Hi,
It took longer than I wanted, but here it is, the latest version of:
Dropbear 2022.83 with the latest security patches and fixes taken from OpenWRT. The build is almost the same, but I excluded the "100-pubkey_path.patch", which conflicted with the KOReader pubkey patches (the former enhances security, while the latter loosens it due to FAT32 not having permissions).
Applied OpenWRT patches:
Code:
SOURCE: https://github.com/openwrt/openwrt/t...opbear/patches
001-add-if-DROPBEAR_RSA-guards.patch
002-fix-y2038-issues.patch
003-fix-DROPBEAR_DSS.patch
004-allow-users-s-own-gid-in-pty-permission-check.patch
005-const-parameter-mp_int.patch
006-dropbearkey-add-missing-break-in-switch.patch
007-fix-building-only-client-or-server.patch
008-disable-rsa-signatures-when-no-rsa-hostkey.patch
009-use-write-rather-than-fprintf-in-segv-handler.patch
010-remove-SO_LINGER.patch
011-add-option-to-bind-to-interface.patch
012-add-ifdef-guards-for-SO_BINDTODEVICE.patch
013-make-banner-reading-failure-non-fatal.patch
014-dropbearkey-ignore-unsupported-command-line-option.patch
015-libtommath-fix-possible-integer-overflow.patch
016-src-svr-tcpfwd-Fix-noremotetcp-behavior.patch
017-Don-t-try-to-shutdown-a-pty.patch
018-dropbearkey-add-alias-to-ssh-keygen.patch
019-Allow-inetd-with-non-syslog.patch
020-Fix-test-for-multiuser-kernels.patch
021-Implement-Strict-KEX-mode.patch
110-change_user.patch
130-ssh_ignore_x_args.patch
140-disable_assert.patch
160-lto-jobserver.patch
600-allow-blank-root-password.patch
900-configure-hardening.patch
901-bundled-libs-cflags.patch
910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
Created the "localoptions.h" from default_options.h for easy patching. Looked at the OpenWRT build, which disables ECDSA and ECDH (for security, IIRC) and enables ED25519. OpenWRT recommends disabling RSA when doing your own builds, but their default builds leave it enabled for compatibility, and so did I. However, I set the default RSA keysize to 4096 bits, according to:
https://security.stackexchange.com/q...actices#144044
Then converted the KOReader patches from 2018.76 to 2022.83, but dropped the dropbear-2018.76-upstream-fixes.patch since it was outdated.
Applied the new 2022.83 patches
Code:
OLDSOURCE=https://github.com/koreader/koreader-base/tree/master/thirdparty/dropbear
SOURCE:https://www.mobileread.com/forums/at...1&d=1712039536
dropbear-2022.83-kindle-nochdir-hack.patch
dropbear-2022.83-kindle-nopasswd-hack.patch
dropbear-2022.83-kindle-options-hack.patch
dropbear-2022.83-kindle-pubkey-gen-hack.patch
dropbear-2022.83-kindle-pubkey-hack.patch
dropbear-2022.83-scp-command-hack-cervantes.patch
dropbear-2022.83-scp-command-hack-kindle.patch
dropbear-2022.83-scp-command-hack-kobo.patch
dropbear-2022.83-scp-command-hack-pocketbook.patch
Steps I took for compiling dropbear:
Code:
#0. enter build environment (KOBO-TC in my case)
#1. defined some extra build variables, which you can adapt to your situation
DEVICE=kobo
# configure only accepts an absolute --prefix; this is ../build as seen from the source directory
BUILD="$PWD/build"
#2. downloaded the source
wget https://matt.ucc.asn.au/dropbear/rel...022.83.tar.bz2
#3. unpacked it
tar -xvf dropbear-2022.83.tar.bz2
#4. unpacked patches (attached to post below)
tar -xvf dropbear-2022-83-patches.tar.gz
#5. enter source directory
cd dropbear-2022.83
#6. created the localoptions file from default options
grep "^#define" default_options.h > localoptions.h
#7. applied OpenWRT patches (source: see above)
for patch in ../patches/0_openwrt/*.patch; do
    # stop at the first patch that fails to apply instead of silently continuing
    patch -p1 < "$patch" || break
done
#8. applied OpenWRT build choices
patch -p1 < ../patches/dropbear-2022.83_openwrt_build_choices.txt
#9. applied generic KOReader patches
for patch in ../patches/1_koreader/dropbear-2022.83-kindle-*.patch; do
    patch -p1 < "$patch" || break
done
#10. applied device specific patches
patch -p1 < "../patches/1_koreader/dropbear-2022.83-scp-command-hack-$DEVICE.patch"
#11. create build directory
mkdir -p "$BUILD"
#12. run configure
./configure \
    --host=arm-kobo-linux-gnueabihf \
    --prefix="$BUILD" \
    --disable-pam \
    --enable-openpty \
    --enable-syslog \
    --disable-lastlog \
    --disable-utmpx \
    --disable-utmp \
    --disable-wtmp \
    --disable-wtmpx \
    --disable-loginfunc \
    --disable-pututline \
    --disable-pututxline \
    --disable-zlib \
    --enable-bundled-libtom
#13. build dropbear from our patched source
make
#14. installed it to our build directory
make install
#15. then stripped all executables
find "$BUILD/bin" "$BUILD/sbin" \
    -type f \
    -exec arm-kobo-linux-gnueabihf-strip --strip-unneeded {} \;
Tested it by running: ./dropbear -nREF
Code:
-R Create hostkeys as required
-F Don't fork into background
-E Log to stderr rather than syslog
-n Disable password checking (/!\ Hack, don't use this!)
root@kobo$ ./dropbear -nREF
[1516] Apr 02 05:59:41 Not backgrounding
[1521] Apr 02 05:59:44 Child connection from 192.168.1.2:34606
[1521] Apr 02 05:59:45 Bad password attempt for 'root' from 192.168.1.2:34606 (But we're letting you in, as configured ;))
[1521] Apr 02 05:59:45 Bad password attempt for 'root' from 192.168.1.2:34606
[1521] Apr 02 05:59:52 Exit (root) from <192.168.1.2:34606>: Disconnect received
Verified with NMAP to see if it was configured correctly, and that seems to be the case here.
Code:
$ nmap --script ssh2-enum-algos 192.168.1.1
Nmap scan report for 192.168.1.1
Host is up (0.0085s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT     STATE SERVICE
2222/tcp open  EtherNetIP-1
| ssh2-enum-algos:
|   kex_algorithms: (6)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|       kexguess2@matt.ucc.asn.au
|       kex-strict-s-v00@openssh.com
|   server_host_key_algorithms: (3)
|       ssh-ed25519
|       rsa-sha2-256
|       ssh-rsa
|   encryption_algorithms: (3)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes256-ctr
|   mac_algorithms: (2)
|       hmac-sha1
|       hmac-sha2-256
|   compression_algorithms: (1)
|_      none
Nmap done: 1 IP address (1 host up) scanned in 6.75 seconds
Yay!
I compiled a version for KOBO. If you use another device like Kindle, Cervantes or PocketBook, you need to compile it yourself, or wait for a new KOReader update if they choose to accept these patches.
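
An added example, not part of the original post or of the Dropbear or KOReader code, that turns the nmap verification above into a repeatable check: it parses `ssh2-enum-algos` output and reports SHA-1 based algorithms, any ECDSA/ECDH offer, and a missing Strict KEX marker or Ed25519 host key. The names `parse_algos` and `audit` are illustrative, and the sample input is constructed from the scan shown in the post.

```python
import re
# Illustrative names throughout; SAMPLE is constructed from the scan in the post.
SAMPLE = """\
| ssh2-enum-algos:
|   kex_algorithms: (6)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|       kexguess2@matt.ucc.asn.au
|       kex-strict-s-v00@openssh.com
|   server_host_key_algorithms: (3)
|       ssh-ed25519
|       rsa-sha2-256
|       ssh-rsa
|   encryption_algorithms: (3)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes256-ctr
|   mac_algorithms: (2)
|       hmac-sha1
|       hmac-sha2-256
|   compression_algorithms: (1)
|_      none
"""
SHA1_BASED = {"diffie-hellman-group14-sha1", "ssh-rsa", "hmac-sha1"}

def parse_algos(text):
    """Map each category (kex_algorithms, ...) to the list of names under it."""
    algos, current = {}, None
    for line in text.splitlines():
        body = line.lstrip("|_ \t").strip()
        header = re.fullmatch(r"(\w+): \(\d+\)", body)
        if header:
            current = algos.setdefault(header.group(1), [])
        elif current is not None and body and line.startswith("|"):
            current.append(body)
    return algos

def audit(algos):
    """Return findings for the build choices described in the post."""
    offered = [n for names in algos.values() for n in names]
    findings = [f"SHA-1 based, kept for compatibility: {n}" for n in offered if n in SHA1_BASED]
    findings += [f"ECDSA/ECDH still offered: {n}" for n in offered if n.startswith(("ecdsa-", "ecdh-"))]
    if "kex-strict-s-v00@openssh.com" not in algos.get("kex_algorithms", []):
        findings.append("kex-strict-s-v00@openssh.com not offered (is patch 021 applied?)")
    if "ssh-ed25519" not in algos.get("server_host_key_algorithms", []):
        findings.append("ssh-ed25519 host key not offered")
    return findings
```

For the scan in the post, `audit(parse_algos(SAMPLE))` returns only the three SHA-1 entries, which matches the compatibility choices described above.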