Now we're ready to build the Dropbear SSH server and client package in preparation for adding a secure access feature to the NS4300N. As usual, you'll need to download the source tar package - I used the current version 0.52, though you should check the main project page for updates first:
wget http://matt.ucc.asn.au/dropbear/releases/dropbear-0.52.tar.bz2
tar -xjf dropbear-0.52.tar.bz2
cd dropbear-0.52
And again, I built a small doit.sh script to help with building the package:
#!/bin/sh
# Cross-compile Dropbear with the crosstool PowerPC toolchain built earlier
BASE=~/src/crosstool/gcc-3.4.3-glibc-2.3.2/powerpc-linux-gnu
export CC=powerpc-linux-gnu-gcc
export AR=powerpc-linux-gnu-ar
export PATH=$BASE/bin:$PATH
./configure --prefix=$BASE/powerpc-linux-gnu \
    --libdir=$BASE/powerpc-linux-gnu/lib \
    --includedir=$BASE/powerpc-linux-gnu/include \
    --host=powerpc-linux-gnu \
    --with-zlib=$BASE/powerpc-linux-gnu
# MULTI=1 links all of the listed programs into one dropbearmulti binary
make PROGRAMS="dropbear dbclient dropbearkey dropbearconvert scp" MULTI=1
make strip
Once it's done building, you'll have a single executable, dropbearmulti, that works a lot like BusyBox, "The Swiss Army Knife of Embedded Linux". BusyBox is a single binary executable whose function changes depending on the name it is invoked by. Incidentally, the NS4300N uses BusyBox internally.
Promise added a plugin package mechanism to add features to the NS4300N. One of the first plugins they made available was DLNA, followed by the open source media server Firefly (previously called mt-daapd) as iTunes. The plugin package structure allows for an included installation script to be run once, a control script to be run at initialization and shutdown, and configuration controls to auto-start the package service or wait for manual intervention, among other features.
One NS4300N feature that must be worked around is an access control that prevents remote shell sessions on the Linux firmware. This "feature" of the firmware has changed with every major firmware release by Promise, so the method I detail below is only likely to work with firmware versions through SR5 (v1.05.0000.03) and possibly SR5.1 (v1.05.0000.07), which I haven't tried. It is most likely that newer versions of the firmware will require a new, encrypted plugin package format. We'll burn that bridge when we get there.
Our goal now is to put the dropbear executable into a plugin
package that will install the binary and make the SSH service available to
both the server and its local network. Here's how I did it:
plugin
│
├──rev (revision information)
│
└──dropbear
   │
   ├──upgrade_script (one time use, executable)
   │
   └──SSH
      │
      ├──plugin.conf (configuration information)
      │
      ├──etc
      │  │
      │  └──dropbear.conf
      │
      └──sbin
         │
         ├──dropbearmulti
         │
         └──ssh_start (service start script, executable)

(If the Unicode line drawing characters from ISO 8879:1986//ENTITIES Box and Line Drawing//EN do not render properly above, the same tree is drawn in plain old ASCII art in the upgrade_script comments below.)
The revision file rev is used by the NS4300N firmware mainly for housekeeping purposes. The final line tells the NS4300N plugin installer which script to run, once, when the package is installed:

PKGNAME=dropbear
PKGVERSION=00.52.0000.00
FWVERSION=01.03.0000.01
FIXSCRIPT=upgrade_script
The plugin.conf file is similar to the rev file. The last line tells the NS4300N firmware that every time the package is started, sbin/ssh_start will be executed:

APPNAME=SSH
APPSTRING=Dropbear SSH2 server
VERSION=00.52.0000.00
AUTOSTART=YES
SWAPMEM=NO
APPBINDIR=sbin
MAINPROCESS=dropbear
CONTROLSCRIPT=ssh_start
Here's a sample dropbear.conf file that I used:

PasswordAuth 'on'
Port '22'
DssKeyfile '/data/usr/local/dropbear/etc/keys/dropbear_dss_host_key'
RsaKeyfile '/data/usr/local/dropbear/etc/keys/dropbear_rsa_host_key'
RootLogin 'disable'
RootPasswordAuth 'disable'
LocalPortForwarding 'disable'
RemotePortForwarding 'disable'
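The ssh_start script that consumes this file is not listed, so here is an added example (not the script from this post) of how a start script could turn dropbear.conf into Dropbear's command line. The flags are Dropbear's own server options; the assumptions are only that ssh_start does something equivalent and that dropbearmulti is invoked with the applet name as its first argument.

```python
import re

# Dropbear 0.52 server options used here (real dropbear flags): -p port, -d/-r host key
# files, -s no password auth, -w no root login, -g no root password auth,
# -j/-k no local/remote port forwarding.
_VALUE_FLAGS = {"Port": "-p", "DssKeyfile": "-d", "RsaKeyfile": "-r"}
_DISABLE_FLAGS = {"PasswordAuth": "-s", "RootLogin": "-w", "RootPasswordAuth": "-g",
                  "LocalPortForwarding": "-j", "RemotePortForwarding": "-k"}
_OFF = {"off", "disable", "disabled", "no"}

def parse_dropbear_conf(text):
    """Parse `Key 'value'` lines; later duplicates win, as a shell-style parser would."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+)\s+'([^']*)'\s*$", line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def dropbear_args(conf):
    """Translate the parsed file into dropbear's argument list (no program name)."""
    unknown = set(conf) - set(_VALUE_FLAGS) - set(_DISABLE_FLAGS)
    if unknown:  # refuse silently ignored settings rather than start less locked down
        raise ValueError(f"unsupported keys: {sorted(unknown)}")
    args = []
    for key, flag in _VALUE_FLAGS.items():
        if key in conf:
            args += [flag, conf[key]]
    for key, flag in _DISABLE_FLAGS.items():
        if conf.get(key, "").lower() in _OFF:
            args.append(flag)
    return args

# Constructed copy of the dropbear.conf shown above, used as sample input.
SAMPLE_CONF = """PasswordAuth 'on'
Port '22'
DssKeyfile '/data/usr/local/dropbear/etc/keys/dropbear_dss_host_key'
RsaKeyfile '/data/usr/local/dropbear/etc/keys/dropbear_rsa_host_key'
RootLogin 'disable'
RootPasswordAuth 'disable'
LocalPortForwarding 'disable'
RemotePortForwarding 'disable'
"""

if __name__ == "__main__":
    # Assumed invocation: dropbearmulti selects its applet from the first argument
    print("dropbearmulti dropbear", *dropbear_args(parse_dropbear_conf(SAMPLE_CONF)))
```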
Now it's time to look at the upgrade script, obviously named upgrade_script. For this project, the only help the installation process needs is moving the configuration file to an easily accessible place in the NS4300N file system:

#!/usr/bin/perl
#
# plugin
# |
# +--rev (revision information)
# |
# +--dropbear
#    |
#    +--upgrade_script (one time use, executable)
#    |
#    +--SSH
#       |
#       +--plugin.conf (configuration information)
#       |
#       +--etc
#       |  |
#       |  +--dropbear.conf
#       |
#       +--sbin
#          |
#          +--dropbearmulti
#          |
#          +--ssh_start (service start script, executable)
#
$cp_cmd    = "/bin/cp";
$df_cmd    = "/bin/df";
$mkdir_cmd = "/bin/mkdir";
$cfg_dir   = "/data/usr/local/dropbear/etc";
$cfg_file  = "dropbear.conf";

# search installed path: the plugin is unpacked under PLUGINAPP/SSH on one of
# the VOLUMEn mounts reported by df
#first_volume="";
open(IN, "$df_cmd |");
while (<IN>) {
    if (/(VOLUME\d+)/) {
        if ( -d "/$1/PLUGINAPP/SSH" ) {
            $app_path = "/$1/PLUGINAPP/SSH";
            last;
        }
    }
}
close(IN);
exit 1 unless defined $app_path;    # nothing to copy from if the plugin directory was not found

# copy the configuration file to /data/usr/local/dropbear/etc if none is there yet
if ( !( -f "$cfg_dir/$cfg_file" ) ) {
    if ( !( -d $cfg_dir ) ) {
        system("$mkdir_cmd -p $cfg_dir");
    }
    system("$cp_cmd $app_path/etc/$cfg_file $cfg_dir/$cfg_file >/dev/null 2>/dev/null");
}
Here's the fun part: the initialization script ssh_start. One of its tasks is to get around the NS4300N firmware's attempts to prevent remote access. There are several approaches to solving this problem, and in all likelihood a new method will be necessary for the next version of the firmware. This code demonstrates two methods that currently work: one comes from the web page that inspired my work, and the other is the approach I developed from my own investigation a while back. I put both methods in this script for future use if required, but I selected my method because it is the simpler of the two. You can select the other method by changing the variable $simple_code to 0. In addition, the script adds the user admin to the /etc/sudoers file to make life easier. It is too long and tedious to list verbatim here, but it is available at the link above.
I created another doit.sh script that executes in a directory containing the files rev, upgrade_script, plugin.conf, dropbear.conf, dropbearmulti, and ssh_start, and creates dropbear_005200.ppg. Well, yes, I suppose you could just download the package I prepared, but really, where's the fun in that?
#!/bin/sh
# Lay out the plugin tree expected by the NS4300N installer
mkdir dropbear
mkdir dropbear/SSH
mkdir dropbear/SSH/etc
mkdir dropbear/SSH/sbin
mv upgrade_script dropbear
mv plugin.conf dropbear/SSH
mv dropbear.conf dropbear/SSH/etc
mv dropbearmulti dropbear/SSH/sbin
mv ssh_start dropbear/SSH/sbin
# The two scripts and the binary must be executable
chmod 755 dropbear/upgrade_script
chmod 755 dropbear/SSH/sbin/ssh_start
chmod 755 dropbear/SSH/sbin/dropbearmulti
sudo chown -R root:root dropbear rev
tar -czf dropbear.tar.gz rev dropbear
# A .ppg is 97 KiB of zero padding followed by the gzipped tarball
dd if=/dev/zero of=dropbear_005200.ppg bs=1k count=97
cat dropbear.tar.gz >> dropbear_005200.ppg
sudo \rm -rf dropbear rev dropbear.tar.gz
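Since a plugin package runs its FIXSCRIPT as root at install time and its CONTROLSCRIPT at every start, it is worth checking what a .ppg will execute before loading it on the NAS. This added example (not from the post) reads a package with the layout the script above produces: 97 KiB of zero padding followed by the tarball, then rev and plugin.conf inside it. The sample package it builds is constructed in memory and is not the real dropbear_005200.ppg.

```python
import io
import tarfile

# .ppg layout from the packaging script: 97 KiB of zero padding, then rev + dropbear/ as tar.gz
PPG_HEADER_LEN = 97 * 1024

def parse_kv(text):
    """KEY=VALUE lines as used in rev and plugin.conf (values may contain spaces)."""
    out = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out

def inspect_ppg(data):
    """Describe the scripts a package will run, or raise if the package is malformed."""
    header, payload = data[:PPG_HEADER_LEN], data[PPG_HEADER_LEN:]
    if header != b"\x00" * PPG_HEADER_LEN or payload[:2] != b"\x1f\x8b":
        raise ValueError("bad header padding or payload is not gzip")
    with tarfile.open(fileobj=io.BytesIO(payload), mode="r:gz") as tar:
        members = {m.name: m for m in tar.getmembers()}
        rev = parse_kv(tar.extractfile(members["rev"]).read().decode())
        pkg = rev["PKGNAME"]
        conf_paths = [n for n in members if n.startswith(pkg + "/") and n.endswith("/plugin.conf")]
        if len(conf_paths) != 1:
            raise ValueError("expected exactly one plugin.conf under the package directory")
        conf = parse_kv(tar.extractfile(members[conf_paths[0]]).read().decode())
        app_dir = conf_paths[0].rsplit("/", 1)[0]
        fix = f"{pkg}/{rev['FIXSCRIPT']}"                                   # run once by the installer
        ctl = f"{app_dir}/{conf['APPBINDIR']}/{conf['CONTROLSCRIPT']}"     # run at every start
        for script in (fix, ctl):
            if script not in members or not members[script].mode & 0o111:
                raise ValueError(f"{script} missing or not executable")
    return {"package": pkg, "version": rev["PKGVERSION"], "install_script": fix,
            "control_script": ctl, "autostart": conf.get("AUTOSTART") == "YES"}

def build_sample_ppg(header=b"\x00" * PPG_HEADER_LEN):
    """Constructed in-memory package with the layout above (not the real dropbear_005200.ppg)."""
    files = {"rev": ("PKGNAME=dropbear\nPKGVERSION=00.52.0000.00\nFIXSCRIPT=upgrade_script\n", 0o644),
             "dropbear/upgrade_script": ("#!/usr/bin/perl\n", 0o755),
             "dropbear/SSH/plugin.conf": ("APPNAME=SSH\nAPPBINDIR=sbin\nAUTOSTART=YES\nCONTROLSCRIPT=ssh_start\n", 0o644),
             "dropbear/SSH/sbin/ssh_start": ("#!/bin/sh\n", 0o755)}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, (body, mode) in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(body), mode
            tar.addfile(info, io.BytesIO(body.encode()))
    return header + buf.getvalue()
```

On a real package, read the file in binary and pass its bytes to inspect_ppg; the returned paths are the files to review before installing.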