Use Dropbear SSH to save memory

In this blog post I will be looking at cutting down the memory used by the Secure Shell daemon running on your VPS, by replacing it with a lite version that does 90% of what OpenSSH can do — Dropbear.

Introduction

I have noticed that I have been blogging more and more about my experience with virtual private server hosting, as it is a much more economical option for software developers who are looking for hosting. You have root access to install and control whatever software you want, yet an unmanaged service is much cheaper than a dedicated server. Don’t like shared hosting? Can’t afford a dedicated server for your tiny project? Go VPS!

However, since you only get a small slice of a physical server, a VPS is also constrained in CPU, memory, disk storage and bandwidth. For low-traffic sites, CPU, disk space and bandwidth are not that important. However, in order to bootstrap the whole framework, be that LAMP, RoR behind Lighty or anything else that strikes your fancy, you’ll need memory.

There are many ways to get more memory. You either (1) buy more from your host, (2) reduce the memory usage of your components, or (3) reduce the memory usage of other components. Paying for more memory is always an option (and often the easiest), but you won’t get the most fun from the exercise 🙂 With an increasing number of providers selling memory-limited VPS for pennies a month, I think I will blog about ways to actually reduce the memory usage of a typical Linux VPS setup, so that it is possible to run more core-business applications from a limited memory allocation.

Dropbear — Low-Memory Replacement for OpenSSH

Today I will be looking at sshd — the Secure Shell daemon. When your VE is set up (on VPSLink at least), SSH is the only way you can access your VPS. It gives you a shell prompt through an encrypted channel, and you can also use it to create tunnels to access services on your VPS securely. Moreover, many useful utilities depend on SSH (rsync, for example). It is one of the most important pieces of software on your VE, and traditionally all Linux distributions ship OpenSSH. For more info on Secure Shell, check its Wikipedia page.

Dropbear, developed by Matt Johnston, is an alternative SSH client/server implementation that uses a smaller amount of memory than OpenSSH. From its feature list:

Features

  • A small memory footprint suitable for memory-constrained environments – Dropbear can compile to a 110kB statically linked binary with uClibc on x86 (only minimal options selected)
  • Dropbear server implements X11 forwarding, and authentication-agent forwarding for OpenSSH clients
  • Can run from inetd or standalone
  • Compatible with OpenSSH ~/.ssh/authorized_keys public key authentication
  • The server, client, keygen, and key converter can be compiled into a single binary (à la busybox)
  • Features can easily be disabled when compiling to save space
  • TCP forwarding support

Basically it can do almost everything OpenSSH can do — but with a smaller memory footprint. If you do not have a complicated sshd_config, or are still using the stock one that came with your Linux distribution, then Dropbear will be a good replacement for your memory-constrained VE.

Installation

Installing Dropbear on Gentoo is straightforward.

~ # emerge -av dropbear

It installs an init script at /etc/init.d/dropbear which you can run to start the SSH server. Make sure you stop your OpenSSH server before starting Dropbear so that it can bind to port 22. On first start it will generate both RSA and DSS host keys. They are in a binary format, and I am not sure whether you can just reuse OpenSSH’s host keys — so you’ll get a warning message the next time you try to connect.
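Dropbear ships a key converter, dropbearconvert, that reads OpenSSH host keys and writes them in Dropbear's own format, so the host key (and therefore the fingerprint clients have already cached in known_hosts) can stay the same across the switch. The script below is an added example, not part of the original post or of Dropbear itself; it assumes the default key locations of OpenSSH (/etc/ssh) and Dropbear (/etc/dropbear), treats the RSA key as required and the DSA/DSS key as optional, and assumes dropbearkey's -y switch for printing a key's fingerprint.

```shell
#!/bin/sh
# Added example (not from the original post): carry the OpenSSH host keys over
# to Dropbear so clients keep seeing the same host key after the switch.
# Assumes Dropbear's bundled dropbearconvert and dropbearkey tools and the
# default key locations used by OpenSSH (/etc/ssh) and Dropbear (/etc/dropbear).

# convert_host_keys SRC_DIR DST_DIR
# Converts ssh_host_rsa_key (required) and ssh_host_dsa_key (if present) from
# SRC_DIR into Dropbear's format in DST_DIR. Returns 1 without creating
# anything if the RSA key is missing or dropbearconvert is not installed.
convert_host_keys() {
    src="$1"; dst="$2"
    [ -r "$src/ssh_host_rsa_key" ] || {
        echo "no readable $src/ssh_host_rsa_key" >&2; return 1; }
    command -v dropbearconvert >/dev/null 2>&1 || {
        echo "dropbearconvert not found" >&2; return 1; }
    mkdir -p "$dst" && chmod 700 "$dst" || return 1
    dropbearconvert openssh dropbear \
        "$src/ssh_host_rsa_key" "$dst/dropbear_rsa_host_key" || return 1
    if [ -r "$src/ssh_host_dsa_key" ]; then
        dropbearconvert openssh dropbear \
            "$src/ssh_host_dsa_key" "$dst/dropbear_dss_host_key" || return 1
    fi
    # Host keys are private material: readable by root only.
    chmod 600 "$dst"/dropbear_*_host_key
}

# fingerprint FILE: print the public key and fingerprint of a Dropbear key
# file, to compare against `ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub`
# before stopping OpenSSH.
fingerprint() {
    dropbearkey -y -f "$1"
}

# Typical run on the VE (kept as a comment so sourcing this file has no
# side effects):
#   convert_host_keys /etc/ssh /etc/dropbear && fingerprint /etc/dropbear/dropbear_rsa_host_key
#   /etc/init.d/sshd stop && /etc/init.d/dropbear start
```

Run the conversion before the first start of the Dropbear init script; if Dropbear has already generated its own keys, the converted files simply overwrite them. Comparing the fingerprint printed by dropbearkey with the one ssh-keygen prints for the OpenSSH key confirms that the conversion kept the same key, which is what keeps clients from seeing a changed-host-key warning.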

Usage

No special instructions. Just connect with your regular SSH client. Your authorized_keys continue to work. X11 forwarding and tunneling work as well.

Memory Consumption

On my VE it consumes 1,788kB VSZ or 604kB RSS — around 30% less than OpenSSH. Moreover, for each SSH connection it forks only one instance of dropbear instead of the two sshd processes OpenSSH spawns. Not bad for virtually no loss in functionality.
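To repeat this comparison on your own VE rather than take the numbers above on trust, the figures to tally are VSZ and RSS per process name, together with the process count per name (which is what shows the one-process-per-connection difference). The script below is an added example, not from the original post; it assumes the procps `ps -eo comm=,vsz=,rss=` output format (kB values, no header), and the sample lines embedded in it are constructed, not measurements from the author's VE.

```shell
#!/bin/sh
# Added example (not from the original post): tally VSZ/RSS per process name
# so the OpenSSH vs. Dropbear comparison can be repeated on your own VE.
# Live usage:  ps -eo comm=,vsz=,rss= | mem_by_comm
# ps reports both values in kB. Nothing here is Dropbear-specific.

# mem_by_comm: reads "COMM VSZ RSS" lines on stdin and prints one line per
# command name, "COMM PROCS VSZ_TOTAL RSS_TOTAL", sorted by name.
mem_by_comm() {
    awk '{ n[$1]++; vsz[$1] += $2; rss[$1] += $3 }
         END { for (c in n) printf "%s %d %d %d\n", c, n[c], vsz[c], rss[c] }' |
    sort
}

# rss_of COMM: total RSS in kB for COMM (0 if it is not running), reading the
# same "COMM VSZ RSS" lines from stdin.
rss_of() {
    mem_by_comm | awk -v c="$1" 'BEGIN { r = 0 } $1 == c { r = $4 } END { print r }'
}

# Constructed sample shaped like `ps -eo comm=,vsz=,rss=` on a box running the
# idle sshd listener plus one OpenSSH session (the privileged parent and the
# unprivileged child make two extra sshd processes) and one Dropbear session.
SAMPLE='sshd 5120 1980
sshd 5316 2220
sshd 5008 1410
dropbear 1788 604
dropbear 2060 900
init 1960 640'

# demo: run the tally over the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE" | mem_by_comm
}
```

Run `ps -eo comm=,vsz=,rss= | mem_by_comm` once with no sessions open and once with a session open for each daemon; the difference in the PROCS and RSS columns is the per-connection cost. RSS is the number that matters on a memory-limited VE, since VSZ counts mapped but untouched pages as well.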

Integrate with xinetd

Like OpenSSH, you can also start Dropbear from xinetd so you don’t need to run a daemon — useful if you are already using xinetd for other services. Moreover, xinetd offers comprehensive configuration for handling incoming connections, which Dropbear lacks.

Unfortunately Gentoo does not come with an xinetd configuration file for Dropbear. This is the one I use; just drop it in /etc/xinetd.d/dropbear and restart xinetd.

service ssh
{
    socket_type     = stream
    only_from       = 0.0.0.0
    wait            = no
    user            = root
    protocol        = tcp
    server          = /usr/sbin/dropbear
    server_args     = -i -g
    disable         = no
}

Use -i to indicate that the service is started from (x)inetd, and -g to disable password login for root (public key only).
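The connection handling xinetd adds on top of Dropbear is the reason to run it this way, so it is worth using. In xinetd's address syntax `only_from = 0.0.0.0` matches every address, i.e. the stanza above accepts connections from anywhere. The script below is an added example, not from the original post: it prints a tighter stanza that restricts `only_from` to an address or wildcard of your choosing and adds xinetd's `instances`, `per_source`, `cps` and logging attributes, and it includes a small audit that flags the two settings most worth checking in any such file (a match-all `only_from`, and `server_args` without -g or -s). The 192.168.1.0 wildcard and the concurrency and rate figures are illustrative choices, not values from the page.

```shell
#!/bin/sh
# Added example (not from the original post): a tighter xinetd stanza for
# Dropbear, plus a small audit for the two settings most worth checking.
# Assumes xinetd's documented attributes (only_from, instances, per_source,
# cps, log_on_success, log_on_failure) and Dropbear's -i, -g and -s switches.

# hardened_dropbear_xinetd ALLOWED: print a service definition that accepts
# connections only from ALLOWED (xinetd address syntax: an address, or a
# dotted quad whose trailing zero components act as wildcards), caps
# concurrent sessions, rate-limits new connections and logs every attempt.
hardened_dropbear_xinetd() {
    allowed="$1"
    cat <<EOF
service ssh
{
    socket_type     = stream
    only_from       = $allowed
    wait            = no
    user            = root
    protocol        = tcp
    server          = /usr/sbin/dropbear
    server_args     = -i -g
    instances       = 10
    per_source      = 3
    cps             = 5 30
    log_on_success  += PID HOST DURATION
    log_on_failure  += HOST
    disable         = no
}
EOF
}

# audit_dropbear_xinetd FILE: print one finding per weak setting and return 1
# if any was found, 0 otherwise. Flags a missing or match-all only_from, and
# server_args lacking -g (no root password login) or -s (no password login).
audit_dropbear_xinetd() {
    f="$1"; bad=0
    if ! grep -Eq '^[[:space:]]*only_from[[:space:]]*=' "$f" ||
       grep -Eq '^[[:space:]]*only_from[[:space:]]*=[[:space:]]*0\.0\.0\.0[[:space:]]*$' "$f"; then
        echo "$f: only_from missing or 0.0.0.0, so every address is admitted"
        bad=1
    fi
    if ! grep -E '^[[:space:]]*server_args' "$f" |
         grep -Eq -- '(^|[[:space:]])-(g|s)([[:space:]]|$)'; then
        echo "$f: server_args lacks -g/-s, so password login for root stays enabled"
        bad=1
    fi
    return $bad
}

# Typical use (comment only, so sourcing this file writes nothing):
#   hardened_dropbear_xinetd 192.168.1.0 > /etc/xinetd.d/dropbear
#   audit_dropbear_xinetd /etc/xinetd.d/dropbear && /etc/init.d/xinetd restart
```

`instances` caps concurrent dropbear processes for the service, `per_source` caps them per client address, and `cps = 5 30` stops accepting new connections for 30 seconds once the rate exceeds 5 per second; all three bound how much memory a burst of connection attempts can consume, which is the resource this whole exercise is about. If you only ever log in with keys, `-s` in `server_args` disables password authentication for every account rather than just root.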

Conclusion

So far I am pretty happy with Dropbear on all my VPSes. In my case there is zero functionality lost in this transition, yet I’ve got an extra meg or two to play around with. There are many other programs that were designed and written to replace complicated counterparts — especially since many people only use part of their functionality. Hopefully I will be covering them later on HostingFu.