pts-dropbear icon indicating copy to clipboard operation
pts-dropbear copied to clipboard

Published 20 hours ago verified publisher icon pts

Metadata

Dropbear SSH tools with ed25519 and other improvements by pts

pts-dropbear: Dropbear SSH tools with ed25519 and other improvements by pts ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ pts-dropbear is a C source tree of the Dropbear embedded SSH server, client and tools for Unix, with modifications by pts.

Based on: dropbear-2017.75.tar.bz2 https://matt.ucc.asn.au/dropbear/releases/dropbear-2017.75.tar.bz2

The most important improvements in pts-dropbear:

  • Added ssh-ed25519 crypto for server host keys and user keys. The implementation is based on TweetNaCl v20140427.
  • Added environment variable propagation (similar to OpenSSH AcceptEnv, command-line flag -A) to Dropbear sshd.
  • Added autodetection and loading of OpenSSH hostkeys to Dropbear sshd (with `make OPENSSHHOSTKEYLOAD=1').
  • Added flag to dropbearkey to generate private keys in OpenSSH format directly (dropbearkey -Z openssh, with `make WRITEOPENSSHKEYS=1').
  • Improved some command-line flags (e.g. dropbear -E is always available).
  • Added compilation instructions for pts-xstatic (statically linked i386 Linux binary). Binary size is 350456 bytes.
  • Added option to compile without loading any system hostkeys (e.g. from /etc/dropbear) (with `make NOSYSHOSTKEYLOAD=1').
  • Made dropbearkey behavior more compatible with ssh-keygen in OpenSSH: ** dropbearkey now creates a .pub file. ** -b bits flag. ** -C comment flag. (The comment will be added only to the public key file, and not to the private key file.) ** -P passphrase flag. Only the empty passhprase is allowed. ** -N passphrase flag. Only the empty passhprase is allowed.
  • Added autodection of the input private key file format, as `dropbearconvert any'.

How to compile:

  • To compile regularly with the system gcc, run this (without the leading `$' signs):

    $ sudo apt-get install gcc make $ ./configure $ make PROGRAMS="dropbear dbclient dropbearkey dropbearconvert scp" MULTI=1 STATIC=1 SCPPROGRESS=1 NOSYSHOSTKEYLOAD=1 OPENSSHHOSTKEYLOAD=1 WRITEOPENSSHKEYS=1 $ ls -l dropbearmulti

  • To compile with pts-xstatic to get a statically linked Linux i386 executable binary, run this (without the leading `$' signs) on a Linux i386 or amd64 system:

    $ sudo apt-get install gcc make $ sudo apt-get install gcc-multilib # On an amd64 system. $ wget http://pts.50.hu/files/pts-xstatic/pts-xstatic-latest.sfx.7z $ chmod u+x pts-xstatic-latest.sfx.7z $ ./pts-xstatic-latest.sfx.7z -y $ XSTATIC=pts-xstatic/bin/xstatic ./c.sh ... (creates drobpearmulti)

How to generate an ssh-ed25519 server host key:

  • Use this command:

    $ dropbearkey -Z openssh -t ed25519 -f dropbear_hostkey_ed25519

    Please note that -Z openssh' is optional. By default it creates the private key file in the OpenSSH format, for improved interoperability. The alternative is -Z dropbear'.

  • Alternatively, this command works if you have OpenSSH:

    $ ssh-keygen -N "" -t ed25519 -f dropbear_hostkey_ed25519

  • Alternatively, you can use this Python script: https://github.com/pts/py_ssh_keygen_ed25519/blob/master/py_ssh_keygen_ed25519.py

    Example invocation:

    $ ./py_ssh_keygen_ed25519.py -t ed25519 -Z openssh -f dropbear_hostkey_ed25519

TODO:

  • Send patches to upstream Dropbear.
  • Add cipher [email protected] (for feature parity with tinyssh).
  • Add querying an ssh-agent to dbclient. (No need to write an ssh-agent, the Gnome, gpg and OpenSSH ssh-agent implementations are fine.)
  • refactor: split keywrite.c (import_write(...)) out keyimport.c, to make the dropbear (not dropbearmulti) binary smaller.
  • --disable-wtmp in c.sh? Add at least a command-line flag. Is the stock Ubuntu 14.04 /var/log/wtmp compatible with xstatic uClibc wtmp format?

FYI:

  • dropbearconvert (and import_read) ignores comments in keys.
  • dropbearkey creates private keys without comments (only public keys have comments).
  • OpenSSH `ssh -i' ignores comments in the private key file. Good.
  • dropbear doesn't support user or host key passphrases.
  • dbclient cannot authenticate with an ssh-agent.
  • dropbear doesn't try to be smart and slow, e.g. by doing DNS lookups on the client IP address.
  • Dropbear binary size is smaller (353 kB for dropbearmulti linked with xstatic, containing dropbear, dbclient, dropbearkey, dropbearconvert, scp) than OpenSSH (836 kB for sshd, 791 kB, 380 kB for ssh-agent for ssh linked with xstatic, 7.3p1 without OpenSSL).
  • OpenSSH crypto operations are faster than in Dropbear. (Is this true? Benchmark!)
  • Dropbear 2017.75 supports these ciphers (with the default compiation flags): aes128-ctr, aes256-ctr, aes128-cbc, aes256-cbc, twofish256-cbc, twofish128-cbc, 3des-ctr, 3des-cbc, 3des. blowfish can also be enabled, but twofish is more efficient.
  • OpenSSH_5.3p1 supports these ciphers: (twofish is missing.) aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc, 3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour, [email protected].
  • OpenSSH_7.2p2 in Ubuntu 14.04 supports these ciphers: (twofish is missing.) 3des-cbc, aes128-cbc, aes128-ctr, [email protected], aes192-cbc aes192-ctr, aes256-cbc, aes256-ctr, [email protected], arcfour, arcfour128 arcfour256, [email protected], [email protected].
  • OpenSSH_7.3p1 compiled without OpenSSL supports these ciphers: aes128-ctr, aes192-ctr, aes256-ctr, [email protected].
  • tinyssh 20161101 (and the latest github on 2017-10-01) supports these ciphers: aes256-str, [email protected].

END

Metadata

24
Stars
3
Forks
Watchers

Owner

verified publisher icon pts

Metadata

Dropbear SSH tools with ed25519 and other improvements by pts

Back