Bering-uClibc 5.x - User Guide - Basic Configuration - Using Dropbear - a small SSH replacement



Objectives

This article describes the initial installation and configuration of the lightweight ssh server "Dropbear", which is part of the base Bering-uClibc distribution. Dropbear was developed by Matt Johnston; for more information on Dropbear itself, visit his webpages (http://matt.ucc.asn.au/dropbear/dropbear.html).

Load the dropbear package

Note:
For Bering-uClibc, dropbear and dropbearkey have been compiled into one
binary, just like busybox that also provides different applications in one
binary. Therefore only one package (dropbear.lrp) is needed. This is a
difference from other ssh applications (sshd, lshd) used with LEAF
packages, where key generation utility and daemon are provided in two
separate packages.

If you start with a fresh Bering-uClibc installation you can skip this step because the default leaf.cfg file provided with Bering-uClibc looks like this:

LRP="root license dhcpcd keyboard shorwall dnsmasq dropbear mhttpd webconf"

The package dropbear.lrp is loaded on startup.

If you have edited leaf.cfg in the past, and dropbear.lrp is currently not installed on your system, you can do one of two things:
- add the package again to leaf.cfg and reboot.
- add dropbear.lrp to leaf.cfg and load the package manually.

Key generation

If you boot Bering-uClibc and no keys are found, they will be generated at boot time. Don't forget to save your configuration, otherwise they will be generated again during the next boot.

To create new keys manually, run the command gendropbearkeys. After giving this command, sit back and enjoy a cup of coffee while your machine generates the RSA and DSS keys.
Tip: Use your LEAF box to generate entropy.

Set root password

Dropbear will not let you log in as "root" without a password. Set the root password with the command passwd while logged in as "root".

Check Shorewall rules

The default configuration of the Shorewall package provided with Bering-uClibc should allow you to log in to your LEAF box with ssh from the local network. Nevertheless it is wise to make sure that this is really so. Assuming that you have not renamed the zone for the local network, this zone is called "loc". The file /etc/shorewall/rules should then have lines like this:

###########################################################################
###
#ACTION  SOURCE         DEST            PROTO   DEST    SOURCE     ORIGINAL
#                                               PORT    PORT(S)    DEST
(...)
# Accept SSH connections from the local network for administration
#
SSH(ACCEPT)   loc            fw   
(...)

If this is not the case, add these lines and back up the shorwall.lrp package.
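One way to make the check above repeatable is a small script. This is an added example, not part of the original guide or the Bering-uClibc project. It lists which source zones a rules file allows to reach the firewall over SSH, and goes beyond the page by also recognising the older SSH/ACCEPT macro form and explicit ACCEPT rules for tcp port 22. The function names, the sample rules and the "net" zone name are assumptions.

```shell
#!/bin/sh
# Added example (not from the Bering-uClibc guide): list the source zones
# that a Shorewall rules file allows to reach the firewall zone over SSH.

# ssh_sources FILE: print each permitted source zone once, one per line.
ssh_sources() {
    awk '
        /^[ \t]*#/ || NF < 3 { next }            # comments, blanks, "(...)"
        {
            src = $2; dst = $3
            sub(/:.*/, "", src); sub(/:.*/, "", dst)   # drop host lists
            if (dst != "fw" && dst != "$FW" && dst != "all") next
            if ($1 == "SSH(ACCEPT)" || $1 == "SSH/ACCEPT")   # macro forms
                print src
            else if ($1 == "ACCEPT" && $4 == "tcp" && ("," $5 ",") ~ /,(22|ssh),/)
                print src                                    # explicit rule
        }' "$1" | sort -u
}

# ssh_allowed_from FILE ZONE: exit status 0 if ZONE (or "all") is permitted.
ssh_allowed_from() {
    ssh_sources "$1" | grep -q -x -e "$2" -e all
}

# Constructed sample rules; on a real box pass /etc/shorewall/rules instead.
# "net" is assumed here as the name of the untrusted zone.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#ACTION       SOURCE   DEST   PROTO   DEST PORT
# Accept SSH connections from the local network for administration
SSH(ACCEPT)   loc      fw
ACCEPT        loc      fw     tcp     80
#SSH(ACCEPT)  net      fw
EOF

for zone in loc net; do
    if ssh_allowed_from "$SAMPLE" "$zone"; then
        echo "$zone: SSH to fw is accepted"
    else
        echo "$zone: no SSH accept rule found"
    fi
done
```

Running ssh_sources against the live rules file also shows any zone other than "loc" that has been given SSH access to the firewall.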

Finishing up

Save your configuration with 'lrcfg -> s', reboot your machine and watch dropbear start. You can now remotely log in to your Bering-uClibc box with an ssh client or scp files from/to your Bering-uClibc box.

Miscellaneous

Note that you can't run dropbear and sshd at the same time, unless you change dropbear or sshd's port. /etc/default/dropbear is the config file for dropbear.

Legal Notice

Export of cryptographic software from Australia is subject to export controls - you should ensure that you are not breaching these controls. See Crypto Law Survey for some good research.

