OpenWRT: OpenSSH instead of Dropbear

Article published the ; modified the
Commit version: d52797e

Description

By default, Dropbear is the SSH server on OpenWRT. Even though this lightweight server uses only SSH protocol v2, it has some gaps:

  • Only partial support of the SFTP protocol; you need to add the openssh-sftp-server package
  • No user privilege separation
  • No official support for FIPS 140-2 approved cryptographic modules (although, in our particular context, this is not a necessity)
  • Only since version 2020.79 does Dropbear seem to support the elliptic curve algorithms; this was not the case for previous versions, including those shipped before OpenWRT 19.07.4:
    • the ed25519 host key
    • the chacha20-poly1305 cipher
    • or even the rsa-sha2 key signatures

Installation

# /etc/init.d/sshd enable
# /etc/init.d/sshd start

Configuration

Dropbear configuration

Let’s keep the default port on Dropbear.

However, you can configure it, either through the LuCI interface or from the CLI, as follows:

# uci set dropbear.@dropbear[0].Port=xxx
# uci commit dropbear
# /etc/init.d/dropbear restart
  • xxx: the port number of your choice.

Then connect on this port.

OpenSSH Configuration

  • Configuration file: /etc/ssh/sshd_config

Absolutely apply the following recommendations:

  • Use only the v2 protocol
  • Do not log in with the root account
  • Disable the PasswordAuthentication option
  • Use only the PubkeyAuthentication option

Now, we harden the configuration:


moduli

If you installed the openssh-moduli package, prefer to accept only DH groups of at least 3072 bits.

Let’s back up the file first, just in case:

# cp /etc/ssh/moduli /etc/ssh/moduli.bckp
# chmod 0400 /etc/ssh/moduli.bckp

Then, you need to recreate
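As an added example (not part of the original article), this is how the moduli file can be filtered down to groups of at least 3072 bits. It relies on the moduli(5) layout, where the fifth column stores the prime length minus one, so a 3072-bit group appears as 3071; the sample entries are constructed and their hex moduli are placeholders, not real primes.

```shell
# Keep only the Diffie-Hellman groups of at least 3072 bits from an OpenSSH
# moduli file. Field 5 is the prime size minus one (3071 = 3072 bits), and
# comment lines are passed through unchanged.
filter_moduli() {
    # $1 = input moduli file, $2 = output file
    awk '/^#/ { print; next } $5 >= 3071 { print }' "$1" > "$2"
}

# Count the non-comment entries of a moduli file (used to check the result).
count_groups() {
    grep -vc '^#' "$1"
}

# Constructed sample in the moduli(5) layout:
# time type tests trials size generator modulus
# The hex moduli are shortened placeholders, not real primes.
write_sample_moduli() {
cat > "$1" <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20200101000000 2 6 100 1023 2 C9B3A1F0
20200101000000 2 6 100 2047 2 D4E5F6A7
20200101000000 2 6 100 3071 2 E8F9A0B1
20200101000000 2 6 100 4095 5 F1A2B3C4
20200101000000 2 6 100 7679 2 A5B6C7D8
EOF
}

# On the router, after the backup made above, the call would be:
#   filter_moduli /etc/ssh/moduli.bckp /etc/ssh/moduli
```

The filtered file only matters if a diffie-hellman-group-exchange-* method is listed in KexAlgorithms; with the curve25519 methods alone, the moduli file is never consulted.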


TL;DR

Here is a minimalist example of the configuration file:

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

PermitRootLogin no
MaxAuthTries 3

PubkeyAuthentication yes

AuthorizedKeysFile	.ssh/authorized_keys

PasswordAuthentication no
PermitEmptyPasswords no

Subsystem	sftp	/usr/lib/sftp-server

Service management

OpenSSH Service

Now you can connect, but only after testing the configuration and starting the service:

# sshd -t

If the configuration is valid:

# /etc/init.d/sshd enable
# /etc/init.d/sshd start

Dropbear Service

Now it’s possible to stop and disable the Dropbear service:

# /etc/init.d/dropbear stop
# /etc/init.d/dropbear disable

Backup system

Normally, the /etc/ssh directory and its contents are included in the backup made by the sysupgrade tool.

To check: # sysupgrade -l | grep ssh

If that is not the case, edit the /etc/sysupgrade.conf file to add this directory.

Troubleshooting

Race condition

⇒ Not possible to connect after a reboot:

Have you set the ListenAddress option in the configuration file?

If so, comment out the corresponding line: OpenSSH cannot start because of a race condition.

When you specify this option, OpenSSH runs fine when you start it from the CLI. But during a (re)boot, OpenSSH fails because the network interface(s) are not ready yet!

So do not specify this option, and configure your firewall to allow SSH only on your LAN network interface instead.
