嵌入式Linux下Dropbear SSH配置优化

1).简介

嵌入式Linux 由于运行平台通常资源受限同时对稳定性要求高，因此需要比较精简，那么针对SSH服务器/客户端应用，通常也不使用庞大的OpenSSH，而是采用十分精简的Dropbear SSH工具。Dropbear是一个基于MIT License的开源软件，其一些基本信息可以参考如下软件发布页面：

https://matt.ucc.asn.au/dropbear/dropbear.html

本文所演示的平台来自于ToradexApalisiMX8嵌入式平台，基于NXP iMX8系列ARM处理器，核心为Cortex-A52/A53。

2).硬件准备

a).Apalis iMX8 ARM核心版配合Apalis Eva Board载板，并连接调试串口和网口以便测试。

3).具体配置说明

a). Apalis iMX8模块标准Ycoto Linux BSP中已经包含Dropbear相关软件，不过由于默认配置为了开发测试方便，默认使能了debug-tweaks功能（比如这样可以允许root账户无密码登录），这样如下面Ycoto Project/Openembedded相关文件说明也就同时也使能了weak ciphers

./ layers/meta-toradex-demos/recipes-core/dropbear/dropbear_%.bbappend

---------------------------------------

# THE Eclipse RSE system explorer uses a ssh client which cannot cope with the

# dropbear ssh server if weak ciphers are disabled.

# If debug-tweaks is set in IMAGE_FEATURES then enable also weak ciphers.

# With debug-tweaks we allow password less root access, enforcing strong

# ciphers is pointless anyway.

PACKAGECONFIG = "${@bb.utils.contains("IMAGE_FEATURES", "debug-tweaks", "", "disable-weak-ciphers",d)}"

---------------------------------------

b).为了使Dropbear SSH安全性更高，可以在Ycoto编译环境下参考如下patch文件修改关闭debug-tweaks和weak ciphers。因为同时这样也关闭了root用户无密码登录，因此也需要给root用户配置默认密码。

./ local.conf文件修改patch

---------------------------------------

--- a/build/conf/local.conf2023-05-30 12:16:33.780891419 +0800

+++ b/build/conf/local.conf2023-05-31 10:55:36.841801362 +0800

@@ -277,3 +277,9 @@

include conf/machine/include/${MACHINE}.inc

# DO NOT SET THE MACHINE AFTER THE ABOVE INCLUDE

+# accept the Freescale EULA

+ACCEPT_FSL_EULA = "1"

+# add root password

+EXTRA_IMAGE_FEATURES = "allow-root-login package-management"

+INHERIT += "extrausers"

+EXTRA_USERS_PARAMS = "usermod -P Abcd1234 root"

---------------------------------------

./参考这里的说明将上述修改下重新编译生成的Ycoto Linux Image通过Toradex Easy Installer更新到Apalis iMX8模块，此时测试无论本地串口登录还是远程SSH登录root用户都需要输入预设的密码了，增强了安全性。

c).为了进一步提高SSH安全性，可以创建普通user用户用于远程登录，而禁止root用户SSH远程登录。这样也可以通过限制user用户的权限来提高系统安全性。

./创建新的user用户

---------------------------------------

root@apalis-imx8-07308034:~# useradd testuser

root@apalis-imx8-07308034:~# passwd testuser

New password:

Retype new password:

passwd: password updated successfully

---------------------------------------

./禁止root用户SSH登录，参考如下patch修改/etc/default/dropbear文件

---------------------------------------

---a/etc/default/dropbear

+++b/etc/default/dropbear

@@ -1,2 +1,2 @@

# Disallow root logins by default

-DROPBEAR_EXTRA_ARGS=""

+DROPBEAR_EXTRA_ARGS=" -w"

---------------------------------------

./测试使用testuser用户远程SSH登录成功，root用户登录失效

---------------------------------------

### root login ###

$ ssh root@10.20.1.168

root@10.20.1.168's password:

Permission denied, please try again.

### testuser login ###

$ ssh testuser@10.20.1.168

testuser@10.20.1.168's password:

mkdir: cannot create directory '/run/user/1000': Permission denied

chmod: cannot access '/run/user/1000': No such file or directory

apalis-imx8-07308034:~$

---------------------------------------

./另外，如果需要本地串口testuser或者root用户自动登录，可以参考如下patch修改

---------------------------------------

--- a/lib/systemd/system/serial-getty@.service

+++ b/lib/systemd/system/serial-getty@.service

@@ -30,7 +30,7 @@

[Service]

Environment="TERM=xterm"

-ExecStart=-/sbin/agetty -8 -L %I 115200 $TERM

+ExecStart=-/sbin/agetty -8-a testuser-L %I 115200 $TERM

Type=idle

Restart=always

UtmpIdentifier=%I

---------------------------------------

d).远程SSH除了默认的密码登录方式外，还可以开启安全等级更高的通过public key来无密码登录

./在需要远程登录Apalis iMX8设备的PC主机环境下通过ssh-keygen工具生成SSH private key/public key pair

---------------------------------------

### generate 4096-bits key pair ###

$ ssh-keygen -b 4096

Generating public/private rsa key pair.

Enter file in which to save the key (/home/simon/.ssh/id_rsa): /home/simon/local/tmp/ssh-test/id_rsa

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /home/simon/local/tmp/ssh-test/id_rsa.

Your public key has been saved in /home/simon/local/tmp/ssh-test/id_rsa.pub.

The key fingerprint is:

SHA256:Pr5PQjzRuPMVS3Rrkdtq+7pDVOFMGumBLpFGkjGSEs0 simon@simon-Latitude-5300

The key's randomart image is:

+---[RSA 4096]----+

.+..++.. o.++.

. E..o* o +Bo.

. + + +.+*

. + o =o .

S . o. .

o + . +

+ o o .

. + o

oo. o=.

+----[SHA256]-----+

---------------------------------------

./通过SSH远程命令将生成的public key写入到Apalis iMX8 dropbear authorized_keys文件

---------------------------------------

### create ssh folder on apalis iMX8 device ###

apalis-imx8-07308034:~$ mkdir /home/testuser/.ssh

### add public key to apalis iMX8 authorized_keys file from Host PC remotely ###

$ ssh testuser@10.20.1.168 "tee -a /home/testuser/.ssh/authorized_keys" < /home/simon/local/tmp/ssh-test/id_rsa.pub

---------------------------------------

./参考如下patch修改Apalis iMX8 dropbear启动配置来使public key验证生效

---------------------------------------

--- a/lib/systemd/system/dropbear@.service

+++ b/lib/systemd/system/dropbear@.service

@@ -4,9 +4,9 @@

After=syslog.target dropbearkey.service

[Service]

-Environment="DROPBEAR_RSAKEY_DIR=/etc/dropbear"

+Environment="DROPBEAR_RSAKEY_DIR=/home/testuser/.ssh/"

EnvironmentFile=-/etc/default/dropbear

-ExecStart=-/usr/sbin/dropbear -i -r ${DROPBEAR_RSAKEY_DIR}/dropbear_rsa_host_key $DROPBEAR

_EXTRA_ARGS

+ExecStart=-/usr/sbin/dropbear -i $DROPBEAR_EXTRA_ARGS

ExecReload=/bin/kill -HUP $MAINPID

StandardInput=socket

KillMode=process

---------------------------------------

./重启Apalis iMX8使配置生效后，再次尝试远程SSH登录，可以实现无需密码而是采用public key验证登录

---------------------------------------

$ ssh -i /home/simon/local/tmp/ssh-test/id_rsa testuser@10.20.1.168

mkdir: cannot create directory '/run/user/1000': Permission denied

chmod: cannot access '/run/user/1000': No such file or directory

apalis-imx8-07308034:~$

---------------------------------------

e).更多关于dropbear工具命令参数说明可以参考如下

https://manpages.ubuntu.com/manpages/bionic/man8/dropbear.8.html

4).总结

本文基于嵌入式Linux简单演示了 轻量化SSH工具软件Dropbear的增强安全性配置供参考。