【Security and Encryption】dropbear

dropbear

dropbear can replace the openssh service on our system.

Compiling and installing dropbear, and checking file integrity

The ssh that ships with the system comes from openssh.

Some environments do not use openssh, or we need to build a small ssh system of our own.

For such needs, dropbear is a good choice.

dropbear official site

Download:

wget https://matt.ucc.asn.au/dropbear/releases/dropbear-2019.78.tar.bz2
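The heading above mentions checking file integrity but the post shows no command for it. The following is an added example, not part of the original post: it checks the SHA-256 digest of the downloaded tarball before anything is extracted or compiled. EXPECTED_SHA256 is a placeholder, not a real digest; the real value has to come from an independent channel (the release announcement, or the PGP signature the dropbear site publishes next to each tarball), never from the same download alone. The function names sha256_of and verify_sha256 are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: reject a tampered or corrupted
# tarball before it is extracted. EXPECTED_SHA256 is a placeholder; take the
# real digest from the release announcement or verify the .asc signature.

TARBALL="dropbear-2019.78.tar.bz2"
EXPECTED_SHA256="<sha256-from-release-announcement>"   # placeholder, not a real digest

# sha256_of FILE: print the hex SHA-256 of FILE using whichever tool exists
# (GNU coreutils sha256sum, or shasum on BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED: succeed only if the digest matches exactly.
# The comparison is case-insensitive on the hex because tools differ in case.
verify_sha256() {
    actual=$(sha256_of "$1") || return 1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Only extract when the tarball is present and its digest checks out.
if [ -f "$TARBALL" ]; then
    if verify_sha256 "$TARBALL" "$EXPECTED_SHA256"; then
        echo "digest OK, extracting $TARBALL"
        tar xvf "$TARBALL"
    else
        echo "digest MISMATCH for $TARBALL, refusing to extract" >&2
        exit 1
    fi
fi
```

Replace the placeholder with the published digest and run the script in the directory holding the tarball; a mismatch stops the procedure before `tar` runs, which is the point of checking before rather than after extraction.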

Extract:

tar xvf dropbear-2019.78.tar.bz2

Install the required components:

# gcc

Check the README:

cat README 

...

To run the server, you need to generate server keys, this is one-off:
./dropbearkey -t rsa -f dropbear_rsa_host_key
./dropbearkey -t dss -f dropbear_dss_host_key
./dropbearkey -t ecdsa -f dropbear_ecdsa_host_key

...
# remember to generate the keys after compiling

Check INSTALL:

cat INSTALL
...
- Configure for your system:
  ./configure     (optionally with --disable-zlib or --disable-syslog,
                  or --help for other options)

- Compile:

  make PROGRAMS="dropbear dbclient dropbearkey dropbearconvert scp"

- Optionally install, or copy the binaries another way

  make install (/usr/local/bin is usual default):

  or

  make PROGRAMS="dropbear dbclient dropbearkey dropbearconvert scp" install # needed later

# installation method

Use ./configure --help to see the installation paths:

./configure --help

...
Installation directories:
  --prefix=PREFIX         install architecture-independent files in PREFIX
                          [/usr/local] # the default is /usr/local; we will install under /app/dropbear
                         
  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
                          [PREFIX]

By default, `make install' will install all the files in
`/usr/local/bin', `/usr/local/lib' etc.  You can specify
an installation prefix other than `/usr/local' using `--prefix',
for instance `--prefix=$HOME'.

For better control, use the options below.

Fine tuning of the installation directories:
  --bindir=DIR            user executables [EPREFIX/bin]
  --sbindir=DIR           system admin executables [EPREFIX/sbin]
  --libexecdir=DIR        program executables [EPREFIX/libexec]
  --sysconfdir=DIR        read-only single-machine data [PREFIX/etc] # sets the config file install path
  --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
  --localstatedir=DIR     modifiable single-machine data [PREFIX/var]

Specify the install path and the config file path:

[root@localhost dropbear-2019.78]#./configure --prefix=/app/dropbear --sysconfdir=/etc/dropbear 

# install path is /app/dropbear; config file path is /etc/dropbear

Check whether configure succeeded:

[root@localhost dropbear-2019.78]#echo $?
0
# success

Run make to compile (the make install method was shown in INSTALL above); gcc builds the programs:

make PROGRAMS="dropbear dbclient dropbearkey dropbearconvert scp" install

# running make PROGRAMS="dropbear dbclient dropbearkey dropbearconvert scp" install again copies the built files into the directory we specified

[root@localhost dropbear-2019.78]# make PROGRAMS="dropbear dbclient dropbearkey dropbearconvert scp" install
install -d /app/dropbear/sbin
install dropbear /app/dropbear/sbin
install -d /app/dropbear/share/man/man8
install -m 644 ./dropbear.8 /app/dropbear/share/man/man8/dropbear.8
install -d /app/dropbear/bin
install dbclient /app/dropbear/bin
install -d /app/dropbear/share/man/man1
if test -e dbclient.1; then install -m 644 dbclient.1 /app/dropbear/share/man/man1/dbclient.1; fi
install -d /app/dropbear/bin
install dropbearkey /app/dropbear/bin
install -d /app/dropbear/share/man/man1
if test -e dropbearkey.1; then install -m 644 dropbearkey.1 /app/dropbear/share/man/man1/dropbearkey.1; fi
install -d /app/dropbear/bin
install dropbearconvert /app/dropbear/bin
install -d /app/dropbear/share/man/man1
if test -e dropbearconvert.1; then install -m 644 dropbearconvert.1 /app/dropbear/share/man/man1/dropbearconvert.1; fi
install -d /app/dropbear/bin
install scp /app/dropbear/bin
install -d /app/dropbear/share/man/man1
if test -e scp.1; then install -m 644 scp.1 /app/dropbear/share/man/man1/scp.1; fi

Check whether it succeeded:

[root@localhost dropbear-2019.78]#tree /app/dropbear/
/app/dropbear/
├── bin # client programs
│   ├── dbclient
│   ├── dropbearconvert
│   ├── dropbearkey
│   └── scp
├── sbin # server program
│   └── dropbear
└── share
    └── man
        ├── man1
        │   ├── dbclient.1
        │   ├── dropbearconvert.1
        │   └── dropbearkey.1
        └── man8
            └── dropbear.8

6 directories, 9 files

Add the PATH variable, then generate the keys:

[root@localhost dropbear-2019.78]#vim /etc/profile.d/dropbear.sh

  PATH=/app/dropbear/bin:/app/dropbear/sbin:$PATH

# source it once
[root@localhost dropbear-2019.78]#. /etc/profile.d/dropbear.sh
# check that it was added
[root@localhost dropbear-2019.78]#echo $PATH 
/app/dropbear/bin:/app/dropbear/sbin:/apps/httpd24/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin
# success

Generate the keys into the config directory:

# the config directory is /etc/dropbear
# it has not been created automatically at this point, so create it by hand

# point the output path at that directory
./dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key
./dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key
./dropbearkey -t ecdsa -f /etc/dropbear/dropbear_ecdsa_host_key


# check
[root@localhost dropbear-2019.78]#ls /etc/dropbear/
dropbear_dss_host_key  dropbear_ecdsa_host_key  dropbear_rsa_host_key
# success
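The key-generation step above, as an added example that is not part of the original post: it creates the /etc/dropbear directory the post says must be made by hand, generates host keys only when they are missing, restricts the directory to 0700 and the private keys to 0600, and prints each key's fingerprint with `dropbearkey -y` so it can be compared with what a client shows on first connection. The prefix /app/dropbear and key directory /etc/dropbear follow the post; the environment variables DROPBEAR_KEYDIR and DROPBEARKEY and the function names are assumptions of this example. The DSS key is left out on purpose, since DSA host keys are legacy.

```shell
#!/bin/sh
# Added example, not from the original post: create the key directory, generate
# missing host keys, lock down permissions, and print fingerprints. Paths follow
# the post; DROPBEAR_KEYDIR and DROPBEARKEY are assumed override variables.
set -eu

KEYDIR="${DROPBEAR_KEYDIR:-/etc/dropbear}"
DROPBEARKEY="${DROPBEARKEY:-/app/dropbear/bin/dropbearkey}"

# ensure_key_dir DIR: create DIR if needed and make it owner-only (0700).
ensure_key_dir() {
    [ -d "$1" ] || mkdir -p "$1"
    chmod 0700 "$1"
}

# gen_host_key TYPE FILE: generate a TYPE host key at FILE unless one exists,
# then restrict the private key to 0600.
gen_host_key() {
    if [ ! -f "$2" ]; then
        "$DROPBEARKEY" -t "$1" -f "$2" >/dev/null
    fi
    chmod 0600 "$2"
}

# file_mode PATH: print the octal mode (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_key_perms DIR: succeed only if every regular file in DIR is 0600.
# A host key readable by other local users lets them impersonate the server.
check_key_perms() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        [ "$(file_mode "$f")" = "600" ] || return 1
    done
    return 0
}

# show_fingerprints DIR: print each host key's public key and fingerprint
# (dropbearkey -y); the fingerprint format depends on the dropbear version.
show_fingerprints() {
    for f in "$1"/dropbear_*_host_key; do
        if [ -f "$f" ]; then
            "$DROPBEARKEY" -y -f "$f"
        fi
    done
}

# Only touch the real system when the dropbearkey binary is actually present.
if [ -x "$DROPBEARKEY" ]; then
    ensure_key_dir "$KEYDIR"
    gen_host_key rsa   "$KEYDIR/dropbear_rsa_host_key"
    gen_host_key ecdsa "$KEYDIR/dropbear_ecdsa_host_key"
    check_key_perms "$KEYDIR" || echo "warning: loose permissions in $KEYDIR" >&2
    show_fingerprints "$KEYDIR"
fi
```

Keep the fingerprints this prints on the server side: when a client later sees "The authenticity of host ... can't be established" and shows a fingerprint, that value should match before "yes" is typed. Running the script a second time regenerates nothing, so the fingerprints stay stable across reinstalls.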

Change dropbear's listening port (the default is 22, which would conflict with the port sshd already listens on, so we choose another port):

[root@localhost dropbear]#dropbear -p 9527

# check that it is listening
[root@localhost dropbear]#ss -nlt
State      Recv-Q Send-Q        Local Address:Port		Peer Address:Port   
LISTEN     0      128                       *:22		*:*                  
LISTEN     0      128                    [::]:9527		[::]:*  

[root@localhost dropbear]#ss -nltp
LISTEN     0      128                    [::]:9527		[::]:*	users:(("dropbear",pid=25109,fd=4))


[root@localhost dropbear]#ssh 192.168.33.128 -p 9527
The authenticity of host '[192.168.33.128]:9527 ([192.168.33.128]:9527)' can't be established.
ECDSA key fingerprint is SHA256:fPJ/3EruwjWxFv6VYdB85t7+Q9CX3bL8qqaCU4xJPyk.
ECDSA key fingerprint is MD5:87:d2:6d:75:e4:4f:9f:ef:1c:73:a6:49:85:be:1f:6d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.33.128]:9527' (ECDSA) to the list of known hosts.
[email protected]'s password: 
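The `ss -nltp` check above is done by eye. The following is an added example, not part of the original post: it parses `ss -nltp` output and confirms that the process owning the chosen port is dropbear and not something else. SAMPLE_SS is a constructed copy of the post's output (the sshd pid in it is made up) so the check runs offline; without a second argument the function reads the live `ss -nltp`. The function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: confirm which program owns a
# listening port by parsing `ss -nltp`. SAMPLE_SS is constructed from the
# post's output; the sshd pid is made up.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128            *:22               *:*     users:(("sshd",pid=1234,fd=3))
LISTEN 0      128         [::]:9527            [::]:*   users:(("dropbear",pid=25109,fd=4))'

# listener_owner PORT [SS_OUTPUT]: print the name of the process listening on
# PORT on any local address, or fail if nothing listens there. With no second
# argument it runs `ss -nltp` on the live host (needs root to see the owner).
listener_owner() {
    port="$1"
    if [ $# -ge 2 ]; then out="$2"; else out=$(ss -nltp 2>/dev/null); fi
    printf '%s\n' "$out" | awk -v port="$port" '
        $1 == "LISTEN" {
            n = split($4, a, ":")            # "[::]:9527" -> port is the last piece
            if (a[n] != port) next
            if (match($0, /\(\("[^"]+"/))    # users:(("dropbear",pid=...
                print substr($0, RSTART + 3, RLENGTH - 4)
            else
                print "unknown"              # no -p, or not run as root
            found = 1
            exit
        }
        END { if (!found) exit 1 }'
}

# expect_listener PORT NAME [SS_OUTPUT]: succeed only if NAME owns PORT.
expect_listener() {
    port="$1"; name="$2"; shift 2
    owner=$(listener_owner "$port" "$@") || {
        echo "nothing listening on port $port" >&2; return 1; }
    [ "$owner" = "$name" ] || {
        echo "port $port is owned by $owner, not $name" >&2; return 1; }
}

# Offline demonstration on the constructed sample.
expect_listener 9527 dropbear "$SAMPLE_SS" && echo "9527: dropbear, as expected"
expect_listener 22 sshd "$SAMPLE_SS" && echo "22: sshd, as expected"
```

On a live host, `expect_listener 9527 dropbear` after `dropbear -p 9527` gives a yes/no answer suitable for a startup script. Note that the `[::]:9527` socket in the post's output is an IPv6 wildcard; on Linux with the default `net.ipv6.bindv6only=0` it also accepts IPv4 connections, which is why the later `ssh 192.168.33.128 -p 9527` works.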

Fixing a failing scp command:

[root@localhost ~]#scp /etc/fstab 192.168.33.129:/data
/usr/bin/dbclient: No such file or directory
lost connection
# the message shows that scp looks for dbclient under /usr/bin/ by default

# fix: create a symlink there pointing to /app/dropbear/bin/dbclient

[root@localhost ~]#ln -s /app/dropbear/bin/dbclient /usr/bin/dbclient

# check
[root@localhost bin]#ll /usr/bin/dbclient
lrwxrwxrwx 1 root root 26 May 22 15:59 /usr/bin/dbclient -> /app/dropbear/bin/dbclient

# transfer again
[root@localhost bin]#scp /etc/fstab 192.168.33.129:/data
[email protected]'s password:
# success

Steps to remove dropbear:

[root@localhost bin]#pwd
/app/dropbear/bin
[root@localhost bin]#rm -rf /app/dropbear/
[root@localhost bin]#ll /usr/bin/dbclient
lrwxrwxrwx 1 root root 26 May 22 15:59 /usr/bin/dbclient -> /app/dropbear/bin/dbclient
[root@localhost bin]#rm -f /usr/bin/dbclient 
[root@localhost bin]#cd /etc/dropbear/
[root@localhost dropbear]#ls
dropbear_dss_host_key  dropbear_ecdsa_host_key  dropbear_rsa_host_key
[root@localhost dropbear]#rm -rf /etc/dropbear/
[root@localhost dropbear]#rm -rf /etc/profile.d/dropbear.sh 
[root@localhost dropbear]#cd /data/
[root@localhost data]#ls
app.csr  dropbear-2019.78  dropbear-2019.78.tar.bz2  httpd-2.4.39  httpd-2.4.39.tar.gz  my_pub_key
[root@localhost data]#rm -rf dropbear*

Stale cached scp path after removal:

[root@localhost data]#scp /etc/passwd 192.168.33.129:/data
-bash: /app/dropbear/bin/scp: No such file or directory
# the path the shell remembers for scp is still the old one under dropbear

[root@localhost data]#which scp
/usr/bin/scp
# but the resolved location is correct

# the cause is in memory: the shell's hash table still records the old path
[root@localhost data]#hash
hits	command
   5	/usr/bin/rm
   1	/usr/bin/ln
   3	/app/dropbear/bin/scp
   7	/usr/bin/ls
# delete that entry from the cache. External commands that have been run are kept in the hash table; it is discarded automatically when the session ends, but we can also edit it by hand
[root@localhost data]#hash -d scp
[root@localhost data]#hash
hits	command
   5	/usr/bin/rm
   1	/usr/bin/ln
   7	/usr/bin/ls
# test
[root@localhost data]#scp /etc/passwd 192.168.33.129:/data
[email protected]'s password: 

# success
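The stale hash-table behaviour described above, reproduced as an added example that is not part of the original post: a throwaway command is placed in two PATH directories, the first copy is removed after it has been cached (as happened when /app/dropbear/ was deleted), and the table is then flushed. The example uses the POSIX `hash -r`, which clears the whole table, rather than the bash-only `hash -d scp` from the post, which drops one entry. The directory layout, the command name fakescp and the function name refreshed_path are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the stale command-hash
# problem in a temporary directory and clear it with `hash -r`. The first
# PATH entry plays the role of /app/dropbear/bin, the second of /usr/bin.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
mkdir -p "$DEMO_DIR/first" "$DEMO_DIR/later"
printf '#!/bin/sh\necho first\n' > "$DEMO_DIR/first/fakescp"
printf '#!/bin/sh\necho later\n' > "$DEMO_DIR/later/fakescp"
chmod 0755 "$DEMO_DIR/first/fakescp" "$DEMO_DIR/later/fakescp"

# Set PATH once, before anything is cached: in bash, assigning PATH also
# flushes the hash table, so it must not be touched again during the demo.
PATH="$DEMO_DIR/first:$DEMO_DIR/later:$PATH"

# refreshed_path NAME: flush the hash table, then report where NAME resolves.
refreshed_path() {
    hash -r
    command -v "$1"
}

fakescp                          # first run: found by PATH search, then cached
rm "$DEMO_DIR/first/fakescp"     # same effect as `rm -rf /app/dropbear/` in the post
fakescp 2>/dev/null || echo "stale cache: the shell tried the deleted path"
hash -r                          # flush the table (the post used `hash -d scp`)
fakescp                          # now resolves to the copy later in PATH
echo "resolved after flush: $(refreshed_path fakescp)"
```

Because the table lives in the shell process, only the shell that ran the old command is affected; a new login, or `hash -r` in the current one, is enough. Scripts that remove a tool and expect a fallback copy elsewhere in PATH to take over should call `hash -r` after the removal rather than rely on the user noticing the error.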