LowEndBox

Hosting Websites on Bare Minimum VPS/Dedicated Servers

Replacing OpenSSH with Dropbear

Date/Time: March 30, 2008 @ 11:48 pm, by LowEndAdmin

When you are using a low-end server with only 64MB of memory, sometimes you just have to look for alternative software packages with less bloat, to leave more memory for your (often more bloated) applications. OpenSSH is the essential application on a Linux/xBSD server. However, I think it eats up one or two more megabytes of memory than it should, and it can easily be replaced by a lighter-weight SSH server like Dropbear.

On an Ubuntu 7.10 x86 server running OpenSSH:

$ ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      2052  0.0  0.2   5288   996 ?        Ss   Mar25   0:00 /usr/sbin/sshd
root     21819  0.2  0.7   8168  2700 ?        Ss   10:28   0:00 sshd: user@pts/0
user     21836  0.0  0.4   8044  1748 ?        S    10:29   0:00 sshd: user@pts/0
...

On a Debian 4 x86 server running Dropbear:

$ ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root      1344  0.0  1.3   2648   864 ?        Ss   10:28   0:00 /usr/sbin/xinetd
root      1347  0.2  1.8   4216  1220 ?        Ss   10:29   0:00 dropbear -i -g
...

As you can see, it is quite a saving, especially if you operate a shell service where lots of people are logged in (or using sftp/scp) at the same time. Also note that:

  • While Dropbear can be used as a standalone server, I am using it with xinetd so it uses even less memory (I am also running xinetd for a few other services).
  • If you log in as a non-root user, OpenSSH spawns two processes but Dropbear spawns only one.
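A possible xinetd service entry for the `dropbear -i -g` setup shown above, with connection limits added. This is an added example, not the author's actual configuration; the file name, the limit values and the server path (taken from Debian's dropbear package) are assumptions.

```conf
# /etc/xinetd.d/dropbear  (assumed file name)
#
# Before enabling:
#   - stop any standalone sshd/dropbear so port 22 is free
#   - make sure the host key exists, e.g.
#       dropbearkey -t rsa -f /etc/dropbear/dropbear_rsa_host_key
#
# Comments are kept on their own lines: xinetd only treats a line as a
# comment when '#' is its first non-blank character, so a trailing comment
# after server_args would be handed to dropbear as extra arguments.

service ssh
{
    disable         = no
    socket_type     = stream
    protocol        = tcp
    wait            = no

    # Runs as root so the session can switch to the login user.
    user            = root
    server          = /usr/sbin/dropbear

    # -i  service (inetd) mode: the SSH session runs on the socket xinetd accepted
    # -g  disable password logins for root
    # (-s would disable password logins for every account, leaving key auth only)
    server_args     = -i -g

    # Under xinetd every connection is a new process, so cap how many a
    # port-22 scan or password-guessing run can create on a 64MB box.
    # At most 10 SSH processes in total, and 3 per client address:
    instances       = 10
    per_source      = 3
    # More than 10 new connections per second: stop accepting for 30 seconds.
    cps             = 10 30

    log_on_success  += HOST PID DURATION
    log_on_failure  += HOST
}
```

Connections refused by `instances`, `per_source` or `cps` never reach Dropbear; they show up only in xinetd's own log.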

Dropbear does have a few issues (terrible performance with SftpDrive, fewer features and options, etc.), but for server administration it feels as good as OpenSSH while using half the amount of memory.

12 Comments

  1. Cool article.

    Though I still prefer OpenSSH. OpenSSH is default on most systems. And though I can live without sftp or sshfs, sometimes I do feel it’s convenient if sshfs is available. I also heard that OpenSSH has better support for agent forwarding.

    But anyway, thanks for your article. Sometimes you just don’t have choice. Limited resources answer the question for you.

    April 14, 2008 @ 9:48 am
  2. @weakish — with OpenSSH installed, you can also get sftp and sshfs on Dropbear. Just that from my experience it is significantly slower than OpenSSH over a local area network. However if it is over the Internet then the bottleneck could have been the end-to-end bandwidth instead of Dropbear.

    OpenSSH has a much richer feature set though. For example, tun support so you can build a cheap VPN.

    April 14, 2008 @ 10:35 am
  3. Thanks again for your detailed information.

    April 14, 2008 @ 3:42 pm
  4. zoobab:

    Are you sure sshfs works with dropbear?

    For me I have an error like this trying to mount a directory on my openwrt box:

    root@warsaw /home/zoobab/mov [2]# sshfs root@192.168.100.1:/mnt /mnt
    root@192.168.100.1’s password:
    remote host has disconnected

    If you have a solution, please mail me at zoobab-at-gmail.com

    November 25, 2008 @ 2:43 pm
  5. Ryan:

    Dropbear is mothballed. You’re using a dead project to save 3 megabytes of memory, with less features, no security updates and worse performance?

    I’m all for tweaking every last bit of performance but I won’t do it at the expense of other more important factors, especially not for 3MB. You can run OpenSSH behind xinetd just fine.

    January 15, 2011 @ 1:22 am
  6. Ryan:

    P.S. those memory statistics are pointless anyway. Dropbear and OpenSSH are both invoked only when necessary if you are running them behind xinetd. The only reason they appear in ps is because you’re already logged in via SSH. Who cares if their server uses 3 extra MB of memory for a few minutes while logged into SSH?

    P.P.S your low end script is dangerously insecure and utterly terrible. You should probably avoid convincing noobs to use it. I’ve seen various morons pop into the Nginx channel on freenode asking how to install it.

    Definitely a case of the blind leading the blind.

    January 15, 2011 @ 1:39 am
    • P.P.S your low end script is dangerously insecure and utterly terrible. You should probably avoid convincing noobs to use it. I’ve seen various morons pop into the Nginx channel on freenode asking how to install it.

      Can you give more detail about your statement?

      January 15, 2011 @ 5:33 am
    • If a software doesn’t have updates, that implies the software has security faults? Damn… ¬¬

      Dropbear isn’t so old…

      http://viewmtn.angrygoats.net/branch/changes/au.asn.ucc.matt.dropbear

      http://www.google.com.mx/search?hl=es&q=dropbear+exploit|vulnerability|+0.52&aq=f&aqi=&aql=&oq=

      And yes, Can you give more detail about your statement?

      January 15, 2011 @ 6:03 am
    • @Ryan,

      Who cares if their server uses 3 extra MB of memory for a few minutes while logged into SSH?

      True. Not with today’s “low end” offers starting at minimum 256MB of memory. 3 years ago (when this article was written) the low packages were typically 64MB Xen/OpenVZ boxes, and it does add up when multiple SSH connections are opened. Oh by the way, you did notice that you are commenting on a post that’s almost 3 years old, right?

      your low end script is dangerously insecure and utterly terrible… various morons pop into the Nginx channel on freenode asking how to install it.

      First of all, it is not my fault when morons cannot install some piece of software that has already been streamlined for them in a shell script :)

      Secondly, it is hosted on github so free for everyone to read it, understand it, branch it and modify it to their own needs. I guess my initial assumption on the readership here is wrong — I thought most people are competent Linux users able to read and modify shell scripts. Little did I know how many n00bs there are attempting to dive into unmanaged VPS when a cPanel shared hosting probably suits them better :)

      And security? Feel free to contact me or even comment here. I don’t hang around freenode.

      January 15, 2011 @ 7:41 am
  7. fanovpn:

    The 2.5 year release hiatus seems to have ended. Dropbear 0.53 came out end of last month, with a 0.53.1 bugfix a week later. Most interesting to me is the promise of support for SSH_ORIGINAL_COMMAND, which I think is all that was stopping dropbear from being used for a gitolite/gitosis server. There’s also a handful of other new features and the promise of “Various performance/memory use improvements”.

    It’s not all great news though, there doesn’t seem to be any pre-compiled debian packages like for the other versions, and the Makefile forgets to link to libcrypto, which you have to specify manually (“LIBS=-lcrypto make”). The download site was also a little wonky the other day, only working via IPv6, but it seems to be back up.

    March 28, 2011 @ 12:18 am
  8. Stuart:

    Dropbear 1.4 uses a few % less RAM on a 128meg box. On Debian:

    cp /usr/lib/openssh/sftp-server /usr/lib/openssh/sftp-server.bak
    cp /usr/lib/sftp-server /usr/lib/sftp-server.bak

    & move them back after removing OpenSSH & SFTP will still work.

    October 4, 2013 @ 3:06 am
