Mercurial > dropbear
annotate README @ 1653:76189c9ffea2
External Public-Key Authentication API (#72)
* Implemented dynamic loading of an external plug-in shared library to delegate public key authentication
* Moved conditional compilation of the plugin infrastructure into the configure.ac script to be able to add -ldl to dropbear build only when the flag is enabled
* Added tags file to the ignore list
* Updated API to have the constructor to return function pointers in the pliugin instance. Added support for passing user name to the checkpubkey function. Added options to the session returned by the plugin and have dropbear to parse and process them
* Added -rdynamic to the linker flags when EPKA is enabled
* Changed the API to pass a previously created session to the checkPubKey function (created during preauth)
* Added documentation to the API
* Added parameter addrstring to plugin creation function
* Modified the API to retrieve the auth options. Instead of having them as field of the EPKASession struct, they are stored internally (plugin-dependent) in the plugin/session and retrieved through a pointer to a function (in the session)
* Changed option string to be a simple char * instead of unsigned char *
author | fabriziobertocci <fabriziobertocci@gmail.com> |
---|---|
date | Wed, 15 May 2019 09:43:57 -0400 |
parents | ff3f274ea56c |
children | d32bcb5c557d |
rev | line source |
---|---|
821
f8b28a3de6cb
Don't say "SSH 2" any more since protocol version 1 is irrelevant
Matt Johnston <matt@ucc.asn.au>
parents:
717
diff
changeset
|
1 This is Dropbear, a smallish SSH server and client. |
701 | 2 https://matt.ucc.asn.au/dropbear/dropbear.html |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
3 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
4 INSTALL has compilation instructions. |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
5 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
6 MULTI has instructions on making a multi-purpose binary (ie a single binary |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
7 which performs multiple tasks, to save disk space) |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
8 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
9 SMALL has some tips on creating small binaries. |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
10 |
1548 | 11 Please contact me if you have any questions/bugs found/features/ideas/comments etc :) |
12 There is also a mailing list http://lists.ucc.gu.uwa.edu.au/mailman/listinfo/dropbear | |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
13 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
14 Matt Johnston |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
15 [email protected] |
380 | 16 |
17 | |
75 | 18 In the absence of detailed documentation, some notes follow: |
72 | 19 ============================================================================ |
20 | |
90
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
21 Server public key auth: |
72 | 22 |
23 You can use ~/.ssh/authorized_keys in the same way as with OpenSSH, just put | |
24 the key entries in that file. They should be of the form: | |
25 | |
26 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwVa6M6cGVmUcLl2cFzkxEoJd06Ub4bVDsYrWvXhvUV+ZAM9uGuewZBDoAqNKJxoIn0Hyd0Nk/yU99UVv6NWV/5YSHtnf35LKds56j7cuzoQpFIdjNwdxAN0PCET/MG8qyskG/2IE2DPNIaJ3Wy+Ws4IZEgdJgPlTYUBWWtCWOGc= someone@hostname | |
27 | |
28 You must make sure that ~/.ssh, and the key file, are only writable by the | |
290 | 29 user. Beware of editors that split the key into multiple lines. |
72 | 30 |
717
74deece07742
update text about authorized_keys options
Matt Johnston <matt@ucc.asn.au>
parents:
701
diff
changeset
|
31 Dropbear supports some options for authorized_keys entries, see the manpage. |
72 | 32 |
75 | 33 ============================================================================ |
34 | |
90
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
35 Client public key auth: |
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
36 |
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
37 Dropbear can do public key auth as a client, but you will have to convert |
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
38 OpenSSH style keys to Dropbear format, or use dropbearkey to create them. |
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
39 |
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
40 If you have an OpenSSH-style private key ~/.ssh/id_rsa, you need to do: |
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
41 |
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
42 dropbearconvert openssh dropbear ~/.ssh/id_rsa ~/.ssh/id_rsa.db |
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
43 dbclient -i ~/.ssh/id_rsa.db <hostname> |
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
44 |
874 | 45 Dropbear does not support encrypted hostkeys though can connect to ssh-agent. |
90
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
46 |
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
47 ============================================================================ |
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
75
diff
changeset
|
48 |
75 | 49 If you want to get the public-key portion of a Dropbear private key, look at |
50 dropbearkey's '-y' option. | |
51 | |
52 ============================================================================ | |
53 | |
1628
ff3f274ea56c
Add missing word to readme (#77)
Michael Jones <jonesmz@users.noreply.github.com>
parents:
1548
diff
changeset
|
54 To run the server, you need to generate server keys, this is one-off: |
72 | 55 ./dropbearkey -t rsa -f dropbear_rsa_host_key |
56 ./dropbearkey -t dss -f dropbear_dss_host_key | |
901
8bc704f417f3
README: fix ecdsa key generation command
Catalin Patulea <cat@vv.carleton.ca>
parents:
874
diff
changeset
|
57 ./dropbearkey -t ecdsa -f dropbear_ecdsa_host_key |
72 | 58 |
59 or alternatively convert OpenSSH keys to Dropbear: | |
60 ./dropbearconvert openssh dropbear /etc/ssh/ssh_host_dsa_key dropbear_dss_host_key | |
61 | |
874 | 62 You can also get Dropbear to create keys when the first connection is made - |
63 this is preferable to generating keys when the system boots. Make sure | |
64 /etc/dropbear/ exists and then pass '-R' to the dropbear server. | |
65 | |
75 | 66 ============================================================================ |
72 | 67 |
68 If the server is run as non-root, you most likely won't be able to allocate a | |
69 pty, and you cannot login as any user other than that running the daemon | |
70 (obviously). Shadow passwords will also be unusable as non-root. | |
71 | |
75 | 72 ============================================================================ |
73 | |
72 | 74 The Dropbear distribution includes a standalone version of OpenSSH's scp |
75 program. You can compile it with "make scp", you may want to change the path | |
161 | 76 of the ssh binary, specified by _PATH_SSH_PROGRAM in options.h . By default |
75 | 77 the progress meter isn't compiled in to save space, you can enable it by |
78 adding 'SCPPROGRESS=1' to the make commandline. |