Chrooted Drop Bear SSH Server HowTo
This tutorial is being written to help you install Drop Bear SSH server into a chroot environment. It covers the below sections:
* Installation of Drop Bear
* Setup Drop Bear
* Setup Chroot Environment
* Debug Chrooted Drop Bear
Drop Bear
Dropbear is a relatively small SSH 2 server and client. It is an alternative lightweight program for OpenSSH and it is designed for environments with low memory and processor resources, such as embedded systems.
https://matt.ucc.asn.au/dropbear/dropbear.html
All steps in this tutorial are run as root user with Debian 9 as operating system. The steps below should work for other Linux OS as well.
Installation
Download
wget -c https://matt.ucc.asn.au/dropbear/dropbear-2018.76.tar.bz2
Extract
tar jxf dropbear-2018.76.tar.bz2
Install Build tools
For Debian 9, the tools to compile the software can be installed with apt:
apt-get install build-essential zlib1g-dev
Configuration
In our installation, we choose: /chroot/dropbear as the root path of our chroot environment. And for educational purposes only, we change the default TCP port of ssh to 2222:
cd dropbear-2018.76
./configure --prefix=/chroot/dropbear
sed -i 's/22/2222/g' options.h
Compilation
Simple as that:
make
Installation
The default installation process:
make install
Keys
The next step is to create dss & rsa keys for dropbear ssh server.
We must create the dropbear's key folder first:
mkdir -pv /chroot/dropbear/etc/dropbear
And then:
/chroot/dropbear/bin/dropbearkey -t dss -f /chroot/dropbear/etc/dropbear/dropbear.dss
/chroot/dropbear/bin/dropbearkey -t rsa -s 4096 -f /chroot/dropbear/etc/dropbear/dropbear.rsa
As you can see, we used the chroot environment path without the need of our distribution path hierarchy. The Drop Bear's keys are already installed to our chroot environment at once.
Shared Libraries
We now have to check all the necessary shared libraries that dropbear needs to run inside a chroot environment:
ldd /chroot/dropbear/sbin/dropbear
Chroot Environment
Structure
cd /chroot/dropbear/
mkdir -pv dev/pts proc etc lib usr/lib var/run var/log lib/x86_64-linux-gnu lib64
Libraries
cp /lib/x86_64-linux-gnu/libutil.so.1 lib/x86_64-linux-gnu/
cp /lib/x86_64-linux-gnu/libz.so.1 lib/x86_64-linux-gnu/
cp /lib/x86_64-linux-gnu/libcrypt.so.1 lib/x86_64-linux-gnu/
cp /lib/x86_64-linux-gnu/libc.so.6 lib/x86_64-linux-gnu/
cp /lib64/ld-linux-x86-64.so.2 lib64/
Extra Libraries
These libraries are mostly for the authentication process.
cp /lib/x86_64-linux-gnu/libnss_dns.so.2 lib/x86_64-linux-gnu/
cp /lib/x86_64-linux-gnu//libnss_files.so.2 lib/x86_64-linux-gnu/
Files
Copy necessaries files from root to chroot:
cp /etc/localtime etc/
cp /etc/nsswitch.conf etc/
cp /etc/resolv.conf etc/
cp /etc/host.conf etc/
cp /etc/hosts etc/
touch var/log/lastlog
touch var/run/utmp
touch var/log/wtmp
echo 'SSH' > etc/dropbear/dropbear.banner
Devices
We now must be very careful with the next step of our process. We have to create all the necessary devices for dropbear to run.
(Remember, we are always on the chroot path – eg. /chroot/dropbear.)
mknod dev/urandom c 1 9
chmod 0666 dev/urandom
mknod dev/ptmx c 5 2
chmod 0666 dev/ptmx
mknod dev/tty c 5 0
chmod 0666 dev/tty
Users
Of course, we need to add users to our chroot dropbear setup. You can choose to add an existing user or you can create a new one. I prefer to add an existing user (eg. ebal):
grep ^ebal /etc/passwd > etc/passwd
grep ^ebal /etc/group > etc/group
grep ^ebal /etc/shadow > etc/shadow
mkdir -pv home/ebal
chown ebal.ebal !$
Shell
Every user needs a shell! But we don't need to install bash, we can simply use busybox. Busybox is a lightweight shell and combines a lot of common unix utils into a small executable binary file.
cp /etc/shells etc/
sed -i 's/bash/sh/' etc/passwd
cd bin
wget -c https://busybox.net/downloads/binaries/1.27.1-i686/busybox
chmod 0755 busybox
ln -s busybox sh
cd ../
Mount Points
This is the most important thing that we (you) have to do properly. The new environment needs access to terminals (this is necessary for a user to login) and to proc filesystem.
mount -o bind /dev/pts dev/pts/
mount -o bind /proc proc/
Run Drop Bear
Finally, we are ready to run Drop Bear from a chroot environment:
chroot /chroot/dropbear/ \
/sbin/dropbear \
-b /etc/dropbear/dropbear.banner \
-d /etc/dropbear/dropbear.dss \
-r /etc/dropbear/dropbear.rsa \
-F -E -w -g -p 2222
Debug
But if something goes wrong, we can always debug the running process with strace:
strace -f chroot /chroot/dropbear/ \
/sbin/dropbear \
-b /etc/dropbear/dropbear.banner \
-d /etc/dropbear/dropbear.dss \
-r /etc/dropbear/dropbear.rsa \
-F -E -w -g -p 2222