Last time, we set up telnet on the Clara HD and set up the USB network interface. Now we will extend this to enable SSH on the device.

Unfortunately, unlike telnet, the Clara HD does not ship with any SSH binaries, so we will need to cross-compile them from source.

Determining the target architecture

Grab the source of config.guess, and copy it to the Clara HD, for example over USB, or pasting the source into a new file via a telnet session.

On the Clara HD, navigate to the location of config.guess and run:

sh config.guess

The script should output its guess of which target architecture to use. For the Clara HD, this should be armv7l-unknown-linux-gnueabihf.

Installing build toolchain

Based on the target architecture detected, install the relevant build toolchain. For simplicity, I will use the pre-built Linaro Toolchain binaries. On the computer:

curl -O https://releases.linaro.org/components/toolchain/binaries/7.3-2018.05/arm-linux-gnueabihf/gcc-linaro-7.3.1-2018.05-x86_64_arm-linux-gnueabihf.tar.xz
tar xJf gcc-linaro-7.3.1-2018.05-x86_64_arm-linux-gnueabihf.tar.xz
export PATH=$PWD/gcc-linaro-7.3.1-2018.05-x86_64_arm-linux-gnueabihf/bin:$PATH

Cross-compile Dropbear

On the computer, download the latest Dropbear sources, and run e.g.:

tar xjf dropbear-2018.76.tar.bz2
cd dropbear-2018.76
./configure --host=arm-linux-gnueabihf --disable-zlib --enable-static
make PROGRAMS='dropbear dropbearkey' MULTI=1

This will create a statically-linked dropbearmulti binary. Copy this file across to /opt/dropbear/dropbearmulti on the Clara HD. For example, I started an HTTP server using python -m http.server 8080 and on the Clara HD ran:

cd /opt
mkdir dropbear
cd dropbear
wget http://192.168.2.1:8080/dropbearmulti
chmod +x dropbearmulti

Set up Dropbear

Now we need to set up Dropbear on the Clara HD. From /opt/dropbear, run:

./dropbearmulti dropbearkey -t dss -f dss_key
./dropbearmulti dropbearkey -t rsa -f rsa_key
./dropbearmulti dropbearkey -t ecdsa -f ecdsa_key

We can now test Dropbear by running:

./dropbearmulti dropbear -F -E -r /opt/dropbear/dss_key -r /opt/dropbear/rsa_key -r /opt/dropbear/ecdsa_key

(If you haven't set up a root password, you can add the -B flag to enable blank passwords.)

Assuming no errors are reported, we can return to the computer and attempt ssh root@192.168.2.2 (or the equivalent IP address over WiFi).

$ ssh root@192.168.2.2
root@192.168.2.2's password:
[root@(none) ~]#

Tada!

Auto-start Dropbear on boot

Similarly to telnet in part 3, we can now set Dropbear to start up automatically on boot.

On the Clara HD, edit /opt/inetd.conf and add:

22 stream tcp nowait root /opt/dropbear/dropbearmulti dropbear -i -r /opt/dropbear/dss_key -r /opt/dropbear/rsa_key -r /opt/dropbear/ecdsa_key

(Assuming that you set up everything in part 3. Add the -B flag if necessary.)

After rebooting the Clara HD, Dropbear should now be automatically started.

Enabling SSH key authentication and securing remote access

Dropbear is compatible with SSH public key authentication, so we can run ssh-copy-id root@192.168.2.2 as usual, and proceed with ssh root@192.168.2.2 as usual with SSH key authentication.

If everything is in order, we can disable password authentication by adding the -s flag in /opt/inetd.conf. We can also disable telnet by removing or commenting the line beginning 23 stream… in /opt/inetd.conf.