1dropbear(8) System Manager's Manual dropbear(8)
2
6 dropbear - lightweight SSH server
7
9 dropbear [flag arguments] [-b banner] [-r hostkeyfile] [-p
10 [address:]port]
11
13 dropbear is a small SSH server
14
16 -b banner
17 bannerfile. Display the contents of the file banner before user
18 login (default: none).
19 -r hostkey
21 Use the contents of the file hostkey for the SSH hostkey. This
22 file is generated with dropbearkey(1) or automatically with the
23 '-R' option. See "Host Key Files" below.
24 -R Generate hostkeys automatically. See "Host Key Files" below.
26 -F Don't fork into background.
28 -E Log to standard error rather than syslog.
30 -m Don't display the message of the day on login.
32 -w Disallow root logins.
34 -s Disable password logins.
36 -g Disable password logins for root.
38 -j Disable local port forwarding.
40 -k Disable remote port forwarding.
42 -p [address:]port
44 Listen on specified address and TCP port. If just a port is
45 given listen on all addresses. up to 10 can be specified
46 (default 22 if none specified).
47 -i Service program mode. Use this option to run dropbear under
49 TCP/IP servers like inetd, tcpsvd, or tcpserver. In program
50 mode the -F option is implied, and -p options are ignored.
51 -P pidfile
53 Specify a pidfile to create when running as a daemon. If not
54 specified, the default is /var/run/dropbear.pid
55 -a Allow remote hosts to connect to forwarded ports.
57 -W windowsize
59 Specify the per-channel receive window buffer size. Increasing
60 this may improve network performance at the expense of memory
61 use. Use -h to see the default buffer size.
62 -K timeout_seconds
64 Ensure that traffic is transmitted at a certain interval in sec‐
65 onds. This is useful for working around firewalls or routers
66 that drop connections after a certain period of inactivity. The
67 trade-off is that a session may be closed if there is a tempo‐
68 rary lapse of network connectivity. A setting if 0 disables
69 keepalives. If no response is received for 3 consecutive
70 keepalives the connection will be closed.
71 -I idle_timeout
73 Disconnect the session if no traffic is transmitted or received
74 for idle_timeout seconds.
75 -T max_authentication_attempts
77 Set the number of authentication attempts allowed per connec‐
78 tion. If unspecified the default is 10 (MAX_AUTH_TRIES)
79 -c forced_command
81 Disregard the command provided by the user and always run
82 forced_command. This also overrides any authorized_keys command=
83 option.
84 -V Print the version
86
89 Authorized Keys
90 ~/.ssh/authorized_keys can be set up to allow remote login with
92 a RSA, ECDSA, or DSS key. Each line is of the form
93 [restrictions] ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIgAsp... [comment]
95 and can be extracted from a Dropbear private host key with
97 "dropbearkey -y". This is the same format as used by OpenSSH,
98 though the restrictions are a subset (keys with unknown restric‐
99 tions are ignored). Restrictions are comma separated, with dou‐
100 ble quotes around spaces in arguments. Available restrictions
101 are:
102 no-port-forwarding
105 Don't allow port forwarding for this connection
106 no-agent-forwarding
109 Don't allow agent forwarding for this connection
110 no-X11-forwarding
113 Don't allow X11 forwarding for this connection
114 no-pty Disable PTY allocation. Note that a user can still obtain most
117 of the same functionality with other means even if no-pty is
118 set.
119 command="forced_command"
122 Disregard the command provided by the user and always run
123 forced_command. The -c command line option overrides this.
124 The authorized_keys file and its containing ~/.ssh directory
126 must only be writable by the user, otherwise Dropbear will not
127 allow a login using public key authentication.
128 Host Key Files
131 Host key files are read at startup from a standard location, by
133 default /etc/dropbear/dropbear_dss_host_key, /etc/dropbear/drop‐
134 bear_rsa_host_key, and /etc/dropbear/dropbear_ecdsa_host_key
135 If the -r command line option is specified the default files are
137 not loaded. Host key files are of the form generated by drop‐
138 bearkey. The -R option can be used to automatically generate
139 keys in the default location - keys will be generated after
140 startup when the first connection is established. This had the
141 benefit that the system /dev/urandom random number source has a
142 better chance of being securely seeded.
143 Message Of The Day
146 By default the file /etc/motd will be printed for any login
148 shell (unless disabled at compile-time). This can also be dis‐
149 abled per-user by creating a file ~/.hushlogin .
150
153 Dropbear sets the standard variables USER, LOGNAME, HOME, SHELL, PATH,
154 and TERM.
155 The variables below are set for sessions as appropriate.
157 SSH_TTY
160 This is set to the allocated TTY if a PTY was used.
161 SSH_CONNECTION
164 Contains "<remote_ip> <remote_port> <local_ip> <local_port>".
165 DISPLAY
168 Set X11 forwarding is used.
169 SSH_ORIGINAL_COMMAND
172 If a 'command=' authorized_keys option was used, the original
173 command is specified in this variable. If a shell was requested
174 this is set to an empty value.
175 SSH_AUTH_SOCK
178 Set to a forwarded ssh-agent connection.
179
182 Dropbear only supports SSH protocol version 2.
183
186 Matt Johnston (matt@ucc.asn.au).
187 Gerrit Pape (pape@smarden.org) wrote this manual page.
188
190 dropbearkey(1), dbclient(1), dropbearconvert(1)
191 https://matt.ucc.asn.au/dropbear/dropbear.html
193 dropbear(8)