Using SSH keys on the Pre

Ricyteach · 07/12/2009, 08:22 AM

I have rooted and installed dropbear, and everything is working great. I'm pretty new to the whole concept of using SSH, so I have a question.

From what I understand, it is possible to prevent brute force attacks against a an SSH server (in this case, the Pre) to determine the correct password by using a public and private key.

I've done a little research on this but am confused how to implement this on the Pre. How do I generate public and private keys with dropbear, and use these keys with Putty on a windows machine to SSH with my Pre? Do I even need a password if I am using these keys?

If someone would be willing to explain not only how to do it, but give a brief description also of what is actually going on, I'd appreciate it all the more. I'm here to learn, people!

Ricyteach · 07/12/2009, 08:27 AM

Just to make it more clear what I'm talking about, I am interested in learning how to implement method #2 found at this link (an article on making your SSH connections more secure):

How to Secure SSH Server from Attacks

RickNY · 12:35 AM

Its pretty easy to do.. No, you do not need to use a password once you have keys set up -- in fact, once I have public key authentication set up on anything I have control of, I disable the ability to use password logins on the SSH server. I strongly suggest using a passphrase with your key -- without it, if someone gets a hold of your keyfile, they'll have free access to use it. On the page you linked to, in the section "Method 2: Using SSH Public/Private Key Authentication", at Step 3 -- enter a passphrase in the two fields puttygen provides. If you do not want to keep entering the passphrase in every time you use the key, you can use Pageant (inlcuded in the putty.zip), which is an authentication agent. You basically load your key the first time, enter the passphrase, and the agent will push through your key for you each time automatically without having to enter the passphrase a second time.

For the instructions on that page, to modify it for Dropbear:

1) Log into your Pre with Putty using your username. Make the filesystem read/write:

Code:

sudo mount -o remount,rw /

2) Make sure you are in your home directory by typing pwd -- You should be in /var/home/(yourusername) -- if you are not, cd to it
3) Type the following:

Code:

mkdir .ssh

3) Follow that with

Code:

chmod 700 ~/.ssh

4) Copy the public key from puttygen to your clipboard. In the program, on the window at the top, make sure all of the key is selected. If it isnt, you can right-click in the window and choose 'Select All'. Copy it to your clipboard with CTRL-C
5) Go to your SSH session in Putty
6) Enter the following:

Code:

vi ~/.ssh/authorized_keys

7) Press 'i' to enter insert mode in vi
8) You can right-click the mouse -- that should paste the contents of your public key to the vi window
9) Once its pasted, press ESC in vi to return to command mode. Then:

Code:

:x

to exit and save your file.
10) Set the proper permissions on authorized_keys:

Code:

chmod 600 ~/.ssh/authorized_keys

At this point, you should check to make sure it works. If you are using Puttygen and Putty, you'll want to go back to the same Puttygen session that has your key and save the key pair. Save both the public and private keys. The private key is what you will use in Putty, and is the file you'll need for the section titled 'Final Steps' in that page you found.

Once you get public key auth working, its a good idea to then disable password authentication. To do this, you need to edit the optware-dropbear script in /etc/event.d:

Code:

sudo vi /etc/event.d/optware-dropbear

Scroll down to the line that begins with exec /opt/sbin/dropbear -g -F -p 222 move the cursor to the first - after dropbear. Enter insert mode in vi by pressing i. Type -s and a space, then ESC to exit insert mode. Your line should now look like this:

Code:

exec /opt/sbin/dropbear -s -g -F -p 222

Save your changes by making sure you are in command mode (hit ESC again just to make sure). Save your changes with :x

Make the filesystem readonly again:

Code:

sudo mount -o remount,ro /

Reboot your pre:

Code:

sudo -i
reboot

Check to make sure you can login with your key.. It should work.. The -s switch on the dropbear script disables password logins. Its important that you are certain the key authentication works before disabling password authentication.

Sorry -- this was a quick writeup.. It may need some tweaking.

Ricyteach · 07/12/2009, 04:26 PM

Thanks Rick this answer came much more quickly and detailed than I expected! I haven't done it yet but I'll be sure to thank and give you feed back when I do.

I might be paranoid, but this seems like information that really ought to be on the Pre Dev Wiki- if thousands of people have used the Pre Dev Wiki to get password-enabled SSH working on their Pres, and enough of them follow the directions on enabling connecting via SSH over the EVDO connection, you could have a major security problem that could easily be avoided. I don't know a whole lot about this stuff, but it seems like it would be easy enough for a smarty pants hacker to sniff the sprintpcs range of ip addresses, find open port 222 (dead giveaway that a person used the Pre Dev to install SSH on their Pre, no?), and brute force their way into the thing. From there, it would be easy to steal all kinds of information, alter system files, backdoors, VIRUSES.... nightmare!

This (or a strong password) seems like a good solution to stop that from happening.

Thoughts from anyone who knows more about this stuff? I really am pretty clueless when it comes right to it.

Ricyteach · 07/12/2009, 06:23 PM

Rick, some quick corrections to the instructions above.

This line didn't work as written:

Quote:

chmod 700 /.ssh

I think it should read:

chmod 700 .ssh

That worked fine for me.

Other than that, perfect! Thanks!

RickNY · 11:10 PM

Quote:

Originally Posted by Ricyteach

I think it should read:

chmod 700 .ssh

Actually was supposed to be

Code:

chmod 700 ~/.ssh

I forgot the tilde.

Also, I dont know how strict the checks are in Dropbear, but you should also do a:

Code:

chmod 600 ~/.ssh/authorized_keys

RickNY · 07/12/2009, 11:19 PM

Quote:

Originally Posted by Ricyteach

I don't know a whole lot about this stuff, but it seems like it would be easy enough for a smarty pants hacker to sniff the sprintpcs range of ip addresses, find open port 222 (dead giveaway that a person used the Pre Dev to install SSH on their Pre, no?), and brute force their way into the thing.

There's probably very little interest in doing such a thing.. They would have much more productive results scanning for real computers running SSH on its IANA assigned port of 22. Contrary to popular belief, most hacking attempts these days are attempts at finding machines that can be rooted to participate in botnets and not by smarty pants hackers looking to steal people's files. People's file usually are worth nothing. Well equipped botnets can make you some good coin.

lovingHDTV · 10/03/2009, 06:13 PM

This is exactly what I've been looking for. Worked great for both my Pres.

dave

Ricyteach · 10/04/2009, 12:28 AM

yup been working great for mine ever since, too!

karun · 08/28/2011, 02:07 PM

Hi

I installed dropbear via optware. How do I actually start the daemon? I do not see it running in the "top"

thanks

07/12/2009, 08:22 AM	#1 (permalink)
Ricyteach Member Join Date: Jun 2009 Posts: 102 Likes Received: 0 Thanks: 16 Thanked 12 Times in 9 Posts	Using SSH keys on the Pre I have rooted and installed dropbear, and everything is working great. I'm pretty new to the whole concept of using SSH, so I have a question. From what I understand, it is possible to prevent brute force attacks against a an SSH server (in this case, the Pre) to determine the correct password by using a public and private key. I've done a little research on this but am confused how to implement this on the Pre. How do I generate public and private keys with dropbear, and use these keys with Putty on a windows machine to SSH with my Pre? Do I even need a password if I am using these keys? If someone would be willing to explain not only how to do it, but give a brief description also of what is actually going on, I'd appreciate it all the more. I'm here to learn, people!
	Liked by

07/12/2009, 08:27 AM	#2 (permalink)
Ricyteach Member Join Date: Jun 2009 Posts: 102 Likes Received: 0 Thanks: 16 Thanked 12 Times in 9 Posts	Just to make it more clear what I'm talking about, I am interested in learning how to implement method #2 found at this link (an article on making your SSH connections more secure): How to Secure SSH Server from Attacks
	Liked by

07/12/2009, 09:28 AM	#3 (permalink)
RickNY Member Join Date: Jun 2009 Posts: 258 Likes Received: 0 Thanks: 7 Thanked 34 Times in 24 Posts	Its pretty easy to do.. No, you do not need to use a password once you have keys set up -- in fact, once I have public key authentication set up on anything I have control of, I disable the ability to use password logins on the SSH server. I strongly suggest using a passphrase with your key -- without it, if someone gets a hold of your keyfile, they'll have free access to use it. On the page you linked to, in the section "Method 2: Using SSH Public/Private Key Authentication", at Step 3 -- enter a passphrase in the two fields puttygen provides. If you do not want to keep entering the passphrase in every time you use the key, you can use Pageant (inlcuded in the putty.zip), which is an authentication agent. You basically load your key the first time, enter the passphrase, and the agent will push through your key for you each time automatically without having to enter the passphrase a second time. For the instructions on that page, to modify it for Dropbear: 1) Log into your Pre with Putty using your username. Make the filesystem read/write: Code: sudo mount -o remount,rw / 2) Make sure you are in your home directory by typing pwd -- You should be in /var/home/(yourusername) -- if you are not, cd to it 3) Type the following: Code: mkdir .ssh 3) Follow that with Code: chmod 700 ~/.ssh 4) Copy the public key from puttygen to your clipboard. In the program, on the window at the top, make sure all of the key is selected. If it isnt, you can right-click in the window and choose 'Select All'. Copy it to your clipboard with CTRL-C 5) Go to your SSH session in Putty 6) Enter the following: Code: vi ~/.ssh/authorized_keys 7) Press 'i' to enter insert mode in vi 8) You can right-click the mouse -- that should paste the contents of your public key to the vi window 9) Once its pasted, press ESC in vi to return to command mode. Then: Code: :x to exit and save your file. 10) Set the proper permissions on authorized_keys: Code: chmod 600 ~/.ssh/authorized_keys At this point, you should check to make sure it works. If you are using Puttygen and Putty, you'll want to go back to the same Puttygen session that has your key and save the key pair. Save both the public and private keys. The private key is what you will use in Putty, and is the file you'll need for the section titled 'Final Steps' in that page you found. Once you get public key auth working, its a good idea to then disable password authentication. To do this, you need to edit the optware-dropbear script in /etc/event.d: Code: sudo vi /etc/event.d/optware-dropbear Scroll down to the line that begins with exec /opt/sbin/dropbear -g -F -p 222 move the cursor to the first - after dropbear. Enter insert mode in vi by pressing i. Type -s and a space, then ESC to exit insert mode. Your line should now look like this: Code: exec /opt/sbin/dropbear -s -g -F -p 222 Save your changes by making sure you are in command mode (hit ESC again just to make sure). Save your changes with :x Make the filesystem readonly again: Code: sudo mount -o remount,ro / Reboot your pre: Code: sudo -i reboot Check to make sure you can login with your key.. It should work.. The -s switch on the dropbear script disables password logins. Its important that you are certain the key authentication works before disabling password authentication. Sorry -- this was a quick writeup.. It may need some tweaking. Last edited by RickNY; 10/04/2009 at 12:35 AM. Reason: Corrected typo, added chmod for authorized_keys
	Liked by Thanked by daventx, lovingHDTV, Ricyteach

07/12/2009, 04:26 PM	#4 (permalink)
Ricyteach Member Join Date: Jun 2009 Posts: 102 Likes Received: 0 Thanks: 16 Thanked 12 Times in 9 Posts	Thanks Rick this answer came much more quickly and detailed than I expected! I haven't done it yet but I'll be sure to thank and give you feed back when I do. I might be paranoid, but this seems like information that really ought to be on the Pre Dev Wiki- if thousands of people have used the Pre Dev Wiki to get password-enabled SSH working on their Pres, and enough of them follow the directions on enabling connecting via SSH over the EVDO connection, you could have a major security problem that could easily be avoided. I don't know a whole lot about this stuff, but it seems like it would be easy enough for a smarty pants hacker to sniff the sprintpcs range of ip addresses, find open port 222 (dead giveaway that a person used the Pre Dev to install SSH on their Pre, no?), and brute force their way into the thing. From there, it would be easy to steal all kinds of information, alter system files, backdoors, VIRUSES.... nightmare! This (or a strong password) seems like a good solution to stop that from happening. Thoughts from anyone who knows more about this stuff? I really am pretty clueless when it comes right to it.
	Liked by

10/03/2009, 06:13 PM	#8 (permalink)
lovingHDTV Member Join Date: Sep 2009 Posts: 9 Likes Received: 0 Thanks: 1 Thanked 0 Times in 0 Posts	This is exactly what I've been looking for. Worked great for both my Pres. dave
	Liked by

10/04/2009, 12:28 AM	#9 (permalink)
Ricyteach Member Join Date: Jun 2009 Posts: 102 Likes Received: 0 Thanks: 16 Thanked 12 Times in 9 Posts	yup been working great for mine ever since, too!
	Liked by

08/28/2011, 02:07 PM	#10 (permalink)
karun Member Join Date: Jan 2009 Posts: 104 Likes Received: 4 Thanks: 4 Thanked 4 Times in 4 Posts	Hi I installed dropbear via optware. How do I actually start the daemon? I do not see it running in the "top" thanks
	Liked by

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode