Unix & Linux Asked by n0542344 on January 12, 2021
I’d like to use dropbear as an alternative, minimal ssh-server and -client. dropbear allows the use of private-public-keys for ssh-access, although the keys are not identical to the ones used by openssh and have to be converted using the dropbearconvert-command (which is easy to do).

The issue I’m having is that dropbear doesn’t natively support encrypted private keys. But leaving unencrypted ssh-keys on my laptop is something I’d like to avoid out of principle.

Therefore my question: does anyone have any good ideas on how to circumvent that issue and have a method (script?) that:

- gnupg) and loads them into memory,
- dbclient-binary (the dropbear-client-application), and

In addition I’d like to know if an alternative to the ssh-config option (especially the ones for Host) exists for dropbear (and therefore if it is possible to create a host-specific config file for dropbear where I can specify e.g. the IP-address, the port and other details).
It appears that dbclient is entirely willing to read the private key from a named pipe or FIFO. So with bash's process substitution, you can write:

dbclient -i <(cat .ssh/id_dropbear) user@server

So if you have a GPG encrypted .ssh/id_dropbear.gpg, you can write it as:

dbclient -i <(gpg --decrypt .ssh/id_dropbear.gpg) user@server

And after entering your decryption password, dbclient logs in using your GPG encrypted private key. So that part works fine.

The main issue here is that if you already stored .ssh/id_dropbear unencrypted before that, it could be recovered forensically. To encrypt a key on the fly from dropbearconvert, you can apply the same principle:

$ dropbearconvert openssh dropbear .ssh/id_openssh >(gpg --symmetric --output .ssh/id_dropbear.gpg)
Key is a ssh-rsa key
Wrote key to '/dev/fd/63'

But it does not seem to be too useful in practice, since dropbearconvert also offers only very limited support for OpenSSH's encrypted private keys. For this example I had to specially create an OpenSSH key that dropbearconvert understands...

Unfortunately, this trick does not seem to work at all for the dropbearkey command, which for some reason insists on writing to a temporary file and renaming it, circumventing the pipe entirely.

Thus it appears you have no choice but to generate the private key in tmpfs first (like in /dev/shm or from a live cd), and encrypt it from there.
Correct answer by frostschutz on January 12, 2021
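An added example (not from the original question or answer, nor part of dropbear) that puts both parts of the question together: a small per-host text file standing in for the Host blocks of ssh_config, and the gpg-decrypted key handed to dbclient through an explicit named pipe instead of bash's <( ), so the wrapper also runs under plain sh. The host-file format, its path ~/.config/dbclient/hosts and the function names are assumptions of this example.

```shell
#!/bin/sh
# Example wrapper (constructed for this answer, not dropbear's own tooling).
# 1. resolve_host: per-host settings from a text file, standing in for
#    ssh_config "Host" blocks, which dropbear does not provide.
# 2. dbc: decrypts the gpg-encrypted dropbear key into a FIFO and points
#    dbclient -i at it, so the plaintext key is never written to disk.
# Assumed host file format (one entry per line, '#' starts a comment):
#   alias  hostname  port  user  encrypted-keyfile   (use absolute paths)
DBHOSTS="${DBHOSTS:-$HOME/.config/dbclient/hosts}"

# resolve_host ALIAS [FILE]: print "user@hostname port keyfile", or fail.
resolve_host() {
    _alias=$1; _file=${2:-$DBHOSTS}
    while read -r a host port user key; do
        case $a in ''|'#'*) continue ;; esac      # skip blank/comment lines
        if [ "$a" = "$_alias" ]; then
            printf '%s@%s %s %s\n' "$user" "$host" "$port" "$key"
            return 0
        fi
    done < "$_file"
    echo "no entry for host alias '$_alias' in $_file" >&2
    return 1
}

# dbc ALIAS [extra dbclient options]: connect with the decrypted key on a FIFO.
dbc() {
    spec=$(resolve_host "$1") || return 1
    shift
    set -- $spec "$@"                  # split "user@host port key" into words
    target=$1; port=$2; key=$3; shift 3
    dir=$(mktemp -d) || return 1       # private directory (mode 0700) for the pipe
    fifo=$dir/key
    mkfifo -m 600 "$fifo" || { rmdir "$dir"; return 1; }
    # gpg blocks on opening the FIFO until dbclient opens it for reading; the
    # key bytes only ever exist in the pipe and in the two processes' memory.
    gpg --quiet --decrypt --output "$fifo" "$key" &
    gpgpid=$!
    dbclient -p "$port" -i "$fifo" "$@" "$target"
    rc=$?
    # if dbclient never opened the pipe, gpg is still blocked on it: stop it
    kill "$gpgpid" 2>/dev/null; wait "$gpgpid" 2>/dev/null
    rm -rf "$dir"
    return $rc
}
# usage: dbc lab   (with "lab 10.0.0.5 2222 admin /home/me/.ssh/lab.gpg" in $DBHOSTS)
```

The host file is read with plain word splitting, so paths containing spaces or a leading ~ are not supported.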