sftp not working with own compiled dropbear, but working with Alt-F's default one. Why?


Mark van Leeuwen

Apr 2, 2019, 6:52:10 PM
to al...@googlegroups.com
Hello,

Initial goal: have my dlink 320L nas with Alt-F accessible remotely via sftp on a custom port to be able to do offsite backups via Duplicati.

As both dropbear and openssh shipped with Alt-F 1.0 are pretty outdated, I am concerned about how inherently insecure those might be as various CVEs have been published in the meantime, so I compiled from source an up to date version of dropbear.
Steps in a nutshell:
  1. Ensure bzip2, make and dev-bundle packages from Alt-F repo are installed via the GUI
  2. Download source tarball for zlib and dropbear from their respective websites
  3. unzip/tar those sources into /tmp/zlib-1.2.11 and /tmp/dropbear-2019.78
  4. cd /tmp/dropbear-2019.78
  5. export CFLAGS="-I../zlib-1.2.11 -I../../zlib-1.2.11" 
  6. ./configure --disable-harden --disable-lastlog
  7. make strip
  8. ./dropbear -V
Compilation notes:
  • --disable-harden is mandatory to avoid compilation errors
  • --disable-lastlog is not needed if the line to automatically create the /var/log/lastlog file in /etc/init.d/S62dropbear is uncommented. See https://groups.google.com/forum/#!topic/alt-f/h6OtWAB553c for more details as the wtmp error also appears for my build.

In order to test, I run the following command as root
# /tmp/dropbear-2019.78/dropbear -F -E -p 2223 -P /tmp/db.test.pid

Trying to connect with a ssh client on port 2223 -> no problem
Trying to connect with a sftp client on port 2223 -> Logs [407] Apr 03 00:09:08 Exit (MYUSERNAME): Exited normally

In the sftp client (WinSCP in my case), I get logs claiming that /usr/libexec/sftp-server is missing

. 2019-04-03 00:09:09.503 --------------------------------------------------------------------------
. 2019-04-03 00:09:09.524 Looking up host "nas-dlink" for SSH connection
. 2019-04-03 00:09:09.524 Connecting to 192.168.0.4 port 2223
. 2019-04-03 00:09:09.524 We claim version: SSH-2.0-WinSCP_release_5.15
. 2019-04-03 00:09:09.538 Server version: SSH-2.0-dropbear_2019.78
. 2019-04-03 00:09:09.538 Using SSH protocol version 2
. 2019-04-03 00:09:09.539 Have a known host key of type ecdsa-sha2-nistp384
. 2019-04-03 00:09:09.539 Doing ECDH key exchange with curve Curve25519 and hash SHA-256
[...]
. 2019-04-03 00:09:09.865 Access granted
. 2019-04-03 00:09:09.865 Opening session as main channel
. 2019-04-03 00:09:09.865 Opened main channel
. 2019-04-03 00:09:09.866 Requesting OpenSSH-style agent forwarding
. 2019-04-03 00:09:09.896 Agent forwarding enabled
. 2019-04-03 00:09:09.897 Started a shell/command
. 2019-04-03 00:09:09.913 --------------------------------------------------------------------------
. 2019-04-03 00:09:09.913 Using SFTP protocol.
. 2019-04-03 00:09:09.913 Doing startup conversation with host.
! 2019-04-03 00:09:09.913 sh: /usr/libexec/sftp-server: not found
. 2019-04-03 00:09:09.913 Server sent command exit status 127
. 2019-04-03 00:09:09.913 Disconnected: All channels closed
* 2019-04-03 00:09:09.939 (EFatal) **Connection has been unexpectedly closed.** Server sent command exit status 127.

That file is indeed missing, and googling this problem revealed that one should also compile openssh and extract this executable from it and place it into /usr/libexec

But this is what I do not understand:
Now if I connect using the same sftp client to the default dropbear running in Alt-F on port 22 (inetd mode for now), then no problem, sftp works. 

. 2019-04-03 00:46:45.854 Access granted
. 2019-04-03 00:46:45.854 Opening session as main channel
. 2019-04-03 00:46:45.855 Opened main channel
. 2019-04-03 00:46:45.855 Requesting OpenSSH-style agent forwarding
. 2019-04-03 00:46:45.892 Agent forwarding enabled
. 2019-04-03 00:46:46.090 Started a shell/command
. 2019-04-03 00:46:46.100 --------------------------------------------------------------------------
. 2019-04-03 00:46:46.103 Using SFTP protocol.
. 2019-04-03 00:46:46.104 Doing startup conversation with host.
> 2019-04-03 00:46:46.112 Type: SSH_FXP_INIT, Size: 5, Number: -1
< 2019-04-03 00:46:46.113 Type: SSH_FXP_VERSION, Size: 150, Number: -1
. 2019-04-03 00:46:46.113 SFTP version 3 negotiated.
. 2019-04-03 00:46:46.113 Unknown server extension posix-...@openssh.com="1"
. 2019-04-03 00:46:46.113 Supports sta...@openssh.com extension version "2"
. 2019-04-03 00:46:46.113 Unknown server extension fsta...@openssh.com="2"
. 2019-04-03 00:46:46.113 Supports hard...@openssh.com extension version "1"
. 2019-04-03 00:46:46.113 Unknown server extension fs...@openssh.com="1"
. 2019-04-03 00:46:46.113 We believe the server has signed timestamps bug

Any idea why my own compiled dropbear is complaining about missing /usr/libexec/sftp-server while the default one is happily sftp-ing without?

Thanks, Mark

João Cardoso

Apr 3, 2019, 12:33:12 PM
to Alt-F
Thanks for your detailed query.

For some reason I can't remember now, the ssh sftp-server is located at /usr/lib/sftp-server, so you need to configure your dropbear build with that in mind or create a link. See https://sourceforge.net/p/alt-f/code/HEAD/tree/trunk/alt-f/package/dropbear/dropbear.mk for the changes to dropbear configuration, namely #define SFTPSERVER_PATH "/usr/lib/sftp-server" in dropbear's options.h

Regarding the sftp tag, I believe that you can create it yourself.
PS: no tag for sftp in google groups, what a pity.

Mark van Leeuwen

Apr 3, 2019, 5:05:15 PM
to Alt-F
The #define SFTPSERVER_PATH "/usr/lib/sftp-server" did the trick, thanks!
Note that in more recent versions of dropbear, this #define is in dropbear's default_options.h but overriding it should supposedly happen in a localoptions.h file that needs to be created.


Anyway, my next step for my "original goal" would be to compile openssh to get the most recent version of sftp-server...IF anything "particular" I will open a new thread.

Thanks again.
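
Added example, not part of the original posts and not dropbear or Alt-F code: a shell check for the mismatch resolved above, comparing the sftp-server path compiled into a dropbear binary (SFTPSERVER_PATH) with where sftp-server is actually installed. The function names are hypothetical; the two candidate paths are the ones named in this thread, and the sample binary and root directory are constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, paths are the two from the thread.

# Print the sftp-server path baked into a dropbear binary (its SFTPSERVER_PATH).
# Non-printable bytes become newlines so each embedded string sits on its own line.
compiled_sftp_path() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep '^/[^ ]*/sftp-server$' | head -n 1
}

# Print the first candidate location under root $1 ("" for the live system)
# that holds an executable sftp-server.
find_sftp_server() {
    for p in /usr/lib/sftp-server /usr/libexec/sftp-server; do
        if [ -x "$1$p" ]; then echo "$p"; return 0; fi
    done
    return 1
}

# check_build BINARY ROOT
# Returns 0 if the paths agree, 1 on mismatch (printing the line to put in
# localoptions.h before rebuilding), 2 if no sftp-server is installed at all.
check_build() {
    want=$(find_sftp_server "$2") || { echo "no sftp-server under '$2'" >&2; return 2; }
    have=$(compiled_sftp_path "$1") || have=""
    if [ "$have" = "$want" ]; then return 0; fi
    echo "binary execs '$have' but sftp-server is at '$want'" >&2
    printf '#define SFTPSERVER_PATH "%s"\n' "$want"
    return 1
}

# Constructed sample: a fake "binary" carrying dropbear's default path and a
# fake root laid out like Alt-F (sftp-server in /usr/lib).
demo() {
    d=$(mktemp -d)
    printf 'ELF\000\001/usr/libexec/sftp-server\000-e\000' > "$d/dropbear"
    mkdir -p "$d/root/usr/lib"
    : > "$d/root/usr/lib/sftp-server"
    chmod +x "$d/root/usr/lib/sftp-server"
    check_build "$d/dropbear" "$d/root" || true
    rm -rf "$d"
}
demo
```

On the NAS itself this would be called as check_build /tmp/dropbear-2019.78/dropbear "" with an empty root.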

João Cardoso

Apr 3, 2019, 7:15:39 PM
to Alt-F


On Wednesday, April 3, 2019 at 10:05:15 PM UTC+1, Mark van Leeuwen wrote:
The #define SFTPSERVER_PATH "/usr/lib/sftp-server" did the trick, thanks!
Note that in more recent versions of dropbear, this #define is in dropbear's default_options.h but overriding it should supposedly happen in a localoptions.h file that needs to be created.


Probably older dropbear versions needed them


Anyway, my next step for my "original goal" would be to compile openssh to get the most recent version of sftp-server...

That is going to be difficult, as openssh depends on openssl (see the openssh.mk file) and you will need to build it first. The dev-bundle package only contains headers for the base toolchain. And compiling openssl and openssh on the box will take... days?
The recommended procedure is to use a PC with opensuse linux (to avoid other distro-related issues) or install it on a virtual machine, see the sourceforge wiki "how to build"

 
IF anything "particular" I will open a new thread.

Yes, please do that.

Thanks again.
