Re: Dropbear SSH
My customer is using dropbear. It is easy to compile and use. We did connect to it from an SSH client and also tried reverse SSH. It seems to be very stable. As for security I don't have enough experience to comment.

-- Ori Idan

On Thu, Jul 17, 2008 at 1:42 PM, Oleg Goldshmidt [EMAIL PROTECTED] wrote:
> Hi everybody,
>
> Does anyone have experience with DropBear SSH server/client
> (http://matt.ucc.asn.au/dropbear/dropbear.html)?
>
> The context is an embedded product with AMCC PPC460, Linux (say, 2.6.25 or later), and busybox (1.10 or later) as the base, being defined/designed now. The target audience is top tier customers, such as governments, Fortune-whatever companies, major financial institutions, etc. SSH access is essential (need ssh client, sshd, ssh-keygen, scp, whatever dependencies there are). Busybox does not provide SSH functionality by itself, and recommends Dropbear (http://busybox.net/tinyutils.html).
>
> I would like to be quite sure that DropBear has the functionality and the security that the target market requires. So far, what I see in the docs is as follows:
>
> * Judging by the Changelog, Dropbear is at version 0.51, and the development is not very active. This may be because it is very stable and very secure, or may be because there are not many development resources.
> * Uses LibTomCrypt rather than SSL - can anyone comment on security/functionality?
>
> I see my choices as DropBear vs. OpenSSH, compiled and linked for busybox. I am not particularly concerned about CPU or RAM, but I have a rather serious shortage of (flash) storage in the system. In our estimate, OpenSSH will take at least 10 times more storage than DropBear (between 1.2 and 1.5M rather than the 110K Dropbear claims).
>
> What I am interested to know is whether DropBear is a good substitute for OpenSSH in terms of:
> * functionality
> * full compatibility
> * security
> * stability
> * etc.
>
> Any comments/experiences?
>
> Thanks a lot in advance,
>
> -- Oleg Goldshmidt | [EMAIL PROTECTED]
>
> =
> To unsubscribe, send mail to [EMAIL PROTECTED] with the word unsubscribe in the message body, e.g., run the command echo unsubscribe | mail [EMAIL PROTECTED]

-- Books and stories I have written: http://www.thestories.org
Re: Dropbear SSH
Hi,

Some 2 cents == I am not affiliated with Mocana nor do I gain anything from writing this ==

Not sure if it helps, but another alternative is Mocana. I have seen quite a few people/companies use it (Israeli); RAD is one of the names that comes to mind. Mocana is a complete package - i.e. it gives you everything you need, SSL, SSH, etc. - but the downside is it costs money.

---

Regarding DropBear, a few vulnerabilities have been discovered in dropbear over the years:

Dropbear SSH Server DoS
http://www.securiteam.com/securitynews/5YP012AI0A.html

Dropbear SSH Server Format String Vulnerability
http://www.securiteam.com/unixfocus/5VP0E2AAUS.html

Dropbear SSH Server svr_ses.childpidsize Buffer Overflow
http://www.securiteam.com/unixfocus/6A00M0AEUQ.html

But nothing since 2006 :) So I guess it's ok, for the time being. I am not trying to say it is less or more secure, but not having any public vulnerabilities in a product makes me jitter with fear :D, what is unknown scares me :)

-- Noam Rathaus
CTO
[EMAIL PROTECTED]
http://www.beyondsecurity.com
Know that you are safe.
Beyond Security Finalist for the Red Herring 100 Global Awards 2007
RE: Dropbear SSH
Hi Oleg,

No experience with Dropbear, but I've used LibTomCrypt in a couple of projects, and it rocks. You can configure it to the level of paranoia you're comfortable with, e.g., scrubbing memory that contains keying material, etc. - the typical security/performance and time/space tradeoffs.

Of course, having a solid crypto library is a necessary but *not* sufficient condition for a secure application, as it's trivial to misuse crypto in a way that leaves you totally insecure.

HTH,
Rony

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oleg Goldshmidt
Sent: Thursday, July 17, 2008 1:42 PM
To: Linux-IL
Subject: Dropbear SSH
Re: Dropbear SSH
On Thu, Jul 17, 2008 at 3:29 PM, Noam Rathaus [EMAIL PROTECTED] wrote:
> Hi,
>
> Some 2 cents == I am not affiliated with Mocana nor do I gain anything from writing this ==
>
> Not sure if it helps, but another alternative is Mocana. I have seen quite a few people/companies use it (Israeli); RAD is one of the names that comes to mind. Mocana is a complete package - i.e. it gives you everything you need, SSL, SSH, etc. - but the downside is it costs money.

Hi Noam,

And lean on storage, too. I am not sure it helps, for logistical reasons, but thanks for the pointer.

> But nothing since 2006 :) So I guess it's ok, for the time being. I am not trying to say it is less or more secure, but not having any public vulnerabilities in a product makes me jitter with fear :D, what is unknown scares me :)

Is it really secure or just not used enough? ;-)

Has DropBear (or LibTomCrypt) ever been audited? I'd think that you would be one of those in the know... ;-)

-- Oleg Goldshmidt | [EMAIL PROTECTED]
Re: Dropbear SSH
Hi,

On Thursday 17 July 2008 19:42:54 Oleg Goldshmidt wrote:
> Hi Noam,
>
> And lean on storage, too. I am not sure it helps, for logistical reasons, but thanks for the pointer.
>
> Is it really secure or just not used enough? ;-)
>
> Has DropBear (or LibTomCrypt) ever been audited? I'd think that you would be one of those in the know... ;-)

I know OpenSSH has been extensively audited - and in turn found to be vulnerable - whereas DropBear and libTomCrypt are less common, and as such less audited. However, their code base is a lot smaller, making it harder for issues to hide in it.

What I usually tell my customers: don't rely on obscurity to protect you, rely on response time. If a (security) issue arises, address it as soon as possible with a patch, a firmware upgrade, etc. Don't expect software developers to be flawless :)

-- Noam Rathaus
CTO
[EMAIL PROTECTED]
http://www.beyondsecurity.com
Know that you are safe.
Beyond Security Finalist for the Red Herring 100 Global Awards 2007