eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9677 Location: almost Mile High in the USA
Posted: Sat Aug 27, 2022 3:20 pm. Post subject: SOLVED: building an initramfs with dropbear...
I was trying to drop a dropbear on my minimal initramfs. Unfortunately when running it, it claims none of the users are available: if I ssh root@initramfsmachine it reports 'root' as an invalid user despite not setting -w (disallow root) or -g (disallow password root logins), and despite root being in /etc/passwd. Adding another user in /etc/passwd also gets rejected as an invalid user.
As far as I can tell by looking at the source code, I think getpwnam is failing. I dared not install gdb on my initramfs to debug...
Anyone have an idea why it's rejecting users in /etc/passwd, to get an initramfs working with dropbear? My current guess is that I'm missing some file somewhere? Probably something with glibc...
edit: corrected function name...
---Solved---
Needed to copy the optional /lib/libnss* to the initramfs and mount devpts!
pingtoo l33t
Joined: 10 Sep 2021 Posts: 918 Location: Richmond Hill, Canada
Posted: Sat Aug 27, 2022 3:40 pm.
Is your dropbear statically linked? Is it a MULTI build? Which libc is used?
In which state was your dropbear server started? After devtmpfs was mounted?
I don't necessarily know the details of how dropbear works, but I'd like to build an initrd with dropbear also, so I would like to help debug this problem to learn how to configure/build it correctly.
eccerr0r Watchman
Posted: Sat Aug 27, 2022 8:00 pm.
Not statically built, not multilib(x86)/not multicall(separate dropbear and dbclient), and using glibc.
Started after devtmpfs mounted.
Actually I might have to say I did cheat, and this might have to be in unsupported software, as I built this binary without portage so I could statically build the internal libtom but also have it dynamically link to glibc ...oops... But anyway.
pingtoo l33t
Posted: Sat Aug 27, 2022 8:47 pm.
I checked the repo; the README says (dropbear/README):
"If the server is run as non-root, you most likely won't be able to allocate a pty, and you cannot login as any user other than that running the daemon (obviously). Shadow passwords will also be unusable as non-root."
So did you start dropbear as root?
I am sure you did not link with PAM, right?
How do you set up the host key(s)? Do you pre-generate and copy them into the initrd, or use the "-R" option?
What are the dropbear command line options you used to start it?
How did you determine the failed login is due to "invalid user"? Did dropbear log an error message?
eccerr0r Watchman
Posted: Sat Aug 27, 2022 9:02 pm.
Only root on initramfs.
Built without pam or shadow.
Used -R to get the host key and forgot the other options. I logged to stderr and saw the error on stderr.
pingtoo l33t
Posted: Sat Aug 27, 2022 9:14 pm.
I am curious how it works without shadow; I think glibc would need to be built/configured to bypass /etc/shadow.
I will have a look at the source code to see how the code path works when using the configure option "--disable-shadow".
pingtoo l33t
Posted: Sat Aug 27, 2022 10:15 pm.
Does your initrd have /etc/shells?
According to dropbear/srv-auth.c:
"/* Check that the username exists and isn't disallowed (root), and has a valid shell."
So check /etc/passwd: your root entry's shell field should have a value matching an entry in /etc/shells, or be empty, in which case dropbear assumes it is "/bin/sh"; and a missing /etc/shells will set the default shell list to "/bin/sh, /bin/csh".
eccerr0r Watchman
Posted: Sat Aug 27, 2022 10:17 pm.
Hmm ... Gives me some ideas to try... Glibc might be freaking out due to incomplete shadow ...
No, not sure if it was that check that failed, backtracking through the logic, the error must have been a getpwnam that failed...
---- edit ----
My conclusion may or may not be right ... I tried tracing the binary and it never even tried to check /etc/passwd for entries which is darn weird...
---- edit ----
Corrected function name
pingtoo l33t
Posted: Sat Aug 27, 2022 11:31 pm.
Can you share the exact error message for those failed sessions?
Is it "Max auth tries reached - user is invalid"?
It will help to know the error message because there are several code logic paths that will exit(1) with an error message; this will help narrow down which path the logic took.
eccerr0r Watchman
Posted: Sun Aug 28, 2022 12:14 am.
"Login attempt for nonexistent user"
Using debug statements, it is failing with ENOENT.
-EDIT-
FOUND IT.
Looks like I neglected to copy the optional /lib/libnss* shared libraries...
Now onto the next problem: no ptys...
pingtoo l33t
Posted: Sun Aug 28, 2022 1:06 am.
Thanks for the information.
I am not sure if it is possible to get that error message without reading /etc/passwd. As far as I can tell from the code logic, it will require getpwnam(); however, since glibc can use nsswitch.conf to direct where to get passwd entries, do you have an /etc/nsswitch.conf file in your initrd? If you do have /etc/nsswitch.conf, the "passwd:" entry should have "files" in it.
Also, are the /etc/passwd permissions correct? If it is more than root:rw I wonder whether getpwnam() may fail.
Finally, could /etc/passwd be corrupted, with hidden character(s) embedded? In one of my early debug sessions in this forum, each line of /etc/passwd had an extra blank at EOL, so the sudo/su error was always "shell" not found, which is very confusing since the "shell" binary does exist in the file system. The OP only found out because he saw someone use a Windows tool to edit the file.
eccerr0r Watchman
Posted: Sun Aug 28, 2022 1:17 am.
Didn't need nsswitch.conf, but needed the optional shared libraries. Now to figure out how to create a pty...
Solved!!! Just needed to mount /dev/pts and all is well!
Thanks, we're done, off to finalizing my initramfs!
pingtoo l33t
Posted: Sun Aug 28, 2022 1:22 am.
Just remembered a command line tool you can use: *getent*. It is part of glibc (I think). Maybe try to load it into your initrd to help debug. On my machine it is in /usr/bin/getent.
Use it to verify /etc/passwd.
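A staging-tree check that covers the items this thread turned up (added example, not code from the posts or from dropbear): the glibc NSS library behind getpwnam(), the passwd/shells agreement dropbear enforces, the nsswitch.conf and trailing-whitespace points raised above, and a devpts mount in init. The tree root passed as $1, the lib*/ and usr/lib*/ library locations and the $1/init script path are assumptions.

```shell
# Added example, not from the thread: check an initramfs staging tree for the
# things dropbear turned out to need before it would accept a login. Assumed:
# tree rooted at $1, NSS libs under lib*/ or usr/lib*/, init script at $1/init.
check_initramfs_auth() {
  root=$1; rc=0
  # 1. glibc resolves getpwnam() through NSS; without libnss_files.so the
  #    lookup fails with ENOENT and dropbear reports a nonexistent user.
  found=0
  for f in "$root"/lib*/libnss_files.so* "$root"/usr/lib*/libnss_files.so*; do
    if [ -e "$f" ]; then found=1; fi
  done
  if [ "$found" -eq 0 ]; then
    echo "FAIL: no libnss_files.so* in the tree (getpwnam will fail)"; rc=1
  fi
  # 2. If nsswitch.conf is shipped, passwd lookups must be routed to "files".
  if [ -f "$root/etc/nsswitch.conf" ] &&
     ! grep -q '^passwd:.*files' "$root/etc/nsswitch.conf"; then
    echo "FAIL: nsswitch.conf does not send passwd: to files"; rc=1
  fi
  # 3. Trailing blanks or CRLF endings make the shell field unmatchable.
  if grep -q '[[:space:]]$' "$root/etc/passwd" 2>/dev/null; then
    echo "FAIL: /etc/passwd has trailing whitespace or CRLF line endings"; rc=1
  fi
  # 4. dropbear checks root's shell against /etc/shells; an empty field means
  #    /bin/sh, and without /etc/shells only /bin/sh and /bin/csh are allowed.
  line=$(grep '^root:' "$root/etc/passwd" 2>/dev/null || true)
  if [ -z "$line" ]; then
    echo "FAIL: no root entry in /etc/passwd"; rc=1
  else
    shell=$(printf '%s\n' "$line" | cut -d: -f7)
    [ -n "$shell" ] || shell=/bin/sh
    if [ -f "$root/etc/shells" ]; then
      grep -qx "$shell" "$root/etc/shells" ||
        { echo "FAIL: $shell not listed in /etc/shells"; rc=1; }
    else
      case $shell in
        /bin/sh|/bin/csh) ;;
        *) echo "FAIL: $shell not in dropbear's built-in shell list"; rc=1 ;;
      esac
    fi
  fi
  # 5. ptys: devpts must be mounted before dropbear starts.
  if [ -f "$root/init" ] && ! grep -q devpts "$root/init"; then
    echo "WARN: init never mounts devpts; sessions will get no pty"
  fi
  return $rc
}
if [ $# -gt 0 ]; then check_initramfs_auth "$1"; fi
```

Run it as `sh check.sh /path/to/staging`; inside the booted initramfs, `getent passwd root` exercises the same getpwnam() path the script is trying to predict.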