Dropbear

From Gentoo Wiki

Dropbear is a lightweight SSH server. It runs on a variety of POSIX-based platforms.

Installation

USE flags

USE flags for net-misc/dropbear (small SSH 2 client/server designed for small memory environments)

bsdpty Add support for legacy BSD pty's rather than dynamic UNIX pty's -- do not use this flag unless you are absolutely sure you actually want it
minimal Install a very minimal build (disables, for example, plugins, fonts, most drivers, non-critical features)
multicall Build all the programs as one little binary (to save space)
pam Add support for PAM (Pluggable Authentication Modules). DANGEROUS to arbitrarily flip
savedconfig Use this to restore your config from /etc/portage/savedconfig ${CATEGORY}/${PN}. Make sure your USE flags allow for appropriate dependencies
shadow Enable shadow password support
static !!do not set this during bootstrap!! Causes binaries to be statically linked instead of dynamically
syslog Enable support for syslog
zlib Add support for zlib (de)compression

Emerge

root # emerge --ask net-misc/dropbear

Configuration

For usage information, run the following command:

user $ dropbear -h
Dropbear server v2020.80 https://matt.ucc.asn.au/dropbear/dropbear.html
Usage: dropbear [options]
-b bannerfile   Display the contents of bannerfile before user login
                (default: none)
-r keyfile      Specify hostkeys (repeatable)
                defaults: 
                - dss /etc/dropbear/dropbear_dss_host_key
                - rsa /etc/dropbear/dropbear_rsa_host_key
                - ecdsa /etc/dropbear/dropbear_ecdsa_host_key
                - ed25519 /etc/dropbear/dropbear_ed25519_host_key
-R              Create hostkeys as required
-F              Don't fork into background
-E              Log to stderr rather than syslog
-m              Don't display the motd on login
-w              Disallow root logins
-G              Restrict logins to members of specified group
-s              Disable password logins
-g              Disable password logins for root
-B              Allow blank password logins
-T              Maximum authentication tries (default 10)
-j              Disable local port forwarding
-k              Disable remote port forwarding
-a              Allow connections to forwarded ports from any host
-c command      Force executed command
-p [address:]port
                Listen on specified tcp port (and optionally address),
                up to 10 can be specified
                (default port is 22 if none specified)
-P PidFile      Create pid file PidFile
                (default /var/run/dropbear.pid)
-i              Start for inetd
-W <receive_window_buffer> (default 24576, larger may be faster, max 1MB)
-K <keepalive>  (0 is never, default 0, in seconds)
-I <idle_timeout>  (0 is never, default 0, in seconds)
-V    Version

The server options listed above can be placed in /etc/conf.d/dropbear to configure the daemon.

Server

Files

Edit /etc/conf.d/dropbear, the global (system wide) configuration file for the SSH daemon. Add at least the -w parameter to the configuration file so that root logins are disallowed while the dropbear daemon is running.

FILE /etc/conf.d/dropbear: Disable root logins via SSH
# /etc/conf.d/dropbear: config file for /etc/init.d/dropbear

# -w disables root logins
# -p # changes the port number to listen on
DROPBEAR_OPTS="-w"
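The single -w above is the minimum; the other server flags from `dropbear -h` (-s, -g, -B, -a, -j, -k, -T) also change the daemon's exposure. The following audit script is an added example and not Gentoo's or Dropbear's own tooling: it reads a DROPBEAR_OPTS string, parses the flags the help text documents, and prints one finding per line. It assumes flags are space separated as in the file above (a combined form such as -ws is not recognised), and the severity labels are the script's own.

```shell
#!/bin/sh
# Added example, not Gentoo's or Dropbear's own tooling: audit a DROPBEAR_OPTS
# string from /etc/conf.d/dropbear against the server flags that `dropbear -h`
# documents, and print one finding per line. The exit status is the number of
# findings (0 means nothing to report).
# Assumptions: flags are space separated (a combined form such as -ws is not
# recognised); the severity labels are this script's own.

dropbear_audit_opts() {
    opts="$1"
    has_w=0; has_s=0; has_g=0; has_B=0; has_a=0; has_j=0; has_k=0; tries=""
    # Word-split the option string into the positional parameters
    # (globbing disabled so a stray * cannot expand to file names).
    set -f
    set -- $opts
    set +f
    while [ $# -gt 0 ]; do
        case "$1" in
            -w) has_w=1 ;;
            -s) has_s=1 ;;
            -g) has_g=1 ;;
            -B) has_B=1 ;;
            -a) has_a=1 ;;
            -j) has_j=1 ;;
            -k) has_k=1 ;;
            -T) tries="${2:-missing}"; if [ $# -gt 1 ]; then shift; fi ;;
            # Other flags that take an argument: skip the argument as well.
            -b|-r|-G|-c|-p|-P|-W|-K|-I) if [ $# -gt 1 ]; then shift; fi ;;
        esac
        shift
    done

    n=0
    if [ "$has_w" -eq 0 ] && [ "$has_g" -eq 0 ]; then
        echo "high: root may log in with a password (neither -w nor -g)"; n=$((n + 1))
    elif [ "$has_w" -eq 0 ]; then
        echo "info: root may still log in with a key (-g without -w)"; n=$((n + 1))
    fi
    if [ "$has_s" -eq 0 ]; then
        echo "medium: password authentication enabled (no -s); keys only is safer"; n=$((n + 1))
    fi
    if [ "$has_B" -eq 1 ]; then
        echo "high: blank passwords accepted (-B)"; n=$((n + 1))
    fi
    if [ "$has_a" -eq 1 ]; then
        echo "medium: forwarded ports reachable from any host (-a)"; n=$((n + 1))
    fi
    if [ "$has_j" -eq 0 ] || [ "$has_k" -eq 0 ]; then
        echo "info: port forwarding enabled (add -j and -k if not needed)"; n=$((n + 1))
    fi
    if [ -z "$tries" ]; then
        echo "info: authentication tries left at the default of 10 (no -T)"; n=$((n + 1))
    else
        case "$tries" in
            *[!0-9]*) echo "medium: -T argument '$tries' is not a number"; n=$((n + 1)) ;;
            *) if [ "$tries" -gt 10 ]; then
                   echo "medium: -T $tries allows more attempts than the default of 10"; n=$((n + 1))
               fi ;;
        esac
    fi
    return "$n"
}

# Demonstration on two constructed option strings: the page's minimal "-w" and a
# stricter set (deny root, keys only, no forwarding, 3 tries, 10 minute idle timeout).
for sample in "-w" "-w -s -j -k -T 3 -I 600"; do
    echo "== DROPBEAR_OPTS=\"$sample\""
    dropbear_audit_opts "$sample" || echo "($? findings)"
done
```

To check a live configuration, source the file first and pass the variable through: `. /etc/conf.d/dropbear; dropbear_audit_opts "$DROPBEAR_OPTS"`. The "info" lines are not faults, only defaults worth a conscious decision; -s in particular must only be added once key-based logins are confirmed to work.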
OpenRC

root # rc-update add dropbear default
root # /etc/init.d/dropbear start

systemd

Client

Usage

Client

The SSH client used to open an SSH session to a target node is called dbclient.

user $ dbclient -h
Dropbear SSH client v2020.80 https://matt.ucc.asn.au/dropbear/dropbear.html
Usage: dbclient [options] [user@]host[/port][,[user@]host/port],...] [command]
-p <remoteport>
-l <username>
-t    Allocate a pty
-T    Don't allocate a pty
-N    Don't run a remote command
-f    Run in background after auth
-y    Always accept remote host key if unknown
-y -y Don't perform any remote host key checking (caution)
-s    Request a subsystem (use by external sftp)
-o option     Set option in OpenSSH-like format ('-o help' to list options)
-i <identityfile>   (multiple allowed, default .ssh/id_dropbear)
-A    Enable agent auth forwarding
-L <[listenaddress:]listenport:remotehost:remoteport> Local port forwarding
-g    Allow remote hosts to connect to forwarded ports
-R <[listenaddress:]listenport:remotehost:remoteport> Remote port forwarding
-W <receive_window_buffer> (default 24576, larger may be faster, max 1MB)
-K <keepalive>  (0 is never, default 0)
-I <idle_timeout>  (0 is never, default 0)
-B <endhost:endport> Netcat-alike forwarding
-J <proxy_program> Use program pipe rather than TCP connection
-c <cipher list> Specify preferred ciphers ('-c help' to list options)
-m <MAC list> Specify preferred MACs for packet verification (or '-m help')
-b    [bind_address][:bind_port]
-V    Version

To open an SSH session to a target node, use the following command. The example below shows how to log in as user larry to the server gentoo.org, which runs the SSH service on TCP port 2000:

user $ dbclient larry@gentoo.org/2000
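Note that dbclient takes the port as part of the target (host/port) rather than only through -p, and that the usage line allows a comma-separated chain of hops. The following parser is an added example, not Dropbear's own code: it splits a target written in the form shown by `dbclient -h`, [user@]host[/port][,[user@]host/port,...], into hops and prints each with the defaults filled in (port 22, the current user). It assumes host names contain no ',', '@' or '/' and that ports are decimal; the two-hop chain is a constructed sample.

```shell
#!/bin/sh
# Added example, not Dropbear's own code: parse a dbclient target of the form
# [user@]host[/port][,[user@]host/port,...] and print one line per hop.
# Assumptions: host names contain no ',' '@' or '/', and ports are decimal.
# Returns 1 on a malformed hop (non-numeric port or empty host).

dbclient_parse_target() {
    rest="$1"
    hop=0
    while [ -n "$rest" ]; do
        # Split off the next comma-separated hop.
        case "$rest" in
            *,*) spec="${rest%%,*}"; rest="${rest#*,}" ;;
            *)   spec="$rest"; rest="" ;;
        esac
        hop=$((hop + 1))
        # Optional user@ prefix; dbclient falls back to the current user.
        user="(current user)"
        case "$spec" in
            *@*) user="${spec%%@*}"; spec="${spec#*@}" ;;
        esac
        # Optional /port suffix; the SSH default is 22.
        port=22
        case "$spec" in
            */*) port="${spec##*/}"; spec="${spec%%/*}" ;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "hop=$hop error: port '$port' is not numeric" >&2; return 1 ;;
        esac
        if [ -z "$spec" ]; then
            echo "hop=$hop error: empty host" >&2; return 1
        fi
        echo "hop=$hop user=$user host=$spec port=$port"
    done
}

# The page's example target, then a constructed two-hop chain.
dbclient_parse_target "larry@gentoo.org/2000"
dbclient_parse_target "jump.example.org/2222,larry@internal.example.org/22"
```

Running the parser over a target before handing it to dbclient makes it obvious which host a multi-hop chain actually terminates at, which is the host whose key the -y options would otherwise accept unchecked.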

Removal

root # emerge --ask --depclean --verbose net-misc/dropbear

See also

  • OpenSSH — an encrypted terminal program that replaces the classic telnet tool on Unix-like operating systems.

External resources