Sysdeploy/openwrt
2
0
Fork 2
Code Issues 5 Pull Requests 2 Packages Projects 1 Releases Wiki Activity

Try to replace dropbear by openssh-server using imagebuilder #9

Merged
PeterSurda merged 2 commits from lee.miller/openwrt:openssh into main 2023-02-09 09:02:20 +00:00
Conversation 11 Commits 2 Files Changed 2 +19 -1
lee.miller commented 2023-01-25 09:09:13 +00:00
Collaborator
Copy Link

Hi!

This is a possible simple solution for #5

Hi! This is a possible simple solution for #5
lee.miller added 1 commit 2023-01-25 09:09:13 +00:00
lee.miller force-pushed openssh from 1f284ec032 to 15b8d70716 2023-01-27 22:24:49 +00:00 Compare
PeterSurda commented 2023-02-01 00:53:08 +00:00
Owner
Copy Link

Ok but a couple of issues.

  • It doesn't start by default. To start by default, it looks like you need to make these symlinks:
/etc/rc.d/S50sshd -> ../init.d/sshd
/etc/rc.d/K50sshd -> ../init.d.sshd

  • Doesn't accept root password. Which I don't want anyway, but I'd also like to disable password authentication explicitly in /etc/ssh/sshd_config

  • I want to populate default authorized_keys

ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI8QxHD/hCeA/8VY0qkQEh5LNedXMDR7o+qJ0KlsstqebtN/Egwto37arI0x/GRDD0QRSzpgm2AVsTeDGOV1AAw= ssh_token@mireille
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Pebz7cNpL/Hikzfwzdnujcd1BWw4D4e1OXQaoCGcq2/gL+Wym8InL5qZ5hOgaF8lRVX5ys7m75uOyg8LOIRu0A27TzWzf9brV8TF5rsIhHYSK0CAA81G5NqOQgP3b7SANcs3PEWtxz+OeqFo7dcsQZijczRNunM73CBsTFZQCmNE2ZBh2QaQ1d/1lmYTqGlJ8DJrqeXXVc3S1Jln2nZ49XQMqdG49KvU66Xhd8kaukucDBl8iNLWpQ+N9Ao1SOnNlJVpLi6XUy9Hx3X3wVbrLQaHslIG6+AeZGpO/l3gKrQM3fjM2H+w9ow1rWcMdHgjxWZUryE7K1vzbpm4vNIf shurdeek@brusli
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVrfim4EMF7FzAnQF51frpsPgNJxfkzvBEC80wgwwP0AzD2iFPS57a6sXbie+sX7ALX89gmRwFtrKOwGYRYoQfU6dAhPirbpKY4BcTQx8N31fazceVJL0Y1kqSngNjYMbo1q0L5dgLBtPoVGcnriFAVGLg1+p9FIJTDK4rbwnYyDJyjruSAfnqVaWmqlMNAZNhqxOikBOh5M+3qPj0wmSKOE1roE4HmQKUl62UjDWTkLLNx5u75QywQz+r8S0QNkSu/0iaeUdgkv3p0SsU4X5dmwuZdbySMWkqy0zUCky2+qDqxzN6wHgnePZcedSobsIpxwDK0IrHpbaaBzVNn1uh shurdeek@nitrokey1
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1ADz4g7BkLoq9CEffl7jxp4MsBrtv12rYpskUMV2HKH48Uwue/yjqvwxaRk4Nd0TG2fQisqsB3GYLRe+6R00zbn2kA5k49gQEt6EnVVlsTWSp6iutCi8CEOSxFew/r//NOJbKQPWN2yCh8TQowks+lM/zwlFhzfoqDjgMCU13IW/O9RphnMACnx1o/EvUeoozcCMbAzJOq4I/YOSJwavuTUUClnD4tyPs1HyYVcw+4Bti1QERkE+tbbgXUAy7WvxXpEflfenHHIAnjqUCW3LUJ6wTroq55FQ1RT7WE+XddL5OI+o4vbQVG8cbYXwCk6/m+P051v9PfnyecI6qj8wd shurdeek@yubikey1
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCoNYZ1L/rR44/sUb6fzTXb99CrP+B9j01DRin5RT8Y59oD9R9TvsQcLztpXzvl4JQJfvjGou3ywVAuXTf8ksf/VHWnfGtZ3X1nWvuAeERwTFIIl8gR9xwTVjXDsLp3Feiqw6wHKdMI3BqI3oJ/Wn6gBxWgnm5UZbZMdWlAEAH1ucdxTOZ/+3aTC/hGb0N6ujp7MExTSUAs5xeSKHpocTdkD2RajC2Y+mbug0yt92XCHZX39zsQcxFd4NokTa2iJNO0bAYWXlXDPWRLuUfOrWWfuLn+OPH71pj+ysb6jrwFk+1sGV9h1GuxZne1+i42CGKoKomJaCMLE7kvMF6Solu/ shurdeek@whisper
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCrIjXkTOxLxaCA0o1SmC2bV09Hb3/seHYdd8kAKlTItbfnu0y/8RB+zRYt111ZmlfvbczsX5qNwaJoEwAxrkjtA5D/BnvSMSrxvmkRKtUMnXLOldr3hrZjRuTAmP3YxwcGfrNWv/+UcNSf1QE6NRJDxOSrBQ7qYAMaiq+6acztY7nvVWJ9ZntFOOaWOhkVWoCeDWmBEjRlQ1hCIMxm8BhopFaumkEVnnku/OskS2ZD6SFe6aKSXmaHV4nwtiQ5GiwdIEnrQ1GzK3h7SfRu/BXRhcnnPGIeRBuKaq/P1bqLsnFChPsrvkEP1Z/daosaGanIzODxkFO0rAkdScI4kHUhZba0vb3ahV4JpAwaH8dEQm0nkuxbUe2YR3eii6bMh9zv7BiXJnyTQtRzdYn4Im2eeSTOIlckohJWunhdnU9cRy8lFH7zILmr6sqxmjXxFzXS1KUas/+0yD4lgDDlsQtF6qI6pA75/tmK8pIq8915ShZA14bwDXWYLBDx+sy24iyG+kpSumzDqyNXvm+Z+bHHYAjI1uUcTKltnPQ4nJrhmY2+M4IhmL1LVyQU7K63BYlTtuV1106Xa8tQnzTblJKXPMqy/3LlV4TbSyUNJR0a5ma7LR/vxeloL1gxRQCQYJxcM1MD6VroqKUPIzhOWCdEPcM2+9oySOZbqDKfrenTMQ== yubikey@lenovopadpro
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCJfhSCRSrz1rSFtSWNt6EzL08l1DOjcEKBREUwtKZgxDJcj2MdXH6Z7otnJUUmOqf43x35eayCpQz8EG8eKJio= johndoe@macbook.pro@secretive.MacBook-Pro.local
Ok but a couple of issues. - [x] It doesn't start by default. To start by default, it looks like you need to make these symlinks: ``` /etc/rc.d/S50sshd -> ../init.d/sshd /etc/rc.d/K50sshd -> ../init.d.sshd ``` - [x] Doesn't accept root password. Which I don't want anyway, but I'd also like to disable password authentication explicitly in `/etc/ssh/sshd_config` - [x] I want to populate default `authorized_keys` ``` ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBI8QxHD/hCeA/8VY0qkQEh5LNedXMDR7o+qJ0KlsstqebtN/Egwto37arI0x/GRDD0QRSzpgm2AVsTeDGOV1AAw= ssh_token@mireille ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Pebz7cNpL/Hikzfwzdnujcd1BWw4D4e1OXQaoCGcq2/gL+Wym8InL5qZ5hOgaF8lRVX5ys7m75uOyg8LOIRu0A27TzWzf9brV8TF5rsIhHYSK0CAA81G5NqOQgP3b7SANcs3PEWtxz+OeqFo7dcsQZijczRNunM73CBsTFZQCmNE2ZBh2QaQ1d/1lmYTqGlJ8DJrqeXXVc3S1Jln2nZ49XQMqdG49KvU66Xhd8kaukucDBl8iNLWpQ+N9Ao1SOnNlJVpLi6XUy9Hx3X3wVbrLQaHslIG6+AeZGpO/l3gKrQM3fjM2H+w9ow1rWcMdHgjxWZUryE7K1vzbpm4vNIf shurdeek@brusli ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVrfim4EMF7FzAnQF51frpsPgNJxfkzvBEC80wgwwP0AzD2iFPS57a6sXbie+sX7ALX89gmRwFtrKOwGYRYoQfU6dAhPirbpKY4BcTQx8N31fazceVJL0Y1kqSngNjYMbo1q0L5dgLBtPoVGcnriFAVGLg1+p9FIJTDK4rbwnYyDJyjruSAfnqVaWmqlMNAZNhqxOikBOh5M+3qPj0wmSKOE1roE4HmQKUl62UjDWTkLLNx5u75QywQz+r8S0QNkSu/0iaeUdgkv3p0SsU4X5dmwuZdbySMWkqy0zUCky2+qDqxzN6wHgnePZcedSobsIpxwDK0IrHpbaaBzVNn1uh shurdeek@nitrokey1 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1ADz4g7BkLoq9CEffl7jxp4MsBrtv12rYpskUMV2HKH48Uwue/yjqvwxaRk4Nd0TG2fQisqsB3GYLRe+6R00zbn2kA5k49gQEt6EnVVlsTWSp6iutCi8CEOSxFew/r//NOJbKQPWN2yCh8TQowks+lM/zwlFhzfoqDjgMCU13IW/O9RphnMACnx1o/EvUeoozcCMbAzJOq4I/YOSJwavuTUUClnD4tyPs1HyYVcw+4Bti1QERkE+tbbgXUAy7WvxXpEflfenHHIAnjqUCW3LUJ6wTroq55FQ1RT7WE+XddL5OI+o4vbQVG8cbYXwCk6/m+P051v9PfnyecI6qj8wd shurdeek@yubikey1 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCoNYZ1L/rR44/sUb6fzTXb99CrP+B9j01DRin5RT8Y59oD9R9TvsQcLztpXzvl4JQJfvjGou3ywVAuXTf8ksf/VHWnfGtZ3X1nWvuAeERwTFIIl8gR9xwTVjXDsLp3Feiqw6wHKdMI3BqI3oJ/Wn6gBxWgnm5UZbZMdWlAEAH1ucdxTOZ/+3aTC/hGb0N6ujp7MExTSUAs5xeSKHpocTdkD2RajC2Y+mbug0yt92XCHZX39zsQcxFd4NokTa2iJNO0bAYWXlXDPWRLuUfOrWWfuLn+OPH71pj+ysb6jrwFk+1sGV9h1GuxZne1+i42CGKoKomJaCMLE7kvMF6Solu/ shurdeek@whisper ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCrIjXkTOxLxaCA0o1SmC2bV09Hb3/seHYdd8kAKlTItbfnu0y/8RB+zRYt111ZmlfvbczsX5qNwaJoEwAxrkjtA5D/BnvSMSrxvmkRKtUMnXLOldr3hrZjRuTAmP3YxwcGfrNWv/+UcNSf1QE6NRJDxOSrBQ7qYAMaiq+6acztY7nvVWJ9ZntFOOaWOhkVWoCeDWmBEjRlQ1hCIMxm8BhopFaumkEVnnku/OskS2ZD6SFe6aKSXmaHV4nwtiQ5GiwdIEnrQ1GzK3h7SfRu/BXRhcnnPGIeRBuKaq/P1bqLsnFChPsrvkEP1Z/daosaGanIzODxkFO0rAkdScI4kHUhZba0vb3ahV4JpAwaH8dEQm0nkuxbUe2YR3eii6bMh9zv7BiXJnyTQtRzdYn4Im2eeSTOIlckohJWunhdnU9cRy8lFH7zILmr6sqxmjXxFzXS1KUas/+0yD4lgDDlsQtF6qI6pA75/tmK8pIq8915ShZA14bwDXWYLBDx+sy24iyG+kpSumzDqyNXvm+Z+bHHYAjI1uUcTKltnPQ4nJrhmY2+M4IhmL1LVyQU7K63BYlTtuV1106Xa8tQnzTblJKXPMqy/3LlV4TbSyUNJR0a5ma7LR/vxeloL1gxRQCQYJxcM1MD6VroqKUPIzhOWCdEPcM2+9oySOZbqDKfrenTMQ== yubikey@lenovopadpro ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCJfhSCRSrz1rSFtSWNt6EzL08l1DOjcEKBREUwtKZgxDJcj2MdXH6Z7otnJUUmOqf43x35eayCpQz8EG8eKJio= johndoe@macbook.pro@secretive.MacBook-Pro.local ```
lee.miller added 1 commit 2023-02-02 02:37:39 +00:00
lee.miller force-pushed openssh from 756a744c4f to c1e61f67ee 2023-02-02 03:42:56 +00:00 Compare
PeterSurda commented 2023-02-02 04:38:41 +00:00
Owner
Copy Link

The PR looks promising, let me test it.

The PR looks promising, let me test it.
PeterSurda commented 2023-02-02 12:22:48 +00:00
Owner
Copy Link

Something weird is happening when trying to boot this. dmesg shows that the /tmp/overlay can't be mounted, and without the overlay the system doesn't work properly. I can login via console but nothing works properly. It's as if the image was corrupt or something. I flashed the microSD card both on a mac and linux and I get the same result.

Something weird is happening when trying to boot this. `dmesg` shows that the /tmp/overlay can't be mounted, and without the overlay the system doesn't work properly. I can login via console but nothing works properly. It's as if the image was corrupt or something. I flashed the microSD card both on a mac and linux and I get the same result.
PeterSurda commented 2023-02-02 13:12:56 +00:00
Owner
Copy Link

After further testing, it looks to be some filesystem weirdness. I modify distroconfig.txt to enable the USB, as otherwise I can't use the keyboard. If I do this before first boot, the root filesystem gets screwed up or something. So I have to boot first, then power down, edit distroconfig.txt (on another machine) and then put the SD card back into the device and boot again.

Now regarding openssh:

  • /etc/uci-defaults/99-custom is executed upon each boot. Maybe then as a last step, it should remove itself?
  • openssh runs correctly
  • PermitRootLogin no should be replaced with PasswordAuthentication no
  • the authorized_keys don't get deployed and there is no /root/.ssh directory. I'm not sure ~ will work inside the uci-defaults script but maybe I'm wrong
After further testing, it looks to be some filesystem weirdness. I modify distroconfig.txt to enable the USB, as otherwise I can't use the keyboard. If I do this before first boot, the root filesystem gets screwed up or something. So I have to boot first, then power down, edit distroconfig.txt (on another machine) and then put the SD card back into the device and boot again. Now regarding openssh: - [ ] `/etc/uci-defaults/99-custom` is executed upon each boot. Maybe then as a last step, it should remove itself? - [x] openssh runs correctly - [ ] `PermitRootLogin no` should be replaced with `PasswordAuthentication no` - [ ] the `authorized_keys` don't get deployed and there is no /root/.ssh directory. I'm not sure `~` will work inside the uci-defaults script but maybe I'm wrong
lee.miller force-pushed openssh from c1e61f67ee to 33cf5864e1 2023-02-02 16:59:20 +00:00 Compare
lee.miller added 1 commit 2023-02-02 17:01:07 +00:00
lee.miller commented 2023-02-02 17:04:09 +00:00
Author
Collaborator
Copy Link
  • PermitRootLogin no should be replaced with PasswordAuthentication no

It seems to be set by default, at least staging_dir/target-aarch64_cortex-a72_musl/root-bcm27xx/etc/ssh/sshd_config has it uncommented. There is also PermitRootLogin prohibit-password mentioned as default.

> - [ ] `PermitRootLogin no` should be replaced with `PasswordAuthentication no` It seems to be set by default, at least `staging_dir/target-aarch64_cortex-a72_musl/root-bcm27xx/etc/ssh/sshd_config` has it uncommented. There is also `PermitRootLogin prohibit-password` mentioned as default.
lee.miller commented 2023-02-02 17:08:29 +00:00
Author
Collaborator
Copy Link
  • /etc/uci-defaults/99-custom is executed upon each boot. Maybe then as a last step, it should remove itself?

The doc says: If they exit with code 0 they are deleted afterwards.

> - [ ] `/etc/uci-defaults/99-custom` is executed upon each boot. Maybe then as a last step, it should remove itself? The doc [says](https://openwrt.org/docs/guide-developer/uci-defaults#uci_defaults): If they exit with code 0 they are deleted afterwards.
PeterSurda commented 2023-02-03 01:17:22 +00:00
Owner
Copy Link
  • PermitRootLogin no should be replaced with PasswordAuthentication no

It seems to be set by default, at least staging_dir/target-aarch64_cortex-a72_musl/root-bcm27xx/etc/ssh/sshd_config has it uncommented. There is also PermitRootLogin prohibit-password mentioned as default.

When I boot it, sshd_config has PasswordAuthentication commented. If I try to ssh in like that, it's asking for password. If I manually add PasswordAuthentication no, then it doesn't ask for password (i.e. and only checks keys).

> > > - [ ] `PermitRootLogin no` should be replaced with `PasswordAuthentication no` > > It seems to be set by default, at least `staging_dir/target-aarch64_cortex-a72_musl/root-bcm27xx/etc/ssh/sshd_config` has it uncommented. There is also `PermitRootLogin prohibit-password` mentioned as default. When I boot it, `sshd_config` has `PasswordAuthentication` commented. If I try to ssh in like that, it's asking for password. If I manually add `PasswordAuthentication no`, then it doesn't ask for password (i.e. and only checks keys).
PeterSurda commented 2023-02-03 01:19:06 +00:00
Owner
Copy Link
  • /etc/uci-defaults/99-custom is executed upon each boot. Maybe then as a last step, it should remove itself?

The doc says: If they exit with code 0 they are deleted afterwards.

It looks like the other default files are deleted upon first boot, just the 99-custom stays there. Why? Don't know. Maybe /sbin isn't in PATH so service doesn't resolve?

> > > - [ ] `/etc/uci-defaults/99-custom` is executed upon each boot. Maybe then as a last step, it should remove itself? > > The doc [says](https://openwrt.org/docs/guide-developer/uci-defaults#uci_defaults): If they exit with code 0 they are deleted afterwards. It looks like the other default files are deleted upon first boot, just the 99-custom stays there. Why? Don't know. Maybe `/sbin` isn't in PATH so `service` doesn't resolve?
PeterSurda requested changes 2023-02-03 02:23:28 +00:00
.buildbot/openwrt/build.sh Outdated
@ -50,0 +53,4 @@
mkdir -p files/etc/uci-defaults
cat << "EOF" > files/etc/uci-defaults/99-custom
echo "PasswordAuthentication no" >> /etc/ssh/sshd_config
mkdir -p ~/.ssh
PeterSurda commented 2023-02-03 02:12:51 +00:00
Owner
Copy Link

this works now, but ~ is /

this works now, but `~` is `/`
.buildbot/openwrt/build.sh Outdated
@ -50,0 +54,4 @@
cat << "EOF" > files/etc/uci-defaults/99-custom
echo "PasswordAuthentication no" >> /etc/ssh/sshd_config
mkdir -p ~/.ssh
mv authorized_keys ~/.ssh/
PeterSurda commented 2023-02-03 02:23:22 +00:00
Owner
Copy Link

I think this is not run. Maybe it's about the current directory?

I think this is not run. Maybe it's about the current directory?
👍 1
lee.miller force-pushed openssh from 04a7a3bb64 to 9e2394be2b 2023-02-03 12:40:30 +00:00 Compare
PeterSurda commented 2023-02-04 08:59:07 +00:00
Owner
Copy Link

Looks ok, I'll be able to test on Tuesday.

Looks ok, I'll be able to test on Tuesday.
PeterSurda commented 2023-02-08 08:39:17 +00:00
Owner
Copy Link

key is now in the right location. The permissions are too loose though. Can we maybe put it into the subdirectories into files? Like files/root/.ssh/authorized_keys? Then you can skip the mkdir and mv

regarding sshd, debugging revealed that

  • it's already enabled by default, so no need to enable, but do need to restart instead of start
  • you need to use /sbin/service and not just service
key is now in the right location. The permissions are too loose though. Can we maybe put it into the subdirectories into `files`? Like `files/root/.ssh/authorized_keys`? Then you can skip the `mkdir` and `mv` regarding sshd, debugging revealed that - it's already enabled by default, so no need to `enable`, but do need to `restart` instead of `start` - you need to use `/sbin/service` and not just `service`
lee.miller force-pushed openssh from 9e2394be2b to 2f3be6009c 2023-02-08 14:26:07 +00:00 Compare
PeterSurda commented 2023-02-09 09:01:50 +00:00
Owner
Copy Link

Ok it works except he permissions for /root/.ssh and /root/.ssh/authorized keys should be more restrictive. I'll merge, you can fix it in a separate PR.

Ok it works except he permissions for /root/.ssh and /root/.ssh/authorized keys should be more restrictive. I'll merge, you can fix it in a separate PR.
PeterSurda approved these changes 2023-02-09 09:02:13 +00:00
PeterSurda merged commit 2f3be6009c into main 2023-02-09 09:02:20 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
PeterSurda
Labels
Clear labels   
bug

Something is not working

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
help wanted

Need some help

  
invalid

Something is wrong

  
question

More information is needed

  
wontfix

This won't be fixed

No Label
bug
duplicate
enhancement
help wanted
invalid
question
wontfix
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
2 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: Sysdeploy/openwrt#9
No description provided.
Delete Branch "lee.miller/openwrt:openssh"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?