What is dropbear linux

How to unlock LUKS using Dropbear SSH keys remotely in Linux

On Linux, we encrypt our partitions and entire disk using Linux Unified Key Setup-on-disk-format (LUKS) for security and privacy reasons. We unlock a LUKS protected disk by providing a passphrase at boot time. You need to be in front of your computer or use a remote console to open the encrypted disk under Linux at boot time. However, if your system is in the basement, a remote datacenter/office, or an upstairs office, you won't be able to unlock and boot your Linux box. We can use the Dropbear SSH server to unlock a LUKS encrypted Debian, Ubuntu or any other Linux distro via SSH to solve this problem. Let us see how to unlock LUKS using Dropbear SSH keys in Linux at boot time.

Why use and unlock LUKS encrypted root and boot disk using Dropbear ssh?

  • Useful for a remote Linux server or cloud server
  • Boot and gain access to your box when you don’t have a remote KVM console.
  • In other words, we can boot the Linux server when you don't have a keyboard and screen attached to your box.

What is the Dropbear SSH server?

Dropbear is a free and open-source SSH server created explicitly for embedded Linux and Unix systems with low resource requirements. It implements version 2 of the Secure Shell (SSH) protocol. It supports RSA and elliptic curve cryptography for key exchange. Dropbear is compatible with OpenSSH ~/.ssh/authorized_keys public key authentication.

I am assuming that you already installed Debian or Ubuntu Linux with LVM and LUKS. Here is my set up, where I have software RAID-1 too:

  1. /boot/efi – The system boot partition is created when your motherboard runs UEFI rather than BIOS.
  2. /dev/md0 – Linux /boot/ (RAID-1 /dev/md0 mounted on /boot/) holds only the files needed during the boot process, including the initial RAM disk (initrd) that the boot loader loads. We use update-initramfs to hook our Dropbear ssh server into that initrd. Run the ls command to look into the /boot/ directory. You will see files as follows:
    ls -1 /boot/*$(uname -r)*
    /boot/config-4.19.0-13-amd64
    /boot/initrd.img-4.19.0-13-amd64
    /boot/System.map-4.19.0-13-amd64
    /boot/vmlinuz-4.19.0-13-amd64

    vmlinuz is my Linux kernel, and initrd contains Linux drivers, RAID support, Dropbear ssh server, and other stuff to boot the Linux system.
  3. /dev/md1 – My LUKS encrypted system RAID-1 device. It has two LVM members: one for swap and another for the root partition. In other words, all data is encrypted except the /boot/efi and /boot/ partitions. It is also possible to encrypt /boot/. Remember that your security and threat model is different, so you may want to employ additional protection such as a BIOS/UEFI password on boot, securing your home/office/datacenter access, enabling FDE as per your needs, and so on.

My sample set up for remote unlocking of LUKS-encrypted root in Ubuntu/Debian

Run the lsblk command to see the current disks, RAID, encryption and LVM info:
# lsblk -o NAME,FSTYPE,SIZE,MOUNTPOINT

We can also use the cat command to identify encrypted partitions:
sudo cat /etc/crypttab
Here is what I see:

My Linux OS version and Linux kernel version in production are as follows:
lsb_release -a && uname -mrs
Sample outputs:

Enough talk. Let us get our hands dirty and see how to decrypt LUKS devices remotely via Dropbear SSH.

Step to unlock LUKS using Dropbear SSH keys in Linux

I will install the Dropbear ssh for my LUKS encrypted Debian 10.x and Ubuntu 20.04 LTS server and enable remote unlocking.

Step 1 – Installing the Dropbear on Debian or Ubuntu

Run the apt command/apt-get command as follows:
## First, apply Debian security patches ##
sudo apt update
sudo apt upgrade
sudo apt install dropbear-initramfs

NOTE: You may see a warning such as "dropbear: WARNING: Invalid authorized_keys file, remote unlocking of cryptroot via SSH won't work!". Just ignore it.

Step 2 – Configuring the Dropbear to unlock LUKS encrypted system

Use the su command or sudo command to become root user:
sudo -i
cd into /etc/dropbear-initramfs using the cd command:
cd /etc/dropbear-initramfs
Edit the config file:
# vim config
Edit/Update DROPBEAR_OPTIONS as follows:
DROPBEAR_OPTIONS="-I 180 -j -k -p 2222 -s"
Where the options are as follows:

  1. -I 180 : Disconnect the session if no traffic is transmitted or received in 180 seconds.
  2. -j : Disable ssh local port forwarding.
  3. -k : Also disable remote port forwarding.
  4. -p 2222 : Make the Dropbear ssh server listen on the specified address and TCP port. If just a port such as 2222 is given, it listens on all addresses. Up to 10 can be specified (default 22 if none specified).
  5. -s : Disable password logins. We are going to set up SSH keys on a Linux / Unix system for authentication to reduce the attack surface.

Step 3 – Configuring static IP

For a local Linux server in your basement, you can probably figure out the IP given to Dropbear by your DHCP server, which is the default behavior. However, a remote server in a data center or a cloud needs a public IP address, just like a normal OpenSSH session. Here is how to set up a static IP address. Edit /etc/initramfs-tools/initramfs.conf:
# vim /etc/initramfs-tools/initramfs.conf
Append the static IP info for your Dropbear ssh during boot time:
IP=192.168.2.19::192.168.2.254:255.255.255.0:debian
Where:

  1. IP= – Start static IP config
  2. : – Field separator (the empty field between the two colons is the NFS server IP, which is unused here)
  3. 192.168.2.19 – IPv4
  4. 192.168.2.254 – Gateway
  5. 255.255.255.0 – Netmask
  6. debian – Hostname

The full syntax for IPv4 and IPv6 static IP settings is as follows:
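Steps 1 to 3 above, collected into one script as an added example (this is not the original article's code). It assumes the Debian 10 / Ubuntu 20.04 paths the article uses, /etc/dropbear-initramfs/config and /etc/dropbear-initramfs/authorized_keys (newer releases moved the directory to /etc/dropbear/initramfs), and writes everything under a chosen root directory so you can preview the result before touching the real system.

```shell
#!/bin/sh
# Added example, not from the original article: stage the Step 1-3 settings
# (DROPBEAR_OPTIONS, the unlock key, the static IP= line) under a root
# directory, then rebuild the initramfs. Paths are the Debian 10 / Ubuntu
# 20.04 ones the article uses (assumption: newer releases moved the
# directory to /etc/dropbear/initramfs).
set -eu

# Kernel ip= syntax is client:server:gateway:netmask:hostname; the empty
# second field (the NFS server) is why "::" appears in the article's line.
render_ip_line() {
  printf 'IP=%s::%s:%s:%s' "$1" "$2" "$3" "$4"
}

# Step 2's listener options: idle timeout, no local/remote forwarding,
# custom port, key-only logins.
render_dropbear_options() {
  printf 'DROPBEAR_OPTIONS="-I 180 -j -k -p %s -s"' "$1"
}

# Replace or append a KEY=... line in FILE, leaving other lines intact.
set_kv() {
  file="$1" key="$2" line="$3"
  mkdir -p "$(dirname "$file")"
  if [ -f "$file" ]; then
    { grep -v "^$key=" "$file" || :; } > "$file.tmp"
    mv "$file.tmp" "$file"
  fi
  printf '%s\n' "$line" >> "$file"
}

# stage_config ROOT PORT PUBKEY CLIENT_IP GATEWAY NETMASK HOSTNAME
stage_config() {
  root="${1%/}" port="$2" pubkey="$3"
  set_kv "$root/etc/dropbear-initramfs/config" DROPBEAR_OPTIONS "$(render_dropbear_options "$port")"
  set_kv "$root/etc/initramfs-tools/initramfs.conf" IP "$(render_ip_line "$4" "$5" "$6" "$7")"
  # Only the unlock key goes into the initramfs, and only root may read it.
  printf '%s\n' "$pubkey" > "$root/etc/dropbear-initramfs/authorized_keys"
  chmod 600 "$root/etc/dropbear-initramfs/authorized_keys"
}

case "${1:-}" in
  preview)   # write into a scratch root and show the result, no root needed
    shift; root="$(mktemp -d)"; stage_config "$root" "$@"
    find "$root" -type f -exec sh -c 'echo "== $1"; cat "$1"' _ {} \; ;;
  apply)     # real system: stage into / and rebuild the initramfs
    shift; stage_config / "$@"; update-initramfs -u ;;
esac
```

Preview with ./stage-dropbear.sh preview 2222 "$(cat ~/.ssh/id_ed25519.pub)" 192.168.2.19 192.168.2.254 255.255.255.0 debian, then run the same line with apply as root. After a reboot, ssh -p 2222 root@192.168.2.19 reaches the initramfs shell, where Debian's cryptroot-unlock helper prompts for the LUKS passphrase (the helper name is from Debian's cryptsetup-initramfs package, not from the article).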



Dropbear is an open-source SSH tool that includes both a client and a server. Here it is ported to an embedded Linux system, which mainly means cross-compiling it with the target platform's compiler.
The compilation steps are roughly as follows:


1. Download the source code

Download the Dropbear source package; it is available from the official website.

I have bundled the zlib source code that Dropbear depends on.

2. Compile

1. Unzip the source file

After the archive is extracted, the directory contains:

  • DropBear-2019.78 – the Dropbear source code
  • DropBear_bin – the installation directory for the compiled Dropbear
  • LibZ – the zlib source directory
  • Zlib_bin – the installation directory for the compiled zlib

2. Compile ZLIB

The script files marked in the original screenshot (not reproduced here) configure the cross-compiler; use them as a reference to configure one for your own platform.

After configuring the script, running it generates the Makefile.

Then run make; make install.

If the configured installation directory is not Zlib_bin, copy the build results over.

3. Compile DropBear

Enter the Dropbear source directory and edit the build script.

Only the compiler needs to be changed to match your own platform's toolchain; then run ./build

If there are no problems, this generates the Makefile; then run make; make install.

The compilation results are as follows (screenshot not reproduced here).

The bin directory holds the executables:

dbclient is the SSH client program; the dropbear server program is under sbin.

4. Generate a key file

After these files are copied to the board, run the following commands on the board to generate the host key files:

cd /etc/dropbear
dropbearkey -t rsa -f dropbear_rsa_host_key
dropbearkey -t dss -f dropbear_dss_host_key
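The build steps 2 and 3 above lost their screenshots, so here is an added cross-build script for the same directory layout (not the original post's build script). HOST, CROSS and TOP are assumptions you set for your toolchain; --host, --prefix and --with-zlib are Dropbear's own configure options, and PROGRAMS is its make variable for choosing which binaries to build.

```shell
#!/bin/sh
# Added example, not part of the original post: a cross-build script for the
# directory layout described above (DropBear-2019.78, DropBear_bin, LibZ,
# Zlib_bin). HOST, CROSS and TOP are assumptions for your toolchain.
set -eu

HOST="${HOST:-arm-linux-gnueabihf}"   # configure --host triple (assumed)
CROSS="${CROSS:-$HOST-}"              # toolchain prefix, e.g. arm-linux-gnueabihf-
TOP="${TOP:-$(pwd)}"                  # directory holding the four subdirectories

# Dropbear's configure arguments: cross host, install prefix and the zlib
# staging directory built first (--with-zlib is Dropbear's own option).
dropbear_configure_args() {
  printf '%s' "--host=$1 --prefix=$2 --with-zlib=$3"
}

# Returns 0 if the cross compiler for the given prefix is on PATH, 1 otherwise.
check_toolchain() {
  command -v "${1}gcc" >/dev/null 2>&1
}

# Step 2: static zlib into Zlib_bin so the Dropbear link needs nothing from the host.
build_zlib() {
  ( cd "$TOP/LibZ" && CC="${CROSS}gcc" AR="${CROSS}ar" RANLIB="${CROSS}ranlib" \
      ./configure --prefix="$TOP/Zlib_bin" --static && make && make install )
}

# Step 3: Dropbear against that zlib; PROGRAMS limits the build to what the
# board needs (server, client, key tool). The unquoted $(...) is deliberate:
# the configure arguments must be split into separate words.
build_dropbear() {
  ( cd "$TOP/DropBear-2019.78" && CC="${CROSS}gcc" \
      ./configure $(dropbear_configure_args "$HOST" "$TOP/DropBear_bin" "$TOP/Zlib_bin") \
      && make PROGRAMS="dropbear dbclient dropbearkey" && make install )
}

if [ "${1:-}" = "build" ]; then
  check_toolchain "$CROSS" || { echo "no ${CROSS}gcc on PATH" >&2; exit 1; }
  build_zlib && build_dropbear
  ls "$TOP/DropBear_bin/bin" "$TOP/DropBear_bin/sbin"   # dbclient, dropbearkey / dropbear
fi
```

Run it as HOST=arm-linux-gnueabihf ./cross-build.sh build from the directory that holds the four subdirectories; then copy the contents of DropBear_bin to the board and generate the host keys there with the dropbearkey commands from step 4.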


Dropbear configuration

The SSH configuration is handled by the Dropbear subsystem of uci and the configuration file is located in /etc/config/dropbear .

Sections

The dropbear configuration contains settings for the dropbear SSH server in a single section.

Dropbear

The dropbear section contains these settings. Names are case-sensitive.

| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| enable | boolean | no | 1 | Set to 0 to disable starting dropbear at system boot. |
| verbose | boolean | no | 0 | Set to 1 to enable verbose output by the start script. |
| BannerFile | string | no | (none) | Name of a file to be printed before the user has authenticated successfully. |
| PasswordAuth | boolean | no | 1 | Set to 0 to disable authenticating with passwords. |
| Port | integer | no | 22 | Port number to listen on. |
| RootPasswordAuth | boolean | no | 1 | Set to 0 to disable authenticating as root with passwords. |
| RootLogin | boolean | no | 1 | Set to 0 to disable SSH logins as root. |
| GatewayPorts | boolean | no | 0 | Set to 1 to allow remote hosts to connect to forwarded ports. |
| Interface | string | no | (none) | An interface name, for example lan. With this setting you limit connections to clients that can reach the IP of this interface: with the default firewall configuration the LAN IP of the interface can only be reached from clients in the LAN network, not from the WAN. It is passed to dropbear's -p option, which does the following: "Listen on specified address and TCP port. If just a port is given listen on all addresses. up to 10 can be specified (default 22 if none specified)." |
| keyfile | file | no | (none) | Path to host key file. |
| rsakeyfile | file | no | (none) | Path to RSA host key file. Deprecated; see keyfile. |
| SSHKeepAlive | integer | no | 300 | Keep-alive interval. |
| IdleTimeout | integer | no | 0 | Idle timeout. |
| mdns | integer | no | 1 | Whether to announce the service via mDNS. |
| MaxAuthTries | integer | no | 3 | Number of times you can retry entering the password when logging in before the SSH server closes the connection (added in a later commit). |

Default configuration

This is the default configuration:

Extras

Multiple instances

Add a second instance of dropbear listening on port 2022.
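As an added example that is not part of the OpenWrt wiki, the following script audits a /etc/config/dropbear file against the options in the table above and reports the settings that widen exposure (password authentication on, root able to log in with a password, no Interface restriction), applying the table's defaults when an option is absent. Its first constructed sample is the stock-style section plus a second instance on port 2022, as in "Multiple instances"; the second sample is the same service with the weak values corrected.

```shell
#!/bin/sh
# Added example, not part of the OpenWrt wiki page: audit an OpenWrt
# /etc/config/dropbear file against the options in the table above.
# The two configs below are constructed samples.
set -eu

# Stock-style section plus a second instance on port 2022.
SAMPLE_CONFIG=$(cat <<'EOF'
config dropbear
        option PasswordAuth 'on'
        option RootPasswordAuth 'on'
        option Port '22'

config dropbear
        option Port '2022'
        option PasswordAuth '0'
        option RootLogin '0'
        option Interface 'lan'
EOF
)

# The same service with the weak defaults corrected.
HARDENED_CONFIG=$(cat <<'EOF'
config dropbear
        option Port '22'
        option PasswordAuth '0'
        option RootPasswordAuth '0'
        option RootLogin '0'
        option Interface 'lan'
EOF
)

# Reads a UCI dropbear config on stdin; prints one line per weak setting,
# using the table's defaults (PasswordAuth, RootPasswordAuth, RootLogin = 1,
# Port = 22) when an option is absent.
audit_dropbear_config() {
  awk -v q="'" '
    function truthy(v) { v = tolower(v); return (v == "1" || v == "on" || v == "true" || v == "yes") }
    function get(name, dflt) { return (name in opt) ? opt[name] : dflt }
    function flush(   k, port) {
      if (n == 0) return
      port = get("Port", "22")
      if (truthy(get("PasswordAuth", "1")))
        printf "instance %d (port %s): PasswordAuth enabled; set it to 0 and use authorized_keys\n", n, port
      if (truthy(get("RootPasswordAuth", "1")) && truthy(get("RootLogin", "1")))
        printf "instance %d (port %s): root can log in with a password; set RootPasswordAuth 0 or RootLogin 0\n", n, port
      if (!("Interface" in opt))
        printf "instance %d (port %s): no Interface set, listens on all addresses; set Interface lan\n", n, port
      for (k in opt) delete opt[k]
    }
    /^[ \t]*config[ \t]+dropbear/ { flush(); n++; next }
    /^[ \t]*option[ \t]+/ {
      # strip the optional single or double quotes around the value
      val = $3
      if (substr(val, 1, 1) == q || substr(val, 1, 1) == "\"") val = substr(val, 2)
      if (substr(val, length(val), 1) == q || substr(val, length(val), 1) == "\"") val = substr(val, 1, length(val) - 1)
      opt[$2] = val
    }
    END { flush() }
  '
}

if [ "${1:-}" = "demo" ]; then
  echo "== sample config"; printf '%s\n' "$SAMPLE_CONFIG" | audit_dropbear_config
  echo "== hardened config"; printf '%s\n' "$HARDENED_CONFIG" | audit_dropbear_config
elif [ -n "${1:-}" ]; then
  audit_dropbear_config < "$1"   # audit a real file, e.g. /etc/config/dropbear
fi
```

On a router, ./audit-dropbear.sh /etc/config/dropbear lists the findings; an empty result means every instance has password logins off, root password login blocked, and an Interface restriction in place.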

Security considerations

Problems you face with a public SSH service:

References

  • Last modified: 2021/09/10 17:10
  • by bobafetthotmail


Except where otherwise noted, content on this wiki is licensed under the following license:
CC Attribution-Share Alike 4.0 International


dropbear (8) — Linux Man Pages

dropbear: lightweight SSH server

Command to display dropbear manual in Linux: $ man 8 dropbear

SYNOPSIS


DESCRIPTION


OPTIONS


FILES

~/.ssh/authorized_keys can be set up to allow remote login with a RSA, ECDSA, or DSS key. Each line is of the form [restrictions] ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIgAsp... [comment] and can be extracted from a Dropbear private host key with "dropbearkey -y". This is the same format as used by OpenSSH, though the restrictions are a subset (keys with unknown restrictions are ignored). Restrictions are comma separated, with double quotes around spaces in arguments. Available restrictions are:

no-port-forwarding Don’t allow port forwarding for this connection

no-agent-forwarding Don’t allow agent forwarding for this connection

no-X11-forwarding Don’t allow X11 forwarding for this connection

no-pty Disable PTY allocation. Note that a user can still obtain most of the same functionality with other means even if no-pty is set.

command= forced_command Disregard the command provided by the user and always run forced_command .

The authorized_keys file and its containing ~/.ssh directory must only be writable by the user, otherwise Dropbear will not allow a login using public key authentication.
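The two FILES rules above, the permission requirement and the restriction list, as an added check script that is not part of the dropbear man page. It writes a constructed sample authorized_keys (the forced command path in it is a placeholder) and then reports, per key, the restrictions it carries and whether the file or directory is writable by group or other.

```shell
#!/bin/sh
# Added example, not part of the dropbear man page: check an authorized_keys
# file the way the FILES section describes. The sample file it writes is
# constructed; the forced command path in it is a placeholder.
set -eu

KEYTYPE_RE='^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-[a-z0-9]+)$'

# Prints the path if it is group- or other-writable, a state in which
# Dropbear refuses public key login for that user.
writable_by_others() {
  find "$1" -prune \( -perm -020 -o -perm -002 \) -print
}

# For every key line, report the key type and the restriction list that
# precedes it; keys with no restrictions get a full shell and forwarding.
audit_authorized_keys() {
  awk -v kre="$KEYTYPE_RE" '
    /^[ \t]*(#|$)/ { next }
    {
      k = 0
      for (i = 1; i <= NF; i++) if ($i ~ kre) { k = i; break }
      if (k == 0) { printf "line %d: no recognised key type, Dropbear ignores it\n", NR; next }
      r = ""
      for (i = 1; i < k; i++) r = r (i > 1 ? " " : "") $i
      if (r == "") printf "line %d: %s unrestricted (shell and forwarding allowed)\n", NR, $k
      else printf "line %d: %s restrictions=%s\n", NR, $k, r
    }
  ' "$1"
}

# Full check of one user's ~/.ssh: permissions on the directory and file,
# then the per-key report. Returns 1 when Dropbear would reject the file.
check_user_keys() {
  sshdir="$1"
  for p in "$sshdir" "$sshdir/authorized_keys"; do
    if [ -n "$(writable_by_others "$p")" ]; then
      echo "FAIL: $p is group/other writable; Dropbear will reject key logins"
      return 1
    fi
  done
  audit_authorized_keys "$sshdir/authorized_keys"
}

# Writes a constructed sample: one unrestricted key and one locked-down
# key with a placeholder forced command.
write_sample_keys() {
  mkdir -p "$1/.ssh" && chmod 700 "$1/.ssh"
  printf '%s\n' '# constructed sample authorized_keys' \
    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyOne ops@example' \
    'no-port-forwarding,no-pty,command="/usr/local/bin/status-helper" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyTwo status@example' \
    > "$1/.ssh/authorized_keys"
  chmod 600 "$1/.ssh/authorized_keys"
}

if [ "${1:-}" = "demo" ]; then
  d="$(mktemp -d)"; write_sample_keys "$d"; check_user_keys "$d/.ssh"
elif [ -n "${1:-}" ]; then
  check_user_keys "$1"    # e.g. ./check-keys.sh /root/.ssh
fi
```

Running it with demo prints one unrestricted key and one restricted key; pointing it at a real ~/.ssh directory shows which keys still grant a full shell and whether a permission problem explains a failed key login.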

Host key files are read at startup from a standard location, by default /etc/dropbear/dropbear_dss_host_key, /etc/dropbear/dropbear_rsa_host_key, and /etc/dropbear/dropbear_ecdsa_host_key, or specified on the command line with -r. These are of the form generated by dropbearkey. The -R option can be used to automatically generate keys in the default location; keys will be generated after startup when the first connection is established. This has the benefit that the system /dev/urandom random number source has a better chance of being securely seeded.

Message Of The Day

By default the file /etc/motd will be printed for any login shell (unless disabled at compile-time). This can also be disabled per-user by creating a file

ENVIRONMENT VARIABLES

The variables below are set for sessions as appropriate.

SSH_TTY This is set to the allocated TTY if a PTY was used.

DISPLAY Set if X11 forwarding is used.

SSH_ORIGINAL_COMMAND If a ‘command=’ authorized_keys option was used, the original command is specified in this variable. If a shell was requested this is set to an empty value.

SSH_AUTH_SOCK Set to a forwarded ssh-agent connection.

