Register Guidelines E-Books Search Today's Posts Mark Forums Read

Go Back   MobileRead Forums > E-Book Software > KOReader

Notices

Reply
 
Thread Tools Search this Thread
Old 04-02-2024, 02:22 AM   #1
bitfreak
Enthusiast
bitfreak can teach chickens to fly.bitfreak can teach chickens to fly.bitfreak can teach chickens to fly.bitfreak can teach chickens to fly.bitfreak can teach chickens to fly.bitfreak can teach chickens to fly.bitfreak can teach chickens to fly.bitfreak can teach chickens to fly.bitfreak can teach chickens to fly.bitfreak can teach chickens to fly.bitfreak can teach chickens to fly.
 
Posts: 35
Karma: 3790
Join Date: Jan 2024
Device: Kobo
SSH/Dropbear 2022.83 + latest security patches + ed25519

Hi,

It took longer than I wanted but here it is the latest version of: Dropbear 2022.83 with the latest security patches and fixes taken from OpenWRT. The build is almost the same, but I excluded the "100-pubkey_path.patch" which conflicted with the KOReader pubkey patches (the former enhances security, while the latter loosens it due to FAT32 not having permissions)

Applied OpenWRT patches:
Code:
SOURCE: https://github.com/openwrt/openwrt/t...opbear/patches
001-add-if-DROPBEAR_RSA-guards.patch
002-fix-y2038-issues.patch
003-fix-DROPBEAR_DSS.patch
004-allow-users-s-own-gid-in-pty-permission-check.patch
005-const-parameter-mp_int.patch
006-dropbearkey-add-missing-break-in-switch.patch
007-fix-building-only-client-or-server.patch
008-disable-rsa-signatures-when-no-rsa-hostkey.patch
009-use-write-rather-than-fprintf-in-segv-handler.patch
010-remove-SO_LINGER.patch
011-add-option-to-bind-to-interface.patch
012-add-ifdef-guards-for-SO_BINDTODEVICE.patch
013-make-banner-reading-failure-non-fatal.patch
014-dropbearkey-ignore-unsupported-command-line-option.patch
015-libtommath-fix-possible-integer-overflow.patch
016-src-svr-tcpfwd-Fix-noremotetcp-behavior.patch
017-Don-t-try-to-shutdown-a-pty.patch
018-dropbearkey-add-alias-to-ssh-keygen.patch
019-Allow-inetd-with-non-syslog.patch
020-Fix-test-for-multiuser-kernels.patch
021-Implement-Strict-KEX-mode.patch
110-change_user.patch
130-ssh_ignore_x_args.patch
140-disable_assert.patch
160-lto-jobserver.patch
600-allow-blank-root-password.patch
900-configure-hardening.patch
901-bundled-libs-cflags.patch
910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch
Created the "localoptions.h" from default_options.h for easy patching. Looked at OpenWRT build which disables ECDSA ECDH (for security IIRC) and enabled ED25519. OpenWRT recommends when doing your own builds to disable RSA, but their default builds leave them enabled for compatibility, thus so did I. However I set the default RSA keysize to 4096 bits, according to: https://security.stackexchange.com/q...actices#144044

Then converted the KOReader patches from 2018.76 to 2022.83, but dropped the dropbear-2018.76-upstream-fixes.patch since it was outdated.

Applied the new 2022.83 patches
Code:
OLDSOURCE=https://github.com/koreader/koreader-base/tree/master/thirdparty/dropbear[/url]
SOURCE:https://www.mobileread.com/forums/at...1&d=1712039536
dropbear-2022.83-kindle-nochdir-hack.patch
dropbear-2022.83-kindle-nopasswd-hack.patch
dropbear-2022.83-kindle-options-hack.patch
dropbear-2022.83-kindle-pubkey-gen-hack.patch
dropbear-2022.83-kindle-pubkey-hack.patch
dropbear-2022.83-scp-command-hack-cervantes.patch
dropbear-2022.83-scp-command-hack-kindle.patch
dropbear-2022.83-scp-command-hack-kobo.patch
dropbear-2022.83-scp-command-hack-pocketbook.patch
Steps I took for compiling dropbear:
Code:
#0. enter build environment (KOBO-TC in my case)
#1. defined some extra build variables, which you can adapt to your situation
DEVICE=kobo
BUILD=../build
#2. downloaded the source
wget https://matt.ucc.asn.au/dropbear/rel...022.83.tar.bz2
#3. unpacked it
tar -xvf dropbear-2022.83.tar.bz2
#4. unpacked patches (attached to post below)
tar -xvf dropbear-2022-83-patches.tar.gz
#5. enter source directory
cd dropbear-2022.83
#6. created the localoptions file from default options
grep "^#define" default_options.h >localoptions.h
#7. applied OpenWRT patches (source: see above)
for patch in ../patches/0_openwrt/*.patch;do
  patch -p1 <$patch
done
#8. applied OpenWRT build choices
patch -p1 <../patches/dropbear-2022.83_openwrt_build_choices.txt
#9. applied generic KOReader patches
for patch in ../patches/1_koreader/dropbear-2022.83-kindle-*.patch;do
  patch -p1 <$patch
done
#10. applied device specific patches
patch -p1 <../patches/1_koreader/dropbear-2022.83-scp-command-hack-$DEVICE.patch
#11. create build directory
mkdir $BUILD
#12. run configure
./configure \
  --host=arm-kobo-linux-gnueabihf \
  --prefix=$BUILD \
  --disable-pam \
  --enable-openpty \
  --enable-syslog \
  --disable-lastlog \
  --disable-utmpx \
  --disable-utmp \
  --disable-wtmp \
  --disable-wtmpx \
  --disable-loginfunc \
  --disable-pututline \
  --disable-pututxline \
  --disable-zlib \
  --enable-bundled-libtom
#13. build dropbear from our patched source
make
#14. installed it to our build directory
make install
#15. then stripped all executables
find $BUILD/bin $BUILD/sbin \
  -type f \
  -exec arm-kobo-linux-gnueabihf-strip --strip-unneeded {} \;
Tested it by running: ./dropbear -nREF
Code:
-R Create hostkeys as required
-F Don't fork into background
-E Log to stderr rather than syslog
-n Disable password checking (/!\ Hack, don't use this!)

root@kobo$ ./dropbear -nREF
[1516] Apr 02 05:59:41 Not backgrounding
[1521] Apr 02 05:59:44 Child connection from 192.168.1.2:34606
[1521] Apr 02 05:59:45 Bad password attempt for 'root' from 192.168.1.2:34606 (But we're letting you in, as configured ;))
[1521] Apr 02 05:59:45 Bad password attempt for 'root' from 192.168.1.2:34606
[1521] Apr 02 05:59:52 Exit (root) from <192.168.1.2:34606>: Disconnect received
Verified with NMAP to see if it was configured correctly, and that seems to be the case here.
Code:
$ nmap --script ssh2-enum-algos 192.168.1.1
Nmap scan report for 192.168.1.1
Host is up (0.0085s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT     STATE SERVICE
2222/tcp open  EtherNetIP-1
| ssh2-enum-algos: 
|   kex_algorithms: (6)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|       kexguess2@matt.ucc.asn.au
|       kex-strict-s-v00@openssh.com
|   server_host_key_algorithms: (3)
|       ssh-ed25519
|       rsa-sha2-256
|       ssh-rsa
|   encryption_algorithms: (3)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes256-ctr
|   mac_algorithms: (2)
|       hmac-sha1
|       hmac-sha2-256
|   compression_algorithms: (1)
|_      none
Nmap done: 1 IP address (1 host up) scanned in 6.75 seconds
Yay!

I compiled a version for KOBO, if you use another device like Kindle Cervantes or PocketBook, you need to compile it yourself, or wait for a new KOReader update if they choose to accept these patches.
Attached Files
File Type: gz dropbear-2022.83-kobo.tar.gz (398.8 KB, 20 views)
File Type: gz dropbear-2022-83-patches.tar.gz (23.1 KB, 28 views)

Last edited by bitfreak; 04-02-2024 at 02:14 PM. Reason: grammer
bitfreak is offline   Reply With Quote
Old 04-02-2024, 05:31 PM   #2
Frenzie
Wizard
Frenzie ought to be getting tired of karma fortunes by now.Frenzie ought to be getting tired of karma fortunes by now.Frenzie ought to be getting tired of karma fortunes by now.Frenzie ought to be getting tired of karma fortunes by now.Frenzie ought to be getting tired of karma fortunes by now.Frenzie ought to be getting tired of karma fortunes by now.Frenzie ought to be getting tired of karma fortunes by now.Frenzie ought to be getting tired of karma fortunes by now.Frenzie ought to be getting tired of karma fortunes by now.Frenzie ought to be getting tired of karma fortunes by now.Frenzie ought to be getting tired of karma fortunes by now.
 
Posts: 1,613
Karma: 724945
Join Date: Oct 2014
Location: Antwerp
Device: Kobo Aura H2O
Sounds fine to me, in principle anyway. Would you mind opening a PR for it?
Frenzie is offline   Reply With Quote
Advert
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Aura HD Dropbear SSH preinstalled: new way to access? frafra Kobo Developer's Corner 5 06-14-2014 03:07 PM
SSH keys with dropbear? enn Kindle Developer's Corner 2 10-07-2010 12:54 AM
iLiad PC and iliad together: ssh? dropbear? daudi iRex Developer's Corner 10 01-13-2008 09:47 AM
iLiad dropbear ssh: how to change root password? daudi iRex Developer's Corner 2 01-10-2008 04:49 PM
Adobe patches latest Reader security flaw Alexander Turcic Reading and Management 11 10-29-2007 04:56 PM


All times are GMT -4. The time now is 03:40 PM.


MobileRead.com is a privately owned, operated and funded community.