Replace Dropbear with OpenSSH

I would recommend replacing Dropbear with OpenSSH in LEDE firmware images.

OpenSSH can be a bit too big for certain routers.
Dropbear has a pretty small footprint.

Why? Is there a special reason?

OpenSSH supports SFTP and it's a more standard SSH client/server.
I know that it needs more space too..

You can install the openssh SFTP server package if you need SFTP. Dropbear is compatible with it.

OpenSSH supports Ed25519 and ECDSA keys and ciphersuites. But you could leave Dropbear for password login in LAN and set OpenSSH on WAN for key-only logins.
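A key-only WAN listener as suggested in the post above only holds if sshd actually resolves `PasswordAuthentication` to `no`. The following check is an added example, not part of the thread and not LEDE or OpenSSH code; the function names `effective_value` and `key_only` and the sample configs are hypothetical, and it assumes only the global section of a single file matters (no `Match` blocks, no `Include`).

```shell
#!/bin/sh
# Added example (not from the thread): check that an sshd_config enforces
# key-only login. Scope is an assumption: global section only, no Include.

# effective_value FILE KEYWORD DEFAULT
# Prints the value sshd would use: the FIRST occurrence of a keyword wins,
# keywords are case-insensitive, and "Keyword=value" is accepted.
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }
        /^#/ || NF == 0 { next }            # comments and blank lines
        tolower($1) == "match" { exit }     # stop at the first Match block
        tolower($1) == key { val = tolower($2); exit }
        END { print (val != "" ? val : def) }
    ' "$1"
}

# key_only FILE: succeeds only if password login is off and public-key
# login is on. Both keywords default to "yes" when absent.
key_only() {
    [ "$(effective_value "$1" PasswordAuthentication yes)" = no ] &&
        [ "$(effective_value "$1" PubkeyAuthentication yes)" = yes ]
}

# Constructed sample configs, written to a temp directory.
SAMPLES=$(mktemp -d)
printf '%s\n' 'Port 2222' 'PasswordAuthentication no' \
    'PubkeyAuthentication yes' > "$SAMPLES/wan_ok"
# Pitfall: the later "no" is ignored because the first value wins.
printf '%s\n' 'passwordauthentication=yes' '# hardening' \
    'PasswordAuthentication no' > "$SAMPLES/wan_shadowed"
# Pitfall: the setting is commented out, so the default (yes) applies.
printf '%s\n' '# PasswordAuthentication no' 'Port 22' > "$SAMPLES/wan_default"

for f in wan_ok wan_shadowed wan_default; do
    if key_only "$SAMPLES/$f"; then
        echo "$f: key-only"
    else
        echo "$f: NOT key-only"
    fi
done
```

On a router, point `key_only` at the config the WAN-facing sshd is started with instead of the sample files.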

You can enable DROPBEAR_CURVE25519.

It's not default and you have to compile your own package. And I didn't manage to run Dropbear on different interfaces on different ports with different auth mechanisms (i.e. it cannot bind to an OpenVPN interface on a specific port). OpenSSH is more flexible and, if you don't compile your own image, easier to install.

Dropbear is perfectly fine for an embedded system with occasional SSH for configuration of an embedded router that needs small-footprint binaries, and by default it is configured to allow connections only from LAN... If someone needs to use OpenSSH for SCP (SFTP) support, or even to have more keys/ciphers and allow connections from WAN, they are free to replace Dropbear with it in their system at any time...

It would be great to have a spare wheel on a bike like cars do, but just some riders will want to have it.

Dropbear cannot support sshfs; OpenSSH with SFTP can.

Yes, @Borromini told you that it is supported; just do:

opkg update
opkg install openssh-sftp-server

and you are done: no configuration, no requirement to install bigger packages.

see: https://wiki.openwrt.org/doc/howto/sftp.server
and: https://wiki.openwrt.org/inbox/replacingdropbearbyopensshserver

OpenSSH is just too big :wink: , no one will want to replace it by default on LEDE builds. You can build your own images with OpenSSH if you like, but it is the same story if someone wants every build without LuCI... or with Asterisk packages, etc... You are free to make your own fork; LEDE is a flavor for open purposes, not just one. :slight_smile:

No need for a fork, just build your own images, it's not hard.

Limited flash and RAM necessitate compromises in the default config. The Devs have generally made sensible choices that will suit the majority.

Hi slh.

This information pleases me a lot :clap:
As a newcomer to the LEDE Project, can you help me declare this curve in Dropbear?

Thx
cyann

You can simply enable it with the following line in .config and re-compiling your own source:

CONFIG_DROPBEAR_CURVE25519=y

Thank you for the help, phuque99.

But for the moment, as a newcomer, I don't really feel comfortable with such a task as re-compiling sources :smirk:

Regards

You don't need to RECOMPILE, you need to REBUILD using precompiled packages... it is very easy and fast to do it.

If you are interested take a look at my notes about: https://gist.github.com/braian87b/4a9048dcc2e2fd244f7d44b8896b7ccc

Sorry, but to get that non-default compile-time option CONFIG_DROPBEAR_CURVE25519 activated in the compiled dropbear package, you DO need to re-compile dropbear.

But you could build your own images with OpenSSH, and remove dropbear...

If you have a Debian server it's not hard. This guide explains how:

See my comment at the bottom. Also note that LuCI (the web server for the GUI) and some other packages aren't selected by default.