_MAX_CLI_INTERACT_PROMPTS 80 /* The number of prompts we'll 
												accept for keyb-interactive
												auth */

#if defined(DROPBEAR_AES256_CBC) || defined(DROPBEAR_AES128_CBC)
#define DROPBEAR_AES_CBC
#endif

#if defined(DROPBEAR_TWOFISH256_CBC) || defined(DROPBEAR_TWOFISH128_CBC)
#define DROPBEAR_TWOFISH_CBC
#endif

#ifndef ENABLE_X11FWD
#define DISABLE_X11FWD
#endif

#ifndef ENABLE_AGENTFWD
#define DISABLE_AGENTFWD
#endif

#if defined(ENABLE_CLI_REMOTETCPFWD) || defined(ENABLE_CLI_LOCALTCPFWD)
#define ENABLE_CLI_ANYTCPFWD 
#endif

#if defined(ENABLE_CLI_LOCALTCPFWD) || defined(ENABLE_SVR_REMOTETCPFWD)
#define DROPBEAR_TCP_ACCEPT
#endif

#if defined(ENABLE_CLI_REMOTETCPFWD) || defined(ENABLE_CLI_LOCALTCPFWD) || \
	defined(ENABLE_SVR_REMOTETCPFWD) || defined(ENABLE_SVR_LOCALTCPFWD) || \
	defined(ENABLE_AGENTFWD) || defined(ENABLE_X11FWD)
#define USING_LISTENERS
#endif

#if defined(DROPBEAR_CLIENT) || defined(ENABLE_SVR_PUBKEY_AUTH)
#define DROPBEAR_KEY_LINES /* ie we're using authorized_keys or known_hosts */
#endif

#if defined(ENABLE_SVR_PASSWORD_AUTH) && defined(ENABLE_SVR_PAM_AUTH)
#error "You can't turn on PASSWORD and PAM auth both at once. Fix it in options.h"
#endif

#if defined(DROPBEAR_RANDOM_DEV) && defined(DROPBEAR_PRNGD_SOCKET)
#error "You can't turn on DROPBEAR_PRNGD_SOCKET and DROPBEAR_RANDOM_DEV at once"
#endif

#if !defined(DROPBEAR_RANDOM_DEV) && !defined(DROPBEAR_PRNGD_SOCKET)
#error "You must choose one of DROPBEAR_PRNGD_SOCKET or DROPBEAR_RANDOM_DEV in options.h"
#endif

/* We use dropbear_client and dropbear_server as shortcuts to avoid redundant
 * code, if we're just compiling as client or server */
#if defined(DROPBEAR_SERVER) && defined(DROPBEAR_CLIENT)

#define IS_DROPBEAR_SERVER (ses.isserver == 1)
#define IS_DROPBEAR_CLIENT (ses.isserver == 0)

#elif defined(DROPBEAR_SERVER)

#define IS_DROPBEAR_SERVER 1
#define IS_DROPBEAR_CLIENT 0

#elif defined(DROPBEAR_CLIENT)

#define IS_DROPBEAR_SERVER 0
#define IS_DROPBEAR_CLIENT 1

#else
#error You must compiled with either DROPBEAR_CLIENT or DROPBEAR_SERVER selected
#endif

#endif /* _OPTIONS_H_ */
Sourcerer
Curious
Posts: 11
Registered: Monday 17 April 2006, 22:48

Post by Sourcerer »

Ok, sorry for the radio silence, I was stuck to my bed for the past couple of days.

I'm looking at the various options.h files (mine, the one posted above, and the one in CVS);

One thing I did notice is the ssh client. As the telnet client is not available either (at least not in the dreambox branch), is there any pressing need to include the ssh client in dropbear? This saves approximately 16k (on stripped binaries, of course). Especially useful with the Dreambox 7000S I have here (short on flash space even on a default build).

Also noted is the absence of public key cryptography; for security reasons I'd recommend including it (public key cryptography being safer than password authentication, as well as being easier if properly set up). Of course, that will add some code to the equation.

Another is port forwarding; I don't actually use it, though I can imagine others would ;)

I'd like to post this and find an agreement to save someone else from having to make their own build or needless commits to CVS.

Most other options are similar, if not identical.

I'll get into the process of acquiring CVS access (or I'll ask Derget to commit it for me).

Let me know.

Cheers,

Michel
Mac23
Beginner
Posts: 127
Registered: Thursday 23 October 2003, 20:50

Post by Mac23 »

@Sourcerer:

All things you asked? are perfectly working with dropbear using the posted options file (see above) for example and make flash-dropbear (FYI: I'm using a dbox).
One thing I did notice is the ssh client. As the telnet client is not available either (at least not in the dreambox branch), is there any pressing need to include the ssh client in dropbear?
The dropbear binary includes the client (dbclient) and the server.
Also noted is the absence of public key cryptography; for security reasons I'd recommend including it (public key cryptography being safer than password authentication, as well as being easier if properly set up). Of course, that will add some code to the equation.
It works for me without any problems (I use RSA keys). The only thing to note is, that you MUST set a password (passwd) to use key or password authentication with dropbear.
Another is port forwarding; I don't actually use it, though I can imagine others would
That's also working with both (client / server). The dropbear client had some problems (bug) with port forwarding in version 0.44 but with 0.48.1 it works fine :) - that's only one reason to update the CVS ;)
Sourcerer
Curious
Posts: 11
Registered: Monday 17 April 2006, 22:48

Post by Sourcerer »

Hey Mac,

The reasoning was not whether it was currently working, but more whether it was necessary; I'm reviewing the various options in the dropbear client so as to commit a new options file to CVS.

Hence, I was reviewing your file, as well as the one in CVS and my own file (as previously stated).

I was more looking for options/suggestions what you need, rather than what is possible. Since dropbear will run on an embedded system, flash space is usually in short supply, so keeping the binary as small as possible while still retaining security is the key.

My question to you; what features of those available to you do you use/need?
Are there options we can exclude because they're not used (anymore)?

Cheers,

Michel
Mac23
Beginner
Posts: 127
Registered: Thursday 23 October 2003, 20:50

Post by Mac23 »

Sourcerer wrote: The reasoning was not whether it was currently working, but more whether it was necessary;
Ok, one reason for updating dropbear in CVS (a bug) I've given ;)
Sourcerer wrote: My question to you; what features of those available to you do you use/need?
Are there options we can exclude because they're not used (anymore)?
What do you think about an options file with a minimum of features. If someone (who has the ability to build an image) needs more features he will surely change the options himself (my opinion).

For me it's only important that there is a usable options file in CVS (as I was updating to dropbear-0.48.1 I had to change the old one (0.44)).

Mac23
Sourcerer
Curious
Posts: 11
Registered: Monday 17 April 2006, 22:48

Post by Sourcerer »

Ok, here goes:

Changes as opposed to the original file (I'll refrain from posting the diff, but if anyone is interested I'll be happy to post a link or something...)

For convenience, I've changed the paths to the dropbear keys to /var/etc/dropbear as opposed to /etc/dropbear (saves copying etc during the bootprocess)

code savers:
FAST_EXPTMOD
ENABLE_X11FWD
ENABLE_CLI_LOCALTCPFWD
ENABLE_CLI_REMOTETCPFWD
ENABLE_SVR_LOCALTCPFWD
ENABLE_SVR_REMOTETCPFWD
AGENT_FWD
DROPBEAR_BLOWFISH_CBC
DROPBEAR_TWOFISH256_CBC
DROPBEAR_TWOFISH128_CBC
ssh client support

Others:
DO_HOST_LOOKUP disabled (no syslog)
DO_MOTD disabled
sftp (there's scp support available)

Binary size (stripped) comes in at around 140k

If you agree with this I'll get the patch into CVS.

Let me know.

Cheers,

Michel
Sourcerer
Curious
Posts: 11
Registered: Monday 17 April 2006, 22:48

Post by Sourcerer »

Sorry for the long radio silence, RL caught up with me.

I've built the patches. I'll properly test it on the Dreambox, as I've got 2 of those around at home. Below you can find the diffs for both the dreambox branch and the main branch.
Differences are in the rules-* files, as there's slight differences with the build process (very slight, mostly cosmetic).

main branch
dreambox branch

I'll get into contact for the CVS commit within the next few days.

Cheers,

Michel
Sourcerer
Curious
Posts: 11
Registered: Monday 17 April 2006, 22:48

Post by Sourcerer »

Small update;

I've mailed Derget over the weekend. I'll make a post once I have more information.

Cheers,

Michel
Sourcerer
Curious
Posts: 11
Registered: Monday 17 April 2006, 22:48

Post by Sourcerer »

I got word from Derget this morning;

dropbear support has been added to the main and dreambox branches (both at 0.48.1 using the same options.h).

Cheers,

Michel
Mac23
Beginner
Posts: 127
Registered: Thursday 23 October 2003, 20:50

Post by Mac23 »

Nice to hear that :-)

Thanks!
Barf
Developer
Posts: 1475
Registered: Tuesday 4 February 2003, 22:02

Post by Barf »

Sourcerer wrote: main branch
dreambox branch
... and left out the newmake branch!? :cry: Anyhow...
pantau
Beginner
Posts: 130
Registered: Tuesday 25 November 2003, 07:14

Post by pantau »

@Barf

I have 2 questions about your changes (dropbear) for the newmake branch.

Why are the dropbear_rsa/dss_host_key files no longer created in /var/etc/dropbear?

Wouldn't the ".ssh" be better kept in /var/etc/ rather than in the root area, and what is it needed for anyway?

Regards, Pantau
Barf
Developer
Posts: 1475
Registered: Tuesday 4 February 2003, 22:02

Post by Barf »

[Since this is "Foreign Guest Forum" I will answer in English.]

In both cases, I do not know. I just ported Sourcerer's work to newmake. Your questions seem legitimate, though. I hope that Sourcerer can answer.
pantau
Beginner
Posts: 130
Registered: Tuesday 25 November 2003, 07:14

Post by pantau »

ok, thanks, now I'm still waiting for Sourcerer's answer

by pantau
rhabarber1848
CDK Expert
Posts: 4335
Registered: Thursday 3 April 2008, 14:05

Re: Dropbear

Post by rhabarber1848 »

Due to the fact that I would like to have a SSH server on my Dbox
I came across Dropbear but only to find out that the archive
is not online anymore. Also CDK wants to compile Dropbear 0.48.1
where version 0.51 is already available. Version 0.49 also fixed
a security-related bug so I think it's time to upgrade :wink:

dropbear.diff

This patch contains the following fixes:
- update dropbear to version 0.51
- use dropbear maintainer site for downloading
- options.h needs some updates, used defaults from dropbear 0.51
- patched dropbear sourcecode to allow logins when user root has an empty password

Small note for the last item: Due to the fact that user root has no password
by default and the Dbox can be accessed by telnet already it makes no sense
to keep the security-related code to disallow logins in this situation.

To add dropbear to your image add "make flash-dropbear" to your customization
script root-local.sh. It will enlarge your image by (only) 145332 bytes, unpacked.