Dropbear
From Gentoo Wiki
Dropbear is a lightweight SSH server. It runs on a variety of POSIX-based platforms.
Installation
USE flags
USE flags for net-misc/dropbear Small SSH 2 client/server designed for small memory environments
+shadow
|
Enable shadow password support |
+syslog
|
Enable support for syslog |
bsdpty
|
Add support for legacy BSD pty's rather than dynamic UNIX pty's -- do not use this flag unless you are absolutely sure you actually want it |
minimal
|
Install a very minimal build (disables, for example, plugins, fonts, most drivers, non-critical features) |
multicall
|
Build all the programs as one little binary (to save space) |
pam
|
Add support for PAM (Pluggable Authentication Modules) - DANGEROUS to arbitrarily flip |
savedconfig
|
Use this to restore your config from /etc/portage/savedconfig ${CATEGORY}/${PN}. Make sure your USE flags allow for appropriate dependencies |
static
|
!!do not set this during bootstrap!! Causes binaries to be statically linked instead of dynamically |
test
|
Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently) |
verify-sig
|
Verify upstream signatures on distfiles |
zlib
|
Add support for zlib compression |
Emerge
root #emerge --ask net-misc/dropbearConfiguration
For manual and help use following command:
user $dropbear -hDropbear server v2020.80 https://matt.ucc.asn.au/dropbear/dropbear.html
Usage: dropbear [options]
-b bannerfile Display the contents of bannerfile before user login
(default: none)
-r keyfile Specify hostkeys (repeatable)
defaults:
- dss /etc/dropbear/dropbear_dss_host_key
- rsa /etc/dropbear/dropbear_rsa_host_key
- ecdsa /etc/dropbear/dropbear_ecdsa_host_key
- ed25519 /etc/dropbear/dropbear_ed25519_host_key
-R Create hostkeys as required
-F Don't fork into background
-E Log to stderr rather than syslog
-m Don't display the motd on login
-w Disallow root logins
-G Restrict logins to members of specified group
-s Disable password logins
-g Disable password logins for root
-B Allow blank password logins
-T Maximum authentication tries (default 10)
-j Disable local port forwarding
-k Disable remote port forwarding
-a Allow connections to forwarded ports from any host
-c command Force executed command
-p [address:]port
Listen on specified tcp port (and optionally address),
up to 10 can be specified
(default port is 22 if none specified)
-P PidFile Create pid file PidFile
(default /var/run/dropbear.pid)
-i Start for inetd
-W <receive_window_buffer> (default 24576, larger may be faster, max 1MB)
-K <keepalive> (0 is never, default 0, in seconds)
-I <idle_timeout> (0 is never, default 0, in seconds)
-V Version
The listed running options can be used below to configure the /etc/conf.d/dropbear daemon.
Server
Files
Edit /etc/conf.d/dropbear - Global (system wide) configuration file for the SSH daemon. Add at least the -w parameter to the configuration file file to disable root login while running dropbear daemon.
FILE
/etc/conf.d/dropbearDisable Root logins via SSH# /etc/conf.d/dropbear: config file for /etc/init.d/dropbear
# -w disables root logins
# -p changes the TCP port number to listen on, default TCP port 22
DROPBEAR_OPTS="-w"
Assigning a different TCP port number -p to f.e.: 2222 at the beginning, saves the possible default port assingment collision, when running OpenSSH on the same system.
FILE
/etc/conf.d/dropbearDisable Root logins via SSH, run on port 2222# /etc/conf.d/dropbear: config file for /etc/init.d/dropbear
# -w disables root logins
# -p changes the TCP port number to listen to 2222
DROPBEAR_OPTS="-w -p 2222"
OpenRC
root #rc-update add dropbear defaultroot #/etc/init.d/dropbear startsystemd
Client
Usage
Client
The SSH client software to open a SSH session to target node, is called dbclient.
user $dbclient -hDropbear SSH client v2020.80 https://matt.ucc.asn.au/dropbear/dropbear.html
Usage: dbclient [options] [user@]host[/port][,[user@]host/port],...] [command]
-p <remoteport>
-l <username>
-t Allocate a pty
-T Don't allocate a pty
-N Don't run a remote command
-f Run in background after auth
-y Always accept remote host key if unknown
-y -y Don't perform any remote host key checking (caution)
-s Request a subsystem (use by external sftp)
-o option Set option in OpenSSH-like format ('-o help' to list options)
-i <identityfile> (multiple allowed, default .ssh/id_dropbear)
-A Enable agent auth forwarding
-L <[listenaddress:]listenport:remotehost:remoteport> Local port forwarding
-g Allow remote hosts to connect to forwarded ports
-R <[listenaddress:]listenport:remotehost:remoteport> Remote port forwarding
-W <receive_window_buffer> (default 24576, larger may be faster, max 1MB)
-K <keepalive> (0 is never, default 0)
-I <idle_timeout> (0 is never, default 0)
-B <endhost:endport> Netcat-alike forwarding
-J <proxy_program> Use program pipe rather than TCP connection
-c <cipher list> Specify preferred ciphers ('-c help' to list options)
-m <MAC list> Specify preferred MACs for packet verification (or '-m help')
-b [bind_address][:bind_port]
-V Version
To open a SSH session to a target node use following command. In example below it is shown how to login using larry username, to gentoo.org server, running the SSH service on TCP port 2222.
user $dbclient larry@gentoo.org/2222Troubleshooting
Verify the used TCP ports bound to a running dropbaer daemon:
root #ss -tulpen | egrep 'Net|drop'Netid State Recv-Q Send-Q Local Address:Port Peer Address:PortProcess
tcp LISTEN 0 1000 0.0.0.0:2222 0.0.0.0:* users:(("dropbear",pid=32739,fd=4)) ino:55966 sk:1004 <->
tcp LISTEN 0 0 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=9680,fd=3)) ino:27008 sk:81b26748
tcp LISTEN 0 1000 [::]:2222 [::]:* users:(("dropbear",pid=32739,fd=5)) ino:55967 sk:1005 v6only:1 <->
Showing dropbear runs on port 2222, on all local interfaces, using IPv4 0.0.0.0 and IPv6 [::].
Removal
root #emerge --ask --depclean --verbose net-misc/dropbearSee also
- OpenSSH — the ubiquitous tool for logging into and working on remote machines securely.