encrypt private keys for dropbear ssh-access

Unix & Linux Asked by n0542344 on January 12, 2021

I’d like to use dropbear as an alternative, minimal ssh-server and -client. dropbear allows the use of private-public-keys for ssh-access, although the keys are not identical to the ones used by openssh and have to be converted using the dropbearconvert-command (which is easy to do).

The issue I’m having is that dropbear doesn’t natively support encrypted private keys. But leaving unencrypted ssh-keys on my laptop is something I’d like to avoid out of principle.

Therefore my question: does anyone have any good ideas on how to circumvent that issue and have a method (script?) that:

  • decrypts the keys I use for dropbear (e.g. using gnupg) and loads them into memory,
  • passes them to the dbclient-binary (the dropbear-client-application), and
  • starts the ssh-connection

In addition I’d like to know if an alternative to the ssh-config option (especially the ones for Host) exists for dropbear (and therefore if it is possible to create a host-specific config file for dropbear where I can specify e.g. the IP-address, the port and other details).

One Answer

It appears that dbclient is entirely willing to read the private key from a named pipe or FIFO.

So with bash's process substitution, you can write:

dbclient -i <(cat .ssh/id_dropbear) [email protected]

So if you have a GPG encrypted .ssh/id_dropbear.gpg, you can write it as:

dbclient -i <(gpg --decrypt .ssh/id_dropbear.gpg) [email protected]

And after entering your decryption password, dbclient logs in using your GPG encrypted private key. So that part works fine.

The main issue here is that if you already stored .ssh/id_dropbear unencrypted before that, it could be recovered forensically. To encrypt a key on the fly from dropbearconvert, you can apply the same principle:

$ dropbearconvert openssh dropbear \
    .ssh/id_openssh >(gpg --symmetric --output .ssh/id_dropbear.gpg)
Key is a ssh-rsa key
Wrote key to '/dev/fd/63'

But it does not seem to be too useful in practice, since dropbearconvert also offers only very limited support for OpenSSH's encrypted private keys. For this example I had to specially create an OpenSSH key that dropbearconvert understands...

Unfortunately, this trick does not seem to work at all for the dropbearkey command, which for some reason insists on writing to a temporary file and renaming it, circumventing the pipe entirely.

Thus it appears you have no choice but to generate the private key in tmpfs first (like in /dev/shm or from a live cd), and encrypt it from there.

Correct answer by frostschutz on January 12, 2021
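The following wrapper script is an added example and is not part of the answer above or of the dropbear project. It packages the two ideas from the answer: the key is generated under a RAM-backed tmpfs directory (because dropbearkey writes a temporary file and renames it, so a pipe will not do), only the GPG-encrypted copy is kept on disk, and at connection time the key is decrypted into a process substitution that dbclient reads as /dev/fd/N. It also answers the question's second part with a small ssh_config-like per-host file; that file format is an assumption made here, dropbear has no such config. Other assumptions: bash, GNU coreutils `stat -f` (Linux), a dropbear recent enough for `dropbearkey -t ed25519`, and gpg for symmetric encryption.

```bash
#!/usr/bin/env bash
# Added example (not from the original answer): dbclient wrapper that keeps
# only a GPG-encrypted private key on disk. Plaintext exists only in RAM:
# in tmpfs while dropbearkey runs, and in a pipe while dbclient reads it.
set -euo pipefail

# db_lookup_host CONFIG ALIAS
# Assumed config format (ssh_config-like; not a dropbear feature):
#   Host box
#     HostName 192.0.2.10
#     Port 2222
#     User alice
#     IdentityFile ~/.ssh/id_dropbear.gpg
# Prints "hostname port user identityfile" ("-" for an unset user or
# identity, port defaults to 22); fails if ALIAS has no Host stanza.
db_lookup_host() {
    local cfg="$1" alias="$2"
    awk -v want="$alias" '
        $1 == "Host" { inblock = ($2 == want); next }
        inblock && $1 == "HostName"     { h = $2 }
        inblock && $1 == "Port"         { p = $2 }
        inblock && $1 == "User"         { u = $2 }
        inblock && $1 == "IdentityFile" { i = $2 }
        END {
            if (h == "") exit 1
            if (p == "") p = 22
            if (u == "") u = "-"
            if (i == "") i = "-"
            print h, p, u, i
        }' "$cfg"
}

# db_tmpfs_dir: a writable RAM-backed directory for the short plaintext
# window during key generation. Deliberately does not fall back to /tmp,
# which may be disk-backed and leave forensically recoverable blocks.
db_tmpfs_dir() {
    local d
    for d in "${XDG_RUNTIME_DIR:-}" /dev/shm; do
        if [ -n "$d" ] && [ -w "$d" ] &&
           [ "$(stat -f -c %T "$d" 2>/dev/null)" = tmpfs ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    echo "no writable tmpfs found" >&2
    return 1
}

# db_keygen OUT.gpg: generate an ed25519 key in tmpfs, store only the
# GPG-encrypted form at OUT.gpg, print the public key line, wipe the rest.
db_keygen() {
    local out="$1" dir
    dir=$(db_tmpfs_dir)
    (
        tmpd=$(mktemp -d -p "$dir" dbkey.XXXXXX)
        # tmpfs is RAM-backed, so rm suffices (unless the box swaps to an
        # unencrypted device, which is a separate problem to solve).
        trap 'rm -rf "$tmpd"' EXIT
        dropbearkey -t ed25519 -f "$tmpd/key" >/dev/null
        gpg --symmetric --cipher-algo AES256 --output "$out" "$tmpd/key"
        dropbearkey -y -f "$tmpd/key" | grep '^ssh-'
    )
}

# db_connect CONFIG ALIAS [command...]: decrypt the key into a pipe and hand
# the pipe to dbclient; the decrypted key never touches a filesystem.
db_connect() {
    local cfg="$1" alias="$2" line host port user keyfile
    shift 2
    line=$(db_lookup_host "$cfg" "$alias") || {
        echo "no Host stanza for '$alias' in $cfg" >&2
        return 1
    }
    read -r host port user keyfile <<<"$line"
    if [ "$user" = - ]; then user=""; fi
    if [ "$keyfile" = - ]; then
        echo "no IdentityFile for '$alias'" >&2
        return 1
    fi
    keyfile="${keyfile/#\~/$HOME}"
    # <(...) expands to /dev/fd/N; dbclient reads the key from that pipe.
    exec dbclient -p "$port" -i <(gpg --quiet --decrypt "$keyfile") \
        "${user:+$user@}$host" "$@"
}

# Usage: ./dbwrap.sh keygen ~/.ssh/id_dropbear.gpg
#        ./dbwrap.sh connect ~/.ssh/dbconfig box [remote command]
case "${1:-}" in
    keygen)  db_keygen "${2:?usage: keygen OUT.gpg}" ;;
    connect) shift; db_connect "$@" ;;
esac
```

Because the decrypted key reaches dbclient through an anonymous pipe, nothing about it is written to disk at connection time; the only on-disk artefact is the .gpg file produced by `db_keygen`, which was itself fed from tmpfs rather than from a plaintext key that had once been stored on the laptop.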
