Build and configure dropbear for using only ssh-ed25519 host key type

Hi everyone.
I've built dropbear with curve25519 and all options that belong to it (elliptic curve cryptography, full support).
I burned this firmware to the router, tested ssh at https://www.sshaudit.com/ and saw that dropbear only supports the "ecdsa-sha2-nistp256" and "ssh-rsa (2048-bit)" host key types. How can I configure dropbear to use only the "ssh-ed25519" host key type?


Can you post the full error and where it came from? UCI? The LuCI web interface? My guess is the service script for dropbear might need changing:

https://github.com/openwrt/openwrt/blob/a017773a92d624142a78452bc0c00e6bc6523967/package/network/services/dropbear/files/dropbear.init#L69

I don't have any error. I'm concerned that, according to ssh-audit, my dropbear ssh server supports only these host key types (which may have security problems):

ecdsa-sha2-nistp256
ssh-rsa (2048-bit)

And I can't figure out how to enable the ssh-ed25519 host key type.
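As an added example, not from this thread, OpenWrt or the dropbear project: the check ssh-audit performed on the router above comes down to reading the server's first binary packet, SSH_MSG_KEXINIT, and inspecting its server_host_key_algorithms name-list. The script below parses that message using the RFC 4253 layout and reports whether ssh-ed25519 is offered. build_kexinit and the two sample algorithm lists are constructed fixtures (one mirroring what the poster saw, one with ed25519 enabled); fetch_kexinit is an assumed helper for pointing the same parser at a real host, and is not exercised offline.

```python
"""Inspect the host key algorithms an SSH server advertises in its KEXINIT."""
import socket
import struct
import sys

SSH_MSG_KEXINIT = 20
# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
NAME_LISTS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)


def parse_kexinit(payload: bytes) -> dict:
    """Decode the name-lists from a KEXINIT payload into {field: [algorithms]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos = 1 + 16  # message id byte followed by the 16-byte random cookie
    fields = {}
    for name in NAME_LISTS:
        if pos + 4 > len(payload):
            raise ValueError("truncated KEXINIT")
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        raw = payload[pos:pos + length]
        if len(raw) != length:
            raise ValueError("truncated name-list")
        pos += length
        fields[name] = [a for a in raw.decode("ascii").split(",") if a]
    return fields


def build_kexinit(**lists) -> bytes:
    """Build a KEXINIT payload from name-lists (constructed fixture, offline use)."""
    out = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16  # zero cookie is fine for a fixture
    for name in NAME_LISTS:
        raw = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    out += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows=False, reserved=0
    return out


def host_key_report(payload: bytes) -> dict:
    """Summarise the host key algorithms a server offers and flag weak-only setups."""
    algs = parse_kexinit(payload)["server_host_key_algorithms"]
    return {
        "offered": algs,
        "ed25519": "ssh-ed25519" in algs,
        "ecdsa_nist": [a for a in algs if a.startswith("ecdsa-sha2-nistp")],
        # ssh-rsa alone means RSA signatures with SHA-1; rsa-sha2-* would be the SHA-2 variants.
        "rsa_sha1_only": "ssh-rsa" in algs
        and not any(a in algs for a in ("rsa-sha2-256", "rsa-sha2-512")),
    }


def fetch_kexinit(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Assumed helper: read a live server's identification line and KEXINIT payload."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        sock.sendall(b"SSH-2.0-hostkeycheck\r\n")
        while True:  # servers may send banner lines before the SSH- identification
            line = stream.readline()
            if not line:
                raise ConnectionError("no identification string received")
            if line.startswith(b"SSH-"):
                break
        packet_len, padding_len = struct.unpack(">IB", stream.read(5))
        body = stream.read(packet_len - 1)  # payload + padding (no MAC before key exchange)
        return body[:packet_len - 1 - padding_len]


# Constructed fixtures: what the poster's router advertised, and the desired state.
ROUTER_AS_SEEN = build_kexinit(server_host_key_algorithms=["ecdsa-sha2-nistp256", "ssh-rsa"])
ROUTER_WANTED = build_kexinit(server_host_key_algorithms=["ssh-ed25519"])

if __name__ == "__main__":
    payload = fetch_kexinit(sys.argv[1]) if len(sys.argv) > 1 else ROUTER_AS_SEEN
    print(host_key_report(payload))
```

Run it with no arguments to see the report for the constructed fixture, or pass a hostname to read the KEXINIT from a real server; a report with "ed25519": False and "rsa_sha1_only": True corresponds to the sshaudit.com result the poster described.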

Re-reading the dropbear init script, you might just need to generate the 25519 host key file and reload/restart dropbear.

If that's what it is, /usr/bin/dropbearkey with some switches/flags should be able to create that for you.

Did you manage to get this working?

Hi.
No, I couldn't.

root@OpenWrt:~# /usr/bin/dropbearkey -t ed25519 -f /tmp/dropbear_hostkey_ed25519
Unknown key type 'ed25519'
I couldn't generate an ed25519 host key with dropbearkey. I heard that I can generate the host key outside OpenWrt, convert it to dropbear format and copy it to the router. Is that correct? How can I do that?

Your thread got my interest; I tried and got the same error with dropbearkey as well.

There looks to be active development on the GitHub project (https://github.com/mkj/dropbear/pull/91); once that gets merged and filters through to the next OpenWrt build, it would definitely be worth a try.