---
categories: ['OpenWRT','System']
date: 2020-09-20T12:02:05+02:00
description: "Install OpenSSH to replace Dropbear, on OpenWRT"
draft: false
tags: ['OpenWRT','OpenSSH','SSH']
title: "OpenWRT: OpenSSH instead of Dropbear"
translationKey: "openwrt-openssh"
---

## Description

Dropbear is the default SSH server on OpenWRT. Even though this lightweight server only speaks SSH protocol v2, it has some gaps:

* Partial support of the SFTP protocol: you need to add the **openssh-sftp-server** package
* No user privilege separation
* No official support for cryptographic modules approved under **FIPS 140-2** *(although in our particular context, it is not a necessity)*
* Only since version **2020.79** does Dropbear seem to support the elliptic-curve algorithms (this is not the case for the previous versions, including those shipped before OpenWRT 19.07.4):
  * the **ed25519** host key
  * the **chacha20-poly1305** cipher
  * or even the **rsa-sha2** key signatures

## Installation

```ash
# /etc/init.d/sshd enable
# /etc/init.d/sshd start
```

{{< note info >}}
The **openssh-moduli** package is not strictly necessary. As a reminder, the `/etc/ssh/moduli` file contains the prime numbers and generators used by the SSH server in the {{< abbr DH "Diffie-Hellman" >}} group key exchange method. Prefer to install it…
{{< /note >}}

## Configuration

### Dropbear configuration

Let's leave the default port on Dropbear. However, you can configure it, either through the LuCI interface or on the CLI, like this:

```ash
# uci set dropbear.@dropbear[0].Port=xxx
# uci commit dropbear
# /etc/init.d/dropbear restart
```

- *xxx*: the port number of your choice,
and connect on this port…

### OpenSSH configuration

* Configuration file: `/etc/ssh/sshd_config`

---

ABSOLUTELY apply the following recommendations:

* use **only** the v2 protocol,
* **do not connect with the root account**,
* disable the **PasswordAuthentication** option,
* use **only** the **PubkeyAuthentication** option.

---

Now, we harden the configuration:

* {{< inside2 a="recreate-host-keys" l="sec/ssh/sshd-harden" t="recreate the host keys" >}}, and allow **only** the **Ed25519** algorithm.

  {{< note info >}}
  When OpenSSH starts, it will recreate the **ECDSA** keys.
  {{< /note >}}

* allow **only**:
  * strong {{< inside2 a="ciphers" l="sec/ssh/sshd-harden" t="encryption" >}},
  * the following algorithms:
    * {{< inside2 a="KeyExchange" l="sec/ssh/sshd-harden" t="key exchange" >}}
    * {{< inside2 a="HostKeyAlgorithms" l="sec/ssh/sshd-harden" t="host keys" >}}
    * {{< inside2 a="MACs" l="sec/ssh/sshd-harden" t="message authentication codes" >}}

{{< note warning >}}
The **sk-ssh-ed25519@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com** host key algorithms do not seem to be recognized; **do not use them!**
{{< /note >}}

#### moduli

If you installed the **openssh-moduli** package, prefer to accept only {{< abbr DH "Diffie-Hellman" >}} key exchange groups of 3072 bits or more.
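Before touching `/etc/ssh/moduli` by hand, here is an added POSIX shell helper (not part of the original post) that applies the same cut-off on the 5th column of the file, writes the result through a temporary file and refuses to install an empty one; the moduli lines it embeds are constructed samples, not real primes.

```shell
#!/bin/sh
# Added example, not code from the original post: keep only the Diffie-Hellman
# groups of at least 3072 bits in an OpenSSH moduli file. In /etc/ssh/moduli the
# 5th column is the group size minus one (3071 means a 3072-bit group), which is
# why the threshold is 3071 and not 3072.
MIN_SIZE=3071

# count_groups FILE: number of usable (non-comment) entries in a moduli file.
count_groups() {
    awk '!/^#/ && NF >= 7 { n++ } END { print n + 0 }' "$1"
}

# smallest_group FILE: size in bits of the smallest group left, 0 when none.
smallest_group() {
    awk '!/^#/ && NF >= 7 && (min == "" || $5 < min) { min = $5 }
         END { print (min == "" ? 0 : min + 1) }' "$1"
}

# filter_moduli SRC DST: write the filtered copy to DST.tmp, then rename it, so
# an interrupted run never leaves a truncated moduli file behind. Returns 2 (and
# writes nothing) when no group survives the cut.
filter_moduli() {
    src="$1"; dst="$2"
    [ -r "$src" ] || { echo "filter_moduli: cannot read $src" >&2; return 1; }
    awk -v min="$MIN_SIZE" '/^#/ { print; next } NF >= 7 && $5 >= min' \
        "$src" > "$dst.tmp" || return 1
    if [ "$(count_groups "$dst.tmp")" -eq 0 ]; then
        rm -f "$dst.tmp"
        echo "filter_moduli: no group of $((MIN_SIZE + 1)) bits or more in $src" >&2
        return 2
    fi
    mv "$dst.tmp" "$dst"
}

# write_sample_moduli FILE: a constructed file in the moduli format
# (time type tests tries size generator modulus). The moduli are dummy hex
# strings, NOT real safe primes; they only exercise the filter.
write_sample_moduli() {
    cat > "$1" <<'EOF'
# constructed sample, not real moduli
20200920120205 2 6 100 2047 2 DEADBEEF0001
20200920120205 2 6 100 3071 2 DEADBEEF0002
20200920120205 2 6 100 4095 5 DEADBEEF0003
20200920120205 2 6 100 6143 2 DEADBEEF0004
EOF
}
```

On the router, `filter_moduli /etc/ssh/moduli /etc/ssh/moduli` (as root, after the backup described below) replaces the file in place.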
Let's save the file first, just in case:

```ash
# cp /etc/ssh/moduli /etc/ssh/moduli.bckp
# chmod 0400 /etc/ssh/moduli.bckp
```

Then, you need to {{< inside2 a="moduli--linux" l="sec/ssh/sshd-harden" t="recreate" >}} it.

{{< note tip >}}
If you have correctly configured a user with {{< inside2 l="sys/openwrt/sudo" t="sudo" >}} rights:

```ash
$ sudo awk '$5 >= 3071' /etc/ssh/moduli | sudo tee /etc/ssh/moduli.safe
$ sudo mv /etc/ssh/moduli.safe /etc/ssh/moduli
```
{{< /note >}}

#### TL;DR

Here is a minimal example of the configuration file:

```cfg
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

PermitRootLogin no
MaxAuthTries 3
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no

Subsystem sftp /usr/lib/sftp-server
```

{{< note warning >}}
Have you set the **ListenAddress** option?
Forget it, or you win a {{< anchor "race condition" "race condition" >}}!
{{< /note >}}

---

## Service management

### OpenSSH service

Voilà, now connect… but first test the configuration before starting the service:

`# sshd -t`

If the configuration is valid:

```ash
# /etc/init.d/sshd enable
# /etc/init.d/sshd start
```

### Dropbear service

Now, it's possible to stop and disable the Dropbear service:

```ash
# /etc/init.d/dropbear stop
# /etc/init.d/dropbear disable
```

---

## Backup system

Normally, the `/etc/ssh` directory and its contents are included in the backup made by the `sysupgrade` tool. To check:

`# sysupgrade -l | grep ssh`

If that is not the case, edit the `/etc/sysupgrade.conf` file to add this folder.

## Troubleshooting

### Race condition

⇒ Not possible to connect after reboot: have you set the `ListenAddress` option in the configuration file? If yes, {{< color red >}}comment out the corresponding line{{< /color >}}. OpenSSH cannot start because of a race condition: when you specify this option, OpenSSH runs fine when you start it from the CLI, but during a (re)boot it fails because the network interface(s) are not ready yet! So do not specify this option, and configure your firewall to allow only your LAN network interface instead.

*[source](https://forum.openwrt.org/t/luci-https-not-working-after-upgrade-to-19-7-4/74352/16)*

## Documentation

### Wikipedia

- {{< wp "Comparison_of_SSH_servers" en >}}, {{< wp "FIPS_140-2" en >}}
- {{< wp "Race_condition" en >}}

---
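To check a candidate `sshd_config` against the points of this post (root login, password authentication, the `ListenAddress` race at boot, the unrecognised `sk-ssh-ed25519` host keys, unrestricted algorithm lists) before running `sshd -t`, here is an added POSIX shell helper; it is not part of the original post, and the two configuration files it embeds are constructed samples.

```shell
# Added example, not code from the original post: audit an sshd_config against
# the points made in this post before running "sshd -t". Assumes "Key value"
# lines; like sshd, only the first uncommented occurrence of a keyword counts.
# setting FILE KEY: value of KEY (case-insensitive), empty when absent.
setting() {
    awk -v key="$2" '!/^[[:space:]]*#/ && NF >= 2 && tolower($1) == tolower(key) { print $2; exit }' "$1"
}
# audit_sshd_config FILE: print each violation, return their number (0 = clean).
audit_sshd_config() {
    cfg="$1"; bad=0; fail() { echo "FAIL: $*"; bad=$((bad + 1)); }
    [ "$(setting "$cfg" PermitRootLogin)" = "no" ] \
        || fail "PermitRootLogin must be 'no': do not connect with the root account"
    [ "$(setting "$cfg" PasswordAuthentication)" = "no" ] \
        || fail "PasswordAuthentication must be 'no': public keys only"
    [ "$(setting "$cfg" PubkeyAuthentication)" != "no" ] \
        || fail "PubkeyAuthentication must stay enabled"
    # Boot-time race: a ListenAddress on an interface that is not up yet makes
    # sshd fail at (re)boot; leave it unset and restrict access in the firewall.
    [ -z "$(setting "$cfg" ListenAddress)" ] \
        || fail "ListenAddress is set: sshd may not start after a reboot, remove it"
    case "$(setting "$cfg" HostKeyAlgorithms)" in   # sk-* host keys not recognised
        *sk-ssh-ed25519*) fail "HostKeyAlgorithms lists sk-ssh-ed25519: do not use it" ;;
    esac
    # Without an explicit list sshd falls back to its default algorithm set.
    for key in Ciphers KexAlgorithms HostKeyAlgorithms MACs; do
        [ -n "$(setting "$cfg" "$key")" ] || fail "$key is not restricted"
    done
    return "$bad"
}
write_hardened_config() {   # constructed sample matching this post, not a real file
    cat > "$1" <<'EOF'
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
EOF
}
write_weak_config() {   # constructed: root login, passwords, a ListenAddress, an sk-* key
    cat > "$1" <<'EOF'
ListenAddress 192.168.1.1
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
HostKeyAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519
EOF
}
```

On the router, `audit_sshd_config /etc/ssh/sshd_config` lists what still needs fixing; an exit status of 0 means every point above is covered.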