annotate README @ 994:5c5ade336926

Prefer stronger algorithms in algorithm negotiation. Prefer diffie-hellman-group14-sha1 (2048 bit) over diffie-hellman-group1-sha1 (1024 bit). Due to meet-in-the-middle attacks the effective key length of three key 3DES is 112 bits. AES is stronger and faster then 3DES. Prefer to delay the start of compression until after authentication has completed. This avoids exposing compression code to attacks from unauthenticated users. (github pull request #9)
author Fedor Brunner <fedor.brunner@azet.sk>
date Fri, 23 Jan 2015 23:00:25 +0800
parents 8bc704f417f3
children 10dd3df31d5b
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
821
f8b28a3de6cb Don't say "SSH 2" any more since protocol version 1 is irrelevant
Matt Johnston <matt@ucc.asn.au>
parents: 717
diff changeset
1 This is Dropbear, a smallish SSH server and client.
701
20dafc77322e link to Dropbear webpage
Matt Johnston <matt@ucc.asn.au>
parents: 382
diff changeset
2 https://matt.ucc.asn.au/dropbear/dropbear.html
4
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
3
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
4 INSTALL has compilation instructions.
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
5
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
6 MULTI has instructions on making a multi-purpose binary (ie a single binary
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
7 which performs multiple tasks, to save disk space)
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
8
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
9 SMALL has some tips on creating small binaries.
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
10
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
11 See TODO for a few of the things I know need looking at, and please contact
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
12 me if you have any questions/bugs found/features/ideas/comments etc :)
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
13
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
14 Matt Johnston
fe6bca95afa7 Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
15 [email protected]
380
d5faf4814ddb Update to LibTomCrypt 1.16
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
16
d5faf4814ddb Update to LibTomCrypt 1.16
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
17
75
a54d20c96178 Some documentation touchups
Matt Johnston <matt@ucc.asn.au>
parents: 72
diff changeset
18 In the absence of detailed documentation, some notes follow:
72
9597c2e3b9d4 Some doc changes
Matt Johnston <matt@ucc.asn.au>
parents: 4
diff changeset
19 ============================================================================
9597c2e3b9d4 Some doc changes
Matt Johnston <matt@ucc.asn.au>
parents: 4
diff changeset
20
90
c2ac796b130e merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents: 75
diff changeset
21 Server public key auth:
72
9597c2e3b9d4 Some doc changes
Matt Johnston <matt@ucc.asn.au>
parents: 4
diff changeset
22
9597c2e3b9d4 Some doc changes
Matt Johnston <matt@ucc.asn.au>
parents: 4
diff changeset
23 You can use ~/.ssh/authorized_keys in the same way as with OpenSSH, just put
9597c2e3b9d4 Some doc changes
Matt Johnston <matt@ucc.asn.au>
parents: 4
diff changeset
24 the key entries in that file. They should be of the form:
9597c2e3b9d4 Some doc changes
Matt Johnston <matt@ucc.asn.au>
parents: 4
diff changeset
25
9597c2e3b9d4 Some doc changes
Matt Johnston <matt@ucc.asn.au>
parents: 4
diff changeset
26 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwVa6M6cGVmUcLl2cFzkxEoJd06Ub4bVDsYrWvXhvUV+ZAM9uGuewZBDoAqNKJxoIn0Hyd0Nk/yU99UVv6NWV/5YSHtnf35LKds56j7cuzoQpFIdjNwdxAN0PCET/MG8qyskG/2IE2DPNIaJ3Wy+Ws4IZEgdJgPlTYUBWWtCWOGc= someone@hostname
9597c2e3b9d4 Some doc changes
Matt Johnston <matt@ucc.asn.au>
parents: 4
diff changeset
27
9597c2e3b9d4 Some doc changes
Matt Johnston <matt@ucc.asn.au>
parents: 4
diff changeset
28 You must make sure that ~/.ssh, and the key file, are only writable by the
290
94ee16f5b8a8 0.48 progress
Matt Johnston <matt@ucc.asn.au>
parents: 161
diff changeset
29 user. Beware of editors that split the key into multiple lines.
72
9597c2e3b9d4 Some doc changes
Matt Johnston <matt@ucc.asn.au>
parents: 4
diff changeset
30
717
74deece07742 update text about authorized_keys options
Matt Johnston <matt@ucc.asn.au>
parents: 701
diff changeset
31 Dropbear supports some options for authorized_keys entries, see the manpage.
72
9597c2e3b9d4 Some doc changes
Matt Johnston <matt@ucc.asn.au>
parents: 4
diff changeset
32
75
a54d20c96178 Some documentation touchups
Matt Johnston <matt@ucc.asn.au>
parents: 72
diff changeset
33 ============================================================================
a54d20c96178 Some documentation touchups
Matt Johnston <matt@ucc.asn.au>
parents: 72
diff changeset
34
90
c2ac796b130e merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents: 75
diff changeset
35 Client public key auth:
c2ac796b130e merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents: 75
diff changeset
36
c2ac796b130e merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents: 75
diff changeset
37 Dropbear can do public key auth as a client, but you will have to convert
c2ac796b130e merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents: 75
diff changeset
38 OpenSSH style keys to Dropbear format, or use dropbearkey to create them.
c2ac796b130e merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents: 75
diff changeset
39
c2ac796b130e merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents: 75
diff changeset
40 If you have an OpenSSH-style private key ~/.ssh/id_rsa, you need to do:
c2ac796b130e merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents: 75
diff changeset
41
c2ac796b130e merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents: 75
diff changeset
42 dropbearconvert openssh dropbear ~/.ssh/id_rsa ~/.ssh/id_rsa.db
c2ac796b130e merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents: 75
diff changeset
43 dbclient -i ~/.ssh/id_rsa.db <hostname>
c2ac796b130e merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents: 75
diff changeset
44
874
68e2a0f6c1ef Update README
Matt Johnston <matt@ucc.asn.au>
parents: 821
diff changeset
45 Dropbear does not support encrypted hostkeys though can connect to ssh-agent.
90
c2ac796b130e merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents: 75
diff changeset
46
c2ac796b130e merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents: 75
diff changeset
47 ============================================================================
c2ac796b130e merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents: 75
diff changeset
48
75
a54d20c96178 Some documentation touchups
Matt Johnston <matt@ucc.asn.au>
parents: 72
diff changeset
49 If you want to get the public-key portion of a Dropbear private key, look at
a54d20c96178 Some documentation touchups
Matt Johnston <matt@ucc.asn.au>
parents: 72
diff changeset
50 dropbearkey's '-y' option.
a54d20c96178 Some documentation touchups
Matt Johnston <matt@ucc.asn.au>
parents: 72
diff changeset
51
a54d20c96178 Some documentation touchups
Matt Johnston <matt@ucc.asn.au>
parents: 72
diff changeset
52 ============================================================================
a54d20c96178 Some documentation touchups
Matt Johnston <matt@ucc.asn.au>
parents: 72
diff changeset
53
874
68e2a0f6c1ef Update README
Matt Johnston <matt@ucc.asn.au>
parents: 821
diff changeset
54 To run the server, you need to server keys, this is one-off:
72
9597c2e3b9d4 Some doc changes
Matt Johnston <matt@ucc.asn.au>
parents: 4
diff changeset
55 ./dropbearkey -t rsa -f dropbear_rsa_host_key
9597c2e3b9d4 Some doc changes
Matt Johnston <matt@ucc.asn.au>
parents: 4
diff changeset
56 ./dropbearkey -t dss -f dropbear_dss_host_key
901
8bc704f417f3 README: fix ecdsa key generation command
Catalin Patulea <cat@vv.carleton.ca>
parents: 874
diff changeset
57 ./dropbearkey -t ecdsa -f dropbear_ecdsa_host_key
72
9597c2e3b9d4 Some doc changes
Matt Johnston <matt@ucc.asn.au>
parents: 4
diff changeset
58
9597c2e3b9d4 Some doc changes
Matt Johnston <matt@ucc.asn.au>
parents: 4
diff changeset
59 or alternatively convert OpenSSH keys to Dropbear:
9597c2e3b9d4 Some doc changes
Matt Johnston <matt@ucc.asn.au>
parents: 4
diff changeset
60 ./dropbearconvert openssh dropbear /etc/ssh/ssh_host_dsa_key dropbear_dss_host_key
9597c2e3b9d4 Some doc changes
Matt Johnston <matt@ucc.asn.au>
parents: 4
diff changeset
61
874
68e2a0f6c1ef Update README
Matt Johnston <matt@ucc.asn.au>
parents: 821
diff changeset
62 You can also get Dropbear to create keys when the first connection is made -
68e2a0f6c1ef Update README
Matt Johnston <matt@ucc.asn.au>
parents: 821
diff changeset
63 this is preferable to generating keys when the system boots. Make sure
68e2a0f6c1ef Update README
Matt Johnston <matt@ucc.asn.au>
parents: 821
diff changeset
64 /etc/dropbear/ exists and then pass '-R' to the dropbear server.
68e2a0f6c1ef Update README
Matt Johnston <matt@ucc.asn.au>
parents: 821
diff changeset
65
75
a54d20c96178 Some documentation touchups
Matt Johnston <matt@ucc.asn.au>
parents: 72
diff changeset
66 ============================================================================
72
9597c2e3b9d4 Some doc changes
Matt Johnston <matt@ucc.asn.au>
parents: 4
diff changeset
67
9597c2e3b9d4 Some doc changes
Matt Johnston <matt@ucc.asn.au>
parents: 4
diff changeset
68 If the server is run as non-root, you most likely won't be able to allocate a
9597c2e3b9d4 Some doc changes
Matt Johnston <matt@ucc.asn.au>
parents: 4
diff changeset
69 pty, and you cannot login as any user other than that running the daemon
9597c2e3b9d4 Some doc changes
Matt Johnston <matt@ucc.asn.au>
parents: 4
diff changeset
70 (obviously). Shadow passwords will also be unusable as non-root.
9597c2e3b9d4 Some doc changes
Matt Johnston <matt@ucc.asn.au>
parents: 4
diff changeset
71
75
a54d20c96178 Some documentation touchups
Matt Johnston <matt@ucc.asn.au>
parents: 72
diff changeset
72 ============================================================================
a54d20c96178 Some documentation touchups
Matt Johnston <matt@ucc.asn.au>
parents: 72
diff changeset
73
72
9597c2e3b9d4 Some doc changes
Matt Johnston <matt@ucc.asn.au>
parents: 4
diff changeset
74 The Dropbear distribution includes a standalone version of OpenSSH's scp
9597c2e3b9d4 Some doc changes
Matt Johnston <matt@ucc.asn.au>
parents: 4
diff changeset
75 program. You can compile it with "make scp", you may want to change the path
161
b9d3f725e00b 0.44 release changes
Matt Johnston <matt@ucc.asn.au>
parents: 90
diff changeset
76 of the ssh binary, specified by _PATH_SSH_PROGRAM in options.h . By default
75
a54d20c96178 Some documentation touchups
Matt Johnston <matt@ucc.asn.au>
parents: 72
diff changeset
77 the progress meter isn't compiled in to save space, you can enable it by
a54d20c96178 Some documentation touchups
Matt Johnston <matt@ucc.asn.au>
parents: 72
diff changeset
78 adding 'SCPPROGRESS=1' to the make commandline.