4

I'd like to use dropbear as an alternative, minimal ssh-server and -client. dropbear allows the use of private-public-keys for ssh-access, although the keys are not identical to the ones used by openssh and have to be converted using the dropbearconvert-command (which is easy to do).

The issue I'm having is that dropbear doesn't natively support encrypted private keys. But leaving unencrypted ssh-keys on my laptop is something I'd like to avoid out of principle.

Therefore my question: does anyone have any good ideas on how to circumvent that issue and have a method (script?) that:

  • decrypts the keys I use for dropbear (e.g. using gnupg) and loads them into memory,
  • passes them to the dbclient-binary (the dropbear-client-application), and
  • starts the ssh-connection

In addition I'd like to know if an alternative to the ssh-config option (especially the ones for Host) exists for dropbear (and therefore if it is possible to create a host-specific config file for dropbear where I can specify e.g. the IP-address, the port and other details).

Improve this question

1 Answer 1

Reset to default
3

It appears that dbclient is entirely willing to read the private key from a named pipe or FIFO.

So with bash's process substitution, you can write:

dbclient -i <(cat .ssh/id_dropbear) user@server

So if you have a GPG encrypted .ssh/id_dropbear.gpg, you can write it as:

dbclient -i <(gpg --decrypt .ssh/id_dropbear.gpg) user@server

And after entering your decryption password, dbclient logs in using your GPG encrypted private key. So that part works fine.

The main issue here is that if you already stored .ssh/id_dropbear unencrypted before that, it could be recovered forensically. To encrypt a key on the fly from dropbearconvert, you can apply the same principle:

$ dropbearconvert openssh dropbear \
    .ssh/id_openssh >(gpg --symmetric --output .ssh/id_dropbear.gpg)
Key is a ssh-rsa key
Wrote key to '/dev/fd/63'

But it does not seem to be too useful in practice, since dropbearconvert also offers only very limited support for OpenSSH's encrypted private keys. For this example I had to specially create an OpenSSH key that dropbearconvert understands...

Unfortunately, this trick does not seem to work at all for the dropbearkey command, which for some reason insists on writing to a temporary file and renaming it, circumventing the pipe entirely.

Thus it appears you have no choice but to generate the private key in tmpfs first (like in /dev/shm or from a live cd), and encrypt it from there.

Improve this answer
2
  • thanks for your answer, that works great! Just one thing: for process substitution it's necessary to set +o posix since otherwise this will result in the following error message: -bash: syntax error near unexpected token `('. Commented Oct 4, 2020 at 20:11
  • There is also a nice answer on the topic of Sensitive data in process substitution so this approach can still be considered somewhat less secure than what openssh client does internally. Commented Oct 4, 2020 at 20:18

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.