FOXSAT-HDR Dropbear SSH with keys

WARNING: This article relates to the dropbear package version 2012.55 and not the updated package 2012.55-1 that now includes the ability to login with keys. It is no longer necessary to use these instructions to modify the dropbear installation on your FOXSAT-HDR. The instructions on how to generate and distribute client keys are still valid.

I have just upgraded the functionality of my Humax FOXSAT-HDR with some custom firmware. The new firmware came with Telnet active but I prefer to use SSH with RSA or DSA keys. Dropbear is the installable package that provides SSH for the custom firmware but I couldn’t find any documentation with the firmware that explained how to get it working with client keys.

Following an evening of research and experimentation, I found a way of getting it to work. Ubuntu/Linux/BSD users can use this process to configure Dropbear on the FOXSAT-HDR to use SSH authorized_keys instead of passwords. I worked around the read-only file system by changing the root account home directory to /tmp.

Install Dropbear on your custom firmware FOXSAT-HDR using opkg or the web interface. Test that it works using a password. Dropbox appears to be configured to use only the root account. From my Ubuntu machine I login from a terminal session using:-

ssh root@foxsat-hdr

When you are happy it is working OK. Open another terminal session and create a DSA public key file on your Ubuntu PC. The file will be ~/.ssh/id_dsa.pub

cd
cd .ssh
ssh-keygen -t dsa
ls

Copy the key(s) to the FOXSAT-HDR. You may already have a public RSA key present in the .ssh folder.

scp id_*.pub root@foxsat-hdr:/tmp

If you are not already logged in to the FOXSAT-HDR via SSH, do so now to create the two authorized_keys files required.

cd /opt/etc
mkdir .ssh
chmod 700 .ssh
cd .ssh
cat /tmp/id_*.pub >> authorized_keys
chmod 600 authorized_keys
ln -s /opt/etc/.ssh/authorized_keys /opt/etc/.ssh/authorized_keys2

Create an init.d script to fix the keys on startup. The root account will have it’s home directory moved to /tmp so that the hidden key folder can be found in there. The ‘echo’ command line is quite long and ends in ‘fix’, it is not two lines.

echo -e "#!/bin/sh\n\nln -s /opt/etc/.ssh /tmp/.ssh">/opt/etc/init.d/S55sshpubkeyfix

chmod 755 /opt/etc/init.d/S55sshpubkeyfix

Now edit the password file using vi to change the root account home directory from ‘/’ to ‘/tmp’. If you don’t know how to use vi, read this first. Otherwise, here is a command list to refresh your memory.

cp /opt/etc/passwd /opt/etc/passwd.old
vi /opt/etc/passwd

When you have saved the file. Check it, then reboot if it is good.

cat /opt/etc/passwd
reboot

Your FOXSAT-HDR will reboot and you should be able to login using SSH. This time switch on debugging to check the authentication sequence during login. If it works, you will not have to use a password to establish a secure shell.

ssh -vv root@foxsat-hdr

Telnet can be deactivated using ‘Service Management’ in the web interface.

I have more than one SSH client

If you want to use SSH from another Ubuntu PC it is easy to copy its DSA client key to the FOXSAT-HDR now that the authorized_keys file has been created.

ssh-keygen -t dsa
ssh-copy-id root@foxsat-hdr

Improvement

This could be incorporated into the Dropbear package if the maintainer emptied the authorized_keys file (zero length) before sealing the package file. Users would then only need to use ssh-keygen and ssh-copy-id to make use of the additional security.

Leave a Response