Dropbear is a small and lightweight SSH server and client that can replace OpenSSH on any POSIX platform such as GNU/Linux, *BSD, Cygwin … Dropbear is free software since it is released under MIT-style licenses.
Features:
- A small memory footprint suitable for memory-constrained environments.
- Dropbear server implements X11 forwarding, and authentication-agent forwarding for OpenSSH clients
- Compatible with OpenSSH ~/.ssh/authorized_keys public key authentication
- The server, client, keygen, and key converter can be compiled into a single binary
- Multi-hop mode uses SSH TCP forwarding to tunnel through multiple SSH hosts in a single command. dbclient user1@hop1,user2@hop2,destination
1. Install
Fedora
$ sudo dnf -y install dropbear
CentOS
Install EPEL repo.
$ sudo yum -y install epel-release
Install Dropbear.
$ sudo yum -y install dropbear
Alpine
$ sudo apk add dropbear
Debian/Ubuntu/Devuan
$ sudo apt-get -y install dropbear
Android
Before installing Dropbear on Android you must install Termux, see the video: Termux – emulador de terminal para Android (Spanish)
Install Dropbear.
$ apt install dropbear
2. Stop OpenSSH service
Before starting the Dropbear service be sure to stop the sshd service.
systemd based distro: Fedora, CentOS, Debian, Ubuntu
$ sudo bash -c 'systemctl stop sshd && systemctl disable sshd'
OpenRC based distro: Alpine
$ sudo bash -c 'rc-service sshd stop && rc-update del sshd'
sysvinit based distro: Devuan
$ sudo bash -c 'service sshd stop && update-rc.d sshd disable'
Android
For Android it is not necessary to stop the SSH service because it is not installed by default.
3. Start Dropbear service
systemd based distro: Fedora, CentOS, Debian, Ubuntu
$ sudo systemctl start dropbear
OpenRC based distro: Alpine
$ sudo rc-service dropbear start
sysvinit based distro: Devuan
$ sudo service dropbear start
Android
We start Dropbear in the foreground. By default Dropbear listens on port 8022.
$ dropbear -F
4. Start the service with the OS
systemd based distro: Fedora, CentOS, Debian, Ubuntu
$ sudo systemctl enable dropbear
OpenRC based distro: Alpine
$ sudo rc-update add dropbear
sysvinit based distro: Devuan
$ sudo update-rc.d dropbear enable
Android
It is not advisable to have an SSH server running permanently on Android, for security and performance reasons; however, you can do it by installing Termux:Boot.
5. Connect to Dropbear server
To connect to the Dropbear server you can use the ssh client (OpenSSH) or the dbclient tool, which is part of the Dropbear package. For Android, the recommended way to connect is with public and private keys, since you do not have the password for the connecting user (at least in standard mode). For more details see the following video:
Cómo instalar un servidor SSH en Android (Spanish).
For Android you must add the -p 8022 option to the commands: ssh, dbclient.
Using user and password
$ ssh usuario@miservidor.midominio
$ dbclient usuario@miservidor.midominio
Using public and private keys
With ssh
To connect to the dropbear server using the ssh client you must use the public and private keys generated by ssh-keygen.
1. Generate public and private keys
$ ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/sedlav/.ssh/id_ecdsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/sedlav/.ssh/id_ecdsa.
Your public key has been saved in /home/sedlav/.ssh/id_ecdsa.pub.
The key fingerprint is:
SHA256:m+Cg8yFD07sWN05oFHI6SXJsSXJe2nGYUtMalQFn2og sedlav@librebyte.net
The key's randomart image is:
+---[ECDSA 256]---+
|.ooo***o |
|.+O=*Xo |
| =E*++. |
| +.o |
| ooo.. S |
| . o+++. o |
| =.o=..o |
| =.o. |
| .o |
+----[SHA256]-----+
2. Copy the public key to the server
$ ssh-copy-id -i .ssh/id_ecdsa.pub sedlav@dropbearserver
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_ecdsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
sedlav@dropbearserver's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'sedlav@dropbearserver'"
and check to make sure that only the key(s) you wanted were added.
3. Connect
$ ssh sedlav@dropbearserver
With dbclient
To connect to the dropbear server using dbclient you must use public and private keys generated by dropbearkey.
1. Generate public and private keys
$ dropbearkey -t ecdsa -f .ssh/id_dropbear_ecdsa | grep "^ecdsa" > .ssh/id_dropbear_ecdsa.pub
Generating key, this may take a while...
2. Copy the public key to the server
$ cat .ssh/id_dropbear_ecdsa.pub | dbclient sedlav@dropbearserver 'cat - >> .ssh/authorized_keys'
sedlav@dropbearserver's password:
3. Connect
$ dbclient -i .ssh/id_dropbear_ecdsa sedlav@dropbearserver
Note: the .ssh directory must have mode 700 and the authorized_keys file must have mode 600, or you will not be able to connect to the Dropbear server.
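An added example, not part of the original guide: a server-side helper that performs the "copy the public key" step idempotently (the `cat - >> .ssh/authorized_keys` form appends a duplicate on every run and does not create the directory) and then verifies the 700/600 modes from the note above. The function names and the key line in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: idempotent key install plus the 700/600 permission check.
# Function names and the demo key line are assumptions, not Dropbear tooling.

# perm_of PATH -> octal mode (GNU coreutils and BusyBox stat both accept -c)
perm_of() { stat -c '%a' "$1"; }

# install_pubkey HOME_DIR PUBKEY_LINE
# Creates HOME_DIR/.ssh (700) and authorized_keys (600), then appends the key
# only if that exact line is not already present.
install_pubkey() {
    target=$1; key=$2
    sshdir="$target/.ssh"; auth="$sshdir/authorized_keys"
    case $key in
        ssh-*|ecdsa-*) ;;   # looks like a public key line
        *) echo "refusing: not a public key line" >&2; return 2 ;;
    esac
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}

# check_ssh_perms HOME_DIR -> 0 when .ssh is 700 and authorized_keys is 600
check_ssh_perms() {
    sshdir="$1/.ssh"; auth="$sshdir/authorized_keys"
    rc=0
    [ -d "$sshdir" ] || { echo "missing $sshdir" >&2; return 1; }
    [ -f "$auth" ] || { echo "missing $auth" >&2; return 1; }
    [ "$(perm_of "$sshdir")" = 700 ] || { echo "$sshdir is not 700" >&2; rc=1; }
    [ "$(perm_of "$auth")" = 600 ] || { echo "$auth is not 600" >&2; rc=1; }
    return $rc
}

# Demo on a throwaway directory with a constructed (fake) key line.
demo_home=$(mktemp -d)
install_pubkey "$demo_home" "ecdsa-sha2-nistp256 AAAAconstructedkey demo@example"
check_ssh_perms "$demo_home" && echo "permissions OK"
rm -rf "$demo_home"
```

On a real server, pass the user's home directory and the contents of the .pub file generated earlier.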
Can we use dropbear with OpenVPN installations? I have access to a 128MB VPS, but had a hard time installing OpenVPN due to memory constraints.
With Dropbear you can tunnel your connection to any remote service, but on the server side you need a Dropbear service running.
Looks like DropBear covers the essentials, and it’s always good to have more than one Free Software implementation of the SSH protocol. Problem: the OpenSSH project produces such a good and secure client and server–that remains relatively lightweight after all these years–that I’m not sure where DropBear would fit in. Are there any specific advantages over the OpenSSH project’s implementation?
Dropbear is smaller than OpenSSH, has few dependencies and can be compiled to a 110kB statically linked binary with uClibc, so it is targeted at embedded devices, such as wireless routers. You can view more details at: https://matt.ucc.asn.au/dropbear/dropbear.html
Great guide! There’s not much information out there about Dropbear SSH. For anyone trying to figure out where to specify settings for Dropbear, it’s located in the ‘dropbear’ file in ‘/etc/default’. There’s a line with DROPBEAR_EXTRA_ARGS= that you can specify extra arguments such as DROPBEAR_EXTRA_ARGS="-g" to disable root password logins. You can find a full list of the arguments in ‘dropbear -help’.
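An added example, not from the guide or the comments: a small audit of the DROPBEAR_EXTRA_ARGS line mentioned in the comment above, reporting whether password logins are still possible once key authentication works. Only -g appears on this page; -s (disable password logins) and -w (disallow root logins) are other dropbear server options, and the script assumes flags are written as separate words.

```shell
#!/bin/sh
# Added example (not from the page): report which login-hardening flags are
# set in a Debian-style defaults file. Function names are assumptions, and
# flags are assumed to be written separately ("-s -w"), not combined.

# extra_args FILE -> value of the last DROPBEAR_EXTRA_ARGS= line, unquoted.
# The file is parsed with sed, not sourced, so nothing in it is executed.
extra_args() {
    sed -n 's/^[[:space:]]*DROPBEAR_EXTRA_ARGS=//p' "$1" | tail -n 1 |
        sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# has_flag "ARGS" FLAG -> 0 when FLAG appears as its own word in ARGS
has_flag() {
    for word in $1; do
        [ "$word" = "$2" ] && return 0
    done
    return 1
}

# audit_dropbear_args FILE -> prints findings, returns the number of warnings
audit_dropbear_args() {
    args=$(extra_args "$1")
    missing=0
    if has_flag "$args" -s; then
        echo "ok: -s set, password logins disabled for all users"
    elif has_flag "$args" -g; then
        echo "warn: only -g set, non-root users can still log in with passwords"
        missing=$((missing + 1))
    else
        echo "warn: neither -s nor -g set, password logins allowed"
        missing=$((missing + 1))
    fi
    if has_flag "$args" -w; then
        echo "ok: -w set, root logins disallowed"
    else
        echo "warn: -w not set, root may log in"
        missing=$((missing + 1))
    fi
    return "$missing"
}

# Demo on a constructed defaults file.
demo=$(mktemp)
printf 'DROPBEAR_EXTRA_ARGS="-g"\n' > "$demo"
audit_dropbear_args "$demo" || true
rm -f "$demo"
```

Run it as `audit_dropbear_args /etc/default/dropbear` on a system that uses that file; confirm key login works in a second session before adding -s.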