Chrooted Drop Bear HowTo

Want to support HowtoForge? Become a subscriber!
 
Submitted by ebal (Contact Author) (Forums) on Fri, 2010-04-09 18:16. :: Linux | Security

Chrooted Drop Bear HowTo

This tutorial is being written to help you install Drop Bear to a chroot environment. It covers the below sections:

* Installation of Drop Bear
* Setup Drop Bear
* Setup Chroot Enviroment
* Debug Chrooted Drop Bear

 

Drop Bear

Dropbear is a relatively small SSH 2 server and client. It is an alternative lightweight program for  openssh and it is designed for environments with low memory and processor resources, such as embedded systems.

http://matt.ucc.asn.au/dropbear/dropbear.html

 

Installation

Download

wget -c http://matt.ucc.asn.au/dropbear/releases/dropbear-0.52.tar.bz2

 

Extract

tar jxf dropbear-0.52.tar.bz2

 

Configuration

In our installation we choose: /chroot/dropbear as the root path of our chroot environment. And for educational purposes only, we change the default TCP port of ssh to 2222:

cd dropbear-0.52
./configure --prefix=/chroot/dropbear
sed -i 's/22/2222/g' options.h

 

Compilation

Simple as that:

make

 

Installation

The default installation process:

make install

 

Keys

The next step is to create dss & rsa keys for dropbear ssh server.

We must create the dropbear's key folder first:

mkdir -pv /chroot/dropbear/etc/dropbear

And then:

/chroot/dropbear/bin/dropbearkey -t dss -f /chroot/dropbear/etc/dropbear/dropbear.dss
/chroot/dropbear/bin/dropbearkey -t rsa -s 4096 -f /chroot/dropbear/etc/dropbear/dropbear.rsa

As you can see, we used the chroot environment path without the need of our distribution path hierarchy. The Drop Bear's keys are already installed to our chroot environment at once.

 

Shared Libraries

We now have to check all the necessary shared libraries that dropbear needs to run inside a chroot environment:

ldd /chroot/dropbear/sbin/dropbear

 

Chroot Environment

Structure

cd /chroot/dropbear/
mkdir -pv dev/pts proc etc lib usr/lib var/run var/log

 

Libraries

cp /lib/libutil.so.1 lib/
cp /usr/lib/libz.so.1 usr/lib/
cp /lib/libcrypt.so.1 lib
cp /lib/libc.so.6 lib/
cp /lib/ld-linux.so.2 lib/

 

Extra Libraries

This libraries are mostly for the authentication process.

cp /lib/libnss_dns.so.2 lib/
cp /lib/libnss_files.so.2 lib/

 

Files

Copy necessaries files from root to chroot:

cp /etc/localtime etc/
cp /etc/nsswitch.conf etc/
cp /etc/resolv.conf etc/
cp /etc/host.conf etc/
cp /etc/hosts etc/
touch var/log/lastlog
touch var/run/utmp
touch var/log/wtmp

 

Devices

We now must be very careful with the next step of our process. We have to create all the necessary devices for dropbear to run.

(Remember, we are always on the chroot path – eg. /chroot/dropbear.)

mknod dev/urandom c 1 9
chmod 0666 dev/urandom
mknod dev/ptmx c 5 2
chmod 0666 dev/ptmx
mknod dev/tty c 5 0
chmod 0666 dev/tty

 

Users

Of course we need to add users to our chroot dropbear setup. You can choose to add an existing user or you can create a new one. I prefer to add an existing user (eg. ebal):

grep ^ebal /etc/passwd > etc/passwd
grep ^ebal /etc/group > etc/group
grep ^ebal /etc/shadow > etc/shadow
mkdir home/ebal
chown ebal.ebal !$

 

Shell

Every user needs a shell! But we don't need to install bash, we can simply use busybox. Busybox is a lightweight shell and combines a lot of common unix utils into a small executable binary file.

cp /etc/shells etc/
sed -i 's/bash/sh/' etc/passwd
cd bin
wget -c http://busybox.net/downloads/binaries/1.16.0/busybox-i686
mv busybox-i686 busybox
chmod 0755 busybox
ln -s busybox sh
cd ../

 

Mount Points

This is the most important thing that we (you) have to do properly. The new environment needs access to terminals (this is necessary for a user to login) and to proc filesystem.

mount -o bind /dev/pts dev/pts/
mount -o bind /proc proc/

 

Run 

Finally we are ready to run Drop Bear from a chroot enviroment:

chroot /chroot/dropbear/ \
/sbin/dropbear \
-b /etc/dropbear/dropbear.banner \
-d /etc/dropbear/dropbear.dss \
-r /etc/dropbear/dropbear.rsa \
-m -w -g

 

Debug

But if something goes wrong, we can always debug the running process with strace:

strace -f chroot /chroot/dropbear/ \
/sbin/dropbear \
-b /etc/dropbear/dropbear.banner \
-d /etc/dropbear/dropbear.dss \
-r /etc/dropbear/dropbear.rsa \
-F -E -m -w -g


Copyright (c) 2010 Evaggelos Balaskas
Permission is granted to copy, distribute and/or modify the content of
this page under the terms of the GNU Free Documentation License, Version 1.2
or any later version published by the Free Software Foundation; with no
Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
A copy of the license is available at http://www.gnu.org/licenses/fdl.html
add comment | view as pdf view as pdf | Display a printer-friendly version of this page. print
Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
notes
Submitted by weakish (not registered) on Tue, 2010-06-08 16:24.

1, In section users, when creating the user home directory, we need to add the -p option, since we haven't create the home directory before. That is, instead of mkdir home/ebal
using mkdir -p home/ebal
2, In the same section: Use "." to distinguish user and group is deprecated. In recent versions of chown, you should use this syntax user:group.

reply | view as pdf view as pdf
Jailkit makes live much easier
Submitted by Olivier (not registered) on Tue, 2010-04-13 08:58.
Why not use Jailkit? It can automate much of this work?
reply | view as pdf view as pdf