ADB Secured Using Vendor private/pub key

Bob Pfingsten

Jul 15, 2019, 3:25:13 PM
to android-platform
All,

I am trying to figure out how to lock down ADB so only people that have the pre-generated private key can access ADB through USB or WiFi/Ethernet.  I have generated a key pair using adb keygen (also tried with ssl-keygen) but I can't seem to get things locked down.  When my device is deployed to production I don't want to allow anyone to shell into the OS using ADB.  I have set /vendor/build.prop: ro.adb.secure=1 (also tried ro.adb.secure=0) and copied my public key to /data/misc/adb/adb_keys and also tried at the root /adb_keys and rebooted the device.  I moved my private key to a hidden location (outside of .Android) so it would not know the private key.  However, anytime I do adb devices it shows the device and allows me to connect.  I would have expected it to show "unauthorized" or something to that effect.  Also I have the following build.prop setting: persist.sys.usb.config=adb.   Any help would greatly be appreciated.

meet thakkar

Jul 17, 2019, 2:27:32 PM
to android-...@googlegroups.com
Hi Bob,

You will have to add the public key to the 

  1. Store the adb private key in a file (let's call it adbkey.user)
  2. adb kill-server
  3. Copy/replace the adbkey.user file to ~/.android/adbkey (adbkey is a text file which stores the private key of your computer, used for ADB over USB)
  4. adb shell (voila!)

That should work. 

Regards,
Meet Thakkar



--
You received this message because you are subscribed to the Google Groups "android-platform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to android-platfo...@googlegroups.com.
To post to this group, send email to android-...@googlegroups.com.
Visit this group at https://groups.google.com/group/android-platform.
To view this discussion on the web visit https://groups.google.com/d/msgid/android-platform/664cf2d1-c90b-4c1e-8bee-a2b4f90aa735%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Satish Patel

Jul 17, 2019, 2:27:32 PM
to android-...@googlegroups.com
What is your build type? Is it a user build or an eng build? Normally in eng and userdebug, adb will get enabled by default.


--
Regards,
satish patel

Bob Pfingsten

Jul 21, 2019, 12:16:47 PM
to android-platform
Where does the public key go on the device? I tried /data/misc/adb and at the root / but that did not seem to work as expected.


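Added example, not part of any post in this thread: a host-side check that each line of an adb_keys file has the encoding `adb keygen` writes to its .pub file, namely base64 of a 524-byte little-endian structure for a 2048-bit RSA key, optionally followed by a comment. A public key exported by another tool (SSH or PEM format) fails it. The function names and both sample lines are constructed for illustration; the sample modulus is not a real RSA key.

```python
import base64
import binascii
import struct

ENCODED_SIZE = 524   # 4 + 4 + 256 + 256 + 4 bytes for a 2048-bit key
MODULUS_WORDS = 64   # 2048 bits / 32 bits per word


def check_adb_key_line(line):
    """Return (ok, reason) for one line of an adb_keys file."""
    fields = line.split()
    if not fields:
        return False, "empty line"
    try:
        blob = base64.b64decode(fields[0], validate=True)
    except (binascii.Error, ValueError):
        return False, "first field is not base64"
    if len(blob) != ENCODED_SIZE:
        return False, "decoded size %d, expected %d" % (len(blob), ENCODED_SIZE)
    # Little-endian header: modulus size in words, n0inv, then the modulus itself.
    words, n0inv, n0 = struct.unpack_from("<III", blob, 0)
    if words != MODULUS_WORDS:
        return False, "modulus size field is %d words" % words
    # n0inv is stored as -1/n[0] mod 2^32, so n0 * n0inv must be -1 mod 2^32.
    if (n0 * n0inv + 1) % 2**32 != 0:
        return False, "n0inv does not match modulus"
    return True, "ok"


def audit_adb_keys(text):
    """Check every non-blank line; returns [(line_number, ok, reason), ...]."""
    return [(i, *check_adb_key_line(line))
            for i, line in enumerate(text.splitlines(), 1) if line.strip()]


def make_sample_line(comment="builder@constructed-host"):
    """Constructed entry for exercising the checker; not a real RSA key."""
    n = (1 << 2047) | 0x12345677                 # odd 2048-bit number
    n0inv = (-pow(n & 0xFFFFFFFF, -1, 2**32)) % 2**32
    rr = pow(2, 4096, n)                         # (2^2048)^2 mod n
    blob = (struct.pack("<II", MODULUS_WORDS, n0inv) + n.to_bytes(256, "little")
            + rr.to_bytes(256, "little") + struct.pack("<I", 65537))
    return base64.b64encode(blob).decode() + " " + comment


if __name__ == "__main__":
    sample = make_sample_line() + "\nssh-rsa AAAAB3NzaC1yc2E= other@constructed-host"
    for row in audit_adb_keys(sample):
        print(row)
```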