Bug #1140

closed

Missing tools for production system

Added by Hammel 8 months ago. Updated 8 months ago.

Status: Closed
Priority: Immediate
Assignee:
Category: 04 - Busybox
Target version:
Start date: 02 May 2024
Due date:
% Done: 100%
Estimated time:
Severity: 01 - Critical

Description

Need the following for a production system deployment.
  1. addgroup and adduser from Busybox
  2. sudo
  3. dropbear config
    1. man dropbear
    2. OpenWRT Dropbear Configuration
    3. See How to install and config dropbear

There may be others.

Actions #1

Updated by Hammel 8 months ago

  • Description updated (diff)

Actions #2

Updated by Hammel 8 months ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 10

Default dropbear config is in /etc/default/dropbear.

This is a shell script, so I can do things like this:

DROPBEAR_ROOTLOGIN="-w"
DROPBEAR_ARGS="${DROPBEAR_ROOTLOGIN} ..."

This sets up the DROPBEAR_ARGS used by S50dropbear to set the command line for dropbear, which is the only way to configure the daemon.

Actions #3

Updated by Hammel 8 months ago

The online man page appears out of date. This is the version running on PiBox.

Dropbear server v2022.83 https://matt.ucc.asn.au/dropbear/dropbear.html
Usage: dropbear [options]
-b bannerfile   Display the contents of bannerfile before user login
                (default: none)
-r keyfile      Specify hostkeys (repeatable)
                defaults: 
                - dss /etc/dropbear/dropbear_dss_host_key
                - rsa /etc/dropbear/dropbear_rsa_host_key
                - ecdsa /etc/dropbear/dropbear_ecdsa_host_key
                - ed25519 /etc/dropbear/dropbear_ed25519_host_key
-R              Create hostkeys as required
-F              Don't fork into background
-e              Pass on server process environment to child process
-E              Log to stderr rather than syslog
-m              Don't display the motd on login
-w              Disallow root logins
-G              Restrict logins to members of specified group
-s              Disable password logins
-g              Disable password logins for root
-B              Allow blank password logins
-t              Enable two-factor authentication (both password and public key required)
-T              Maximum authentication tries (default 10)
-j              Disable local port forwarding
-k              Disable remote port forwarding
-a              Allow connections to forwarded ports from any host
-c command      Force executed command
-p [address:]port
                Listen on specified tcp port (and optionally address),
                up to 10 can be specified
                (default port is 22 if none specified)
-P PidFile      Create pid file PidFile
                (default /var/run/dropbear.pid)
-i              Start for inetd
-W <receive_window_buffer> (default 24576, larger may be faster, max 10MB)
-K <keepalive>  (0 is never, default 0, in seconds)
-I <idle_timeout>  (0 is never, default 0, in seconds)
-z    disable QoS
-V    Version

I'd say the following arguments would be useful: -r, -R<>, -m, with -R<> used on firstboot and -r used at runtime to prevent cycling through keys.
The following should have blank env vars but could be configured once users are added: -w, -s, -g
The -P option is not needed because the init script uses start-stop-daemon which manages a pid file for the dropbear daemon.
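
As an added example (not code from the ticket or from the PiBox project), the following POSIX shell script models the mechanism described in comments #2 and #3: per-option variables in the /etc/default/dropbear fragment are assembled into DROPBEAR_ARGS, which S50dropbear passes to the daemon. It also audits the assembled line for the hardening flags discussed above. Only DROPBEAR_ROOTLOGIN and DROPBEAR_ARGS appear in the ticket; DROPBEAR_KEYS, DROPBEAR_PASSWORDS, DROPBEAR_MOTD, DROPBEAR_FORWARDING and the two functions are assumed names chosen for illustration. The hostkey path is the dropbear default printed in the usage text.

```sh
#!/bin/sh
# Added example, not from the ticket. Models /etc/default/dropbear, the shell
# fragment sourced by S50dropbear, and audits the resulting DROPBEAR_ARGS.
# Variable names other than DROPBEAR_ROOTLOGIN/DROPBEAR_ARGS are assumptions.

# build_dropbear_args [firstboot|runtime]
# Prints the daemon command line. Per the ticket's plan, -R (create hostkeys
# as required) is used on firstboot only; afterwards -r pins the stored key.
build_dropbear_args() {
    mode="${1:-runtime}"
    if [ "$mode" = "firstboot" ]; then
        DROPBEAR_KEYS="-R"
    else
        DROPBEAR_KEYS="-r /etc/dropbear/dropbear_ed25519_host_key"
    fi
    DROPBEAR_ROOTLOGIN="-w"        # disallow root logins
    DROPBEAR_PASSWORDS="-s"        # disable password logins (keys only)
    DROPBEAR_MOTD="-m"             # don't display the motd
    DROPBEAR_FORWARDING="-j -k"    # no local or remote port forwarding
    DROPBEAR_ARGS="${DROPBEAR_KEYS} ${DROPBEAR_ROOTLOGIN} ${DROPBEAR_PASSWORDS} ${DROPBEAR_MOTD} ${DROPBEAR_FORWARDING}"
    # An empty variable (an option "left blank" until users exist) leaves a
    # double space; squeeze it so the line is clean for start-stop-daemon.
    DROPBEAR_ARGS=$(printf '%s' "$DROPBEAR_ARGS" | tr -s ' ')
    printf '%s\n' "$DROPBEAR_ARGS"
}

# has_flag ARGS FLAG: succeeds when FLAG is a standalone word in ARGS.
has_flag() {
    for word in $1; do
        [ "$word" = "$2" ] && return 0
    done
    return 1
}

# audit_dropbear_args ARGS: prints one WARN line per finding and returns 0
# only when root login and password login are both disabled and -R is absent
# (i.e. the line is the runtime configuration, not the firstboot one).
audit_dropbear_args() {
    args="$1"
    rc=0
    if ! has_flag "$args" "-w"; then
        echo "WARN: root login allowed (add -w)"; rc=1
    fi
    if ! has_flag "$args" "-s" && ! has_flag "$args" "-g"; then
        echo "WARN: password logins allowed (add -s, or at least -g for root)"; rc=1
    fi
    if has_flag "$args" "-R"; then
        echo "WARN: -R present; the ticket uses -R on firstboot and -r at runtime"; rc=1
    fi
    return $rc
}

# Usage: assemble the runtime line and audit it before S50dropbear uses it.
DROPBEAR_ARGS=$(build_dropbear_args)
audit_dropbear_args "$DROPBEAR_ARGS" && echo "OK: $DROPBEAR_ARGS"
```

Because the fragment is plain shell, anything sourced from it runs as root at boot, so the file should stay root-owned and not group/world-writable; the audit function is meant to be run on the assembled line after editing, before restarting the service.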

Actions #4

Updated by Hammel 8 months ago

  • Description updated (diff)

Actions #5

Updated by Hammel 8 months ago

  • Status changed from In Progress to Closed
  • % Done changed from 10 to 100

Tools added to build and deployed to a PiStore test platform. Users added, ssh keys used for login. Configuration file for dropbear added for extending security.

Code committed and pushed.

Closing issue.
