
RE: SSH/SSL/TLS SFTP HTTPS suite needed for on Devboard_82



If you need HTTPS and you have already gotten the OpenSSL 
Libraries built for ETRAX AND you don't want to change
out boa you should consider using "stunnel". 
See http://www.stunnel.org/

This allows you to create an SSL connection on the standard HTTPS port
443 and then "forward" (locally) the now unencrypted traffic onto
Boa at port 80.

This is what I use with boa and it allows boa to be
ignorant as to http or https -- that's all handled invisibly
by stunnel. Works great for me. If you have a lot of traffic,
it might not be the most efficient way to do it, but it sure
is easy to get going without changing out the web server.

Regards,

----------------------------------
David Kilp
Cross Match Technologies
3962 RCA Blvd., Suite 6001
Palm Beach Gardens, FL 33410
561-622-8852
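
The arrangement described above, written out as a stunnel configuration (an added example, not from the original post or the poster's own setup). It assumes a current stunnel 5.x built against OpenSSL 1.1.0 or later; the certificate and key paths and the unprivileged account are placeholders.

```ini
; stunnel.conf: terminate TLS on 443 and hand the plaintext HTTP to Boa locally.
; Added example; paths and account names below are placeholders.

; Drop root after binding the privileged port.
setuid = nobody
setgid = nogroup
pid = /var/run/stunnel.pid

[https]
; Public side: TLS listener on the standard HTTPS port.
accept = 443
; Private side: Boa, reached over loopback only.
connect = 127.0.0.1:80
; PEM files holding the server certificate and its private key.
cert = /etc/stunnel/devboard.pem
key = /etc/stunnel/devboard.key
; Refuse SSLv3 and early TLS (this option needs OpenSSL 1.1.0 or later).
sslVersionMin = TLSv1.2

; The tunnel adds nothing if Boa still answers on the network interface.
; In boa.conf, bind Boa to loopback so port 80 is reachable only via stunnel:
;   Port 80
;   Listen 127.0.0.1
```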


-----Original Message-----
From: owner-dev-etrax@xxxxxxx.com [mailto:owner-dev-etrax@xxxxxxx.com] On
Behalf Of Erich W. Gunther
Sent: Wednesday, January 07, 2004 11:25 AM
To: dev-etrax@xxxxxxx.com
Subject: SSH/SSL/TLS SFTP HTTPS suite needed for on Devboard_82


Hello all.  I am a newbie to this list and ETRAX development but I just
wanted to report that I was able to use the Makefile provided by
Friedrich Lobenstock to successfully build Dropbear on the first try!
Thanks!

I still need to find a way to implement secure FTP and HTTPS on the
ETRAX platform however.  I have to completely eliminate the insecure
ftp, http, and telnet protocols from this platform.  I just can't
implement embedded systems with insecure protocols any more - I suspect
that most embedded developers are running into this situation.

Here is what I have found so far.

I think I successfully built the OpenSSL libraries and SSL program after
a lot of messing around with Makefiles.

I am considering using the GoAhead web server because it claims to work
with the OpenSSL libraries to implement HTTPS.  I don't see any support
forthcoming for HTTPS in Boa.  Does anyone have a better recommendation
on how to implement HTTPS?

I still have not been able to build OpenSSH but I solved that by using
Dropbear instead - love it.  I have not been able to get a secure FTP
server implementation to work yet.  Can anyone help me out there?

Once I have a workable SFTP server, I will need to figure out how to
implement the remote firmware upgrade capability in it like that
provided by the FTP server that comes with the development kit which I
will have to disable to finish securing the box.

In the future, it would be really nice if the AXIS development kit came
with such a secure set of communications interfaces instead of the
traditional examples.

Best regards,

Erich

-----Original Message-----
From: owner-dev-etrax@xxxxxxx.com [mailto:owner-dev-etrax@xxxxxxx.com] On
Behalf Of Friedrich Lobenstock
Sent: Wednesday, January 07, 2004 10:04 AM
To: Axis Etrax Mailing Liste
Subject: Re: [APPS] dropbear-0.39 (SSHD) for devboard_82 R1_91

Hi!

*As the Axis mailinglist seems to be alive again and nobody
reacted on my offer, here the posting to this list*

Pieter Grimmerink wrote on 06.01.2004 15:39 MET:
> On Friday 19 December 2003 16:32, Friedrich Lobenstock wrote:
> 
>>One reason why I created the keys on the host is also that I don't
>>have to clean up .ssh/known_hosts after each flash to the developer
>>system - the keys do not get overwritten once created.
> 
> And these existing keys won't work anymore after an update?
> I mean, why do the known_hosts have to be deleted?

If you create a new host key every time you've flashed the developer
board you will get such warnings:

fl@xxxxxxx.254
5790: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
5790: @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
5790: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
5790: IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
5790: Someone could be eavesdropping on you right now (man-in-the-middle attack)!
5790: It is also possible that the RSA host key has just been changed.
5790: The fingerprint for the RSA key sent by the remote host is
86:d8:e9:35:cb:51:63:63:a0:53:bf:dd:98:5b:9e:fb.
5790: Please contact your system administrator.
5790: Add correct host key in /home/fl/.ssh/known_hosts to get rid of this message.
5790: Offending key in /home/fl/.ssh/known_hosts:56
5790: RSA host key for 192.168.1.254 has changed and you have requested strict checking.
5790: Host key verification failed.

To save one from deleting the offending line from .ssh/known_hosts
during testing I've decided to create the keys on the developer host
which will not be overwritten during recompiles (only a 'make mrproper'
would do that).

> By the way, when I compile dropbear-0.39 with your wrapper makefile, I
> get the following error when the key-tool is configured:
> 
> touch -c dropbear-0.39/.config.key
> [ ! -e dropbear-0.39/.config.key ] && ( \
>         cd dropbear-0.39; \
>         autoconf; \
>         ./configure \
>         --disable-zlib --disable-shadow --disable-lastlog \
>         --disable-utmp --disable-utmpx --disable-wtmp \
>         --disable-wtmpx --disable-libutil --disable-pututline \
>         --disable-pututxline \
>         --prefix=/usr \
> )
> checking for gcc...   gcc-cris  -isystem /home/pieter/devboard_82/target/cris-axis-linux-gnu/include -mlinux
> checking for C compiler default output... a.out
> checking whether the C compiler works... configure: error: cannot run C compiled programs.
> If you meant to cross compile, use `--host'.
> 
> 
> So it still uses gcc-cris, even though this executable should be
> compiled on the development host I guess.
> Does this work for you, without a CC=gcc parameter for the configure
> script?

I think I've still a little problem in this Makefile. Can you please
try running 'make clean' first.

-- 
MfG / Regards
Friedrich Lobenstock