This is Dropbear, a smallish SSH 2 server and client.
https://matt.ucc.asn.au/dropbear/dropbear.html

INSTALL has compilation instructions.

MULTI has instructions on making a multi-purpose binary (i.e. a single binary
which performs multiple tasks, to save disk space).

SMALL has some tips on creating small binaries.

See TODO for a few of the things I know need looking at, and please contact
me if you have any questions/bugs found/features/ideas/comments etc :)

Matt Johnston
[email protected]

In the absence of detailed documentation, some notes follow:
============================================================================

Server public key auth:

You can use ~/.ssh/authorized_keys in the same way as with OpenSSH, just put
the key entries in that file. They should be of the form:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwVa6M6cGVmUcLl2cFzkxEoJd06Ub4bVDsYrWvXhvUV+ZAM9uGuewZBDoAqNKJxoIn0Hyd0Nk/yU99UVv6NWV/5YSHtnf35LKds56j7cuzoQpFIdjNwdxAN0PCET/MG8qyskG/2IE2DPNIaJ3Wy+Ws4IZEgdJgPlTYUBWWtCWOGc= [email protected]

You must make sure that ~/.ssh, and the key file, are only writable by the
user. Beware of editors that split the key into multiple lines.

NOTE: Dropbear does not support authorized_keys options such as those
described in the OpenSSH sshd manpage. It ignores the options and will not
allow a login for keys that carry them.
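
The three pitfalls above (write permissions, keys split across lines, entries
carrying options) can be checked before a login fails. The script below is an
added example, not part of Dropbear; the function names and the sample key are
constructed for illustration, and it goes slightly beyond the text by walking
the length-prefixed fields of the key data to spot truncation.

```python
import base64, os, stat, tempfile

KEY_TYPES = ("ssh-rsa", "ssh-dss")  # the key types this README mentions

def blob_ok(blob, key_type):
    """Walk the length-prefixed fields; a truncated blob overruns its length."""
    pos, fields = 0, []
    while pos < len(blob):
        n = int.from_bytes(blob[pos:pos + 4], "big")
        if pos + 4 + n > len(blob):
            return False
        fields.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return len(fields) >= 3 and fields[0] == key_type.encode()

def check_entry(line):
    """Return None for a usable entry, otherwise the reason it will not work."""
    parts = line.split()
    if parts[0] not in KEY_TYPES:
        return "does not start with a key type (options, or tail of a split key)"
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except (IndexError, ValueError):
        return "key data missing or not valid base64 (split line?)"
    return None if blob_ok(blob, parts[0]) else "key data truncated (split line?)"

def audit(path):
    """Return (location, reason) findings for an authorized_keys file."""
    findings = []
    for p in (os.path.dirname(path), path):  # ~/.ssh and the key file itself
        if os.stat(p).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((p, "writable by group or others"))
    with open(path) as fh:
        for no, line in enumerate(fh, 1):
            line = line.strip()  # blank and '#' lines are skipped by this script
            if line and not line.startswith("#") and (reason := check_entry(line)):
                findings.append((f"line {no}", reason))
    return findings

def demo():
    """Constructed sample: not a real key, only a well-formed ssh-rsa layout."""
    f = lambda b: len(b).to_bytes(4, "big") + b
    key = base64.b64encode(f(b"ssh-rsa") + f(b"\x23") + f(b"\x00" + b"\xc1" * 32)).decode()
    path = os.path.join(tempfile.mkdtemp(), "authorized_keys")
    with open(path, "w") as fh:
        fh.write(f"ssh-rsa {key} ok\nno-pty ssh-rsa {key} opts\n"
                 f"ssh-rsa {key[:32]}\n{key[32:]} split\n")
    os.chmod(path, 0o620)  # group-writable on purpose, to trigger the finding
    return audit(path)
```

Run `audit(os.path.expanduser("~/.ssh/authorized_keys"))` on the server account; an empty list means none of the three problems was found.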

============================================================================

Client public key auth:

Dropbear can do public key auth as a client, but you will have to convert
OpenSSH style keys to Dropbear format, or use dropbearkey to create them.

If you have an OpenSSH-style private key ~/.ssh/id_rsa, you need to do:

dropbearconvert openssh dropbear ~/.ssh/id_rsa  ~/.ssh/id_rsa.db
dbclient -i ~/.ssh/id_rsa.db <hostname>

Currently encrypted keys aren't supported, neither is agent forwarding. At some
stage both hopefully will be.

============================================================================

If you want to get the public-key portion of a Dropbear private key, look at
dropbearkey's '-y' option.

============================================================================

To run the server, you need to generate server keys. This is a one-off step:
./dropbearkey -t rsa -f dropbear_rsa_host_key
./dropbearkey -t dss -f dropbear_dss_host_key

or alternatively convert OpenSSH keys to Dropbear:
./dropbearconvert openssh dropbear /etc/ssh/ssh_host_dsa_key dropbear_dss_host_key

============================================================================

If the server is run as non-root, you most likely won't be able to allocate a
pty, and you cannot log in as any user other than the one running the daemon
(obviously). Shadow passwords will also be unusable as non-root.

============================================================================

The Dropbear distribution includes a standalone version of OpenSSH's scp
program. You can compile it with "make scp". You may want to change the path
of the ssh binary, specified by _PATH_SSH_PROGRAM in options.h. By default
the progress meter isn't compiled in, to save space; you can enable it by
adding 'SCPPROGRESS=1' to the make command line.