# TL;DR

Dropbear is a relatively small SSH server and client.

```bash
# Start a throwaway Debian 10 container; the remaining commands run inside it
docker run -it --rm debian:10 bash

# Switch apt to a mirror and refresh the package index
sed -i "s|deb.debian.org|mirrors.huaweicloud.com|g" /etc/apt/sources.list && \
sed -i "s|security.debian.org|mirrors.huaweicloud.com|g" /etc/apt/sources.list && \
apt-get clean && \
apt-get update

# Build dependencies, plus curl and ca-certificates for the HTTPS download below
apt install -qy autoconf gcc make tcl gettext diffutils libexpat1-dev libcurl4-openssl-dev libssl-dev zlib1g-dev curl ca-certificates

# If tar fails with:
#   tar (child): bzip2: Cannot exec: No such file or directory
#   tar (child): Error is not recoverable: exiting now
#   tar: Child returned status 2
#   tar: Error is not recoverable: exiting now
# install bzip2:
apt install bzip2

#wget https://matt.ucc.asn.au/dropbear/releases/dropbear-2019.78.tar.bz2
curl -L -o dropbear.tar.bz2 https://matt.ucc.asn.au/dropbear/releases/dropbear-2020.80.tar.bz2
# Before unpacking, compare the SHA256 of dropbear.tar.bz2 with the checksum
# the project publishes for this release.
tar -jxvf dropbear.tar.bz2
cd dropbear-2020.80
./configure
```

```bash
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
configure: No $CFLAGS set... using "-Os -W -Wall" for GCC
configure: Checking if compiler 'gcc' supports -Wno-pointer-sign
configure: Setting -Wno-pointer-sign
configure: Checking if compiler 'gcc' supports -fno-strict-overflow
configure: Setting -fno-strict-overflow
configure: Checking for available hardened build flags:
configure: Setting -fPIE
configure: Setting -Wl,-pie
configure: Setting -Wl,-z,now -Wl,-z,relro
configure: Setting -fstack-protector-strong
configure: Setting -D_FORTIFY_SOURCE=2
configure: Setting -mfunction-return=thunk
configure: Setting -mindirect-branch=thunk
checking for special C compiler options needed for large files... no
checking for _FILE_OFFSET_BITS value needed for large files... no
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking for ar... ar
checking for ranlib... ranlib
checking for strip... strip
checking for install... install
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking whether __UCLIBC__ is declared... no
checking for crypt... no
checking for crypt in -lcrypt... yes
checking for deflate in -lz... yes
configure: Enabling zlib
configure: Disabling PAM
configure: Using openpty if available
checking for library containing openpty... -lutil
configure: Enabling syslog
checking shadow.h usability... yes
checking shadow.h presence... yes
checking for shadow.h... yes
configure: Using shadow passwords if available
configure: Disabling fuzzing
checking for ANSI C header files... (cached) yes
checking for sys/wait.h that is POSIX.1 compatible... yes
checking netinet/in.h usability... yes
checking netinet/in.h presence... yes
checking for netinet/in.h... yes
checking netinet/tcp.h usability... yes
checking netinet/tcp.h presence... yes
checking for netinet/tcp.h... yes
checking crypt.h usability... yes
checking crypt.h presence... yes
checking for crypt.h... yes
checking pty.h usability... yes
checking pty.h presence... yes
checking for pty.h... yes
checking libutil.h usability... no
checking libutil.h presence... no
checking for libutil.h... no
checking libgen.h usability... yes
checking libgen.h presence... yes
checking for libgen.h... yes
checking for inttypes.h... (cached) yes
checking stropts.h usability... yes
checking stropts.h presence... yes
checking for stropts.h... yes
checking utmp.h usability... yes
checking utmp.h presence... yes
checking for utmp.h... yes
checking utmpx.h usability... yes
checking utmpx.h presence... yes
checking for utmpx.h... yes
checking lastlog.h usability... yes
checking lastlog.h presence... yes
checking for lastlog.h... yes
checking paths.h usability... yes
checking paths.h presence... yes
checking for paths.h... yes
checking util.h usability... no
checking util.h presence... no
checking for util.h... no
checking netdb.h usability... yes
checking netdb.h presence... yes
checking for netdb.h... yes
checking security/pam_appl.h usability... no
checking security/pam_appl.h presence... no
checking for security/pam_appl.h... no
checking pam/pam_appl.h usability... no
checking pam/pam_appl.h presence... no
checking for pam/pam_appl.h... no
checking netinet/in_systm.h usability... yes
checking netinet/in_systm.h presence... yes
checking for netinet/in_systm.h... yes
checking sys/uio.h usability... yes
checking sys/uio.h presence... yes
checking for sys/uio.h... yes
checking linux/pkt_sched.h usability... yes
checking linux/pkt_sched.h presence... yes
checking for linux/pkt_sched.h... yes
checking sys/random.h usability... yes
checking sys/random.h presence... yes
checking for sys/random.h... yes
checking for an ANSI C-conforming const... yes
checking for uid_t in sys/types.h... yes
checking for mode_t... yes
checking for pid_t... yes
checking for size_t... yes
checking whether time.h and sys/time.h may both be included... yes
checking for uint8_t... yes
checking for u_int8_t... yes
checking for uint16_t... yes
checking for u_int16_t... yes
checking for uint32_t... yes
checking for u_int32_t... yes
checking for struct sockaddr_storage... no
checking for socklen_t... yes
checking for struct sockaddr_storage... yes
checking for struct sockaddr_in6... yes
checking for struct in6_addr... yes
checking for struct addrinfo... yes
checking for gai_strerror... yes
checking for struct utmp.ut_host... yes
checking for struct utmp.ut_pid... yes
checking for struct utmp.ut_type... yes
checking for struct utmp.ut_tv... yes
checking for struct utmp.ut_id... yes
checking for struct utmp.ut_addr... yes
checking for struct utmp.ut_addr_v6... yes
checking for struct utmp.ut_exit... yes
checking for struct utmp.ut_time... yes
checking for struct utmpx.ut_host... yes
checking for struct utmpx.ut_syslen... no
checking for struct utmpx.ut_type... yes
checking for struct utmpx.ut_id... yes
checking for struct utmpx.ut_addr... no
checking for struct utmpx.ut_addr_v6... yes
checking for struct utmpx.ut_time... no
checking for struct utmpx.ut_tv... yes
checking for struct sockaddr_storage.ss_family... yes
checking for endutent... yes
checking for getutent... yes
checking for getutid... yes
checking for getutline... yes
checking for pututline... yes
checking for setutent... yes
checking for utmpname... yes
checking for endutxent... yes
checking for getutxent... yes
checking for getutxid... yes
checking for getutxline... yes
checking for pututxline... yes
checking for setutxent... yes
checking for utmpxname... yes
checking for logout... yes
checking for updwtmp... yes
checking for logwtmp... yes
checking for clock_gettime... yes
checking mach/mach_time.h usability... no
checking mach/mach_time.h presence... no
checking for mach/mach_time.h... no
checking for mach_absolute_time... no
checking for explicit_bzero... yes
checking for memset_s... no
checking for getrandom... yes
checking for mp_to_ubin in -ltommath... no
checking for poly1305_init in -ltomcrypt... no
checking for library containing login... none required
checking for logout... (cached) yes
checking for updwtmp... (cached) yes
checking for logwtmp... (cached) yes
checking if your system defines LASTLOG_FILE... no
checking if your system defines _PATH_LASTLOG... yes
checking if your system defines UTMP_FILE... yes
checking if your system defines WTMP_FILE... yes
checking if your system defines UTMPX_FILE... no
checking if your system defines WTMPX_FILE... no
checking whether gcc needs -traditional... no
checking for working memcmp... yes
checking sys/select.h usability... yes
checking sys/select.h presence... yes
checking for sys/select.h... yes
checking sys/socket.h usability... yes
checking sys/socket.h presence... yes
checking for sys/socket.h... yes
checking types of arguments for select... int,fd_set *,struct timeval *
checking for getpass... yes
checking for getspnam... yes
checking for getusershell... yes
checking for putenv... yes
checking for clearenv... yes
checking for strlcpy... no
checking for strlcat... no
checking for daemon... yes
checking for basename... yes
checking for _getpty... no
checking for getaddrinfo... yes
checking for freeaddrinfo... yes
checking for getnameinfo... yes
checking for fork... yes
checking for writev... yes
checking for getgrouplist... yes
checking for library containing basename... none required
configure: creating ./config.status
config.status: creating Makefile
config.status: creating libtomcrypt/Makefile
config.status: creating libtommath/Makefile
config.status: creating config.h
configure:
configure: Using bundled libtomcrypt and libtommath
configure:
configure: Now edit localoptions.h to choose features.
```

```bash
make
#make scp
make install
```

```bash
install -d /usr/local/sbin
install dropbear /usr/local/sbin
install -d /usr/local/share/man/man8
install -m 644 ./dropbear.8 /usr/local/share/man/man8/dropbear.8
install -d /usr/local/bin
install dbclient /usr/local/bin
install -d /usr/local/share/man/man1
if test -e ./dbclient.1; then install -m 644 ./dbclient.1 /usr/local/share/man/man1/dbclient.1; fi
install -d /usr/local/bin
install dropbearkey /usr/local/bin
install -d /usr/local/share/man/man1
if test -e ./dropbearkey.1; then install -m 644 ./dropbearkey.1 /usr/local/share/man/man1/dropbearkey.1; fi
install -d /usr/local/bin
install dropbearconvert /usr/local/bin
install -d /usr/local/share/man/man1
if test -e ./dropbearconvert.1; then install -m 644 ./dropbearconvert.1 /usr/local/share/man/man1/dropbearconvert.1; fi

## Directories after installation
root@40c05fb00c80:/dropbear-2020.80# ls -l /usr/local/bin/
total 584
-rwxr-xr-x 1 root root 255480 Aug 17 13:00 dbclient
-rwxr-xr-x 1 root root 169528 Aug 17 13:00 dropbearconvert
-rwxr-xr-x 1 root root 164736 Aug 17 13:00 dropbearkey
root@40c05fb00c80:/dropbear-2020.80# ls -l /usr/local/sbin/
total 260
-rwxr-xr-x 1 root root 264208 Aug 17 13:00 dropbear
```

```bash
## Start the server in the foreground, logging to stderr, on port 2222
dropbear -F -E -p 2222
```

```bash
[7898] Aug 17 13:02:37 Failed loading /etc/dropbear/dropbear_rsa_host_key
[7898] Aug 17 13:02:37 Failed loading /etc/dropbear/dropbear_dss_host_key
[7898] Aug 17 13:02:37 Failed loading /etc/dropbear/dropbear_ecdsa_host_key
[7898] Aug 17 13:02:37 Failed loading /etc/dropbear/dropbear_ed25519_host_key
[7898] Aug 17 13:02:37 Early exit: No hostkeys available. 'dropbear -R' may be useful or run dropbearkey.
```

```bash
# Generate the host keys the server looks for by default
mkdir -p /etc/dropbear
# DSS keys are fixed at 1024 bits and current OpenSSH clients reject ssh-dss
# by default; this key is only useful for legacy clients.
dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key
dropbearkey -t rsa -s 4096 -f /etc/dropbear/dropbear_rsa_host_key
dropbearkey -t ecdsa -f /etc/dropbear/dropbear_ecdsa_host_key
dropbearkey -t ed25519 -f /etc/dropbear/dropbear_ed25519_host_key
```

```bash
root@40c05fb00c80:/dropbear-2020.80# ls -l /etc/dropbear/
total 12
-rw------- 1 root root  459 Aug 17 13:03 dropbear_dss_host_key
-rw------- 1 root root  141 Aug 17 13:03 dropbear_ecdsa_host_key
-rw------- 1 root root 1573 Aug 17 13:03 dropbear_rsa_host_key
```

```bash
dropbear -help
Dropbear server v2020.80 https://matt.ucc.asn.au/dropbear/dropbear.html
Usage: dropbear [options]
-b bannerfile   Display the contents of bannerfile before user login
                (default: none)
-r keyfile      Specify hostkeys (repeatable)
                defaults:
                - dss /etc/dropbear/dropbear_dss_host_key
                - rsa /etc/dropbear/dropbear_rsa_host_key
                - ecdsa /etc/dropbear/dropbear_ecdsa_host_key
                - ed25519 /etc/dropbear/dropbear_ed25519_host_key
-R              Create hostkeys as required
-F              Don't fork into background
-E              Log to stderr rather than syslog
-m              Don't display the motd on login
-w              Disallow root logins
-G              Restrict logins to members of specified group
-s              Disable password logins
-g              Disable password logins for root
-B              Allow blank password logins
-T              Maximum authentication tries (default 10)
-j              Disable local port forwarding
-k              Disable remote port forwarding
-a              Allow connections to forwarded ports from any host
-c command      Force executed command
-p [address:]port
                Listen on specified tcp port (and optionally address),
                up to 10 can be specified
                (default port is 22 if none specified)
-P PidFile      Create pid file PidFile
                (default /var/run/dropbear.pid)
-i              Start for inetd
-W <receive_window_buffer> (default 24576, larger may be faster, max 1MB)
-K <keepalive>  (0 is never, default 0, in seconds)
-I <idle_timeout>  (0 is never, default 0, in seconds)
-V              Version
```

# ref

* https://matt.ucc.asn.au/dropbear/dropbear.html
* https://jusene.github.io/2017/03/31/dropbear/
* https://cikeblog.com/install-dropbear-under-centos-and-configure-boot-self-start.html
* https://linux.die.net/man/8/dropbear
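
The start command on this page, `dropbear -F -E -p 2222`, leaves root and password logins enabled. The following check is an added example, not code from this page or from the Dropbear project: it reviews a server command line against the options in the `dropbear -help` output above. The function name, the RISK/WARN/INFO labels and the pass/fail policy are this example's own, and it assumes every option is passed as a separate argument.

```bash
#!/bin/sh
# Added example: audit a dropbear server command line using the option
# meanings from "dropbear -help". Returns 0 when no RISK/WARN was raised.
audit_dropbear_args() {
    a_w=0 a_s=0 a_g=0 a_j=0 a_k=0 a_tries=10 a_rc=0
    shift                                   # drop the program name
    while [ $# -gt 0 ]; do
        case "$1" in
            -w) a_w=1 ;;
            -s) a_s=1 ;;
            -g) a_g=1 ;;
            -j) a_j=1 ;;
            -k) a_k=1 ;;
            -B) echo "RISK: -B allows blank password logins"; a_rc=1 ;;
            -a) echo "RISK: -a exposes forwarded ports to any host"; a_rc=1 ;;
            -T) [ $# -gt 1 ] && { a_tries=$2; shift; } ;;
            # Remaining options that take a value: skip the value too,
            # so "-c -a" is not mistaken for the -a switch.
            -b|-r|-G|-c|-p|-P|-W|-K|-I) [ $# -gt 1 ] && shift ;;
        esac
        shift
    done
    if [ "$a_s" -eq 0 ]; then
        if [ "$a_w" -eq 1 ] || [ "$a_g" -eq 1 ]; then
            echo "WARN: password logins still enabled for non-root users (-s disables)"
        else
            echo "WARN: password logins enabled for all users, root included (-s disables)"
        fi
        a_rc=1
    fi
    [ "$a_w" -eq 1 ] || { echo "WARN: root logins allowed (-w disallows)"; a_rc=1; }
    [ "$a_j" -eq 1 ] || echo "INFO: local port forwarding enabled (-j disables)"
    [ "$a_k" -eq 1 ] || echo "INFO: remote port forwarding enabled (-k disables)"
    echo "INFO: maximum authentication tries = $a_tries"
    return "$a_rc"
}

# The invocation used on this page, then a tightened variant of it.
audit_dropbear_args dropbear -F -E -p 2222 || true
audit_dropbear_args dropbear -F -E -w -s -j -k -T 3 -p 2222
```

With `-s` set, users need a public key in `~/.ssh/authorized_keys` before they can log in.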