NSLU2-Linux

Note: Before you do this, make sure you know how to enable telnet access to your Slug. You should have already installed dropbear and determined which flags you wish to start it with. You should have also created the /etc/shells file with any shells you want dropbear to allow. These notes assume you are using the stock firmware's inetd. If you're using the xinetd package, adjust as needed.

1. Install the tcpwrapper package.

ipkg install tcpwrappers

2. Disable automatic startup of the dropbear daemon

cd /opt/etc/init.d
mv S51dropbear dropbear

3. Find the offset of the compile-time REAL_DAEMON_DIR string (/dev/null) in the original tcpd binary.

(Maintainer of the tcpwrappers ipkg, any possibility of changing this? It seems rather useless on the Slug without it, at least with the stock inetd.)

cd /opt/libexec
cp tcpd tcpd.orig
cp tcpd dropbear
chmod +x dropbear
od -c tcpd.orig | grep "d   e   v"

Note: use 3 spaces between each character in the grep command, because od -c prints every byte in a four-column field.

You should see an output like:

0023640   /   d   e   v   /   n   u   l   l  \0  \0  \0  \0  \0  \0  \0
0024400   o   p   e   n   /   d   e   v   /   n   u   l   l   :

4. Convert the first offset from octal to decimal.

In this case, 0023640 = 10144. You can use the scientific mode of the standard Windows calculator, or diehard Linux fans can use dc as such:

echo "8i23640p" | dc

FYI, "8i" sets the input radix to 8 (octal) and "23640p" prints the value in the default output radix (decimal).

5. Replace the /dev/null string with /opt/sbin

echo "/opt/sbin" | dd of=dropbear bs=1 seek=10144
dd if=tcpd.orig bs=1 skip=10153 | dd of=dropbear bs=1 seek=10153

Notes: 10153 is 10144 plus 9 (the length of "/opt/sbin" without the null terminator). dd applies skip= to its input and seek= to its output; when seek= is given without conv=notrunc, dd truncates the output file at that offset before writing, so the first command cuts dropbear off at byte 10144 and writes the new path (plus the newline from echo), and the second command copies everything from offset 10153 of the original back into place, overwriting that stray newline. Be patient; the command takes a few seconds to finish. I haven't played with changing the path to something else; YMMV.

6. (optional) Verify the change is correct (requires diffutils package)

od -c dropbear > od.out
od -c tcpd.orig | diff - od.out
rm od.out

You should see only one line of change, something like this:

635c635
< 0023640   /   d   e   v   /   n   u   l   l  \0  \0  \0  \0  \0  \0  \0
---
> 0023640   /   o   p   t   /   s   b   i   n  \0  \0  \0  \0  \0  \0  \0
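The offset hunt and in-place patch of steps 3 to 6, as an added example that is not part of this page or of the tcpwrappers package: shell functions that generalize the od/dd commands to any path and add the two checks a hand-run procedure skips (the match must be NUL-terminated, and the new path may not be longer than the old one). Function names and the sample file are my own, and it assumes GNU grep, dd and coreutils on a Linux workstation rather than the Slug's busybox.

```shell
# Added example, not from the NSLU2-Linux page or the tcpwrappers package:
# steps 3-5 as reusable functions for any old/new path, with a NUL-terminator
# check and a length check. Needs GNU grep, dd and coreutils.
set -eu

# byte_at FILE OFFSET: hex value of the single byte at OFFSET (empty past EOF).
byte_at() {
    dd if="$1" bs=1 skip="$2" count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# cstring_at FILE OFFSET: the NUL-terminated string that starts at OFFSET.
cstring_at() {
    dd if="$1" bs=1 skip="$2" 2>/dev/null | tr '\0' '\n' | head -n 1
}

# find_cstring_offset FILE STRING: decimal offset of the first occurrence of
# STRING followed by a NUL byte (tcpd also holds "/dev/null" inside the
# message "open /dev/null:", which must not be patched); fails if none.
find_cstring_offset() {
    file=$1 str=$2 len=${#2}
    grep -abo -F -- "$str" "$file" | cut -d: -f1 | {
        while read -r off; do
            [ "$(byte_at "$file" $((off + len)))" = "00" ] || continue
            printf '%s\n' "$off"
            exit 0
        done
        exit 1
    }
}

# patch_cstring FILE OLD NEW: overwrite OLD with NEW in place, NUL-padding NEW
# to OLD's length so the file size and every other byte are unchanged.
patch_cstring() {
    file=$1 old=$2 new=$3
    if [ ${#new} -gt ${#old} ]; then
        echo "refusing: '$new' is longer than '$old'" >&2
        return 2
    fi
    off=$(find_cstring_offset "$file" "$old") || return 1
    # conv=notrunc stops dd truncating the file at the seek offset, which is
    # what forces the second dd in step 5 above.
    { printf '%s' "$new"; head -c $((${#old} - ${#new})) /dev/zero; } \
        | dd of="$file" bs=1 seek="$off" conv=notrunc 2>/dev/null
}

# make_sample FILE: constructed stand-in for tcpd; the NUL-terminated "/dev/null" is second here.
make_sample() {
    printf 'hdr\0open /dev/null:\0\0\0/dev/null\0\0\0\0\0\0\0tail\0' > "$1"
}
```

Run `make_sample tcpd.copy; patch_cstring tcpd.copy /dev/null /opt/sbin` and compare with `od -c` as in step 6; only the nine patched bytes differ.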

7. Set up the hosts.allow and hosts.deny files for tcpwrappers.

echo "ANY: ANY" > /opt/etc/hosts.deny
echo "dropbear: 192.168." > /opt/etc/hosts.allow
chmod 400 /opt/etc/hosts.allow /opt/etc/hosts.deny

Note: add any other IP address/hosts/domains as appropriate.

8. Configure inetd to automatically start dropbear when receiving a connection on port 22. This is done by creating a diversion script for rc.xinetd.

mkdir /unslung
cat - > /unslung/rc.xinetd
  
#!/bin/sh
grep -q /opt/libexec/dropbear /etc/inetd.conf
if [ $? = 1 ] ; then
   echo -e "ssh\tstream\ttcp\tnowait\troot\t/opt/libexec/dropbear -i" >> /etc/inetd.conf
fi
return 1

(finish with a <Ctrl>-<D> to exit the redirected cat command)

chmod +x /unslung/rc.xinetd

Note: If you want to run dropbear with other arguments, such as -g to disable password logins for root, add them to the script above.

9. Activate the installation

killall dropbear
Open a web browser and enable (or disable) telnet. You could also reboot your Slug, but make sure you know how to enable telnet access if it doesn't work.

Note: If you've changed the script created in the above step, you'll have to manually delete the ssh line in /etc/inetd.conf before reactivating it. Otherwise, your change will have no effect.

10. Verify the installation

SSH to your slug.

Diagnosis:

If something isn't working, here are some hints:

1. Make sure inetd is running and configured correctly.

ps | grep inetd

On the Slug, do a 'cat /etc/inetd.conf'

You should see the line

ssh stream tcp nowait root /opt/libexec/dropbear -i

You may see a telnet line if you've just enabled Telnet. When you disable Telnet, that line should go away, but the ssh line should stay.

2. Display the last few lines of /var/log/messages. You should see something similar to this:

<22>Jul 12 16:37:46 dropbear[8977]: connect from yourhost.yourdomain.com
<22>Jul 12 16:37:46 dropbear[8977]: connect from yourhost.yourdomain.com
<86>Jul 12 16:37:46 dropbear[8977]: Child connection from 192.168.1.3:39081
<85>Jul 12 16:37:51 dropbear[8977]: password auth succeeded for 'user'

Note: the first two "connect from" lines are from tcpd. The next two are from dropbear.

3. Run tcpdmatch

tcpdmatch dropbear 192.168.1.1

You should see output like:

warning: /dev/null: world writable
warning: REAL_DAEMON_DIR /dev/null is not a directory
warning: /etc/inetd.conf, line 1: /dev/null/-i: file lookup: Not a directory
warning: dropbear: no such process name in /etc/inetd.conf
client: address 192.168.1.1
server: process dropbear
matched: /opt/etc/hosts.allow line 1
access: granted

You can ignore the warnings you see above, unless you want to replace the REAL_DAEMON_DIR variable in tcpdmatch and tcpdchk as well.

4. Make sure the shell you have specified in /etc/passwd is listed in /etc/shells.

Last edited by Pete Nelson.
Originally by Pete Nelson.
Page last modified on July 19, 2005, at 05:47 PM