Server rejects all authentication attempts unless /etc/shells contains /system/bin/sh

[flytkgl]

What is the user and password or Where should the authorized_keys file

When I put the authorized_keys file in /.ssh or /etc/dropbear or /etc/dropbear/.ssh and use the private key to login, it still prompts that the private key is not registered

[ribbons]

Just wanted to check, are you referring to using the dropbear (e.g. SSH server) binary rather than the dbclient binary?

[flytkgl]

using dropbear . I put it in the /system/bin directory of the TV box and accessed it from my computer, but it kept telling me that the private key was not registered

I think dropbear need to do some adjustment can be used independently in the android system, such as parameter specifies the user name password, run the permissions, etc., refer to https://github.com/pengrui2009/dropbear-android

[ribbons]

Yes, as I mention in the readme, i don't use the dropbear server myself so it is quite likely to need further configuration before it is usable. I would guess that dropbear would be trying to look in the user's home directory (wherever Android reports that to be). I found that when running dbclient under a standard app user this is a hardcoded (not very useful) path so I ended up submitting a patch upstream to allow this to be overridden via environment variable.

[ribbons]

I've made a small update to localoptions.h to set DEBUG_TRACE to 4, so if you download the appropriate workflow asset binary for your architecture from https://github.com/ribbons/android-dropbear/actions/runs/2939324910, replace the existing dropbear binary and run it with -vvvv it should hopefully give a much clearer log as to what the issue is (e.g. show where it is looking for authorized_keys and/or detail permission errors etc).

[flytkgl]

Here's the run log. I still don't know where the authorized_keys file goes

:/data/local/tmp # ./dropbear -p :2233 -F -E -r /storage/emulated/0/.ssh/id_dropbear -vvvv                                                                                                            
TRACE4 (15597) 0.000000: enter buf_get_rsa_priv_key
TRACE4 (15597) 0.000527: enter buf_get_rsa_pub_key
TRACE4 (15597) 0.001085: leave buf_get_rsa_pub_key: success
TRACE4 (15597) 0.001675: leave buf_get_rsa_priv_key
TRACE4 (15597) 0.002053: leave loadhostkey
TRACE4 (15597) 0.002404: Disabling key type 1
TRACE4 (15597) 0.002743: Disabling key type 2
TRACE4 (15597) 0.003353: Disabling key type 3
TRACE4 (15597) 0.003791: Disabling key type 4
TRACE4 (15597) 0.004644: Disabling key type 6
TRACE4 (15597) 0.005057: Disabling key type 5
TRACE4 (15597) 0.005749: Disabling key type 7
TRACE4 (15597) 0.006240: listensockets: 1 to try
TRACE4 (15597) 0.006853: listening on ':2233'
TRACE4 (15597) 0.007400: enter dropbear_listen
TRACE4 (15597) 0.007909: dropbear_listen: all interfaces
TRACE4 (15597) 0.010085: leave dropbear_listen: success, 2 socks bound
TRACE4 (15597) 0.010253: Couldn't set IPV6_TCLASS (Protocol not available)
[15597] Aug 29 10:08:55 Not backgrounding
[15613] Aug 29 10:08:58 Child connection from 192.168.1.118:5403
TRACE4 (15613) 3.920112: enter session_init
TRACE4 (15613) 3.920735: setnonblocking: 5
TRACE4 (15613) 3.921224: leave setnonblocking
TRACE4 (15613) 3.921704: setnonblocking: 5
TRACE4 (15613) 3.922188: leave setnonblocking
TRACE4 (15613) 3.922669: update_channel_prio
TRACE4 (15613) 3.923244: update_channel_prio: not any
TRACE4 (15613) 3.923916: Dropbear priority transitioning 0 -> 1
TRACE4 (15613) 3.924488: Couldn't set IPV6_TCLASS (Protocol not available)
TRACE4 (15613) 3.925704: setnonblocking: 3
TRACE4 (15613) 3.926240: leave setnonblocking
TRACE4 (15613) 3.927357: setnonblocking: 4
TRACE4 (15613) 3.928089: leave setnonblocking
TRACE4 (15613) 3.928978: leave session_init
TRACE4 (15613) 3.929678: kexinitialise()
TRACE4 (15613) 3.930180: algolist add 187 'curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,kexguess2@matt.ucc.asn.au'
TRACE4 (15613) 3.930489: algolist add 20 'rsa-sha2-256,ssh-rsa'
TRACE4 (15613) 3.931266: algolist add 51 'chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr'
TRACE4 (15613) 3.931449: algolist add 51 'chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr'
TRACE4 (15613) 3.931558: algolist add 23 'hmac-sha1,hmac-sha2-256'
TRACE4 (15613) 3.931810: algolist add 23 'hmac-sha1,hmac-sha2-256'
TRACE4 (15613) 3.931920: algolist add 21 'zlib@openssh.com,none'
TRACE4 (15613) 3.932025: algolist add 21 'zlib@openssh.com,none'
TRACE4 (15613) 3.932225: DATAALLOWED=0
TRACE4 (15613) 3.932777: -> KEXINIT
TRACE4 (15613) 3.932946: maybe_empty_reply_queue - no data allowed
TRACE4 (15613) 3.933159: empty queue dequeing
TRACE4 (15613) 3.934880: enter ident_readln
TRACE4 (15613) 3.935864: leave ident_readln: return 49
TRACE1 (15613) 3.936202: remoteident: SSH-2.0-nsssh2_5.0.0045 NetSarang Computer, Inc.
TRACE4 (15613) 3.936290: maybe_empty_reply_queue - no data allowed
TRACE4 (15613) 3.936463: process_packet: packet type = 20,  len 1408
TRACE4 (15613) 3.936545: got expected packet 20 during kexinit
TRACE4 (15613) 3.936612: <- KEXINIT
TRACE4 (15613) 3.936683: enter recv_msg_kexinit
TRACE3 (15613) 3.936884: buf_match_algo: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
TRACE4 (15613) 3.936989: kexguess2 0
TRACE3 (15613) 3.937058: kex algo curve25519-sha256@libssh.org
TRACE3 (15613) 3.937131: buf_match_algo: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256,ssh-ed25519
TRACE2 (15613) 3.937204: hostkey algo ssh-rsa
TRACE3 (15613) 3.937289: buf_match_algo: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,aes256-ctr,aes192-ctr,aes128-ctr,rijndael-cbc@lysator.liu.se,arcfour128,arcfour256
TRACE2 (15613) 3.937391: enc  c2s is aes256-ctr
TRACE3 (15613) 3.937477: buf_match_algo: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,aes256-ctr,aes192-ctr,aes128-ctr,rijndael-cbc@lysator.liu.se,arcfour128,arcfour256
TRACE2 (15613) 3.937575: enc  s2c is aes256-ctr
TRACE3 (15613) 3.937664: buf_match_algo: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,none
TRACE2 (15613) 3.937742: hmac c2s is hmac-sha2-256
TRACE3 (15613) 3.937809: buf_match_algo: hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96,hmac-md5,hmac-md5-96,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,none
TRACE2 (15613) 3.937884: hmac s2c is hmac-sha2-256
TRACE3 (15613) 3.937951: buf_match_algo: none
TRACE2 (15613) 3.938017: comp c2s is none
TRACE3 (15613) 3.938083: buf_match_algo: none
TRACE2 (15613) 3.938148: comp s2c is none
TRACE4 (15613) 3.938240: leave recv_msg_kexinit
TRACE4 (15613) 3.938325: maybe_empty_reply_queue - no data allowed
TRACE4 (15613) 3.938438: process_packet: packet type = 30,  len 42
TRACE4 (15613) 3.938513: got expected packet 30 during kexinit
TRACE4 (15613) 3.938582: enter recv_msg_kexdh_init
TRACE4 (15613) 3.938647: enter send_msg_kexdh_reply
TRACE4 (15613) 3.938730: enter buf_put_rsa_pub_key
TRACE4 (15613) 3.938894: leave buf_put_rsa_pub_key
TRACE4 (15613) 3.967388: enter buf_put_rsa_pub_key
TRACE4 (15613) 3.967536: leave buf_put_rsa_pub_key
TRACE4 (15613) 3.967697: buf_put_sign type 100 ssh-rsa
TRACE4 (15613) 3.967721: enter buf_put_rsa_sign
TRACE4 (15613) 4.067138: leave buf_put_rsa_sign
TRACE4 (15613) 4.067224: leave send_msg_kexdh_reply
TRACE4 (15613) 4.067236: enter send_msg_newkeys
TRACE4 (15613) 4.067268: enter gen_new_keys
TRACE4 (15613) 4.067346: leave gen_new_keys
TRACE4 (15613) 4.067375: switch_keys trans
TRACE4 (15613) 4.067385: leave send_msg_newkeys
TRACE4 (15613) 4.067397: leave recv_msg_kexdh_init
TRACE4 (15613) 4.067524: empty queue dequeing
TRACE4 (15613) 4.070814: process_packet: packet type = 21,  len 6
TRACE4 (15613) 4.071014: got expected packet 21 during kexinit
TRACE4 (15613) 4.071065: enter recv_msg_newkeys
TRACE4 (15613) 4.071075: switch_keys recv
TRACE4 (15613) 4.071085: switch_keys done
TRACE4 (15613) 4.071131: kexinitialise()
TRACE4 (15613) 4.071142: leave recv_msg_newkeys
TRACE4 (15613) 4.071216: process_packet: packet type = 5,  len 22
TRACE4 (15613) 4.071267: enter recv_msg_service_request
TRACE4 (15613) 4.072063: accepting service ssh-userauth
TRACE4 (15613) 4.072105: leave recv_msg_service_request: done ssh-userauth
TRACE4 (15613) 4.072165: empty queue dequeing
TRACE4 (15613) 4.073374: process_packet: packet type = 50,  len 40
TRACE4 (15613) 4.073564: enter recv_msg_userauth_request
TRACE4 (15613) 4.073606: enter checkusername
TRACE4 (15613) 4.073636: shell is /system/bin/sh
TRACE4 (15613) 4.073689: test shell is '/bin/sh'
TRACE4 (15613) 4.073714: test shell is '/bin/csh'
TRACE4 (15613) 4.073722: no matching shell
[15613] Aug 29 10:08:59 User 'root' has invalid shell, rejected
TRACE4 (15613) 4.073762: recv_msg_userauth_request: 'none' request
TRACE4 (15613) 4.073771: enter send_msg_userauth_failure
TRACE4 (15613) 4.073780: auth fail: methods 2, 'publickey'
TRACE4 (15613) 4.073825: leave send_msg_userauth_failure
TRACE4 (15613) 4.073866: empty queue dequeing
TRACE4 (15613) 4.076325: process_packet: packet type = 50,  len 468
TRACE4 (15613) 4.076714: enter recv_msg_userauth_request
TRACE4 (15613) 4.076751: enter checkusername
TRACE4 (15613) 4.076759: checkusername: returning cached failure
TRACE4 (15613) 4.076768: enter pubkeyauth
TRACE4 (15613) 4.076777: enter send_msg_userauth_failure
TRACE4 (15613) 4.076788: auth fail: methods 2, 'publickey'
TRACE4 (15613) 4.076834: leave send_msg_userauth_failure
TRACE4 (15613) 4.076860: leave pubkeyauth
TRACE4 (15613) 4.076905: empty queue dequeing
TRACE4 (15613) 5.991011: process_packet: packet type = 1,  len 18
[15613] Aug 29 10:09:01 Exit before auth from <192.168.1.118:5403>: (user 'root', 0 fails): Disconnect received
TRACE4 (15613) 5.991370: enter session_cleanup
TRACE4 (15613) 5.991502: enter chancleanup
TRACE4 (15613) 5.991604: leave chancleanup
TRACE4 (15613) 5.992121: leave session_cleanup

[ribbons]

Okay, so that trace was useful as we're not guessing where the failure was anymore - the server is rejecting the client here: https://github.com/mkj/dropbear/blob/a8d6dac2c53f430bb5721f913478bd294d8b52da/svr-auth.c#L330

The server is checking the root user's shell (/system/bin/sh) against a list of 'valid' shells obtained from getusershell() (/bin/sh and /bin/csh) so the check fails. As bionic (the android libc) doesn't implement that function as far as I can tell, I think the version in Dropbear's compat.c is being used: https://github.com/mkj/dropbear/blob/a8d6dac2c53f430bb5721f913478bd294d8b52da/compat.c#L207

Could you try adding the file /system/etc/shells to your device (I'm assuming /etc/ is a symlink to /system/etc) with the following content (as that should in theory get you past that particular point).

/system/bin/sh

Let me know how you get on.

[flytkgl]

Oh! I added /system/etc/shells and /.ssh/authorized_keys, and now I can login with the private key

[ribbons]

That's great news - thanks for the update :+1:

I'll rename this accordingly and mull over the best way of making /system/bin/sh the default - e.g. if there is a tidy way of making this configurable that I could submit a PR for upstream or if this is just something that should be handled locally as part of this build.

[ribbons]

Okay, I've submitted an upstream PR to resolve this issue and added that patch to the integration branch in this repo. If you wouldn't mind grabbing the binary from https://github.com/ribbons/android-dropbear/actions/runs/2989415302, installing it on your device, removing /system/etc/shells and confirming if it works correctly that would be much appreciated.