Dropbear configuration

The SSH configuration is handled by the Dropbear subsystem of uci and the configuration file is located in /etc/config/dropbear.

Each dropbear SSH server instance uses a single section of the configuration file, and you can have multiple instances.

The dropbear configuration contains settings for the dropbear SSH server in a single section.

The dropbear section contains these settings. Names are case-sensitive.

Name Type Required Default Description
enable boolean no 1 Set to 0 to disable starting dropbear at system boot.
verbose boolean no 0 Set to 1 to enable verbose output by the start script.
BannerFile string no (none) Name of a file to be printed before the user has authenticated successfully.
PasswordAuth boolean no 1 Set to 0 to disable authenticating with passwords.
Port integer no 22 Port number to listen on.
RootPasswordAuth boolean no 1 Set to 0 to disable authenticating as root with passwords.
RootLogin boolean no 1 Set to 0 to disable SSH logins as root.
GatewayPorts boolean no 0 Set to 1 to allow remote hosts to connect to forwarded ports.
Interface string no (none) Write an interface name, for example lan. With this setting you can limit connections to clients that can reach the IP of this interface. So for example the LAN IP of the interface can only be seen from clients in the LAN network, but not from the WAN in the default firewall configuration. It's used in dropbear's -p option that does the following: “Listen on specified address and TCP port. If just a port is given listen on all addresses. up to 10 can be specified (default 22 if none specified). ”
keyfile list of files no (none) Path to host key file.
rsakeyfile file no (none) Path to RSA host key file. Deprecated. See keyfile.
SSHKeepAlive integer no 300 Keep Alive
IdleTimeout integer no 0 Idle Timeout
mdns integer no 1 Whether to announce the service via mDNS
MaxAuthTries integer no 3 Amount of times you can retry writing the password when logging in before the SSH server closes the connection.
RecvWindowSize integer no 24576 Specify the per-channel receive window buffer size. Increasing this may improve network performance at the expense of memory use.

This is the default configuration:

# uci show dropbear
dropbear.@dropbear[0]=dropbear
dropbear.@dropbear[0].RootPasswordAuth='on'
dropbear.@dropbear[0].PasswordAuth='on'
dropbear.@dropbear[0].Port='22'

Add a second instance of dropbear listening on port 2022.

uci add dropbear dropbear
uci set dropbear.@dropbear[-1].RootPasswordAuth="on"
uci set dropbear.@dropbear[-1].PasswordAuth="off"
uci set dropbear.@dropbear[-1].Port="2022"
uci commit dropbear
service dropbear restart

If you want to connect from internet you need to allow the 2022 port on WAN interface.

Dropbear does not support SFTP by itself. Meanwhile OpenSSH client uses SFTP by default. Use scp -O for the legacy SCP protocol if necessary.

If you do have enough space you can install the SFTP:

opkg update
opkg install openssh-sftp-server
  • Set up public key authentication and disable password authentication if possible.
  • Set up a VPN to avoid exposing SSH to the internet as a single critical vulnerability may be enough for a remote attacker to gain root access.

Problems facing with a public SSH:

  • No normal group for users and no normal user.
  • No facility to ban IPs with many failed login attempts.
  • File system permissions are very lax on default OpenWrt.
  • Preventing normal users from exploiting BusyBox to gain access to root only commands due to missing permissions for symlinks.
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2023/12/29 08:14
  • by stokito