Using Public Keys With Dropbear SSH Client

I ran into a little bit of a hiccup getting my OpenWRT NSLU2 device to automatically rsync to a remote host. It turns out that the dropbear ssh client works a bit differently when attempting to use key based authentication. In order to rsync files from a remote host using a cron script, this is critical. I found plenty of examples on setting up key based authentication using dropbear as the HOST, but not as the CLIENT. Here’s how I did it:

This assumes that the OpenWRT device is named ‘nas’ and the remote machine is ‘webhost’. The goal is to allow ‘nas’ to authenticate to ‘webhost’ using a key instead of a password.

First, generate your identity key on ‘nas’

dropbearkey -t rsa -f ~/.ssh/id_rsa

Since dropbear stores its keys in different format, it needs to be converted for a standard SSH server:

dropbearkey -y -f ~/.ssh/id_rsa | grep “^ssh-rsa ” >> authorized_keys

Now copy or (concatenate) ‘authorized_keys’ to ~/.ssh on ‘webhost’. Ensure that permissions on this file are set to 600.
You should now be able to ssh without a password.

root@nas:~# ssh user@webhost -i ~/.ssh/id_rsa

Notice that you need to explicitly specify the identity file on the command line. Dropbear does not automatically look for it like OpenSSH does.

Now that ssh works, I can easily perform an automated rsync:

rsync -avz -e “ssh -i /root/.ssh/id_rsa” user@webhost:some-file-there.txt some-file-here.txt

Hope that helps!

This entry was posted in Networking. Bookmark the permalink.

19 Responses to Using Public Keys With Dropbear SSH Client

  1. Anthony Kamau says:

    Interesting article; I learnt a whole lot from it.

    However, I’d like to suggest that you replace ‘ssh’ with ‘dbclient’ being that ESXi does not have the ‘ssh’ command. It could be that you have created a symbolic link to ‘dbclient’ named ‘ssh’ but for completeness, best to specify the default executable used by ESXi.

    Cheers,
    Anthony.

  2. Christian Meißner says:

    Nice tutorial. This was the ONLY article explaining the use of dropbear as a client i found via Google. Thanks Guy!

  3. btammaster says:

    Worked on the first try – I am using an Android smart phone to SSH via wireless into a server.
    Thank you thank you!

  4. Pingback: SSH and GIT on Android with Terminal IDE

  5. Allen says:

    “explicitly specify the identity file on the command line” nice tip. was scratching my head on this one for some time before finding your article.

  6. Delbert says:

    Thanks for this post! I was lost with ssh and rsync FROM my OpenWRT computer to the
    outside world. Everything else I found only talked about going TO the OpenWRT computer
    from the outside world:) Dropbear is supposed to take less memory but it is a bit of a pain
    in that it is an incomplete clone of OpenSSH. Small details are often when hangs us up,
    not the big picture:-)

  7. Boozeman says:

    Nice tutorial! This is the yet only one that explains use of dropbear as a client.

  8. Pingback: Kian Ryan » SSH on Android

  9. Guest says:

    This really helped!!!

  10. Pingback: Finally got a keyboard case for the Galaxy Tab 10.1 « alaya:techne

  11. bazoo says:

    Thank you works great on dreambox 500s 🙂

  12. Pingback: Owncloud upload via rsync from openwrt – Sprinternet Blog

  13. Robert says:

    I needed this to automatically copy files from my vu+ linux reciever. Works great! Thank you!

  14. km65 says:

    Really nice tutorial! Thanks.
    The only thing on DD-WRT is that the created id_rsa key will be deleted on every reboot of dd-wrt router, because the .ssh dir is on tmp dir.
    Is there any solution?
    Thanks so far.

  15. Zsolt Kendi says:

    There I see some naming convention problems. Dropbear does not generate/use openssh private key “id_rsa”. This make many trouble in technical forums. Therefore:

    To generate private key for dropbear:
    dropbearkey -t rsa -f ~/.ssh/dropbear_priv_rsa

    To extract and insert public key to dropbear server:
    dropbearkey -y -f ~/.ssh/dropbear_priv_rsa | grep “^ssh-rsa ” >> authorized_keys

    To connect using ssh key authentication from dropbear client to dropbear server:
    ssh -i ~/.ssh/dropbear_priv_rsa user@webhost

    To produce priivate key for connection from openssh client to dropbear server:
    dropbearconvert dropbear openssh ~/.ssh/dropbear_priv_rsa ~/.ssh/id_rsa.

    To connection from openssh client to dropbear server:
    ssh -i ~/.ssh/id_rsa user@webhost

  16. lazywriter says:

    By the way, if you’re running the dropbear server, it has a forwarding agent that will also automatically use a key. It just isn’t ‘~/.ssh/id_rsa’ by default. If you generate the key into ~/.ssh/id_dropbear (or copy it there) it will automatically use that if not otherwise changed via command line switch.

  17. Angela says:

    Still working eight years after posting. This was really helpful; thanks.
    I am using a Satellite receiver (Dreambox) as my client and found a complication with this line:-

    dropbearkey -y -f ~/.ssh/id_rsa | grep “^ssh-rsa ” >> authorized_keys

    Changing the key format didn’t appear necessary.

    After running:-
    dropbearkey -t rsa -f ~/.ssh/id_rsa

    the display showed the public-key part of the key on the screen.
    I copied this – omitting the finger print line. I then directly placed it as a line in ‘authorized_keys’ on my remote server by hand.
    Everything then worked fine.

  18. Pingback: Resolved: Does Dropbear know what a ~/.ssh/config file is? - Resolved Problem

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s