A Very Disappointing Self-Answer
Having set this problem aside for a day and come back to it, I was both relieved and perturbed (more perturbed than relieved) to find that everything was, mysteriously, working properly.
So, What Was the Issue?
No settings were changed or adjusted -- not on the router, not on the SSH server, and not on the SSH client's machine. It's fairly safe to say it was the router not handling the incoming traffic properly, in spite of proper settings. Given that dinky home router software isn't really designed to deal with port forwarding, it took the poor guy a while to implement the necessary changes.
But It's Been Like 6 Hours!!
Yeah dude, I know. I spent all day trying to figure out what was wrong -- and didn't ever find it because there wasn't anything wrong. Evidently, it can take 6 hours -- possibly more -- for the router settings to take effect.
So How Do I Know If This Is My Issue?
A nifty tool I came across during this escapade is tcpdump
. This lean little guy sniffs traffic for you, offering valuable insight into what's actually going on. Plus, he's got some super filtering features that allow you to narrow down exactly what you want to look at/for. For example, the command:
tcpdump -i wlan1 port 22 -n -Q inout
Tells tcpdump
to look for traffic via the wlan1 interface (-i
= 'interface'), only through port 22, ignore DNS name resolution (-n
= 'no name resolution'), and we want to see both incoming and outgoing traffic (-Q
accepts in
, out
, or inout
; inout
is the default).
By running this command on your SSH server while attempting to connect via a remote machine, it quickly becomes clear where precisely the problem lies. There are, essentially, 3 possibilities:
- If you're seeing incoming traffic from the remote machine, but no outgoing traffic from your local server, the problem lies with the server: there's probably a firewall rule that needs to be changed, etc.
- If you're seeing both incoming and outgoing, but your remote machine isn't receiving the response, it's most likely the router: it's allowing the incoming traffic, but dropping your outgoing packets.
- If there's no traffic at all, that's probably a router issue as well: the remote machine's
SYN
packets are being ignored and dropped by the router before they even reach your server.
And once you've discovered where the problem lies, a fix is (usually) trivial.
Short answer: You are probably running OpenWrt, and you need to put your public key in /etc/dropbear/authorized_keys
instead of /root/.ssh/authorized_keys
.
Long answer:
The GitHub repo you point to is the one maintained by the dropbear author; it says that ~/.ssh/authorized_keys
works, and according to GitHub it has done so at least for 14 years. Looking at the code in svr-authpubkey.c it adds /.ssh/authorized_keys
to the "pw_dir".
I, however, had the same problem as you have, and I discovered that the binary provided in OpenWrt 18.06.1 is actually opening /etc/dropbear/authorized_keys
. Using that file works for me.
This behavior is documented in the OpenWrt docs.
So how come?
Given that the code above cannot produce that filename on its own (the .ssh
is missing) and there is no .ssh
symlink anywhere, I ran strings
on the binary. That showed that /etc/dropbear/authorized_keys
is mentioned explicitly, just before the %s/.ssh/authorized_keys
that can be expected from the GitHub code. I conclude that the OpenWrt binary is not compiled from the same sources... and indeed, OpenWrt patches the upstream code with this patch. It changes the file used to /etc/dropbear/authorized_keys
if (and only if) the target user is root.
Since you mention opkg
, I imagine you are also using OpenWrt, and that this is your problem. I've added an OpenWrt tag to your question.
Best Answer
If you want to run an ssh server on a rooted phone, you can install
SSHDroid
.You can build a Debian image via
deboostrap
. Debian runs onARM
so you wont have problems building an image for that arquitechture. There is an interesting howto writen for SG1, you could try it out.