Dropbear, SFTP and passwordless logins in Debian
Feb 28th, 2009 by morpheus
This tutorial will walk you through the installation of dropbear and getting SFTP and passwordless authentication working on a Debian system.
Dropbear is a lightweight SSH server and client. It implements the SSH2 protocol, just like OpenSSH, but without all the bells and whistles. So much so that it doesn’t even come bundled with SFTP capability.
But we can use the SFTP server that comes bundled with OpenSSH to work with Dropbear.
Let’s begin –
It’s always a good idea to update & upgrade your installation first –
:~# apt-get update
:~# apt-get upgrade
First we need to install OpenSSH, if you don’t already have it (only to use its SFTP server with dropbear) –
:~# apt-get install openssh-server
Now let’s install Dropbear –
:~# apt-get install dropbear
Dropbear gets installed, but it is disabled by default. To enable it, edit /etc/default/dropbear and –
modify the line –
NO_START=1
to read –
NO_START=0
You can optionally change the listening port (22 by default) by editing the DROPBEAR_PORT variable in the same file. It’s recommended that you do this, for enhanced security. Remember to also change the port number that you connect to in your SSH/SFTP client.
Now that we’ve enabled Dropbear, we need to disable OpenSSH.
:~# mv /etc/rc2.d/S16ssh /etc/rc2.d/K16ssh
finally –
:~# /etc/init.d/ssh stop
:~# /etc/init.d/dropbear start
Now, without closing your existing SSH connection, open a new SSH session and make sure your SSH client can connect and show you the username/password prompt. If it doesn’t work and you log out of your current connection, you’ll be left without access to your server.
Once you’re sure it all works, you can log out and log in again to end all OpenSSH processes, and let Dropbear take over SSH responsibilities.
If you check your resource usage, before and after, you should be able to notice the difference now 😉
Also, since we haven’t uninstalled OpenSSH, Dropbear will be able to serve SFTP with the OpenSSH’s SFTP server. This is located at /usr/lib/openssh/sftp-server , and symlinked as /usr/lib/sftp-server.
If you want, you can also backup the sftp-server binary, remove openssh-server package and put the binary back at /usr/lib/sftp-server – and dropbear will still be able to serve SFTP with it.
Now that Dropbear is up and running, let’s set up private/public key pair based passwordless authentication for the root user – it’s convenient and just as secure (if not more so).
Let’s generate a key pair for SSH use –
:~# ssh-keygen
the default paths are good for use with Dropbear.
Don’t enter a passphrase if you don’t want to have to enter it every time you log in to SSH or do SFTP.
Now we must authorise the generated public key for SSH use –
:~# cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
and copy the private key to your local machine.
*hint* At this point, you can use SFTP to copy this file 😉
It is now safe to delete the generated key pair –
:~# rm /root/.ssh/id_rsa
:~# rm /root/.ssh/id_rsa.pub
Now you can point your SSH/SFTP client to use the private key to allow password-less login.
If, like me, you’re using PuTTY (or WinSCP) – you’ll need to convert the private key to PuTTY compatible .ppk format.
To do this, download PuTTYGen.
Once you run PuTTYGen, select “Conversions” -> “Import key” and import the private key file.
Next, click “Save private key” and save the converted private key in PuTTY’s own format.
This converted private key can now be used with the PuTTY client (Connection -> SSH -> Auth -> “Private key file for authentication”), and with WinSCP for passwordless login to SFTP.
Lastly, we need to disable password login for root in Dropbear. To do this, edit the file /etc/default/dropbear and –
edit the line –
DROPBEAR_EXTRA_ARGS=""
to read –
DROPBEAR_EXTRA_ARGS="-g"
and then
:~# /etc/init.d/dropbear restart
And we’re all done !
A lightweight replacement SSH server with SFTP and passwordless logins for root !
All with the usual ease of Debian and apt.
p.s. – You can use these switches in dropbear configuration –
- Disallow root logins –
DROPBEAR_EXTRA_ARGS="-w"
- Disable password logins –
DROPBEAR_EXTRA_ARGS="-s"
- Disable password logins for root –
DROPBEAR_EXTRA_ARGS="-g"
- or any combination thereof, like –
DROPBEAR_EXTRA_ARGS="-w -s"
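A check of the settings changed above, as an added example that is not part of the original post: it reads a dropbear defaults file and a .ssh directory and reports whether dropbear is enabled, whether root can still log in with a password, whether authorized_keys holds a key before password login is cut off, and whether the generated private key is still on the server. The function names and passing the paths as arguments are assumptions of this example, and it expects flags written as separate words, as in the post.

```shell
#!/bin/sh
# Added example (not from the original post): audit the settings this tutorial changes.
# Paths are arguments so the check can be tried on copies of the files first.

# Print the value of the last uncommented NAME=... line in FILE, outer quotes removed.
get_var() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# True if FLAG appears as its own word in ARGS (the form the post uses, e.g. "-w -s").
has_flag() {
    for word in $1; do
        [ "$word" = "$2" ] && return 0
    done
    return 1
}

# audit_dropbear DEFAULTS_FILE SSH_DIR: prints findings, returns the number of problems.
audit_dropbear() {
    defaults=$1 sshdir=$2 problems=0
    args=$(get_var "$defaults" DROPBEAR_EXTRA_ARGS)

    if [ "$(get_var "$defaults" NO_START)" != "0" ]; then
        echo "WARN: NO_START is not 0, so dropbear stays disabled"
        problems=$((problems + 1))
    fi
    # -s, -w and -g each stop root from logging in with a password.
    if has_flag "$args" -s || has_flag "$args" -w || has_flag "$args" -g; then
        echo "OK: root cannot log in with a password ($args)"
        # Without -w, root's only way in is a key; an empty authorized_keys is a lockout.
        if ! has_flag "$args" -w && [ ! -s "$sshdir/authorized_keys" ]; then
            echo "FAIL: $sshdir/authorized_keys is missing or empty, root would be locked out"
            problems=$((problems + 1))
        fi
    else
        echo "FAIL: root password login is still allowed"
        problems=$((problems + 1))
    fi
    if [ -e "$sshdir/id_rsa" ]; then
        echo "WARN: private key still on the server at $sshdir/id_rsa"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Usage on a real system: audit_dropbear /etc/default/dropbear /root/.ssh
```

Run it before restarting dropbear with -g or -s, while the existing session is still open, so a lockout finding can be fixed first.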
7 Comments on “Dropbear, SFTP and passwordless logins in Debian”
Hey I was looking for a way to disable root login in dropbear: thank you very much 🙂
If you inbuild the password and username into the connection file then you won’t need to enter such info every time you want to connect. Less secure but more convenient.
PuttyGen can generate the private key directly, to cut down on the transferring of sensitive private keys. You’ll have to get your public key into authorized_keys file on the server still, but the public key is ascii and can be copy/pasted via a text editor running in PuTTY.
Also, if you want the extra security of using a passphrase, check out pageant from the putty toolset. It will let you type in your passphrase once, and then further putty sessions can use the key without needing you to reenter the passphrase, as long as pageant stays running in your tooltray.
@Paul: I suppose your comment is just spam, but in case you didn’t notice, this is talking about SFTP, the replacement for FTP that any right-minded person’s been using for at least a decade now. Which has keys, which remove the need for passwords, and are just as convenient as trying to “inbuild” the password into the “connection file”.
Thanks “Another Nic” for pointing this out – I hadn’t noticed this before.
PuTTYgen does indeed allow for generation of a key pair – a very straightforward process, too !
The tutorial you shared is easy to understand and would be easy to follow.
Another option as of Wheezy is to install dropbear and gesftpserver. Then create a symlink of /usr/lib/sftp-server pointing to /usr/lib/gesftpserver. gesftpserver is supposed to be a drop-in replacement for the sftp server that comes with openssh-server. It works perfectly for me, although the documentation for gesftpserver states it is still under heavy development.