Secure chronos

I have a security concern with this fydetab: ssh is enabled and root login is enabled. I am not a fan of this at all. Even though there doesn’t seem to be any .ssh folder in the root directory, this seems like a huge security hole, since there are already premade host keys in the /mnt/stateful_partition/etc/ssh/ directory that the sshd_config file points to.

I don’t see any point in allowing root to log in to a fydetab duo, or in running ssh 24/7 without any way to disable it.

I followed the directions to make changes to the filesystem from ( https://www.chromium.org/chromium-os/developer-library/guides/device/developer-mode/#making-changes-to-the-filesystem ) but it seems the effort was fruitless since opening the sshd_config file with sudo vim still tells me it is read-only.

sshd ?! why?

I don’t know any reason why this tablet comes with ssh enabled; that’s honestly pretty crazy, and I think we should try to disable this obvious backdoor that’s enabled in chronos.

After forcing removal of rootfs_verification (perhaps I did it wrong):

sudo vim /etc/ssh/sshd_config

# Force protocol v2 only
Protocol 2

# /etc is read-only.  Fetch keys from stateful partition
# Not using v1, so no v1 key
HostKey /mnt/stateful_partition/etc/ssh/ssh_host_rsa_key
HostKey /mnt/stateful_partition/etc/ssh/ssh_host_ed25519_key

PermitRootLogin yes
PasswordAuthentication no
UsePAM yes
PrintMotd no
PrintLastLog no
UseDns no
Subsystem sftp internal-sftp
# Make DUT responsible to keep connection to server alive for at least half
# a day, even if network is down. We don't care about leaking/ghost connections
# as this is the config for the DUT which gets rebooted periodically.
# Ping ssh client/autotest server once every 60 seconds.
ClientAliveInterval 60
# Do this 720 times for 12 hours.
ClientAliveCountMax 720
# Ignore temporary network outages.
TCPKeepAlive no
# Allow for many concurrent ssh sessions.
MaxSessions 50

# TODO(b/296125036) Support clients which require ssh-rsa.
# Some ssh clients do not support stronger non-SHA1-based schemes, so we
# have to allow ssh-rsa to avoid breaking some of the labs and testing
# infrastructure. Once those are moved over to ssh clients that support
# schemes like rsa-sha2-256 or stronger.
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
"/etc/ssh/sshd_config" [readonly] 34L, 1218B                      

ssh is seemingly impossible to kill as well:

chronos@fydetab_duo-fydeos ~ $ ps aux |grep sshd
root     14289  0.0  0.0   7628  5668 ?        Ss   19:26   0:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
chronos  14903  0.0  0.0   2344  1048 pts/0    S+   19:30   0:00 grep --colour=auto sshd
chronos@fydetab_duo-fydeos ~ $ sudo kill -9 14289
chronos@fydetab_duo-fydeos ~ $ ps aux |grep sshd
root     14920  0.6  0.0   7628  5672 ?        Ss   19:30   0:00 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups

Neither systemctl nor service exists to use, and I’m not very familiar with how chronos handles services.

Unable to disable unnecessary services

especially the ones iptables is allowing through

Secondly, iptables is allowing any connection not only to ssh but also to adbd, which accepts anything coming in on tcp 5555 by default, for both ipv4 and ipv6 on wlan0. This isn’t ideal.

Chain ingress_port_firewall (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  vmtap0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5555
    0     0 ACCEPT     tcp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:5555

Chain ingress_port_firewall (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp      vmtap0 *       ::/0                 ::/0                 tcp dpt:5555
    0     0 ACCEPT     tcp      wlan0  *       ::/0                 ::/0                 tcp dpt:5555
sudo netstat -antup
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1542/sshd: /usr/sbi 
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN      3482/adbd           
tcp        0      0 127.0.0.1:5037          0.0.0.0:*               LISTEN      3482/adbd   

I would like to also disable these services listening on 1900 and 5353

udp        0      0 0.0.0.0:1900            0.0.0.0:*                           1653/patchpaneld    
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           1653/patchpaneld  
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1653/patchpaneld    
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1653/patchpaneld  
udp6       0      0 :::1900                 :::*                                1653/patchpaneld    
udp6       0      0 :::1900                 :::*                                1653/patchpaneld    
udp6       0      0 :::5353                 :::*                                1653/patchpaneld    
udp6       0      0 :::5353                 :::*                                1653/patchpaneld 

helpful commands

sudo -s gives you root, with a difficult limited shell

other scares

passwd can’t change root’s password

# passwd
New password: 
Retype new password: 
passwd: Authentication token lock busy
passwd: password unchanged

Any help on what I can do to secure this new tablet?
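An added example (not code from the thread or from FydeOS) that reads the sshd_config pasted above, flags the settings a defender would change, and prints a hardened replacement; the ListenAddress and AllowUsers values in it are assumptions for illustration:

```shell
#!/bin/sh
# Added example, not code from the thread or FydeOS: audit an sshd_config for
# the weak settings in the pasted file and print a hardened replacement.
# Needs only POSIX sh and awk; the ListenAddress and AllowUsers values are illustrative.

# Effective value of a directive: sshd honours the first non-comment occurrence.
sshd_get() {  # $1 = config file, $2 = directive name (case-insensitive)
    awk -v k="$2" 'substr($1,1,1) != "#" && tolower($1) == tolower(k) { print $2; exit }' "$1"
}
# Print one "WEAK: ..." line per risky setting found in config file $1.
audit_sshd_config() {
    cfg="$1"
    [ "$(sshd_get "$cfg" PermitRootLogin)" = "yes" ] && echo "WEAK: PermitRootLogin yes (root reachable over the network)"
    [ "$(sshd_get "$cfg" PasswordAuthentication)" = "yes" ] && echo "WEAK: PasswordAuthentication yes"
    case "$(sshd_get "$cfg" HostKeyAlgorithms)" in *ssh-rsa*) echo "WEAK: HostKeyAlgorithms re-enables SHA-1 ssh-rsa";; esac
    case "$(sshd_get "$cfg" PubkeyAcceptedAlgorithms)" in *ssh-rsa*) echo "WEAK: PubkeyAcceptedAlgorithms re-enables SHA-1 ssh-rsa";; esac
    [ -n "$(sshd_get "$cfg" ListenAddress)" ] || echo "WEAK: no ListenAddress, sshd binds every interface (wlan0 included)"
    return 0
}

# Hardened replacement: no root, loopback only, one allowed user, short idle timeout.
hardened_sshd_config() {
    cat <<'EOF'
HostKey /mnt/stateful_partition/etc/ssh/ssh_host_ed25519_key
ListenAddress 127.0.0.1
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers chronos
UsePAM yes
Subsystem sftp internal-sftp
ClientAliveInterval 60
ClientAliveCountMax 3
MaxSessions 5
EOF
}
# Constructed sample: the relevant lines of the sshd_config pasted in the thread.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
HostKey /mnt/stateful_partition/etc/ssh/ssh_host_rsa_key
PermitRootLogin yes
PasswordAuthentication no
UsePAM yes
MaxSessions 50
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
EOF
echo "== findings in $SAMPLE_CFG"; audit_sshd_config "$SAMPLE_CFG"
echo "== hardened replacement"; hardened_sshd_config
```

Run against the real /etc/ssh/sshd_config after the remount to see which of the four findings remain; the hardened text is only a starting point and still needs the host key path checked on the device.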

mount -o remount,rw /
Then change the password.

Thanks, with that I can turn off ssh by removing the sshd_config and change the root password, but I’m not so sure how to get rid of these other services correctly with chronos.

You basically have to do the remount command every time you enter the shell.

Making an empty sshd_config file is a very unnatural solution in the unix/linux environment to stop a service from operating, but it works well for now.

killing adbd works as expected:

chronos@fydetab_duo-fydeos /etc/ssh $ ps aux |grep adbd
root      3654  0.0  0.0   9536     4 ?        Ssl  08:38   0:00 /usr/sbin/adbd
chronos  10227  0.0  0.0   2344  1032 pts/0    S+   08:40   0:00 grep --colour=auto adbd
chronos@fydetab_duo-fydeos /etc/ssh $ sudo kill -9 3654
chronos@fydetab_duo-fydeos /etc/ssh $ ps aux |grep adbd
chronos  10412  0.0  0.0   2344  1052 pts/0    S+   08:40   0:00 grep --colour=auto adbd

Getting into and altering a systemctl-type service manager, or knowing how to manage the packages, remains a mystery; I’ll update if I figure anything else out to remove these unintended insecure backdoors.
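As an added example, not from the thread: a small filter over the `sudo netstat -antup` output pasted in the first post that lists only the sockets bound to every interface, which is the quickest way to confirm which of sshd, adbd and patchpaneld still answer from the network after each change. The input is a constructed copy of those lines.

```shell
#!/bin/sh
# Added example, not from the thread: list sockets bound to every interface in
# `sudo netstat -antup` output, so the listeners still exposed after each change
# (adbd on 5555, patchpaneld on 1900/5353) stand out. POSIX sh and awk only.

# Read netstat output on stdin; print "proto port program" for each socket
# bound to a wildcard address (0.0.0.0, :: or *). Loopback-only sockets such
# as adbd's 127.0.0.1:5037 are not reachable from the network and are skipped.
exposed_listeners() {
    awk 'NR > 2 {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (addr != "0.0.0.0" && addr != "::" && addr != "*") next
        prog = "?"
        for (i = 5; i <= NF; i++)            # udp rows have no State column,
            if ($i ~ /^[0-9]+\//) {          # so locate the pid/program field
                split($i, p, "/"); prog = p[2]; sub(/:$/, "", prog); break
            }
        print $1, port, prog
    }' | sort -u
}

# Constructed sample: lines copied from the netstat output pasted in the thread.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1542/sshd: /usr/sbi
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN      3482/adbd
tcp        0      0 127.0.0.1:5037          0.0.0.0:*               LISTEN      3482/adbd
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           1653/patchpaneld
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1653/patchpaneld
udp6       0      0 :::1900                 :::*                                1653/patchpaneld
udp6       0      0 :::5353                 :::*                                1653/patchpaneld'

printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
```

On the device, `sudo netstat -antup | exposed_listeners` gives the same table for the live sockets; an empty result means nothing is bound to wlan0 any more.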