K4 SSH over WiFi (Dropbear) keys stopped working after restart

[aleq]

Hello Everyone,
I have prepared SSH keys for my Wifi SSH enabled jailbroken K4NT. It worked, until I restarted the device. From that moment, I cannot log in without password. I have even cleared the configuration off the Kindle and redone it again, just like I did it the day before (I think). I have following Ixtab's guide: https://www.mobileread.com/forums/sh...27&postcount=4, but still no dice. As I'm hacking/transforming my unused Kindle into a status monitor, I desperately need to be able to push files to it programatically.

Code:

[aleq@planet] ~/devel/kindlox>ssh-keygen -C "Aleq's Kindle developer key" -f id_kindle
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): <NOTHING JUST ENTER HERE>
Enter same passphrase again: <NOTHING JUST ENTER HERE>
Your identification has been saved in id_kindle.
Your public key has been saved in id_kindle.pub.
The key fingerprint is:
SHA256:LTftDjw7ErpovzfyvjGDscHy78Orok3pzgXWhQrKcjk Aleq's Kindle developer key
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|       .         |
|  .   . .        |
|.. o + . . .     |
|o.E = = S + .    |
|.. o = =.+ o     |
|    o =o+.+ .    |
|   =ooo.*+.=     |
|  .+*o=XB*...    |
+----[SHA256]-----+
[aleq@planet] ~/devel/kindlox>ls id_kindle*
total 56
-rw------- 1 aleq aleq      1679 Jun 25 15:06 id_kindle
-rw-r----- 1 aleq aleq       409 Jun 25 15:06 id_kindle.pub
[aleq@planet] ~/devel/kindlox>cat id_kindle.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZS/3YfCGoQFxAkpAvUbfTJHQnjnSzhupgEWkqMF+TNxDUqLlrWbAtvUy7Fz8Hg9sua5vRu+EDVo6hiLXtUPt8LhuyZ3gACliJ0Y0msvtRw58PoedPd36Mt+cJjIaqWDaY6/yFoJf1WBt2Nbi6aGZb/SvpJZkzwDhK2YxXFDLN+mc5SLPG5OIZzH+gwvfwcjsww/4y6CT3PE2h9dVCqIMyPiE7M0fK5hpnz0R5thjWJMw9Aw4RErjLSQBVdaGO6fn3bOJ2O3LWI8WZFUhxnYeTU0uUZcn3R9RlS/vGLudEkSASxGmx7w/Tyd5TrVplBholZHm8A8ws7z+/dz92lKll Aleq's Kindle developer key
[aleq@planet] ~/devel/kindlox>scp id_kindle.pub root@192.168.1.74:/mnt/us/usbnet/etc/authorized_keys
Unable to negotiate with 192.168.1.74 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1
lost connection
[aleq@planet] ~/devel/kindlox>scp -o 'KexAlgorithms=+diffie-hellman-group1-sha1' id_kindle.pub root@192.168.1.74:/mnt/us/usbnet/etc/authorized_keys
root@192.168.1.74's password: <PASSWORD ENTERED>
id_kindle.pub                                                                                   100%  409    25.6KB/s   00:00

[aleq@planet] ~/devel/kindlox>ssh  -o 'KexAlgorithms=+diffie-hellman-group1-sha1' -i id_kindle root@192.168.1.74 -v
OpenSSH_7.4p1 Debian-10+deb9u3, OpenSSL 1.0.2l  25 May 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.1.74 [192.168.1.74] port 22.
debug1: Connection established.
debug1: identity file id_kindle type 1
debug1: key_load_public: No such file or directory
debug1: identity file id_kindle-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u3
debug1: Remote protocol version 2.0, remote software version dropbear_0.52
debug1: no match: dropbear_0.52
debug1: Authenticating to 192.168.1.74:22 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group1-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Server host key: ssh-rsa SHA256:xsBNOprs30YEpnF4ymKvtFdjvElSiVS2I0hE4z8v+D0
debug1: Host '192.168.1.74' is known and matches the RSA host key.
debug1: Found key in /home/aleq/.ssh/known_hosts:9
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 4294967296 blocks
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: id_kindle
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
root@192.168.1.74's password:

On Kindle:

Code:

[root@kindle etc]# pwd
/mnt/us/usbnet/etc
[root@kindle etc]# ls -l
-rwxr-xr-x    1 root     root          409 Jun 25 15:09 authorized_keys
[root@kindle etc]# cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZS/3YfCGoQFxAkpAvUbfTJHQnjnSzhupgEWkqMF+TNxDUqLlrWbAtvUy7Fz8Hg9sua5vRu+EDVo6hiLXtUPt8LhuyZ3gACliJ0Y0msvtRw58PoedPd36Mt+cJjIaqWDaY6/yFoJf1WBt2Nbi6aGZb/SvpJZkzwDhK2YxXFDLN+mc5SLPG5OIZzH+gwvfwcjsww/4y6CT3PE2h9dVCqIMyPiE7M0fK5hpnz0R5thjWJMw9Aw4RErjLSQBVdaGO6fn3bOJ2O3LWI8WZFUhxnYeTU0uUZcn3R9RlS/vGLudEkSASxGmx7w/Tyd5TrVplBholZHm8A8ws7z+/dz92lKll Aleq's Kindle developer key

I have checked /var/log/messages, nothing strange there.

Any tips, ideas are welcome.

TIA,
A.

[NiLuJe]

Where is that dropbear setup coming from, because that is one horrendously old dropbear version (which also explains the insane hoop-jumping you have to go through regarding the KEX algo). I don't think I ever shipped USBNet with something that old.

EDIT: Okay, I lied. I did. 8 years ago. .

[aleq]

Good point. I have jailbroken that Kindle many many years ago, cannot answer where the Dropbear binary came from. I'll upgrade it and try again.

[aleq]

Thanks, NiLuJe!
Solved indeed by refreshing my obscure old installation (4.0.1 with who knows what) with your latest USBNet package

[knc1]

To avoid further problems, you should install the current firmware, 4.1.3
https://www.amazon.com/gp/help/custo...deId=200774090
(Like in, before the Kindle does it its self while your back is turned.)

[aleq]

Thanks for recommendation. However, I'm hesitant to do so, as I remember I've done various modifications to "/" at that time. I'm not sure if the update will go through well (how sensitive is it to system modifications? Will jailbreak and ssh over wifi survive?) Update mechanism has been also gutted heavily, so it shouldn't stab me into the back. That won't be a problem.

I'm using that Kindle as IoT E-Ink accessory only. Is 4.1.3 bringing any significant improvements to anything low-level or to the browser? I'm very close to have Everything I want how I want...

Should I upgrade under such conditions? Will it bring any advantage to me?

Thanks,
Aleq

[NiLuJe]

It features an OpenSSL/certificates update that basically makes it work with current HTTPS standards.

(And, yes, it's still a patch-based incremental update, so it'll potentially be messy if you heavily modified the rootfs).

[knc1]

Quote:

Originally Posted by aleq

Thanks for recommendation. However, I'm hesitant to do so, as I remember I've done various modifications to "/" at that time. I'm not sure if the update will go through well (how sensitive is it to system modifications? Will jailbreak and ssh over wifi survive?) Update mechanism has been also gutted heavily, so it shouldn't stab me into the back. That won't be a problem.

I'm using that Kindle as IoT E-Ink accessory only. Is 4.1.3 bringing any significant improvements to anything low-level or to the browser? I'm very close to have Everything I want how I want...

Should I upgrade under such conditions? Will it bring any advantage to me?

Thanks,
Aleq

TLS

Quote:

Originally Posted by NiLuJe

It features an OpenSSL/certificates update that basically makes it work with current HTTPS standards.

(And, yes, it's still a patch-based incremental update, so it'll potentially be messy if you heavily modified the rootfs).

Use Kubrick, then update along the path described at the Amazon link I included in my previous post.
Kubrick does a complete image update rather than an incremental fix-up.

[NiLuJe]

Ooh, forgot that we could Kubrick a K4 .

[bagpiper1]

Quote:

Originally Posted by NiLuJe

It features an OpenSSL/certificates update that basically makes it work with current HTTPS standards.

(And, yes, it's still a patch-based incremental update, so it'll potentially be messy if you heavily modified the rootfs).

OpenSSL ? No thanks ! The Heartbleed debacle is probably just the tip of the iceberg. LibreSSL :

Quote:

LibreSSL is an open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. The OpenBSD project forked LibreSSL from OpenSSL 1.0.1g in April 2014 as a response to the Heartbleed security vulnerability,[4][5][6][7] with the goals of modernizing the codebase, improving security, and applying best practice development processes

https://en.wikipedia.org/wiki/LibreSSL

BTW, CWM on my OpenBSD laptop is badass hacker mode :

[NiLuJe]

@bagpiper1: Thank you for your wonderfully on-topic intervention.