
SSH/SSL/TLS SFTP HTTPS suite needed for on Devboard_82



Hello all.  I am a newbie to this list and ETRAX development but I just
wanted to report that I was able to use the Makefile provided by
Friedrich Lobenstock to successfully build Dropbear on the first try!
Thanks!

I still need to find a way to implement secure FTP and HTTPS on the
ETRAX platform however.  I have to completely eliminate the insecure
ftp, http, and telnet protocols from this platform.  I just can't
implement embedded systems with insecure protocols any more - I suspect
that most embedded developers are running into this situation.

Here is what I have found so far.

I think I successfully built the OpenSSL libraries and SSL program after
a lot of messing around with Makefiles.

I am considering using the GoAhead web server because it claims to work
with the OpenSSL libraries to implement HTTPS.  I don't see any support
forthcoming for HTTPS in Boa.  Does anyone have a better recommendation
on how to implement HTTPS?

I still have not been able to build OpenSSH but I solved that by using
Dropbear instead - love it.  I have not been able to get a secure FTP
server implementation to work yet.  Can anyone help me out there?

Once I have a workable SFTP server, I will need to figure out how to
implement the remote firmware upgrade capability in it like that
provided by the FTP server that comes with the development kit which I
will have to disable to finish securing the box.

In the future, it would be really nice if the AXIS development kit came
with such a secure set of communications interfaces instead of the
traditional examples.

Best regards,

Erich

-----Original Message-----
From: owner-dev-etrax@xxxxxxx.com [mailto:owner-dev-etrax@xxxxxxx.com] On
Behalf Of Friedrich Lobenstock
Sent: Wednesday, January 07, 2004 10:04 AM
To: Axis Etrax Mailing Liste
Subject: Re: [APPS] dropbear-0.39 (SSHD) for devboard_82 R1_91

Hi!

*As the Axis mailinglist seems to be alive again and nobody
reacted on my offer, here the posting to this list*

Pieter Grimmerink wrote on 06.01.2004 15:39 MET:
> On Friday 19 December 2003 16:32, Friedrich Lobenstock wrote:
> 
>>One reason why I created the keys on the host is also that I don't
>>have to clean up .ssh/known_hosts after each flash to the developer
>>system - the keys do not get overwritten once created.
> 
> And these existing keys won't work anymore after an update?
> I mean, why do the known_hosts have to be deleted?

If you create a new host key every time you've flashed the developer
board you will get such warnings:

fl@xxxxxxx.254
5790: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
5790: @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
5790: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
5790: IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
5790: Someone could be eavesdropping on you right now (man-in-the-middle attack)!
5790: It is also possible that the RSA host key has just been changed.
5790: The fingerprint for the RSA key sent by the remote host is 86:d8:e9:35:cb:51:63:63:a0:53:bf:dd:98:5b:9e:fb.
5790: Please contact your system administrator.
5790: Add correct host key in /home/fl/.ssh/known_hosts to get rid of this message.
5790: Offending key in /home/fl/.ssh/known_hosts:56
5790: RSA host key for 192.168.1.254 has changed and you have requested strict checking.
5790: Host key verification failed.

To save one from deleting the offending line from .ssh/known_hosts
during testing I've decided to create the keys on the developer host
which will not be overwritten during recompiles (only a 'make mrproper'
would do that).

> By the way, when I compile dropbear-0.39 with your wrapper makefile, I
> get the following error when the key-tool is configured:
> 
> touch -c dropbear-0.39/.config.key
> [ ! -e dropbear-0.39/.config.key ] && ( \
>         cd dropbear-0.39; \
>         autoconf; \
>         ./configure \
>         --disable-zlib --disable-shadow --disable-lastlog \
>         --disable-utmp --disable-utmpx --disable-wtmp \
>         --disable-wtmpx --disable-libutil --disable-pututline \
>         --disable-pututxline \
>         --prefix=/usr \
> )
> checking for gcc...   gcc-cris  -isystem 
> /home/pieter/devboard_82/target/cris-axis-linux-gnu/include -mlinux
> checking for C compiler default output... a.out
> checking whether the C compiler works... configure: error: cannot run C compiled programs.
> If you meant to cross compile, use `--host'.
> 
> 
> So it still uses gcc-cris, even though this executable should be
> compiled on the development host I guess.
> Does this work for you, without a CC=gcc parameter for the configure
> script?

I think I've still a little problem in this Makefile. Can you please
try running 'make clean' first.

-- 
MfG / Regards
Friedrich Lobenstock
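
Added example (not part of the original thread, and not code from Dropbear, OpenSSH or the Axis SDK): a small checker for the situation discussed above, telling whether the host key a reflashed board offers still matches the known_hosts entry and printing the MD5 fingerprint in the colon-separated form the warning uses. The key blobs and the known_hosts text are constructed sample data; only the address 192.168.1.254 is taken from the quoted warning.

```python
import base64
import hashlib
import struct

def md5_fingerprint(key_b64):
    """Colon-separated MD5 of the decoded key blob, the format shown in the warning."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def check_host_key(known_hosts_text, host, key_type, offered_b64):
    """Compare an offered host key with known_hosts; return (status, line_number)."""
    for number, line in enumerate(known_hosts_text.splitlines(), 1):
        fields = line.split()
        # Skip blanks, comments, hashed (|1|...) and @marker entries.
        if len(fields) < 3 or fields[0][0] in "#|@":
            continue
        hosts, stored_type, stored_b64 = fields[:3]
        if host in hosts.split(",") and stored_type == key_type:
            status = "match" if stored_b64 == offered_b64 else "changed"
            return status, number
    return "unknown", None

def constructed_rsa_blob(seed):
    """Build a fake ssh-rsa public blob (wire format) for the demo; not a usable key."""
    def ssh_string(data):
        return struct.pack(">I", len(data)) + data
    modulus = b"\x00" + hashlib.sha256(seed).digest() * 4
    blob = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(modulus)
    return base64.b64encode(blob).decode("ascii")

# Constructed sample data: one key kept across flashes, one regenerated on the board.
PERSISTED_KEY = constructed_rsa_blob(b"key created once on the developer host")
REGENERATED_KEY = constructed_rsa_blob(b"key created again after a flash")
KNOWN_HOSTS = "# constructed known_hosts\n192.168.1.254 ssh-rsa %s\n" % PERSISTED_KEY

if __name__ == "__main__":
    for label, key in (("persisted", PERSISTED_KEY), ("regenerated", REGENERATED_KEY)):
        status, line_no = check_host_key(KNOWN_HOSTS, "192.168.1.254", "ssh-rsa", key)
        print(label, status, "known_hosts line", line_no, md5_fingerprint(key))
```

A "changed" result for a board you have just flashed is the benign case described in the thread; the same result for a board you have not touched is the case the warning exists for.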