In my case, I generated a new ecdsa key with ssh-keygen -t ecdsa which dropbear supports fine, and is more secure.īecause ed25519 is purportedly more secure than ecdsa (but not supported by my dropbear version, apparently), I also generated ssh-keygen -t ed25519įor both of these keys, I used the exact same passphrase as my id_rsa key, so I can add them all to ssh-agent with one password. If your server name is legacy_or_, for instance, then:Ī more secure and right option, though, is to generate new keys. Or if you don't have an entry for that host yet, make one. I believe there is both an easy way and a right way to solve this.Īn easy but less-than-secure workaround: add the following to your legacy host(s) in ~/.ssh/config: PubkeyAcceptedKeyTypes=ssh-rsa Turns out this is due to new crypto policies in Fedora 33. Legacy OpenSSH servers might exhibit this problem as well. When I passed the -v flag to the ssh client to get more verbosity, I read send_pubkey_test: no mutual signature algorithm in response to my public key. Spent a few days this week trying to figure out why I could no longer ssh into one of my servers without a password, using my normal 3072-bit RSA id_rsa.pub.
This subreddit is not affiliated with or endorsed by the Fedora Project. The progress meter isn't compiled in to save space, you can enable it byĪdding 'SCPPROGRESS=1' to the make commandline.A community for users, developers and people interested in the Fedora Project and news and information about it. Of the ssh binary, specified by _PATH_SSH_PROGRAM in options.h.
You can compile it with "make scp", you may want to change the path The Dropbear distribution includes a standalone version of OpenSSH's scp Shadow passwords will also be unusable as non-root. Pty, and you cannot login as any user other than that running the daemon If the server is run as non-root, you most likely won't be able to allocate a etc/dropbear/ exists and then pass '-R' to the dropbear server. This is preferable to generating keys when the system boots. You can also get Dropbear to create keys when the first connection is made. dropbearconvert openssh dropbear /etc/ssh/ssh_host_dsa_key dropbear_dss_host_key Or alternatively convert OpenSSH keys to Dropbear: dropbearkey -t ecdsa -f dropbear_ecdsa_host_key dropbearkey -t dss -f dropbear_dss_host_key dropbearkey -t rsa -f dropbear_rsa_host_key To run the server, you need to generate server keys, this is one-off: If you want to get the public-key portion of a Dropbear private key, look at If you have an OpenSSH-style private key ~/.ssh/id_rsa, you need to do:ĭropbearconvert openssh dropbear ~/.ssh/id_rsa ~/.ssh/id_rsa.dbĭropbear does not support encrypted hostkeys though can connect to ssh-agent. OpenSSH style keys to Dropbear format, or use dropbearkey to create them. Beware of editors that split the key into multiple lines.ĭropbear supports some options for authorized_keys entries, see the manpage.ĭropbear can do public key auth as a client, but you will have to convert Ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwVa6M6cGVmUcLl2cFzk圎oJd06Ub4bVDsYrWvXhvUV+ZAM9uGuewZBDoAqNKJxoIn0Hyd0Nk/yU99UVv6NWV/5YSHtnf35LKds56j7cuzoQpFIdjNwdxAN0PCET/MG8qyskG/2IE2DPNIaJ3Wy+Ws4IZEgdJgPlTYUBWWtCWOGc= must make sure that ~/.ssh, and the key file, are only writable by the You can use ~/.ssh/authorized_keys in the same way as with OpenSSH, just put Matt the absence of detailed documentation, some notes follow: Please contact me if you have any questions/bugs found/features/ideas/comments etc :) SMALL has some tips on creating small binaries.
Which performs multiple tasks, to save disk space) MULTI has instructions on making a multi-purpose binary (ie a single binary This is Dropbear, a smallish SSH server and client.