SSH Server Choices
Overview
How do I run DietPi-Software and install optimised software items?
To install any of the DietPi optimised software items listed below, run from the command line:
dietpi-software
Choose Browse Software and select one or more items. Finally, select Install.
DietPi will do all the necessary steps to install and start these software items.
To see all the DietPi configuration options, review the DietPi Tools section.
Dropbear
Dropbear is a lightweight SSH server, installed by default on DietPi systems.
Remark: You can swap or change your SSH server at any time using DietPi-Software.
The SSH server can be connected to directly from Unix with the ssh command line program or other SSH client programs:
- Address = Your IP address (e.g.: 192.168.0.100)
- Port = 22
- Username = root
- Password = dietpi
Root logins via Dropbear can be restricted from first boot on with the SOFTWARE_DISABLE_SSH_PASSWORD_LOGINS setting in the dietpi.txt file. Valid options are:
- 0: Allow password logins for all users, including root (default case)
- root: Disable password login for root user only
- 1: Disable password logins for all users (ensure that you have a valid SSH key applied!)
The first boot scripts apply them via the DROPBEAR_EXTRA_ARGS setting in /etc/default/dropbear, before the SSH server starts and before the network is set up.
Later on (after the first installation run has completed), these options can be changed by the command
/boot/dietpi/func/dietpi-set_software disable_ssh_password_logins <option>
If <option> is skipped/empty, the one from /boot/dietpi.txt will be reapplied to /etc/default/dropbear.
Public SSH authentication keys for the users root and dietpi can be added from first boot on with the AUTO_SETUP_SSH_PUBKEY setting in the dietpi.txt file. The first boot procedure applies them to ~/.ssh/authorized_keys of both users, before the SSH server starts and before the network is set up.
If multiple keys are used in dietpi.txt, each key will be added to both users root and dietpi. Multiple keys can be relevant when multiple SSH clients are used, each with its own key pair(s).
A key pair can be generated with most SSH clients, e.g. with OpenSSH or Dropbear from the console (dropbearkey is only available if Dropbear is selected as the SSH server option):
# OpenSSH client:
ssh-keygen -t ed25519
# Dropbear client:
dropbearkey -t ed25519 -f ~/.ssh/id_dropbear
An example output or ~/.ssh/id_ed25519.pub content (for the AUTO_SETUP_SSH_PUBKEY setting in dietpi.txt) could be:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcoZfa+8uivetL4FTstsMl1MsnkjM1ssYW9wQh77xaS root@dietpi
Other key types are supported, but we suggest Ed25519, a modern scheme which provides best security with a small key size.
The commands generate a public key with an additional key comment at the end of the generated line, root@dietpi in the above example. This comment generally has no function, but it is shown by SSH clients when performing a key authentication, and can be used to understand the entry better. It can be set or omitted in dietpi.txt for the user's convenience.
ssh-keygen asks for an optional passphrase and file path. We suggest using the default ~/.ssh/id_ed25519, where the client will be able to use it out of the box. The file id_ed25519.pub holds the public key to be used within /boot/dietpi.txt. See the comments in /boot/dietpi.txt and man ssh-keygen for further details.
dropbearkey prints the public key portion to the console instead. The command can also be extended with the option -C <key comment>. See man dropbearkey for further details.
Website: https://matt.ucc.asn.au/dropbear/dropbear.html
Wikipedia: https://wikipedia.org/wiki/Dropbear_(software)
OpenSSH
OpenSSH offers a feature-rich SSH server with SFTP/SCP support.
Remark: You can swap or change your SSH server at any time using DietPi-Software.
The SSH server can be connected to directly from Unix with the ssh command line program or other SSH client programs:
- Address = Your IP address (e.g.: 192.168.0.100)
- Username = root
- Password = dietpi
- Port = 22
Root logins via Dropbear can be restricted from first boot on with the SOFTWARE_DISABLE_SSH_PASSWORD_LOGINS setting in the dietpi.txt file. Valid options are:
- 0: Allow password logins for all users, including root (default case)
- root: Disable password login for root user only
- 1: Disable password logins for all users (ensure that you have a valid SSH key applied!)
The options lead to changes in the file /etc/ssh/sshd_config (values PubkeyAuthentication, PasswordAuthentication and PermitRootLogin). They are set with the configuration option SOFTWARE_DISABLE_SSH_PASSWORD_LOGINS in the file /boot/dietpi.txt, which is examined during the initial first boot sequence.
Later on (after the first installation run has completed), these options can be changed by the command
/boot/dietpi/func/dietpi-set_software disable_ssh_password_logins <option>
If <option> is skipped/empty, the one from /boot/dietpi.txt will be reapplied to /etc/default/dropbear.
Public SSH authentication keys for the users root and dietpi can be added from first boot on with the AUTO_SETUP_SSH_PUBKEY setting in the dietpi.txt file. The first boot procedure applies them to ~/.ssh/authorized_keys of both users, before the SSH server starts and before the network is set up.
If multiple keys are used in dietpi.txt, each key will be added to both users root and dietpi. Multiple keys can be relevant when multiple SSH clients are used, each with its own key pair(s).
A key pair can be generated with most SSH clients, e.g. with OpenSSH or Dropbear from the console (dropbearkey is only available if Dropbear is selected as the SSH server option):
# OpenSSH client:
ssh-keygen -t ed25519
# Dropbear client:
dropbearkey -t ed25519 -f ~/.ssh/id_dropbear
An example output or ~/.ssh/id_ed25519.pub content (for the AUTO_SETUP_SSH_PUBKEY setting in dietpi.txt) could be:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcoZfa+8uivetL4FTstsMl1MsnkjM1ssYW9wQh77xaS root@dietpi
Other key types are supported, but we suggest Ed25519, a modern scheme which provides best security with a small key size.
The commands generate a public key with an additional key comment at the end of the generated line, root@dietpi in the above example. This comment generally has no function, but it is shown by SSH clients when performing a key authentication, and can be used to understand the entry better. It can be set or omitted in dietpi.txt for the user's convenience.
ssh-keygen asks for an optional passphrase and file path. We suggest using the default ~/.ssh/id_ed25519, where the client will be able to use it out of the box. The file id_ed25519.pub holds the public key to be used within /boot/dietpi.txt. See the comments in /boot/dietpi.txt and man ssh-keygen for further details.
dropbearkey prints the public key portion to the console instead. The command can also be extended with the option -C <key comment>. See man dropbearkey for further details.
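A pre-flight check for the two dietpi.txt settings described in the Dropbear and OpenSSH sections, as an added example that is not part of DietPi's own tooling: it validates every AUTO_SETUP_SSH_PUBKEY value and reports when option 1 would disable password logins with no key in place. It assumes one KEY=value setting per line with # starting a comment, one key per AUTO_SETUP_SSH_PUBKEY line, and GNU base64; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check of dietpi.txt before first boot.
# Assumption: one KEY=value per line, commented lines start with '#'.

get_setting() { # $1 = file, $2 = setting name; prints every active value
    sed -n "s/^$2=//p" "$1" | tr -d '\r' # tolerate CRLF from Windows editors
}

# True if "$1" looks like "<type> <base64 blob> [comment]" and the blob
# embeds the same type name (4-byte length prefix, then the name).
valid_pubkey() {
    read -r ktype blob _comment <<EOF
$1
EOF
    case $ktype in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp*) ;;
        *) return 1 ;;
    esac
    embedded=$(printf '%s' "$blob" | base64 -d 2>/dev/null |
        tail -c +5 | head -c "${#ktype}" | tr -d '\000')
    [ "$embedded" = "$ktype" ]
}

# Returns 0 = consistent, 1 = option 1 without any key (lockout), 2 = invalid input.
check_dietpi_txt() { # $1 = path to dietpi.txt
    mode=$(get_setting "$1" SOFTWARE_DISABLE_SSH_PASSWORD_LOGINS | tail -n 1)
    mode=${mode:-0} # the page gives 0 as the default case
    case $mode in 0|root|1) ;; *) echo "invalid option: $mode" >&2; return 2 ;; esac
    good=0
    while IFS= read -r key; do
        [ -n "$key" ] || continue
        valid_pubkey "$key" || { echo "malformed key: $key" >&2; return 2; }
        good=$((good + 1))
    done <<EOF
$(get_setting "$1" AUTO_SETUP_SSH_PUBKEY)
EOF
    if [ "$mode" = 1 ] && [ "$good" -eq 0 ]; then
        echo "password logins disabled but no public key configured" >&2
        return 1
    fi
    echo "ok: mode=$mode keys=$good"
}

# Constructed sample file, using the example public key shown on this page.
sample=$(mktemp)
printf '%s\n' 'SOFTWARE_DISABLE_SSH_PASSWORD_LOGINS=1' \
    'AUTO_SETUP_SSH_PUBKEY=ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcoZfa+8uivetL4FTstsMl1MsnkjM1ssYW9wQh77xaS root@dietpi' > "$sample"
check_dietpi_txt "$sample"
rm -f "$sample"
```

Run it against the dietpi.txt on the boot partition before the first boot; a non-zero exit status means the file should be corrected first.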
WinSCP will allow you to transfer files and folders on your DietPi device (WinSCP downloads page).
Website: https://www.openssh.com
Wikipedia: https://wikipedia.org/wiki/OpenSSH