4.5 Using Dropbear for SSH

SSH, or secure shell, is a protocol for remote login. One advantage over telnet is that it can use public key authentication instead of passwords. Another advantage is that plain text is not transferred; the data sent between the connected hosts is encrypted.

dropbear is a small SSH v2 server and client package. By default, keys are generated and the server is started at system bootup, unless either the ttylinux dropbear startup script detects that the CPU is slower than 1 GHz or the nosshd boot option was specified.

dropbear allows password and public key authentication. Public key authentication can use DSS and RSA keys and works with keys generated by the popular OpenSSH package. Having a public key from OpenSSH in the file .ssh/authorized_keys should allow secure login from the machine that has the corresponding private key. The permissions on the .ssh directory must not include group or other write permission, otherwise dropbear will refuse public key authentication.
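
A permission check for the requirement above, as an added example that is not part of the original ttylinux documentation. The function names perm_ok and audit_ssh_perms are hypothetical, and checking the authorized_keys file in addition to the .ssh directory is an assumption that goes beyond what the text states.

```shell
#!/bin/sh
# Added example: flag group/other write permission on the paths used for
# public key authentication. Usage: audit_ssh_perms "$HOME"

# Return 0 if the path exists and has no group or other write bit.
perm_ok() {
	# ls -ld prints a mode string such as "drwxr-xr-x"; character 6 is
	# the group write bit and character 9 is the other write bit.
	mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
	[ -n "$mode" ] || return 1
	gw=$(printf '%s' "$mode" | cut -c6)
	ow=$(printf '%s' "$mode" | cut -c9)
	[ "$gw" != "w" ] && [ "$ow" != "w" ]
}

# Check the .ssh directory (the requirement stated in the text) and, as an
# assumption beyond the text, the authorized_keys file inside it.
# Prints one line per path and returns the number of unsafe paths.
audit_ssh_perms() {
	home=${1:-$HOME}
	bad=0
	for p in "$home/.ssh" "$home/.ssh/authorized_keys"; do
		[ -e "$p" ] || { echo "MISSING $p"; continue; }
		if perm_ok "$p"; then
			echo "OK      $p"
		else
			echo "UNSAFE  $p (fix: chmod go-w $p)"
			bad=$((bad + 1))
		fi
	done
	return "$bad"
}
```
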

The SSH client program is called dbclient. It is different from the server in that it cannot use keys in OpenSSH format. You can use the dropbearconvert program to convert an OpenSSH format key for use by dbclient or you can use dropbearkey to create a new key.

To convert an OpenSSH key stored in ~/.ssh/id_rsa, do:

	dropbearconvert openssh dropbear \
		~/.ssh/id_rsa ~/.ssh/id_rsa.db

The new key will be stored in ~/.ssh/id_rsa.db. You can use the -i switch to dbclient to make it use your new key for authentication. The public key part of the old OpenSSH key can be used as-is for pasting into your ~/.ssh/authorized_keys file. Conversion is only needed for the private key.

To create a new RSA key to store in ~/.ssh/id_rsa.db, you can use the following command:

	dropbearkey -t rsa -f ~/.ssh/id_rsa.db

The public key part of the new key will be printed to the screen. You can put it into the ~/.ssh/authorized_keys file on all machines where you want to be able to log in using your new private key stored in ~/.ssh/id_rsa.db. You can create a DSS key instead of an RSA key by using -t dss instead of -t rsa. Should you lose the public key, you can always get it back by using the private key and the -y switch to dropbearkey:

	dropbearkey -y -f ~/.ssh/id_rsa.db

If you want to use scp to copy files from another machine, the standard scp program from OpenSSH is included with dropbear and ttylinux.