view · edit · print · history

This howto covers the setup and usage of the DropBear secure shell for remote command line access. DropBear is a much more light weight implementation of a SSH daemon than OpenSSH which also requires the OpenSSL libraries. DropBear however does not have some of the features that OpenSSH includes like agent forwarding and support for SFTP (which is quicker than SCP). [Note: it seems if OpenSSH with sftp server is installed, DropBear can make use of the openssh-sftp-server even if OpenSSH is not running; at least for me it works while still having the low in-memory footprint of DropBear ].

I have a Windows 2000 machine which I want to be able to use from work (behind a number of firewalls) to access the slug on my home broadband network. So what do I need to do?

1) Unsling your slug - see Unslung

2) Install the DropBear package which gives you your SSH daemon. You can do this by executing the following via telnet.

# ipkg update
# ipkg install dropbear

3) Reboot and check DropBear is running.

# ps -ef

And look for a line something like the following:

692 root 1628 S dropbear

(If the dropbear line has '-p 2222' or similar at the end, you will need to specify this custom port number to connect to dropbear with SSH or Putty)

4) OK so it's running. What the heck do you do now? Well, you need to get an SSH client for your Windows box. I use the free client called Putty (http://www.chiark.greenend.org.uk/~sgtatham/putty/) so that's what I'm going to talk about here. Download it and install.

5) If you intend to use a shell other than sh (e.g. /opt/bin/bash) then you need to create an /etc/shells file with the following contents:


6) You can now connect using your client. If you stop at this point then the NSLU2 will allow all connections to be made, and may potentially have the client complain about unknown keys. If this doesn't concern you (and for general use, it shouldn't) then you can stop at this point.

7) Now we need to generate some keys. So run Start->Programs->Putty->Puttygen key generation program. Click the "generate" button to generate some new keys. In the top part of the window you will see a public key string something like the following (The key here has been shortened for display purposes. Your generated key will be a much longer string):

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAA......aJ3Wy+Ws4IZEgdJgPlTYUBWWtCWOGc= someone@hostname

This is what is called a public key.

8) First of all save your private key pair (*.ppk) file with a password to encrypt it.

9) Copy the public key similar to the string in (7) above to the clipboard. Now what we need to do is load that public key as an authorized key for 'root'. (I'm assuming that if you want to authorise another user you will execute the same pattern).

First of all telnet into the SLUG as the user we want to authorise (e.g. root) and change to the home directory:

# cd ~

Now create the hidden directory for the SSH settings

# mkdir .ssh
# cd .ssh

Once we have this we want to save our public key into the authorized keys file which can be done easily as follows (The key here has been shortened for display purposes. Your generated key will be a much longer string):

# echo ssh-rsa AAAAB3NzaC1yc2EAAAABIwAA......aJ3Wy+Ws4IZEgdJgPlTYUBWWtCWOGc= someone@hostname > authorized_keys

NOTE: I found problems using nano (small compact file editor) to create the file, because it kept changing the spacing and carriage returns which causes the key not to validate. The whole key should be on a single line.

Check that this file is not editable by anyone but the current user ensure that the write permissions are write only for the user (i.e. have a mask like -rwxr--r-- when you do an ls -l)

# chmod a+r authorized_keys
# chmod og-wx authorized_keys

10) OK so that should get us ready for authentication by key file. Furthermore we can prevent anyone logging in as root via SSH without a key. What we need to do is kill the currently running dropbear processes and restart them with the -s option. So lets find the processes to kill:

# ps -ef

We need to kill all the dropbear processes by their PID using the following:

# kill -9 xxx <- where xxx is replaced with the IDs? as listed in the ps command output above

Now we need to restart dropbear with the login with keys only option:

# /opt/sbin/dropbear -s

To make this permanent we need to add the "-s" option on start up. this can be done by editing the /opt/etc/init.d/S51dropbear file. So that it looks like the following:

# cat /opt/etc/init.d/S51dropbear

/opt/sbin/dropbear -s

11) Having set up the server as we want it all we have to do now is to connect with Putty. Start->Programs->Putty->Putty. It will come up with the options for the server (IP address etc) which you need to set. Also set up the SSH authentication by key - pointing the key to the *.ppk file that you created and saved in (8).

12) Click open and when requested log in as 'root'. It should authenticate using the keys and a shell prompt will appear.

login as: root
Authenticating with public key "root@slug" from agent

BusyBox? v0.60.4 (2004.07.01-03:05+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.



If you want to be able to access your files, upload and download over SSH then you need an SCP client. For myself, wanting to access my files over the internet securely from my Windows box at work, I downloaded WinSCP (http://winscp.net/) and simply configured it up, by entering the IP address, pointing to the key file and entering the username. It worked out of the box, I could browse all the files on the SLUG as if logged in to console.

WinSCP minimises the amount of time you spend bashing away at the keyboard to achieve simple tasks, while simultaneously providing a better picture of what goes on in the Slug.

When logging in with WinSCP and using SCP with DropBear, you may receive an error message referring to the command: "groups". This command may well be absent in the slug. In WinSCP, at the login window, select "Advanced options". In the tree, select "Environment->SCP". Untick "Lookup user groups" and save your login profile.

DropBear or OpenSSH? Have a look here: (http://winscp.net/eng/docs/protocols)

Note: it seems if OpenSSH with sftp server is installed, DropBear can make use of the openssh-sftp-server even if OpenSSH is not running; at least for me it works while still having the low in-memory footprint of DropBear.

If you've problem logging into your slug with dropbear, i.e. if you wait the login prompt for ages, it may be a problem related to the random number generator. Try this quick and dirty trick:

# cd /dev
# mv random random.orig
# cp urandom random

Bear in mind that this reduces the security of the SSH session key, so think of this as a short-term workaround.

view · edit · print · history · Last edited by Kees Moerman.
Based on work by Kees Moerman, tms13, Ernst J Oud, Peter, Piter, Lord JieM, maurice, prikryl, sharth, JP, MattMcNeill, paulhar, tman, MattMcN, rwhitby, snrub, and ka6sox.
Originally by MattMcN.
Page last modified on May 10, 2010, at 04:18 AM