Dropbear

From Gentoo Wiki
Jump to:navigation Jump to:search

Dropbear is a lightweight SSH server. It runs on a variety of POSIX-based platforms.

Installation

USE flags

USE flags for net-misc/dropbear Small SSH 2 client/server designed for small memory environments

+shadow Enable shadow password support
+syslog Enable support for syslog
+test-async Enable tests using dev-python/asyncssh
bsdpty Add support for legacy BSD pty's rather than dynamic UNIX pty's -- do not use this flag unless you are absolutely sure you actually want it
legacy-ciphers Enable support for deprecated, soon-to-be-dropped DSA keys. See https://marc.info/?l=openssh-unix-dev>m=170494903207436>w=2.
minimal Install a very minimal build (disables, for example, plugins, fonts, most drivers, non-critical features)
multicall Build all the programs as one little binary (to save space)
pam Add support for PAM (Pluggable Authentication Modules) - DANGEROUS to arbitrarily flip
savedconfig Use this to restore your config from /etc/portage/savedconfig ${CATEGORY}/${PN}. Make sure your USE flags allow for appropriate dependencies
static !!do not set this during bootstrap!! Causes binaries to be statically linked instead of dynamically
test Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)
verify-sig Verify upstream signatures on distfiles
zlib Add support for zlib compression

Emerge

root #emerge --ask net-misc/dropbear

Configuration

For manual and help use following command:

user $dropbear -h
Dropbear server v2020.80 https://matt.ucc.asn.au/dropbear/dropbear.html
Usage: dropbear [options]
-b bannerfile   Display the contents of bannerfile before user login
                (default: none)
-r keyfile      Specify hostkeys (repeatable)
                defaults: 
                - dss /etc/dropbear/dropbear_dss_host_key
                - rsa /etc/dropbear/dropbear_rsa_host_key
                - ecdsa /etc/dropbear/dropbear_ecdsa_host_key
                - ed25519 /etc/dropbear/dropbear_ed25519_host_key
-R              Create hostkeys as required
-F              Don't fork into background
-E              Log to stderr rather than syslog
-m              Don't display the motd on login
-w              Disallow root logins
-G              Restrict logins to members of specified group
-s              Disable password logins
-g              Disable password logins for root
-B              Allow blank password logins
-T              Maximum authentication tries (default 10)
-j              Disable local port forwarding
-k              Disable remote port forwarding
-a              Allow connections to forwarded ports from any host
-c command      Force executed command
-p [address:]port
                Listen on specified tcp port (and optionally address),
                up to 10 can be specified
                (default port is 22 if none specified)
-P PidFile      Create pid file PidFile
                (default /var/run/dropbear.pid)
-i              Start for inetd
-W <receive_window_buffer> (default 24576, larger may be faster, max 1MB)
-K <keepalive>  (0 is never, default 0, in seconds)
-I <idle_timeout>  (0 is never, default 0, in seconds)
-V    Version

The listed running options can be used below to configure the /etc/conf.d/dropbear daemon.

Server

Files

Edit /etc/conf.d/dropbear - Global (system wide) configuration file for the SSH daemon. Add at least the -w parameter to the configuration file file to disable root login while running dropbear daemon.

FILE /etc/conf.d/dropbearDisable Root logins via SSH
# /etc/conf.d/dropbear: config file for /etc/init.d/dropbear

# -w disables root logins
# -p changes the TCP port number to listen on, default TCP port 22
DROPBEAR_OPTS="-w"

Assigning a different TCP port number -p to f.e.: 2222 at the beginning, saves the possible default port assingment collision, when running OpenSSH on the same system.

FILE /etc/conf.d/dropbearDisable Root logins via SSH, run on port 2222
# /etc/conf.d/dropbear: config file for /etc/init.d/dropbear

# -w disables root logins
# -p changes the TCP port number to listen to 2222
DROPBEAR_OPTS="-w -p 2222"
OpenRC
root #rc-update add dropbear default
root #/etc/init.d/dropbear start
systemd

Client

Usage

Client

The SSH client software to open a SSH session to target node, is called dbclient.

user $dbclient -h
Dropbear SSH client v2020.80 https://matt.ucc.asn.au/dropbear/dropbear.html
Usage: dbclient [options] [user@]host[/port][,[user@]host/port],...] [command]
-p <remoteport>
-l <username>
-t    Allocate a pty
-T    Don't allocate a pty
-N    Don't run a remote command
-f    Run in background after auth
-y    Always accept remote host key if unknown
-y -y Don't perform any remote host key checking (caution)
-s    Request a subsystem (use by external sftp)
-o option     Set option in OpenSSH-like format ('-o help' to list options)
-i <identityfile>   (multiple allowed, default .ssh/id_dropbear)
-A    Enable agent auth forwarding
-L <[listenaddress:]listenport:remotehost:remoteport> Local port forwarding
-g    Allow remote hosts to connect to forwarded ports
-R <[listenaddress:]listenport:remotehost:remoteport> Remote port forwarding
-W <receive_window_buffer> (default 24576, larger may be faster, max 1MB)
-K <keepalive>  (0 is never, default 0)
-I <idle_timeout>  (0 is never, default 0)
-B <endhost:endport> Netcat-alike forwarding
-J <proxy_program> Use program pipe rather than TCP connection
-c <cipher list> Specify preferred ciphers ('-c help' to list options)
-m <MAC list> Specify preferred MACs for packet verification (or '-m help')
-b    [bind_address][:bind_port]
-V    Version

To open a SSH session to a target node use following command. In example below it is shown how to login using larry username, to gentoo.org server, running the SSH service on TCP port 2222.

user $dbclient larry@gentoo.org/2222

Troubleshooting

Verify the used TCP ports bound to a running dropbaer daemon:

root #ss -tulpen | egrep 'Net|drop'
Netid State  Recv-Q Send-Q   Local Address:Port Peer Address:PortProcess
tcp   LISTEN 0      1000           0.0.0.0:2222      0.0.0.0:*    users:(("dropbear",pid=32739,fd=4)) ino:55966 sk:1004 <->
tcp   LISTEN 0      0              0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=9680,fd=3)) ino:27008 sk:81b26748                                                      
tcp   LISTEN 0      1000              [::]:2222         [::]:*    users:(("dropbear",pid=32739,fd=5)) ino:55967 sk:1005 v6only:1 <->

Showing dropbear runs on port 2222, on all local interfaces, using IPv4 0.0.0.0 and IPv6 [::].

Removal

root #emerge --ask --depclean --verbose net-misc/dropbear

See also

  • OpenSSH — the ubiquitous tool for logging into and working on remote machines securely.