eCos Dropbear Port

Name

CYGPKG_NET_DROPBEAR -- provide ssh support

Description

Note: The eCosPro-SecureShell package is the formal product name of the eCos Dropbear Port and the two can be used interchangeably to refer to this package.

CYGPKG_NET_DROPBEAR is a port to eCos of some of the ssh functionality of the dropbear code. It supports the following:

  1. Server support. This allows remote clients to log in to an eCos system and run commands. Of course eCos does not have a full-blown shell and the ability to run arbitrary commands loaded from disk. Instead the ssh connection is passed on to functions within the application code which can read the data coming from the remote ssh client and take appropriate action. The package ships with two examples: a simple shell-like application and an interactive game.

  2. Client support. This allows the eCos application to establish a secure connection to a remote server, for example a PC running Linux and openssh, run a command on that server, and interact with that command.

  3. Client-side scp support. This builds on the generic client support. It allows eCos applications to read and write files on a remote server over a secure connection.

The port only provides a core subset of the standard dropbear functionality. For example more advanced features like agent forwarding and X11 forwarding are not supported because those would add significantly to the overhead and complexity of the code, and would rarely be used in practice.

Ssh secure communication comes at a price. Depending on the architecture it will typically add 100-200K to the application's code size. The data requirements are considerable, including a need for 32K data buffers and multiple threads. The code will require a lot of cpu cycles. A typical embedded processor running eCos is much slower than the typical cpu of a desktop PC, and the dropbear code will take correspondingly longer to perform a given operation. Establishing an ssh connection is especially expensive and may take some seconds or even tens of seconds of cpu time. Once the connection has been established the cpu overheads are lower, but still significant. Finally the dropbear code makes extensive demands on the lower-level TCP/IP and I/O layers and various configuration options in those layers may need adjusting, as described below.

Configuration

The eCos dropbear port is intended to work in conjunction with the full BSD TCP/IP package and has numerous dependencies. Most of these can be satisfied simply by creating the eCos configuration using the net template. The dropbear package has additional dependencies on the LibTomMath multi-precision arithmetic package CYGPKG_MATH_LIBTOMMATH and the LibTomCrypt cryptography library CYGPKG_CRYPT_LIBTOMCRYPT, so those packages will have to be added explicitly to the configuration alongside CYGPKG_NET_DROPBEAR.

Usually the dropbear code depends on the presence of a file system for holding public and private keys and other data. In the eCos port this dependency has been eliminated and no file system is required. Instead all the required data is embedded directly in the eCos application and passed to the dropbear code as function arguments.

Ssh connections impose considerable demands on the lower-level TCP/IP and I/O layers, and various configuration options in those layers may need adjusting from their small default values. For example each outgoing ssh connection involves five sockets, plus one statically allocated socket shared between all connections. By default the file I/O package only supports 16 open file descriptors, three of which are used for stdin/stdout/stderr and some of the remainder may be used by other packages like DNS. That should leave enough free file descriptors for one or two ssh connections, but only if the application does not use them for other networking or file I/O activities. Increasing the configuration options CYGNUM_FILEIO_NFD and CYGNUM_FILEIO_NFILE would avoid problems in this area.

When it comes to the TCP/IP stack, the first option to consider is CYGPKG_NET_MAXSOCKETS. Closing down a network connection does not immediately free all resources associated with that connection because it is necessary to synchronize with the other end and make sure that that will not send any more packets. Hence if the application attempts multiple ssh connections in quick succession then the TCP/IP stack may run out socket resources. Increasing CYGPKG_NET_MAXSOCKETS avoids this problem. If the connections involve large amount of data then it may also be necessary to increase CYGPKG_NET_MEMPOOL_SIZE.

Port

Porting dropbear to eCos involved non-trivial modifications to the source code. The package's src subdirectory corresponds to the contents of a standard dropbear tarball. New files ecosmain.c, ecos.h and config.h have been added, and various existing files have had to be modified. A CDL script, documentation and an example application have been added to the appropriate package subdirectories, and a new header dropbear.h has been written to export the API provided by the eCos port. Two example server-side applications can be found in the package's misc subdirectory, and testcases can be found in the tests subdirectory.

2017-02-09
Documentation license for this page: eCosPro License