Updating README.md
dmikushin committed Jan 31, 2020
1 parent 9d524a5 commit 02624f4
Showing 1 changed file with 59 additions and 38 deletions.
97 changes: 59 additions & 38 deletions README.md
@@ -1,10 +1,8 @@
# Portable OpenSSH

[![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/openssh.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:openssh)
# Minimal OpenSSH client/server with patches for Android cell phones

OpenSSH is a complete implementation of the SSH protocol (version 2) for secure remote login, command execution and file transfer. It includes a client ``ssh`` and server ``sshd``, file transfer utilities ``scp`` and ``sftp`` as well as tools for key generation (``ssh-keygen``), run-time key storage (``ssh-agent``) and a number of supporting programs.

This is a port of OpenBSD's [OpenSSH](https://openssh.com) to most Unix-like operating systems, including Linux, OS X and Cygwin. Portable OpenSSH polyfills OpenBSD APIs that are not available elsewhere, adds sshd sandboxing for more operating systems and includes support for OS-native authentication and auditing (e.g. using PAM).
This is a port of OpenBSD's [OpenSSH](https://openssh.com) to most Unix-like operating systems, including Linux, OS X and Cygwin done by [https://github.com/openssh/openssh-portable](https://github.com/openssh/openssh-portable), and further tailored to limited Android environment (adb shell). Android shell does not provide user names and account information, such as /etc/passwd. Furthermore, this version limits encryption protocols to internal implementations. As a result, a complex dependency on `libcrypto` is lifted off, and `ed25519` becomes the only supported (and still - the best one!) encryption protocol (that is, no DSA or RSA support). The low-level installation process involves access to the base system and therefore requires a bootloader with permissive recovery mode, such as [TWRP](https://github.com/TeamWin/Team-Win-Recovery-Project).

## Documentation
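
Review bot: The rewritten introduction calls `ed25519` "the only supported ... encryption protocol", but Ed25519 is a signature scheme used for host and user keys, not an encryption protocol, and "limits encryption protocols to internal implementations" blurs the same distinction. Suggest wording such as "only `ed25519` keys are supported (no DSA or RSA)" and listing which ciphers and key exchange methods remain once `libcrypto` is dropped, so readers can tell which clients will be able to connect. The same paragraph notes that the Android shell has no account information such as /etc/passwd but does not say how sshd then maps a login to a user; a sentence on that would help anyone assessing what this server exposes.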

@@ -19,59 +17,82 @@ The official documentation for OpenSSH are the man pages for each tool:
* [ssh-keyscan(8)](https://man.openbsd.org/ssh-keyscan.8)
* [sftp-server(8)](https://man.openbsd.org/sftp-server.8)

## Stable Releases
## Building Portable OpenSSH for Android

The instructions below assume armv7. You may need to adjust the compiler to target armv8 (arm64) variant.

Stable release tarballs are available from a number of [download mirrors](https://www.openssh.com/portable.html#downloads). We recommend the use of a stable release for most users. Please read the [release notes](https://www.openssh.com/releasenotes.html) for details of recent changes and potential incompatibilities.
* Obtain GCC ARM cross toolchain:

## Building Portable OpenSSH
```
sudo apt install gcc-arm-linux-gnueabi
```

### Dependencies
* Build Musl:

Portable OpenSSH is built using autoconf and make. It requires a working C compiler, standard library and headers, and [zlib](https://www.zlib.net/). ``libcrypto`` from either [LibreSSL](https://www.libressl.org/) or [OpenSSL](https://www.openssl.org) may also be used, but OpenSSH may be built without it supporting a subset of crypto algorithms. Certain platforms and build-time options may require additional dependencies, see README.platform for details.
```
git clone git://git.musl-libc.org/musl
cd musl
mkdir build
cd build
../configure --prefix=$(pwd)/../install
```

### Building a release
* Build and install Bash 5.0, which is going to be used for the login shell as show here: https://github.com/dmikushin/bash-anrdoid

Releases include a pre-built copy of the ``configure`` script and may be built using:
* Build OpenSSH with minimum dependencies, statically linking against Musl:

```
tar zxvf openssh-X.YpZ.tar.gz
cd openssh
./configure # [options]
make && make tests
git clone https://github.com/dmikushin/openssh-android
cd openssh-android
mkdir build
cd build
LDFLAGS=-static CFLAGS="-D__ANDROID__ -O3 -fomit-frame-pointer -ffast-math" CC=$(pwd)/../../musl/install/bin/musl-gcc ../configure --prefix=$(pwd)/../install --host=arm-linux-gnueabi --without-zlib --without-openssl
```

See the [Build-time Customisation](#build-time-customisation) section below for configure options. If you plan on installing OpenSSH to your system, then you will usually want to specify destination paths.

### Building from git
## Installation

Reboot your phone into accessible recovery mode, such as TWRP. Mount /system partition as writable and use `adb` to roll the compiled OpenSSH binaries:

```
adb push ./ssh /system/bin/
adb push ./sshd /system/bin/
adb push ./ssh-keygen /system/bin/
adb push ./sshd_config /system/etc/ssh/
```

If building from git, you'll need [autoconf](https://www.gnu.org/software/autoconf/) installed to build the ``configure`` script. The following commands will check out and build portable OpenSSH from git:
Furthermore, we would want to generate the host SSH keys by manually calling `ssh-keygen`:

```
git clone https://github.com/openssh/openssh-portable # or https://anongit.mindrot.org/openssh.git
cd openssh-portable
autoreconf
./configure
make && make tests
adb shell
ssh-keygen -f /system/etc/ssh/ssh_host_ed25519_key -N '' -t ed25519
```

### Build-time Customisation
Generate another key pair to be used for remote authentication:

There are many build-time customisation options available. All Autoconf destination path flags (e.g. ``--prefix``) are supported (and are usually required if you want to install OpenSSH).
```
adb shell
ssh-keygen -f /system/etc/ssh/ssh_user_key -N '' -t ed25519
mv /system/etc/ssh/ssh_user_key.pub /system/etc/ssh/authorized_keys
exit
adb pull /system/etc/ssh/ssh_user_key ./
adb shell rm /system/etc/ssh/ssh_user_key
```

For a full list of available flags, run ``configure --help`` but a few of the more frequently-used ones are described below. Some of these flags will require additional libraries and/or headers be installed.
## Deployment

Flag | Meaning
--- | ---
``--with-pam`` | Enable [PAM](https://en.wikipedia.org/wiki/Pluggable_authentication_module) support. [OpenPAM](https://www.openpam.org/), [Linux PAM](http://www.linux-pam.org/) and Solaris PAM are supported.
``--with-libedit`` | Enable [libedit](https://www.thrysoee.dk/editline/) support for sftp.
``--with-kerberos5`` | Enable Kerberos/GSSAPI support. Both [Heimdal](https://www.h5l.org/) and [MIT](https://web.mit.edu/kerberos/) Kerberos implementations are supported.
``--with-selinux`` | Enable [SELinux](https://en.wikipedia.org/wiki/Security-Enhanced_Linux) support.
``--with-security-key-builtin`` | Include built-in support for U2F/FIDO2 security keys. This requires [libfido2](https://github.com/Yubico/libfido2) be installed.
Reboot the phone into Android and launch the SSH server:

## Development
```
adb shell
/system/bin/sshd
exit
```

Portable OpenSSH development is discussed on the [openssh-unix-dev mailing list](https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev) ([archive mirror](https://marc.info/?l=openssh-unix-dev)). Bugs and feature requests are tracked on our [Bugzilla](https://bugzilla.mindrot.org/).
Given that the phone has a reachable IP address (e.g. the phone is connected to your home wireless router), connect to it directly:

## Reporting bugs
```
$ ssh 192.168.12.202 -p 2222 -i ./ssh_user_key
shell@alto5_premium:/ $ uname -a
Linux localhost [email protected]_rb1.29-MIUI-Kernel #1 SMP PREEMPT Tue Jan 9 15:35:54 MSK 2018 armv7l GNU/Linux
```

_Non-security_ bugs may be reported to the developers via [Bugzilla](https://bugzilla.mindrot.org/) or via the mailing list above. Security bugs should be reported to [[email protected]](mailto:openssh.openssh.com).
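
Review bot: In the "Generate another key pair" block the user key is created on the phone with an empty passphrase (`-N ''`), written under /system/etc/ssh, and the private half is then copied to the workstation with `adb pull`, which leaves an unprotected private key on the workstation as the only credential for the device. Suggest generating the pair on the workstation with a passphrase and pushing only the `.pub` file to `/system/etc/ssh/authorized_keys`, so the private key never exists on the phone. Separately: the Musl block ends at `../configure --prefix=...` with no cross-compiler setting and no `make` or `make install`, and the OpenSSH block also ends at `../configure`, although the OpenSSH step expects `musl/install/bin/musl-gcc` and the Installation section pushes built binaries; the `ssh` example connects with `-p 2222` but the README never says that the pushed `sshd_config` listens on that port; and the hunk deletes the "Reporting bugs" section without saying where security issues in this fork should be reported.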
