Dropbear SSH a lightweight alternative to OpenSSH

DropBear SSH
Dropbear is a small and lightweight SSH server and client that can replace OpenSSH on any POSIX platform such as GNU / Linux, * BSD, Cygwin … Dropbear is free software since it is released under MIT-style licenses.

Features:

  • A small memory footprint suitable for memory-constrained environments.
  • Dropbear server implements X11 forwarding, and authentication-agent forwarding for OpenSSH clients
  • Compatible with OpenSSH ~/.ssh/authorized_keys public key authentication
  • The server, client, keygen, and key converter can be compiled into a single binary
  • Multi-hop mode uses SSH TCP forwarding to tunnel through multiple SSH hosts in a single command. dbclient user1@hop1,user2@hop2,destination

1. Install

Fedora

$ sudo dnf -y install dropbear

CentOS

Install EPEL repo.

$ sudo yum -y install epel-release

Install Dropbear.

$ yum -y install dropbear

Alpine

$ sudo apk add dropbear

Debian/Ubuntu/Devuan

$ sudo apt-get -y install dropbear

Android

Before installing Dropbear on Android you must install Termux, see the video: Termux – emulador de terminal para Android (Spanish)

Install Dropbear.

$ apt install dropbear

2. Stop OpenSSH service

Before starting the Dropbear service be sure to stop the sshd service.

systemd based distro: Fedora, CentOS, Debian, Ubuntu

$ sudo bash -c 'systemctl stop sshd && systemctl disable sshd'

OpenRC based distro: Alpine

$ sudo bash -c 'rc-service sshd stop && rc-update del sshd'

sysvinit based distro: Devuan

$ sudo bash -c 'service sshd stop && update-rc.d sshd disable'

Android

For Android it is not necessary to stop the SSH service because it is not installed by default.

3. Start Dropbear service

systemd based distro: Fedora, CentOS, Debian, Ubuntu

$ sudo systemctl start dropbear

OpenRC based distro: Alpine

$ sudo rc-service dropbear start

sysvinit based distro: Devuan

$ sudo service dropbear start

Android

We start Dropbear in foreground, by default Dropbear will be listening in port 8022

$ dropbear -F

4. Start the service with the OS

systemd based distro: Fedora, CentOS, Debian, Ubuntu

$ sudo systemctl enable dropbear

OpenRC based distro: Alpine

$ sudo rc-update add dropbear

sysvinit based distro: Devuan

$ sudo update-rc.d sshd enable

Android

It is not advisable to have an SSH server running on Android permanently for security and performance reasons however you can do it by installing Termux:Boot

5. Connect to Dropbear server

To connect to the Dropbear server you can use the ssh client (OpenSSH) or the dbclient tool. The dbclient tool is part of the Dropbear package. For Android, the recommended way to connect is using public and private keys since you do not have the password for the connecting user (at least in standard mode), for more details see the following video:

Cómo instalar un servidor SSH en Android (Spanish).

For Android you must add the -p 8022 option to the commands: ssh, dbclient.

Using user and password

$ ssh usuario@miservidor.midominio
$ dbclient usuario@miservidor.midominio

Using public and private keys

With ssh

To connect to the dropbear server using the ssh client you must use the public and private keys generated by ssh-keygen.

1. Generate public and private keys
 $ ssh-keygen -t ecdsa 
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/sedlav/.ssh/id_ecdsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/sedlav/.ssh/id_ecdsa.
Your public key has been saved in /home/sedlav/.ssh/id_ecdsa.pub.
The key fingerprint is:
SHA256:m+Cg8yFD07sWN05oFHI6SXJsSXJe2nGYUtMalQFn2og sedlav@librebyte.net
The key's randomart image is:
+---[ECDSA 256]---+
|.ooo***o         |
|.+O=*Xo          |
| =E*++.          |
|  +.o            |
|  ooo.. S        |
| . o+++. o       |
|  =.o=..o        |
|   =.o.          |
|   .o            |
+----[SHA256]-----+
2. Copy the public key to the server
$ ssh-copy-id -i .ssh/id_ecdsa.pub sedlav@dropbearserver
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_ecdsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
sedlav@dropbearserver's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'sedlav@dropbearserver'"
and check to make sure that only the key(s) you wanted were added.
3. Connect
$ ssh sedlav@dropbearserver

With dbclient

To connect to the dropbear server using dbclient you must use public and private keys generated by dropbearkey

$ dropbearkey -t ecdsa -f .ssh/id_dropbear_ecdsa | grep "^ecdsa" > .ssh/id_dropbear_ecdsa.pub 
Generating key, this may take a while...
2. Copy the public key to the server
$ cat .ssh/id_dropbear_ecdsa.pub | dbclient sedlav@dropbearserver 'cat - >> .ssh/authorized_keys'
sedlav@dropbearserver's password:
3. Connect
$ dbclient -i .ssh/id_dropbear_ecdsa sedlav@dropbearserver

Note .ssh DIR must have 700 perms mode and authorized_keys file must have 600 perms mode or you will not be able to connect to the Dropbear server.

Further reading

YouTube video

5 thoughts on “Dropbear SSH a lightweight alternative to OpenSSH”

  1. Can we use dropbear with OpenVPN installations? I have access to a 128MB VPS, but hard a hard time installing OpenVPN due to memory constraints.

    1. With Dropbear you can tunnel your connection to any remote service, but in the server side you need a Dropbear service running.

  2. Looks like DropBear covers the essentials, and it’s always good to have more than one Free Software implementation of the SSH protocol. Problem: the OpenSSH project produces such a good and secure client and server–that remains relatively lightweight after all these years–that I’m not sure where DropBear would fit in. Are there any specific advantages over the OpenSSH project’s implementation?

  3. Great guide! There’s not much information out there about Dropbear SSH. For anyone trying to figure out where to specify settings for Dropbear, it’s located in the ‘dropbear’ file in ‘/etc/default’. There’s a line with DROPBEAR_EXTRA_ARGS= that you can specify extra arguments such as DROPBEAR_EXTRA_ARGS=”-g” to disable root password logins. You can find a full list of the arguments in ‘dropbear -help’.

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.