When you are using a low-end server with only 64MB of memory, sometimes you just have to look for alternative software packages with less bloat, to leave more memory for your (often more bloated) applications. OpenSSH is the essential application on a Linux/xBSD server; however, I think it eats up one or two more megabytes of memory than it should, and it can easily be replaced by a lighter-weight SSH server like Dropbear.
On an Ubuntu 7.10 x86 server running OpenSSH:
$ ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      2052  0.0  0.2   5288   996 ?        Ss   Mar25   0:00 /usr/sbin/sshd
root     21819  0.2  0.7   8168  2700 ?        Ss   10:28   0:00 sshd: user@pts/0
user     21836  0.0  0.4   8044  1748 ?        S    10:29   0:00 sshd: user@pts/0
...
On a Debian 4 x86 server running Dropbear:
$ ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      1344  0.0  1.3   2648   864 ?        Ss   10:28   0:00 /usr/sbin/xinetd
root      1347  0.2  1.8   4216  1220 ?        Ss   10:29   0:00 dropbear -i -g
...
As you can see, it is quite a bit of saving, especially if you operate a shell service where lots of people log in (or use sftp/scp) at the same time. Also note that:
- While Dropbear can be used as a standalone server, I am using it with xinetd so it uses even less memory (I am also running xinetd for a few other services).
- If you log in as a non-root user, OpenSSH spawns two processes but Dropbear spawns only one.
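
A xinetd service definition that would produce the `dropbear -i -g` process shown in the listing above. This is an added example, not the author's actual configuration; the file name, the /usr/sbin/dropbear path and the connection limits are assumptions.

```conf
# /etc/xinetd.d/dropbear   (assumed file name)
#
# Prerequisite: a host key must already exist, for example one created with
#   dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key
#
# xinetd holds the listening socket on port 22 and starts one dropbear
# process per incoming connection, so no SSH daemon stays resident
# between logins.
service ssh
{
    disable         = no
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = root

    # Assumed install path; check with "which dropbear".
    server          = /usr/sbin/dropbear

    # -i  inetd mode: serve the single connection handed over on stdin/stdout
    # -g  disable password logins for root (public-key login still works)
    server_args     = -i -g

    # Assumed limits. Each session costs roughly one dropbear process,
    # so capping concurrent sessions also bounds memory use on a 64MB box.
    instances       = 10

    # At most 3 simultaneous connections from any one source address.
    per_source      = 3

    # More than 10 new connections per second disables the service
    # for 30 seconds, which blunts connection floods.
    cps             = 10 30

    # Record peer address and session duration for later review.
    log_on_success  += PID HOST DURATION
    log_on_failure  += HOST
}
```

Comments sit on their own lines because xinetd only treats a line as a comment when it starts with `#`. After reloading xinetd, a new login should appear in `ps aux` as `dropbear -i -g`.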
Dropbear does have a few issues (terrible performance with SftpDrive, fewer features and options, etc.), but it feels as good as OpenSSH for server administration while using half the amount of memory.
Cool article.
Though I still prefer OpenSSH. OpenSSH is default on most systems. And though I can live without sftp or sshfs, sometimes I do feel it’s convenient if sshfs is available. I also heard that OpenSSH has better support for agent forwarding.
But anyway, thanks for your article. Sometimes you just don’t have choice. Limited resources answer the question for you.
@weakish — with OpenSSH installed, you can also get sftp and sshfs on Dropbear. Just that from my experience it is significantly slower than OpenSSH over a local area network. However if it is over the Internet then the bottleneck could have been the end-to-end bandwidth instead of Dropbear.
OpenSSH has a much richer feature set though. For example tun support so you can build a cheap VPN.
Thanks again for your detailed information.
Are you sure sshfs works with dropbear?
For me I have an error like this trying to mount a directory on my openwrt box:
root@warsaw /home/zoobab/mov [2]# sshfs root@192.168.100.1:/mnt /mnt
root@192.168.100.1’s password:
remote host has disconnected
If you have a solution, please mail me at zoobab-at-gmail.com
Dropbear is mothballed. You’re using a dead project to save 3 megabytes of memory, with fewer features, no security updates and worse performance?
I’m all for tweaking every last bit of performance but I won’t do it at the expense of other more important factors, especially not for 3MB. You can run OpenSSH behind xinetd just fine.
P.S. those memory statistics are pointless anyway. Dropbear and OpenSSH are both invoked only when necessary if you are running them behind xinetd. The only reason they appear in ps is because you’re already logged in via SSH. Who cares if their server uses 3 extra MB of memory for a few minutes while logged into SSH?
P.P.S your low end script is dangerously insecure and utterly terrible. You should probably avoid convincing noobs to use it. I’ve seen various morons pop into the Nginx channel on freenode asking how to install it.
Definitely a case of the blind leading the blind.
Can you give more detail about your statement?
If a software doesn’t have updates, that implies the software has security faults? Damn… ¬¬
Dropbear isn’t so old…
http://viewmtn.angrygoats.net/branch/changes/au.asn.ucc.matt.dropbear
http://www.google.com.mx/search?hl=es&q=dropbear+exploit|vulnerability|+0.52&aq=f&aqi=&aql=&oq=
And yes, Can you give more detail about your statement?
@Ryan,
True. Not with today’s “low end” offers starting at minimum 256MB of memory. 3 years ago (when this article was written) the low packages were typically 64MB Xen/OpenVZ boxes, and it does add up when multiple SSH connections are opened. Oh by the way, you did notice that you are commenting on a post that’s almost 3 years old, right?
First of all, it is not my fault when morons cannot install some piece of software that has already been streamlined for them in a shell script :)
Secondly, it is hosted on github so free for everyone to read it, understand it, branch it and modify it to their own needs. I guess my initial assumption on the readership here is wrong — I thought most people are competent Linux users able to read and modify shell scripts. Little did I know how many n00bs there are attempting to dive into unmanaged VPS when a cPanel shared hosting probably suits them better :)
And security? Feel free to contact me or even comment here. I don’t hang around freenode.
The 2.5 year release hiatus seems to have ended. Dropbear 0.53 came out end of last month, with a 0.53.1 bugfix a week later. Most interesting to me is the promise of support for SSH_ORIGINAL_COMMAND, which I think is all that was stopping dropbear from being used for a gitolite/gitosis server. There’s also a handful of other new features and the promise of “Various performance/memory use improvements”.
It’s not all great news though, there doesn’t seem to be any pre-compiled debian packages like for the other versions, and the Makefile forgets to link to libcrypto, which you have to specify manually (“LIBS=-lcrypto make”). The download site was also a little wonky the other day, only working via IPv6, but it seems to be back up.
I have compiled it without any problem o_O
Dropbear 1.4 uses a few % less RAM on a 128meg box. On Debian:
cp /usr/lib/openssh/sftp-server /usr/lib/openssh/sftp-server.bak
cp /usr/lib/sftp-server /usr/lib/sftp-server.bak
& move them back after removing OpenSSH & SFTP will still work.
Thanks for your article. But I think is not still usable.
thanks for this fluent and useful post.