diff options
author | Andreas Baumann <mail@andreasbaumann.cc> | 2023-06-15 17:28:29 +0200 |
---|---|---|
committer | Andreas Baumann <mail@andreasbaumann.cc> | 2023-06-15 17:28:29 +0200 |
commit | 3b4e1a28ca48625800b7ad408fd88a0f7f342308 (patch) | |
tree | edbbc55f949850ab618e29ad3ddfd4800ded641b | |
parent | d269e28cd97bdd34a1d2278e2b1ed52b9158fc8a (diff) | |
download | i486tcc-linux-3b4e1a28ca48625800b7ad408fd88a0f7f342308.tar.gz i486tcc-linux-3b4e1a28ca48625800b7ad408fd88a0f7f342308.tar.bz2 |
added dropbear
-rw-r--r-- | README | 2 | ||||
-rw-r--r-- | configs/versions | 1 | ||||
-rw-r--r-- | docs/goteleport.com_blog_comparing-ssh-keys.txt | 616 | ||||
-rwxr-xr-x | local/etc/rc.init | 11 | ||||
-rw-r--r-- | patches/dropbear-path.patch | 31 | ||||
-rw-r--r-- | patches/musl-tcc.patch (renamed from patches/musl-1.2.3-tcc.patch) | 0 | ||||
-rwxr-xr-x | scripts/build.sh | 26 | ||||
-rwxr-xr-x | scripts/download.sh | 4 | ||||
-rwxr-xr-x | scripts/run_qemu.sh | 2 | ||||
-rwxr-xr-x | scripts/run_qemu_direct.sh | 2 |
10 files changed, 690 insertions, 5 deletions
@@ -66,6 +66,8 @@ patches - vis * disabled probing of 'curses/termcap' with 'pkconfig', added them directly to 'configure' +- dropbear + * patched binary locations and pathes in default_options.h dependencies ------------ diff --git a/configs/versions b/configs/versions index 475dce7..f52ecc0 100644 --- a/configs/versions +++ b/configs/versions @@ -19,3 +19,4 @@ ABASE_VERSION="f2c13" NBD_VERSION="3.25" SAMURAI_VERSION="1.2" JOE_VERSION="4.6" +DROPBEAR_VERSION="2022.83" diff --git a/docs/goteleport.com_blog_comparing-ssh-keys.txt b/docs/goteleport.com_blog_comparing-ssh-keys.txt new file mode 100644 index 0000000..1ba039e --- /dev/null +++ b/docs/goteleport.com_blog_comparing-ssh-keys.txt @@ -0,0 +1,616 @@ + IFRAME: [1]https://www.googletagmanager.com/ns.html?id=GTM-WMR7H6 + + IFRAME: [2]https://www.googletagmanager.com/ns.html?id=GTM-WMR7H6 + + (BUTTON) + [3]Platform + +Platform + + [4]Why Teleport[5]How It Works + [6]Access Modules + [7]SSH[8]Kubernetes[9]Databases[10]Internal Applications[11]Windows + [12]Our Features + [13]Assist[14]Single Sign On[15]Just In Time Access Requests[16]Role + Based Access Control[17]Audit and Session Recordings[18]Device + Trust[19]Passwordless + [20]Solutions + +By Industry + + [21]E-commerce & Entertainment[22]Financial + Services[23]Software-as-a-service (SaaS) Providers + +By Use Case + + [24]Privileged Access Management[25]Machine-to-Machine + Access[26]Developer-friendly browser[27]Passwordless Infrastructure + Access + +By Cloud Provider + + [28]Infrastructure Access for AWS + [29]Integrations + [30]Documentation + [31]Documentation[32]Download Teleport[33]Teleport Clients[34]How It + Works[35]Teleport Labs[36]Teleport Community[37]Teleport Slack + Channel[38]GitHub + [39]Learn + [40]The Blog[41]Our Customers[42]Resources[43]Learn[44]Events + [45]Pricing + [46]Company + [47]About Us[48]Careers[49]News[50]Partners + [51]Sign In + +Sign in to Teleport + + Teleport Cloud LoginLogin to your Teleport Account + Dashboard LoginLegacy Login & Teleport Enterprise Downloads + [52]Get Started + +Table Of Contents + + * [53]Encryption Within the SSH Protocol + * [54]Asymmetric Encryption Algorithms + * [55]Comparing Encryption Algorithms + * [56]Teleport cybersecurity blog posts and tech news + * [57]RSA vs. DSA vs. ECDSA vs. EdDSA + * [58]Conclusion + + Apr 7, 2022 + +Comparing SSH Keys - RSA, DSA, ECDSA, or EdDSA? + + by [59]Ev Kontsevoy + comparing ssh keys + + IFRAME: + [60]https://protocol.podigee.io/3-comparing-ssh-keys/embed?context=exte + rnal&theme=default + + This blog post was originally released on 08/26/20. + + What's worse than an unsafe private key? An unsafe public key. + + The "secure" in secure shell comes from the combination of hashing, + symmetric encryption, and asymmetric encryption. Together, SSH uses + cryptographic primitives to safely connect clients and servers. In the + 25 years since its founding, computing power and speeds in accordance + with [61]Moore's Law have necessitated increasingly complicated + low-level algorithms. This article will focus on asymmetric keygen + algorithms. + + As of 2020, the most widely adopted algorithms are RSA, DSA, ECDSA, and + EdDSA, but it is RSA and EdDSA that provide the best security and + performance. + +Encryption Within the SSH Protocol + + SSH is used almost universally to connect to shells on remote machines. + The most important part of an SSH session is establishing a secure + connection. This happens in two broad steps: + * Negotiation & Connection + * Authentication + +Negotiation & Connection + + In order for an SSH session to work, both client and server must + support the same version of the SSH protocol. Modern clients will + support SSH 2.0, as SSH 1.0 has [62]identified flaws. After coming to a + consensus on which protocol version to follow, both machines negotiate + a per-session symmetric key to encrypt the connection from the outside. + Generating a symmetric key at this stage, when paired with the + asymmetric keys in authentication, prevents the entire session from + being [63]compromised if a key is revealed. Negotiation terms happen + through the [64]Diffie-Helman key exchange, which creates a shared + secret key to secure the whole data stream by combining the private key + of one party with the public key of the other. These keys are different + from the SSH keys used for authentication. For those interested in + learning more about this step, this comprehensive article, [65]SSH + Handshake Explained, is a great starting point. + shared secret creation + shared secret creation + Figure 1: Shared Secret Creation + +Authentication + + After completing the negotiation and connection, a reliable and secure + channel between the client and server has been established. During the + KEX, the client has authenticated the server, but the server has not + yet authenticated the client. In most cases, public-key authentication + is used by the client. This method involves two keys, a [66]public and + private key. Either can be used to encrypt a message, but the other + must be used to decrypt. This is what is meant by asymmetric + encryption. [Figure 2] If Bob encrypts a message with Alice's public + key, only Alice's private key can decrypt the message. This principle + is what allows the SSH protocol to authenticate identity. If Alice + (client) can decrypt Bob's (server) message, then it proves Alice is in + possession of the paired private key. This is, in theory, how SSH keys + authentication should work. Unfortunately with the dynamic nature of + infrastructure today, SSH keys are increasingly shared or [67]managed + improperly, compromising its integrity. To learn more, read this + article, [68]How to SSH Properly. + Alice and Bob SSH keys + Alice and Bob SSH keys + [69]Figure 2: Only Alice's private key can decrypt a message signed + with Alice's public key + +Asymmetric Encryption Algorithms + + What makes asymmetric encryption powerful is that a private key can be + used to derive a paired public key, but not the other way around. This + principle is core to public-key authentication. If Alice had used a + weak encryption algorithm that could be brute-forced by today's + processing capabilities, a third party could derive Alice's private key + using her public key. Protecting against a threat like this requires + careful selection of the right algorithm. + + There are three classes of these algorithms commonly used for + asymmetric encryption: RSA, DSA, and elliptic curve based algorithms. + To properly evaluate the strength and integrity of each algorithm, it + is necessary to understand the mathematics that constitutes the core of + each algorithm. + +RSA: Integer Factorization + + First used in 1978, the RSA cryptography is based on the held belief + that factoring large semi-prime numbers is difficult by nature. Given + that no general-purpose formula has been found to factor a compound + number into its prime factors, there is a direct relationship between + the size of the factors chosen and the time required to compute the + solution. In other words, given a number n=p\*q where p and q are + sufficiently large prime numbers, it can be assumed that anyone who can + factor n into its component parts is the only party that knows the + values of p and q. The same logic exists for public and private keys. + In fact, p & q are necessary variables for the creation of a private + key, and n is a variable for the subsequent public key. This + presentation simplifies RSA integer factorization. For those interested + in learning more, [70]click here. + +DSA: Discrete Logarithm Problem & Modular Exponentiation + + DSA follows a similar schema, as RSA with public/private keypairs that + are mathematically related. What makes DSA different from RSA is that + DSA uses a different algorithm. It solves an entirely different problem + using different elements, equations, and steps. While the discrete log + problem is fun, it is [71]out of scope for this post. What is important + to note is the use of a randomly generated number, m, is used with + signing a message along with a private key, k. This number m must be + kept private. More in this later. + +ECDSA & EdDSA: Elliptic Curve Discrete Logarithm Problem + + Algorithms using elliptic curves are also based on the assumption that + there is no generally efficient solution to solving a discrete log + problem. However, ECDSA/EdDSA and DSA differ in that DSA uses a + mathematical operation known as modular exponentiation while + ECDSA/EdDSA uses elliptic curves. The computational complexity of the + discrete log problem allows both classes of algorithms to achieve the + same level of security as RSA with significantly smaller keys. + bitcoin elliptic curve + bitcoin elliptic curve + Figure 3 - Elliptic curve, Secp256k1 used in the Bitcoin protocol + +Comparing Encryption Algorithms + + Choosing the right algorithm depends on a few criteria: + * Implementation - Can the experts handle it, or does it need to be + rolled? + * Compatibility - Are there SSH clients that do not support a method? + * Performance - How long will it take to generate a sufficiently + secure key? + * Security - Can the public key be derived from the private key? (The + use of quantum computing to break encryption is not discussed in + this article.) + +RSA + + Implementation + + RSA libraries can be found for all major languages, including in-depth + libraries ([72]JS, [73]Python, [74]Go, [75]Rust, [76]C). + Compatibility + + Usage of SHA-1 ([77]OpenSSH) or public keys under 2048-bits may be + unsupported. + Performance Larger keys require more time to generate. + Security + + Specialized algorithms like [78]Quadratic Sieve and [79]General Number + Field Sieve exist to factor integers with specific qualities. + + Time has been RSA's greatest ally and greatest enemy. First published + in 1977, RSA has the widest support across all SSH clients and + languages and has truly stood the test of time as a reliable key + generation method. Subsequently, it has also been subject to Moore's + Law for decades and key bit-length has grown in size. According to NIST + standards, achieving 128-bit security requires a key with length 3072 + bits whereas other algorithms use smaller keys. Bit security measures + the number of trials required to brute-force a key. 128 bit security + means 2^128 trials to break. + RSA key bit-length + RSA key bit-length + + [80]Figure 4 - NIST 2020 Recommendations for RSA key bit-length + (Factoring Modulus) + +DSA + + Implementation + + DSA was adopted by FIPS-184 in 1994. It has ample representation in + [81]major crypto libraries, similar to RSA. + Compatibility + + While DSA enjoys support for PuTTY-based clients, OpenSSH 7.0 + [82]disables DSA by default. + Performance + + [83]Significant improvement in key generation times to achieve + comparable security strengths, though recommended bit-length is the + same as RSA. + Security + + DSA requires the use of a randomly generated unpredictable and secret + value that, [84]if discovered, can reveal the private key. + + Recall earlier in the article: + + "What is important to note is the use of a randomly generated number, + m, is used with signing a message along with a private key, k. This + number m must be kept privately." + + The value mis meant to be a nonce, which is a unique value included in + many cryptographic protocols. However, the additional conditions of + unpredictability and secrecy makes the nonce more akin to a key, and + therefore extremely important. + + Not only is it difficult to [85]ensure true randomness within a + machine, but improper implementation can break encryption. For example: + 1. Android's Java SecureRandom class was known to create [86]colliding + R values. In other words, the class reused some randomly generated + numbers. This exposed a number of different [87]Android-based + Bitcoin wallets to having their private keys stolen. The + requirements of the nonce m means that any two instances with the + same nonce value could be reverse engineered and reveal the private + key used to sign transactions. + 2. Taking this a step further, [88]fail0verflow discovered the private + key used to sign firmware updates for the Sony Playstation 3. In + other words, programmers could write their own code, sign it with + the revealed private key, and run it on the PS3. As it turns out, + Sony was using the [89]same random number to sign each message. + +ECDSA & EdDSA + + The two examples above are not entirely sincere. Both Sony and the + Bitcoin protocol employ ECDSA, not DSA proper. ECDSA is an elliptic + curve implementation of DSA. Functionally, where RSA and DSA require + key lengths of 3072 bits to provide 128 bits of security, ECDSA can + accomplish the same with only 256-bit keys. However, ECDSA relies on + the same level of randomness as DSA, so the only gain is speed and + length, [90]not security. + + In response to the desired speeds of elliptic curves and the undesired + security risks, another class of curves has gained some notoriety. + EdDSA solves the same discrete log problem as DSA/ECDSA, but uses a + different family of elliptic curves known as the [91]Edwards Curve + (EdDSA uses a [92]Twisted Edwards Curve). While offering slight + advantages in speed over ECDSA, its popularity comes from an + improvement in security. Instead of relying on a random number for the + nonce value, EdDSA generates a nonce deterministically as a hash making + it collision resistant. + + Taking a step back, the use of elliptic curves does not automatically + guarantee some level of security. Not all curves are the same. Only a + [93]few curves have made it past rigorous testing. Luckily, the PKI + industry has slowly come to adopt [94]Curve25519 in particular for + EdDSA. Put together that makes the public-key signature algorithm, + [95]Ed25519. + Implementation + + EdDSA is fairly new [96]Crypto++ and [97]cryptlib do not currently + support EdDSA. + Compatibility + + Compatible with newer clients, Ed25519 has seen the [98]largest + adoption among the Edward Curves, though NIST also proposed Ed448 in + their recent draft of [99]SP 800-186. + Performance + + Ed25519 is the fastest performing algorithm across all metrics. As with + ECDSA, public keys are twice the length of the desired bit security. + Security + + EdDSA provides the [100]highest security level compared to key length. + It also improves on the insecurities found in ECDSA. + +Teleport cybersecurity blog posts and tech news + + Every other week we'll send a newsletter with the latest cybersecurity + news and Teleport updates. + ____________________ (BUTTON) Subscribe + +RSA vs. DSA vs. ECDSA vs. EdDSA + + Below we list the common differences between RSA, DSA, ECDSA, and EdDSA + algorithms: + RSA DSA ECDSA EdDSA + Popularity Most widely implemented and supported. Its notorious + security history makes it less popular. Fairly new but not as popular + as EdDSA. Fairly new but favoured by most modern cryptographic + libraries. + Performance Larger keys require more time to generate. Faster for + signature generation but slower for validation. Public keys are twice + the length of the desired bit security. EdDSA is the fastest performing + algorithm across all metrics. + Security Specialized algorithms like [101]Quadratic Sieve and + [102]General Number Field Sieve exist to factor integers with specific + qualities. DSA requires the use of a randomly generated unpredictable + and secret value that, [103]if discovered, can reveal the private key. + Vulnerable if pseudo random number aren't cryptographically strong. + EdDSA provides the highest security level compared to key length. It + also improves on the insecurities found in ECDSA. + +How to generate SSH keys with RSA, DSA, ECDSA, or EdDSA? + + RSA is the default key type when generated using the ssh-keygen + command. To generate SSH keys with given algorithm type, supply -t flag + to ssh-keygen command. Below is an example of generating ed25519 key: +$ ssh-keygen -t ed25519 -C "unique name to identify this key." + + Both public and private keys (ssh key pair) are generated with the + above command. The private key never leave user's computer, and the + public key is stored in the server's authorized_keys file. + + The SSH key fingerprint can be checked with the following command: +$ ssh-keygen -l -f <key file> + + For more details, [104]learn how to generate SSH keys. + +Conclusion + + When it comes down to it, the choice is between RSA 2048/4096 and + Ed25519 and the trade-off is between performance and compatibility. RSA + is universally supported among SSH clients while EdDSA performs much + faster and provides the same level of security with significantly + smaller keys. Peter Ruppel puts the answer succinctly: + + The short answer to this is: as long as the key strength is good + enough for the foreseeable future, it doesn't really matter. Because + here we are considering a signature for authentication within an SSH + session. The cryptographic strength of the signature just needs to + withstand the current, state-of-the-art attacks. + * [105]Ed25519 for SSH + + Just don't use ECDSA/DSA! + +Certificates better than keys + + Although keys are a relatively secure authentication method for SSH + when compared with password-based authentication, keys create an equal + amount of operational and security overhead on the administration side. + Key rotation and key invalidation remain a challenge that can be + resolved using certificate-based authentication. Teleport offers + [106]SSH certificate-based access solution with additional benefits of + audit logging, session recording, and RBAC for SSH. Teleport is open + source and can be used as a drop replacement for OpenSSH servers. Learn + why [107]certificates are better than keys for SSH and get started with + Teleport today - + [108]https://goteleport.com/docs/getting-started/linux-server/ + +Tags + + * [109]ssh + +Teleport Newsletter + + Stay up-to-date with the newest Teleport releases by subscribing to our + monthly updates. + ____________________ (BUTTON) Subscribe + +Teleport Team + + Protect your infrastructure with essential security & compliance + capabilities with Teleport Team + background + +Subscribe to our newsletter + + ____________________ (BUTTON) Subscribe + PAM / Teleport + * Protocols + + [110]Teleport Overview + + [111]SSH + + [112]Kubernetes + + [113]Databases + + [114]Applications + + [115]Windows + + [116]Teleport Features + + [117]Teleport Pricing + * Documentation + + [118]Documentation home + + [119]How Teleport works + + [120]GitHub repository + * Learn + + [121]Why Teleport? + + [122]Blog + + [123]Customers + + [124]Resources + + [125]Events + * Company + + [126]About us + + [127]Security + + [128]Careers + + [129]News + + [130]Partners + + [131]Status + * Get in touch + + [132](855) 818 9008 + + [133]General inquiries + + [134]Customer support + + Connect + o [135]Teleport Community + o [136]Slack + o [137]Github + o [138]Twitter + o [139]LinkedIn + o [140]YouTube + + © 2023 Gravitational Inc.; all rights reserved. + * [141]Terms of service + * [142]Privacy policy + +References + + Visible links: + 1. https://www.googletagmanager.com/ns.html?id=GTM-WMR7H6 + 2. https://www.googletagmanager.com/ns.html?id=GTM-WMR7H6 + 3. https://goteleport.com/teleport/ + 4. https://goteleport.com/why-teleport/ + 5. https://goteleport.com/how-it-works/ + 6. https://goteleport.com/access-modules/ + 7. https://goteleport.com/ssh-server-access/ + 8. https://goteleport.com/kubernetes-access/ + 9. https://goteleport.com/database-access/ + 10. https://goteleport.com/application-access/ + 11. https://goteleport.com/desktop-access/ + 12. https://goteleport.com/features/ + 13. https://goteleport.com/features/assist/ + 14. https://goteleport.com/features/sso-for-ssh/ + 15. https://goteleport.com/features/access-requests/ + 16. https://goteleport.com/features/rbac-for-ssh/ + 17. https://goteleport.com/how-it-works/audit-logging-for-ssh-and-kubernetes/ + 18. https://goteleport.com/docs/access-controls/guides/device-trust/ + 19. https://goteleport.com/passwordless/ + 20. https://goteleport.com/ + 21. https://goteleport.com/use-cases/ecommerce-entertainment/ + 22. https://goteleport.com/use-cases/finance/ + 23. https://goteleport.com/use-cases/saas/ + 24. https://goteleport.com/use-cases/privileged-access-management/ + 25. https://goteleport.com/use-cases/machine-to-machine-access/ + 26. https://goteleport.com/connect/ + 27. https://goteleport.com/passwordless/ + 28. https://goteleport.com/use-cases/aws/ + 29. https://goteleport.com/integrations/ + 30. https://goteleport.com/docs/ + 31. https://goteleport.com/docs/ + 32. https://goteleport.com/download/ + 33. https://goteleport.com/docs/connect-your-client/introduction/ + 34. https://goteleport.com/how-it-works/ + 35. https://goteleport.com/labs/ + 36. https://goteleport.com/community/ + 37. https://goteleport.com/slack/ + 38. https://github.com/gravitational/teleport/ + 39. https://goteleport.com/resources/ + 40. https://goteleport.com/blog/ + 41. https://goteleport.com/case-study/ + 42. https://goteleport.com/resources/ + 43. https://goteleport.com/learn/ + 44. https://goteleport.com/about/events/ + 45. https://goteleport.com/pricing/ + 46. https://goteleport.com/about/ + 47. https://goteleport.com/about/ + 48. https://goteleport.com/careers/ + 49. https://goteleport.com/about/press/ + 50. https://goteleport.com/partners/ + 51. https://teleport.sh/ + 52. https://goteleport.com/signup/ + 53. https://goteleport.com/blog/comparing-ssh-keys/#encryption-within-the-ssh-protocol + 54. https://goteleport.com/blog/comparing-ssh-keys/#asymmetric-encryption-algorithms + 55. https://goteleport.com/blog/comparing-ssh-keys/#comparing-encryption-algorithms + 56. https://goteleport.com/blog/comparing-ssh-keys/#teleport-cybersecurity-blog-posts-and-tech-news + 57. https://goteleport.com/blog/comparing-ssh-keys/#rsa-vs-dsa-vs-ecdsa-vs-eddsa + 58. https://goteleport.com/blog/comparing-ssh-keys/#conclusion + 59. https://goteleport.com/learn/author/evkontsevoy/ + 60. https://protocol.podigee.io/3-comparing-ssh-keys/embed?context=external&theme=default + 61. https://www.quora.com/How-does-Moore-s-Law-affect-the-security-of-cryptographic-algorithms + 62. https://goteleport.com/blog/ssh-handshake-explained/ + 63. https://en.wikipedia.org/wiki/Forward_secrecy + 64. https://www.youtube.com/watch?v=NmM9HA2MQGI + 65. https://goteleport.com/blog/ssh-handshake-explained/ + 66. https://www.cloudflare.com/learning/ssl/how-does-public-key-encryption-work/ + 67. https://goteleport.com/blog/ssh-key-management/ + 68. https://goteleport.com/blog/how-to-ssh-properly/ + 69. https://en.wikipedia.org/wiki/Public-key_cryptography#/media/File:Public_key_encryption.svg + 70. https://www.slideshare.net/dganesan11/security-of-rsa-and-integer-factorization + 71. https://www.youtube.com/watch?v=PQ8AruHaoLo + 72. https://gist.github.com/jo/8619441 + 73. https://cryptography.io/en/latest/ + 74. https://golang.org/pkg/crypto/rsa/ + 75. https://docs.rs/rsa/0.3.0/rsa/ + 76. https://www.libtom.net/LibTomCrypt/ + 77. https://www.openssh.com/txt/release-8.3 + 78. https://mathworld.wolfram.com/QuadraticSieve.html + 79. https://en.wikipedia.org/wiki/General_number_field_sieve + 80. https://www.keylength.com/en/4/ + 81. https://en.wikipedia.org/wiki/Comparison_of_cryptography_libraries + 82. https://www.openssh.com/legacy.html + 83. https://security.stackexchange.com/questions/97411/significance-of-the-difference-between-dsa-and-rsa-in-signature-verifying-speed + 84. https://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/ + 85. https://blog.cloudflare.com/ensuring-randomness-with-linuxs-random-number-generator/ + 86. https://crypto.stackexchange.com/questions/9694/technical-details-of-attack-on-android-bitcoin-usage-of-securerandom + 87. https://bitcoin.org/en/alert/2013-08-11-android + 88. https://fail0verflow.com/blog/ + 89. https://www.youtube.com/watch?v=LP1t_pzxKyE + 90. https://blog.trailofbits.com/2020/06/11/ecdsa-handle-with-care/ + 91. https://en.wikipedia.org/wiki/Edwards_curve + 92. https://en.wikipedia.org/wiki/Twisted_Edwards_curve + 93. https://safecurves.cr.yp.to/ + 94. https://en.wikipedia.org/wiki/Curve25519 + 95. https://ed25519.cr.yp.to/ + 96. https://en.wikipedia.org/wiki/Crypto%2B%2B#Algorithms + 97. https://en.wikipedia.org/wiki/Cryptlib#Algorithm_support + 98. https://ianix.com/pub/ed25519-deployment.html#ed25519-libraries + 99. https://www.nist.gov/news-events/news/2019/10/digital-signatures-and-elliptic-curve-cryptography-request-comments-draft + 100. https://ed25519.cr.yp.to/ + 101. https://mathworld.wolfram.com/QuadraticSieve.html + 102. https://en.wikipedia.org/wiki/General_number_field_sieve + 103. https://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/ + 104. https://goteleport.com/blog/how-to-set-up-ssh-keys/ + 105. https://blog.peterruppel.de/ed25519-for-ssh/ + 106. https://goteleport.com/how-it-works/certificate-based-authentication-ssh-kubernetes/ + 107. https://goteleport.com/blog/how-to-ssh-properly/ + 108. https://goteleport.com/docs/getting-started/linux-server/ + 109. https://goteleport.com/blog/tags/ssh/ + 110. https://goteleport.com/ + 111. https://goteleport.com/ssh-server-access/ + 112. https://goteleport.com/kubernetes-access/ + 113. https://goteleport.com/database-access/ + 114. https://goteleport.com/application-access/ + 115. https://goteleport.com/desktop-access/ + 116. https://goteleport.com/features/ + 117. https://goteleport.com/pricing/ + 118. https://goteleport.com/docs/ + 119. https://goteleport.com/how-it-works/ + 120. https://github.com/gravitational/teleport/ + 121. https://goteleport.com/why-teleport/ + 122. https://goteleport.com/ + 123. https://goteleport.com/case-study/ + 124. https://goteleport.com/resources/ + 125. https://goteleport.com/about/events/ + 126. https://goteleport.com/about/ + 127. https://goteleport.com/security/ + 128. https://goteleport.com/careers/ + 129. https://goteleport.com/about/press/ + 130. https://goteleport.com/partners/ + 131. https://status.teleport.sh/ + 132. tel:855-818-9008 + 133. https://goteleport.com/contact-us/ + 134. https://goteleport.com/support/ + 135. https://goteleport.com/community/ + 136. https://goteleport.com/slack/ + 137. https://github.com/gravitational/ + 138. https://twitter.com/goteleport/ + 139. https://www.linkedin.com/company/go-teleport/ + 140. https://www.youtube.com/channel/UCmtTJaeEKYxCjfNGiijOyJw/ + 141. https://goteleport.com/tos/ + 142. https://goteleport.com/privacy/ + + Hidden links: + 144. https://goteleport.com/ + 145. https://teleport.sh/ + 146. https://dashboard.gravitational.com/web/login/ + 147. https://www.linkedin.com/company/go-teleport + 148. https://twitter.com/goteleport/ + 149. https://goteleport.com/blog/rss.xml + 150. https://goteleport.com/signup/ diff --git a/local/etc/rc.init b/local/etc/rc.init index 50468f1..f6c7ca8 100755 --- a/local/etc/rc.init +++ b/local/etc/rc.init @@ -18,4 +18,15 @@ respawn getty /dev/tty3 & respawn getty /dev/tty4 & respawn getty /dev/ttyS0 & +if test ! -d /etc/dropbear; then + echo "Generating host keys.." + mkdir /etc/dropbear + dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key + dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key + dropbearkey -t ecdsa -f /etc/dropbear/dropbear_ecdsa_host_key + dropbearkey -t ed25519 -f /etc/dropbear/dropbear_ed25519_host_key +fi +echo "Starting SSH daemon.." +dropbear + echo "Ready." diff --git a/patches/dropbear-path.patch b/patches/dropbear-path.patch new file mode 100644 index 0000000..fe8d49a --- /dev/null +++ b/patches/dropbear-path.patch @@ -0,0 +1,31 @@ +diff -rauN dropbear-2022.83/default_options.h dropbear-2022.83-path-patch/default_options.h +--- dropbear-2022.83/default_options.h 2022-11-14 15:30:00.000000000 +0100 ++++ dropbear-2022.83-path-patch/default_options.h 2023-06-15 14:42:19.428893698 +0200 +@@ -302,7 +302,7 @@ + + /* The command to invoke for xauth when using X11 forwarding. + * "-q" for quiet */ +-#define XAUTH_COMMAND "/usr/bin/xauth -q" ++#define XAUTH_COMMAND "/bin/xauth -q" + + + /* If you want to enable running an sftp server (such as the one included with +@@ -315,7 +315,7 @@ + + /* This is used by the scp binary when used as a client binary. If you're + * not using the Dropbear client, you'll need to change it */ +-#define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/dbclient" ++#define DROPBEAR_PATH_SSH_PROGRAM "/bin/dbclient" + + /* Whether to log commands executed by a client. This only logs the + * (single) command sent to the server, not what a user did in a +@@ -351,7 +351,7 @@ + #define DEFAULT_IDLE_TIMEOUT 0 + + /* The default path. This will often get replaced by the shell */ +-#define DEFAULT_PATH "/usr/bin:/bin" +-#define DEFAULT_ROOT_PATH "/usr/sbin:/usr/bin:/sbin:/bin" ++#define DEFAULT_PATH "/bin" ++#define DEFAULT_ROOT_PATH "/bin" + + #endif /* DROPBEAR_DEFAULT_OPTIONS_H_ */ diff --git a/patches/musl-1.2.3-tcc.patch b/patches/musl-tcc.patch index 2d6bff5..2d6bff5 100644 --- a/patches/musl-1.2.3-tcc.patch +++ b/patches/musl-tcc.patch diff --git a/scripts/build.sh b/scripts/build.sh index c851663..d946127 100755 --- a/scripts/build.sh +++ b/scripts/build.sh @@ -18,8 +18,8 @@ set -e SCRIPT=$(readlink -f "$0") BASE=$(dirname ${SCRIPT})/.. -CPUS=$(nproc) -#CPUS=1 +#CPUS=$(nproc) +CPUS=1 . "${BASE}/configs/versions" @@ -58,7 +58,7 @@ if [ ! -f "${BASE}/build/stage0/lib/libc.a" ]; then rm -rf "musl-${MUSL_VERSION}" tar xf "${BASE}/downloads/musl-${MUSL_VERSION}.tar.gz" cd "musl-${MUSL_VERSION}" - patch -Np1 < "${BASE}/patches/musl-1.2.3-tcc.patch" + patch -Np1 < "${BASE}/patches/musl-tcc.patch" CC="${BASE}/build/stage0/bin/i386-tcc" ./configure \ --prefix="${BASE}/build/stage0" \ --target=i386-linux-musl --disable-shared @@ -391,6 +391,26 @@ else echo "stage1 joe exists" fi +if [ ! -f "${BASE}/build/stage1/bin/dropbearmulti" ]; then + rm -rf "dropbear-${DROPBEAR_VERSION}" + tar xf "${BASE}/downloads/dropbear-${DROPBEAR_VERSION}.tar.bz2" + cd "dropbear-${DROPBEAR_VERSION}" + patch -Np1 < "${BASE}/patches/dropbear-path.patch" + CC="${BASE}/build/stage1/bin/i386-tcc" \ + ./configure --prefix="${BASE}/build/stage1" \ + --enable-static --disable-shared + make -j$CPUS STATIC=1 MULTI=1 SCPPROGRESS=1 PROGRAMS="dropbear dbclient dropbearkey scp ssh" + cp dropbearmulti "${BASE}/build/stage1/bin/." + make -j$CPUS inst_dropbearmulti + rm -f "${BASE}/build/stage1/sbin/dropbear" + for i in dbclient dropbearkey dropbear scp ssh; do + ln -sf dropbearmulti "${BASE}/build/stage1/bin/${i}" + done + cd .. +else + echo "stage1 dropbear exists" +fi + # TODO FROM HERE # TODO: have some way to deal with dependencies and with the user diff --git a/scripts/download.sh b/scripts/download.sh index 6431b07..872fe8f 100755 --- a/scripts/download.sh +++ b/scripts/download.sh @@ -158,6 +158,10 @@ if [ ! -f "${BASE}/downloads/linux-${LINUX_KERNEL_VERSION}.tar.gz" ]; then wget -O "${BASE}/downloads/linux-${LINUX_KERNEL_VERSION}.tar.gz" "https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-${LINUX_KERNEL_VERSION}.tar.gz" fi +if [ ! -f "${BASE}/downloads/dropbear-${DROPBEAR_VERSION}.tar.bz2" ]; then + wget -O "${BASE}/downloads/dropbear-${DROPBEAR_VERSION}.tar.bz2" "https://matt.ucc.asn.au/dropbear/releases/dropbear-${DROPBEAR_VERSION}.tar.bz2" +fi + trap - 0 exit 0 diff --git a/scripts/run_qemu.sh b/scripts/run_qemu.sh index 9ce52de..06f8338 100755 --- a/scripts/run_qemu.sh +++ b/scripts/run_qemu.sh @@ -4,6 +4,6 @@ qemu-nbd -f raw root.img -x ROOT & sleep 2 && \ qemu-system-i386 -cpu 486 -m 18M -machine isapc \ -drive "file=floppy00,if=floppy,format=raw" \ - -netdev user,id=net0,net=10.0.0.0/24,host=10.0.0.2,dhcpstart=10.0.0.16,hostfwd=tcp::8080-:80,hostfwd=udp::8081-:81 \ + -netdev user,id=net0,net=10.0.0.0/24,host=10.0.0.2,dhcpstart=10.0.0.16,hostfwd=tcp::2222-:22 \ -device ne2k_isa,iobase=0x300,irq=10,netdev=net0 pkill qemu-nbd diff --git a/scripts/run_qemu_direct.sh b/scripts/run_qemu_direct.sh index f8de126..0e34b13 100755 --- a/scripts/run_qemu_direct.sh +++ b/scripts/run_qemu_direct.sh @@ -5,6 +5,6 @@ sleep 2 && \ qemu-system-i386 -cpu 486 -m 24M -machine isapc \ -kernel bzImage -initrd ramdisk.img \ -append "debug loglevel=7 earlycon=vga earlycon=uart8250,io,0x3f8,9600n8 console=tty0 console=ttyS0,9600n8 iommu=off nomodeset init=/init" \ - -netdev user,id=net0,net=10.0.0.0/24,host=10.0.0.2,dhcpstart=10.0.0.16,hostfwd=tcp::8080-:80 \ + -netdev user,id=net0,net=10.0.0.0/24,host=10.0.0.2,dhcpstart=10.0.0.16,hostfwd=tcp::2222-:22 \ -device ne2k_isa,iobase=0x300,irq=10,netdev=net0 pkill qemu-nbd |