SourceForge.net Logo

Chapter 4. Daemons and Drivers

Abstract

The previous chapter described how to get the kernel up and running. This chapter continues by building the daemons that provide the services for the router. Succeeding chapters configure these services.

This chapter is a part of the "Secure Internet Appliance for Small Office / Home Office HOWTO". It relies on the environment variables listed in Section 2.1, “Environment Variables”.

4.1. Secure Shell (SSH)

Secure Shell (SSH) allows you to login to another computer over a network and copy files back and forth. It provides strong authentication and secure communications over unsecured channels. It can be used as a secure replacement for telnet, rlogin, rsh, and rcp.

This SISO router uses the dropbear implementation of SSH. Dropbear is a small footprint SSH2 server that is compatible with the OpenSSH public key authentication method. For more information refer to "Dropbear SSH server and client" [19].

The version 0.46 and up uses /dev/random instead of /dev/urandom. In my config /dev/random was not seeded enough to return the requested number of bytes to dropbear). As a workaround Section 3.2, “Coreutils - busybox” creates a symbolic link from /dev/random pointing to /dev/random. [20]

wget -P $DL_DIR http://matt.ucc.asn.au/dropbear/releases/dropbear-0.50.tar.gz  #was 0.43, 0.48.1
tar -C $PRJ_DIR/apps -xvzf $DL_DIR/dropbear-0.50.tar.gz
cd $PRJ_DIR/apps/dropbear-0.50

Compile a key generator for the compile host.

rm -rf config.cache
./configure
make clean
make PROGRAMS="dropbear dropbearkey"  # we only need dropbearkey; dropbear is only compiled to prevent a error in options.h
mv dropbearkey dropbearkey-oncompilehost

Configure for the target. Ignore the /dev/pts: No such file or directory error.

rm -rf config.cache options.h.org
./configure CC=${TOOLCHAIN_CROSS}gcc \
            CFLAGS="-Os -I$ROOTFS_DIR/usr/include" \
            LDFLAGS="-L$ROOTFS_DIR/usr/lib" \
            --host=i586-linux \
            --prefix=$ROOTFS_DIR/usr \
            --exec-prefix=$ROOTFS_DIR/usr \
            --disable-utmp --disable-utmpx --disable-wtmp --disable-wtmpx \
            --disable-pututline --disable-pututxline \
            --disable-openpty --disable-lastlog --disable-shadow \
            --with-zlib=$ROOTFS_DIR/usr/lib

Disable undesired features.

[[ -f options.h.org ]] || mv options.h options.h.org
sed "/^#define DROPBEAR_AES128_CBC/s,#define,#undef,g; \
     /^#define DROPBEAR_TWOFISH128_CBC/s,#define,#undef,g; \
     /^#define ENABLE_X11FWD/s,#define,#undef,g; \
     /^#define DROPBEAR_MD5_HMAC/s,#define,#undef,g; \
     /^#define DBMULTI_CONVERT/s,#define,#undef,g;" \
    < options.h.org > options.h

Compile and install to rootfs.d.

make clean
make PROGRAMS=dropbear
install -s -m 755 dropbear $ROOTFS_DIR/usr/sbin

Generate the host keys and add them to the rootfs.d directory.

mkdir -p $ROOTFS_DIR/etc/sysconfig/dropbear/
[[ -f $ROOTFS_DIR/etc/sysconfig/dropbear/rsa_host_key ]] || \
  ./dropbearkey-oncompilehost -t rsa \
    -f $ROOTFS_DIR/etc/sysconfig/dropbear/rsa_host_key

[[ -f $ROOTFS_DIR/etc/sysconfig/dropbear/dds_host_key ]] || \
  ./dropbearkey-oncompilehost -t dss -f \
    $ROOTFS_DIR/etc/sysconfig/dropbear/dss_host_key

4.1.1. Public Key Authentication

Public key authentication limits logins to hosts that have their public key installed on the router. The commands below will generate generate a key pair on the compile host. The public key is then added to the router's rootfs.d.

if [ ! -f $HOME/.ssh/id_rsa.pub ] ; then
    ssh-keygen -t rsa
fi
install -d -m 750 $ROOTFS_DIR/root
install -d -m 750 $ROOTFS_DIR/root/.ssh
USER=`cut -d' ' -f3 $HOME/.ssh/id_rsa.pub`
touch $ROOTFS_DIR/root/.ssh/authorized_keys
if ! grep -q $USER $ROOTFS_DIR/root/.ssh/authorized_keys ; then
  cat $HOME/.ssh/id_rsa.pub >> $ROOTFS_DIR/root/.ssh/authorized_keys
  chmod 640 $ROOTFS_DIR/root/.ssh/authorized_keys
fi

4.1.2. Password Authentication (optional)

Password authentication gives the flexibility to login from any host. This is also the main disadvantage. The example below creates a /etc/passwd with the same root password as on the compile host.

if grep -q ^root:x: $ROOTFS_DIR/etc/passwd ; then
    MD5=`grep ^root: < /etc/passwd | cut -f2 -d:`
    if [ "$MD5" == "x" ]; then 
      MD5=`sudo grep ^root: /etc/shadow | cut -f2 -d:`
    fi
    sed "/^root:/s,:x:0:0:,:$MD5:0:0:,;" < $ROOTFS_DIR/etc/passwd > /tmp/$$
    mv /tmp/$$ $ROOTFS_DIR/etc/passwd
fi
install -d -m 700 $ROOTFS_DIR/root



[20] A more detailed description can be found at http://people.freebsd.org/~dougb/randomness.html.