view README @ 687:167fdc091c05

Improve RNG seeding. Try to read from /dev/urandom multiple times, take input from extra sources, and use /dev/random when generating private keys
author Matt Johnston <matt@ucc.asn.au>
date Fri, 29 Jun 2012 23:19:43 +0800
parents 0cbe8f6dbf9e
children 20dafc77322e
line wrap: on
line source

This is Dropbear, a smallish SSH 2 server and client.

INSTALL has compilation instructions.

MULTI has instructions on making a multi-purpose binary (ie a single binary
which performs multiple tasks, to save disk space)

SMALL has some tips on creating small binaries.

See TODO for a few of the things I know need looking at, and please contact
me if you have any questions/bugs found/features/ideas/comments etc :)

Matt Johnston
[email protected]


In the absence of detailed documentation, some notes follow:
============================================================================

Server public key auth:

You can use ~/.ssh/authorized_keys in the same way as with OpenSSH, just put
the key entries in that file. They should be of the form:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwVa6M6cGVmUcLl2cFzkxEoJd06Ub4bVDsYrWvXhvUV+ZAM9uGuewZBDoAqNKJxoIn0Hyd0Nk/yU99UVv6NWV/5YSHtnf35LKds56j7cuzoQpFIdjNwdxAN0PCET/MG8qyskG/2IE2DPNIaJ3Wy+Ws4IZEgdJgPlTYUBWWtCWOGc= someone@hostname

You must make sure that ~/.ssh, and the key file, are only writable by the
user. Beware of editors that split the key into multiple lines.

NOTE: Dropbear ignores authorized_keys options such as those described in the
OpenSSH sshd manpage, and will not allow a login for these keys. 

============================================================================

Client public key auth:

Dropbear can do public key auth as a client, but you will have to convert
OpenSSH style keys to Dropbear format, or use dropbearkey to create them.

If you have an OpenSSH-style private key ~/.ssh/id_rsa, you need to do:

dropbearconvert openssh dropbear ~/.ssh/id_rsa  ~/.ssh/id_rsa.db
dbclient -i ~/.ssh/id_rsa.db <hostname>

Currently encrypted keys aren't supported, neither is agent forwarding. At some
stage both hopefully will be.

============================================================================

If you want to get the public-key portion of a Dropbear private key, look at
dropbearkey's '-y' option.

============================================================================

To run the server, you need to generate server keys, this is one-off:
./dropbearkey -t rsa -f dropbear_rsa_host_key
./dropbearkey -t dss -f dropbear_dss_host_key

or alternatively convert OpenSSH keys to Dropbear:
./dropbearconvert openssh dropbear /etc/ssh/ssh_host_dsa_key dropbear_dss_host_key

============================================================================

If the server is run as non-root, you most likely won't be able to allocate a
pty, and you cannot login as any user other than that running the daemon
(obviously). Shadow passwords will also be unusable as non-root.

============================================================================

The Dropbear distribution includes a standalone version of OpenSSH's scp
program. You can compile it with "make scp", you may want to change the path
of the ssh binary, specified by _PATH_SSH_PROGRAM in options.h . By default
the progress meter isn't compiled in to save space, you can enable it by 
adding 'SCPPROGRESS=1' to the make commandline.