Name

CYGPKG_NET_DROPBEAR — provide ssh support

Description

Note

The eCosPro-SecureShell package is the formal product name of the eCos Dropbear Port and the two can be used interchangeably to refer to this package.

CYGPKG_NET_DROPBEAR is a port to eCos of some of the ssh functionality of the dropbear code. It supports the following:

  1. Server support. This allows remote clients to log in to an eCos system and run commands. Of course eCos does not have a full-blown shell and the ability to run arbitrary commands loaded from disk. Instead the ssh connection is passed on to functions within the application code which can read the data coming from the remote ssh client and take appropriate action. The package ships with two examples: a simple shell-like application and an interactive game.
  2. Client support. This allows the eCos application to establish a secure connection to a remote server, for example a PC running Linux and openssh, run a command on that server, and interact with that command.
  3. Client-side scp support. This builds on the generic client support. It allows eCos applications to read and write files on a remote server over a secure connection.

The port only provides a core subset of the standard dropbear functionality. For example more advanced features like agent forwarding and X11 forwarding are not supported because those would add significantly to the overhead and complexity of the code, and would rarely be used in practice.

Ssh secure communication comes at a price. Depending on the architecture it will typically add 100-200K to the application's code size. The data requirements are considerable, including a need for 32K data buffers and multiple threads. The code will require a lot of cpu cycles. A typical embedded processor running eCos is much slower than the typical cpu of a desktop PC, and the dropbear code will take correspondingly longer to perform a given operation. Establishing an ssh connection is especially expensive and may take some seconds or even tens of seconds of cpu time. Once the connection has been established the cpu overheads are lower, but still significant. Finally the dropbear code makes extensive demands on the lower-level TCP/IP and I/O layers and various configuration options in those layers may need adjusting, as described below.

Configuration

The eCos dropbear port is intended to work in conjunction with the full BSD TCP/IP package and has numerous dependencies. Most of these can be satisfied simply by creating the eCos configuration using the net template. The dropbear package has additional dependencies on the LibTomMath multi-precision arithmetic package CYGPKG_MATH_LIBTOMMATH and the LibTomCrypt cryptography library CYGPKG_CRYPT_LIBTOMCRYPT, so those packages will have to be added explicitly to the configuration alongside CYGPKG_NET_DROPBEAR.

Usually the dropbear code depends on the presence of a file system for holding public and private keys and other data. In the eCos port this dependency has been eliminated and no file system is required. Instead all the required data is embedded directly in the eCos application and passed to the dropbear code as function arguments.

Ssh connections impose considerable demands on the lower-level TCP/IP and I/O layers, and various configuration options in those layers may need adjusting from their small default values. For example each outgoing ssh connection involves five sockets, plus one statically allocated socket shared between all connections. By default the file I/O package only supports 16 open file descriptors, three of which are used for stdin/stdout/stderr and some of the remainder may be used by other packages like DNS. That should leave enough free file descriptors for one or two ssh connections, but only if the application does not use them for other networking or file I/O activities. Increasing the configuration options CYGNUM_FILEIO_NFD and CYGNUM_FILEIO_NFILE would avoid problems in this area.

When it comes to the TCP/IP stack, the first option to consider is CYGPKG_NET_MAXSOCKETS. Closing down a network connection does not immediately free all resources associated with that connection because it is necessary to synchronize with the other end and make sure that it will not send any more packets. Hence if the application attempts multiple ssh connections in quick succession then the TCP/IP stack may run out of socket resources. Increasing CYGPKG_NET_MAXSOCKETS avoids this problem. If the connections involve large amounts of data then it may also be necessary to increase CYGPKG_NET_MEMPOOL_SIZE.
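The following script is an added example and is not part of the eCos or dropbear sources. It walks through the configuration steps above: creating a configuration from the net template, adding CYGPKG_NET_DROPBEAR together with CYGPKG_MATH_LIBTOMMATH and CYGPKG_CRYPT_LIBTOMCRYPT, and raising CYGNUM_FILEIO_NFD, CYGNUM_FILEIO_NFILE and CYGPKG_NET_MAXSOCKETS before regenerating the build tree. The ecosconfig subcommands (new, add, check, tree) are the standard ones; the helper functions that edit ecos.ecc are this example's own and assume the file layout ecosconfig writes, where each option is a `cdl_option NAME { ... # user_value N ... };` block. The target name is a placeholder, the sample ecos.ecc excerpt is constructed (only the 16-descriptor default for CYGNUM_FILEIO_NFD comes from the text), and the values written (32) are illustrative rather than recommendations.

```shell
#!/bin/sh
# Added example, not eCos or dropbear project code.
# Assumption: ecos.ecc options appear as "cdl_option NAME { ... # user_value N ... };"
# blocks, and CYGPKG_NET_MAXSOCKETS is such a block. Values below are illustrative.

# Set (or uncomment) the user_value of one CDL option inside an ecos.ecc file.
# Usage: set_cdl_user_value ecos.ecc CYGNUM_FILEIO_NFD 32
set_cdl_user_value() {
    ecc=$1; opt=$2; val=$3
    awk -v opt="$opt" -v val="$val" '
        ($1 == "cdl_option" || $1 == "cdl_component") && $2 == opt { inblock = 1 }
        inblock && /^};/ { inblock = 0 }          # block ended without a user_value line
        inblock && /^[ \t]*#?[ \t]*user_value/ {   # first user_value line, commented or not
            print "    user_value " val
            inblock = 0
            next
        }
        { print }
    ' "$ecc" > "$ecc.tmp" && mv "$ecc.tmp" "$ecc"
}

# Print the active user_value of one option, or "default" when none is set.
# Usage: get_cdl_user_value ecos.ecc CYGNUM_FILEIO_NFD
get_cdl_user_value() {
    awk -v opt="$2" '
        ($1 == "cdl_option" || $1 == "cdl_component") && $2 == opt { inblock = 1 }
        inblock && $1 == "user_value" { print $2; found = 1; exit }
        inblock && /^};/ { inblock = 0 }
        END { if (!found) print "default" }
    ' "$1"
}

# Full configuration procedure from the text. Runs only where ecosconfig and
# ECOS_REPOSITORY are available; TARGET and DIR are placeholders.
# Usage: configure_dropbear_build TARGET DIR
configure_dropbear_build() {
    target=$1; dir=$2
    ( mkdir -p "$dir" && cd "$dir" || exit 1
      ecosconfig new "$target" net
      ecosconfig add CYGPKG_NET_DROPBEAR CYGPKG_MATH_LIBTOMMATH CYGPKG_CRYPT_LIBTOMCRYPT
      # each outgoing ssh connection needs five sockets, so lift the fd and socket limits
      set_cdl_user_value ecos.ecc CYGNUM_FILEIO_NFD 32
      set_cdl_user_value ecos.ecc CYGNUM_FILEIO_NFILE 32
      set_cdl_user_value ecos.ecc CYGPKG_NET_MAXSOCKETS 32
      # set_cdl_user_value ecos.ecc CYGPKG_NET_MEMPOOL_SIZE <bytes>  # only for bulk data
      ecosconfig check   # report unresolved conflicts before building
      ecosconfig tree    # regenerate the build tree with the new values
    )
}

# Constructed ecos.ecc excerpt for a stand-alone run (not taken from a real build).
write_sample_ecc() {
    cat > "$1" <<'EOF'
cdl_option CYGNUM_FILEIO_NFD {
    # Flavor: data
    # No user value, uncomment the following line to provide one.
    # user_value 16
    # value_source default
    # Default value: 16
};

cdl_option CYGNUM_FILEIO_NFILE {
    # Flavor: data
    # No user value, uncomment the following line to provide one.
    # user_value 16
    # value_source default
};

cdl_option CYGPKG_NET_MAXSOCKETS {
    # Flavor: data
    # No user value, uncomment the following line to provide one.
    # user_value 16
    # value_source default
};
EOF
}

# Stand-alone demonstration on the constructed excerpt.
tmp=$(mktemp -d)
write_sample_ecc "$tmp/ecos.ecc"
set_cdl_user_value "$tmp/ecos.ecc" CYGNUM_FILEIO_NFD 32
set_cdl_user_value "$tmp/ecos.ecc" CYGPKG_NET_MAXSOCKETS 32
echo "CYGNUM_FILEIO_NFD:    $(get_cdl_user_value "$tmp/ecos.ecc" CYGNUM_FILEIO_NFD)"
echo "CYGNUM_FILEIO_NFILE:  $(get_cdl_user_value "$tmp/ecos.ecc" CYGNUM_FILEIO_NFILE)"
echo "CYGPKG_NET_MAXSOCKETS: $(get_cdl_user_value "$tmp/ecos.ecc" CYGPKG_NET_MAXSOCKETS)"
```

The awk helpers touch only the first user_value line of the named block, so options that already carry a user value are overwritten rather than duplicated, and a block with no user_value line is left alone. After editing ecos.ecc, `ecosconfig check` is the place to catch a value that conflicts with another package before `ecosconfig tree` regenerates the build tree.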

Port

Porting dropbear to eCos involved non-trivial modifications to the source code. The package's src subdirectory corresponds to the contents of a standard dropbear tarball. New files ecosmain.c, ecos.h and config.h have been added, and various existing files have had to be modified. A CDL script, documentation and an example application have been added to the appropriate package subdirectories, and a new header dropbear.h has been written to export the API provided by the eCos port. Two example server-side applications can be found in the package's misc subdirectory, and testcases can be found in the tests subdirectory.