Chrooted Drop Bear HowTo

This tutorial is being written to help you install Drop Bear to a chroot environment. It covers the below sections:

* Installation of Drop Bear
* Setup Drop Bear
* Setup Chroot Enviroment
* Debug Chrooted Drop Bear


Drop Bear

Dropbear is a relatively small SSH 2 server and client. It is an alternative lightweight program for  openssh and it is designed for environments with low memory and processor resources, such as embedded systems.




wget -c



tar jxf dropbear-0.52.tar.bz2



In our installation we choose: /chroot/dropbear as the root path of our chroot environment. And for educational purposes only, we change the default TCP port of ssh to 2222:

cd dropbear-0.52
./configure --prefix=/chroot/dropbear
sed -i 's/22/2222/g' options.h



Simple as that:




The default installation process:

make install



The next step is to create dss & rsa keys for dropbear ssh server.

We must create the dropbear's key folder first:

mkdir -pv /chroot/dropbear/etc/dropbear

And then:

/chroot/dropbear/bin/dropbearkey -t dss -f /chroot/dropbear/etc/dropbear/dropbear.dss
/chroot/dropbear/bin/dropbearkey -t rsa -s 4096 -f /chroot/dropbear/etc/dropbear/dropbear.rsa

As you can see, we used the chroot environment path without the need of our distribution path hierarchy. The Drop Bear's keys are already installed to our chroot environment at once.


Shared Libraries

We now have to check all the necessary shared libraries that dropbear needs to run inside a chroot environment:

ldd /chroot/dropbear/sbin/dropbear


Chroot Environment


cd /chroot/dropbear/
mkdir -pv dev/pts proc etc lib usr/lib var/run var/log



cp /lib/ lib/
cp /usr/lib/ usr/lib/
cp /lib/ lib
cp /lib/ lib/
cp /lib/ lib/


Extra Libraries

This libraries are mostly for the authentication process.

cp /lib/ lib/
cp /lib/ lib/



Copy necessaries files from root to chroot:

cp /etc/localtime etc/
cp /etc/nsswitch.conf etc/
cp /etc/resolv.conf etc/
cp /etc/host.conf etc/
cp /etc/hosts etc/
touch var/log/lastlog
touch var/run/utmp
touch var/log/wtmp



We now must be very careful with the next step of our process. We have to create all the necessary devices for dropbear to run.

(Remember, we are always on the chroot path – eg. /chroot/dropbear.)

mknod dev/urandom c 1 9
chmod 0666 dev/urandom
mknod dev/ptmx c 5 2
chmod 0666 dev/ptmx
mknod dev/tty c 5 0
chmod 0666 dev/tty



Of course we need to add users to our chroot dropbear setup. You can choose to add an existing user or you can create a new one. I prefer to add an existing user (eg. ebal):

grep ^ebal /etc/passwd > etc/passwd
grep ^ebal /etc/group > etc/group
grep ^ebal /etc/shadow > etc/shadow
mkdir home/ebal
chown ebal.ebal !$



Every user needs a shell! But we don't need to install bash, we can simply use busybox. Busybox is a lightweight shell and combines a lot of common unix utils into a small executable binary file.

cp /etc/shells etc/
sed -i 's/bash/sh/' etc/passwd
cd bin
wget -c
mv busybox-i686 busybox
chmod 0755 busybox
ln -s busybox sh
cd ../


Mount Points

This is the most important thing that we (you) have to do properly. The new environment needs access to terminals (this is necessary for a user to login) and to proc filesystem.

mount -o bind /dev/pts dev/pts/
mount -o bind /proc proc/



Finally we are ready to run Drop Bear from a chroot enviroment:

chroot /chroot/dropbear/ \
/sbin/dropbear \
-b /etc/dropbear/dropbear.banner \
-d /etc/dropbear/dropbear.dss \
-r /etc/dropbear/dropbear.rsa \
-m -w -g



But if something goes wrong, we can always debug the running process with strace:

strace -f chroot /chroot/dropbear/ \
/sbin/dropbear \
-b /etc/dropbear/dropbear.banner \
-d /etc/dropbear/dropbear.dss \
-r /etc/dropbear/dropbear.rsa \
-F -E -m -w -g

Share this page:

2 Comment(s)

Add comment


From: Olivier

Why not use Jailkit? It can automate much of this work?

From: weakish

1, In section users, when creating the user home directory, we need to add the -p option, since we haven't create the home directory before. That is, instead of

mkdir home/ebal
mkdir -p home/ebal
2, In the same section: Use "." to distinguish user and group is deprecated. In recent versions of chown, you should use this syntax user:group.