In this blog post I will look at cutting down the memory used by the Secure Shell daemon running on your VPS by replacing it with a lightweight alternative that does 90% of what OpenSSH can do: Dropbear.
Introduction
I have noticed that I have been blogging more and more about my experience with virtual private server hosting, as it is a much more economical option for software developers who are looking at hosting. You get root access to install and control whatever software you want, yet an unmanaged service is much cheaper than a dedicated server. Don't like shared hosting? Can't afford a dedicated server for your tiny project? Go VPS!
However, since you only get a small slice of a physical server, a VPS is also constrained in CPU, memory, disk storage and bandwidth. For low-traffic sites, CPU, disk space and bandwidth are not that important. However, in order to bootstrap the whole framework, be that LAMP, RoR behind Lighty or anything that strikes your fancy, you will need memory.
There are many ways to get more memory. You can either (1) buy more from your host, (2) reduce the memory usage of your components or (3) reduce the memory usage of other components. Paying for more memory is always an option (and often the easiest), but you won't get the most fun from the exercise :) With an increasing number of providers selling memory-limited VPSes for pennies a month, I think I will blog about ways to actually reduce the memory usage of a typical Linux VPS setup, so that it is possible to run more core-business applications from a limited memory allocation.
Dropbear — Low-Memory Replacement for OpenSSH
Today I will be looking at sshd, the Secure Shell daemon. When your VE is set up (on VPSLink at least), SSH is the only way to access your VPS. It gives you a shell prompt through an encrypted channel, and you can also use it to create tunnels to reach services on your VPS securely. Moreover, many useful utilities depend on SSH (rsync, for example). It is one of the most important pieces of software on your VE, and traditionally all Linux distributions ship OpenSSH. For more info on Secure Shell, check its Wikipedia page.
Dropbear, developed by Matt Johnston, is an alternative SSH client/server implementation that uses a smaller amount of memory than OpenSSH. Quoting its feature list:
Features
- A small memory footprint suitable for memory-constrained environments - Dropbear can compile to a 110kB statically linked binary with uClibc on x86 (only minimal options selected)
- Dropbear server implements X11 forwarding, and authentication-agent forwarding for OpenSSH clients
- Can run from inetd or standalone
- Compatible with OpenSSH ~/.ssh/authorized_keys public key authentication
- The server, client, keygen, and key converter can be compiled into a single binary (ala busybox)
- Features can easily be disabled when compiling to save space
- TCP forwarding support
Basically it can do almost everything OpenSSH can do, but with a smaller memory footprint. If you do not have a complicated sshd_config, or are still using the stock one that came with your Linux distribution, then Dropbear will be a good replacement for your memory-constrained VE.
Installation
Installing Dropbear on Gentoo is straightforward.
~ # emerge -av dropbear
It installs an init script at /etc/init.d/dropbear which you can run to start the SSH server. Make sure you stop your OpenSSH server before starting Dropbear, so that it can bind to port 22. On first start it generates both RSA and DSS host keys. They are stored in Dropbear's own binary format, and I am not sure whether OpenSSH's existing host keys can simply be reused, so expect a changed-host-key warning the next time you connect.
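Rather than accepting that host-key warning blindly, you can carry the existing OpenSSH host key over to Dropbear and check that both tools report the same fingerprint before switching daemons. The script below is an added example, not from the original post or the Dropbear project. It assumes the dropbearconvert and dropbearkey tools that ship with Dropbear, the default key paths shown (adjust for your distribution), and that dropbearconvert understands your key's on-disk format (older PEM-style keys; support for newer OpenSSH key formats depends on the Dropbear version).

```shell
#!/bin/sh
# Added example (not from the original post): reuse the OpenSSH host key under
# Dropbear so clients keep seeing the same host identity, then print both
# fingerprints so the admin can confirm they match before switching daemons.
# The paths below are the usual defaults and are assumptions; adjust for your box.

OPENSSH_KEY=${OPENSSH_KEY:-/etc/ssh/ssh_host_rsa_key}
DROPBEAR_KEY=${DROPBEAR_KEY:-/etc/dropbear/dropbear_rsa_host_key}

# convert_host_key SRC DST
# Exit codes: 0 converted, 1 SRC unreadable, 2 dropbearconvert missing,
# 3 conversion failed (unsupported key format, unwritable DST, ...).
convert_host_key() {
    src=$1; dst=$2
    [ -r "$src" ] || { echo "no readable host key at $src" >&2; return 1; }
    command -v dropbearconvert >/dev/null 2>&1 \
        || { echo "dropbearconvert not found; is Dropbear installed?" >&2; return 2; }
    mkdir -p "$(dirname "$dst")" || return 3
    # The private host key must stay private: create it with restrictive permissions.
    ( umask 077 && dropbearconvert openssh dropbear "$src" "$dst" ) || return 3
}

# show_fingerprints SRC DST: print the fingerprint as seen by each tool.
# OpenSSH prints SHA256 by default; older Dropbear versions print MD5, in which
# case compare against `ssh-keygen -E md5 -lf SRC` instead.
show_fingerprints() {
    echo "OpenSSH view:";  ssh-keygen -lf "$1"
    echo "Dropbear view:"; dropbearkey -y -f "$2"
}

# Runs only when invoked as: sh thisscript.sh run
if [ "${1:-}" = "run" ]; then
    convert_host_key "$OPENSSH_KEY" "$DROPBEAR_KEY" || exit $?
    show_fingerprints "$OPENSSH_KEY" "$DROPBEAR_KEY"
fi
```

Keep an existing SSH session open while you do this, and only stop OpenSSH once a fresh connection to Dropbear succeeds without a fingerprint mismatch.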
Usage
No special instructions needed. Just connect with your regular SSH client. Your authorized_keys continues to work, and X11 forwarding and tunneling work as well.
Memory Consumption
On my VE it consumes 1,788 kB VSZ or 604 kB RSS, around 30% less than OpenSSH. Moreover, for each SSH connection it forks only one instance of dropbear instead of the two sshd processes. Not bad for virtually no loss in functionality.
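To reproduce this comparison on your own box, the following added example (mine, not from the original post) sums RSS and VSZ per process name from ps output and counts how many processes each daemon has, which also shows the one-versus-two processes per connection point. It assumes a procps-style ps that accepts `-eo rss=,vsz=,comm=` and reports sizes in kB.

```shell
#!/bin/sh
# Added example (not from the original post): measure memory per daemon from
# ps output so the OpenSSH vs Dropbear numbers can be reproduced locally.
# Assumes a procps-style ps; rss and vsz are reported in kB.

# mem_by_comm NAME  < "rss vsz comm" lines
# Prints: NAME process_count total_rss_kB total_vsz_kB
mem_by_comm() {
    awk -v name="$1" '
        $3 == name { n++; rss += $1; vsz += $2 }
        END { printf "%s %d %d %d\n", name, n, rss, vsz }'
}

# Live snapshot of every process: one "rss vsz comm" line each.
snapshot() { ps -eo rss=,vsz=,comm=; }

# compare_daemons [NAME...]: totals for each daemon from one snapshot, so all
# are measured at the same instant (defaults to sshd and dropbear).
compare_daemons() {
    snap=$(snapshot)
    [ $# -gt 0 ] || set -- sshd dropbear
    for d in "$@"; do
        printf '%s\n' "$snap" | mem_by_comm "$d"
    done
}

# Usage: compare_daemons
# Run it once idle and once with an SSH session open to see both the idle
# footprint and how many processes each daemon forks per connection.
```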
Integrate with xinetd
Like OpenSSH, Dropbear can also be started from xinetd so you don't need to run a daemon, which is useful if you are already using xinetd for other services. Moreover, xinetd offers comprehensive configuration for handling incoming connections, which Dropbear lacks.
Unfortunately Gentoo does not come with an xinetd configuration file for Dropbear. This is the one I use; just drop it in /etc/xinetd.d/dropbear and restart xinetd.
service ssh
{
    socket_type = stream
    only_from   = 0.0.0.0
    wait        = no
    user        = root
    protocol    = tcp
    server      = /usr/sbin/dropbear
    server_args = -i -g
    disable     = no
}
Use -i to indicate that the service is started from (x)inetd, and -g to disable root login with a password (public key only).
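Before enabling the stanza it is worth checking the few settings that decide exposure: -i so Dropbear speaks the inetd protocol, -g (or -s, which disables password logins for every user, not just root) so root cannot be password-guessed, and only_from, which in the stanza above places no restriction on who may connect. The following added example, not from the original post nor from xinetd or Dropbear, reads a stanza on stdin and reports those findings; the check list is my own and the sample stanzas used to exercise it are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Dropbear xinetd stanza
# read from stdin. The checks reflect what I would want confirmed before
# exposing the service; the stanza syntax is xinetd's own.

# stanza_value KEY  < stanza
# Prints the value of the first "KEY = value" line, with surrounding blanks removed.
stanza_value() {
    awk -v key="$1" -F'=' '
        { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
        k == key { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }'
}

# audit_stanza  < stanza
# Prints one finding per line; the return value is the number of findings
# (0 means nothing to report).
audit_stanza() {
    stanza=$(cat)
    findings=0
    args=$(printf '%s\n' "$stanza" | stanza_value server_args)
    from=$(printf '%s\n' "$stanza" | stanza_value only_from)
    dis=$(printf '%s\n' "$stanza" | stanza_value disable)

    case " $args " in
        *" -i "*) ;;
        *) echo "server_args lacks -i: dropbear will not run in inetd mode"
           findings=$((findings + 1)) ;;
    esac
    case " $args " in
        *" -g "*|*" -s "*) ;;
        *) echo "root password login is allowed: add -g (or -s to disable password logins entirely)"
           findings=$((findings + 1)) ;;
    esac
    case "$from" in
        ""|0.0.0.0|0.0.0.0/0)
           echo "only_from does not name an admin network: any address may connect"
           findings=$((findings + 1)) ;;
    esac
    [ "$dis" = "no" ] || { echo "disable is not 'no': xinetd will not serve this entry"
                           findings=$((findings + 1)); }
    return "$findings"
}

# Usage: audit_stanza < /etc/xinetd.d/dropbear; echo "findings: $?"
```

Restricting only_from to your admin networks is the xinetd-side control the post mentions Dropbear lacks on its own; if your admin address changes often, leave it open but make sure password logins are off so that the exposed surface is key-only.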
Conclusion
So far I am pretty happy with Dropbear on all my VPSes. In my case there is zero functionality lost in this transition, yet I've got an extra meg or two to play around with. There are many other programs that were designed and written to replace complicated counterparts, especially when many people only use part of their functionality. Hopefully I will be covering them later on HostingFu.

Comments
Thanks for the helpful article. If you want to use Filezilla to connect using sftp, does dropbear need openssh server?
I installed dropbear. I kept NO_START=0 in /etc/default/dropbear. I removed the init script for openssh:
update-rc.d -f ssh remove. I installed xinetd, and created an xinetd configuration file similar to yours in /etc/xinetd.d/dropbear. Both PuTTY and Filezilla worked fine — until I decided to remove openssh server, thinking I no longer needed it. But then Filezilla could no longer connect using sftp.
—kurt
Kurt,
SFTP is a special module that belongs to OpenSSH. You'll find it in /usr/lib/misc/sftp-server (at least on my Gentoo boxes). Dropbear does not support SFTP by itself, but has been reported to work with OpenSSH installed.
Alternatively you can use the SCP protocol to copy files. WinSCP supports SCP natively, and gives you a similar explorer-like interface.
Thanks for the feedback! WinSCP works with SFTP. I can successfully transfer files from my Windows pc to my Linux/OpenVZ VPS. Excellent!
Here is what happens with Filezilla, using Servertype of SFTP using SSH2. I have logonsuccess = HOST PID in /etc/xinetd.conf. I do see a new entry written to /var/log/syslog when Filezilla starts of START: ssh pid=15663 from=76.165.209. And ps aux shows a second instance of dropbear -i (in addition to the instance for Putty). And usr/lib/sftp-server is now shown to also be running.
But when I start a file transfer within Filezilla, another new entry is written to the /etc/log/syslog of START: ssh pid=3946 from=76.165.209, and doing ps aux now shows another, third instance of dropbear -i and a new, second instance of usr/lib/sftp-server.
I guess I’ll stick with WinSCP.
A lot of FTP clients open a second connection for file transfers, in addition to the one for the file listing. Some clients allow you to change this behavior. I’m fairly certain that with SmartFTP you can do it either way.
Is there a way to have a custom log besides /var/log/messages? I do not have /dev/log and syslog, metalog won't start, so I would like dropbear to log to /var/log/dropbear.
Regards.
Use -E to log into stderr instead of syslog.