Description
In fact, Dropbear is the SSH server on OpenWRT. Even if this lightweight server uses only SSH protocol v2, it has some gaps:
- Partial support of the SFTP protocol: you need to add the openssh-sftp-server package
- No user privilege separation
- No official support for cryptographic modules approved by FIPS 140-2 (although in our particular context, it is not a necessity)
- Only since version 2020.79 does Dropbear seem to support the elliptic-curve algorithms, which is not the case for the previous versions, including the one shipped before OpenWRT 19.07.4:
  - hostkey ed25519
  - cipher chacha20-poly1305
  - or even the rsa-sha2 key signatures
Installation
# /etc/init.d/sshd enable
# /etc/init.d/sshd start
The /etc/ssh/moduli file contains the prime numbers and generators used by the SSH server in the Diffie-Hellman group exchange key exchange method. Prefer to install it (the openssh-moduli package; see the moduli section below).
Configuration
Dropbear configuration
Let's leave the default port on Dropbear.
However, you can configure it, either through the LuCI interface or from the CLI, like this:
# uci set dropbear.@dropbear[0].Port=xxx
# uci commit dropbear
# /etc/init.d/dropbear restart
- xxx: the port number of your choice.
Then connect on this port…
OpenSSH Configuration
- Configuration file: /etc/ssh/sshd_config
Absolutely apply the following recommendations:
- Use only the v2 protocol,
- Do not connect with the root account,
- Disable the PasswordAuthentication option,
- Use only the PubkeyAuthentication option.
Now, we harden the configuration:
- recreate the host keys, and allow only the Ed25519 algorithm,
- auth only:
- strong encryption,
- the following algorithms:
moduli
If you installed the openssh-moduli package, prefer to accept only DH key exchanges greater than or equal to 3072 bits. In the moduli file, the fifth field is the group size in bits minus one, so a test on 3071 keeps the 3072-bit groups and larger.
Let's save the file first, just in case…
# cp /etc/ssh/moduli /etc/ssh/moduli.bckp
# chmod 0400 /etc/ssh/moduli.bckp
Then, you need to recreate it.
If you have correctly configured a user with sudo rights:
# sudo awk '$5 >= 3071' /etc/ssh/moduli | sudo tee /etc/ssh/moduli.safe
# mv /etc/ssh/moduli.safe /etc/ssh/moduli
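As an added example (not from the original article), here is the same moduli filter wrapped in two small shell functions, run against a constructed sample file so the effect of the "fifth field >= 3071" test can be checked offline. The function names, the default threshold parameter and the sample lines (whose hexadecimal moduli are deliberately truncated) are mine, not OpenSSH's.

```shell
#!/bin/sh
# Added example, not code from the original article: filter an OpenSSH
# moduli file so that only Diffie-Hellman groups of at least 3072 bits remain.
# Field 5 of each moduli line is the prime's size in bits minus one
# (a 3072-bit group is listed as 3071), hence the ">= 3071" test.

# filter_moduli IN OUT [MIN]: copy comment lines and every group whose size
# field is at least MIN (default 3071) from IN to OUT.
filter_moduli() {
    min=${3:-3071}
    awk -v min="$min" '/^#/ || $5 >= min' "$1" > "$2"
}

# count_groups FILE: number of usable DH groups (non-comment lines).
count_groups() {
    grep -vc '^#' "$1"
}

# Constructed sample input: real files have thousands of lines and the
# modulus column is a very long hexadecimal number; it is shortened here.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20200101000000 2 6 100 2047 2 FFFFFFFFFFFFFFFFC90FDAA2
20200101000001 2 6 100 3071 2 FFFFFFFFFFFFFFFFC90FDAA3
20200101000002 2 6 100 4095 5 FFFFFFFFFFFFFFFFC90FDAA5
20200101000003 2 6 100 8191 2 FFFFFFFFFFFFFFFFC90FDAA7
EOF

SAFE=$(mktemp)
filter_moduli "$SAMPLE" "$SAFE"
echo "groups before: $(count_groups "$SAMPLE"), after: $(count_groups "$SAFE")"
```

On the router, the first argument would be /etc/ssh/moduli and the second the moduli.safe file from the commands above; the 2048-bit group is the only one dropped from the sample.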
TL;DR
Here is a minimalist example of the configuration file:
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
PermitRootLogin no
MaxAuthTries 3
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
Subsystem sftp /usr/lib/sftp-server
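As an added example (not from the original article), the following shell script audits an sshd_config against the recommendations of the OpenSSH Configuration section: no root login, no password authentication, public-key authentication only, no DSA/ECDSA host keys, no CBC/3DES/arcfour ciphers and encrypt-then-MAC MACs only. The function names and the two constructed config texts are mine; the "good" one mirrors the TL;DR configuration above. Missing options count as failures, since the recommendations ask for them to be set explicitly.

```shell
#!/bin/sh
# Added example, not code from the original article: audit an sshd_config
# for the hardening settings described above. Both sample configs below are
# constructed for the demo.

# sshd_opt FILE KEY: effective value of KEY. sshd keeps the first non-comment
# occurrence of a keyword, and keywords are case-insensitive.
sshd_opt() {
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# audit_sshd_config FILE: reports each failed check on stderr and prints
# the number of failures on stdout (0 means the file passes).
audit_sshd_config() {
    fails=0
    fail() { echo "FAIL: $1" >&2; fails=$((fails + 1)); }

    [ "$(sshd_opt "$1" PermitRootLogin)" = no ]        || fail "PermitRootLogin must be no"
    [ "$(sshd_opt "$1" PasswordAuthentication)" = no ] || fail "PasswordAuthentication must be no"
    [ "$(sshd_opt "$1" PermitEmptyPasswords)" = no ]   || fail "PermitEmptyPasswords must be no"
    [ "$(sshd_opt "$1" PubkeyAuthentication)" = yes ]  || fail "PubkeyAuthentication must be yes"

    # Host keys: only the Ed25519 key (plus RSA in the TL;DR) is loaded; DSA/ECDSA keys are out.
    if awk '$1 !~ /^#/ && tolower($1) == "hostkey" && $2 !~ /ed25519|rsa/' "$1" | grep -q .; then
        fail "HostKey other than ed25519/rsa is loaded"
    fi
    # Ciphers: CBC modes, 3des and arcfour must not appear.
    case "$(sshd_opt "$1" Ciphers)" in
        *cbc*|*3des*|*arcfour*) fail "weak cipher in Ciphers" ;;
    esac
    # MACs: every listed MAC must be an encrypt-then-MAC variant.
    macs=$(sshd_opt "$1" MACs)
    if [ -n "$macs" ] && printf '%s\n' "$macs" | tr ',' '\n' | grep -qv -- '-etm@openssh.com$'; then
        fail "non-ETM MAC in MACs"
    fi
    echo "$fails"
}

# Constructed sample configs: one hardened, one stock-looking.
GOOD=$(mktemp); BAD=$(mktemp)
cat > "$GOOD" <<'EOF'
HostKey /etc/ssh/ssh_host_ed25519_key
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
EOF
cat > "$BAD" <<'EOF'
# root login and passwords allowed, a CBC cipher, a SHA-1 MAC and a DSA host key
HostKey /etc/ssh/ssh_host_dsa_key
Ciphers aes128-cbc,aes256-ctr
MACs hmac-sha1,hmac-sha2-256
PermitRootLogin yes
PasswordAuthentication yes
EOF

echo "hardened config: $(audit_sshd_config "$GOOD") failure(s)"
echo "stock config:    $(audit_sshd_config "$BAD") failure(s)"
```

Run it against /etc/ssh/sshd_config before "sshd -t": the audit catches policy drift (a setting removed or weakened), while sshd -t only catches syntax errors.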
Service management
OpenSSH Service
Voila, now you can connect… but first, test the configuration and start the service:
# sshd -t
If the configuration is valid:
# /etc/init.d/sshd enable
# /etc/init.d/sshd start
Dropbear Service
Now, it’s possible to stop and disable the dropbear service:
# /etc/init.d/dropbear stop
# /etc/init.d/dropbear disable
Backup system
Normally, the /etc/ssh directory and its contents are included in the backup made by the sysupgrade tool.
To check:
# sysupgrade -l | grep ssh
If it's not the case, edit the /etc/sysupgrade.conf file to add this folder.
Troubleshooting
Race condition
⇒ Not possible to connect after reboot:
Have you set the ListenAddress option in the configuration file?
If yes, comment out the corresponding line: OpenSSH cannot start because of a race condition.
When you specify this option, OpenSSH runs fine when you start it from the CLI. But during a (re)boot, OpenSSH fails because the network interface(s) is/are not ready yet!
So, do not specify this option, and configure your firewall to allow SSH only on your LAN network interface.