Dropbear SFTP Access - SOLVED

morockin
DD-WRT Novice


Joined: 23 Nov 2010
Posts: 4

Posted: Tue Nov 30, 2010 21:22    Post subject: Dropbear SFTP Access - SOLVED
Apologies if this post is not well laid out, this is the first time I have posted an answer rather than a response.

I have been trying to get sftp to work in DD-Wrt/Optware for the last week using the tutorials on this site. My goal was to have SFTP access without installing OpenSSH (which eats up more resources than necessary if you can get Dropbear to work). Here is the process I finally came up with that actually enables SFTP under Dropbear.

Enabling SFTP in Dropbear

(This tutorial assumes you have optware installed and mounted at /opt)

Step 1 - Install Packages

#Dropbear
ipkg install dropbear

#SFTP Server
ipkg install openssh-sftp-server

Step 2 - Copy DD-Wrt Original Dropbear (Optional Step)

#I think the dropbear ipkg install is somehow incomplete, so I copied the existing dropbear in dd-wrt to be sure.

cp /usr/sbin/dropbear /opt/sbin/dropbear
cp /usr/sbin/dropbearmulti /opt/sbin/dropbearmulti

Step 3 - Correct RSA and DSS Key Locations

#This is the primary omission in other HOWTO's

vi /opt/etc/default/dropbear

#Add the following two values
DROPBEAR_RSA=/opt/etc/dropbear/dropbear_rsa_host_key
DROPBEAR_DSS=/opt/etc/dropbear/dropbear_dss_host_key

#Change the port for Dropbear to whatever you like
DROPBEAR_PORT=XX #I suggest something other than 22 or 2222

Step 4 - Modify the Dropbear Service File

#This is to correct the paths to the RSA and DSS files
vi /opt/etc/init.d/S51dropbear

#Add the following to the "/opt/sbin/dropbear -p $DROPBEAR_PORT" line
-d $DROPBEAR_DSS -r $DROPBEAR_RSA

Step 5 - Modify the Dropbear Files

#telnet in to router so that you don't get booted when you kill dropbear

killall dropbear #to kill existing process

perl -pi -e 's/\/usr\/libexec\/sftp-server/\/opt\/libexec\/sftp-server/g' /opt/sbin/dropbearmulti

perl -pi -e 's/\/usr\/libexec\/sftp-server/\/opt\/libexec\/sftp-server/g' /opt/sbin/dropbear

reboot

And voila, that should allow you to SFTP in to whatever port you set in Step 3
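
An added example, not part of the original post: the Step 5 substitution is safe on a binary only because both paths are the same length, and the "sftp-server: not found" error reported later in this thread is what an unpatched binary produces. The function names `patch_sftp_path`, `sftp_path_in` and `demo` are hypothetical, and the sample file is constructed, not a real Dropbear binary.

```shell
#!/bin/sh
# Added example (not from the thread): verified, same-length path patch.
OLD=/usr/libexec/sftp-server   # path the stock binary looks for (from the thread)
NEW=/opt/libexec/sftp-server   # path used after the Optware install (from the thread)

# patch_sftp_path FILE: rewrite OLD to NEW inside FILE, refusing to install
# a result that changed size or still contains OLD. Keeps FILE.orig.
patch_sftp_path() {
    f=$1
    # Equal length is what makes the edit safe: a longer or shorter string
    # would shift every later offset and corrupt the executable.
    [ "${#OLD}" -eq "${#NEW}" ] || { echo "length mismatch" >&2; return 2; }
    [ -f "$f" ] || { echo "$f: no such file" >&2; return 3; }
    cp -p "$f" "$f.orig" || return 4
    if command -v perl >/dev/null 2>&1; then
        perl -pe "s|\Q$OLD\E|$NEW|g" "$f.orig" > "$f.new" || return 5
    else   # fallback when perl is not installed
        LC_ALL=C sed "s|$OLD|$NEW|g" "$f.orig" > "$f.new" || return 5
    fi
    if [ "$(wc -c < "$f.orig")" -ne "$(wc -c < "$f.new")" ] ||
       LC_ALL=C grep -a -F -q "$OLD" "$f.new" ||
       ! LC_ALL=C grep -a -F -q "$NEW" "$f.new"; then
        rm -f "$f.new"; echo "$f: patch failed verification" >&2; return 6
    fi
    cat "$f.new" > "$f" && rm -f "$f.new"   # overwrite in place, keeps mode
}

# sftp_path_in FILE: print the sftp-server path(s) embedded in FILE, to see
# whether the binary that is actually running was the one that got patched.
sftp_path_in() {
    LC_ALL=C grep -a -o '/[a-z]*/libexec/sftp-server' "$1" | sort -u
}

# Constructed stand-in for a binary: NUL-separated strings, not a real ELF.
demo() {
    d=$(mktemp -d) || return 1
    printf 'ELF\0\0hdr\0%s\0tail\0\n' "$OLD" > "$d/dropbear"
    patch_sftp_path "$d/dropbear" && echo "now points at: $(sftp_path_in "$d/dropbear")"
}
demo
```

Running `sftp_path_in` against both `/usr/sbin/dropbear` and `/opt/sbin/dropbear` shows which copy still points at `/usr/libexec`.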
crashfly
DD-WRT Guru


Joined: 24 Feb 2009
Posts: 2026
Location: Sol System > Earth > USA > Arkansas

Posted: Wed Dec 01, 2010 0:31    Post subject: Re: Dropbear SFTP Access - SOLVED
morockin wrote:
perl -pi -e 's/\/usr\/libexec\/sftp-server/\/opt\/libexec\/sftp-server/g' /opt/sbin/dropbearmulti

perl -pi -e 's/\/usr\/libexec\/sftp-server/\/opt\/libexec\/sftp-server/g' /opt/sbin/dropbear

Doesn't this assume you have perl installed onto your router?

Second question: Will the steps laid out stay active over every reboot?

_________________
E3000 22200M KongVPN K26
WRT600n v1.1 refirb mega 18767 BS K24 NEWD2 [not used]
WRT54G v2 16214 BS K24 [access point]

Try Dropbox for syncing files - get 2.5gb online for free by signing up.

Read! Peacock thread
*PLEASE* upgrade PAST v24SP1 or no support.
morockin
DD-WRT Novice


Joined: 23 Nov 2010
Posts: 4

Posted: Wed Dec 01, 2010 1:11
The quick answer is yes and yes.

Yes, you must have perl installed but I believe that it is automatic if you use frater's optware script. If you don't have perl, then you could try the "sed" method in the SFTP wiki.

And, yes, the changes are persistent. On reboot, the defined port will still accept SFTP connections.

I should point out that none of this would be necessary if the dd-wrt developers simply included the SFTP in /usr/libexec rather than forcing us to use this optware workaround.
juso
DD-WRT Novice


Joined: 14 Sep 2010
Posts: 5

Posted: Wed Dec 08, 2010 19:30    Post subject: Re: Dropbear SFTP Access - SOLVED
morockin wrote:
Apologies if this post is not well laid out, this is the first time I have posted an answer rather than a response.

......
......

Step 5 - Modify the Dropbear Files

#telnet in to router so that you don't get booted when you kill dropbear

killall dropbear #to kill existing process

perl -pi -e 's/\/usr\/libexec\/sftp-server/\/opt\/libexec\/sftp-server/g' /opt/sbin/dropbearmulti

perl -pi -e 's/\/usr\/libexec\/sftp-server/\/opt\/libexec\/sftp-server/g' /opt/sbin/dropbear

reboot

And voila, that should allow you to SFTP in to whatever port you set in Step 3


Hi morockin

Thank you very much for your directions. I followed the instructions but have a problem that after all this done I got 2 versions of dropbear running on the router, one is old, from /usr/sbin/ with all the default arguments and another one from /opt/sbin/ with correct arguments. The old one seems starting earlier than the new one and thus occupying the port. Tried to disable the SSHd in web-gui but then it also closes the port, so now need to mess with iptables. Did you have any of such problems on your router?

Have a good day
morockin
DD-WRT Novice


Joined: 23 Nov 2010
Posts: 4

Posted: Thu Dec 09, 2010 2:57    Post subject: Two Dropbear(s)
For wholly unrelated reasons, I actually have both Dropbear versions running (I don't want certain users with SSH rights to have SFTP access) on different ports. To solve your problem, I would simply use a script to kill the "original" Dropbear process before loading the "fixed" version. The easiest thing to do would be to edit the S80dropbear script to kill first and load second. Are you comfortable with scripting?
juso
DD-WRT Novice


Joined: 14 Sep 2010
Posts: 5

Posted: Thu Dec 09, 2010 18:26    Post subject: Re: Two Dropbear(s)
morockin wrote:
For wholly unrelated reasons, I actually have both Dropbear versions running (I don't want certain users with SSH rights to have SFTP access) on different ports. To solve your problem, I would simply use a script to kill the "original" Dropbear process before loading the "fixed" version. The easiest thing to do would be to edit the S80dropbear script to kill first and load second. Are you comfortable with scripting?


Ah, ok, I see. Yes, I can do the scripting (not too familiar with Linux scripting but this sounds not too tricky).

Also, I tried the optware dropbear and for some reasons it doesn't work with WAN connections (ssh port opened with iptables). If I kill it and start the built in dropbear - everything is fine (with both WAN and LAN connections), if I kill the built-in one and start the optware one - it doesn't work with WAN, while working with LAN connections. Very strange, will try to update with perl the built-in dropbear, may be optware one got a bug or something.

Thank you anyway!
crashfly
DD-WRT Guru


Joined: 24 Feb 2009
Posts: 2026
Location: Sol System > Earth > USA > Arkansas

Posted: Thu Dec 09, 2010 22:37    Post subject: Re: Two Dropbear(s)
juso wrote:
Ah, ok, I see. Yes, I can do the scripting (not too familiar with Linux scripting but this sounds not too tricky).

Also, I tried the optware dropbear and for some reasons it doesn't work with WAN connections (ssh port opened with iptables). If I kill it and start the built in dropbear - everything is fine (with both WAN and LAN connections), if I kill the built-in one and start the optware one - it doesn't work with WAN, while working with LAN connections. Very strange, will try to update with perl the built-in dropbear, may be optware one got a bug or something.

Thank you anyway!

It is likely there is an additional port used for data transfers on SFTP (not entirely sure). If that is the case, then that would account for it not working on the WAN.

juso
DD-WRT Novice


Joined: 14 Sep 2010
Posts: 5

Posted: Sun Dec 12, 2010 11:17    Post subject: Re: Two Dropbear(s)
juso wrote:

Ah, ok, I see. Yes, I can do the scripting (not too familiar with Linux scripting but this sounds not too tricky).

Also, I tried the optware dropbear and for some reasons it doesn't work with WAN connections (ssh port opened with iptables). If I kill it and start the built in dropbear - everything is fine (with both WAN and LAN connections), if I kill the built-in one and start the optware one - it doesn't work with WAN, while working with LAN connections. Very strange, will try to update with perl the built-in dropbear, may be optware one got a bug or something.

Thank you anyway!


Just as an update for anyone who may face same issue - the problem was with iptables, appending PREROUTING statement (-A), which adds the rule at the end of the tables, once I inserted the statement at the beginning of table (with -I) everything seems to work. So, if you want to run opt-ware dropbear on WAN port, then do all the above, as in the first post of the thread by morockin, then disable the default dropbear (SSHd) in the web-interface, which will remove all routing rules from the iptables and then add following rules:

iptables -I INPUT -p tcp -m tcp -d `nvram get lan_ipaddr` --dport 22 -j logaccept
iptables -t nat -I PREROUTING -p tcp -m tcp -d `nvram get wan_ipaddr` --dport 2222 -j DNAT --to-destination `nvram get lan_ipaddr`:22


obviously changing 2222 to the WAN port you want to use for working with SSH.
can't flash
DD-WRT User


Joined: 14 Jan 2010
Posts: 73
Location: Flint, Michigan

Posted: Sun Mar 27, 2011 5:43    Post subject: SFTP Not Working Again?
I attempted to get SFTP to work following these steps here. Does anyone know if the newer builds are different? Also, does running Samba offer the same file-transfer capability as would SFTP? Sorry if that's a n00b question
_________________
Netgear R7800
DD-WRT v3.0-r54545 std
Release: 12/18/2023 (SVN revision: 54545)
mofonyx
DD-WRT Novice


Joined: 11 Aug 2010
Posts: 6

Posted: Sat May 28, 2011 22:41    Post subject: Re: Two Dropbear(s)
juso wrote:
juso wrote:

Ah, ok, I see. Yes, I can do the scripting (not too familiar with Linux scripting but this sounds not too tricky).

Also, I tried the optware dropbear and for some reasons it doesn't work with WAN connections (ssh port opened with iptables). If I kill it and start the built in dropbear - everything is fine (with both WAN and LAN connections), if I kill the built-in one and start the optware one - it doesn't work with WAN, while working with LAN connections. Very strange, will try to update with perl the built-in dropbear, may be optware one got a bug or something.

Thank you anyway!


Just as an update for anyone who may face same issue - the problem was with iptables, appending PREROUTING statement (-A), which adds the rule at the end of the tables, once I inserted the statement at the beginning of table (with -I) everything seems to work. So, if you want to run opt-ware dropbear on WAN port, then do all the above, as in the first post of the thread by morockin, then disable the default dropbear (SSHd) in the web-interface, which will remove all routing rules from the iptables and then add following rules:

iptables -I INPUT -p tcp -m tcp -d `nvram get lan_ipaddr` --dport 22 -j logaccept
iptables -t nat -I PREROUTING -p tcp -m tcp -d `nvram get wan_ipaddr` --dport 2222 -j DNAT --to-destination `nvram get lan_ipaddr`:22


obviously changing 2222 to the WAN port you want to use for working with SSH.


Hi,

I'm trying to get this to work but everything is greek to me I have no idea what's going on.

My External SSH port is 2244 and the Dropbear port is 2245.

How do I go about making this accessible via WAN?

Many thanks.
yuvi
DD-WRT Novice


Joined: 29 Feb 2012
Posts: 1

Posted: Wed Feb 29, 2012 6:49    Post subject: Not able to setup SFTP
Hi,
Morockin,

I followed your step but still getting the following error, when I tried to connect from command prompt:

Code:
$sftp root@192.168.10.1
DD-WRT v24-sp2 big (c) 2009 NewMedia-NET GmbH
Release: 12/07/09 (SVN revision: 13401)
root@192.168.10.1's password:
sh: /usr/libexec/sftp-server: not found
Connection closed



My Router is Linksys WRT610N ver.2

Could you please give me some direction to enable SFTP..

Thanks,
Yuvi
volitation
DD-WRT User


Joined: 30 Dec 2011
Posts: 91

Posted: Thu Jun 28, 2012 20:23
Works on E4200 running big build # 19327.