Minor dropbear tweaks (#4077)

* Tweak dropbear plugin a bit Create hostkeys on demand Make platform-specific stuff only run on the affected platform.
2025-08-10 00:52:38 +00:00 · 2018-07-15 18:39:52 +02:00
parent e977c4a394
commit 5d0359b257
2 changed files with 27 additions and 14 deletions
--- a/2
+++ b/2
--- a/plugins/SSH.koplugin/main.lua
+++ b/plugins/SSH.koplugin/main.lua
@@ -9,9 +9,9 @@ local util = require("util")
 local _ = require("gettext")
 local T = require("ffi/util").template

-- This plugin use a patched dropbear that add two things :
-- the -n option to allow login without password
-- read the keyfile from the relative path: settings/SSH/authorized_keys
+-- This plugin uses a patched dropbear that adds two things:
+-- the -n option to bypass password checks
+-- reads the authorized_keys file from the relative path: settings/SSH/authorized_keys

 local path = DataStorage:getFullDataDir()
 if not util.pathExists("dropbearmulti") then
@@ -32,13 +32,16 @@ end
 function SSH:start()
    local cmd = string.format("%s %s %s %s%s %s %s %s",
        "./dropbearmulti dropbear",
-        "-E", "-r ", path, "/settings/SSH/dropbear_rsa_host_key",
+        "-E",
+        "-R",
        "-p", self.SSH_port,
        "-P /tmp/dropbear_koreader.pid")
     if self.allow_no_password then
        cmd = string.format("%s %s", cmd, "-n")
    end
-    if os.execute("command -v iptables") then
+
+    -- Make a hole in the Kindle's firewall
+    if Device:isKindle() then
        os.execute(string.format("%s %s %s",
            "iptables -A INPUT -p tcp --dport", self.SSH_port,
            "-m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"))
@@ -47,17 +50,17 @@ function SSH:start()
            "-m conntrack --ctstate ESTABLISHED -j ACCEPT"))
    end
    -- An SSH/telnet server of course needs to be able to manipulate pseudoterminals...
-    -- Some Kobo don't have this, so we check it on every platfrom, it can't hurt.
-    os.execute([[if [ ! -d "/dev/pts" ] ; then
-        mkdir -p /dev/pts
-        mount -t devpts devpts /dev/pts
-        fi]])
+    -- Kobo's init scripts fail to set this up...
+    if Device:isKobo() then
+        os.execute([[if [ ! -d "/dev/pts" ] ; then
+            mkdir -p /dev/pts
+            mount -t devpts devpts /dev/pts
+            fi]])
+    end
+
    if not util.pathExists(path.."/settings/SSH/") then
        os.execute("mkdir "..path.."/settings/SSH")
    end
-    if not util.pathExists(path.."/settings/SSH/dropbear_rsa_host_key") then
-        os.execute("./dropbearmulti dropbearkey -t rsa -f "..path.."/settings/SSH/dropbear_rsa_host_key")
-    end
    logger.dbg("[Network] Launching SSH server : ", cmd)
    if os.execute(cmd) == 0 then
        local info = InfoMessage:new{
@@ -82,6 +85,16 @@ end

 function SSH:stop()
    os.execute("cat /tmp/dropbear_koreader.pid | xargs kill")
+
+    -- Plug the hole in the Kindle's firewall
+    if Device:isKindle() then
+        os.execute(string.format("%s %s %s",
+            "iptables -D INPUT -p tcp --dport", self.SSH_port,
+            "-m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT"))
+        os.execute(string.format("%s %s %s",
+            "iptables -D OUTPUT -p tcp --sport", self.SSH_port,
+            "-m conntrack --ctstate ESTABLISHED -j ACCEPT"))
+    end
 end

 function SSH:show_port_dialog()