Linux Embedded Dropbear

Dropbear SSH Server on Embedded Linux

Dropbear Server implements all the main components of the SSH 2 protocol, plus X11 forwarding and authentication forwarding (so that local keys can be used when establishing a connection from a remote server).

dropbear is an SSH 2 implementation for systems with a limited amount of RAM.

dropbearclient replaces ssh and scp.
dropbear replaces sshd.

Download the latest source code .tar.gz file from http://matt.ucc.asn.au/dropbear/.

To run Dropbear on the target, you need to cross-compile Dropbear for your Embedded Linux Target.

Download and unzip the Dropbear source code (for example: dropbear-2012.55.tar.gz).
In the Dropbear directory create a "build" sub-directory.
In the "build" directory create the following "build.sh" script (you need to modify the path to your cross tools, gcc and strip):

    # adjust the toolchain path, CC and --host to match your target
    export PATH=/opt/toolchains/stbgcc-4.5.4-2.9/bin:$PATH
    ../configure --prefix=$PWD CC=mipsel-linux-gcc --host=mipsel-linux
    make

    # strip debug symbols from the target binaries
    mipsel-linux-strip -v dropbear
    mipsel-linux-strip -v dropbearkey

The "dropbear" and "dropbearkey" executables will be created; copy them to the Embedded Linux Target and place them in the "/bin" directory.


You also need to prepare "sftp-server" for the Embedded Linux Target, so you need to cross-compile OpenSSH.

Download and unzip the OpenSSH source code (for example: openssh-6.0p1.tar.gz).
In the OpenSSH directory create a "build" sub-directory.
In the "build" directory create the following "build.sh" script (you need to modify the path to your cross tools, gcc and strip):

    # adjust the toolchain path, CC and --host to match your target
    export PATH=/opt/toolchains/stbgcc-4.5.4-2.9/bin:$PATH
    ../configure --prefix=$PWD CC=mipsel-linux-gcc --host=mipsel-linux
    # only the sftp-server subsystem is needed on the target
    make sftp-server

    mipsel-linux-strip -v sftp-server

Run "build.sh" (don't forget "chmod a+x build.sh").
The "sftp-server" executable will be created; copy it to your Embedded Linux Target and place it in the "/usr/libexec" directory.

    $ dropbear -h
    Usage: dropbear [options]
    -b bannerfile   Display the contents of bannerfile before user login
                    (default: none)
    -r keyfile  Specify hostkeys (repeatable)
                    defaults:
                    dss /etc/dropbear/dropbear_dss_host_key
                    rsa /etc/dropbear/dropbear_rsa_host_key
                    ecdsa /etc/dropbear/dropbear_ecdsa_host_key
    -R              Create hostkeys as required
    -F              Don't fork into background
    -E              Log to stderr rather than syslog
    -m              Don't display the motd on login
    -w              Disallow root logins
    -s              Disable password logins
    -g              Disable password logins for root
    -B              Allow blank password logins
    -j              Disable local port forwarding
    -k              Disable remote port forwarding
    -a              Allow connections to forwarded ports from any host
    -p [address:]port
                    Listen on specified tcp port (and optionally address),
                    up to 10 can be specified
                    (default port is 22 if none specified)
    -P PidFile      Create pid file PidFile
                    (default /var/run/dropbear.pid)
    -i              Start for inetd
    -W <receive_window_buffer> (default 24576, larger may be faster, max 1MB)
    -K <keepalive>  (0 is never, default 0, in seconds)
    -I <idle_timeout>  (0 is never, default 0, in seconds)
    -V    Version


Review the Dropbear options before running it so that the service behaves as you expect. The settings live in:
/etc/default/dropbear

This is the default configuration:

config dropbear
        option PasswordAuth 'on'
        option RootPasswordAuth 'on'
        option Port         '22'


The example below shows two instances: one on port 22 on the lan side and one on port 2022 on the wan side. Note that the wan side has PasswordAuth off, so make sure you have added an ssh key first.

Also make sure to check your firewall DNAT (port forward) to allow access to the wan side port, 2022 in this case.

config dropbear
        option PasswordAuth 'on'
        option RootPasswordAuth 'on'

        option Port '22'
        option Interface 'lan'

config dropbear
        option PasswordAuth 'off'
        option Interface 'wan'
        option Port '2022'

To allow remote hosts to connect to forwarded ports, start the dropbear daemon with the -a flag, or preferably set it in the config:
        option GatewayPorts 'on'

The example above shows two dropbear instances:

The first instance listens on port 22 on the lan interface (the default internal network).
The second listens on port 2022 on the wan interface (the default external network).

The dropbear section contains these settings:

/etc/config/dropbear

config dropbear
        option RootPasswordAuth 'off'
        option PasswordAuth 'off'
        option Interface 'wan'
        option Port '2022'

config dropbear
    # Set to 0 to disable starting dropbear at system boot.
    option enable 'on'
    # Set to 1 to enable verbose output by the start script.
    option verbose 0
    # Name of a file to be printed before the user has authenticated successfully.
    option BannerFile /etc/dropbear/Banner
    # Set to 0 to disable authenticating with passwords.
    option PasswordAuth 'on'
    # Port number to listen on.
    option Port 22
    # Set to 0 to disable authenticating as root with passwords.
    option RootPasswordAuth 'on'
    # Set to 0 to disable SSH logins as root.
    option RootLogin 'on'
    # Set to 1 to allow remote hosts to connect to forwarded ports.
    option GatewayPorts 0
    # Tells dropbear to listen only on the specified interface, e.g. lan or wan or ...
    option Interface "lan"
    # Path to RSA host key file
    option rsakeyfile /etc/dropbear/dropbear_rsa_host_key
    # Path to DSS/DSA host key file
    option dsskeyfile /etc/dropbear/dropbear_dss_host_key
    # Keep alive interval in seconds
    option SSHKeepAlive 300
    # Idle timeout in seconds (0 is never)
    option IdleTimeout 0
    # Whether to announce the service via mDNS
    option dns 'on'
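The settings above only take effect once an init script turns them into dropbear command-line flags. The following is an added example, not code from the original post or from the Dropbear or OpenWrt projects: it maps one "config dropbear" section onto the flags from the -h output quoted earlier, and adds the check the text warns about (password logins left enabled on the wan side). Function names, argument order and the optional bind address are assumptions; a real init script would resolve the Interface name to an address itself.

```shell
#!/bin/sh
# Added example (not from the post or from Dropbear/OpenWrt): build the
# dropbear flag string for one config section. Flags used here are the
# ones listed in "dropbear -h" above.

# is_on VALUE: treat 'on', '1', 'true', 'yes' as enabled, anything else as off.
is_on() {
    case "$1" in
        on|1|true|yes) return 0 ;;
        *)             return 1 ;;
    esac
}

# dropbear_flags PasswordAuth RootPasswordAuth RootLogin GatewayPorts Port [ADDR]
# Prints the flag string; ADDR (assumed, optional) is the interface address
# to bind to, so the instance is not reachable on every interface.
dropbear_flags() {
    flags="-F -E"                                  # foreground, log to stderr
    is_on "$1" || flags="$flags -s"                # -s: no password logins at all
    is_on "$2" || flags="$flags -g"                # -g: no password login for root
    is_on "$3" || flags="$flags -w"                # -w: no root logins at all
    if is_on "$4"; then flags="$flags -a"; fi      # -a: forwarded ports open to any host
    if [ -n "$6" ]; then
        flags="$flags -p $6:$5"                    # -p [address:]port
    else
        flags="$flags -p $5"
    fi
    printf '%s\n' "$flags"
}

# wan_section_ok PasswordAuth Interface
# Returns 1 when a section on the wan interface still accepts passwords
# (the mistake the text warns about: use an ssh key on the wan side).
# -s disables every password login, so only PasswordAuth matters here.
wan_section_ok() {
    [ "$2" = "wan" ] || return 0
    if is_on "$1"; then return 1; fi
    return 0
}

# Worked run with the two instances from the example above (lan 22, wan 2022).
lan_flags=$(dropbear_flags on on on 0 22)
wan_flags=$(dropbear_flags off on on 0 2022 "203.0.113.10")   # constructed WAN address
echo "lan: dropbear $lan_flags"
echo "wan: dropbear $wan_flags"
wan_section_ok off wan || echo "warning: password auth enabled on wan"
```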


If you run multiple dropbear instances and some of them do not start, you probably have a timing issue: the wan instance is started before the wan interface is up. To fix it, create a small hotplug script in /etc/hotplug.d/iface/40-dropbear that simply restarts dropbear after the WAN interface comes up.

/etc/hotplug.d/iface/40-dropbear

#!/bin/sh
# Restart dropbear whenever the wan interface comes up (or its address changes),
# so the instance bound to wan can pick up the interface.
if [ "$INTERFACE" = "wan" ] && { [ "$ACTION" = "ifup" ] || [ "$ACTION" = "ifupdate" ]; }
then
        /etc/init.d/dropbear restart
fi

Finally, restart dropbear.

/etc/init.d/dropbear restart


DRAFT, to be continued