Security advisory - Dropbear

Hi,

There was a security flaw in the configuration of dropbear (the default SSH server on SHR) that made it listen on all network interfaces (wifi, gprs, usb) instead of only on usb. This is a problem because the default password is blank, and the SHR distribution runs as root by default.

Notes about the commands:
The commands to type are the ones that come just after root@om-gta02 ~ $
The lines that don't contain root@om-gta02 ~ $ are the output of the commands.

Resolution:
The advised way to handle it is to upgrade dropbear, or the entire distribution, or to reinstall. To update dropbear, run the following commands:
root@om-gta02 ~ $ opkg update
Downloading http://build.shr-project.org/shr-unstable/ipk//all/Packages.gz
Inflating http://build.shr-project.org/shr-unstable/ipk//all/Packages.gz
Updated list of available packages in /var/lib/opkg/shr-all
Downloading http://build.shr-project.org/shr-unstable/ipk//armv4/Packages.gz
Inflating http://build.shr-project.org/shr-unstable/ipk//armv4/Packages.gz
Updated list of available packages in /var/lib/opkg/shr-armv4
Downloading http://build.shr-project.org/shr-unstable/ipk//armv4t/Packages.gz
Inflating http://build.shr-project.org/shr-unstable/ipk//armv4t/Packages.gz
Updated list of available packages in /var/lib/opkg/shr-armv4t
Downloading http://build.shr-project.org/shr-unstable/ipk//om-gta02/Packages.gz
Inflating http://build.shr-project.org/shr-unstable/ipk//om-gta02/Packages.gz
Updated list of available packages in /var/lib/opkg/shr-om-gta02
root@om-gta02 ~ $ opkg upgrade dropbear
Upgrading dropbear on root from 0.51-r1.01 to 0.51-r1.02...
Downloading http://build.shr-project.org/shr-unstable/ipk//armv4t/dropbear_0.51-r1.02_armv4t.ipk
Configuring dropbear
System startup links for /etc/init.d/dropbear already exist.
Restarting Dropbear SSH server:
Connection to 192.168.0.202 closed by remote host.
Connection to 192.168.0.202 closed.
Then reboot your phone

Workarounds:

* You can change the default password using the passwd command (just type passwd in the terminal and type your password; note that you won't see * appearing on the screen while typing the password). That will prevent unauthorized access, but dropbear will keep listening on all interfaces. To change the password, run the following command:
root@om-gta02 ~ $ passwd
Changing password for root
Enter the new password (minimum of 5, maximum of 8 characters)
Please use a combination of upper and lower case letters and numbers.
Enter new password:
Re-enter new password:
Password changed.
* You can make it listen only on the USB interface by adding the following content to the /etc/default/dropbear file:
DROPBEAR_PORT=`ip addr list usb0 | awk 'BEGIN { FS="[ /]+" } /inet / { print $3 }'`:22
Then reboot your phone
Verify that it worked: connect your openmoko to the wifi and verify that you can't ssh into it over the wifi. 192.168.1.108 must be replaced by the IP address of your openmoko.
$ ssh root@192.168.1.108
ssh: connect to host 192.168.1.108 port 22: Connection refused
In order to find the IP address of your openmoko, run the following command on the openmoko:
root@om-gta02 ~ $ ip addr list eth0 | awk 'BEGIN { FS="[ /]+" } /inet / { print $3 }'
192.168.1.108
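
A check for the two conditions the USB-only workaround relies on, as an added example that is not part of the original advisory: the usb0 address must exist when DROPBEAR_PORT is computed, and no port 22 listener may remain on another address. The function names are hypothetical, the sample interface and netstat lines are constructed, and the netstat column layout is an assumption.

```shell
#!/bin/sh
# Added example. All SAMPLE_* data is constructed; on the phone, pipe in the
# real output of `ip addr list usb0` and `netstat -ltn` instead.

# Same awk program as the advisory: print the IPv4 address of the interface.
iface_addr() {
    awk 'BEGIN { FS="[ /]+" } /inet / { print $3 }'
}

# Build the DROPBEAR_PORT value. Fails when the interface has no address,
# because the value would then be ":22" and no longer name the USB address.
dropbear_port_value() {
    addr=$(iface_addr)
    [ -n "$addr" ] || return 1
    printf '%s:22\n' "$addr"
}

# Print each TCP listener on port 22 whose local address is not "$1".
# Assumes netstat's usual column layout (field 4 = local address).
exposed_ssh_listeners() {
    awk -v want="$1:22" \
        '$1 ~ /^tcp/ && $NF == "LISTEN" && $4 ~ /:22$/ && $4 != want { print $4 }'
}

SAMPLE_USB0='4: usb0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
    link/ether 00:1f:11:01:02:03 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.202/24 brd 192.168.0.255 scope global usb0'
SAMPLE_USB0_NOADDR='4: usb0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop
    link/ether 00:1f:11:01:02:03 brd ff:ff:ff:ff:ff:ff'
SAMPLE_BEFORE='tcp        0      0 0.0.0.0:22        0.0.0.0:*         LISTEN'
SAMPLE_AFTER='tcp        0      0 192.168.0.202:22  0.0.0.0:*         LISTEN'

if value=$(printf '%s\n' "$SAMPLE_USB0" | dropbear_port_value); then
    echo "DROPBEAR_PORT=$value"
fi
if ! printf '%s\n' "$SAMPLE_USB0_NOADDR" | dropbear_port_value >/dev/null; then
    echo "usb0 has no IPv4 address: do not write DROPBEAR_PORT yet"
fi
echo "exposed before fix: $(printf '%s\n' "$SAMPLE_BEFORE" | exposed_ssh_listeners 192.168.0.202)"
echo "exposed after fix:  $(printf '%s\n' "$SAMPLE_AFTER" | exposed_ssh_listeners 192.168.0.202)"
```

An empty result from exposed_ssh_listeners is the on-device counterpart of the "Connection refused" test from another machine.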

History of the bug solving:

At first we thought the cause was that dropbear.inc did not contain something like this:
SRC_URI_append_openmoko = "file://default"
and that adding the following:
SRC_URI_append_shr = "file://default"
would solve it, but it was already in the recipe. Then we thought it was because the default file was in org.openembedded.dev/recipes/dropbear/dropbear/openmoko and not in org.openembedded.dev/recipes/dropbear/dropbear/shr.
But a verification of the SRC_URI variable with bitbake -i and peek showed that the default file was included in the SRC_URI.
Then we thought that someone could have forgotten to bump the PR. We bumped the PR and rebuilt the dropbear package; the ipk then contained the default file, and upgrading dropbear made the bug disappear.
 
Future:
SHR plans to switch to openssh, in order to avoid such problems and to have a better ssh client and server (the dropbear client doesn't support all the features that openssh does, such as key encryption).

3 Comments

Why do you want to not listen to wifi or other?
SHR users use wifi to connect their FR to their LAN!

A thing is false, Dropbear can be secured with rsa/dss keys.

See at :

MAN DROPBEAR
http://pwet.fr/man/linux/administration … e/dropbear

MAN DROPBEARKEY
http://pwet.fr/man/linux/administration … ropbearkey

@piratebab:
you can change that by removing that line:
DROPBEAR_PORT=`ip addr list usb0 | awk 'BEGIN { FS="[ /]+" } /inet / { print $3 }'`:22
in /etc/default/dropbear
better doing so after setting a password

if we permit empty password on wifi that isn't great

@FreedomSound:
your link points nowhere but... I didn't mean that we can't use keys... I meant that the keys are not encrypted... that is to say:
your keys can't have a password, so anyone who has access to your device can ssh into your machine or even copy your keys

Denis.


This page contains a single entry by Denis 'GNUtoo' Carikli published on August 5, 2009 3:49 PM.
