
Dropbear SSH, a lightweight alternative to OpenSSH - sedlav
https://www.librebyte.net/en/network/dropbear-ssh-a-lightweight-alternative-to-openssh/
======
rl3
I use an ad-free, open-source Android app called SimpleSSHD that implements a
Dropbear SSH server. Being able to SSH into your phone and wirelessly perform
an incremental rsync backup of all your photos and data is life-changing
compared to the hell that is cables and the MTP protocol.

Thank you to all these projects for delivering me from the clutches of MTP, I
am indebted.

~~~
adrianratnapala
A long time ago, when I tried something like that, I was stymied because the
SSH server did not have permissions to write to any directory which the
document readers etc. could see.

Is this sort of thing still a problem? How did you get around it?

~~~
tjoff
I haven't used SimpleSSHD but I use Termux, which gives me a "normal" terminal
(no root required).

Since Android 8 I've lost write access to general locations in the sd-card but
I still have read access, as well as read+write on the internal storage.

It has an ssh server which can be nice if you want to edit some files on the
phone remotely but that's not needed for rsync. I have a shortcut on the home
screen which triggers a script that runs an rsync command for photos and other
stuff I want to backup. I also use it to reverse-sync a folder from my NAS; want
to send a file to the phone? Put the file in that folder and run the script.
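The pull-photos / push-inbox script rl3 and tjoff describe, as an added example that is not from the thread, Termux or SimpleSSHD. It assumes an SSH server on the phone reachable as PHONE on PORT with key-based auth already set up (8022 is Termux's sshd default, SimpleSSHD's is 2222), and the paths in the constants are assumptions to adjust. It refuses to talk to a phone whose host key is not already pinned, never passes --delete, and uses -rt instead of -a when writing to the phone, because Android's emulated sdcard is a FUSE filesystem that rejects chmod/chown and symlinks.

```python
"""Incremental phone backup over SSH with rsync (added example; assumptions:
PHONE, PORT, the job paths, and a key-based login that already works)."""
import os
import subprocess
import sys

PHONE = "u0_a123@phone.lan"  # assumed user@host of the phone
PORT = 8022                   # assumed; Termux sshd default (SimpleSSHD uses 2222)
PULL_JOBS = [("/sdcard/DCIM/Camera/", "~/backup/phone/Camera/")]  # assumed paths
PUSH_JOB = ("~/phone-inbox/", "/sdcard/Download/inbox/")           # assumed paths
EXCLUDES = (".thumbnails/", ".trashed-*")


def ssh_transport(port):
    # Non-interactive, and abort instead of accepting an unknown or changed host key.
    return f"ssh -p {port} -o BatchMode=yes -o StrictHostKeyChecking=yes"


def build_rsync_argv(src, dst, port=PORT, dry_run=False, to_phone=False):
    # The sdcard cannot store ownership, permissions or symlinks, so -a would
    # produce a stream of errors there; -rt plus --omit-dir-times is enough.
    flags = ["-rt", "--omit-dir-times"] if to_phone else ["-a"]
    argv = ["rsync", *flags, "--partial", "--itemize-changes", "-e", ssh_transport(port)]
    for pattern in EXCLUDES:
        argv += ["--exclude", pattern]
    if dry_run:
        argv.append("--dry-run")
    # Deliberately no --delete: a photo removed on the phone stays in the backup.
    argv += [src, dst]
    return argv


def pull_argv(remote_dir, local_dir, **kw):
    # os.path.expanduser keeps the trailing slash, which matters to rsync.
    return build_rsync_argv(f"{PHONE}:{remote_dir}", os.path.expanduser(local_dir), **kw)


def push_argv(local_dir, remote_dir, **kw):
    return build_rsync_argv(os.path.expanduser(local_dir), f"{PHONE}:{remote_dir}",
                            to_phone=True, **kw)


def run(argv):
    print(" ".join(argv))
    return subprocess.run(argv, check=False).returncode


def main(args):
    dry_run = "--dry-run" in args
    positional = [a for a in args if not a.startswith("--")]
    mode = positional[0] if positional else "pull"
    if mode == "pull":
        codes = []
        for remote, local in PULL_JOBS:
            os.makedirs(os.path.expanduser(local), exist_ok=True)
            codes.append(run(pull_argv(remote, local, dry_run=dry_run)))
        return max(codes)
    if mode == "push":
        return run(push_argv(*PUSH_JOB, dry_run=dry_run))
    print("usage: phone-sync.py [pull|push] [--dry-run]", file=sys.stderr)
    return 2


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run `phone-sync.py pull --dry-run` first to see the itemized change list before anything is written; the push direction is what the "put the file in that folder and run the script" workflow above amounts to.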

~~~
pozibrothers
I think that you need to run the command "termux-setup-storage" to be able to
r/w again:

[https://wiki.termux.com/wiki/Termux-setup-storage](https://wiki.termux.com/wiki/Termux-setup-storage)

~~~
tjoff
Thanks, doesn't work though. I have write access to the private directory for
termux on the sdcard but nothing else (which unfortunately breaks my usage,
I'll report it to them any day to see if a fix is possible).

~~~
sedlav
This is the way Termux works so far, External storage: Storage on external SD
cards. Each app has a private folder on the external SD card, and interchange
between them needs to use a special API not yet available in Termux.

[https://wiki.termux.com/wiki/Internal_and_external_storage](https://wiki.termux.com/wiki/Internal_and_external_storage)

~~~
tjoff
It worked fine in Android 7, when I updated to 8 my scripts started getting
permission-denied errors on writes.

I don't see anything in that link that says that sdcard (outside private
folder) is read-only.

The way I read "Each app has a private folder on the external SD card, and
interchange between them needs to use a special API not yet available in
Termux." is that I can't read another applications private folder, but I'm not
trying to - I just want (write+delete) access to the publicly accessible parts
of the sdcard (lots of other applications do this, and termux did in Android
7).

~~~
sedlav
Well, I have Android 7 and termux works in the way you described at first: I
have write access to the private directory for termux on the sdcard but
nothing else... other applications can access every DIR in the sdcard because
they implement SAF:
[https://developer.android.com/guide/topics/providers/documen...](https://developer.android.com/guide/topics/providers/document-provider)
and I think this is what the termux doc refers to.

------
fapjacks
A word of caution: Many (most) IRC spambot detectors check if your connecting
IP is also running a Dropbear SSHd service. This can cause you to be k-lined
in some instances, and it's not immediately obvious to basically everyone why
the anti-spambot bots are flagging your connection. Of course, this isn't
Dropbear SSHd's fault. Just something you might want to keep in mind if you
use both of these things.

~~~
DownGoat
It is because dropbear is very common in embedded systems. They are commonly
riddled with vulnerabilities, so they are getting hacked almost as soon as
they are publicly reachable. This is not because of dropbear, but because they
are typically configured with weak credentials that are never changed. I guess
IRC servers see a lot of spam from such devices, so they just drop all systems
which have dropbear.

~~~
irundebian
It's probably also because of dropbear since embedded devices often run old
versions and dropbear seemed to be vulnerable to severe vulnerabilities in the
past:

[https://www.cvedetails.com/vulnerability-list/vendor_id-1580...](https://www.cvedetails.com/vulnerability-list/vendor_id-15806/year-2017/Dropbear-Ssh-Project.html)

------
thom_nic
If anyone is interested in _other_ lightweight tools to complement a minimal
embedded linux distro, check out Troglobit's GitHub repo:
[https://github.com/troglobit](https://github.com/troglobit). He has a
collection of tiny apps perfect for embedded systems, such as...

    - mdnsd (not in Busybox)
    - merecat httpd (much more full-featured than busybox httpd)
    - inadyn dynamic DNS updater
    - finit (IMO much nicer than busybox's runsv)
    - watchdogd
    - uftpd
    - ntpd (with ipv6 support!)

He has been super responsive to requests as well.

~~~
JoshuaRLi
This is great, thanks for sharing!

------
burnte
Very common in embedded devices. This link isn't working at the moment, so
here's a link to the actual project:
[https://matt.ucc.asn.au/dropbear/dropbear.html](https://matt.ucc.asn.au/dropbear/dropbear.html)

~~~
hrnnnnnn
I followed that literary-clock kindle tutorial at the weekend, and I think
dropbear was the SSH client the networking hack used. Makes sense if it's
designed to be low-resource.

------
mirimir
Dropbear works well for preboot LUKS unlocking with remote servers.

~~~
loxias
Currently, all my remote servers of any import use LUKS to encrypt the PVs. My
/boot is a tiny unencrypted filesystem containing just the kernel, and an
initrd, which prompts for my decryption key before booting. (afaict, the
standard setup)

For remote servers, I reboot them and then have to use a serial console to
type in the LUKS password.

Are you saying that with this, I could put an ssh server in the initrd (and I
guess I'd have to make sure network was up as well), that I could log in to to
provide my LUKS password???? Because that would be ... beautiful.

~~~
mkj
For Ubuntu or Debian the dropbear-initramfs package should handle most of it,
it looks like [https://hamy.io/post/0005/remote-unlocking-of-luks-encrypted...](https://hamy.io/post/0005/remote-unlocking-of-luks-encrypted-root-in-ubuntu-debian/)
is an alright run through.

Another approach is to use something like OpenWRT as a bootloader then
pivot_root into the real distribution after unlocking it - not sure there are
any good instructions online for that though. I'm using it on a Raspberry Pi
colocated 14000km away for [https://dropbear.nl](https://dropbear.nl), it
works pretty well. Kexec is great for remote kernel upgrades too.
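A workstation-side helper for the dropbear-initramfs flow mkj points to, as an added example that is not from the thread, Debian or the dropbear-initramfs package. It assumes Debian/Ubuntu with cryptsetup-initramfs, whose initramfs provides the `cryptroot-unlock` command, and that the initramfs Dropbear listens on INITRAMFS_PORT; host, port and file paths are assumptions. The point it adds to the write-up: the initramfs Dropbear has its own host key, which is not the key the booted OS's sshd presents on the same address, so the script pins it in a separate known_hosts file and aborts rather than prompting to accept a new key.

```python
"""Unlock a remote LUKS root through the dropbear-initramfs SSH server.
Added example; INITRAMFS_PORT, KNOWN_HOSTS and the host name are assumptions."""
import os
import socket
import subprocess
import sys
import time

INITRAMFS_PORT = 2222  # assumed; e.g. DROPBEAR_OPTIONS="-p 2222" in the package config
KNOWN_HOSTS = os.path.expanduser("~/.ssh/known_hosts.initramfs")  # assumed path


def wait_for_port(host, port, timeout=300.0, interval=2.0):
    """Poll until the port accepts TCP connections (the server is mid-reboot);
    returns False once the deadline passes."""
    deadline = time.monotonic() + timeout
    while True:
        try:
            with socket.create_connection((host, port), timeout=interval):
                return True
        except OSError:
            if time.monotonic() >= deadline:
                return False
            time.sleep(interval)


def known_hosts_ok(path):
    """The pinned initramfs host key must already exist; no trust-on-first-use here."""
    return os.path.isfile(path) and os.path.getsize(path) > 0


def unlock_argv(host, port=INITRAMFS_PORT, known_hosts=KNOWN_HOSTS):
    return [
        "ssh", "-p", str(port),
        "-o", f"UserKnownHostsFile={known_hosts}",
        "-o", "StrictHostKeyChecking=yes",  # abort on an unknown or changed key
        "-t",                               # cryptroot-unlock prompts on the tty
        f"root@{host}", "cryptroot-unlock",
    ]


def unlock(host, port=INITRAMFS_PORT, known_hosts=KNOWN_HOSTS, timeout=300.0):
    if not known_hosts_ok(known_hosts):
        print(f"{known_hosts} missing or empty: pin the initramfs host key first",
              file=sys.stderr)
        return 2
    print(f"waiting for {host}:{port} ...")
    if not wait_for_port(host, port, timeout):
        print("gave up waiting for the initramfs SSH server", file=sys.stderr)
        return 3
    # The passphrase is typed into the session; nothing is stored on this side.
    return subprocess.run(unlock_argv(host, port, known_hosts)).returncode


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: remote-unlock.py HOST [PORT]")
    sys.exit(unlock(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else INITRAMFS_PORT))
```

To populate the pinned file once, take the public half of the initramfs host key from the key file the package generates on the server (for example with `dropbearkey -y -f KEYFILE`; the directory differs between Debian releases) over a channel you already trust, and add it as a `[host]:port` entry in KNOWN_HOSTS, so the initramfs key and the OS key never collide in the default known_hosts.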

~~~
loxias
You are rocking my world. :D

When I first started switching my VPSs to having full disk encryption, I think
it was around lenny though it might have been squeeze. Anyway, me and another
peer thought it would be good practice to, while we figured we'd never cover
every possible surface, find a standard deployment for debian VMs where even
though we have no physical access to the hosts, wherever possible minimized
the ability of an employee at a hosting company accessing our precious,
precious bits.

The memory hadn't come back when I wrote my first comment, but one of the
ideas we had at the time _was_ shoving sshd inside the initrd! But we
concluded it would be hard -- involving not only making a static build of sshd
(which I did some eons ago when I had foolish opinions concerning /bin
/usr/bin) but also probably trimming code away from it or adding executable
compression, and modifying the initrd creation scripts....either way -- too
much complexity.

So I went the route previously described. Now I learn that not only is there
an ssh implementation which I can statically link into a tiny binary (which
helps some other projects...), but someone went through the trouble of making
a modified initrd package with it!

Fantastic. Look for an email from me soon offering help on a specific project
I noticed on your github...

I'm well aware of building my own scripts that use chroot/pivot_root tricks --
I personally like using them for making small boxes that run everything from
ram and keep no persistent state.

But just out of random curiosity, what's the advantage of using OpenWRT?

~~~
mkj
> But just out of random curiosity, what's the advantage of using OpenWRT?

I can't remember the exact reason, maybe it was because then the "bootloader"
is completely decoupled from the main OS which makes upgrading kernels etc
easier. It was about 5 years ago I set it up.

I should add, all the Debian initramfs work has been contributed by various
people over the years - full credit to people such as the Debian maintainers,
currently Guilhem Moulin.

~~~
loxias
> should add, all the Debian initramfs work has been contributed by various
> people over the years

Oh certainly, I would have assumed it was.

All I know for sure is that many moons ago I would have loved this feature,
could have probably done it myself at great great great effort but didn't want
to, and now, hey, here it is :) progress!!

As for decoupling and lowering complexity... <tiny voice> occasionally I miss
LILO... </>

I've been paging through the code (dropbear) so far, very clear. Glad that
there's TCP forwarding, as it opens the door to another possible solution in
search of a problem. Namely, with USB over IP tunneled through dropbear, a
user would have the ability to plug in a yubikey or some sort of challenge
response device. ; )

Also, I sent you a note.

------
blackfawn
I believe Dropbear still has limited to no SFTP support but otherwise I've
been very happy with it.

Dropbear is the default SSH server for DietPi[0], a lightweight image for
Raspberry Pi and other (mainly single board) computers.

[0] [https://dietpi.com/](https://dietpi.com/)

------
perch56
In a recent vulnerability assessment that I performed, I was surprised to find
out that Cisco is using Dropbear on products such as UCS Managed C240M
servers.

~~~
jacobush
So there is SSHD on ios... :-P

------
fulafel
Check out the security track record before using this. There have been
occasional RCE's.

------
jacob019
Often used with ARM, why is it never used by default on X86/X64 distros? I
would think that the "lightweight" alternative would be lean and mean, kind of
like Nginx vs Apache.

~~~
ajross
Nginx won because it was faster, simpler and more easily extended, not because
it was "lightweight" per se.

In comparison, dropbear doesn't really do anything that ssh doesn't, and lags
in a bunch of esoteric features that "most" people don't use but that
inevitably some people do. Who wants to use a distro where one's preferred
ssh-agent feature or X11 forwarding inexplicably doesn't work?

Dropbear is small and builds cleanly everywhere, so it's what you pick if
you're size constrained or just need "an ssh" for your embedded environment
and don't want to bother integrating something larger. No one specifically
wants it at the command line on their "Linux" system.

~~~
mkj
Dropbear author here.

It used to have one unique feature, but OpenSSH has copied it now[0] :)

    dbclient host1,host2,user@host3

to onion-TCP-forward through a few hosts.

[0] [https://manpages.debian.org/stretch/openssh-client/ssh.1.en....](https://manpages.debian.org/stretch/openssh-client/ssh.1.en.html#J_10)

~~~
rhubinak
Hi,

First of all, thank you for creating Dropbear SSH. I would love to try it. I
am currently using OpenSSH with PAM (Google Authenticator) and Ed25519. Does
Dropbear support both PAM and Ed25519?

~~~
mkj
PAM support is fairly rudimentary and only supports username/password. ed25519
isn't supported - a few people have wanted it; I might add it at some point. I
haven't seen a real reason to go with that over ecdsa.

~~~
crest
The reason to use Ed25519 over ECDSA is that ECDSA can't be used unless you
have a good CPRNG. Just ask Sony what happens if you reuse a nonce with
(EC-)DSA.
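A toy demonstration of the failure mode crest is describing (the PlayStation 3 signing-key extraction came from exactly this: a fixed ECDSA nonce), as an added example for this thread, not Dropbear code. It uses DSA over a small Schnorr group generated at run time (a constructed 48-bit q, toy size only) so the algebra matches (EC-)DSA: two signatures that share a nonce k share r, and from their s values anyone holding both signatures can solve for k and then for the private key x. Beside it is the mitigation Ed25519 bakes in and RFC 6979 retrofits to DSA/ECDSA: derive k deterministically from the key and the message, so no CPRNG is consulted and distinct messages never share k. The HMAC-based derivation below is a simplified stand-in for RFC 6979, not the exact algorithm, and Ed25519 itself is a Schnorr-style scheme rather than DSA; the nonce point is what carries over.

```python
"""Nonce reuse in a DSA-style signature leaks the private key; deterministic
nonces avoid it. Added example with constructed toy parameters (48-bit q)."""
import hashlib
import hmac
import random


def is_probable_prime(n, rounds=16, rng=random.Random(0)):
    """Trial division by small primes, then Miller-Rabin."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def make_group(bits=48, seed=1):
    """Safe prime p = 2q + 1 and g = 4, which generates the order-q subgroup."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4


def digest(msg, q):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q


def sign(x, h, k, group):
    """DSA signature of hash h under private key x with nonce k."""
    p, q, g = group
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (h + x * r) % q
    return r, s


def verify(y, h, sig, group):
    p, q, g = group
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    v = (pow(g, h * w % q, p) * pow(y, r * w % q, p) % p) % q
    return v == r


def deterministic_nonce(x, h, q):
    """k = HMAC(key, message hash): no RNG involved, and distinct messages give
    distinct k with overwhelming probability (simplified RFC 6979 stand-in)."""
    counter = 0
    while True:
        mac = hmac.new(x.to_bytes(32, "big"),
                       h.to_bytes(32, "big") + counter.to_bytes(4, "big"),
                       hashlib.sha256).digest()
        k = int.from_bytes(mac, "big") % q
        if k != 0:
            return k
        counter += 1


def recover_key_from_reused_nonce(h1, s1, h2, s2, r, q):
    """Two signatures with the same r (same k): k = (h1-h2)/(s1-s2), then
    x = (s1*k - h1)/r, all mod q."""
    if (s1 - s2) % q == 0:
        raise ValueError("both signatures cover the same hash; nothing to solve")
    k = (h1 - h2) * pow((s1 - s2) % q, -1, q) % q
    return (s1 * k - h1) * pow(r, -1, q) % q


def demo(group=None):
    """Returns (private key recovered from the reused nonce, deterministic nonces differ)."""
    group = group or make_group()
    p, q, g = group
    rng = random.Random(7)
    x = rng.randrange(1, q)
    y = pow(g, x, p)
    h1, h2 = digest(b"first message", q), digest(b"second message", q)
    k = rng.randrange(1, q)  # one "random" nonce, mistakenly used for both signatures
    (r1, s1), (r2, s2) = sign(x, h1, k, group), sign(x, h2, k, group)
    assert r1 == r2 and verify(y, h1, (r1, s1), group) and verify(y, h2, (r2, s2), group)
    leaked = recover_key_from_reused_nonce(h1, s1, h2, s2, r1, q)
    k1, k2 = deterministic_nonce(x, h1, q), deterministic_nonce(x, h2, q)
    return leaked == x, k1 != k2


if __name__ == "__main__":
    print(demo())  # (True, True)
```

Both signatures verify fine, which is the unsettling part: nothing in the verification path reveals that the nonce was reused, so the defence has to be in how k is produced, not in checking signatures afterwards.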

~~~
mkj
True, that could be a good reason. Forgot to mention and can't edit in the
previous comment, there's a PoC ed25519 implementation I need to look at
merging.

------
fao_
Does this have anything to do with [http://bearssl.org/](http://bearssl.org/)
?

~~~
Tomte
No, Bear SSL is recent, DropBear has existed for a very long time.

------
iveqy
I needed a ssh server with some tweaks a few years ago. I must say that the
dropbear code was very neatly written, easy to read and easy to understand. It
made me choose dropbear instead of openssh for my tweaks.

I would have used dropbear on my main machine as well, but it doesn't seem to
support ~/.ssh/config

------
millette
Archived: [http://archive.is/9lu2S](http://archive.is/9lu2S)

------
mehrdadn
I recall I've had trouble finding good documentation on the equivalent of
OpenSSH features in Dropbear. Stuff like restricting the client IP or
disabling port forwarding... lesser-used features like these. It's been a
while though.

~~~
gelstudios
The general pattern used by most of these "lightweight" implementations of
system software is granular compile-time options for every additional bit of
functionality.

[https://busybox.net](https://busybox.net) is a good example of this.

------
faragon
Dropbear SSH is also shipped with OpenWrt. It works great, including ssh keys,
useful for ssh/scp automation.

------
vermaden
I only miss one option in Dropbear, the _UseDNS No_ equivalent from
OpenSSH.

~~~
mkj
That should be the default in Dropbear (as a compile-time option)?

    #define DO_HOST_LOOKUP 0

------
S-E-P
Used Dropbear on many occasion on both iOS and Android, very quality this one

------
GTP
"resource limit reached" When publishing something on hn kills it.

------
eldios
Dropbear was created in 2002.

From the project ChangeLog:

```
[..]

0.28 - Sun Apr 6 2003

- Initial public release

Development was started in October 2002
```

..why is it surfacing now on HN? O_o

~~~
zymhan
I mean it's good to remind people of older and less-known projects, but
Dropbear is quite common for embedded Linux applications.

OpenWRT uses it for example.

------
tamatsyk
> Resource Limit Is Reached :\

