Mercurial > dropbear
annotate README @ 1790:42745af83b7d
Introduce extra delay before closing unauthenticated sessions
To make it harder for attackers, introduce a delay to keep an
unauthenticated session open a bit longer, thus blocking a connection
slot until after the delay.
Without this, while there is a limit on the amount of attempts an attacker
can make at the same time (MAX_UNAUTH_PER_IP), the time taken by dropbear to
handle one attempt is still short and thus for each of the allowed parallel
attempts many attempts can be chained one after the other. The attempt rate
is then:
"MAX_UNAUTH_PER_IP / <process time of one attempt>".
With the delay, this rate becomes:
"MAX_UNAUTH_PER_IP / UNAUTH_CLOSE_DELAY".
author | Thomas De Schampheleire <thomas.de_schampheleire@nokia.com> |
---|---|
date | Wed, 15 Feb 2017 13:53:04 +0100 |
parents | d32bcb5c557d |
children |
rev | line source |
---|---|
821
f8b28a3de6cb
Don't say "SSH 2" any more since protocol version 1 is irrelevant
Matt Johnston <matt@ucc.asn.au>
parents:
717
diff
changeset
|
1 This is Dropbear, a smallish SSH server and client. |
701 | 2 https://matt.ucc.asn.au/dropbear/dropbear.html |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
3 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
4 INSTALL has compilation instructions. |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
5 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
6 MULTI has instructions on making a multi-purpose binary (ie a single binary |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
7 which performs multiple tasks, to save disk space) |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
8 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
9 SMALL has some tips on creating small binaries. |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
10 |
1548 | 11 Please contact me if you have any questions/bugs found/features/ideas/comments etc :) |
12 There is also a mailing list http://lists.ucc.gu.uwa.edu.au/mailman/listinfo/dropbear | |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
13 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
14 Matt Johnston |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
15 [email protected] |
380 | 16 |
17 | |
75 | 18 In the absence of detailed documentation, some notes follow: |
72 | 19 ============================================================================ |
20 | |
90
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
21 Server public key auth: |
72 | 22 |
23 You can use ~/.ssh/authorized_keys in the same way as with OpenSSH, just put | |
24 the key entries in that file. They should be of the form: | |
25 | |
26 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwVa6M6cGVmUcLl2cFzkxEoJd06Ub4bVDsYrWvXhvUV+ZAM9uGuewZBDoAqNKJxoIn0Hyd0Nk/yU99UVv6NWV/5YSHtnf35LKds56j7cuzoQpFIdjNwdxAN0PCET/MG8qyskG/2IE2DPNIaJ3Wy+Ws4IZEgdJgPlTYUBWWtCWOGc= someone@hostname | |
27 | |
28 You must make sure that ~/.ssh, and the key file, are only writable by the | |
290 | 29 user. Beware of editors that split the key into multiple lines. |
72 | 30 |
717
74deece07742
update text about authorized_keys options
Matt Johnston <matt@ucc.asn.au>
parents:
701
diff
changeset
|
31 Dropbear supports some options for authorized_keys entries, see the manpage. |
72 | 32 |
75 | 33 ============================================================================ |
34 | |
90
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
35 Client public key auth: |
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
36 |
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
37 Dropbear can do public key auth as a client, but you will have to convert |
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
38 OpenSSH style keys to Dropbear format, or use dropbearkey to create them. |
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
39 |
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
40 If you have an OpenSSH-style private key ~/.ssh/id_rsa, you need to do: |
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
41 |
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
42 dropbearconvert openssh dropbear ~/.ssh/id_rsa ~/.ssh/id_rsa.db |
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
43 dbclient -i ~/.ssh/id_rsa.db <hostname> |
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
44 |
874 | 45 Dropbear does not support encrypted hostkeys though can connect to ssh-agent. |
90
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
46 |
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
47 ============================================================================ |
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
48 |
75 | 49 If you want to get the public-key portion of a Dropbear private key, look at |
50 dropbearkey's '-y' option. | |
51 | |
52 ============================================================================ | |
53 | |
1628
ff3f274ea56c
Add missing word to readme (#77)
Michael Jones <jonesmz@users.noreply.github.com>
parents:
1548
diff
changeset
|
54 To run the server, you need to generate server keys, this is one-off: |
72 | 55 ./dropbearkey -t rsa -f dropbear_rsa_host_key |
56 ./dropbearkey -t dss -f dropbear_dss_host_key | |
901
8bc704f417f3
README: fix ecdsa key generation command
Catalin Patulea <cat@vv.carleton.ca>
parents:
874
diff
changeset
|
57 ./dropbearkey -t ecdsa -f dropbear_ecdsa_host_key |
1659
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
1628
diff
changeset
|
58 ./dropbearkey -t ed25519 -f dropbear_ed25519_host_key |
72 | 59 |
60 or alternatively convert OpenSSH keys to Dropbear: | |
61 ./dropbearconvert openssh dropbear /etc/ssh/ssh_host_dsa_key dropbear_dss_host_key | |
62 | |
874 | 63 You can also get Dropbear to create keys when the first connection is made - |
64 this is preferable to generating keys when the system boots. Make sure | |
65 /etc/dropbear/ exists and then pass '-R' to the dropbear server. | |
66 | |
75 | 67 ============================================================================ |
72 | 68 |
69 If the server is run as non-root, you most likely won't be able to allocate a | |
70 pty, and you cannot login as any user other than that running the daemon | |
71 (obviously). Shadow passwords will also be unusable as non-root. | |
72 | |
75 | 73 ============================================================================ |
74 | |
72 | 75 The Dropbear distribution includes a standalone version of OpenSSH's scp |
76 program. You can compile it with "make scp", you may want to change the path | |
161 | 77 of the ssh binary, specified by _PATH_SSH_PROGRAM in options.h . By default |
75 | 78 the progress meter isn't compiled in to save space, you can enable it by |
79 adding 'SCPPROGRESS=1' to the make commandline. |