{patch] dropbear adaptions to run as non-root

[HansH111]

Attached some minor adaptions to run a non-root dropbear service and also change the location of the hostkeys used to a user enabled or custom location.

Added 2 cmdline options:
-H default location for hostkeys
this enables to specify in default_options.h the bare hostkey filenames.
in svr-runopts it is determined if you start dropbear as root (location /etc/dropbear) or as non-root (location ~/.ssh)

-U: specify a forced userid
So whatever you type in as username, you will be login with the forced userid... and as bonus the envvar SSH_ORGUSER will be set with the typed in username.
So this way you can still run as root, but always be forced to a certain user and also know which user was requested.

We use this to have dropbear acting as a user service, since we don't have any root rights or /etc access.

patchfiles.tgz

[SerJaimeLannister]

I am interested in this ! Any updates?

[SerJaimeLannister]

I am actually interested in running dbclient non root , is there a possibility to do so?

[mkj]

I am actually interested in running dbclient non root , is there a possibility to do so?

dbclient can run as any user

[SerJaimeLannister]

I am actually interested in running dbclient non root , is there a possibility to do so?

dbclient can run as any user

I am sorry for responding late.
But here's what I want

I want to use a service like https://pinggy.io/ , even when I don't have root permissions. I can't seem to actually make this work unless I have root permissions on a specific restricted server.

[SerJaimeLannister]

Attached some minor adaptions to run a non-root dropbear service and also change the location of the hostkeys used to a user enabled or custom location.

Added 2 cmdline options: -H default location for hostkeys this enables to specify in default_options.h the bare hostkey filenames. in svr-runopts it is determined if you start dropbear as root (location /etc/dropbear) or as non-root (location ~/.ssh)

-U: specify a forced userid So whatever you type in as username, you will be login with the forced userid... and as bonus the envvar SSH_ORGUSER will be set with the typed in username. So this way you can still run as root, but always be forced to a certain user and also know which user was requested.

We use this to have dropbear acting as a user service, since we don't have any root rights or /etc access.

patchfiles.tgz

I keep on coming back to this .

Can you please instead create a github repo instead of such patchfile considering the patchfile is failing to build right now

[HansH111]

Sorry been a bit busy lately, I see what I can do this weekend.

[HansH111]

Only the line numbers didn't match, since it was from 2022...
build it and tested it with a normal user, should work for you.
I build it statically as:
./configure --disable-pam --disable-syslog --disable-shadow
--disable-lastlog --disable-utmp --disable-utmpx
--disable-wtmp --disable-wtmpx --disable-loginfunc
--enable-static
--disable-pututline --disable-pututxline --with-zlib

you can get the pull request here: #347 (comment)

[SerJaimeLannister]

Dear brother. I can't thank you enough. This has made my day.

There were some issues in building static which took an hour of my time mainly
/usr/bin/ld: ./obj/common-session.o: in function fill_passwd': common-session.c:(.text+0x963): warning: Using 'getpwnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking /usr/bin/ld: ./obj/dbutil.o: in function expand_homedir_path':
dbutil.c:(.text+0x9f4): warning: Using 'getpwuid' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/bin/ld: ./obj/common-session.o: in function `fill_passwd':
common-session.c:(.text+0x9e1): warning: Using 'getspnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking

But I am not sure how magically I had a dbclient which wasn't linked dynamically, that is my only gripe but it does work which is so nice.

I can't thank you enough. I can't thank this project enough.

Though I have gotten what I wanted , since now I am stashing that binary forever lol, but I wish for other people if you could provide a github action which can provide a static binary as well since I didn't see it (I am not sure , I had searched static in the workfile , I may be totally wrong and I already apologize if that's the case)

Again thanks a lot.

[SerJaimeLannister]

Edit: Though this works , I tried it on one of my nats & it says this Floating point exception (core dumped) , Though I suppose this is not the project's fault. Thanks a lot.

[HansH111]

I use Alpine Linux to build a static version of dropbear using:
-no-pie -g -DNDEBUG -s -march=x86-64 -fPIC -m64 -mtune=generic -Wl,--build-id=none

Alpine Linux uses the musl library instead of glibc
I use WSL or docker to get a small Alpine Linux container for compiling static binaries.

[SerJaimeLannister]

I get this error
/dropbear # ./configure -no-pie -g -DNDEBUG -s -march=x86-64 -fPIC
-m64 -mtune=generic -Wl,--build-id=none
configure: error: unrecognized option: -no-pie' Try ./configure --help' for more information

I have installed it inside podman run -it --rm alpine /bin/ash

[HansH111]

Not using configure, use CFLAGS and LDFLAGS
so for instance
export CFLAGS="-no-pie -g -DNDEBUG -s -march=x86-64 -fPIC -m64 -mtune=generic "
export LDFLAGS="-mtune=generic -no-pie -s -static"
and then the configure command