SSH/Dropbear 2022.83 + latest security patches + ed25519

bitfreak · 04-02-2024, 03:22 AM

Hi,

It took longer than I wanted but here it is the latest version of: Dropbear 2022.83 with the latest security patches and fixes taken from OpenWRT. The build is almost the same, but I excluded the "100-pubkey_path.patch" which conflicted with the KOReader pubkey patches (the former enhances security, while the latter loosens it due to FAT32 not having permissions)

Applied OpenWRT patches:

Code:

SOURCE: https://github.com/openwrt/openwrt/t...opbear/patches
001-add-if-DROPBEAR_RSA-guards.patch
002-fix-y2038-issues.patch
003-fix-DROPBEAR_DSS.patch
004-allow-users-s-own-gid-in-pty-permission-check.patch
005-const-parameter-mp_int.patch
006-dropbearkey-add-missing-break-in-switch.patch
007-fix-building-only-client-or-server.patch
008-disable-rsa-signatures-when-no-rsa-hostkey.patch
009-use-write-rather-than-fprintf-in-segv-handler.patch
010-remove-SO_LINGER.patch
011-add-option-to-bind-to-interface.patch
012-add-ifdef-guards-for-SO_BINDTODEVICE.patch
013-make-banner-reading-failure-non-fatal.patch
014-dropbearkey-ignore-unsupported-command-line-option.patch
015-libtommath-fix-possible-integer-overflow.patch
016-src-svr-tcpfwd-Fix-noremotetcp-behavior.patch
017-Don-t-try-to-shutdown-a-pty.patch
018-dropbearkey-add-alias-to-ssh-keygen.patch
019-Allow-inetd-with-non-syslog.patch
020-Fix-test-for-multiuser-kernels.patch
021-Implement-Strict-KEX-mode.patch
110-change_user.patch
130-ssh_ignore_x_args.patch
140-disable_assert.patch
160-lto-jobserver.patch
600-allow-blank-root-password.patch
900-configure-hardening.patch
901-bundled-libs-cflags.patch
910-signkey-fix-use-of-rsa-sha2-256-pubkeys.patch

Created the "localoptions.h" from default_options.h for easy patching. Looked at OpenWRT build which disables ECDSA ECDH (for security IIRC) and enabled ED25519. OpenWRT recommends when doing your own builds to disable RSA, but their default builds leave them enabled for compatibility, thus so did I. However I set the default RSA keysize to 4096 bits, according to: https://security.stackexchange.com/q...actices#144044

Then converted the KOReader patches from 2018.76 to 2022.83, but dropped the dropbear-2018.76-upstream-fixes.patch since it was outdated.

Applied the new 2022.83 patches

Code:

OLDSOURCE=https://github.com/koreader/koreader-base/tree/master/thirdparty/dropbear[/url]
SOURCE:https://www.mobileread.com/forums/at...1&d=1712039536
dropbear-2022.83-kindle-nochdir-hack.patch
dropbear-2022.83-kindle-nopasswd-hack.patch
dropbear-2022.83-kindle-options-hack.patch
dropbear-2022.83-kindle-pubkey-gen-hack.patch
dropbear-2022.83-kindle-pubkey-hack.patch
dropbear-2022.83-scp-command-hack-cervantes.patch
dropbear-2022.83-scp-command-hack-kindle.patch
dropbear-2022.83-scp-command-hack-kobo.patch
dropbear-2022.83-scp-command-hack-pocketbook.patch

Steps I took for compiling dropbear:

Code:

#0. enter build environment (KOBO-TC in my case)
#1. defined some extra build variables, which you can adapt to your situation
DEVICE=kobo
BUILD=../build
#2. downloaded the source
wget https://matt.ucc.asn.au/dropbear/rel...022.83.tar.bz2
#3. unpacked it
tar -xvf dropbear-2022.83.tar.bz2
#4. unpacked patches (attached to post below)
tar -xvf dropbear-2022-83-patches.tar.gz
#5. enter source directory
cd dropbear-2022.83
#6. created the localoptions file from default options
grep "^#define" default_options.h >localoptions.h
#7. applied OpenWRT patches (source: see above)
for patch in ../patches/0_openwrt/*.patch;do
  patch -p1 <$patch
done
#8. applied OpenWRT build choices
patch -p1 <../patches/dropbear-2022.83_openwrt_build_choices.txt
#9. applied generic KOReader patches
for patch in ../patches/1_koreader/dropbear-2022.83-kindle-*.patch;do
  patch -p1 <$patch
done
#10. applied device specific patches
patch -p1 <../patches/1_koreader/dropbear-2022.83-scp-command-hack-$DEVICE.patch
#11. create build directory
mkdir $BUILD
#12. run configure
./configure \
  --host=arm-kobo-linux-gnueabihf \
  --prefix=$BUILD \
  --disable-pam \
  --enable-openpty \
  --enable-syslog \
  --disable-lastlog \
  --disable-utmpx \
  --disable-utmp \
  --disable-wtmp \
  --disable-wtmpx \
  --disable-loginfunc \
  --disable-pututline \
  --disable-pututxline \
  --disable-zlib \
  --enable-bundled-libtom
#13. build dropbear from our patched source
make
#14. installed it to our build directory
make install
#15. then stripped all executables
find $BUILD/bin $BUILD/sbin \
  -type f \
  -exec arm-kobo-linux-gnueabihf-strip --strip-unneeded {} \;

Tested it by running: ./dropbear -nREF

Code:

-R Create hostkeys as required
-F Don't fork into background
-E Log to stderr rather than syslog
-n Disable password checking (/!\ Hack, don't use this!)

root@kobo$ ./dropbear -nREF
[1516] Apr 02 05:59:41 Not backgrounding
[1521] Apr 02 05:59:44 Child connection from 192.168.1.2:34606
[1521] Apr 02 05:59:45 Bad password attempt for 'root' from 192.168.1.2:34606 (But we're letting you in, as configured ;))
[1521] Apr 02 05:59:45 Bad password attempt for 'root' from 192.168.1.2:34606
[1521] Apr 02 05:59:52 Exit (root) from <192.168.1.2:34606>: Disconnect received

Verified with NMAP to see if it was configured correctly, and that seems to be the case here.

Code:

$ nmap --script ssh2-enum-algos 192.168.1.1
Nmap scan report for 192.168.1.1
Host is up (0.0085s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT     STATE SERVICE
2222/tcp open  EtherNetIP-1
| ssh2-enum-algos: 
|   kex_algorithms: (6)
|       curve25519-sha256
|       curve25519-sha256@libssh.org
|       diffie-hellman-group14-sha256
|       diffie-hellman-group14-sha1
|       kexguess2@matt.ucc.asn.au
|       kex-strict-s-v00@openssh.com
|   server_host_key_algorithms: (3)
|       ssh-ed25519
|       rsa-sha2-256
|       ssh-rsa
|   encryption_algorithms: (3)
|       chacha20-poly1305@openssh.com
|       aes128-ctr
|       aes256-ctr
|   mac_algorithms: (2)
|       hmac-sha1
|       hmac-sha2-256
|   compression_algorithms: (1)
|_      none
Nmap done: 1 IP address (1 host up) scanned in 6.75 seconds

Yay!

I compiled a version for KOBO, if you use another device like Kindle Cervantes or PocketBook, you need to compile it yourself, or wait for a new KOReader update if they choose to accept these patches.

Frenzie · 04-02-2024, 06:31 PM

Sounds fine to me, in principle anyway. Would you mind opening a PR for it?

bitfreak · 05-05-2024, 04:13 PM

Quote:

Originally Posted by Frenzie

Sounds fine to me, in principle anyway. Would you mind opening a PR for it?

Sorry for the late reply, I just do not seem to have any time lately.
Please do what you think is right

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Aura HD Dropbear SSH preinstalled: new way to access?	frafra	Kobo Developer's Corner	5	06-14-2014 04:07 PM
SSH keys with dropbear?	enn	Kindle Developer's Corner	2	10-07-2010 01:54 AM
iLiad PC and iliad together: ssh? dropbear?	daudi	iRex Developer's Corner	10	01-13-2008 10:47 AM
iLiad dropbear ssh: how to change root password?	daudi	iRex Developer's Corner	2	01-10-2008 05:49 PM
Adobe patches latest Reader security flaw	Alexander Turcic	Reading and Management	11	10-29-2007 05:56 PM

04-02-2024, 06:31 PM	#2
Frenzie Wizard Posts: 1,675 Karma: 730583 Join Date: Oct 2014 Location: Antwerp Device: Kobo Aura H2O	Sounds fine to me, in principle anyway. Would you mind opening a PR for it?