04-dropbear
dropbear
Dropbear is another implementation of the SSH protocol. It is a lightweight implementation, mostly used in embedded environments.
Dropbear in practice
1 Install dropbear
[root@husa log]# yum install dropbear
Resolving Dependencies
--> Running transaction check
---> Package dropbear.x86_64.0.2015.67-1.el7 will be installed
--> Processing Dependency: libtommath.so.0()(64bit) for package: dropbear-2015.67-1.el7.x86_64
--> Processing Dependency: libtomcrypt.so.0()(64bit) for package: dropbear-2015.67-1.el7.x86_64
--> Running transaction check
---> Package libtomcrypt.x86_64.0.1.17-22.el7 will be installed
---> Package libtommath.x86_64.0.0.42.0-3.el7 will be installed
--> Finished Dependency Resolution
2 List the files the dropbear package installed
[root@husa log]# rpm -ql dropbear
/etc/dropbear
/usr/bin/dbclient
/usr/bin/dropbearconvert
/usr/bin/dropbearkey
/usr/lib/systemd/system/dropbear-keygen.service
/usr/lib/systemd/system/dropbear.service
/usr/sbin/dropbear
/usr/share/doc/dropbear-2015.67
/usr/share/doc/dropbear-2015.67/CHANGES
/usr/share/doc/dropbear-2015.67/LICENSE
/usr/share/doc/dropbear-2015.67/README
/usr/share/doc/dropbear-2015.67/TODO
/usr/share/man/man1/dbclient.1.gz
/usr/share/man/man1/dropbearconvert.1.gz
/usr/share/man/man1/dropbearkey.1.gz
/usr/share/man/man8/dropbear.8.gz
3 dropbear help output
[root@husa log]# dropbear -h
Dropbear server v2015.67 https://matt.ucc.asn.au/dropbear/dropbear.html
Usage: dropbear [options]
-b bannerfile Display the contents of bannerfile before user login
(default: none)
-r keyfile Specify hostkeys (repeatable)
defaults:
dss /etc/dropbear/dropbear_dss_host_key
rsa /etc/dropbear/dropbear_rsa_host_key
ecdsa /etc/dropbear/dropbear_ecdsa_host_key
-R Create hostkeys as required
-F Don't fork into background
-E Log to stderr rather than syslog
-m Don't display the motd on login
-w Disallow root logins
-s Disable password logins
-g Disable password logins for root
-B Allow blank password logins
-j Disable local port forwarding
-k Disable remote port forwarding
-a Allow connections to forwarded ports from any host
-p [address:]port
Listen on specified tcp port (and optionally address),
up to 10 can be specified
(default port is 22 if none specified)
-P PidFile Create pid file PidFile
(default /var/run/dropbear.pid)
-i Start for inetd
-W <receive_window_buffer> (default 24576, larger may be faster, max 1MB)
-K <keepalive> (0 is never, default 0, in seconds)
-I <idle_timeout> (0 is never, default 0, in seconds)
-V Version
The help output shows that the default host key files live under /etc/dropbear/. Prefer the RSA or ECDSA key: DSS (DSA) is legacy, and OpenSSH clients have refused ssh-dss host keys by default since OpenSSH 7.0. How are these key files generated?
4 Generate dropbear host keys
4.1 With the /usr/bin/dropbearkey command
dropbearkey - create private keys for the use with dropbear(8) or
dbclient(1)
SYNOPSIS
dropbearkey -t type -f file [-s bits]
DESCRIPTION
dropbearkey generates an RSA, DSS, or ECDSA format SSH private key, and
saves it to a file for the use with the Dropbear client or server.
Note that some SSH implementations use the term "DSA" rather than
"DSS", they mean the same thing.
4.2 With the dropbear-keygen.service unit
[root@husa system]# systemctl start dropbear-keygen.service
5 Configure dropbear to start automatically and listen on port 22022
The port is not set in a unit file: dropbear.service hands the contents of $OPTIONS from /etc/sysconfig/dropbear to the daemon, so the port (and any other dropbear flag) goes there.
5.1 Reading dropbear.service shows that OPTIONS must be set in /etc/sysconfig/dropbear
[root@husa system]# vim dropbear.service
[Unit]
Description=Dropbear SSH Server Daemon
Documentation=man:dropbear(8)
Wants=dropbear-keygen.service
After=network.target
[Service]
EnvironmentFile=-/etc/sysconfig/dropbear
ExecStart=/usr/sbin/dropbear -E -F $OPTIONS
5.2 Set OPTIONS in /etc/sysconfig/dropbear
[root@husa system]# vim /etc/sysconfig/dropbear
OPTIONS = "-p 22022"
6 Start the dropbear service (start only launches it for the current boot; for the automatic start that step 5 asks for, the unit also has to be enabled)
[root@husa system]# systemctl start dropbear.service
7 Log in from another host
The fingerprint the client prints at the first prompt is the only thing protecting this session against a man-in-the-middle; compare it with the fingerprint of the server's own host key before answering yes.
[root@husa ssh]# ssh -p 22022 root@192.168.200.143
The authenticity of host '[192.168.200.143]:22022 ([192.168.200.143]:22022)' can't be established.
RSA key fingerprint is 98:0e:0c:5e:f2:9e:20:71:7c:ab:3e:13:e2:c5:f8:37.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.200.143]:22022' (RSA) to the list of known hosts.
root@192.168.200.143's password:
Permission denied, please try again.
root@192.168.200.143's password:
[root@husa ~]# ifconfig
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether 00:0c:29:eb:ce:aa txqueuelen 1000 (Ethernet)
RX packets 394555 bytes 26450216 (25.2 MiB)
RX errors 0 dropped 203 overruns 0 frame 0
TX packets 47 bytes 3838 (3.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eno33554984: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.200.143 netmask 255.255.255.0 broadcast 192.168.200.255
inet6 fe80::20c:29ff:feeb:ceb4 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:eb:ce:b4 txqueuelen 1000 (Ethernet)
RX packets 6820 bytes 1112294 (1.0 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2758 bytes 920236 (898.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 20 bytes 2000 (1.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 20 bytes 2000 (1.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
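Pulling steps 4 to 7 together, here is an added example script (mine, not part of the original notes or of the Dropbear project) that creates any missing host keys, prints their fingerprints so the value the client shows at first connect can be checked against the server's own key, writes a hardened /etc/sysconfig/dropbear, and enables the unit. It assumes the CentOS 7 layout shown above (dropbear.service reading $OPTIONS from /etc/sysconfig/dropbear); port 22022 comes from the notes, while the 600-second idle timeout and the KEYDIR, SYSCONFIG and DROPBEAR_APPLY variables are my choices. Unlike the notes, it passes -w and -s, so root and password logins are refused and a non-root account with an authorized_keys file must exist before the port is exposed. The OPTIONS line is written without spaces around the = sign, the form both systemd and a shell accept, but the reader tolerates the spaced form used in the notes.

```shell
#!/bin/sh
# Added example: harden and enable Dropbear on CentOS 7 in one pass.
# Assumes dropbear.service reads $OPTIONS from /etc/sysconfig/dropbear, as
# shown in the unit file above. Nothing is changed unless DROPBEAR_APPLY=1.
set -eu

DROPBEAR_PORT="${DROPBEAR_PORT:-22022}"            # same non-default port as the notes
KEYDIR="${KEYDIR:-/etc/dropbear}"                   # default key directory from 'dropbear -h'
SYSCONFIG="${SYSCONFIG:-/etc/sysconfig/dropbear}"   # EnvironmentFile named in dropbear.service

# Compose the daemon flags. Every flag appears in 'dropbear -h' above:
#   -p PORT  listen port            -w  disallow root logins
#   -s       disable password logins (public keys only)
#   -I 600   drop sessions idle for 10 minutes (my choice of value)
build_options() {
    printf '%s\n' "-p $1 -w -s -I 600"
}

# Write the EnvironmentFile in shell form: OPTIONS="..." with no spaces around '='.
write_sysconfig() {
    printf 'OPTIONS="%s"\n' "$(build_options "$2")" > "$1"
}

# Read OPTIONS back the way systemd will see it (quotes stripped). Accepts
# both OPTIONS="..." and the spaced OPTIONS = "..." form used in the notes.
read_options() {
    sed -n 's/^OPTIONS[[:space:]]*=[[:space:]]*"\(.*\)"$/\1/p' "$1"
}

# Refuse to expose the port unless both root login (-w) and password login (-s) are off.
options_are_hardened() {
    case " $1 " in *" -w "*) ;; *) return 1 ;; esac
    case " $1 " in *" -s "*) return 0 ;; *) return 1 ;; esac
}

# Create any missing host key (RSA and ECDSA; DSS is legacy) and print its
# fingerprint. Compare it with what the client shows on first connect before
# answering "yes" to the authenticity prompt.
generate_host_keys() {
    mkdir -p "$1"
    for type in rsa ecdsa; do
        key="$1/dropbear_${type}_host_key"
        [ -f "$key" ] || dropbearkey -t "$type" -f "$key"
        echo "$type:"
        dropbearkey -y -f "$key" | grep -i fingerprint
    done
}

apply() {
    command -v dropbearkey >/dev/null 2>&1 || {
        echo "dropbearkey not found; install dropbear first" >&2; return 1; }
    generate_host_keys "$KEYDIR"
    write_sysconfig "$SYSCONFIG" "$DROPBEAR_PORT"
    opts=$(read_options "$SYSCONFIG")
    options_are_hardened "$opts" || {
        echo "refusing to start: OPTIONS not hardened: $opts" >&2; return 1; }
    # 'enable --now' starts the unit and makes it come up at boot,
    # which 'systemctl start' alone does not do.
    systemctl enable --now dropbear.service
    systemctl is-active dropbear.service
}

if [ "${DROPBEAR_APPLY:-0}" = 1 ]; then
    apply
fi
```

Run it as root with DROPBEAR_APPLY=1 on the server; then, from the client, answer the "Are you sure you want to continue connecting" prompt only if the fingerprint it shows matches the one the script printed. Leaving DROPBEAR_APPLY unset lets the file be sourced to reuse the helper functions without touching the system.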