
Introduction

This guide aims to describe the steps I had to take to get dropbear installed on my system. I've searched a lot for this information and finally got it working. Most of what is described here can be found elsewhere. The added value is that it is all gathered together for the benefit of anyone who wants to do the same (including myself).

I use my PopCornHour (PCH) as a network-attached storage (NAS) where I place my media files but also other documents. My goal was to achieve a secure connection to the PCH from outside my network and to be able to:

* copy files from/to the PCH
* start a console on the PCH to examine or change settings
* give download tasks to nzbget
* access the configuration pages of my ADSL modem and VOIP gateway (tunnel into my internal network)

Everything I describe here is strictly tailored to my environment and my goals and may not be suitable for anything else. So use the guide wisely and don't take anything to the letter.

My main work environment is Windows. I use Linux inside virtual machines and occasionally boot a LiveCD.

Building the Cross-compilation Toolchain

Download and install VMware. Download the Debian Etch 4.0 VMware image (other distributions of your choice may also be used). Download the Syabas NMT (SMP8634) toolchain and place it in the ~/popcorn/smp directory.

In the Debian image some packages were missing, so I had to install them:

Code:
apt-get update
apt-get install flex
apt-get install bison
apt-get install gettext
apt-get install genromfs
apt-get install ncurses-dev

Unpack the toolchain:

Code:
cd ~/popcorn/smp
tar xf smp86xx_toolchain.20080505.tar.bz2
cd smp86xx_toolchain.20080505

Read the README file. Make sure your terminal window has at least 19 rows and 80 columns. Configure the build:

Code:
make menuconfig

Select the following:

    Kernel Headers options ---> Linux 2.6.11.0 kernel headers
    Toolchain Options --->
        Select uCLibc version ---> 0.9.28.3
        Select binUtils version ---> 2.17
        Select gcc version ---> 4.0.4

At this point the build can start:

Code:
make

When the build is done, the file toolchain-path.env will be created, which contains the environment settings necessary to use the toolchain. Source this file (. ./toolchain-path.env) or copy-paste its contents into the command line before starting any cross-compilation; running it as a separate program would only set the variables in a child shell, which is gone as soon as it exits.

Building Dropbear

Create the ~/popcorn/dropbear directory and download the latest version of dropbear (at the time of writing this was dropbear-0.51.tar.gz). You can get it for example by using:

Code:
cd ~/popcorn/dropbear
wget http://matt.ucc.asn.au/dropbear/dropbear-0.51.tar.gz

Unpack it:

Code:
tar xvzf dropbear-0.51.tar.gz
cd dropbear-0.51

Read the README, INSTALL and MULTI files. Configure the build:

Code:
./configure --host=mipsel-linux --disable-zlib

I needed to use --disable-zlib as I still haven't sorted out how to cross-compile it. Any hints are welcome! Update: I have been able to build and use zlib. See below.

You shouldn't need to change anything in options.h at this point, but have a look anyway at what settings are available. I have chosen to build a combined binary à la busybox:

Code:
make PROGRAMS="dropbear dbclient dropbearkey dropbearconvert scp" MULTI=1

In the end, you will get a binary called dropbearmulti. This is all you need. It contains all of the above programs.

Compiling and Using zlib

I have been able to build zlib and then use it for dropbear so I am sharing this

with you. Get zlib from the OpenWrt project and unpack it into a directory:

Code:
cd ~/popcorn
mkdir 05_zlib
cd 05_zlib
wget http://downloads.openwrt.org/sources/zlib-1.2.3.tar.bz2
tar xvjf zlib-1.2.3.tar.bz2
cd zlib-1.2.3

Prepare it for cross-compilation:

Code:
CC=mipsel-linux-gcc ./configure

Now you're ready to make:

Code:
make

When the build is done you need 3 files:

Code:
zlib.h
zconf.h
libz.a

You must make these files available to the toolchain. I chose to copy them to the directory where the toolchain was built:

Code:
cp zlib.h ~/popcorn/00_smp/smp86xx_toolchain.20080505/build_mipsel_nofpu/staging_dir/include
cp zconf.h ~/popcorn/00_smp/smp86xx_toolchain.20080505/build_mipsel_nofpu/staging_dir/include
cp libz.a ~/popcorn/00_smp/smp86xx_toolchain.20080505/build_mipsel_nofpu/staging_dir/lib

Now you can configure and build dropbear as described above without using --disable-zlib:

Code:
./configure --host=mipsel-linux
make

Installing Dropbear on the PCH

From this point on, work moves to the PCH. All commands have to be issued on a telnet terminal connected to the PCH. There are good tutorials on how to install and run telnetd on the PCH, so I will skip this.

I've added /share/start_app.sh to the start() function in /mnt/syb8634/etc/ftpserver.sh, so start_app.sh will be executed at every reboot. One of the things I've added to start_app.sh is the following command:

Code:

cp -r -P -p /share/apps/start/* /

This allows me to place whatever files (and softlinks) I need in /share/apps/start (i.e. on my internal hard disk) and have them copied to the root of the filesystem at startup. This is very important, as files like /etc/passwd, /etc/shadow, /etc/group get overwritten at every startup, so user passwords, home directories and shell settings are lost and need to be refreshed every time.

Beware! I'm no security expert and have no idea what kind of security risks this method involves! Gather your own information and make your own informed decision as to what to use and how.

The contents of my /share/apps/start directory are listed here below:

Code:
root@PCH-A100 in /opt/sybhttpd/localhost.drives/HARD_DISK/apps/start # ls -AlR
.:
drwxr-xr-x 2 root root 4096 Sep 14 23:00 bin
drwxr-xr-x 3 root root 4096 Sep 14 22:03 etc
drwxr-xr-x 3 root root 4096 Sep 14 21:53 mnt
drwxr-xr-x 5 root root 4096 Sep 14 22:28 usr

./bin:
lrwxrwxrwx 1 root root 28 Sep 14 23:00 login -> ../mnt/syb8634/bin/busybox26

./etc:
drwxr-xr-x 2 root root 4096 Sep 18 21:06 dropbear
-rw-r--r-- 1 root root  135 Sep 14 21:54 group
-rw-r--r-- 1 root root  650 Sep 14 21:54 passwd
-rw-r--r-- 1 root root  436 Sep 14 21:55 shadow

./etc/dropbear:
-rw-r--r-- 1 root root 459 Sep 14 21:59 dropbear_dss_host_key
-rw-r--r-- 1 root root 427 Sep 14 21:59 dropbear_rsa_host_key

./mnt:
drwxr-xr-x 4 root root 4096 Sep 14 22:21 syb8634

./mnt/syb8634:
drwxrwxrwx 2 root root 4096 Sep 14 21:43 bin
drwxrwxrwx 2 root root 4096 Sep 21 16:41 sbin

./mnt/syb8634/bin:
-rwxr-xr-x 1 root root 598768 Sep 14 21:13 busybox26
-rwxr-xr-x 1 root root 499146 Sep 18 23:01 dropbearmulti
lrwxrwxrwx 1 root root     13 Sep 14 21:42 dbclient -> dropbearmulti
lrwxrwxrwx 1 root root     13 Sep 14 21:41 dropbear -> dropbearmulti
lrwxrwxrwx 1 root root     13 Sep 14 21:43 dropbearconvert -> dropbearmulti
lrwxrwxrwx 1 root root     13 Sep 14 21:42 dropbearkey -> dropbearmulti
lrwxrwxrwx 1 root root     13 Sep 14 21:17 scp -> dropbearmulti
lrwxrwxrwx 1 root root     13 Sep 14 21:42 ssh -> dropbearmulti
(plus one "lrwxrwxrwx 1 root root 9 Sep 14 ... NAME -> busybox26" link for each of:
 ash awk basename cat chmod chown chroot clear cmp cp crond crontab cut date dd df
 du echo egrep env ether-wake expr false fgrep find ftpget ftpput grep gunzip gzip
 head hostname ifconfig kill killall less ln login more passwd ping poweroff ps pwd
 realpath reboot reset rm rmdir route sed sh sha1sum sleep sort strings tail tar
 telnet telnetd tftp time top touch traceroute true umount uptime vi wc wget which
 xargs yes)

./mnt/syb8634/sbin:
lrwxrwxrwx 1 root root 20 Sep 14 21:45 dropbear -> ../bin/dropbearmulti
lrwxrwxrwx 1 root root 16 Sep 21 16:41 telnetd -> ../bin/busybox26

./usr:
drwxr-xr-x 2 root root 4096 Sep 14 22:59 bin
drwxr-xr-x 2 root root 4096 Sep 14 22:10 etc
drwxr-xr-x 2 root root 4096 Sep 21 16:42 sbin

./usr/bin:

./usr/etc:
lrwxrwxrwx 1 root root 26 Sep 14 22:10 nzbget.conf -> /share/.nzbget/nzbget.conf

./usr/sbin:
lrwxrwxrwx 1 root root 35 Sep 21 16:42 dropbear -> ../../mnt/syb8634/bin/dropbearmulti
lrwxrwxrwx 1 root root 31 Sep 21 16:42 telnetd -> ../../mnt/syb8634/bin/busybox26

Everything is prepared to be copied as-is to the root of the file system. Most likely, it would be more elegant to tar everything and untar it upon startup. I will consider that at some moment in the future.

In ./etc/dropbear above, there are two key files that dropbear uses. To generate them, use:

Code:
dropbearkey -t rsa -s 1024 -f dropbear_rsa_host_key
dropbearkey -t dss -f dropbear_dss_host_key

A 1024-bit RSA host key is short by today's standards; dropbearkey accepts -s 2048. The DSS key is only needed for clients that still offer ssh-dss (recent OpenSSH releases disable it by default). The private host keys deserve the same care as the shadow file: anyone who can read them (they are staged on the share as well) can impersonate the PCH to your SSH clients.

Finally, to automatically start dropbear after reboot, add the following command at a convenient place in start_app.sh:

Code:
dropbear -a -p 22 &

Note that -a lets other hosts connect to ports that an SSH client forwards to the PCH (the equivalent of OpenSSH's GatewayPorts). A local tunnel from PuTTY to the modem's web pages does not need it, so leave -a out unless other machines must reach the forwarded ports.

Now you should be able to connect to your PCH with an SSH client like PuTTY. Enjoy!

Generating Passwords and Setting up the Accounts

The normal way of generating passwords is to use the passwd command. In my environment this doesn't work, however. I get an error saying:

Code:
passwd: An error occurred updating the password file.

Not having had the time and skills to investigate what is wrong, I decided to be practical about it and find alternative ways. This is how I discovered the makepwd.pl Perl script that generates passwords for me to paste into the shadow file. (Unfortunately I don't remember where I got it from; I googled it but then forgot where I found it and can't find it again. Also I don't know how to attach files to posts, so I am pasting the code here.)

The script produces a traditional crypt(3) hash: a 2-character salt followed by 11 hash characters, 13 in total, and only the first 8 characters of the password count. Run it on a machine that has Perl and the Term::ReadKey module, and paste the output of "create" into the second field of the user's line in ./etc/shadow. "check" verifies a password against the ./passwd file the script keeps in its current directory (not the system one).

Code:
#!/usr/bin/perl -w
use strict;
#use Crypt;                        # if no native crypt function, use the crypt module
use Term::ReadKey;
END { ReadMode ('restore'); }      # just in case

my $usage = <<EOD;
Usage: $0 {create|check} user [password]
    create     create a new password
    check      check a password
    user       username
    password   if not present prompts for one interactively
EOD
die $usage if @ARGV < 2;
my $dbg = 0;                       # debug

# legal encrypted chars
my @legal_enc = ('.', '/', '0'..'9', 'A'..'Z', 'a'..'z');
# legal clear passwd chrs (26+26+10+24=86): "a-zA-Z0-9!#$%&()*+,-./:;<=>?@[\]^"
my @legal_clear = ('a'..'z', 'A'..'Z', '0'..'9', split //, '!#$%&()*+,-./:;<=>?@[\]^');
my %legal_clear;
foreach (@legal_clear) { $legal_clear{$_} = 1; }

my $passwd_file = './passwd';
my $enc_passwd;
my $user;
my $passwd;

#- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Self-test loop, left commented out:
# my $tmp = (time + $$) % 65536;
# srand ($tmp);
#
# for (1 .. 1000) {
#
#     if ($_ & 1) {
#         @ARGV = ('create', 'fubar') if $_ & 1;
#         my $tmp = '';
#         for (my $ii = 0; $ii < 10; $ii++) {
#             $tmp .= chr rand (256);
#         }
#         push @ARGV, $tmp;
#     } else {
#         @ARGV = ('check', 'fubar', $passwd);
#     }

# Only echo the arguments while debugging: they include the password when it
# was given on the command line.
print "@ARGV\n" if $dbg;

#- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
my $create_passwd = 0;             # 1 if creating a new passwd else 0
my $type = shift;
$create_passwd = 1 if $type eq 'create';
$user = '';
$user = shift;                     # used to look up encrypted passwd in file
$passwd = '';
$passwd = shift;                   # plain text passwd gotten from input form or ?

# to auto magically create a passwd - something like this should work
#my $max_chars = 10;
#$passwd = join '', @legal_clear[map { rand @legal_clear } (1 .. $max_chars)];

# go get a passwd if none on command line
if (not $passwd) {
    $| = 1;                        # unbuffer stdout
    print "Password: ";
    ReadMode ('cbreak');
    while (defined (my $ch = ReadKey ())) {
        # Enter arrives as CR on Windows and as LF on a Unix terminal
        last if $ch eq "\x0d" or $ch eq "\x0a";
        if ($ch eq "\x08" or $ch eq "\x7f") {    # backspace (BS or DEL)
            print "\b \b" if $passwd;            # back up 1
            chop $passwd;
            next;
        }
        if ($ch eq "\x15") {                     # ^U
            print "\b \b" x length $passwd;      # back 1 for each char
            $passwd = '';
            next;
        }
        if (not exists $legal_clear{$ch}) {
            print "\n'$ch' not a legal password character\n";
            print 'Password: ', "*" x length $passwd;    # retype *'s
            next;
        }
        $passwd .= $ch;
        print '*';
    }
    ReadMode ('restore');
    print "\n";
}

# check for legal passwd
my $retry = 0;
foreach (split //, $passwd) {
    if (not exists $legal_clear{$_}) {
        print "'$_' not a legal password character\n";
        $retry = 1;
    }
}
die "Try again\n" if $retry;
print "$passwd \n" if $dbg;
$enc_passwd = '';                  # encrypted passwd from passwd file

print "user='$user'; passwd='$passwd'; enc_passwd='$enc_passwd'\n" if $dbg;

#- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Password adding part:
if ($create_passwd) {
    # this part is to create a new encrypted password. Basically the same
    # as htpasswd would do. Create a salt and encrypt the password.
    # Would allow you to add new users to your passwd file.

    # use plain text password
    $enc_passwd = &crypt_passwd ($passwd);
    print "enc_passwd='$enc_passwd'\n";

    # Now add it to your passwd file and you're done.
    if (not -e $passwd_file) {
        open NPW, ">$passwd_file" or die "Error opening passwd file for write: $!\n";
        print NPW "$user:$enc_passwd\n";
        close NPW;
    } else {
        open OPW, $passwd_file or die "Error opening passwd file for read: $!\n";
        open NPW, ">$passwd_file.new" or die "Error opening passwd file for write: $!\n";
        my $found = 0;
        while (<OPW>) {
            # \Q...\E: treat the user name literally, not as a regex
            if (/^\Q$user\E:/) {
                s/^\Q$user\E:[^:\s]+/$user:$enc_passwd/;
                $found = 1;
            }
            print NPW;
        }
        print NPW "$user:$enc_passwd\n" if not $found;
        close OPW;
        close NPW;
        rename ($passwd_file, "$passwd_file.old") or die "Error renaming old passwd file: $!\n";
        rename ("$passwd_file.new", $passwd_file) or die "Error renaming new passwd file: $!\n";
    }

#   # you can also use htpasswd to add direct to passwd file
#   my $htpasswd = '<path>htpasswd';
#   print "$htpasswd -b $passwd_file $user $passwd\n" if $dbg;
#   my $ret = system "$htpasswd -b $passwd_file $user $passwd";
#   print "ret=$ret\n" if $dbg;
#
#   # Now you would open the passwd file and find the user you
#   # added and get the encrypted passwd back if you needed it.
#   # On Win32, Apache htpasswd uses MD5 as default method, so it
#   # won't help for the rest of this example. The -d option
#   # should make it use crypt instead.
}

#- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Password checking part:
#
# The user logs in and gives his plain text passwd
# You retrieve encrypted password from passwd file for this user (1st field)
# You encrypt the plaintext password using first 2 letters of encrypted
# password as salt

open PW, $passwd_file or die "Error opening passwd file for read: $!\n";
my $found = 0;
while (<PW>) {
    if (/^\Q$user\E:([^:\s]+)/) {
        $enc_passwd = $1;
        print "enc_passwd ='$enc_passwd'\n" if $dbg;
        $found = 1;
        last;
    }
}
close PW;
if (not $found) {
    print "User '$user' not found in passwd file\n";
    exit 2;
}
# encrypt passwd using enc_passwd for salt (crypt only looks at its first 2 chars)
my $crypt_passwd = crypt ($passwd, $enc_passwd);
print "crypt_passwd='$crypt_passwd'\n" if $dbg;
if ($crypt_passwd eq $enc_passwd) {
    print "Passwd OK\n";
} else {
    print "Passwd not OK\n";
}
#}                                 # end of the commented-out self-test loop
exit 0;

#- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
sub crypt_passwd {
    # $crypted_passwd = crypt_passwd ($plainpasswd [, $salt]);
    my $passwd = shift;
    my $salt;
    # if salt supplied
    if (defined $_[0]) {
        $salt = substr $_[0], 0, 2;    # get first 2 chars for salt
    # else create a random salt
    } else {
        # The original reseeded rand() with (time + $$) % 65536 here, which
        # makes the salt guessable from the time the hash was made. Perl
        # seeds rand() itself, so just draw two salt characters.
        $salt = $legal_enc[sprintf "%u", rand (@legal_enc)];
        $salt .= $legal_enc[sprintf "%u", rand (@legal_enc)];
    }
    my $new_passwd = crypt ($passwd, $salt);
    return $new_passwd;
}

In the passwd file I've defined /bin/sh as the shell for root, guest, nmt and ftpuser. Also, I have defined home directories for each of the above users in /mnt/syb8634/home/.

Authenticating with a Pair of Keys

To make it even easier to connect, and eliminate the need to type the password at every connection, you can configure the system to authenticate using a pair of keys. Dropbear supports the OpenSSH authorized_keys method. To use this method you need to generate a pair of keys using for example PuTTYgen.

* Select SSH-2 RSA and press Generate.
* Save the private key into a file (e.g. PopCorn Private Key.ppk).
* Copy the key located at the top of the PuTTYgen window and save it into a file named authorized_keys. It must have the following structure, on a single line:

Quote:
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwVa6M6cGVmUcLl2cFzkxEoJd06Ub4bVDsYrWvXhvUV+ZAM9uGuewZBDoAqNKJxoIn0Hyd0Nk/yU99UVv6NWV/5YSHtnf35LKds56j7cuzoQpFIdjNwdxAN0PCET/MG8qyskG/2IE2DPNIaJ3Wy+Ws4IZEgdJgPlTYUBWWtCWOGc= someone@hostname

Place the file authorized_keys in a directory named .ssh in the home directory of the user that you want to log in with this key. Dropbear checks the permissions before it uses the file: the home directory, .ssh and authorized_keys must be owned by that user (or root) and must not be writable by group or others, otherwise the key is ignored without any message to the client. So do chmod go-w on the home directory, chmod 700 on .ssh and chmod 600 on authorized_keys, and remember that these files have to survive the reboot overlay like everything else under /mnt/syb8634.

In PuTTY, under Connection|SSH|Auth add the private key you've saved earlier, PopCorn Private Key.ppk. Also, under Connection|Data specify the Auto-login username. This is the username that has the home directory where you've placed the authorized_keys file before.

Greets, Adrian
