Dropbear

From RidgeRun Developer Wiki
Revision as of 14:56, 4 September 2017 by Spalli (talk | contribs)


Dropbear is a relatively small SSH server and client. It runs on a variety of POSIX-based platforms. Dropbear is particularly useful for "embedded" type Linux systems.

Enabling dropbear

How to enable Dropbear server

1- Open the SDK configuration system:

cd $DEVDIR
make config

2- Enable Dropbear server:

-> File System Configuration
  -> Select target's file system software 
    [*] dropbear-0.53 (SSH Server)

3- When Dropbear is selected, the scp and ssh options are shown:

-*- dropbear-0.53 (SSH Server)
[*]   Enable dbclient (SSH Client)
[*]   Enable scp

4- You should also enable some user and password management tools:

-> File System Configuration

  -> Select target's file system software 
    -> Busybox configuration
       -> Login/Password Management Utilities 
          [*] adduser
          [*] addgroup
          [*] deluser
          [*] passwd

Starting dropbear server

To start the server, run the following script:

/etc/init.d/dropbear start

When this script runs, the public key is normally printed in the log, similar to the following (long keys shortened to make them easier to read):

Generating RSA key...Will output 1024 bit rsa secret key to '/etc/dropbear/dropbear_rsa_host_key'
Generating key, this may take a while...
Public key portion is:
ssh-rsa AAAAB3NzaC1yc .... QFWVtE= root@davinci
Fingerprint: md5 59:d1:68:f3:03:d9:4c:68:ae:c2:d8:57:59:ce:0f:a7
Generating DSS key...Will output 1024 bit dss secret key to '/etc/dropbear/dropbear_dss_host_key'
Generating key, this may take a while...
Public key portion is:
ssh-dss AAAAB3NzaC1kc ... WDUE3+Q== root@davinci
Fingerprint: md5 2c:65:92:b6:a9:99:34:59:86:1c:c0:61:3b:02:2f:f0
Starting Dropbear SSH server: NET: Registered protocol family 10 dropbear.

Commands to use ssh

From target:

dbclient user@host

From host:

ssh user@host

Commands to use scp

From target or host:

scp $LOCAL_FILE user@host:/$REMOTE_DIRECTORY

Example ssh client connecting to target hardware using a password

If something goes wrong while trying to connect to the dropbear ssh daemon, you can get some hints by looking in /var/log/messages on the target file system.

On the target device:

mkdir -p /root
passwd root

On your host computer (adjust target hardware name/IP address as needed):

ssh root@10.111.0.42

You should see something similar to the following if all is working correctly:

Welcome to
__________ .__     .___               __________                
\______   \|__|  __| _/  ____    ____ \______   \ __ __   ____  
 |       _/|  | / __ |  / ___\ _/ __ \ |       _/|  |  \ /    \ 
 |    |   \|  |/ /_/ | / /_/  >\  ___/ |    |   \|  |  /|   |  \
 |____|_  /|__|\____ | \___  /  \___  >|____|_  /|____/ |___|  /
        \/          \//_____/       \/        \/             \/ 
	   
    Embedded Linux Solutions
 
For further information see:
http://www.ridgerun.com


BusyBox v1.20.2 (2014-10-13 18:36:29 MDT) built-in shell (ash)
Enter 'help' for a list of built-in commands.

~ # 

Adding root ssh login to development directory

If you always want the target file system to contain the same ssh keys and the ability to use ssh to log in as root, run the steps above (using root NFS mount) and verify you can ssh in as the root user, then:

make config # Kernel configuration -> Extra kernel arguments: davinci_emac.ethaddr=00:0C:0C:A0:02:b5
mkdir -p $DEVDIR/fs/overlay/root  $DEVDIR/fs/overlay/etc/dropbear
cp $DEVDIR/fs/fs/etc/dropbear/* $DEVDIR/fs/overlay/etc/dropbear
cp $DEVDIR/fs/fs/etc/passwd $DEVDIR/fs/overlay/etc
touch $DEVDIR/fs/overlay/root/.gitignore

git add $DEVDIR/fs/overlay/root/.gitignore $DEVDIR/fs/overlay/etc/dropbear/* $DEVDIR/fs/overlay/etc/passwd bsp/mach-*/bspconfig

These steps are useful when developing the product. You should delete the keys from the overlay file system before generating production code.

The above steps should not be used if more than one board will be on the same subnet, as all boards will have the same ethernet MAC address.
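
A pre-release check for the caveat above, added here as an example and not part of the RidgeRun SDK: it flags Dropbear host keys and a root password entry left in an overlay directory. The function names, finding labels and sample tree are constructed for illustration; only the overlay paths come from the commands above.

```shell
#!/bin/sh
# Added example, not RidgeRun SDK code: flag development-only SSH material
# left in a file system overlay before a production build.

# audit_overlay DIR: print one line per finding, return 1 if any were found.
audit_overlay() {
    overlay=$1
    found=0
    # Host keys in the overlay are shared by every unit built from it.
    for key in "$overlay"/etc/dropbear/dropbear_*_host_key; do
        [ -f "$key" ] || continue
        rel=${key#"$overlay"/}
        echo "HOSTKEY $rel"
        found=1
    done
    # root's password field: "x" (shadowed), "*" or "!..." (locked) pass;
    # an empty field or a hash means a fixed, image-wide root login.
    if grep -q '^root:' "$overlay/etc/passwd" 2>/dev/null; then
        field=$(awk -F: '$1 == "root" { print $2; exit }' "$overlay/etc/passwd")
        case $field in
            x|'*'|'!'*) ;;
            *) echo "ROOTPW etc/passwd"; found=1 ;;
        esac
    fi
    return "$found"
}

# make_sample_overlay DIR: constructed sample tree mirroring the cp commands
# above (placeholder key bytes and a made-up password hash).
make_sample_overlay() {
    mkdir -p "$1/etc/dropbear" "$1/root"
    printf 'placeholder' > "$1/etc/dropbear/dropbear_rsa_host_key"
    printf 'placeholder' > "$1/etc/dropbear/dropbear_dss_host_key"
    printf 'root:$1$constructed$hash:0:0:root:/root:/bin/sh\n' > "$1/etc/passwd"
}
```

Run it as audit_overlay "$DEVDIR/fs/overlay" in the release build and fail the build on a non-zero return.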

Setting keys to get ssh connectivity without password requests

To enable this mode, add the "-s" option (which disables password logins) to the server start command. It can be added in the devdir fs script or directly in the target fs.

To add this option in the devdir, open the file $DEVDIR/fs/apps/dropbear.x.y/dropbear and add the option "-s" to DROPBEAR_EXTRA_ARGS:

DROPBEAR_EXTRA_ARGS=-s

After doing that, rebuild and reinstall the application, then start the Dropbear server by running the following script:

/etc/init.d/dropbear start 

The first time this script runs, it prints the public key in the log. If Dropbear has already been started before this point, the public key can be printed manually; this process is explained in the next section.

To add this option directly in the target fs, make the same change in the script /etc/init.d/dropbear. After that, restart the application:

/etc/init.d/dropbear restart 

How to get Dropbear public and private keys in target manually

The "dropbearkey" tool creates public and private keys or shows the public key.

To create a pair of keys, run the following command:

dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key

This command saves the private key in /etc/dropbear/dropbear_rsa_host_key and prints the public key. To show only the public key in the required format, run the command:

dropbearkey -y -f /etc/dropbear/dropbear_rsa_host_key | grep ssh-rsa

How to set Dropbear public key in host

Once the public key has been generated by Dropbear on the target, it must be added in the correct file location on the host.

The public key must be added to the file

/home/<user>/.ssh/authorized_keys

The public key generated by Dropbear must have a format similar to:

ssh-rsa AAAAB3NzaC1yc.................C1vSjw2Xcm9KU9mXJtKRj <user>@<host>

After adding the public key on the host, restart the ssh server:

/etc/init.d/ssh restart

How to get OpenSSH public and private keys in host computer (dsa)

You need to create a public / private key and install the public key on the target file system.

On your host computer:

ssh-keygen -t dsa -f $HOME/.ssh/id_dsa

There are two options for installing the public key on the target file system.

If you are using $DEVDIR/myapps/fs_overlay:

sudo mkdir -p $DEVDIR/myapps/fs_overlay/fs/home/tfischer/.ssh
# ">>" is performed by the calling shell, not by sudo, so append through tee
cat $HOME/.ssh/id_dsa.pub | sudo tee -a $DEVDIR/myapps/fs_overlay/fs/home/tfischer/.ssh/authorized_keys > /dev/null
sudo chmod 0600 $DEVDIR/myapps/fs_overlay/fs/home/tfischer/.ssh/authorized_keys

Otherwise, just install the public key directly into the SDK target file system directory:

# ">>" is performed by the calling shell, not by sudo, so append through tee
cat $HOME/.ssh/id_dsa.pub | sudo tee -a $DEVDIR/fs/fs/home/tfischer/.ssh/authorized_keys > /dev/null
sudo chmod 0600 $DEVDIR/fs/fs/home/tfischer/.ssh/authorized_keys

In both cases you need to make sure the owner and group for the .ssh directory and .ssh/authorized_keys are set correctly from the target device's point of view.

On your host computer, verify you can ssh to target hardware without using a password:

ssh 10.0.0.167

How to get OpenSSH public and private keys in host computer (rsa)

The following command creates two files in ~/.ssh/: id_rsa, which is the private key (it must not be touched), and id_rsa.pub, which contains the public key. The content of id_rsa.pub must be added in the target location explained in the next section.

ssh-keygen -b 4096 -t rsa

How to set OpenSSH public key in target

The public key generated on the host must be added to the target file /home/<user>/.ssh/authorized_keys. It must have a format similar to:

ssh-rsa AAAAB3NzaC1yc2EA ................... SVr8uIPvPCYwSsvq5yU= <user>@<host>


Set the permissions correctly:

chmod go-w ~/
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

After doing that, restart the Dropbear server using the following command:

/etc/init.d/dropbear restart
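
A check for the permissions just set, added here as an example and not RidgeRun or Dropbear code. Dropbear refuses public-key logins when the home directory, .ssh or authorized_keys is writable by group or others, so a mismatch shows up as an unexpected password prompt. The function names and sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added example, not RidgeRun or Dropbear code: check the permissions that the
# three chmod commands above establish. Assumes stat supports -c '%a'
# (GNU coreutils, or BusyBox built with format support).

# expect_mode PATH WANT: WANT is "go-w" or an exact octal mode such as 700.
expect_mode() {
    if [ ! -e "$1" ]; then
        echo "MISSING $1"
        return 1
    fi
    mode=$(stat -c '%a' "$1")
    if [ "$2" = go-w ]; then
        # Octal 022 masks the group and other write bits.
        if [ $(( 0$mode & 022 )) -eq 0 ]; then return 0; fi
    elif [ $(( 0$mode & 0777 )) -eq $(( 0$2 )) ]; then
        return 0
    fi
    echo "BADMODE $1 is $mode, want $2"
    return 1
}

# check_ssh_perms HOME_DIR: print each problem, return 1 if any was found.
check_ssh_perms() {
    bad=0
    expect_mode "$1" go-w || bad=1
    expect_mode "$1/.ssh" 700 || bad=1
    expect_mode "$1/.ssh/authorized_keys" 600 || bad=1
    return "$bad"
}

# make_sample_home DIR: constructed home directory with deliberately loose
# permissions and a placeholder key line.
make_sample_home() {
    mkdir -p "$1/.ssh"
    echo 'ssh-rsa AAAAconstructedplaceholder user@host' > "$1/.ssh/authorized_keys"
    chmod 775 "$1"
    chmod 755 "$1/.ssh"
    chmod 644 "$1/.ssh/authorized_keys"
}
```

On the target, call check_ssh_perms /home/<user> with the account's home directory; on the host, point it at the same directory inside the SDK target file system.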

Commands to use ssh without password request

From host:

ssh user@host

From target:

dbclient user@host -i /etc/dropbear/dropbear_rsa_host_key

Commands to use scp without password request

From host:

scp $LOCAL_FILE user@host:/$REMOTE_DIRECTORY

From target:

scp $LOCAL_FILE user@host:/$REMOTE_DIRECTORY -i /etc/dropbear/dropbear_rsa_host_key


There is more information about Remote Access.