Mercurial > dropbear
annotate README @ 994:5c5ade336926
Prefer stronger algorithms in algorithm negotiation.
Prefer diffie-hellman-group14-sha1 (2048 bit) over
diffie-hellman-group1-sha1 (1024 bit).
Due to meet-in-the-middle attacks the effective key length of
three key 3DES is 112 bits. AES is stronger and faster then 3DES.
Prefer to delay the start of compression until after authentication
has completed. This avoids exposing compression code to attacks
from unauthenticated users.
(github pull request #9)
| author | Fedor Brunner <fedor.brunner@azet.sk> |
|---|---|
| date | Fri, 23 Jan 2015 23:00:25 +0800 |
| parents | 8bc704f417f3 |
| children | 10dd3df31d5b |
| rev | line source |
|---|---|
|
821
f8b28a3de6cb
Don't say "SSH 2" any more since protocol version 1 is irrelevant
Matt Johnston <matt@ucc.asn.au>
parents:
717
diff
changeset
|
1 This is Dropbear, a smallish SSH server and client. |
| 701 | 2 https://matt.ucc.asn.au/dropbear/dropbear.html |
|
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
3 |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
4 INSTALL has compilation instructions. |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
5 |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
6 MULTI has instructions on making a multi-purpose binary (ie a single binary |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
7 which performs multiple tasks, to save disk space) |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
8 |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
9 SMALL has some tips on creating small binaries. |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
10 |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
11 See TODO for a few of the things I know need looking at, and please contact |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
12 me if you have any questions/bugs found/features/ideas/comments etc :) |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
13 |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
14 Matt Johnston |
|
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
15 [email protected] |
| 380 | 16 |
| 17 | |
| 75 | 18 In the absence of detailed documentation, some notes follow: |
| 72 | 19 ============================================================================ |
| 20 | |
|
90
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
21 Server public key auth: |
| 72 | 22 |
| 23 You can use ~/.ssh/authorized_keys in the same way as with OpenSSH, just put | |
| 24 the key entries in that file. They should be of the form: | |
| 25 | |
| 26 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwVa6M6cGVmUcLl2cFzkxEoJd06Ub4bVDsYrWvXhvUV+ZAM9uGuewZBDoAqNKJxoIn0Hyd0Nk/yU99UVv6NWV/5YSHtnf35LKds56j7cuzoQpFIdjNwdxAN0PCET/MG8qyskG/2IE2DPNIaJ3Wy+Ws4IZEgdJgPlTYUBWWtCWOGc= someone@hostname | |
| 27 | |
| 28 You must make sure that ~/.ssh, and the key file, are only writable by the | |
| 290 | 29 user. Beware of editors that split the key into multiple lines. |
| 72 | 30 |
|
717
74deece07742
update text about authorized_keys options
Matt Johnston <matt@ucc.asn.au>
parents:
701
diff
changeset
|
31 Dropbear supports some options for authorized_keys entries, see the manpage. |
| 72 | 32 |
| 75 | 33 ============================================================================ |
| 34 | |
|
90
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
35 Client public key auth: |
|
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
36 |
|
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
37 Dropbear can do public key auth as a client, but you will have to convert |
|
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
38 OpenSSH style keys to Dropbear format, or use dropbearkey to create them. |
|
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
39 |
|
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
40 If you have an OpenSSH-style private key ~/.ssh/id_rsa, you need to do: |
|
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
41 |
|
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
42 dropbearconvert openssh dropbear ~/.ssh/id_rsa ~/.ssh/id_rsa.db |
|
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
43 dbclient -i ~/.ssh/id_rsa.db <hostname> |
|
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
44 |
| 874 | 45 Dropbear does not support encrypted hostkeys though can connect to ssh-agent. |
|
90
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
46 |
|
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
47 ============================================================================ |
|
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
48 |
| 75 | 49 If you want to get the public-key portion of a Dropbear private key, look at |
| 50 dropbearkey's '-y' option. | |
| 51 | |
| 52 ============================================================================ | |
| 53 | |
| 874 | 54 To run the server, you need to server keys, this is one-off: |
| 72 | 55 ./dropbearkey -t rsa -f dropbear_rsa_host_key |
| 56 ./dropbearkey -t dss -f dropbear_dss_host_key | |
|
901
8bc704f417f3
README: fix ecdsa key generation command
Catalin Patulea <cat@vv.carleton.ca>
parents:
874
diff
changeset
|
57 ./dropbearkey -t ecdsa -f dropbear_ecdsa_host_key |
| 72 | 58 |
| 59 or alternatively convert OpenSSH keys to Dropbear: | |
| 60 ./dropbearconvert openssh dropbear /etc/ssh/ssh_host_dsa_key dropbear_dss_host_key | |
| 61 | |
| 874 | 62 You can also get Dropbear to create keys when the first connection is made - |
| 63 this is preferable to generating keys when the system boots. Make sure | |
| 64 /etc/dropbear/ exists and then pass '-R' to the dropbear server. | |
| 65 | |
| 75 | 66 ============================================================================ |
| 72 | 67 |
| 68 If the server is run as non-root, you most likely won't be able to allocate a | |
| 69 pty, and you cannot login as any user other than that running the daemon | |
| 70 (obviously). Shadow passwords will also be unusable as non-root. | |
| 71 | |
| 75 | 72 ============================================================================ |
| 73 | |
| 72 | 74 The Dropbear distribution includes a standalone version of OpenSSH's scp |
| 75 program. You can compile it with "make scp", you may want to change the path | |
| 161 | 76 of the ssh binary, specified by _PATH_SSH_PROGRAM in options.h . By default |
| 75 | 77 the progress meter isn't compiled in to save space, you can enable it by |
| 78 adding 'SCPPROGRESS=1' to the make commandline. |