Hello,
Initial goal: have my dlink 320L nas with Alt-F accessible remotely via sftp on a custom port to be able to do offsite backups via Duplicati.
As both dropbear and openssh shipped with Alt-F 1.0 are pretty outdated, I am concerned about how inherently insecure those might be as various CVEs have been published in the meantime, so I compiled from source an up to date version of dropbear.
Steps in a nutshell:
- Ensure bzip2, make and dev-bundle packages from Alt-F repo are installed via the GUI
- Download source tarball for zlib and dropbear from their respective websites
- unzip/tar those sources into /tmp/zlib-1.2.11 and /tmp/dropbear-2019.78
- cd /tmp/dropbear-2019.78
- export CFLAGS="-I../zlib-1.2.11 -I../../zlib-1.2.11"
- ./configure --disable-harden --disable-lastlog
- make strip
- ./dropbear -V
Compilation notes:
- --disable-harden is mandatory to avoid compilation errors
- --disable-lastlog is not needed if the line to automatically create the /var/log/lastlog file in /etc/init.d/S62dropbear is uncommented. See https://groups.google.com/forum/#!topic/alt-f/h6OtWAB553c for more details as the wtmp error also appears for my build.
In order to test, I run the following command as root:
# /tmp/dropbear-2019.78/dropbear -F -E -p 2223 -P /tmp/db.test.pid
Trying to connect with a ssh client on port 2223 -> no problem
Trying to connect with a sftp client on port 2223 -> Logs [407] Apr 03 00:09:08 Exit (MYUSERNAME): Exited normally
In the sftp client (WinSCP in my case), I get logs claiming that /usr/libexec/sftp-server is missing:
. 2019-04-03 00:09:09.503 --------------------------------------------------------------------------
. 2019-04-03 00:09:09.524 Looking up host "nas-dlink" for SSH connection
. 2019-04-03 00:09:09.524 Connecting to 192.168.0.4 port 2223
. 2019-04-03 00:09:09.524 We claim version: SSH-2.0-WinSCP_release_5.15
. 2019-04-03 00:09:09.538 Server version: SSH-2.0-dropbear_2019.78
. 2019-04-03 00:09:09.538 Using SSH protocol version 2
. 2019-04-03 00:09:09.539 Have a known host key of type ecdsa-sha2-nistp384
. 2019-04-03 00:09:09.539 Doing ECDH key exchange with curve Curve25519 and hash SHA-256
[...]
. 2019-04-03 00:09:09.865 Access granted
. 2019-04-03 00:09:09.865 Opening session as main channel
. 2019-04-03 00:09:09.865 Opened main channel
. 2019-04-03 00:09:09.866 Requesting OpenSSH-style agent forwarding
. 2019-04-03 00:09:09.896 Agent forwarding enabled
. 2019-04-03 00:09:09.897 Started a shell/command
. 2019-04-03 00:09:09.913 --------------------------------------------------------------------------
. 2019-04-03 00:09:09.913 Using SFTP protocol.
. 2019-04-03 00:09:09.913 Doing startup conversation with host.
! 2019-04-03 00:09:09.913 sh: /usr/libexec/sftp-server: not found
. 2019-04-03 00:09:09.913 Server sent command exit status 127
. 2019-04-03 00:09:09.913 Disconnected: All channels closed
* 2019-04-03 00:09:09.939 (EFatal) **Connection has been unexpectedly closed.** Server sent command exit status 127.
That file is indeed missing, and googling this problem revealed that one should also compile openssh and extract this executable from it and place it into /usr/libexec.
But this is what I do not understand:
Now if I connect using the same sftp client to the default dropbear running in Alt-F on port 22 (inetd mode for now), then no problem, sftp works:
. 2019-04-03 00:46:45.854 Access granted
. 2019-04-03 00:46:45.854 Opening session as main channel
. 2019-04-03 00:46:45.855 Opened main channel
. 2019-04-03 00:46:45.855 Requesting OpenSSH-style agent forwarding
. 2019-04-03 00:46:45.892 Agent forwarding enabled
. 2019-04-03 00:46:46.090 Started a shell/command
. 2019-04-03 00:46:46.100 --------------------------------------------------------------------------
. 2019-04-03 00:46:46.103 Using SFTP protocol.
. 2019-04-03 00:46:46.104 Doing startup conversation with host.
> 2019-04-03 00:46:46.112 Type: SSH_FXP_INIT, Size: 5, Number: -1
< 2019-04-03 00:46:46.113 Type: SSH_FXP_VERSION, Size: 150, Number: -1
. 2019-04-03 00:46:46.113 SFTP version 3 negotiated.
. 2019-04-03 00:46:46.113 We believe the server has signed timestamps bug
Any idea why my own compiled dropbear is complaining about missing /usr/libexec/sftp-server while the default one is happily sftp-ing without?
Thanks, Mark
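The "sh: /usr/libexec/sftp-server: not found" line above comes from dropbear handing the "sftp" subsystem request to a path fixed at build time, so a binary built with different options can point somewhere this host never populates. The following is an added diagnostic script, not code from the post or from the Alt-F project: it lists the sftp-server paths embedded in a dropbear binary and checks whether each one exists and is executable on the NAS, which lets the freshly built binary and the stock one be compared side by side. The fake-binary helper exists only so the script can be exercised offline; the file layout it writes is constructed and not a real ELF.

```shell
#!/bin/sh
# Added diagnostic for the sftp-server question; not part of the post or of Alt-F.

# Print every printable string in a binary that mentions sftp-server.
# Poor man's `strings`: every non-printable byte becomes a line break, then
# only tokens containing "sftp-server" are kept, deduplicated.
sftp_paths_in_binary() {
    tr -c '[:print:]' '\n' < "$1" | grep -o '[^ ]*sftp-server[^ ]*' | sort -u
}

# Return 0 when every sftp-server path embedded in the binary exists and is
# executable on this host, 1 otherwise; prints one status line per path.
check_sftp_paths() {
    bin="$1"
    missing=0
    for p in $(sftp_paths_in_binary "$bin"); do
        if [ -x "$p" ]; then
            echo "$bin: $p present"
        else
            echo "$bin: $p MISSING"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample (hypothetical, for offline testing only): a few
# non-printable bytes around an sftp-server path, standing in for a real
# dropbear binary. Usage: make_sample_binary <outfile> <embedded path>
make_sample_binary() {
    printf '\177ELF\001\002%s\000\003\004' "$2" > "$1"
}

# Real use on the NAS: check_sftp_paths /tmp/dropbear-2019.78/dropbear
#                     check_sftp_paths /usr/sbin/dropbear
```

Running both checks on the NAS shows whether the two binaries embed the same path; a "MISSING" line for the new build with a "present" line for the stock one means the difference is the compiled-in path, not the client.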