ADB Secured Using Vendor private/pub key

ADB Secured Using Vendor private/pub key

Bob Pfingsten
All,

I am trying to figure out how to lock down ADB so only people that have the pre-generated private key can access ADB through USB or WiFi/Ethernet.  I have generated a key pair using adb keygen (also tried with ssl-keygen) but I can't seem to get things locked down.  When my device is deployed to production I don't want to allow anyone to shell into the OS using ADB.  I have set /vendor/build.prop: ro.adb.secure=1 (also tried ro.adb.secure=0) and copied my public key to /data/misc/adb/adb_keys and also tried at the root /adb_keys and rebooted the device.  I moved my private key to a hidden location (outside of .Android) so it would not know the private key.  However, anytime I do adb devices it shows the device and allows me to connect.  I would have expected it to show "unauthorized" or something to that effect.  Also I have the following build.prop setting: persist.sys.usb.config=adb.   Any help would greatly be appreciated.

--
You received this message because you are subscribed to the Google Groups "android-platform" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/android-platform.
To view this discussion on the web visit https://groups.google.com/d/msgid/android-platform/664cf2d1-c90b-4c1e-8bee-a2b4f90aa735%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: ADB Secured Using Vendor private/pub key

meet thakkar
Hi Bob,

You will have to add the public key to the 

  1. Store the adb private key in a file (let's call it adbkey.user)
  2. adb kill-server
  3. Copy/replace the adbkey.user file to ~/.android/adbkey (adbkey is a text file which stores the private key of your computer, used for ADB over USB)
  4. adb shell (voila!)

That should work. 

Regards,
Meet Thakkar



Re: ADB Secured Using Vendor private/pub key

Satish Patel
In reply to this post by Bob Pfingsten


On Tue, Jul 16, 2019 at 12:55 AM Bob Pfingsten <[hidden email]> wrote:
All,

I am trying to figure out how to lock down ADB so only people that have the pre-generated private key can access ADB through USB or WiFi/Ethernet.  I have generated a key pair using adb keygen (also tried with ssl-keygen) but I can't seem to get things locked down.  When my device is deployed to production I don't want to allow anyone to shell into the OS using ADB.  I have set /vendor/build.prop: ro.adb.secure=1 (also tried ro.adb.secure=0) and copied my public key to /data/misc/adb/adb_keys and also tried at the root /adb_keys and rebooted the device.  I moved my private key to a hidden location (outside of .Android) so it would not know the private key.  However, anytime I do adb devices it shows the device and allows me to connect.  I would have expected it to show "unauthorized" or something to that effect.  Also I have the following build.prop setting: persist.sys.usb.config=adb.   Any help would greatly be appreciated.

What is your build type? Is it a user build or an eng build? Normally, in eng and userdebug builds, adb gets enabled by default.



--
Regards,
satish patel
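
Added example, not part of any post in this thread: a host-side check that ties the build-type question above to the `ro.adb.secure` setting from the original post. It assumes the AOSP adbd startup behaviour of roughly Android 9/10 (authentication is on by default and can only be switched off on debuggable builds or with an unlocked bootloader); the function name `adbd_auth_verdict` is hypothetical, and the properties `ro.build.type`, `ro.debuggable` and `ro.boot.verifiedbootstate` are not mentioned on the page.

```shell
#!/bin/sh
# Added example: predict whether adbd will demand key authentication,
# from the *effective* property values (query getprop, not the .prop files,
# because a ro.* property keeps the first value that was loaded for it).
# Assumption: mirrors AOSP adbd startup logic around Android 9/10.

# Same truthy spellings that Android's GetBoolProperty accepts.
is_true() {
    case "$1" in
        1|y|yes|on|true) return 0 ;;
        *) return 1 ;;
    esac
}

# adbd_auth_verdict BUILD_TYPE DEBUGGABLE ADB_SECURE VERIFIED_BOOT_STATE
# Prints "required" or "not-required".
adbd_auth_verdict() {
    build_type=$1; debuggable=$2; adb_secure=$3; vb_state=$4

    # Only eng/userdebug (debuggable) builds, or a device whose bootloader
    # is unlocked (verified boot state "orange"), may run without auth.
    may_skip_auth=no
    case "$build_type" in
        eng|userdebug) may_skip_auth=yes ;;
    esac
    if is_true "$debuggable"; then may_skip_auth=yes; fi
    if [ "$vb_state" = "orange" ]; then may_skip_auth=yes; fi

    # On those builds ro.adb.secure decides, and unset counts as "off".
    if [ "$may_skip_auth" = yes ] && ! is_true "$adb_secure"; then
        echo "not-required"
    else
        echo "required"
    fi
}

# Constructed sample inputs (not taken from a real device):
echo "userdebug, ro.adb.secure unset: $(adbd_auth_verdict userdebug 1 '' green)"
echo "userdebug, ro.adb.secure=1:     $(adbd_auth_verdict userdebug 1 1 green)"
echo "user, locked bootloader:        $(adbd_auth_verdict user 0 0 green)"

# Against a device that already accepts the host:
#   adbd_auth_verdict "$(adb shell getprop ro.build.type)" \
#       "$(adb shell getprop ro.debuggable)" \
#       "$(adb shell getprop ro.adb.secure)" \
#       "$(adb shell getprop ro.boot.verifiedbootstate)"
```

A "not-required" verdict means adbd never consults the `adb_keys` files, so every host connects regardless of which private key it holds.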

Re: ADB Secured Using Vendor private/pub key

Bob Pfingsten
In reply to this post by meet thakkar
Where does the public key go on the device? I tried /data/misc/adb and at the root / but that did not seem to work as expected.

On Wednesday, July 17, 2019 at 11:27:32 AM UTC-7, meet thakkar wrote:
Hi Bob,

You will have to add the public key to the 

  1. Store the adb private key in a file (let's call it adbkey.user)
  2. adb kill-server
  3. Copy/replace the adbkey.user file to ~/.android/adbkey (adbkey is a text file which stores the private key of your computer, used for ADB over USB)
  4. adb shell (voila!)

That should work. 

Regards,
Meet Thakkar


