Dropbear for Android porting

Source: Internet
Author: User
Tags: crypt, reverse dns, ssh server, dropbear
1. Requirements
Although Android provides ADB, it does not ship SSH or SCP, so I wanted to port an SSH server to the development board. Because the default Android source already contains external/dropbear, we decided to port dropbear rather than OpenSSH;

2. Ideas
To get SSH and SCP working, the following conditions must be met:

A) There must be a network connection; WiFi provides this;

B) A server must listen on port 22; dropbear provides this;

C) An scp binary must exist on the development board to provide the SCP function;

3. Applicability
The following steps apply only to platform developers; this function must be removed from the final product;

Test environment:

Hardware: pxa310;

Android: 2.1

In theory, other hardware and Android versions should also work, possibly with some fine-tuning;

4. Porting steps
4.1 dropbear and dropbearkey generation

A) Copy the directory android_root/external/dropbear; the copy is assumed to be named dropbear.bak;

B) Enter dropbear.bak and make the modifications below. The diff of the modifications is as follows:

Diff -- git a/Android. mk B/Android. mk

Deleted file mode 100644

Index b95d5dd. 0000000

--- A/Android. mk

+++/Dev/null

@-+ @@

-Ifneq ($ (target_simulator), true)

-

-Local_path: = $ (call my-DIR)

-Include $ (clear_vars)

-

-Local_src_files: =/

-Dbutil. c buffer. c/

-DSS. c bignum. c/

-Signkey. c RSA. C random. c/

-Queue. c/

-Atomicio. c compat. c fake-rfc2553.c

-Local_src_files + =/

-Common-session.c packet. c common-algo.c common-kex.c/

-Common-channel.c common-chansession.c termcodes. c/

-Tcp-accept.c listener. c process-packet.c/

-Common-runopts.c circbuffer. c

-# Loginrec. c

-Local_src_files + =/

-Cli-algo.c cli-main.c cli-auth.c cli-authpasswd.c/

-Cli-session.c cli-service.c cli-runopts.c cli-chansession.c/

-Cli-authpubkey.c cli-tcpfwd.c cli-channel.c cli-authinteract.c

-Local_src_files + = netbsd_getpass.c

-

-Local_static_libraries: = libtommath libtomcrypt

-

-Local_module_path: = $ (target_out_optional_executables)

-Local_module_tags: = ENG

-Local_module: = SSH

-Local_c_includes + = $ (local_path)/libtommath

-Local_c_includes + = $ (local_path)/libtomcrypt/src/Headers

-Local_cflags + =-ddropbear_client

-

-Include $ (build_executable)

-

-Include $ (clear_vars)

-

-Local_src_files: =/

-SCP. c progressmeter. c atomicio. c scpmisc. c

-

-Local_static_libraries: = libtommath libtomcrypt

-

-Local_module_path: = $ (target_out_optional_executables)

-

-Local_module_tags: = debug

-

-Local_module: = SCP

-Local_c_includes + = $ (local_path)/libtommath

-Local_c_includes + = $ (local_path)/libtomcrypt/src/Headers

-Local_cflags + =-ddropbear_client-dprogress_meter

-

-Include $ (build_executable)

-

-Endif # target_simulator! = True

-

-

-Include $ (call all-makefiles-under, $ (local_path ))
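Review bot: deleting Android.mk here conflicts with section 4.2, which needs this file so that mmm external/dropbear can build scp and ssh; keep the file (or apply the rest of the diff to a tree that still has it) instead of removing it. Note also that the removed rules set LOCAL_MODULE_TAGS to eng and debug, so ssh and scp never entered a user build; the dropbear and dropbearkey binaries built by hand in 4.1 get no such gating and are what the remarks in section 5 say must not ship.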

Diff -- git a/config. h B/config. h

Index 5c67988 .. ff482ce 100644

--- A/config. h

++ B/config. h

@-50, 7 + 50, 7 @@

# Define disable_wtmpx 1

/* Use zlib */

-# Define disable_zlib 1

+/* # UNDEF disable_zlib */

/* Define to 1 if you have the 'basename' function .*/

# Define have_basename 1
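Review bot: with DISABLE_ZLIB commented out the build now links against zlib, so this hunk only works together with the LIBZ and -I edits to the Makefile described in step D; without them the link fails on undefined zlib symbols. A one-line comment here pointing at that dependency would save the next person a failed build.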

@-62,7 + 62,7 @@

# Define have_const_gai_strerror_proto 1

/* Define to 1 if you have Header file .*/

-/* # Define have_crypt_h */

+ # Define have_crypt_h 1

/* Define to 1 if you have the 'daemon' function .*/

# Define have_daemon 1

@-, 7 +, 7 @@

# Define have_lastlog_h 1

/* Define to 1 if you have Header file .*/

-/* # Define have_libgen_h */

+ # Define have_libgen_h 1

/* Define to 1 if you have the 'pam 'Library (-lpam ).*/

/* # UNDEF have_libpam */

@-137,7 + 137,7 @@

/* # UNDEF have_libutil_h */

/* Define to 1 if you have the 'z' Library (-LZ ).*/

-/* # Define have_libz XXX? */

+ # Define have_libz 1

/* Define to 1 if you have Header file .*/

# Define have_limits_h 1

@-164,7 + 164,7 @@

# Define have_netinet_in_h 1

/* Define to 1 if you have Header file .*/

-/* # Define have_netinet_in_sy1__h */

+ # Define have_netinet_in_sy1__h 1

/* Define to 1 if you have Header file .*/

# Define have_netinet_tcp_h 1

@-203,7 + 203,7 @@

# Define have_setutxent 1

/* Define to 1 if you have Header file .*/

-/* # Define have_shadow_h */

+ # Define have_shadow_h 1

/* Define to 1 if you have the 'socket 'function .*/

# Define have_socket 1

-332,13 + 332,13 @@

/* # UNDEF have_util_h */

/* Define to 1 if you have the 'utmpname' function .*/

-/* # Define have_utmpname */

+ # Define have_utmpname 1

/* Define to 1 if you have the 'utmpxname' function .*/

-/* # Define have_utmpxname */

+ # Define have_utmpxname 1

/* Define to 1 if you have Header file .*/

-/* # Define have_utmpx_h */

+ # Define have_utmpx_h 1

/* Define to 1 if you have Header file .*/

# Define have_utmp_h 1

Diff -- git a/debug. h B/debug. h

Index 175f3fc .. d45b6c4 100644

--- A/debug. h

++ B/debug. h

@-71,6 + 71,6 @@

* Here. You can then log in as any user with this password. Ensure that you

* Make your own password, and are careful about using this. This will also

* Disable some of the chown Pty Code etc */

-/* # Define debug_hackcrypt "hl8nrfdt0aj3e" * // * This is crypt ("password ")*/

+ # Define debug_hackcrypt "hl8nrfdt0aj3e"/* This is crypt ("password ")*/

# Endif
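Review bot: enabling DEBUG_HACKCRYPT with the crypt("password") hash means any username authenticates with the password "password", exactly as the comment directly above the define warns; the hash is also a fixed string that a release check can grep for in the source and in the built binary. Revert this before the tree is used anywhere but the development board, or gate it behind a build-time debug macro rather than an unconditional define.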

Diff -- git a/options. h B/options. h

Index 0533f24 .. 632a694 100644

--- A/options. h

++ B/options. h

@-21,10 + 21,10 @@

/* Default hostkey paths-these can be specified on the command line */

# Ifndef dss_priv_filename

-# Define dss_priv_filename "/etc/dropbear/dropbear_dss_host_key"

+ # Define dss_priv_filename "/system/etc/dropbear/dropbear_dss_host_key"

# Endif

# Ifndef rsa_priv_filename

-# Define rsa_priv_filename "/etc/dropbear/dropbear_rsa_host_key"

+ # Define rsa_priv_filename "/system/etc/dropbear/dropbear_rsa_host_key"

# Endif

/* Set non_inetd_mode if you require daemon functionality (ie dropbear listens
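Review bot: moving the host keys under /system/etc/dropbear means the dropbearkey steps D and E in section 4.3 only work after /system has been remounted read-write (step H), so the step order there needs adjusting; once generated the key files should be root-owned and mode 0600, because anyone who can read them can impersonate the board to later clients.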

@-+ @@

* Both of these flags can be defined at once, don't compile without at least

* One Of Them .*/

# Define non_inetd_mode

-# Define inetd_mode

+ // # Define inetd_mode

/* Setting This disables the fast exptmod bignum code. It saves ~ 5kb, but is

* Perhaps 20% slower for pubkey operations (it is probably worth experimenting

@-51,7 + 51,7 @ etc) slower (perhaps by 50%). recommended for most small systems .*/

# Define dropbear_small_code

/* Enable X11 forwarding-server only */

-# Define enable_x11fwd

+ // # Define enable_x11fwd

/* Enable TCP fowarding */

/* 'Local' is "-l" style (client listening port forwarded via server)

@-64, 7 + 64, 7 @ etc) slower (perhaps by 50%). recommended for most small systems .*/

# Define enable_svr_remotetcpfwd

/* Enable authentication agent forwarding-server only for now */

-# Define enable_agentfwd

+ // # Define enable_agentfwd

/* Encryption-at least one required.

* RFC draft requires 3DES and recommends aes128 for interoperability.

@-50% 7 + @ etc) slower (perhaps by). recommended for most small systems .*/

* (Eg aes256 as well as aes128) will result in a minimal size increase .*/

# Define dropbear_aes128_cbc

# Define dropbear_3des_cbc

-// # Define dropbear_aes256_cbc

+ # Define dropbear_aes256_cbc

// # Define dropbear_blowfish_cbc

// # Define dropbear_twofish256_cbc

// # Define dropbear_twofish128_cbc

@-112,11 + 112,11 @ etc) slower (perhaps by 50%). recommended for most small systems .*/

/* # Define dss_protok */

/* Whether to do reverse DNS lookups .*/

-# Define do_host_lookup

+ // # Define do_host_lookup

/* Whether to print the message of the day (motd). This doesn't add much code

* Size */

-# Define do_motd

+ // # Define do_motd

/* The motd file path */

# Ifndef motd_filename

@-136,7 + 136,7 @ etc) slower (perhaps by 50%). recommended for most small systems .*/

/* # Define enable_svr_pam_auth * // * requires./configure -- enable-Pam */

# Define enable_svr_pubkey_auth

-# Define enable_cli_password_auth

+ // # Define enable_cli_password_auth

# Define enable_cli_pubkey_auth

# Define enable_cli_interact_auth

@-159,7 + 159,7 @ etc) slower (perhaps by 50%). recommended for most small systems .*/

* However significantly reduce the security of your SSH connections

* If the PRNG State becomes guessable-make sure you know what you are

* Doing if you change this .*/

-# Define dropbear_random_dev "/dev/random"

+ # Define dropbear_random_dev "/dev/urandom"

/* Prngd must be manually set up to produce output */

/* # Define dropbear_prngd_socket "/var/run/dropbear-RNG "*/
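Review bot: the switch to /dev/urandom needs a justification in the comment, since the block just above warns that a guessable PRNG state weakens every session. On an embedded board the usual reason is that /dev/random blocks for lack of entropy, but host keys generated at first boot (steps D and E) would then come from a pool that may not be seeded yet; generating the host keys once on a well-seeded machine and copying them over avoids that.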

@-174,7 + 174,7 @ etc) slower (perhaps by 50%). recommended for most small systems .*/

/* And then a global limit to avoid chewing memory if connections

* Come from your IPS */

# Ifndef max_unauth_clients

-# Define max_unauth_clients 30

+ # Define max_unauth_clients 10

# Endif

/* Maximum number of failed authentication tries (server option )*/

@-185, 7 + 185, 7 @ etc) slower (perhaps by 50%). recommended for most small systems .*/

/* The default file to store the daemon's process ID, for shutdown

Scripts etc. This can be overridden with the-P Flag */

# Ifndef dropbear_pidfile

-# Define dropbear_pidfile "/var/run/dropbear. PID"

+ # Define dropbear_pidfile "/data/dropbear. PID"

# Endif

/* The command to invoke for Xauth when using X11 forwarding.

@-198,12 + 198,12 @ etc) slower (perhaps by 50%). recommended for most small systems .*/

* Openssh), set the path below. If the path isn't defined, SFTP will not

* Be enabled */

# Ifndef sftpserver_path

-# Define sftpserver_path "/usr/libexec/SFTP-server"

+ // # Define sftpserver_path "/usr/libexec/SFTP-server"

# Endif

/* This is used by the SCP binary when used as a client binary. If you're

* Not using the dropbear client, you'll need to change it */

-# DEFINE _ path_ssh_program "/system/bin/ssh"

+ # DEFINE _ path_ssh_program "/data/dropbear/udhcpc"

/* Whether to log commands executed by a client. This only logs

* (Single) command sent to the server, not what a user did in
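Review bot: _PATH_SSH_PROGRAM is set to "/data/dropbear/udhcpc", which is a DHCP client binary, not the ssh client that scp executes for remote copies; point it at the path where the ssh built in section 4.2 is installed, otherwise scp run on the board either fails or executes the wrong program.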

@-263,7 + 263,7 @ etc) slower (perhaps by 50%). recommended for most small systems .*/

# DEFINE _ path_tty "/dev/tty"

-# DEFINE _ path_cp "/bin/CP"

+ # DEFINE _ path_cp "/data/bin/busybox CP"

/* Timeouts in seconds */

# Define select_timeout 20
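Review bot: _PATH_CP is executed as a single file name for local-to-local copies, so "/data/bin/busybox CP" with an embedded space will not resolve and those copies fail; create a cp symlink to busybox (for example /data/bin/cp) and set the macro to that path.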

Diff -- git a/random. c B/random. c

Index f1475ed... 4e23bc8 100644

--- A/random. c

++ B/random. c

@-52,6 + 52,12 @ static void readrand (unsigned char * Buf, unsigned int buflen );

Static void readrand (unsigned char * Buf, unsigned int buflen ){

+ # If 1

+ Int I = 0;

+ For (I = 0; I Pw_name );

+ # Else

+ SES. authstate. printableuser = m_strdup (username );

+ # Endif

/* Check for non-root if desired */

If (svr_opts.norootlogin & SES. authstate. PW-> pw_uid = 0 ){
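Review bot: this hunk is truncated on the page: the for loop in readrand has no body, and the lines that follow (printableuser, m_strdup) belong to checkusername in svr-auth.c, whose file header is missing. The readrand replacement cannot be reviewed as shown, and since readrand feeds every session key and the host keys, any override that fills the buffer from something other than the kernel RNG should not be merged without the full diff and a written justification.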

@-246, 6 + 285, 7 @ static int checkusername (unsigned char * username, unsigned int userlen ){

}

Trace ("shell is % s", SES. authstate. PW-> pw_shell ))

+ Dropbear_log (log_warning, "shell is % s", SES. authstate. PW-> pw_shell );

/* Check that the shell is set */

Usershell = SES. authstate. PW-> pw_shell;

@-260,18 + @ static int checkusername (unsigned char * username, unsigned int userlen ){

Setusershell ();

While (listshell = getusershell ())! = NULL ){

Trace ("test shell is '% S'", listshell ))

+ Dropbear_log (log_warning, "test shell is % s, usershell is % s", listshell, usershell );

If (strcmp (listshell, usershell) = 0 ){

/* Have a match */

Goto goodshell;

}

}

/* No matching shell */

+ # If 1

+ Goto goodshell;

+ # Else

Endusershell ();

Trace ("no matching shell "))

Dropbear_log (log_warning, "user '% s' has invalid shell, rejected ",

SES. authstate. printableuser );

Send_msg_userauth_failure (0, 1 );

Return dropbear_failure;

+ # Endif

Goodshell:

Endusershell ();
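Review bot: the "#if 1 / goto goodshell" jump skips the /etc/shells check entirely, so an account whose shell is set to a non-login shell (the usual way of disabling interactive logins) still gets a session, and the added LOG_WARNING line prints every candidate shell on each login. Both are debugging aids: gate them behind a build-time debug macro instead of a literal #if 1 so they cannot reach a product build, as the remarks at the end of the article require.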

Diff -- git a/svr-authpasswd.c B/svr-authpasswd.c

Index 5be1e2a .. 94a4316 100644

--- A/svr-authpasswd.c

++ B/svr-authpasswd.c

@-85, 6 + 85, 12 @ void svr_auth_password (){

M_burn (password, passwordlen );

M_free (password );

+ # If 1

+ If (1 ){

+ Printf ("free to enter by wylhistory/N ");

+ Send_msg_userauth_success ();

+}

+ # Else

If (strcmp (testcrypt, passwdcrypt) = 0 ){

/* Successful authentication */

Dropbear_log (log_notice,
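Review bot: send_msg_userauth_success() is now called unconditionally inside if (1), so any password for any user is accepted and the strcmp against passwdcrypt below is dead code; the printf to stdout would also land in the session stream rather than the log. This is the change that section 5 warns about: keep it behind a debug-only macro, never a literal #if 1, and make the release build fail if the "free to enter" string is present.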

@-99,6 + 105, 7 @ void svr_auth_password (){

Svr_ses.addrstring );

Send_msg_userauth_failure (0, 1 );

}

+ # Endif

}

Diff -- git a/svr-chansession.c B/svr-chansession.c

Index 619a451 .. a62728b 100644

--- A/svr-chansession.c

++ B/svr-chansession.c

@-924,9 + 924,12 @ static void execchild (struct chansess * chansess ){

* Usernames with the same uid, but differing groups, then

* Differing groups won't be set (as with initgroups (). The solution

* Is for the SysAdmin not to give out the UID twice */

+ # If 0

+/* Commented by WF */

If (getuid ()! = SES. authstate. PW-> pw_uid ){

Dropbear_exit ("couldn't change user as non-root ");

}

+ # Endif

}

/* An empty shell shoshould be interpreted as "/bin/sh "*/
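Review bot: the getuid() != pw_uid check is the fallback for a dropbear that is not running as root; removing it means such a server runs the session under its own uid regardless of which user authenticated. Either keep the check, or, if the server is always started as root from init.rc as in section 4.3, note that this branch is not reached and drop the change; in any case replace "Commented by WF" with the reason for the change.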

C) Run ./configure;

D) Modify the Makefile. CC must be changed to the cross-compiler, for example arm-linux-gcc:

CC = arm-linux-gcc

In addition, CFLAGS needs an include path for the zlib headers:

-I/your_android_dir/external/zlib/

Add the following line below LTM = libtommath/libtommath.a, near the top of the Makefile:

LIBZ = libz.a

and change the LIBS line to:

LIBS = $(LTC) $(LTM) $(LIBZ) -lutil -lcrypt

Note that the default Android source contains external/zlib, which provides the header files. Before this step you must build the zlib library with mmm external/zlib; this produces libz.a. Copy that library into the root directory of dropbear. The .a is used rather than the .so because we need static linking;

E) Build with make STATIC=1 PROGRAMS="dropbear dropbearkey";

After this step the dropbear and dropbearkey binaries should be present;

4.2 SCP, ssh generation

Note that before building, apply the diff above here as well, but keep the Android.mk file (do not delete it);

Then run mmm external/dropbear to generate scp and ssh;

4.3 Other steps

Copy scp, ssh, dropbear, and dropbearkey onto the T-card (SD card) and insert it into the development board;

A) mkdir /data/dropbear

B) cp /sdcard/dropbear /sdcard/dropbearkey /system/xbin

C) mkdir -p /system/etc/dropbear/

D) dropbearkey -t rsa -f /system/etc/dropbear/dropbear_rsa_host_key

E) dropbearkey -t dss -f /system/etc/dropbear/dropbear_dss_host_key

F) dropbear -E -F &

At this point you can log in through SSH, but no environment is set up yet, so no commands can be run after logging in;

G) PATH=/data/bin:/usr/sbin:/bin:/sbin:/system/bin:/system/xbin:/system/xbin/bb:/data/local/bin; export PATH

Put these two statements in /data/dropbear/.profile so that the common commands can be found;

H) Remount the file system read-write (this requires a change in init.rc);

I) mkdir /bin; cp /sdcard/scp /bin

At this point data can be copied to the machine through scp;

J) Add the following two lines to init.rc so that dropbear starts at boot (add the -E parameter if you want to see error messages):

service dropbear /system/sbin/dropbear
    oneshot

5. Remarks
Note that the above changes let the root user log in with any password, so they must not be used in a product;

If you still get:

sh: scp: not found

then scp cannot be found on the server side; make sure you have created the /bin (or /usr/bin) directory in the root file system and put scp there;
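The remark above says these development patches must never reach a product. The following release-gate check is an added example written for this article (not part of the original page or of the dropbear project): it scans a dropbear source tree for the markers the diff introduces and fails when any is still present. The marker list is constructed from the hunks above; the file names are dropbear's own.

```shell
#!/bin/sh
# Release-gate check for a dropbear tree carrying the development patches
# from this article (added example, not dropbear project code). It greps for
# the markers each auth-bypass hunk introduces and fails if any is present,
# so the "any password works" build cannot ship by accident.
# Usage: sh check_dropbear_tree.sh /path/to/dropbear.bak

# Print one line per finding; return 0 if the tree is clean, 1 otherwise.
dropbear_release_check() {
    tree=$1
    bad=0
    # Each line: file|extended-regex|meaning. List constructed from the hunks
    # above; extend it for further local patches. The here-doc keeps the loop
    # in the current shell so "bad" survives (a pipe would not).
    while IFS='|' read -r file pat desc; do
        [ -n "$file" ] || continue
        if grep -Eqs -- "$pat" "$tree/$file"; then
            printf 'FAIL %s: %s\n' "$file" "$desc"
            bad=1
        fi
    done <<'EOF'
debug.h|^[[:space:]]*#[[:space:]]*define[[:space:]]+DEBUG_HACKCRYPT|DEBUG_HACKCRYPT active: every user accepts the hard-coded password
svr-authpasswd.c|free to enter|password comparison bypassed: any password succeeds
svr-authpasswd.c|^[[:space:]]*#[[:space:]]*if[[:space:]]+1[[:space:]]*$|"#if 1" bypass block still present in password auth
svr-auth.c|^[[:space:]]*#[[:space:]]*if[[:space:]]+1[[:space:]]*$|shell check bypassed with "#if 1 / goto goodshell"
svr-chansession.c|^[[:space:]]*#[[:space:]]*if[[:space:]]+0[[:space:]]*$|non-root uid check disabled with "#if 0"
EOF
    return $bad
}

# Run on the tree given as the first argument when executed directly.
if [ $# -gt 0 ]; then
    dropbear_release_check "$1"
    exit $?
fi
```

Run it as the last step of a product build; a non-zero exit means one of the development hunks is still applied.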
