Bug #1140
closed
- Description updated (diff)
- Status changed from New to In Progress
- % Done changed from 0 to 10
Default dropbear config is in /etc/default/dropbear.
This is a shell script, so I can do things like this:
DROPBEAR_ROOTLOGIN="-w"
DROPBEAR_ARGS="${DROPBEAR_ROOTLOGIN} ..."
This sets up the DROPBEAR_ARGS used by S50dropbear to set the command line for dropbear, which is the only way to configure the daemon.
The online man page appears out of date. This is the version running on PiBox.
Dropbear server v2022.83 https://matt.ucc.asn.au/dropbear/dropbear.html
Usage: dropbear [options]
-b bannerfile Display the contents of bannerfile before user login
(default: none)
-r keyfile Specify hostkeys (repeatable)
defaults:
- dss /etc/dropbear/dropbear_dss_host_key
- rsa /etc/dropbear/dropbear_rsa_host_key
- ecdsa /etc/dropbear/dropbear_ecdsa_host_key
- ed25519 /etc/dropbear/dropbear_ed25519_host_key
-R Create hostkeys as required
-F Don't fork into background
-e Pass on server process environment to child process
-E Log to stderr rather than syslog
-m Don't display the motd on login
-w Disallow root logins
-G Restrict logins to members of specified group
-s Disable password logins
-g Disable password logins for root
-B Allow blank password logins
-t Enable two-factor authentication (both password and public key required)
-T Maximum authentication tries (default 10)
-j Disable local port forwarding
-k Disable remote port forwarding
-a Allow connections to forwarded ports from any host
-c command Force executed command
-p [address:]port
Listen on specified tcp port (and optionally address),
up to 10 can be specified
(default port is 22 if none specified)
-P PidFile Create pid file PidFile
(default /var/run/dropbear.pid)
-i Start for inetd
-W <receive_window_buffer> (default 24576, larger may be faster, max 10MB)
-K <keepalive> (0 is never, default 0, in seconds)
-I <idle_timeout> (0 is never, default 0, in seconds)
-z disable QoS
-V Version
I'd say the following arguments would be useful: -r, -R<>, -m, with -R<> used on firstboot and -r used at runtime to prevent cycling through keys.
The following should have blank env vars but could be configured once users are added: -w, -s, -g
The -P option is not needed because the init script uses start-stop-daemon which manages a pid file for the dropbear daemon.
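As an added example (not the PiBox project's own /etc/default/dropbear or S50dropbear), this is one way the sourced config file could assemble DROPBEAR_ARGS along the lines of the note above: -R on first boot, -r with fixed key files at runtime so the host key never changes, -m always, and -w/-s/-g only once real user accounts with keys exist. The FIRSTBOOT_MARKER path, the choice of ed25519 and rsa key files, and the authorized_keys-based user count are assumptions for the example.

```shell
#!/bin/sh
# Added example config logic for /etc/default/dropbear (sourced by the init
# script, so plain POSIX sh is required). Not the project's own file.

DROPBEAR_KEYDIR="/etc/dropbear"
FIRSTBOOT_MARKER="/var/lib/pibox/firstboot"   # hypothetical marker file

# Host-key options. On first boot let dropbear create keys as required (-R);
# afterwards name the key files explicitly (-r is repeatable) so the same
# keys are reused and clients never see a changed host-key fingerprint.
dropbear_key_args() {
  mode="$1"   # "firstboot" or "runtime"
  if [ "$mode" = "firstboot" ]; then
    printf '%s' "-R"
  else
    printf '%s' "-r ${DROPBEAR_KEYDIR}/dropbear_ed25519_host_key -r ${DROPBEAR_KEYDIR}/dropbear_rsa_host_key"
  fi
}

# Login-restriction options. Empty while only root exists (otherwise nobody
# could log in); once key-based users exist, disallow root logins (-w),
# disable password logins (-s) and root password logins (-g).
dropbear_auth_args() {
  users="$1"  # number of non-root accounts that have an authorized_keys file
  if [ "$users" -gt 0 ]; then
    printf '%s' "-w -s -g"
  else
    printf '%s' ""
  fi
}

# Count home directories under $1 that carry an ssh authorized_keys file
# (constructed heuristic for "users have been added and use keys").
count_key_users() {
  base="$1"
  n=0
  for f in "$base"/*/.ssh/authorized_keys; do
    if [ -f "$f" ]; then
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# Compose the final argument string; -m (no motd) is always included.
# Word splitting via "set --" drops the empty auth part cleanly.
build_dropbear_args() {
  mode="$1"
  users="$2"
  # shellcheck disable=SC2046  # splitting is intended here
  set -- $(dropbear_key_args "$mode") -m $(dropbear_auth_args "$users")
  printf '%s' "$*"
}

# What the sourced file would actually export to S50dropbear:
MODE="runtime"
if [ -f "$FIRSTBOOT_MARKER" ]; then
  MODE="firstboot"
fi
DROPBEAR_ARGS="$(build_dropbear_args "$MODE" "$(count_key_users /home)")"
export DROPBEAR_ARGS
```

Because the file is sourced rather than executed, everything above runs inside the init script's shell, so the functions stay POSIX and avoid bashisms. Keeping -r at runtime is what makes a host-key mismatch warning on a client meaningful: if the key were regenerated on every boot, users would learn to ignore that warning.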
- Description updated (diff)
- Status changed from In Progress to Closed
- % Done changed from 10 to 100
Tools added to build and deployed to a PiStore test platform. Users added, ssh keys used for login. Configuration file for dropbear added for extending security.
Code committed and pushed.
Closing issue.