Running Dropbear Without Root Permissions
Nixon, Kent W
kwn2 at pitt.edu
Mon Jun 13 17:36:09 AWST 2016
Hi all,
As a few of you pointed out, the issue was with permissions. When run from a standard user account, dropbear did not have permission to read the /etc/shadow file. This was noted in the README, but I managed to miss it.
Figured out how to get everything up and running with key-based authentication, and now it's all running smoothly.
Thanks!
~ Kent
-----Original Message-----
From: Matt Johnston [mailto:matt at ucc.asn.au]
Sent: Sunday, June 12, 2016 9:27 PM
To: Hans Harder <hans at atbas.org>
Cc: dropbear at ucc.asn.au; Nixon, Kent W <kwn2 at pitt.edu>
Subject: Re: Running Dropbear Without Root Permissions
My guess is that the problem is related to /etc/shadow. If the crypted password there isn't readable then it will use the entry from /etc/passwd - I guess that's something like '!!' which would signify a locked account.
For testing you can always hardcode a password crypt in debug.h
Cheers,
Matt
On Sun, Jun 12, 2016 at 11:31:55AM +0200, Hans Harder wrote:
> I have it running as a separate daemon on a few systems as a non root
> user without problems..
> I changed the config.h to disable all the features which might require
> more rights than the user has or uses OS functions.... for instance
> DISABLE_PAM, DISABLE_LASTLOG, DISABLE_SYSLOG I only use the user
> daemon with ssh keys...
>
> Also I changed the locations of all the needed files to a local
> location for instance in the options.h file where the hostkeys are
> located (removed the /etc path from it)
>
> That should make it work I believe
>
>
> Hans
>
>
> On Fri, Jun 10, 2016 at 10:43 AM, Nixon, Kent W <kwn2 at pitt.edu> wrote:
>
> > Hi all,
> >
> > I'm currently testing my (default) compile settings of dropbear
> > 2016.73 on an x86_64 Ubuntu 14.04 machine. I'm running the dropbear
> > server from the terminal of a standard user account and attempting
> > to connect using dbclient as that same user from the same machine
> > just to test/learn how to use dropbear before I attempt to
> > cross-compile it and run it on an Android system.
> >
> > I currently run the following command to start the server:
> >
> > dropbear -F -p 6666 -E -R -m
> >
> > And attempt to connect (using the same machine) as the same user
> > that is running dropbear using:
> >
> > dbclient -p 6666 -y <username>@127.0.0.1
> >
> > Everything seems to work well, except that after I enter the
> > appropriate password, the client is rejected by the server which posts the message:
> >
> > User account '<username>' is locked
> >
> > However, following the same steps as above, but running the dropbear
> > server with root permissions, everything works as expected (i.e. I
> > am able to open a remote shell without any problems).
> >
> > What changes when dropbear is run with standard user permissions
> > that is causing the account to be 'locked'? Do I need to locate the
> > rsa/dss/ecdsa keys somewhere else other than /etc/dropbear/?
> >
> > Thanks in advance for your time and consideration!
> >
> > ~ Kent
> >
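
A small diagnostic for the behaviour discussed in this thread, added here as an example; it is not part of the original messages and is not Dropbear's own code. It reports which password field an unprivileged process ends up with when /etc/shadow cannot be read. The function names and the placeholder heuristic are assumptions of this example.

```c
#include <pwd.h>
#include <shadow.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Pick the field as described in the thread: the shadow entry when it
 * could be read, otherwise whatever /etc/passwd holds. */
const char *effective_crypt(const char *pw_passwd, const char *sp_pwdp)
{
    return sp_pwdp != NULL ? sp_pwdp : pw_passwd;
}

/* Heuristic (assumption of this example): returns 1 when the field can
 * never match a typed password, i.e. it is missing, is the bare "x"
 * placeholder, or starts with a '*' or '!' lock marker. An empty field
 * means "no password set", which is not the same as locked. */
int looks_locked(const char *field)
{
    if (field == NULL)
        return 1;
    if (field[0] == '\0')
        return 0;
    return strcmp(field, "x") == 0 || field[0] == '*' || field[0] == '!';
}

int main(void)
{
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL) {
        perror("getpwuid");
        return 2;
    }
    /* getspnam() returns NULL when /etc/shadow cannot be read by this
     * process or holds no entry for the user. */
    struct spwd *sp = getspnam(pw->pw_name);
    const char *field = effective_crypt(pw->pw_passwd, sp ? sp->sp_pwdp : NULL);

    /* The field itself is never printed, only the verdict. */
    printf("user=%s uid=%d shadow_entry_visible=%s\n",
           pw->pw_name, (int)getuid(), sp ? "yes" : "no");
    if (looks_locked(field)) {
        printf("password logins would fail: only a placeholder or lock marker is visible\n");
        return 1;
    }
    printf("a password hash is visible to this process\n");
    return 0;
}
```

Run it as the same unprivileged user that starts dropbear, then again as root, to compare the two results.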