Got dropbear working in all cases-finally!

Delbert Franz ddf at
Fri Oct 12 20:34:56 EDT 2012

I have switched back to dropbear from openssh.  I had given up on 
dropbear for some time because I could not get some things to work.  
Well, now I have sorted out what went wrong: 

1. On the Nanonotes, I used 

dropbearkey -t rsa -f /root/.ssh/id_rsa > nn_pub_key

to generate the keys for ssh.  In the first attempt, I had just used 
the keys generated by openssh and could not get dropbear to work.  
However, I may have had other errors in my usage.  We need to redirect 
the output from the command to a file because "dropbearkey" writes the 
public key to standard output.  If you goof that up somehow, 
dropbearkey can create the public key from the private key, which I 
placed in /root/.ssh/id_rsa, the place that openssh uses.  Just run: 

dropbearkey -y -f /root/.ssh/id_rsa | grep "^ssh-rsa" > nn_pub_key

Then set up copies of "authorized_keys" on each machine as needed.  
Please consult the Web for how to do that - lots of info exists for that 
setup on the web.  I searched for the individual words: "public 
private ssh key password" and got lots of hits:) Pick the one that 
makes sense in your case and perhaps for your desktop Linux 
distribution or even some MSW strain.  

2.  One important item: dropbear does not look for the authorized_keys 
file where openssh places it.  Openssh looks for it in /root/.ssh.  
Dropbear looks for it in /etc/dropbear.  So what I do is place a link 
in /etc/dropbear to /root/.ssh/authorized_keys.  Execute in 

ln -s /root/.ssh/authorized_keys authorized_keys

and both openssh and dropbear will be happy:)

3.  A copy of the public key from every machine on your LAN should be 
placed in the authorized_keys file, given that you might want to use 
scp or ssh on or to each machine.  Once this is done, ssh and scp from 
openssh will work.  Both look in the home directory under .ssh for the 
copy of authorized_keys and for the private key.  However, dropbear 
DOES NOT do that.  You must give the location of the private key in 
the command line every time, or create a script that does it for you!  
It took quite some searching to find this.  OpenWRT is used on 
routers.  Almost every web page gave good information on what had to 
be done to ssh, using openssh, TO the router running OpenWRT.  
However, my problems were using ssh from dropbear FROM the "router", 
my Nanonote.  Every time I used ssh or scp on a Nanonote to go 
elsewhere, I got a request for the password on the destination 
machine!  I finally found

which solved the problem and told me that dropbear does not have a 
default location for the private key.  

So to ssh to some other machine from one of my Nanonotes on my LAN I 

ssh -i /root/.ssh/id_rsa  i7

if I want to ssh to my desktop.  More typically I would be doing scp 
from the Nanonote since there is little point in sshing to my desktop 
because the desktop has a much better keyboard than does the tiny 
Nanonote:) To do a copy of the file,, from the Nanonote to i7, 
I use: 

scp -i /root/.ssh/id_rsa i7:/root

and I don't have to type i7's eight-character password on the tiny 
keys of the Nanonote!  

Using ssh with rsync, which I have implemented to back up my Nanonotes 
to my desktop machine, requires using a special format.  See the above 
referenced web page for more information.  The same goes for using
git.  One must always tell ssh or scp from dropbear where to find the
private key of the source machine, that is, the one on which the ssh or 
scp command is issued. 

Dropbear, with these changes, then works well on the Nanonote.  It is 
really unclear, but I think dropbear has about half the memory 
footprint of openssh.  As always, assigning memory to a process under 
Linux is a bit of a challenge.  On one test of a transfer of a large 
ASCII file, I found that dropbear is also about 30% slower than 
openssh.  However, given the small memory on the Nanonote, I have 
opted for smaller memory, at least for now. In time, dropbear may 
get faster, because it appears to be "young" compared to openssh:) 

Hope this helps someone else--I spent hours solving what turned out to 
have a simple solution.  Happens a lot in the land of hardware and 
software, doesn't it?  
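
Added example (not part of the original post): one way to write the wrapper script that item 3 calls for, so that ssh and scp from dropbear always receive the private key location. The key path is the one used in the post; DB_KEY, DB_SSH, DB_SCP and all function names are hypothetical, and the permission check is an added hygiene step, not something the post says dropbear enforces.

```sh
#!/bin/sh
# Added example: always pass the private key to dropbear's ssh/scp clients.
# DB_KEY, DB_SSH, DB_SCP and the function names below are hypothetical.
DB_KEY="${DB_KEY:-/root/.ssh/id_rsa}"   # key location used in the post
DB_SSH="${DB_SSH:-ssh}"
DB_SCP="${DB_SCP:-scp}"

# Succeeds only if the key exists and grants nothing to group or others.
key_ok() {
    [ -f "$1" ] || { echo "no private key at $1" >&2; return 1; }
    perms=$(ls -ldL -- "$1" | cut -c5-10)      # group+other permission bits
    [ "$perms" = "------" ] || {
        echo "$1 is accessible to group/other; chmod 600 it" >&2
        return 1
    }
}

# Succeeds if both paths resolve to the same inode, e.g. the link from
# item 2 and /root/.ssh/authorized_keys (same filesystem assumed).
same_file() {
    [ -e "$1" ] && [ -e "$2" ] || return 1
    a=$(ls -diL -- "$1" | awk '{print $1}')
    b=$(ls -diL -- "$2" | awk '{print $1}')
    [ "$a" = "$b" ]
}

# Wrappers: refuse to run with a missing or exposed key, otherwise add -i.
dbssh() { key_ok "$DB_KEY" && "$DB_SSH" -i "$DB_KEY" "$@"; }
dbscp() { key_ok "$DB_KEY" && "$DB_SCP" -i "$DB_KEY" "$@"; }
```

After sourcing this file, "dbssh i7" runs "ssh -i /root/.ssh/id_rsa i7". For rsync, the -e option takes the remote shell command, so it can carry the same -i argument.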

