* [Buildroot] [PATCH] dropbear: change start-up script to honour pre-existing keys @ 2017-11-15 19:45 Markus Mayer 2017-11-15 21:05 ` Peter Korsgaard 2017-11-15 21:18 ` Arnout Vandecappelle 0 siblings, 2 replies; 6+ messages in thread From: Markus Mayer @ 2017-11-15 19:45 UTC (permalink / raw) To: buildroot From: Markus Mayer <mmayer@broadcom.com> Rather than starting dropbear with option -R at all times, we only do so if no existing key file is found. This lets dropbear honour pre-existing key files, including keys copied into the root file system at build time. Signed-off-by: Markus Mayer <mmayer@broadcom.com> --- package/dropbear/S50dropbear | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/package/dropbear/S50dropbear b/package/dropbear/S50dropbear index 9474eaa..8eea9ae 100644 --- a/package/dropbear/S50dropbear +++ b/package/dropbear/S50dropbear @@ -7,7 +7,7 @@ test -r /etc/default/dropbear && . /etc/default/dropbear start() { - DROPBEAR_ARGS="$DROPBEAR_ARGS -R" + msg=' ' # If /etc/dropbear is a symlink to /var/run/dropbear, and # - the filesystem is RO (i.e. we can not rm the symlink), @@ -26,7 +26,14 @@ start() { fi fi - printf "Starting dropbear sshd: " + ls /etc/dropbear/*host_key >/dev/null 2>&1 + if [ $? != 0 ]; then + # No key files found. We need to generate a key. + DROPBEAR_ARGS="$DROPBEAR_ARGS -R" + msg='(with new key) ' + fi + + printf "Starting dropbear sshd: $msg" umask 077 start-stop-daemon -S -q -p /var/run/dropbear.pid \ -- 2.7.4 ^ permalink raw reply related [flat|nested] 6+ messages in thread
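Review bot: in the first hunk `msg=' '` takes the place of the old `DROPBEAR_ARGS` line, but the later `printf "Starting dropbear sshd: $msg"` already carries the space after the colon, so the no-new-key case now prints two spaces where the old `printf "Starting dropbear sshd: "` printed one; `msg=''` reproduces the original output exactly. `msg` is also assigned without `local`, so it lingers as a global after start() returns; `local msg=''` is accepted by the busybox and dash shells these init scripts run under.

Review bot: the second hunk's `ls /etc/dropbear/*host_key` test only establishes that some key file exists, not that every key type the server was built with is present, and that is a logic gap: as soon as one key (the provisioned RSA key, say) is found, -R is dropped, so a type that is absent (ECDSA, say) can no longer be created on demand during key exchange by svr_ensure_hostkey in svr-kex.c, and a client that negotiates that type first is refused rather than served, which is the failure the rest of the thread traces. Either keep -R unconditionally, since it already leaves existing key files alone, or make the check per type, e.g. `[ -f /etc/dropbear/dropbear_rsa_host_key ] && [ -f /etc/dropbear/dropbear_ecdsa_host_key ]`, so that a missing type is noticed. Two smaller points: `ls … >/dev/null 2>&1` followed by `if [ $? != 0 ]` reads more directly as `if ! ls /etc/dropbear/*host_key >/dev/null 2>&1; then`, and `msg='(with new key) '` is printed at start-up although -R creates the key during the first key exchange that needs it, so the message claims more than the script can confirm at that point.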
* [Buildroot] [PATCH] dropbear: change start-up script to honour pre-existing keys
From: Peter Korsgaard @ 2017-11-15 21:05 UTC
To: buildroot

>>>>> "Markus" == Markus Mayer <code@mmayer.net> writes:

 > From: Markus Mayer <mmayer@broadcom.com>

 > Rather than starting dropbear with option -R at all times, we only do
 > so if no existing key file is found. This lets dropbear honour
 > pre-existing key files, including keys copied into the root file system
 > at build time.

But -R already only generates keys if needed? See
svr-kex.c::svr_ensure_hostkey()

Why is that not working for you?

-- 
Bye, Peter Korsgaard
* [Buildroot] [PATCH] dropbear: change start-up script to honour pre-existing keys 2017-11-15 19:45 [Buildroot] [PATCH] dropbear: change start-up script to honour pre-existing keys Markus Mayer 2017-11-15 21:05 ` Peter Korsgaard @ 2017-11-15 21:18 ` Arnout Vandecappelle [not found] ` <CAGt4E5uZzBjfTqQh9RAN+wek9B+31PgWn3XJwSrDYz-sg6yFCA@mail.gmail.com> 1 sibling, 1 reply; 6+ messages in thread From: Arnout Vandecappelle @ 2017-11-15 21:18 UTC (permalink / raw) To: buildroot On 15-11-17 20:45, Markus Mayer wrote: > From: Markus Mayer <mmayer@broadcom.com> > > Rather than starting dropbear with option -R at all times, we only do > so if no existing key file is found. This lets dropbear honour > pre-existing key files, including keys copied into the root file system > at build time. That's exactly what the -R option does, no? It creates host keys if they don't exist yet. Cfr. svr_ensure_hostkey in svr-kex.c. Regards, Arnout > > Signed-off-by: Markus Mayer <mmayer@broadcom.com> > --- > package/dropbear/S50dropbear | 11 +++++++++-- > 1 file changed, 9 insertions(+), 2 deletions(-) > > diff --git a/package/dropbear/S50dropbear b/package/dropbear/S50dropbear > index 9474eaa..8eea9ae 100644 > --- a/package/dropbear/S50dropbear > +++ b/package/dropbear/S50dropbear > @@ -7,7 +7,7 @@ > test -r /etc/default/dropbear && . /etc/default/dropbear > > start() { > - DROPBEAR_ARGS="$DROPBEAR_ARGS -R" > + msg=' ' > > # If /etc/dropbear is a symlink to /var/run/dropbear, and > # - the filesystem is RO (i.e. we can not rm the symlink), 
> @@ -26,7 +26,14 @@ start() { > fi > fi > > - printf "Starting dropbear sshd: " > + ls /etc/dropbear/*host_key >/dev/null 2>&1 > + if [ $? != 0 ]; then > + # No key files found. We need to generate a key. > + DROPBEAR_ARGS="$DROPBEAR_ARGS -R" > + msg='(with new key) ' > + fi > + > + printf "Starting dropbear sshd: $msg" > umask 077 > > start-stop-daemon -S -q -p /var/run/dropbear.pid \ > -- Arnout Vandecappelle arnout at mind be Senior Embedded Software Architect +32-16-286500 Essensium/Mind http://www.mind.be G.Geenslaan 9, 3001 Leuven, Belgium BE 872 984 063 RPR Leuven LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle GPG fingerprint: 7493 020B C7E3 8618 8DEC 222C 82EB F404 F9AC 0DDF ^ permalink raw reply [flat|nested] 6+ messages in thread
* [Buildroot] [PATCH] dropbear: change start-up script to honour pre-existing keys
From: Arnout Vandecappelle @ 2017-11-15 22:29 UTC
To: buildroot

On 15-11-17 22:24, Markus Mayer wrote:
> On 15 November 2017 at 13:18, Arnout Vandecappelle <arnout@mind.be> wrote:
>>
>>
>> On 15-11-17 20:45, Markus Mayer wrote:
>>> From: Markus Mayer <mmayer@broadcom.com>
>>>
>>> Rather than starting dropbear with option -R at all times, we only do
>>> so if no existing key file is found. This lets dropbear honour
>>> pre-existing key files, including keys copied into the root file system
>>> at build time.
>>
>> That's exactly what the -R option does, no? It creates host keys if they don't
>> exist yet. Cfr. svr_ensure_hostkey in svr-kex.c.
>
> That's what I expected, too, but it doesn't work that way for me.
>
> I am not entirely sure why. I do see dropbear using a different SSH
> key every time the system is booted, even if a key file already exists
> whenever it is started using -R. It is trying to use ECDSA keys. The
> pre-generated key I am copying into the rootfs is an RSA key. I am
> running with initrd, so the ECDSA key disappears upon reboot. Fact
> remains that it is ignoring the existing RSA key.
>
> Here's an example of what I see:
>
> # ssh localhost
> Host 'localhost' is not in the trusted hosts file.
> (ssh-rsa fingerprint md5 3c:62:78:a7:4a:4e:c5:69:cb:57:06:c6:b1:20:2e:9a)
> Do you want to continue connecting? (y/n) ^C
>
> Using the RSA key, as it is supposed to. But only because it was
> started without -R.
>
> # ps aux|grep drop
> 1471 root /usr/sbin/dropbear
> 1506 root grep drop
>
> Re-starting with -R.
>
> # kill 1471
> # /usr/sbin/dropbear -R
>
> And trying it again.
>
> # ssh localhost
> Host 'localhost' is not in the trusted hosts file.
> (ecdsa-sha2-nistp521 fingerprint md5
> f4:c8:5a:37:ac:20:80:96:9f:2b:72:1b:ee:7d:c1:1e)
> Do you want to continue connecting? (y/n) ^C
>
> Promptly using an ECDSA key now. Freshly generated.

 OK, I see what happens. Your ssh client is requesting an ECDSA key. So when
dropbear is given the -R option and the ECDSA key doesn't exist, it will
generate one. If -R is not given, it will not generate a key and it will just
fail. Then the client will fall back to requesting an RSA key, and this is one
that can be supplied.
I still don't think that your solution in the init script is very elegant. I think it's rather exceptional that you want only an RSA host key in your rootfs and not an ECDSA and/or DSS key. If you really want that, you can put a custom init script in your fs overlay that removes -R completely. Or you can add a DROPBEAR_POST_EXTRACT_HOOK in your local.mk that removes DROPBEAR_ECDSA from options.h. Regards, Arnout - > > # date > Thu Jan 1 00:03:12 UTC 1970 > > # ls -l /etc/dropbear/ > total 8 > -rw------- 1 root root 243 Jan 1 00:01 dropbear_ecdsa_host_key > -rw------- 1 root root 1573 Nov 1 2017 dropbear_rsa_host_key > > dropbear_ecdsa_host_key is does not exist in the initrd. > dropbear_rsa_host_key does. > > Regards, > -Markus > >> Regards, >> Arnout >> >>> >>> Signed-off-by: Markus Mayer <mmayer@broadcom.com> >>> --- >>> package/dropbear/S50dropbear | 11 +++++++++-- >>> 1 file changed, 9 insertions(+), 2 deletions(-) >>> >>> diff --git a/package/dropbear/S50dropbear b/package/dropbear/S50dropbear >>> index 9474eaa..8eea9ae 100644 >>> --- a/package/dropbear/S50dropbear >>> +++ b/package/dropbear/S50dropbear >>> @@ -7,7 +7,7 @@ >>> test -r /etc/default/dropbear && . /etc/default/dropbear >>> >>> start() { >>> - DROPBEAR_ARGS="$DROPBEAR_ARGS -R" >>> + msg=' ' >>> >>> # If /etc/dropbear is a symlink to /var/run/dropbear, and >>> # - the filesystem is RO (i.e. we can not rm the symlink), 
>>> @@ -26,7 +26,14 @@ start() { >>> fi >>> fi >>> >>> - printf "Starting dropbear sshd: " >>> + ls /etc/dropbear/*host_key >/dev/null 2>&1 >>> + if [ $? != 0 ]; then >>> + # No key files found. We need to generate a key. >>> + DROPBEAR_ARGS="$DROPBEAR_ARGS -R" >>> + msg='(with new key) ' >>> + fi >>> + >>> + printf "Starting dropbear sshd: $msg" >>> umask 077 >>> >>> start-stop-daemon -S -q -p /var/run/dropbear.pid \ >>> >> >> -- >> Arnout Vandecappelle arnout at mind be >> Senior Embedded Software Architect +32-16-286500 >> Essensium/Mind http://www.mind.be >> G.Geenslaan 9, 3001 Leuven, Belgium BE 872 984 063 RPR Leuven >> LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle >> GPG fingerprint: 7493 020B C7E3 8618 8DEC 222C 82EB F404 F9AC 0DDF -- Arnout Vandecappelle arnout at mind be Senior Embedded Software Architect +32-16-286500 Essensium/Mind http://www.mind.be G.Geenslaan 9, 3001 Leuven, Belgium BE 872 984 063 RPR Leuven LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle GPG fingerprint: 7493 020B C7E3 8618 8DEC 222C 82EB F404 F9AC 0DDF ^ permalink raw reply [flat|nested] 6+ messages in thread
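The behaviour Arnout explains above (a provisioned RSA key coexisting with an ECDSA type that -R would create on demand and that a server without -R cannot offer), and the gap between the submitted patch's `ls *host_key` test and a per-type check, as an added example in POSIX sh. This is not part of the thread, the Buildroot S50dropbear script or dropbear itself: the KEY_TYPES list, the function names and the demo directory are assumptions made for the example, while the file naming follows the dropbear_<type>_host_key convention visible in Markus's `ls -l /etc/dropbear/` output.

```shell
#!/bin/sh
# Added example (not the Buildroot S50dropbear script and not dropbear's own
# code): audit a dropbear host key directory and show what `dropbear -R`
# would still create on demand. It assumes dropbear's file naming
# dropbear_<type>_host_key and a constructed KEY_TYPES list; set KEY_TYPES
# to the algorithms enabled in the options.h of the build you actually ship.

KEY_TYPES="rsa ecdsa dss"

# present_key_types DIR: print the key types that have a key file in DIR.
present_key_types() {
    _dir=$1
    _out=""
    for _t in $KEY_TYPES; do
        if [ -f "$_dir/dropbear_${_t}_host_key" ]; then
            _out="$_out $_t"
        fi
    done
    printf '%s\n' "${_out#?}"
}

# missing_key_types DIR: print the key types that have no key file in DIR.
# With -R these are generated on demand at the first key exchange that
# negotiates them (svr_ensure_hostkey); without -R the server cannot offer
# them at all, and a client that insists on one is refused.
missing_key_types() {
    _dir=$1
    _out=""
    for _t in $KEY_TYPES; do
        if [ ! -f "$_dir/dropbear_${_t}_host_key" ]; then
            _out="$_out $_t"
        fi
    done
    printf '%s\n' "${_out#?}"
}

# any_key_present DIR: the test the submitted patch makes with
# `ls /etc/dropbear/*host_key`, done with a glob instead of forking ls.
# Succeeds when at least one *host_key entry exists, whatever its type.
any_key_present() {
    set -- "$1"/*host_key
    [ -e "$1" ]
}

# dropbear_args DIR: the patch's decision (add -R only when no key file
# exists) plus the warning the patch does not print: once -R is dropped,
# every still-missing type is one a client can negotiate and then fail on.
dropbear_args() {
    if any_key_present "$1"; then
        _missing=$(missing_key_types "$1")
        if [ -n "$_missing" ]; then
            printf 'warning: starting without -R; clients that negotiate %s first will be refused\n' \
                "$_missing" >&2
        fi
        printf '\n'
    else
        printf '%s\n' "-R"
    fi
}

# report DIR: human-readable summary for interactive use.
report() {
    printf 'key directory: %s\n' "$1"
    printf 'present:       %s\n' "$(present_key_types "$1")"
    printf 'missing:       %s\n' "$(missing_key_types "$1")"
    printf 'extra args:    %s\n' "$(dropbear_args "$1")"
}

if [ $# -gt 0 ]; then
    report "$1"
else
    # Constructed demo input: a directory holding only a provisioned RSA key,
    # the situation the thread describes (the file is empty; only its name
    # matters to this check).
    _demo=$(mktemp -d)
    : > "$_demo/dropbear_rsa_host_key"
    report "$_demo"
    rm -rf "$_demo"
fi
```

Run it against a key directory (a rootfs overlay or staging tree works as well as a live /etc/dropbear). A non-empty `missing` line together with an empty `extra args` line is exactly the configuration the thread ends up advising against: either provision every key type the build enables, or drop the unused types at build time as Arnout and Peter suggest, so that no client can negotiate a type the server has no key for.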
* [Buildroot] [PATCH] dropbear: change start-up script to honour pre-existing keys
From: Peter Korsgaard @ 2017-11-16 7:32 UTC
To: buildroot

>>>>> "Arnout" == Arnout Vandecappelle <arnout@mind.be> writes:

Hi,

 > I still don't think that your solution in the init script is very elegant. I
 > think it's rather exceptional that you want only an RSA host key in your rootfs
 > and not an ECDSA and/or DSS key. If you really want that, you can put a custom
 > init script in your fs overlay that removes -R completely. Or you can add a
 > DROPBEAR_POST_EXTRACT_HOOK in your local.mk that removes DROPBEAR_ECDSA from
 > options.h.

Agreed, don't enable ecdsa support (in your client and in dropbear) if
you don't want it.

-- 
Bye, Peter Korsgaard
* [Buildroot] [PATCH] dropbear: change start-up script to honour pre-existing keys
From: Markus Mayer @ 2017-11-17 0:03 UTC
To: buildroot

On 15 November 2017 at 23:32, Peter Korsgaard <peter@korsgaard.com> wrote:
>>>>>> "Arnout" == Arnout Vandecappelle <arnout@mind.be> writes:
>
> Hi,
>
> > I still don't think that your solution in the init script is very elegant. I
> > think it's rather exceptional that you want only an RSA host key in your rootfs
> > and not an ECDSA and/or DSS key. If you really want that, you can put a custom
> > init script in your fs overlay that removes -R completely. Or you can add a
> > DROPBEAR_POST_EXTRACT_HOOK in your local.mk that removes DROPBEAR_ECDSA from
> > options.h.
>
> Agreed, don't enable ecdsa support (in your client and in dropbear) if
> you don't want it.

Sure. I have no problem using a different solution. I was just surprised
that dropbear wouldn't look for all key types before generating a new
one. But that's not a buildroot issue.

Regards,
-Markus