OpenWrt Forum Archive

Topic: Getting dropbear to listen on multiple ports.

The content of this topic has been archived on 22 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I'm running Kamikaze 7.07. So far, all good smile.

I got one 'issue' though. I seem to be unable to specify multiple ports in the dropbear config file in /etc/config. If I add a second 'Port' line, dropbear borks and I cannot get in via SSH anymore. Specifying two ports in one option like this:

Port "22 12473"

doesn't work either.

I have been looking at /etc/init.d/dropbear, and this is the part where the config variables get translated into command line options for dropbear:

        case "$cfgt" in
                dropbear)
                        config_get passauth $cfg PasswordAuth
                        config_get port $cfg Port

                        case "$passauth" in
                                no|off|disabled|0) nopasswd=1;;
                        esac
                        DROPBEAR_ARGS="${nopasswd:+-s }${port:+-p $port}"
                ;;
        esac

Will I have to 'hack' this script, or is there a clean way (i.e. through the configuration file) to get it to listen to two or more ports anyway?

If this cannot be done through the config file, I'd like to make this a feature request big_smile (since dropbear itself supports it out of the box). Having to change the startup script would be a bit messy, since that gets overwritten when I upgrade those packages... I'd rather not run a second instance either.

Thanks in advance!

(Last edited by Borromini on 6 Aug 2007, 11:42)

This is my quick patch for this:

20c20,23
<                       DROPBEAR_ARGS="${nopasswd:+-s }${port:+-p $port}"
---
>                       test -z "$port" || for p in $port
>                       do portarg="${portarg} -p $p"
>                       done
>                       DROPBEAR_ARGS="${nopasswd:+-s }${portarg}"
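Review bot: portarg is never initialised before the loop (the added lines only ever append with portarg="${portarg} -p $p"), so if this callback runs for more than one dropbear section, the ports of earlier sections are carried into the next section's DROPBEAR_ARGS; add portarg= next to the config_get lines so each section starts clean (the same holds for nopasswd in the surrounding code). The test -z "$port" guard is redundant, since for p in $port over an empty value simply does nothing, but it is harmless.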

I hope it helps. smile

And, if you've already got a Kamikaze router deployed, you can just do an ugly hack in the config file and put "22 -p 12473" to get it to work with the old existing scripts. :-)  However, be very careful about knowing what your script does, because it isn't very hard to break dropbear so there is no remote login anymore...

Thanks for the help guys smile. I ended up disabling dropbear and putting a line in rc.local for it with two ports and password authentication disabled.

If you happen to lock yourself out of SSH access, and you have X-WRT installed, there's still the web interface that allows you to edit files and reboot the router tongue. That has been a lifesaver more than once tongue.

I am planning on 'migrating' to 7.09 shortly (I got 7.07 on now, I suffer from versionitis), I will try that patch then smile. It would be very nice & clean if I could stick to the default scripts, that makes upgrading a little less messy too smile.

(Last edited by Borromini on 21 Dec 2007, 05:42)

Okay, an update. Wimpunk, I inserted your code into the dropbear init script (it looks like OpenWRT doesn't come with diff? sad) and it worked flawlessly smile. To remedy the lack of settings preservation during an upgrade, I wrote an upgrade script that reloads my settings, but it's with lots of sed appends (aka a bit clumsy). I'm gonna look into the buildroot to see if busybox has diff.

Since vanilla OpenWRT doesn't come with diff or patch, I'll put in a sed sequence that can be used on the router directly smile:

sed -i 's@DROPBEAR_ARGS="${nopasswd:+-s }${port:+-p $port}"@test -z "$port" || for p in $port@g' /etc/init.d/dropbear
sed -i '20a\                        do portarg="${portarg} -p $p"' /etc/init.d/dropbear
sed -i '21a\                        done' /etc/init.d/dropbear
sed -i '22a\                        DROPBEAR_ARGS="${nopasswd:+-s }${portarg}"' /etc/init.d/dropbear

Hope it's useful to someone tongue. I know you could group all commands by using -i -e $command1 $command2 but I'm not sure the correct order would be maintained - I don't know if sed takes into account already added lines while it processes.

I built a custom image with diff & patch enabled, but then I realised diffing & patching would end me up with a huge diff... Longer than all this sed stuff, and harder to integrate in a do-it-all script. So I just kept the seds tongue. I might do a diff once, you never know.

(Last edited by Borromini on 9 Jan 2008, 09:15)

Here is how I did this in Kamikaze 7.09

root@router:~# uci show dropbear
dropbear.cfg1=dropbear
dropbear.cfg1.PasswordAuth=off
dropbear.cfg1.Port=22
dropbear.cfg2=dropbear
dropbear.cfg2.PasswordAuth=on
dropbear.cfg2.Port=50022

In /etc/init.d/dropbear, move
/usr/sbin/dropbear $DROPBEAR_ARGS
from the start() method and put it in the config_cb() right after
DROPBEAR_ARGS="${nopasswd:+-s }${port:+-p $port}"

This way dropbear is started for each config.

Now I can use client cert only from wan and client cert or password from lan.

warsql wrote:

Here is how I did this in Kamikaze 7.09

root@router:~# uci show dropbear
dropbear.cfg1=dropbear
dropbear.cfg1.PasswordAuth=off
dropbear.cfg1.Port=22
dropbear.cfg2=dropbear
dropbear.cfg2.PasswordAuth=on
dropbear.cfg2.Port=50022

In /etc/init.d/dropbear, move
/usr/sbin/dropbear $DROPBEAR_ARGS
from the start() method and put it in the config_cb() right after
DROPBEAR_ARGS="${nopasswd:+-s }${port:+-p $port}"

This way dropbear is started for each config.

Now I can use client cert only from wan and client cert or password from lan.

Why does this work? Is it a problem that the start section of the script no longer starts a dropbear instance?

I used this setup in kamikaze 8.09, but it worries me even though it worked.

The best solution would be if someone would provide a patch which adds support for multiple dropbear instances...

I've since moved to the 2.4 kernel with Kamikaze (r14417) and when using LuCI, the dropbear configuration tab show multiple dropbear instances, each separately configurable.

If someone can give proper code... It did not work properly. I tried a couple of the ideas from here.

I'm running r14417, I managed to load an add-on to get a dropbear/SSHd panel, but don't see any way to get multiple instances. Did you tweak a config file first?

I have

root@k6dbg-1:~# uci show dropbear
dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].PasswordAuth=on
dropbear.@dropbear[0].Port=22

Ah. I edited /etc/config/dropbear:

config dropbear
        option PasswordAuth 'on'
        option Port         '22'

config dropbear
        option PasswordAuth 'off'
        option Port         '50022'

Now

root@k6dbg-1:/etc/config# uci show dropbear
dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].PasswordAuth=on
dropbear.@dropbear[0].Port=22
dropbear.@dropbear[1]=dropbear
dropbear.@dropbear[1].PasswordAuth=off
dropbear.@dropbear[1].Port=50022

and now I see two instances under "Dropbear SSHd", and they're what I expect.

But this configuration isn't really right - my system is now listening only on port 50022!

ps shows
  710 root      1872 S    /usr/sbin/dropbear -s -p 50022
  840 root      1932 S    /usr/sbin/dropbear -s -p 50022

So it appears that the /etc/init.d/dropbear script still isn't right... it still requires the change shown above in post #6... that got me to having the two separate instances I was after:

  775 root      1872 S    /usr/sbin/dropbear -p 22
  776 root      1872 S    /usr/sbin/dropbear -s -p 50022

I also had to open the firewall to port 50022 in /etc/config/firewall

config 'rule'
        option 'src' 'wan'
        option 'dest_port' '50022'
        option 'target' 'ACCEPT'
        option 'proto' 'tcp'

(Last edited by cak on 2 May 2009, 18:50)
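The per-section start that warsql describes (and that cak needed to get one instance on 22 and one on 50022) boils down to building a separate argument string for every "config dropbear" section. The script below is an added example, not the OpenWrt init script or anything posted in this thread; it reads a constructed UCI-style config and prints the command line each section would produce, resetting the per-section state so one section's port cannot leak into the next.

```shell
# Added example (not the OpenWrt init script): print one dropbear command line
# per "config dropbear" section of a UCI-style config, which is what starting
# dropbear from config_cb() amounts to. State is reset at every "config" line.
# Constructed sample config, modelled on the sections shown in this thread.
sample_config() {
    cat <<'EOF'
config dropbear
        option PasswordAuth 'on'
        option Port         '22 12473'

config dropbear
        option PasswordAuth 'off'
        option Port         '50022'
EOF
}
# Arguments for one section: -s when password auth is disabled (the keywords
# the init script accepts) and one -p per port listed in the Port value.
dropbear_args() {  # $1 = PasswordAuth, $2 = Port (space-separated list allowed)
    args=""
    case "$1" in no|off|disabled|0) args="-s" ;; esac
    for p in $2; do args="${args:+$args }-p $p"; done
    printf '%s\n' "$args"
}
# Print the command line for the section collected so far (no-op outside one).
emit_section() {
    [ "$insection" -eq 1 ] || return 0
    printf '/usr/sbin/dropbear %s\n' "$(dropbear_args "$passauth" "$port")"
}
# Read UCI-style text on stdin; print "/usr/sbin/dropbear <args>" per section.
dropbear_cmdlines() {
    insection=0 passauth="" port=""
    while read -r kw name rest || [ -n "$kw" ]; do
        case "$kw" in
            config)
                emit_section                     # flush the previous section
                passauth="" port=""              # reset state for the new one
                if [ "$name" = dropbear ]; then insection=1; else insection=0; fi ;;
            option)
                rest=${rest#\'}; rest=${rest%\'}  # strip the UCI quotes
                case "$name" in
                    PasswordAuth) passauth=$rest ;;
                    Port)         port=$rest ;;
                esac ;;
        esac
    done
    emit_section
}
sample_config | dropbear_cmdlines
```

Piping the real file through it (`dropbear_cmdlines < /etc/config/dropbear`) shows what each section would start, without touching the running service.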

I'm running Kamikaze 7.0.9; I've got myself set up to do cert-based login from an external port. But it doesn't seem to work for the "normal" port 22 - it *only* does password auth.

Is that to be expected? If PasswordAuth=on, the cert won't work? Or have I fubar'd the cert?

I can happily report my improvised sed sequence still works in 8.09. I have two routers set up with a dual port dropbear, but yes, you cannot manage that from the web interface. It will error trying to restart the service, but it will show both ports in the port field.

Powercycling the device should bring up dropbear just fine (works flawlessly here).

I think the "correct" answer to this question is to use rc.local for this problem.

i.e.

add

 /usr/sbin/dropbear -s -p 5022

to /etc/rc.local and stop the fiddling there.

Certainly it is cleaner (and easier) than hacking the scripts to permit two dropbears (why just two, why not infinite?).

One argument for making the changes at the level of UCI and init.d would be that it is worth it for OpenWrt to accommodate this "consumer" desire for running dropbear on (sometimes) two ports.

Meh, it's probably still cleanest to just add it to rc.local.

Cheers,

fooz

Adding another dropbear section in the dropbear config file (/etc/config/dropbear) is the correct answer. Just run the second instance of dropbear on a different port:

/etc/config/dropbear

config dropbear
    option PasswordAuth 'on'
    option RootPasswordAuth 'on'
    option Port         '22'
#    option BannerFile   '/etc/banner'

config dropbear
    option PasswordAuth 'on'
    option RootPasswordAuth 'on'
    option Port         '2022'
#    option BannerFile   '/etc/banner'

Sorry to reopen such an old post, but I'm facing a problem with Attitude Adjustment (12.09, r36088) on my TP-LINK WR1043ND and above configuration. I used a similar configuration on another router with Backfire 10.4, but it is not working right with this version.

Whenever I restart the router, I get two instances of dropbear listening on port 22, instead of one listening on port 22 and another on port 50022. The output of ps shows these instances:

 9374 root      1216 S    /usr/sbin/dropbear -P /var/run/dropbear.1.pid -p 10.0.0.1:22
 9770 root      1156 S    /usr/sbin/dropbear -P /var/run/dropbear.1.pid -p 10.0.0.1:22

This is my /etc/config/dropbear file:

config dropbear
        option PasswordAuth 'on'
        option Port '22'
        option Interface 'lan'

config dropbear
        option PasswordAuth 'on'
        option Interface 'wan'
        option Port '50022'
        option RootPasswordAuth 'off'

If I access dropbear configuration in LuCI and click save&apply, a third dropbear instance is open on the right port, as you can see with another ps command:

 9374 root      1216 S    /usr/sbin/dropbear -P /var/run/dropbear.1.pid -p 10.0.0.1:22
 9770 root      1156 S    /usr/sbin/dropbear -P /var/run/dropbear.1.pid -p 10.0.0.1:22
 9776 root      1156 S    /usr/sbin/dropbear -P /var/run/dropbear.2.pid -p xx.xx.xx.xx:50022 -g

I don't know if the problem arises upon reboot because dropbear is started before the wan interface gets its IP address from PPPoE (DSL). Can anybody help me fix this issue? It's really annoying having to manually restart dropbear every time the router is rebooted.
Thanks in advance.

I'm trying this solution. Will check if it works:
https://dev.openwrt.org/ticket/10844#comment:3

It seems that the problem arises because the wan interface does not have a valid ip address set when the router is restarted. I'll check if such a script does the trick.

Yes it is a timing problem that occurs because dropbear is started before wan is up.
You can write a script in /etc/hotplug.d/iface/ that calls "/etc/init.d/dropbear restart" when $ACTION = ifup and $INTERFACE = wan
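Here is what such a hotplug script can look like, written as an added example rather than the script from the thread or the wiki; the file name (/etc/hotplug.d/iface/30-dropbear-wan) and the watched interface name are assumptions. hotplug runs every script in that directory with ACTION and INTERFACE set in the environment, and this one restarts dropbear only when the wan interface comes up, so the section bound to the wan address is started once that address exists.

```shell
# Added example of an /etc/hotplug.d/iface/ script (not the wiki's or the
# thread's own). Assumed install path: /etc/hotplug.d/iface/30-dropbear-wan.
# hotplug invokes it with ACTION (ifup, ifdown, ...) and INTERFACE in the env.
WATCH_IFACE="wan"   # the interface whose address a dropbear section binds to

# Decide whether an event warrants a dropbear restart. Only "ifup" of the
# watched interface counts: restarting on lan events or on ifdown would drop
# every open session for nothing. Returns 0 when a restart is needed, else 1.
dropbear_needs_restart() {  # $1 = ACTION, $2 = INTERFACE, $3 = interface to watch
    [ "$1" = "ifup" ] && [ "$2" = "$3" ]
}

# Act only when invoked by hotplug (ACTION is set); running or sourcing the
# file by hand then does nothing, which keeps the decision function testable.
if [ -n "$ACTION" ] && dropbear_needs_restart "$ACTION" "$INTERFACE" "$WATCH_IFACE"; then
    logger -t dropbear-hotplug "$INTERFACE is up, restarting dropbear"
    /etc/init.d/dropbear restart
fi
```

The logger line leaves a trace in logread, which is the quickest way to confirm the script actually fired after a reboot or a PPPoE renewal.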

Thanks a lot.
I've tested that script and it works now. I'll check it when the ip is renewed automatically in 24 hours.

--edit--
It works like a charm, now. Thanks for adding it to the wiki. It's much easier to find this info now.

(Last edited by LtGoose on 16 Aug 2013, 21:57)

I have put this into the Wiki including the hotplug script:

Dropbear Configuration

I have created an additional unprivileged user that can "ssh -l root localhost" and authenticate... just double checking if this config would work in restricting remote root access, but allow remote SSH access via the unprivileged account... and not lock me out of my router once I assert it... :-) ... (i.e. remotely login unprivileged and assume root.)

config dropbear
        option PasswordAuth 'on'
        option Interface 'lan'
        option RootLogin 'on'
        option RootPasswordAuth 'on'
        option Port '22'

config dropbear
        option PasswordAuth 'on'
        option Interface 'wan'
        option RootLogin 'off'
        option Port '22'
