【安全与加密】dropbear

dropbear

dropbear可以代替我们系统中的openssh服务


dropbear编译安装和文件完整性检查

因为系统自带的ssh是来自于openssh

有些场景不使用openssh,或者我们需要自己制作一个小型的ssh系统

对于这类需求,dropbear是个不错的选择

dropbear官网

下载(下载完成后应核对官网提供的签名或校验和,确认tar包完整无误再解压):

wget https://matt.ucc.asn.au/dropbear/releases/dropbear-2019.78.tar.bz2

解压缩:

tar xvf dropbear-2019.78.tar.bz2

安装必要组件:

# gcc

查看README:

cat README 

...

To run the server, you need to generate server keys, this is one-off:
./dropbearkey -t rsa -f dropbear_rsa_host_key
./dropbearkey -t dss -f dropbear_dss_host_key
./dropbearkey -t ecdsa -f dropbear_ecdsa_host_key

...
# 编译完了记得生成key

查看INSTALL:

cat INSTALL
...
- Configure for your system:
  ./configure     (optionally with --disable-zlib or --disable-syslog,
                  or --help for other options)

- Compile:

  make PROGRAMS="dropbear dbclient dropbearkey dropbearconvert scp"

- Optionally install, or copy the binaries another way

  make install (/usr/local/bin is usual default):

  or

  make PROGRAMS="dropbear dbclient dropbearkey dropbearconvert scp" install # 之后要用到

# 安装方法

查看安装路径用./configure --help 来实现:

./configure --help

...
Installation directories:
  --prefix=PREFIX         install architecture-independent files in PREFIX
                          [/usr/local] # 默认是安装在/usr/local下,我们要将其安装在/app/dropbear
                         
  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
                          [PREFIX]

By default, `make install' will install all the files in
`/usr/local/bin', `/usr/local/lib' etc.  You can specify
an installation prefix other than `/usr/local' using `--prefix',
for instance `--prefix=$HOME'.

For better control, use the options below.

Fine tuning of the installation directories:
  --bindir=DIR            user executables [EPREFIX/bin]
  --sbindir=DIR           system admin executables [EPREFIX/sbin]
  --libexecdir=DIR        program executables [EPREFIX/libexec]
  --sysconfdir=DIR        read-only single-machine data [PREFIX/etc] # 指定配置文件安装路径
  --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
  --localstatedir=DIR     modifiable single-machine data [PREFIX/var]

指定安装路径、配置文件路径:

[root@localhost dropbear-2019.78]#./configure --prefix=/app/dropbear --sysconfdir=/etc/dropbear 

# 安装路径为/app/dropbear;配置文件路径为/etc/dropbear

查看configure是否执行成功(退出码为0表示成功):

[root@localhost dropbear-2019.78]#echo $?
0
# 成功

执行make编译并安装(前面INSTALL中已给出make命令),由gcc完成编译:

 make PROGRAMS="dropbear dbclient dropbearkey dropbearconvert scp" install
 
 
 # 再次执行 make PROGRAMS="dropbear dbclient dropbearkey dropbearconvert scp" install 时,会将编译好的程序和手册页复制到我们指定的安装目录
 
 [root@localhost dropbear-2019.78]# make PROGRAMS="dropbear dbclient dropbearkey dropbearconvert scp" install
install -d /app/dropbear/sbin
install dropbear /app/dropbear/sbin
install -d /app/dropbear/share/man/man8
install -m 644 ./dropbear.8 /app/dropbear/share/man/man8/dropbear.8
install -d /app/dropbear/bin
install dbclient /app/dropbear/bin
install -d /app/dropbear/share/man/man1
if test -e dbclient.1; then install -m 644 dbclient.1 /app/dropbear/share/man/man1/dbclient.1; fi
install -d /app/dropbear/bin
install dropbearkey /app/dropbear/bin
install -d /app/dropbear/share/man/man1
if test -e dropbearkey.1; then install -m 644 dropbearkey.1 /app/dropbear/share/man/man1/dropbearkey.1; fi
install -d /app/dropbear/bin
install dropbearconvert /app/dropbear/bin
install -d /app/dropbear/share/man/man1
if test -e dropbearconvert.1; then install -m 644 dropbearconvert.1 /app/dropbear/share/man/man1/dropbearconvert.1; fi
install -d /app/dropbear/bin
install scp /app/dropbear/bin
install -d /app/dropbear/share/man/man1
if test -e scp.1; then install -m 644 scp.1 /app/dropbear/share/man/man1/scp.1; fi

查看是否成功:

[root@localhost dropbear-2019.78]#tree /app/dropbear/
/app/dropbear/
├── bin # 客户端程序
│   ├── dbclient
│   ├── dropbearconvert
│   ├── dropbearkey
│   └── scp
├── sbin	# 服务器程序
│   └── dropbear
└── share
    └── man
        ├── man1
        │   ├── dbclient.1
        │   ├── dropbearconvert.1
        │   └── dropbearkey.1
        └── man8
            └── dropbear.8

6 directories, 9 files

添加一下PATH变量,再生成KEY:

[root@localhost dropbear-2019.78]#vim /etc/profile.d/dropbear.sh

  PATH=/app/dropbear/bin:/app/dropbear/sbin:$PATH

# 执行一遍
[root@localhost dropbear-2019.78]#. /etc/profile.d/dropbear.sh
# 检查是否添加成功
[root@localhost dropbear-2019.78]#echo $PATH 
/app/dropbear/bin:/app/dropbear/sbin:/apps/httpd24/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
# 成功

生成的KEY放在配置目录中:

# 配置目录位置在/etc/dropbear
# 此时还没有自动创建该目录,我们先手动创建一下(mkdir /etc/dropbear)

# 更改下输出路径,把key写到配置目录
./dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key
./dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key
./dropbearkey -t ecdsa -f /etc/dropbear/dropbear_ecdsa_host_key


# 查看(主机私钥应仅root可读,必要时用chmod 600收紧权限)
[root@localhost dropbear-2019.78]#ls /etc/dropbear/
dropbear_dss_host_key  dropbear_ecdsa_host_key  dropbear_rsa_host_key
# 成功

更改dropbear监听端口(因为默认端口是22,而22已是openssh监听的端口,会冲突,所以我们另设端口),然后用ssh客户端连接测试;首次连接时先核对提示的主机密钥指纹与服务器端生成的主机密钥一致,再回答yes:

[root@localhost dropbear]#dropbear -p 9527

# 检查是否监听成功
[root@localhost dropbear]#ss -nlt
State      Recv-Q Send-Q        Local Address:Port		Peer Address:Port   
LISTEN     0      128                       *:22		*:*                  
LISTEN     0      128                    [::]:9527		[::]:*  

[root@localhost dropbear]#ss -nltp
LISTEN     0      128                    [::]:9527		[::]:*	users:(("dropbear",pid=25109,fd=4))


[root@localhost dropbear]#ssh 192.168.33.128 -p 9527
The authenticity of host '[192.168.33.128]:9527 ([192.168.33.128]:9527)' can't be established.
ECDSA key fingerprint is SHA256:fPJ/3EruwjWxFv6VYdB85t7+Q9CX3bL8qqaCU4xJPyk.
ECDSA key fingerprint is MD5:87:d2:6d:75:e4:4f:9f:ef:1c:73:a6:49:85:be:1f:6d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.33.128]:9527' (ECDSA) to the list of known hosts.
root@192.168.33.128's password: 

scp命令失败解决方案:

[root@localhost ~]#scp /etc/fstab 192.168.33.129:/data
/usr/bin/dbclient: No such file or directory
lost connection
# 查看信息可以知道,scp命令默认是去/usr/bin/下找dbclient

# 解决方案:创建一个软链接/usr/bin/dbclient,指向/app/dropbear/bin/dbclient

[root@localhost ~]#ln -s /app/dropbear/bin/dbclient /usr/bin/dbclient

# 检查
[root@localhost bin]#ll /usr/bin/dbclient
lrwxrwxrwx 1 root root 26 May 22 15:59 /usr/bin/dbclient -> /app/dropbear/bin/dbclient

# 重新传
[root@localhost bin]#scp /etc/fstab 192.168.33.129:/data
root@192.168.33.129's password:
# 成功

dropbear的删除步骤:

[root@localhost bin]#pwd
/app/dropbear/bin
[root@localhost bin]#rm -rf /app/dropbear/
[root@localhost bin]#ll /usr/bin/dbclient
lrwxrwxrwx 1 root root 26 May 22 15:59 /usr/bin/dbclient -> /app/dropbear/bin/dbclient
[root@localhost bin]#rm -f /usr/bin/dbclient 
[root@localhost bin]#cd /etc/dropbear/
[root@localhost dropbear]#ls
dropbear_dss_host_key  dropbear_ecdsa_host_key  dropbear_rsa_host_key
[root@localhost dropbear]#rm -rf /etc/dropbear/
[root@localhost dropbear]#rm -rf /etc/profile.d/dropbear.sh 
[root@localhost dropbear]#cd /data/
[root@localhost data]#ls
app.csr  dropbear-2019.78  dropbear-2019.78.tar.bz2  httpd-2.4.39  httpd-2.4.39.tar.gz  my_pub_key
[root@localhost data]#rm -rf dropbear*

删除后scp命令的缓存路径错误:

[root@localhost data]#scp /etc/passwd 192.168.33.129:/data
-bash: /app/dropbear/bin/scp: No such file or directory
# scp 命令记住的路径仍然是原来dropbear安装目录下的scp

[root@localhost data]#which scp
/usr/bin/scp
# 但其指向信息无误

# 原因是bash在内存中缓存了命令路径(hash表),旧路径仍然记录在里面
[root@localhost data]#hash
hits	command
   5	/usr/bin/rm
   1	/usr/bin/ln
   3	/app/dropbear/bin/scp
   7	/usr/bin/ls
# 执行过的外部命令路径会记录在hash缓存中;退出当前shell会话后缓存会自动清空,但我们也可以手动删除该条目
[root@localhost data]#hash -d scp
[root@localhost data]#hash
hits	command
   5	/usr/bin/rm
   1	/usr/bin/ln
   7	/usr/bin/ls
# 测试
[root@localhost data]#scp /etc/passwd 192.168.33.129:/data
root@192.168.33.129's password: 

# 成功


转载自blog.csdn.net/FlamencaH/article/details/106505698