Friday, 4 January 2019

Compile and use Dropbear on a '486 machine

Well, I was able to compile and run the latest dropbear-2018.76 on an i486 machine running stock RedHat 6.0 "Hedwig" featuring:
  • kernel Linux 2.2.5 released March 1999
  • gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)
  • libc-2.1.1
  • fun fact: there were no ssh packages in RedHat 6.0 install CD
  • very fun fact: I can now ssh to a ~24-year-old machine sporting a ~20-year-old Linux kernel and libc.
Steps:
  • log in as root, because the default RedHat 6 installation does not create an unprivileged user (if you want to access it via telnet you first need to create a user; then you can switch to root using su);
  • wget --verbose http://matt.ucc.asn.au/dropbear/releases/dropbear-2018.76.tar.bz2
    (note the "http" instead of usual "https")
  • bunzip2 dropbear-*.bz2
    tar xf dropbear-*.tar
    cd dropbear-2018.76
  • vi ifndef_wrapper.sh
    (remove the "-E" flag from "sed" command)
  • ./configure --prefix=/usr OLDCFLAGS=-O2
    (using "-O2" because "-Os" optimizes for size: this is an AMD 486 and I need speed over size;
    also ignore those "mkdir -v" warnings: the mkdir shipped in 1999 did not have a verbose flag; this step will take more than 8 minutes)
  • vi Makefile
    (remove the "-pie" from "LDFLAGS=" line; it was detected but the compiler does not like it)
  • vi libtommath/makefile_include.mk
    (remove the "-Wextra" from the "CFLAGS +=" line and remove the "-Wsystem-headers -Wdeclaration-after-statement" in the following "CFLAGS +=" additional warnings line; these flags are not supported by egcs)
  • vi libtomcrypt/makefile_include.mk
    (in the "LTC_CFLAGS +=" lines, remove the "-Wextra" and the "-Wsystem-headers" and the "-Wdeclaration-after-statement")
  • vi common-channel.c
    libc-2.1.1 does not define SHUT_* constants in its header files; just add at the top:
    #define SHUT_RD 0
    #define SHUT_WR 1
    #define SHUT_RDWR 2
  • vi netio.c
    egcs doesn't support variable declarations in the middle of a function; move these two lines just before TRACE(("enter dropbear_listen")):
    u_int16_t *allocated_lport_p = NULL;
    int allocated_lport = 0;
  • vi cli-main.c
    same as above: move this declaration to the start of cli_main():
    pid_t proxy_cmd_pid = 0;
  • make
    it will take less than 25 minutes if "-Os" (37 minutes if "-O2");
    note: ignore these compiler warnings:
    • "...tomcrypt_prng.h:76: warning: unnamed struct/union that defines no instances"
    • "...bignum.h:32: warning: `sentinel' attribute directive ignored"
  • make install
    mkdir /etc/dropbear
    dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key
    dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key
    dropbearkey -t ecdsa -f /etc/dropbear/dropbear_ecdsa_host_key
  • usage: you have to explicitly specify the Ethernet interface's IP address and port, because that ancient libc will crash if defaulting to "all interfaces". This is the line I added to the /etc/rc.d/rc.local file:
    /usr/sbin/dropbear -p 192.168.1.17:22
  • also added my ssh key into ~/.ssh/authorized_keys for a passwordless login
  • note: if you want some Superb Security you should disable all the other services, including telnet
Bleeding edge security !! ('486 processor doesn't have Spectre/Meltdown/etc vulnerabilities).
Now I can ssh into a real '486. Wow!
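
The two source fixes above (the missing SHUT_* constants in common-channel.c and the mid-function declarations in netio.c and cli-main.c) can be written so the same file builds on both an old and a current toolchain. This is an added example, not code from Dropbear or from the original post; half_close_roundtrip() is a hypothetical helper and the socketpair test is constructed for illustration.

```c
/* Added example, not Dropbear source. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fallbacks for a libc (such as libc-2.1.1) whose headers lack SHUT_*.
 * The values are the ones given in the post; the guards turn this into
 * a no-op wherever the headers already provide the macros. */
#ifndef SHUT_RD
#define SHUT_RD 0
#endif
#ifndef SHUT_WR
#define SHUT_WR 1
#endif
#ifndef SHUT_RDWR
#define SHUT_RDWR 2
#endif

/* Hypothetical helper: send msg over a local socket pair, half-close the
 * sending side with SHUT_WR, and count what the peer reads before EOF.
 * Returns the byte count, or -1 on error. */
int half_close_roundtrip(const char *msg)
{
    /* C89 style: all declarations come before the first statement,
     * which is what egcs requires. */
    int sv[2];
    char buf[64];
    int total = 0;
    int n;
    int len = (int)strlen(msg);

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    if (write(sv[0], msg, len) != len || shutdown(sv[0], SHUT_WR) != 0) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }
    /* The peer sees the data, then read() returns 0 (EOF). */
    while ((n = (int)read(sv[1], buf, sizeof(buf))) > 0)
        total += n;
    close(sv[0]);
    close(sv[1]);
    return n == 0 ? total : -1;
}

int main(void)
{
    printf("peer read %d bytes before EOF\n", half_close_roundtrip("hello"));
    return 0;
}
```

On a modern compiler, building with "-std=c89 -pedantic" flags any mid-function declaration before the code reaches the old machine.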
