This is Dropbear, a smallish SSH server and client.
https://matt.ucc.asn.au/dropbear/dropbear.html

INSTALL has compilation instructions.

MULTI has instructions on making a multi-purpose binary (ie a single binary
which performs multiple tasks, to save disk space)

SMALL has some tips on creating small binaries.

See TODO for a few of the things I know need looking at, and please contact
me if you have any questions/bugs found/features/ideas/comments etc :)

Matt Johnston
[email protected]

In the absence of detailed documentation, some notes follow:
============================================================================

Server public key auth:

You can use ~/.ssh/authorized_keys in the same way as with OpenSSH, just put
the key entries in that file. They should be of the form:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwVa6M6cGVmUcLl2cFzkxEoJd06Ub4bVDsYrWvXhvUV+ZAM9uGuewZBDoAqNKJxoIn0Hyd0Nk/yU99UVv6NWV/5YSHtnf35LKds56j7cuzoQpFIdjNwdxAN0PCET/MG8qyskG/2IE2DPNIaJ3Wy+Ws4IZEgdJgPlTYUBWWtCWOGc= [email protected]

You must make sure that ~/.ssh, and the key file, are only writable by the
user. Beware of editors that split the key into multiple lines.
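
Both warnings above (write permissions, and a key split across lines) can be
checked with a short script. This is an added example, not part of Dropbear;
the function names are made up here and the list of key types is an assumption.

```shell
#!/bin/sh
# Added example, not from the Dropbear sources. Function names are made up here.

# True if $1 exists, belongs to the current user, and is not writable by
# group or others ("only writable by the user").
perms_ok() {
    [ -e "$1" ] || return 1
    [ -z "$(find "$1" -prune \( ! -user "$(id -u)" -o -perm -020 -o -perm -002 \))" ]
}

# Prints "LINE: problem" for each entry that is not one complete key and
# returns non-zero if there were any.
keys_ok() {
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    {
        blob = ""
        # Options may come first, so look for the key-type field anywhere.
        for (i = 1; i < NF; i++)
            if ($i ~ /^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-[a-z0-9]+)$/) {
                blob = $(i + 1)
                break
            }
        if (blob == "") {
            print NR ": no key type followed by key data (fragment of a split key?)"
            bad = 1
        } else if (blob !~ "^AAAA[A-Za-z0-9+/]+=*$" || length(blob) % 4) {
            # Key data is base64 of a blob that begins with a 4-byte length,
            # so it starts with AAAA and its length is a multiple of four.
            print NR ": key data is cut short or is not base64"
            bad = 1
        }
    }
    END { exit bad + 0 }' "$1"
}

# Usage: check_authkeys ~/.ssh
check_authkeys() {
    rc=0
    for p in "$1" "$1/authorized_keys"; do
        perms_ok "$p" || { echo "$p: missing, not owned by you, or writable by others"; rc=1; }
    done
    keys_ok "$1/authorized_keys" || rc=1
    return "$rc"
}
```
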

Dropbear supports some options for authorized_keys entries, see the manpage.

============================================================================

Client public key auth:

Dropbear can do public key auth as a client, but you will have to convert
OpenSSH style keys to Dropbear format, or use dropbearkey to create them.

If you have an OpenSSH-style private key ~/.ssh/id_rsa, you need to do:

dropbearconvert openssh dropbear ~/.ssh/id_rsa  ~/.ssh/id_rsa.db
dbclient -i ~/.ssh/id_rsa.db <hostname>

Dropbear does not support encrypted hostkeys, though it can connect to ssh-agent.

============================================================================

If you want to get the public-key portion of a Dropbear private key, look at
dropbearkey's '-y' option.

============================================================================

To run the server, you need to generate server keys; this is a one-off:
./dropbearkey -t rsa -f dropbear_rsa_host_key
./dropbearkey -t dss -f dropbear_dss_host_key
./dropbearkey -t ecdsa -f dropbear_ecdsa_host_key

or alternatively convert OpenSSH keys to Dropbear:
./dropbearconvert openssh dropbear /etc/ssh/ssh_host_dsa_key dropbear_dss_host_key

You can also get Dropbear to create keys when the first connection is made -
this is preferable to generating keys when the system boots. Make sure 
/etc/dropbear/ exists and then pass '-R' to the dropbear server.

============================================================================

If the server is run as non-root, you most likely won't be able to allocate a
pty, and you cannot login as any user other than that running the daemon
(obviously). Shadow passwords will also be unusable as non-root.

============================================================================

The Dropbear distribution includes a standalone version of OpenSSH's scp
program. You can compile it with "make scp"; you may want to change the path
of the ssh binary, specified by _PATH_SSH_PROGRAM in options.h. By default
the progress meter isn't compiled in, to save space; you can enable it by
adding 'SCPPROGRESS=1' to the make command line.