{"id":30,"date":"2010-05-12T23:58:40","date_gmt":"2010-05-12T22:58:40","guid":{"rendered":"http:\/\/paguilar.org\/?p=30"},"modified":"2010-05-12T23:58:40","modified_gmt":"2010-05-12T22:58:40","slug":"compiling-and-running-dropbear-a-thin-secure-shell-server","status":"publish","type":"post","link":"https:\/\/paguilar.org\/?p=30","title":{"rendered":"Compiling and running Dropbear: a thin Secure Shell server"},"content":{"rendered":"<p>Dropbear is a thin Secure Shell 2 (SSH 2) server and client. It is a good alternative to OpenSSH when you have storage and memory restrictions, especially in embedded systems.<\/p>\n<p>Cross-compiling and running Dropbear in an embedded system is not a difficult task, but the documentation is not very clear for everybody. You can start by reading the README and INSTALL files contained in the package and then, if you still have questions, you can keep reading this article, in which I&#8217;ll try to give a short and clear explanation:<\/p>\n<p>As you may expect from a package of this kind that was written with embedded systems in mind, it supports uClibc. The configuration, compilation and installation are the same as for libc, but there can be some tweaks, which are described in the INSTALL file.<\/p>\n<p><strong>Download<\/strong><br \/>\n<a href=\"http:\/\/matt.ucc.asn.au\/dropbear\/dropbear-0.52.tar.bz2\">http:\/\/matt.ucc.asn.au\/dropbear\/dropbear-0.52.tar.bz2<\/a><\/p>\n<p><strong>Environment configuration<\/strong><br \/>\nAs usual, set the environment variables that make our life easier. Change them according to your needs.<br \/>\nI normally have an SH4-based processor on my desk at home.<\/p>\n<pre lang=\"bash\">\n$ export PREFIX=\/opt\/STM\/STLinux-2.3\/devkit\/sh4\/target\/usr\/local\n$ export HOST=sh4-linux\n$ export BUILD=i386-linux\n$ export COMPILER=sh4-linux-gcc\n<\/pre>\n<p><strong>Configuration<\/strong><\/p>\n<p>Dropbear doesn&#8217;t have a configure script since it&#8217;s not based on autotools. 
It contains an options.h file in which you can select many parameters, ranging from the key installation paths to the supported encryption algorithms and X11 forwarding, among others.<br \/>\nI strongly suggest you have a look at this file. This will give you a good idea of what Dropbear is capable of.<br \/>\nIn any case, I list here what I consider some of the most relevant options for embedded systems:<\/p>\n<ul>\n<li>Small footprint &#8211; a price in speed must be paid when using some ciphers<\/li>\n<li>Six supported ciphers &#8211; 3DES, AES128, AES256, Blowfish, Twofish128 and Twofish256<\/li>\n<li>Adjustable receive window size and maximum size of transmitted and received packets<\/li>\n<\/ul>\n<p>Some other functionality enabled by <em>default<\/em> in OpenSSH, such as X11 forwarding, is supported in Dropbear too, but is not very relevant for embedded systems.<\/p>\n<p>Once you have decided the options that you need, the configuration is as straightforward as for many other packages:<\/p>\n<pre lang=\"bash\">\n$ CC=$COMPILER .\/configure --build=$BUILD --host=$HOST --prefix=$PREFIX\n<\/pre>\n<p><strong>Compilation<\/strong><\/p>\n<p>The compilation is the step that allows you to choose the services that you want in Dropbear: the generated binary is a multi-purpose executable that contains the functionality that you need. Here you can select if you want an executable that works as a server (<em>dropbear<\/em>), that generates keys (<em>dropbearkey<\/em>), that allows Secure Copy (<em>scp<\/em>), Secure FTP (<em>sftp<\/em>), and key conversion from OpenSSH to Dropbear format (<em>dropbearconvert<\/em> and <em>dbclient<\/em>).<br \/>\nIf you want at least two of these services you need to pass <em>make<\/em> the argument <em>PROGRAMS=\"the programs that you want\"<\/em> and the <em>MULTI=1<\/em> argument.<\/p>\n<p>In this same step you can choose if you want a dynamically or statically linked executable. 
For embedded systems it is common to use a statically linked executable by adding the <em>STATIC=1<\/em> argument to <em>make<\/em>.<\/p>\n<p>A final <em>make<\/em> command that contains the Dropbear server, its key generation and Secure Copy looks as follows:<\/p>\n<pre lang=\"bash\">\n$ make PROGRAMS=\"dropbear dropbearkey scp\" STATIC=1 MULTI=1<\/pre>\n<p><strong>Installation<\/strong><br \/>\nYou can use the standard method for installing Dropbear plus the same arguments used during compilation:<\/p>\n<pre lang=\"bash\">\n$ make PROGRAMS=\"dropbear dropbearkey scp\" STATIC=1 MULTI=1 install<\/pre>\n<p>But this will use the default path, which sometimes in embedded systems is not sufficient because different paths can be used. In these cases you&#8217;ll have to manually copy the executable called <em>dropbearmulti<\/em> to the desired location and create symbolic links that have the name of the program that you want to use and that point to this executable. If you have used Busybox, the concept of symbolic links pointing to the same executable will be familiar:<\/p>\n<pre lang=\"bash\">\n# $PREFIX\/..\/.. is the target's root filesystem: \/opt\/STM\/STLinux-2.3\/devkit\/sh4\/target\/\n# Copy the real executable dropbearmulti to the target's root filesystem \/usr\/local\/bin\n$ cp dropbearmulti $PREFIX\/bin\n\n# Create the symbolic links dropbearkey and dbclient next to the real executable\n$ cd $PREFIX\/bin\n$ ln -s dropbearmulti dropbearkey\n$ ln -s dropbearmulti dbclient\n\n# Create the symbolic link scp in the target's filesystem \/usr\/bin\n$ cd $PREFIX\/..\/bin\n$ ln -s ..\/local\/bin\/dropbearmulti scp\n<\/pre>\n<p>Stripping the binary is quite a good thing when you need to save storage:<\/p>\n<pre lang=\"bash\">\n$ cd $PREFIX\/bin\n$ sh4-linux-strip dropbearmulti\n<\/pre>\n<p>Dropbear 0.52 ships with an alternative standalone <em>scp<\/em> program that is taken from OpenSSH. 
If you want to use this instead of the default built-in one, you need to compile it separately:<\/p>\n<pre lang=\"bash\">$ make scp<\/pre>\n<p>For further compilation hints you can take a look at the SMALL and MULTI files provided in the package.<\/p>\n<p><strong>Keys creation<\/strong><\/p>\n<p>SSH uses public-key cryptography to authenticate a remote client. Thus, once you have Dropbear properly installed, but before using it, you need to create the cryptographic keys.<br \/>\nYou can read the following links for an in-depth explanation of how SSH and public-key cryptography work:<br \/>\nSSH: <a href=\"http:\/\/en.wikipedia.org\/wiki\/Secure_Shell\">http:\/\/en.wikipedia.org\/wiki\/Secure_Shell<\/a><br \/>\nPublic-key cryptography: <a href=\"http:\/\/en.wikipedia.org\/wiki\/Public-key_cryptography\">http:\/\/en.wikipedia.org\/wiki\/Public-key_cryptography<\/a><\/p>\n<p>You can create your keys using two different methods: RSA and DSS.<br \/>\nBoth kinds of keys seem to be equally secure, but RSA seems to be faster for signature verification, which is the most common operation when using the keys.<\/p>\n<p>Let&#8217;s create the keys using both methods.<br \/>\nConnect to your target via serial or telnet (at the end of this post you will, hopefully, use ssh instead of telnet):<\/p>\n<pre lang=\"bash\">\n$ mkdir -pv \/etc\/dropbear\n$ cd \/etc\/dropbear\n\n# Generate the RSA private and public keys.\n$ dropbearkey -t rsa -f dropbear_rsa_host_key\nWill output 1024 bit rsa secret key to 'dropbear_rsa_host_key'\nGenerating key, this may take a while...\nPublic key portion is: \nssh-rsa\nAAAAB3NzaC1yc2EAAAADAQABAAAAgncEwjavI+PfbQ+WNDYev\/g2f5PGTD7ZzAnauZP4dWOi0MTVFGOZXTf9\/cWXwx12zZ2KUOS5UfWk9SdH\/t67MPVDDptFaq0kJ5ReA6JzqhwaKguMIdNGTdM2HfwJabvSnDL4SZgpxXtOJYZhWaqMMO8OP560gE21h6O0mH75\/IBJUak=\nroot@my_target\nFingerprint: md5 0a:bb:43:82:41:7b:8a:8b:4d:41:43:e7:71:54:a7:ce\n\n# Generate the DSS private and public keys.\n$ dropbearkey -t dss -f dropbear_dss_host_key\nWill 
output 1024 bit dss secret key to 'dropbear_dss_host_key'\nGenerating key, this may take a while...\nPublic key portion is: \nssh-dss\nAAAAB3NzaC1kc3MAAACBALIEmhf5c65czi\/2rq1Xu2I0Vv+DqeEUQDDmeFke4nyBqVOuQTq8JrHzuRz8SbeohqhXWx\/\/546HLK\/RwIG6Gkj5+RQ7uvcc9bcprwJtQVU+U1qmgepPsl6e0Cofldbz+LBLWE5R1sg1ExX\/NzGNtKzIbukXUABK12\/sveGODeWpAAAAFQCNmGPNFcQyso8x+Zc52FLuRrtTfQAAAIEAiN4pNvhdyNX0lg1nop0ei+qp7H8kmurXWhZMZmaKWVYOc8YqvELL\/U1s9fNNPsxEBTi6ysYLM1MCHNizQ4x\/npsC\/1e6URaIub\/Dtf55N5Bn1LaItdK2EO1wLemf1\/+3yuvJvhvI2yaPEEAzIgmQatTdE38HwY3+AxXSgccqsBcAAACBAJv9gJtcu5rHGal4VCaVRcM41z+omA7agAtcpmcXOBXr719T2qSZF+GoAeLlfThndaCTchpDQXNDxwTaW6G9RxGOhrDgyKR4MgShljnBfq0wsVx06l23Ex92d8xSmXJz4E\/BwtLhjUouAsrW\/IJbxQlwp3stmvtik6IYP\/BiM2kf\nroot@my_target\nFingerprint: md5 a7:ad:8e:f8:d2:78:73:ec:a7:1b:aa:ba:9b:ad:aa:2a\n<\/pre>\n<p>Be sure that the private keys generated in <em>\/etc\/dropbear<\/em> remain secret!<br \/>\nThe generated public keys shown in this post are just an example.<\/p>\n<p><strong>Connect to the server using Dropbear<\/strong><\/p>\n<p>At this point you are able to connect to the target using your login\/passwd. 
Normally in an embedded system the only user is root.<\/p>\n<p>Start the Dropbear server on the target:<\/p>\n<pre lang=\"bash\">$ dropbear <\/pre>\n<p>Check the different execution options using the <em>--help<\/em> flag.<br \/>\nOptionally, but recommended, add the hostname of the client (host) to <em>\/etc\/hosts<\/em> in the target&#8217;s filesystem.<\/p>\n<p>Finally, you can use ssh and scp:<\/p>\n<pre lang=\"bash\">\n# Connect from host (client) to target (server) using SSH.\n# It will prompt for root's passwd.\n$ ssh root@192.168.0.135\n\n# Copy the file 'hola' from the host (client) to the directory \/etc in the target (server).\n# It will prompt for root's passwd.\n$ scp hola root@192.168.0.135:\/etc\/hola\n<\/pre>\n<p>If you need to connect very often to the target, typing the passwd each time can be very annoying and could pose a security risk.<br \/>\nIt would be better not to send the passwd at all.<\/p>\n<p>For this purpose you can store the public key of your host (client) in the target (server).<br \/>\nAssuming that your host (client) is a Unix machine that has OpenSSH installed, you can easily create your keys:<\/p>\n<pre lang=\"bash\">\n# Key creation in the host (client) using OpenSSH:\n$ ssh-keygen\nGenerating public\/private rsa key pair.\nEnter file in which to save the key (\/home\/user\/.ssh\/id_rsa): y\nEnter passphrase (empty for no passphrase): \nEnter same passphrase again: \nYour identification has been saved in y.\nYour public key has been saved in y.pub.\nThe key fingerprint is:\n74:84:22:e2:f9:6d:fc:b5:b1:72:40:58:e2:23:ff:ea user@my_client\nThe key's randomart image is:\n+--[ RSA 2048]----+\n|                 |\n|         .       |\n|    . . o ..     |\n|   . . +o.  .    |\n|    . . S..o.    |\n|     . o.+..o.   |\n|        . ....   |\n|          o. ..  |\n|         ..+B=+. 
|\n+-----------------+\n<\/pre>\n<p>You will end up with the private key <em>id_rsa<\/em> and public key <em>id_rsa.pub<\/em> in <em>\/home\/user\/.ssh\/<\/em>.<br \/>\nCopy the host&#8217;s (client) public key to ~\/.ssh\/authorized_keys in the target&#8217;s filesystem. Notice that ~ is normally \/root, but if you&#8217;re logging in with another username, change it accordingly.<br \/>\n<em>Warning<\/em>: If you copy-paste the public key, check that your text editor copies and pastes it correctly, otherwise you will end up with a broken key. You&#8217;re safe if you use vi.<\/p>\n<p>Once you have your host&#8217;s (client) public key in your target&#8217;s (server) filesystem, you can log in to your target without using a passwd, speeding up your login procedure!<\/p>\n<p><strong>Running from inetd<\/strong><\/p>\n<p>If you want to use Dropbear from <em>inetd<\/em> you have to enable it in the <em>options.h<\/em> file before compiling:<\/p>\n<pre lang=\"c\">#undef NON_INETD_MODE\n#define INETD_MODE<\/pre>\n<p>In the <em>inetd.conf<\/em> configuration file you have to add the following line:<\/p>\n<pre lang=\"bash\">22 stream tcp nowait root \/usr\/local\/bin\/dropbear dropbear -i<\/pre>\n<p>Notice that if you compile with <em>inetd<\/em> support, Dropbear will refuse to start from the command line. Obviously, this applies the other way around too.<\/p>\n<p><strong>Conclusion<\/strong><br \/>\nHaving a working Dropbear server is not a difficult task. You only have to pay attention, at compilation time, to the services you want from it and, when running it, to the location where you have to store the keys, especially if you want to use them for logging in without a passwd.<br \/>\nReading the INSTALL, README and other instruction files is always a good idea, no matter how extensive they are.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Dropbear is a thin Secure Shell 2 (SSH 2) server and client. 
It is a good alternative to OpenSSH when you have storage and memory restrictions, especially in embedded systems. Cross-compiling and running Dropbear in an embedded system is not a difficult task, but the documentation is not very clear for everybody. You can start\u2026 <span class=\"read-more\"><a href=\"https:\/\/paguilar.org\/?p=30\">Read More &raquo;<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,15],"tags":[22,24,58,59,36],"class_list":["post-30","post","type-post","status-publish","format-standard","hentry","category-compiling","category-security","tag-cross-compiling","tag-dropbear","tag-networking","tag-security","tag-ssh"],"_links":{"self":[{"href":"https:\/\/paguilar.org\/index.php?rest_route=\/wp\/v2\/posts\/30","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/paguilar.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/paguilar.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/paguilar.org\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/paguilar.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=30"}],"version-history":[{"count":0,"href":"https:\/\/paguilar.org\/index.php?rest_route=\/wp\/v2\/posts\/30\/revisions"}],"wp:attachment":[{"href":"https:\/\/paguilar.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=30"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/paguilar.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=30"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/paguilar.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=30"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}