[Buildroot] Persistent dropbear keys

Thomas De Schampheleire patrickdepinguin at gmail.com
Mon Jan 11 08:56:00 UTC 2016


On Fri, Jan 8, 2016 at 6:45 PM, Peter Korsgaard <peter at korsgaard.com> wrote:
>>>>>> "Thomas" == Thomas De Schampheleire <patrickdepinguin at gmail.com> writes:
>
>  > Hello,
>  > Commit e7d04dd2df8bb935c61f7c814ee88eba7e75b5e4 (package/dropbear: fix
>  > generating keys on RO file systems) (+ some subsequent commits)
>  > changed the handling of the /etc/dropbear directory. Previously
>  > /etc/dropbear was a real directory in the rootfs, now it initially is
>  > a link to /var/run/dropbear. During S50dropboar, the link is replaced
>  > with a real (empty) directory (if rootfs is writable) or a warning is
>  > given.
>
>  > I understand all this. However, what I do not understand is how you
>  > are then creating persistent dropbear keys. From how I understand the
>  > code, the keys are persistent across reboots, but not between upgrades
>  > of the rootfs, because after an upgrade a new empty /etc/dropbear is
>  > created.
>
> If your upgrade overwrites /etc/dropbear, then yes.
>
> E.G. I use a persistent writable unionfs on /etc, so changes to /etc are
> not lost after an upgrade.
>
>
>  > In my case, the rootfs is an initramfs, but mounted rw at boot time.
>
>  > The solution I have been using is with an S49dropbear_keys script that:
>  > - at 'stop', verifies the correctness of the keys in /etc/dropbear
>  > (with dropbearkey) and if ok copies them to a real persistent medium,
>  > - at 'start', verifies if there are any keys on the persistent medium,
>  > verify their correctness, and if ok copies them to /etc/dropbear.
>
> Why don't you just make /etc/dropbear a symlink to your persistent
> medium?

While I had not thought of that when designing my current solution,
doing that without additional checking can be a problem: if the key on
the persistent storage gets corrupted somehow, new connections would
no longer be possible. I.e. make a small change in the existing key in
/etc/dropbear, restart dropbear, and connection attempts fail with
following syslog entry:

Jan  3 06:41:58 hostname authpriv.info dropbear[14789]: Exit before
auth: Couldn't read or generate hostkey
/etc/dropbear/dropbear_rsa_host_key

Just like with my current solution that actually copies the keys
(rather than symlinking) I think you need to verify the keys
before/after reboot, using dropbearkey. However, the symlink solution
has the disadvantage in this case that an unexpected reboot (without
the additional key check) potentially results in a corrupted key in
/etc/dropbear, while the copy solution will only copy validated keys
(during controlled reboot).

So, I don't think my current solution is so bad after all. How do you see this?

/Thomas



More information about the buildroot mailing list