Dropbear
Dropbear is a lightweight SSH 2 server and client designed for small memory environments. It runs on a variety of POSIX-based platforms.
Installation
USE flags
USE flags for net-misc/dropbear (Small SSH 2 client/server designed for small memory environments)

+shadow         Enable shadow password support
+syslog         Enable support for syslog
+test-async     Enable tests using dev-python/asyncssh
bsdpty          Add support for legacy BSD pty's rather than dynamic UNIX pty's -- do not use this flag unless you are absolutely sure you actually want it
legacy-ciphers  Enable support for deprecated, soon-to-be-dropped DSA keys. See https://marc.info/?l=openssh-unix-dev&m=170494903207436&w=2.
minimal         Install a very minimal build (disables, for example, plugins, fonts, most drivers, non-critical features)
multicall       Build all the programs as one little binary (to save space)
pam             Add support for PAM (Pluggable Authentication Modules) - DANGEROUS to arbitrarily flip
savedconfig     Use this to restore your config from /etc/portage/savedconfig ${CATEGORY}/${PN}. Make sure your USE flags allow for appropriate dependencies
static          !!do not set this during bootstrap!! Causes binaries to be statically linked instead of dynamically
test            Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)
verify-sig      Verify upstream signatures on distfiles
zlib            Add support for zlib compression
Emerge
root # emerge --ask net-misc/dropbear
Configuration
For the built-in help and the full list of options, run:
user $ dropbear -h
Dropbear server v2020.80 https://matt.ucc.asn.au/dropbear/dropbear.html
Usage: dropbear [options]
-b bannerfile	Display the contents of bannerfile before user login
		(default: none)
-r keyfile      Specify hostkeys (repeatable)
		defaults:
		- dss /etc/dropbear/dropbear_dss_host_key
		- rsa /etc/dropbear/dropbear_rsa_host_key
		- ecdsa /etc/dropbear/dropbear_ecdsa_host_key
		- ed25519 /etc/dropbear/dropbear_ed25519_host_key
-R		Create hostkeys as required
-F		Don't fork into background
-E		Log to stderr rather than syslog
-m		Don't display the motd on login
-w		Disallow root logins
-G		Restrict logins to members of specified group
-s		Disable password logins
-g		Disable password logins for root
-B		Allow blank password logins
-T		Maximum authentication tries (default 10)
-j		Disable local port forwarding
-k		Disable remote port forwarding
-a		Allow connections to forwarded ports from any host
-c command	Force executed command
-p [address:]port	Listen on specified tcp port (and optionally address),
		up to 10 can be specified
		(default port is 22 if none specified)
-P PidFile	Create pid file PidFile
		(default /var/run/dropbear.pid)
-i		Start for inetd
-W <receive_window_buffer> (default 24576, larger may be faster, max 1MB)
-K <keepalive>  (0 is never, default 0, in seconds)
-I <idle_timeout>  (0 is never, default 0, in seconds)
-V    Version
The options listed above are passed to the daemon through the DROPBEAR_OPTS variable in /etc/conf.d/dropbear, described below.
Server
Files
Edit /etc/conf.d/dropbear, the global (system-wide) configuration file for the SSH daemon. Add at least the -w parameter to DROPBEAR_OPTS so that root logins are refused while the dropbear daemon is running; for key-only authentication add -s as well (or -g to refuse password logins for root only).
# /etc/conf.d/dropbear: config file for /etc/init.d/dropbear
# -w disables root logins
# -p changes the TCP port number to listen on, default TCP port 22
DROPBEAR_OPTS="-w"
Assigning a different TCP port with -p (for example 2222) from the start avoids a collision on the default port 22 when OpenSSH runs on the same system.
# /etc/conf.d/dropbear: config file for /etc/init.d/dropbear
# -w disables root logins
# -p changes the TCP port number to listen to 2222
DROPBEAR_OPTS="-w -p 2222"
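The following script is an added example and is not part of the wiki page or of the Dropbear project. It reads the DROPBEAR_OPTS line from a conf.d file without sourcing it, walks the option string the way dropbear parses argv (combined single-letter flags such as -ws, values either attached as in -p2222 or in the next word), and reports which of the hardening flags from the help text above (-w, -s/-g) are missing and which permissive flags (-B, -a) are present. The sample options string at the bottom is constructed for the demonstration; the set of option letters that take a value is taken from the help output.

```shell
#!/bin/sh
# Added example (not from the Gentoo wiki or Dropbear): audit DROPBEAR_OPTS
# for the hardening flags documented in `dropbear -h`.

# Print the value of the last DROPBEAR_OPTS= assignment in the file $1,
# quotes stripped, without sourcing the file.
dropbear_opts_from_conf() {
    grep '^[[:space:]]*DROPBEAR_OPTS=' "$1" | tail -n 1 \
        | sed -e 's/^[^=]*=//' -e 's/^["'\'']//' -e 's/["'\'']$//'
}

# Walk an options string the way dropbear parses argv: each word starts
# with "-", single-letter flags may be combined ("-wsg"), and a letter that
# takes a value consumes the rest of its word or the next word ("-p2222"
# and "-p 2222" are equivalent).  Results are left in the DB_* variables.
parse_dropbear_opts() {
    DB_W=0 DB_S=0 DB_G=0 DB_B=0 DB_A=0 DB_PORT=22
    set -- $1
    while [ $# -gt 0 ]; do
        word=$1; shift
        case $word in -?*) ;; *) continue ;; esac
        rest=${word#-}
        while [ -n "$rest" ]; do
            c=$(printf '%.1s' "$rest")     # first remaining character
            rest=${rest#?}
            case $c in
                w) DB_W=1 ;;
                s) DB_S=1 ;;
                g) DB_G=1 ;;
                B) DB_B=1 ;;
                a) DB_A=1 ;;
                p)  # -p [address:]port; the last port given wins here
                    if [ -n "$rest" ]; then val=$rest
                    elif [ $# -gt 0 ]; then val=$1; shift
                    else val=; fi
                    DB_PORT=${val##*:}
                    rest= ;;
                b|r|G|T|c|P|W|K|I)  # takes a value we do not inspect
                    if [ -z "$rest" ] && [ $# -gt 0 ]; then shift; fi
                    rest= ;;
            esac
        done
    done
}

# Print one finding per line for the options string $1; return 0 only when
# root login and password authentication are disabled and no permissive
# flag is present.
audit_dropbear_opts() {
    parse_dropbear_opts "$1"
    rc=0
    [ "$DB_W" -eq 1 ] || { echo "root login allowed: add -w"; rc=1; }
    if [ "$DB_S" -eq 0 ]; then
        if [ "$DB_G" -eq 1 ]; then
            echo "password login allowed for non-root users: add -s for key-only auth"
        else
            echo "password login allowed for all users, root included: add -s (or at least -g)"
        fi
        rc=1
    fi
    [ "$DB_B" -eq 0 ] || { echo "blank passwords accepted: drop -B"; rc=1; }
    [ "$DB_A" -eq 0 ] || { echo "forwarded ports reachable from any host: drop -a"; rc=1; }
    [ "$DB_PORT" != 22 ] || echo "note: listening on default port 22, which collides with OpenSSH on the same host"
    return $rc
}

# Constructed sample: the wiki's second example plus one weak flag.
SAMPLE_OPTS='-w -p 2222 -B'

if [ $# -gt 0 ]; then
    # Usage: sh audit-dropbear.sh /etc/conf.d/dropbear
    audit_dropbear_opts "$(dropbear_opts_from_conf "$1")"
else
    echo "auditing sample DROPBEAR_OPTS=\"$SAMPLE_OPTS\""
    audit_dropbear_opts "$SAMPLE_OPTS" || echo "sample configuration needs hardening"
fi
```

Run it with the path of the conf.d file to audit the live configuration; the exit status is non-zero whenever a finding was printed, so it can gate a deployment step.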
OpenRC
root # rc-update add dropbear default
root # /etc/init.d/dropbear start
systemd
Client
Usage
Client
The SSH client used to open an SSH session to a target node is called dbclient.
user $ dbclient -h
Dropbear SSH client v2020.80 https://matt.ucc.asn.au/dropbear/dropbear.html
Usage: dbclient [options] [user@]host[/port][,[user@]host/port],...] [command]
-p <remoteport>
-l <username>
-t    Allocate a pty
-T    Don't allocate a pty
-N    Don't run a remote command
-f    Run in background after auth
-y    Always accept remote host key if unknown
-y -y Don't perform any remote host key checking (caution)
-s    Request a subsystem (use by external sftp)
-o option     Set option in OpenSSH-like format ('-o help' to list options)
-i <identityfile>   (multiple allowed, default .ssh/id_dropbear)
-A    Enable agent auth forwarding
-L <[listenaddress:]listenport:remotehost:remoteport> Local port forwarding
-g    Allow remote hosts to connect to forwarded ports
-R <[listenaddress:]listenport:remotehost:remoteport> Remote port forwarding
-W <receive_window_buffer> (default 24576, larger may be faster, max 1MB)
-K <keepalive>  (0 is never, default 0)
-I <idle_timeout>  (0 is never, default 0)
-B <endhost:endport> Netcat-alike forwarding
-J <proxy_program> Use program pipe rather than TCP connection
-c <cipher list> Specify preferred ciphers ('-c help' to list options)
-m <MAC list> Specify preferred MACs for packet verification (or '-m help')
-b    [bind_address][:bind_port]
-V    Version
To open an SSH session to a target node, use the following command. The example below logs in as user larry to the server gentoo.org, which runs the SSH service on TCP port 2222:
user $ dbclient larry@gentoo.org/2222
Avoid -y -y in scripts: as the help text warns, it disables remote host key checking entirely, so the client will happily talk to any host answering on that port.
Troubleshooting
Verify the TCP ports bound by the running dropbear daemon (the pattern also keeps the header line and any sshd listener for comparison):
root # ss -tulpen | grep -E 'Net|drop|sshd'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      1000   0.0.0.0:2222      0.0.0.0:*         users:(("dropbear",pid=32739,fd=4)) ino:55966 sk:1004 <->
tcp   LISTEN 0      0      0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=9680,fd=3)) ino:27008 sk:81b26748
tcp   LISTEN 0      1000   [::]:2222         [::]:*            users:(("dropbear",pid=32739,fd=5)) ino:55967 sk:1005 v6only:1 <->
This shows dropbear listening on port 2222 on all local interfaces, for both IPv4 (0.0.0.0) and IPv6 ([::]), while OpenSSH keeps the default port 22.
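The script below is an added example, not part of the wiki page or of Dropbear. It turns the manual check above into something repeatable: it extracts the LISTEN sockets owned by a named process from `ss -tulpen` output and confirms that the process is bound to the expected port on both 0.0.0.0 and [::], reporting any other socket the process holds. The embedded listing is constructed from the output shown on this page; the process name and port are parameters.

```shell
#!/bin/sh
# Added example (not from the Gentoo wiki or Dropbear): check `ss -tulpen`
# output for the expected dropbear listeners.

# Constructed sample, taken from the listing shown on this page.
SS_SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      1000   0.0.0.0:2222      0.0.0.0:*         users:(("dropbear",pid=32739,fd=4)) ino:55966 sk:1004 <->
tcp   LISTEN 0      0      0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=9680,fd=3)) ino:27008 sk:81b26748
tcp   LISTEN 0      1000   [::]:2222         [::]:*            users:(("dropbear",pid=32739,fd=5)) ino:55967 sk:1005 v6only:1 <->'

# Read ss output from stdin and print "proto local-address:port" for every
# LISTEN socket whose Process column names $1 (the users:(("name",...)) part).
listening_sockets_of() {
    awk -v proc="\"$1\"" \
        '$2 == "LISTEN" && index($0, "users:((" proc ",") { print $1, $5 }'
}

# Read the lines printed by listening_sockets_of from stdin.  Return 0 when
# $1 listens on TCP port $2 on all IPv4 and all IPv6 interfaces and holds no
# other socket; print what deviates otherwise.
check_listen() {
    proc=$1 port=$2 v4=0 v6=0 extra=0
    while read -r proto addr; do
        case "$proto $addr" in
            "tcp 0.0.0.0:$port") v4=1 ;;
            "tcp [::]:$port")    v6=1 ;;
            *) echo "unexpected socket for $proc: $proto $addr"; extra=1 ;;
        esac
    done
    [ $v4 -eq 1 ] || echo "$proc not listening on IPv4 0.0.0.0:$port"
    [ $v6 -eq 1 ] || echo "$proc not listening on IPv6 [::]:$port"
    [ $v4 -eq 1 ] && [ $v6 -eq 1 ] && [ $extra -eq 0 ]
}

if [ $# -gt 0 ]; then
    # Live usage: ss -tulpen | sh check-listen.sh dropbear 2222
    listening_sockets_of "$1" | check_listen "$1" "${2:-22}"
else
    printf '%s\n' "$SS_SAMPLE" | listening_sockets_of dropbear | check_listen dropbear 2222 \
        && echo "dropbear listens on 2222 for IPv4 and IPv6 as configured"
fi
```

Pipe the real `ss -tulpen` output into the script with the process name and the port from DROPBEAR_OPTS; a non-zero exit status means the daemon is not bound the way the configuration intends, for example because the port is already held by sshd.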
Removal
root # emerge --ask --depclean --verbose net-misc/dropbear
See also
- OpenSSH — the ubiquitous tool for logging into and working on remote machines securely.