Chrooted Drop Bear SSH Server HowTo

This tutorial is being written to help you install Drop Bear SSH server into a chroot environment. It covers the below sections:

* Installation of Drop Bear
* Setup Drop Bear
* Setup Chroot Environment
* Debug Chrooted Drop Bear

Drop Bear

Dropbear is a relatively small SSH 2 server and client. It is an alternative lightweight program for OpenSSH and it is designed for environments with low memory and processor resources, such as embedded systems.

https://matt.ucc.asn.au/dropbear/dropbear.html

All steps in this tutorial are run as root user with Debian 9 as operating system. The steps below should work for other Linux OS as well.

Installation

Download

wget -c https://matt.ucc.asn.au/dropbear/dropbear-2018.76.tar.bz2

Extract

tar jxf dropbear-2018.76.tar.bz2

Install Build tools

For Debian 9, the tools to compile the software can be installed with apt:

apt-get install build-essential zlib1g-dev

Configuration

In our installation, we choose: /chroot/dropbear as the root path of our chroot environment. And for educational purposes only, we change the default TCP port of ssh to 2222:

cd dropbear-2018.76
./configure --prefix=/chroot/dropbear
sed -i 's/22/2222/g' options.h

Compilation

Simple as that:

make

Installation

The default installation process:

make install

Keys

The next step is to create dss & rsa keys for dropbear ssh server.

We must create the dropbear's key folder first:

mkdir -pv /chroot/dropbear/etc/dropbear

And then:

/chroot/dropbear/bin/dropbearkey -t dss -f /chroot/dropbear/etc/dropbear/dropbear.dss
/chroot/dropbear/bin/dropbearkey -t rsa -s 4096 -f /chroot/dropbear/etc/dropbear/dropbear.rsa

As you can see, we used the chroot environment path without the need of our distribution path hierarchy. The Drop Bear's keys are already installed to our chroot environment at once.

Shared Libraries

We now have to check all the necessary shared libraries that dropbear needs to run inside a chroot environment:

ldd /chroot/dropbear/sbin/dropbear

Chroot Environment

Structure

cd /chroot/dropbear/
mkdir -pv dev/pts proc etc lib usr/lib var/run var/log lib/x86_64-linux-gnu lib64

Libraries

cp /lib/x86_64-linux-gnu/libutil.so.1 lib/x86_64-linux-gnu/
cp /lib/x86_64-linux-gnu/libz.so.1 lib/x86_64-linux-gnu/
cp /lib/x86_64-linux-gnu/libcrypt.so.1 lib/x86_64-linux-gnu/
cp /lib/x86_64-linux-gnu/libc.so.6 lib/x86_64-linux-gnu/
cp /lib64/ld-linux-x86-64.so.2 lib64/

Extra Libraries

These libraries are mostly for the authentication process.

cp /lib/x86_64-linux-gnu/libnss_dns.so.2 lib/x86_64-linux-gnu/
cp /lib/x86_64-linux-gnu//libnss_files.so.2 lib/x86_64-linux-gnu/

Files

Copy necessaries files from root to chroot:

cp /etc/localtime etc/
cp /etc/nsswitch.conf etc/
cp /etc/resolv.conf etc/
cp /etc/host.conf etc/
cp /etc/hosts etc/
touch var/log/lastlog
touch var/run/utmp
touch var/log/wtmp
echo 'SSH' > etc/dropbear/dropbear.banner

Devices

We now must be very careful with the next step of our process. We have to create all the necessary devices for dropbear to run.

(Remember, we are always on the chroot path – eg. /chroot/dropbear.)

mknod dev/urandom c 1 9
chmod 0666 dev/urandom
mknod dev/ptmx c 5 2
chmod 0666 dev/ptmx
mknod dev/tty c 5 0
chmod 0666 dev/tty

Users

Of course, we need to add users to our chroot dropbear setup. You can choose to add an existing user or you can create a new one. I prefer to add an existing user (eg. ebal):

grep ^ebal /etc/passwd > etc/passwd
grep ^ebal /etc/group > etc/group
grep ^ebal /etc/shadow > etc/shadow
mkdir -pv home/ebal
chown ebal.ebal !$

Shell

Every user needs a shell! But we don't need to install bash, we can simply use busybox. Busybox is a lightweight shell and combines a lot of common unix utils into a small executable binary file.

cp /etc/shells etc/
sed -i 's/bash/sh/' etc/passwd
cd bin
wget -c https://busybox.net/downloads/binaries/1.27.1-i686/busybox
chmod 0755 busybox
ln -s busybox sh
cd ../

Mount Points

This is the most important thing that we (you) have to do properly. The new environment needs access to terminals (this is necessary for a user to login) and to proc filesystem.

mount -o bind /dev/pts dev/pts/
mount -o bind /proc proc/

Run Drop Bear

Finally, we are ready to run Drop Bear from a chroot environment:

chroot /chroot/dropbear/ \
/sbin/dropbear \
-b /etc/dropbear/dropbear.banner \
-d /etc/dropbear/dropbear.dss \
-r /etc/dropbear/dropbear.rsa \
-F -E -w -g -p 2222

Debug

But if something goes wrong, we can always debug the running process with strace:

strace -f chroot /chroot/dropbear/ \
/sbin/dropbear \
-b /etc/dropbear/dropbear.banner \
-d /etc/dropbear/dropbear.dss \
-r /etc/dropbear/dropbear.rsa \
-F -E -w -g -p 2222
Share this page:

Suggested articles

3 Comment(s)

Add comment

Comments

By: Olivier at: 2010-04-13 07:58:23

Why not use Jailkit? It can automate much of this work?

By: weakish at: 2010-06-08 15:24:09

1, In section users, when creating the user home directory, we need to add the -p option, since we haven't create the home directory before. That is, instead of

mkdir home/ebal
using
mkdir -p home/ebal
2, In the same section: Use "." to distinguish user and group is deprecated. In recent versions of chown, you should use this syntax user:group.

By: Klaus at: 2018-11-13 15:19:10

i don't understand this lol