ELS Howto: Dropbear SSH


Synopsis

This document explains how to set up your Elemental Linux Server (ELS) system for encrypted remote access and file transfers using the Dropbear secure shell (SSH) implementation.


Prerequisites

You need to have your ELS system set up to build from source code. You should also have another machine on your network with an SSH client and rsync for testing purposes.


Installation

Dropbear does not come as a binary package and must be installed from source. The following instructions explain how to build Dropbear and install it into the /usr/local hierarchy:

  1. Create, format and mount a partition for /usr/local if it does not already exist. (Review the ELS installation instructions for a refresher on creating partitions.)
  2. Download the latest Dropbear source from http://matt.ucc.asn.au/dropbear/ and extract it in /usr/local/src.
  3. Change directory to /usr/local/src/dropbear-version and run ./configure.
  4. Edit options.h, find the two macro definitions with /etc/dropbear in the path and change them to use /usr/local/etc instead.
  5. Build Dropbear with the make command.
  6. Install Dropbear with the make install command.
  7. Copy the manual pages from the Dropbear source directory into the /usr/local/man/ hierarchy.

Example

The following example shows how you would install Dropbear-0.53.1 onto an ELS system with a separate /usr/local partition already set up.

cd /usr/local/src
wget http://matt.ucc.asn.au/dropbear/dropbear-0.53.1.tar.gz
tar -zxf dropbear-0.53.1.tar.gz

cd dropbear-0.53.1
./configure

vi options.h
#define DSS_PRIV_FILENAME "/usr/local/etc/dropbear_dss_host_key"
#define RSA_PRIV_FILENAME "/usr/local/etc/dropbear_rsa_host_key"

make

make install

cp dbclient.1 /usr/local/man/man1/
cp dropbear.8 /usr/local/man/man8/
cp dropbearkey.8 /usr/local/man/man8/

Configuration

Before using Dropbear for remote access, you must carry out the following set-up tasks:

  1. Generate host keys with the dropbearkey command and place them in the /usr/local/etc directory.
  2. Add an entry for dropbear in /etc/inetd.conf.
  3. Create the necessary firewall rules to allow incoming traffic on TCP port 22.

Example

The following example shows the commands you would enter to configure your ELS host to accept incoming SSH connections from any host on the network.

dropbearkey -t dss -f /usr/local/etc/dropbear_dss_host_key
dropbearkey -t rsa -f /usr/local/etc/dropbear_rsa_host_key

vi /etc/inetd.conf

ssh  stream  tcp  nowait  root  /usr/local/sbin/dropbear  dropbear -i

killall -HUP inetd

vi /etc/firewall

-A INPUT -p tcp --dport 22 -j ACCEPT

/etc/init.d/network restart

Testing

Once everything is configured, you'll want to test remote logins and file transfers.

  1. Find a remote host with SSH and rsync.
  2. Log into the ELS machine over SSH.
  3. Transfer a file from the ELS machine to the remote host using rsync over SSH.

The following example shows a non-privileged user named 'joe' accessing his ELS box from a remote host and creating a file. After the file is created, he logs out and then proceeds to retrieve the file using rsync over SSH.

joe@test-box:~> ssh joe@els-host
The authenticity of host 'els-host (10.10.10.22)' can't be established.
RSA key fingerprint is 12:34:56:78:90:12:34:56:78:90:12:34:56:78:90:12.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'els-host' (RSA) to the list of known hosts.
joe@els-host's password:
els-host:~$ echo "This is a test." >testing.txt
els-host:~$ exit

joe@test-box:~> rsync -avz -e ssh joe@els-host:testing.txt .
joe@els-host's password:
receiving incremental file list
testing.txt

sent 30 bytes  received 110 bytes  40.00 bytes/sec
total size is 16  speedup is 0.11

If you cannot access your ELS machine via SSH, here are a few things to check.

  1. Verify that you can ping the ELS host by its DNS name.
  2. Use the command netstat -tln to be sure that inetd is listening on port 22.
  3. Check that the firewall on your ELS machine allows incoming access on port 22 using the command iptables -L -n.
  4. Verify that there are no other firewalls between the ELS machine and the test box that would block traffic on port 22.
  5. Double-check the /usr/local/etc directory (the path set in options.h) for the presence of host keys.
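
The checklist above can be scripted. The following is an added example for this howto, not code from the Dropbear or ELS projects; it assumes the paths used in this document (/usr/local/etc, /etc/inetd.conf, /etc/firewall) and adds a permission check on the host keys, since a private host key readable by other users defeats the point of the fingerprint shown at login.

```shell
#!/bin/sh
# Added example: sanity-check the Dropbear setup from this howto.
# Paths default to the ones used above; override them via the environment.
KEYDIR="${DROPBEAR_KEYDIR:-/usr/local/etc}"
INETD_CONF="${INETD_CONF:-/etc/inetd.conf}"
FIREWALL_FILE="${FIREWALL_FILE:-/etc/firewall}"

# Succeeds when at least one dropbear host key exists in $1 and every key
# found is readable by its owner only (columns 5-10 of ls -l are the
# group/other bits; anything but "------" means the key leaks to other users).
check_host_keys() {
    dir="$1" found=0
    for k in "$dir/dropbear_rsa_host_key" "$dir/dropbear_dss_host_key"; do
        [ -f "$k" ] || continue
        found=1
        bits=$(ls -l "$k" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "WARN: $k is not mode 0600 (group/other bits: $bits)" >&2
            return 1
        fi
    done
    [ "$found" -eq 1 ]
}

# Succeeds when $1 has an uncommented ssh line that hands the socket to dropbear.
check_inetd_entry() {
    grep -Eq '^ssh[[:space:]]+stream[[:space:]]+tcp[[:space:]]+.*dropbear' "$1"
}

# Succeeds when $1 contains an INPUT rule accepting TCP port 22 exactly.
check_firewall_rule() {
    grep -Eq -- '^-A INPUT .*-p tcp .*--dport 22 .*-j ACCEPT' "$1"
}

# Live check, only meaningful on the ELS host: is inetd listening on port 22?
check_listening() {
    netstat -tln 2>/dev/null | grep -Eq '[:.]22[[:space:]]'
}

main() {
    rc=0
    # each entry is "function argument"; word splitting turns it into a command
    for c in "check_host_keys $KEYDIR" "check_inetd_entry $INETD_CONF" \
             "check_firewall_rule $FIREWALL_FILE" "check_listening"; do
        if $c; then echo "ok:   $c"; else echo "FAIL: $c"; rc=1; fi
    done
    return $rc
}
# Run the live checks only when asked, e.g. `sh dropbear-check.sh --run`.
if [ "${1-}" = "--run" ]; then main; exit $?; fi
```

Run it as root on the ELS host with --run; a FAIL line points at which step of the checklist to revisit.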

Additional Information

For help with Dropbear, the author of the software offers additional information and a mailing list on his web site.