HOW TO: Native SSHd on Android


staulkor

After many hours of yelling and screaming at my linux dev box, I finally got everything working so I can cross compile and port in theory any application to Android. Obviously the first step was to get SSHd working on the phone, specifically dropbear since it is much simpler than openssh.

Follow these exactly and you should have a running dropbear daemon.

If you have already rooted your phone and have busybox on your phone, I HIGHLY recommend walking through this to make sure you have done everything that is listed. There are a few things you must do for dropbear to work correctly.

NOTE: I have not been able to login yet! I have been unable to find the password data for the phone. It is asking for a password when you login with root. And yes, I have tried no password and also common ones along with "android". All result in me still being locked out.

With that out of the way, let's begin. I am assuming you have a virgin G1. I will walk you through the entire procedure.

PART 1 - ROOTING YOUR PHONE

1. Download pTerminal from the marketplace or from http://android-dls.com/files/src.com.poidio.terminal.apk. If you choose to download the file from the link provided, download it on the phone by going to this forum post and long holding the link.

2. Run pTerminal and type

Code:
cd /system/bin

and then

Code:
telnetd

3. Connect the phone to your wifi and go back to pTerminal and run:

Code:
netstat

This will show you the local ip of the G1.

4. Using your favorite telnet client, connect to your phone on the default telnet port 23.

PART 2 - BUSYBOX

5. Welcome to root access :) We now need to get busybox on the phone. Again, pull up this thread on your phone and long hold the following link: http://staulkor.com/android/busybox.xxx. Don't mind the .xxx extension. The browser won't let you download certain extension types. The xxx will be renamed to asc automatically.

6. We now need to remount /system because it is currently read only. After that we will copy busybox off the sdcard and put it in the bin directory and then make it executable. Go to your telnet app and type:

Code:
mount -o remount,rw /dev/block/mtdblock3 /system
dd if=/sdcard/download/busybox.asc of=/system/bin/busybox
chmod 4755 /system/bin/busybox
cd /system/bin
busybox cp -s busybox cp

You now have access to the cp command. You can use that syntax to make a symlink to any of the busybox commands. MAKE SURE you do NOT overwrite the default symlinks. They have special syntaxes and you will most likely break things.

PART 3 - DROPBEAR

7. Now that you have busybox and the cp command (you MUST have the cp command), we need to create a directory.

Code:
mkdir /system/etc/dropbear

This is where the encryption keys will be kept.

8. Now you have the required directory, you can download dropbear and dropbearkey.

Dropbear - http://www.staulkor.com/android/android-dropbear-0.51.rev1.xxx
Dropbearkey - http://www.staulkor.com/android/android-dropbearkey-0.51.rev1.xxx

Again, download them on the phone by long pressing each link and saving it.

I am using version 0.51 of dropbear. The rev1 is so you know what revision of the android port it is. Changes may have to be made and recompiled and I want to make sure you guys can tell the versions apart short of an md5 hash :)

9. Now that they are downloaded, they again change the .xxx extension to .asc automatically. We need to move them to /system/bin and make them executable.

Code:
cp /sdcard/download/android-dropbear-0.51.rev1.asc /system/bin/dropbear
cp /sdcard/download/android-dropbearkey-0.51.rev1.asc /system/bin/dropbearkey
chmod 4755 /system/bin/dropbear
chmod 4755 /system/bin/dropbearkey

10. Now we have to create the encryption keys. If you do not create them, dropbear will not run at all.

Code:
dropbearkey -t rsa -f /system/etc/dropbear/dropbear_rsa_host_key
dropbearkey -t dss -f /system/etc/dropbear/dropbear_dss_host_key

11. Now dropbear is totally installed. You can run it by typing:

Code:
dropbear

To check if it is running, type:

Code:
ps

and to make sure it is listening, type:

Code:
netstat

and look for the 0.0.0.0:22 LISTENING

At any point if you have to kill dropbear, you will need to run ps, find the PID and then do "kill <pid>" without the brackets of course.

12. Now we can try to login to the phone. I run Vista on my main box, so I use putty for my ssh/telnet client. If you use linux/osx and type:

Code:
ssh root@<ip address of G1>

You should be able to connect to the phone and it will ask for a password.

13. ?????????? -- We need to be able to login. I can't find any password data on the phone. I am looking for that data to see if there is even a password, or if it would be possible to create a password, or a new user, or something.

Enjoy! :D

Credits:
Rooting the phone - http://android-dls.com/forum/index.php?f=15&t=151&rb_v=viewtopic
Busybox - http://android-dls.com/forum/index.php?f=15&t=153&rb_v=viewtopic
And big thanks to DarkriftX for making those tutorials and helping the cause :)
 

humble

Thanks staulkor, you even followed through with the walk-through. Now it's time for you to catch some Z's, you deserved it. :D
 

jriley60

What's with all the fish names lol, if anyone is trying brute force add a list of fish names hehe. I'm going to have to crash, I have tried everything I know how and looked through almost every file I could think to look through.
 

CleverJake37

Howdy Boys

A few notes I made whilst following the walkthrough

Code:
busybox cp -s busybox cp

this was failing without me cd'ing over to /system/bin on the telnet terminal

not sure why, since it is in the binaries file, but, whatever

secondly

I think you meant

Code:
cp /sdcard/download/android-dropbearkey-0.51.rev1.asc /system/bin/dropbearkey

not

Code:
cd /sdcard/download/android-dropbearkey-0.51.rev1.asc /system/bin/dropbearkey

enough petty stuff, to the meat and potatoes

Just because there is a prompt for a password, doesn't mean the password exists, or even if that user exists
for proof try to
Code:
ssh [email protected]<ip address with an SSH server>
now I may be 1337, but definitely not 1337 enough to have made my own password on your 'puter :)

so, the biggest thing would be assigning a password with good ol passwd

since staulkor and the gang has been great enough to get busybox over there, we need to get a user with which we have the password, I chose the aptly named user "ssh"

so I ran

Code:
adduser ssh -HD && passwd ssh

but that returns

Code:
passwd: unknown uid 0

meaning, as far as I know, that it's trying to change the password, but it does not have one for user 0 (aka root), so it's looped into an error

so I did
Code:
busybox echo root:x:0:0:root:/root:/ > /etc/passwd

to add the root user to the passwd file, allowing for it to define passwords
note - I am not sure what the home dir and the shell directory (/system/bin/sh?) should be officially, but this seems to work, for the time being

from there passwd works

Code:
passwd: no record of ssh in /etc/shadow, using /etc/passwd
Changing password for ssh
New password:
Bad password: too weak
Retype password:
Password for ssh changed by root


the bad password error comes up even with a 16 alphanumeric, so I'm not sure wtf that's about

ssh still does not work when I try, however

Code:
busybox login ssh

returns a password prompt, which accepts when entered correctly, which takes me to an ash shell, as prompted to in the /etc/passwd file

I hope that helps some.

I'm pretty sure you could set the root password, now that it's empty set, but I haven't studied the boot procedure
and I do not want to bork up something that mounts as root expecting no password.

I'd rather have a locked phone than an unlocked brick =]

anyone have the guts to try?
 

staulkor

Wow, good info :) Thanks for catching my typos. I have edited the first post with the corrections.

Looks like you are getting somewhere with applying a password. The only reason I said to ssh to root@<ip address> was because I was assuming that would be the account ;) I do know that you can put [email protected]<ip address> and it will still try to authenticate, but I think root is a reasonable assumption.

Anyways, I am off to bed soon, so android development will cease until tomorrow after class.

My plan is to configure dropbear to take public authentication keys instead of passwords.

I am pretty sure it will work, but I just need to confirm.
 

staulkor

I have been messing with public key authentication for about an hour now. It is accepting it, but saying "Permission denied (publickey)". I am assuming it's saying that because I honestly have no idea where the authorized_keys file goes. I put it in /system/etc/dropbear thinking it will look in the same spot where the private keys are for the server, but no luck.

The only setting in the options.h file before I compile is to enable pub key auth (and yes, it is enabled). I guess tomorrow I will hunt through the code looking to see how it looks for this file.
 

drak0

I have been messing with public key authentication for about an hour now. It is accepting it, but saying "Permission denied (publickey)". I am assuming it's saying that because I honestly have no idea where the authorized_keys file goes. I put it in /system/etc/dropbear thinking it will look in the same spot where the private keys are for the server, but no luck.

make sure authorized_keys2 has permissions of '600' (chmod 600 authorized_keys2). That *might* be why dropbear is bitching...

Although, this assumes you are putting it in the correct place - usually ~/.ssh/... but if $HOME isn't defined... *shrug*

Good luck! :)
 

biktor_gj

Howdy Boys
...
so I did
Code:
busybox echo root:x:0:0:root:/root:/ > /etc/passwd
...

from there passwd works
I'm pretty sure you could set the root password, now that it's empty set, but I haven't studied the boot procedure
and I do not want to bork up something that mounts as root expecting no password.

I'd rather have a locked phone than an unlocked brick =]

anyone have the guts to try?

You can clone the root user id and you don't need to touch the "root's line" or his password for anything...

echo root:x:0:0:root:/root:/ > /etc/passwd
echo justme:x:0:0:justme:/justme:/ >> /etc/passwd

So you have a second user with the same uid, with a different password on shadow or passwd file. This way, when you enter the username justme with justme's password, you should get a root shell based on the uid. This works normally on Fedora and Debian, it should work on android too (even with busybox...)
 

CleverJake37

Nada
that didn't do it
though that is a neat trick
thanks, I'm gonna use it in the future
=]

so I ran
Code:
dropbear -F -E

to monitor to stdout and not background it

I tried sshing in via [email protected] and [email protected]
and it returned

Code:
[792] Nov 07 02:48:57 login attempt for nonexistent user from 192.168.0.11:47790

confirming my earlier beliefs
=[

I also tried the -s option in dropbear to allow for passwordless logins, but to no avail

return from

Code:
ssh -v 192.168.1.8

Code:
OpenSSH_5.1p1 Debian-3ubuntu1, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.0.8 [192.168.0.8] port 22.
debug1: Connection established.
debug1: identity file /home/patrick/.ssh/identity type -1
debug1: identity file /home/patrick/.ssh/id_rsa type -1
debug1: identity file /home/patrick/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version android-dropbear_0.51
debug1: no match: android-dropbear_0.51
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Host '192.168.0.8' is known and matches the RSA host key.
debug1: Found key in /home/patrick/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/patrick/.ssh/identity
debug1: Trying private key: /home/patrick/.ssh/id_rsa
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/patrick/.ssh/id_dsa
debug1: No more authentication methods to try.
Permission denied (publickey).


seems like it's attempting to read the key, but it's not able to for some reason

I think the biggest issue is creating a userbase that dropbear can read from
 

Dimath

Ah, what a crap...
I downloaded the sources of dropbear, it gives this message when some function "getpwnam((char*)username)" returns NULL. It's a system function or something, I mean, it's not a part of dropbear. Description from Internet: "getpwnam - get passwd record given user login name". Searching around, I guess it is looking in /etc/passwd for the record for the given username.

I tried to create /etc/passwd file and /etc/group, and I am even able to use /system/bin/login to login as root (with password) or as a user created by 'adduser', but all that does not affect the dropbear error message in any way.

So, I ran out of ideas :-/ Would be good to compile dropbear from sources to know for sure what it is doing, but sounds too complicated. Actually, people who compiled the android version should know how it works...
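
The getpwnam() lookup described in the post above can be checked directly. The following C program is an added example, not code from the thread or from dropbear: it reads a passwd-format file itself, counts the UID 0 entries in it, and separately asks the C library for the same name, so a user that exists in the file but is unknown to libc shows up as a mismatch. The path /tmp/passwd_sample.txt and all function names are assumptions of this example; the sample lines are the two posted earlier in the thread.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

struct file_entry { int found; long uid; char shell[128]; };

/* Constructed sample: the two /etc/passwd lines posted earlier in the thread. */
int write_sample(const char *path) {
    FILE *fp = fopen(path, "w");
    if (!fp) return -1;
    fputs("root:x:0:0:root:/root:/\njustme:x:0:0:justme:/justme:/\n", fp);
    return fclose(fp);
}

/* Split on ':' by hand; strtok() would silently skip empty fields. */
static int split_fields(char *line, char *f[], int max) {
    int n = 0;
    for (char *p = line; n < max; ) {
        f[n++] = p;
        if (!(p = strchr(p, ':'))) break;
        *p++ = '\0';
    }
    return n;
}

/* Read the file directly: 1 = name present, 0 = absent, -1 = unreadable.
   *uid0 receives the number of entries whose UID is 0. */
int lookup_in_file(const char *path, const char *name, struct file_entry *out, int *uid0) {
    char line[512], *f[7], *end;
    FILE *fp = fopen(path, "r");
    memset(out, 0, sizeof *out);
    *uid0 = 0;
    if (!fp) return -1;
    while (fgets(line, sizeof line, fp)) {
        line[strcspn(line, "\r\n")] = '\0';
        if (split_fields(line, f, 7) < 7) continue;   /* blank or malformed */
        long uid = strtol(f[2], &end, 10);
        if (end == f[2] || *end != '\0') continue;    /* UID not numeric */
        if (uid == 0) (*uid0)++;
        if (!out->found && strcmp(f[0], name) == 0) {
            out->found = 1; out->uid = uid;
            snprintf(out->shell, sizeof out->shell, "%s", f[6]);
        }
    }
    fclose(fp);
    return out->found;
}

/* What a daemon that calls getpwnam() sees, whatever the file says. */
int libc_knows(const char *name) { return getpwnam(name) != NULL; }

/* A login shell must be an executable regular file; a directory like "/" is not. */
int shell_is_runnable(const char *shell) {
    struct stat st;
    return stat(shell, &st) == 0 && S_ISREG(st.st_mode) && access(shell, X_OK) == 0;
}

int main(void) {
    const char *path = "/tmp/passwd_sample.txt", *name = "justme";
    struct file_entry e; int uid0;
    if (write_sample(path) != 0 || lookup_in_file(path, name, &e, &uid0) < 0) return 1;
    printf("file: %s %s, uid %ld, shell \"%s\", runnable=%d\n", name,
           e.found ? "present" : "absent", e.uid, e.shell, shell_is_runnable(e.shell));
    printf("libc: getpwnam(\"%s\") %s\n", name, libc_knows(name) ? "resolves" : "returns NULL");
    printf("uid 0 entries in file: %d\n", uid0);
    return 0;
}
```

Android's Bionic libc answers getpwnam() from a built-in table of Android IDs rather than from /etc/passwd, which is the kind of mismatch this program makes visible. More than one UID 0 entry in the file is also worth flagging when auditing a device.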
 

Top Liked Posts

    1
    Looks like somebody beat you to it!

    http://www.upche.org/doku.php?id=wiki:android4

    This is only confirmed on the emulator. I guess install dropbear on the emulator (watch out, when you close the emulator, you will have to reinstall everything again the next time it boots up) and then try this out and see if you can login.
    1
    For anyone who's still struggling with it, I got it working. All I did was add:

    Code:
    service sshd /system/bin/sh /system/bin/rundropbear
    oneshot

    to the end of /system/init.rc. This calls my rundropbear script which is simply:

    Code:
    #!/system/bin/sh
    dropbear -A paul -C <password> -R /system/etc/dropbear/authorized_keys -U0 -G0

    And now I can log in with [email protected], with password and sshkey auth :)
    1
    Binaries

    Hey guys,

    This thread hasn't had any activity since last month, but since no one else posted them, I thought I should put some dropbear binaries up for people to use.

    I did not compile these, instead I shamelessly extracted them from someone else's rom. They look to be compiled without any changes, so it's probably cool, but if he contacts me, I'll pull them.

    I don't know how to put them into an update.zip for flashing, so you'll have to copy them to your phone manually. I REPEAT, YOU CANNOT FLASH THE ATTACHED ZIP, AND HAVE TO EXTRACT IT AND COPY THE FILES OVER MANUALLY. I've included instructions below.

    If you push the 95dropbear file, it will start on boot. I have not noticed any battery loss associated with leaving dropbear running, waiting for connections.

    Login as root, pw is password. You can change the password by editing the 95dropbear file (replace -Y with -C if you want to use a cleartext password).

    Terminal Emulator:
    Code:
    mount -o remount,rw /system
    cp /sdcard/dropbear /system/bin/dropbear
    cp /sdcard/dropbearkey /system/bin/dropbearkey
    cp /sdcard/95dropbear /system/etc/init.d/95dropbear
    chmod 755 /system/bin/dropbear /system/bin/dropbearkey /system/etc/init.d/95dropbear

    ADB:
    Code:
    adb remount
    adb push dropbear /system/bin/dropbear
    adb push dropbearkey /system/bin/dropbearkey
    adb push 95dropbear /system/etc/init.d/95dropbear
    adb shell chmod 755 /system/bin/dropbear /system/bin/dropbearkey /system/etc/init.d/95dropbear