pts-dropbear: Dropbear SSH tools with ed25519 and other improvements by pts
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
pts-dropbear is a C source tree of the Dropbear embedded SSH server, client
and tools for Unix, with modifications by pts.
Based on: dropbear-2017.75.tar.bz2
https://matt.ucc.asn.au/dropbear/releases/dropbear-2017.75.tar.bz2
The most important improvements in pts-dropbear:
* Added ssh-ed25519 crypto for server host keys and user keys. The
implementation is based on TweetNaCl v20140427.
* Added environment variable propagation (similar to OpenSSH AcceptEnv,
command-line flag -A) to Dropbear sshd.
* Added autodetection and loading of OpenSSH hostkeys to Dropbear
sshd (with `make OPENSSHHOSTKEYLOAD=1').
* Added flag to dropbearkey to generate private keys in OpenSSH format
directly (dropbearkey -Z openssh, with `make WRITEOPENSSHKEYS=1').
* Improved some command-line flags (e.g. dropbear -E is always available).
* Added compilation instructions for pts-xstatic (statically linked i386 Linux
binary). Binary size is 350456 bytes.
* Added option to compile without loading any system hostkeys (e.g. from
/etc/dropbear) (with `make NOSYSHOSTKEYLOAD=1').
* Made dropbearkey behavior more compatible with ssh-keygen in OpenSSH:
** dropbearkey now creates a .pub file.
** -b bits flag.
** -C comment flag. (The comment will be added only to the public key file, and
not to the private key file.)
** -P passphrase flag. Only the empty passphrase is allowed.
** -N passphrase flag. Only the empty passphrase is allowed.
* Added autodetection of the input private key file format, as
`dropbearconvert any'.
How to compile:
* To compile regularly with the system gcc, run this (without the leading
`$' signs):
$ sudo apt-get install gcc make
$ ./configure
$ make PROGRAMS="dropbear dbclient dropbearkey dropbearconvert scp" MULTI=1 STATIC=1 SCPPROGRESS=1 NOSYSHOSTKEYLOAD=1 OPENSSHHOSTKEYLOAD=1 WRITEOPENSSHKEYS=1
$ ls -l dropbearmulti
* To compile with pts-xstatic to get a statically linked Linux i386
executable binary, run this (without the leading `$' signs) on a Linux
i386 or amd64 system:
$ sudo apt-get install gcc make
$ sudo apt-get install gcc-multilib # On an amd64 system.
$ wget http://pts.50.hu/files/pts-xstatic/pts-xstatic-latest.sfx.7z
$ chmod u+x pts-xstatic-latest.sfx.7z
$ ./pts-xstatic-latest.sfx.7z -y
$ XSTATIC=pts-xstatic/bin/xstatic ./c.sh
...
(creates dropbearmulti)
How to generate an ssh-ed25519 server host key:
* Use this command:
$ dropbearkey -Z openssh -t ed25519 -f dropbear_hostkey_ed25519
Please note that `-Z openssh' is optional. By default it creates the
private key file in the OpenSSH format, for improved interoperability. The
alternative is `-Z dropbear'.
* Alternatively, this command works if you have OpenSSH:
$ ssh-keygen -N "" -t ed25519 -f dropbear_hostkey_ed25519
* Alternatively, you can use this Python script:
https://github.com/pts/py_ssh_keygen_ed25519/blob/master/py_ssh_keygen_ed25519.py
Example invocation:
$ ./py_ssh_keygen_ed25519.py -t ed25519 -Z openssh -f dropbear_hostkey_ed25519
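Whichever of the three commands above you use, it is worth checking that the resulting private key really is an unencrypted, well-formed ed25519 key in the OpenSSH format (dropbear cannot load a passphrase-protected key) before installing it as a host key. The following Python script is an added example, not part of pts-dropbear or OpenSSH: it builds a constructed sample key in the openssh-key-v1 layout (no real key is generated, the key bytes are fake) and then inspects it; the inspect function also works on a real dropbear_hostkey_ed25519 file read from disk.

```python
import base64, hashlib, struct

MAGIC = b"openssh-key-v1\x00"
# Constructed sample key material, not a real key (a real public half is derived from the seed).
SEED, PUB = bytes(range(32)), bytes(range(32, 64))

def sshstr(b: bytes) -> bytes:  # SSH wire string: uint32 length + payload
    return struct.pack(">I", len(b)) + b

def rdstr(buf: bytes, off: int):  # read one SSH wire string, return (payload, new offset)
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_openssh_ed25519_key(pub: bytes, seed: bytes, comment: bytes = b"") -> str:
    """Build an unencrypted openssh-key-v1 file as dropbearkey -Z openssh lays it out."""
    pubblob = sshstr(b"ssh-ed25519") + sshstr(pub)
    check = b"\x12\x34\x56\x78"  # same 4 bytes twice; a decrypt check for encrypted keys
    priv = check + check + sshstr(b"ssh-ed25519") + sshstr(pub) + sshstr(seed + pub) + sshstr(comment)
    priv += bytes(range(1, 9 - len(priv) % 8)) if len(priv) % 8 else b""  # pad 1,2,3.. to 8
    blob = MAGIC + sshstr(b"none") + sshstr(b"none") + sshstr(b"") + struct.pack(">I", 1)
    blob += sshstr(pubblob) + sshstr(priv)
    b64 = base64.b64encode(blob).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % "\n".join(lines)

def inspect_openssh_ed25519_key(pem: str) -> dict:
    """Check an OpenSSH-format ed25519 private key is unencrypted and consistent; return its facts."""
    blob = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    if not blob.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 file")
    cipher, off = rdstr(blob, len(MAGIC))
    kdf, off = rdstr(blob, off)
    _kdfopts, off = rdstr(blob, off)
    (nkeys,), off = struct.unpack(">I", blob[off:off + 4]), off + 4
    if (cipher, kdf, nkeys) != (b"none", b"none", 1):
        raise ValueError("expected exactly one key with no passphrase (dropbear supports none)")
    pubblob, off = rdstr(blob, off)
    priv, off = rdstr(blob, off)
    if priv[:4] != priv[4:8]:
        raise ValueError("check ints differ: corrupt key")
    ktype, p = rdstr(priv, 8)
    pub, p = rdstr(priv, p)
    sk, p = rdstr(priv, p)
    comment, p = rdstr(priv, p)
    if ktype != b"ssh-ed25519" or len(pub) != 32 or len(sk) != 64 or sk[32:] != pub:
        raise ValueError("malformed ed25519 key section")
    if pubblob != sshstr(ktype) + sshstr(pub) or priv[p:] != bytes(range(1, len(priv) - p + 1)):
        raise ValueError("public blob or padding inconsistent with private section")
    fp = base64.b64encode(hashlib.sha256(pubblob).digest()).decode().rstrip("=")
    return {"type": ktype.decode(), "comment": comment.decode(), "fingerprint": "SHA256:" + fp}
```

The returned fingerprint is computed the same way `ssh-keygen -lf' prints it, so it can be compared against the .pub file; an empty comment is what dropbearkey writes, since it puts the comment only into the public key file.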
TODO:
* Send patches to upstream Dropbear.
* Add cipher chacha20-poly1305@openssh.com (for feature parity with
tinyssh).
* Add querying an ssh-agent to dbclient. (No need to write an ssh-agent,
the Gnome, gpg and OpenSSH ssh-agent implementations are fine.)
* refactor: split keywrite.c (import_write(...)) out of keyimport.c, to make
the dropbear (not dropbearmulti) binary smaller.
* --disable-wtmp in c.sh? Add at least a command-line flag. Is the stock
Ubuntu 14.04 /var/log/wtmp compatible with xstatic uClibc wtmp format?
FYI:
* dropbearconvert (and import_read) ignores comments in keys.
* dropbearkey creates private keys without comments (only public keys have comments).
* OpenSSH `ssh -i' ignores comments in the private key file. Good.
* dropbear doesn't support user or host key passphrases.
* dbclient cannot authenticate with an ssh-agent.
* dropbear doesn't try to be smart and slow, e.g. by doing DNS lookups on
the client IP address.
* Dropbear binary size is smaller (353 kB for dropbearmulti linked with
xstatic, containing dropbear, dbclient, dropbearkey, dropbearconvert, scp)
than OpenSSH (836 kB for sshd, 791 kB for ssh, 380 kB for ssh-agent, linked
with xstatic, 7.3p1 without OpenSSL).
* OpenSSH crypto operations are faster than in Dropbear. (Is this true?
Benchmark!)
* Dropbear 2017.75 supports these ciphers (with the default compilation flags):
aes128-ctr, aes256-ctr, aes128-cbc, aes256-cbc, twofish256-cbc,
twofish128-cbc, 3des-ctr, 3des-cbc, 3des.
blowfish can also be enabled, but twofish is more efficient.
* OpenSSH_5.3p1 supports these ciphers: (twofish is missing.)
aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc,
3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour.
* OpenSSH_7.2p2 in Ubuntu 14.04 supports these ciphers: (twofish is missing.)
3des-cbc, aes128-cbc, aes128-ctr, aes128-gcm@openssh.com, aes192-cbc,
aes192-ctr, aes256-cbc, aes256-ctr, aes256-gcm@openssh.com, arcfour,
arcfour128, arcfour256, chacha20-poly1305@openssh.com.
* OpenSSH_7.3p1 compiled without OpenSSL supports these ciphers:
aes128-ctr, aes192-ctr, aes256-ctr, chacha20-poly1305@openssh.com.
* tinyssh 20161101 (and the latest github on 2017-10-01)
supports these ciphers: aes256-ctr, chacha20-poly1305@openssh.com.
__END__