dropbear(8)               System Manager's Manual              dropbear(8)

NAME
       dropbear - lightweight SSH server

SYNOPSIS
       dropbear [flag arguments] [-b banner] [-r hostkeyfile]
                [-p [address:]port]

DESCRIPTION
       dropbear is a small SSH server.

OPTIONS
       -b banner
              Display the contents of the file banner before user login
              (default: none).

       -r hostkey
              Use the contents of the file hostkey for the SSH hostkey.
              This file is generated with dropbearkey(1) or automatically
              with the '-R' option. See "Host Key Files" below.

       -R     Generate hostkeys automatically. See "Host Key Files" below.

       -F     Don't fork into background.

       -E     Log to standard error rather than syslog.

       -e     Pass on the server environment to all child processes. This
              is required, for example, if Dropbear is launched on the
              fly from a SLURM workload manager. The environment is not
              passed by default. Note that this could expose secrets in
              environment variables from the calling process - use with
              caution.

       -m     Don't display the message of the day on login.

       -w     Disallow root logins.

       -s     Disable password logins.

       -g     Disable password logins for root.

       -j     Disable local port forwarding.

       -k     Disable remote port forwarding.

       -p [address:]port
              Listen on specified address and TCP port. If just a port is
              given, listen on all addresses. Up to 10 can be specified
              (default 22 if none specified).

       -i     Service program mode. Use this option to run dropbear under
              TCP/IP servers like inetd, tcpsvd, or tcpserver. In program
              mode the -F option is implied, and -p options are ignored.

       -P pidfile
              Specify a pidfile to create when running as a daemon. If
              not specified, the default is /var/run/dropbear.pid.

       -a     Allow remote hosts to connect to forwarded ports.

       -W windowsize
              Specify the per-channel receive window buffer size.
              Increasing this may improve network performance at the
              expense of memory use. Use -h to see the default buffer
              size.

       -K timeout_seconds
              Ensure that traffic is transmitted at a certain interval in
              seconds. This is useful for working around firewalls or
              routers that drop connections after a certain period of
              inactivity. The trade-off is that a session may be closed
              if there is a temporary lapse of network connectivity. A
              setting of 0 disables keepalives. If no response is
              received for 3 consecutive keepalives the connection will
              be closed.

       -I idle_timeout
              Disconnect the session if no traffic is transmitted or
              received for idle_timeout seconds.

       -T max_authentication_attempts
              Set the number of authentication attempts allowed per
              connection. If unspecified the default is 10
              (MAX_AUTH_TRIES).

       -c forced_command
              Disregard the command provided by the user and always run
              forced_command. This also overrides any authorized_keys
              command= option. The original command is saved in the
              SSH_ORIGINAL_COMMAND environment variable (see below).

       -V     Print the version.

FILES
       Authorized Keys

              ~/.ssh/authorized_keys can be set up to allow remote login
              with an RSA, ECDSA, Ed25519 or DSS key. Each line is of the
              form

              [restrictions] ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIgAsp... [comment]

              and can be extracted from a Dropbear private host key with
              "dropbearkey -y". This is the same format as used by
              OpenSSH, though the restrictions are a subset (keys with
              unknown restrictions are ignored). Restrictions are comma
              separated, with double quotes around spaces in arguments.
              Available restrictions are:

              no-port-forwarding
                     Don't allow port forwarding for this connection.

              no-agent-forwarding
                     Don't allow agent forwarding for this connection.

              no-X11-forwarding
                     Don't allow X11 forwarding for this connection.

              no-pty Disable PTY allocation. Note that a user can still
                     obtain most of the same functionality with other
                     means even if no-pty is set.

              restrict
                     Applies all the no- restrictions listed above.

              command="forced_command"
                     Disregard the command provided by the user and
                     always run forced_command. The -c command line
                     option overrides this.

              The authorized_keys file and its containing ~/.ssh
              directory must only be writable by the user, otherwise
              Dropbear will not allow a login using public key
              authentication.
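
An audit of authorized_keys lines against the restriction list above, as an added example that is not part of the Dropbear manual or source. It assumes exact, case-sensitive restriction names and the usual SSH key type names; the sample lines are constructed, with placeholder key blobs.

```python
# Restriction names are the ones listed on this page; exact, case-sensitive
# matching and no backslash-escape handling are assumptions of this example.
FLAGS = {"no-port-forwarding", "no-agent-forwarding",
         "no-X11-forwarding", "no-pty", "restrict"}
KEY_PREFIXES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")

# Constructed sample; key blobs are placeholders. from= is not in the list above.
SAMPLE = [
    "# backup host",
    "ssh-ed25519 AAAAC3placeholder admin@laptop",
    'restrict,command="/usr/bin/rsync --server, -a ." ssh-rsa AAAAplaceholder bk',
    'no-pty,from="10.0.0.5" ssh-rsa AAAAplaceholder legacy',
]


def split_field(line):
    """Return (restrictions, remainder); quotes protect spaces and commas."""
    if line.startswith(KEY_PREFIXES):
        return [], line                      # no restrictions field present
    parts, cur, quoted = [], "", False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        if not quoted and ch in " \t":
            return parts + [cur], line[i:].strip()
        if not quoted and ch == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    return parts + [cur], ""


def audit(line):
    """Classify a line as 'skip', 'ignored', 'unrestricted' or 'restricted'."""
    line = line.strip()
    if not line or line.startswith("#"):
        return "skip"
    restrictions, _key = split_field(line)
    for r in restrictions:
        is_command = r.startswith('command="') and r.endswith('"') and len(r) > 9
        if r not in FLAGS and not is_command:
            return "ignored"   # per the text above, such keys are ignored
    return "restricted" if restrictions else "unrestricted"


if __name__ == "__main__":
    for entry in SAMPLE:
        print(f"{audit(entry):12} {entry[:50]}")
```

Lines reported as "ignored" are keys that would silently stop working after a move from OpenSSH, and "unrestricted" lines are the ones to review for a missing restrict or command= entry.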

       Host Key Files

              Host key files are read at startup from a standard
              location, by default /etc/dropbear/dropbear_dss_host_key,
              /etc/dropbear/dropbear_rsa_host_key,
              /etc/dropbear/dropbear_ecdsa_host_key and
              /etc/dropbear/dropbear_ed25519_host_key.

              If the -r command line option is specified the default
              files are not loaded. Host key files are of the form
              generated by dropbearkey. The -R option can be used to
              automatically generate keys in the default location - keys
              will be generated after startup when the first connection
              is established. This has the benefit that the system
              /dev/urandom random number source has a better chance of
              being securely seeded.

       Message Of The Day

              By default the file /etc/motd will be printed for any login
              shell (unless disabled at compile-time). This can also be
              disabled per-user by creating a file ~/.hushlogin.

ENVIRONMENT VARIABLES
       Dropbear sets the standard variables USER, LOGNAME, HOME, SHELL,
       PATH, and TERM.

       The variables below are set for sessions as appropriate.

       SSH_TTY
              This is set to the allocated TTY if a PTY was used.

       SSH_CONNECTION
              Contains "<remote_ip> <remote_port> <local_ip> <local_port>".

       DISPLAY
              Set if X11 forwarding is used.

       SSH_ORIGINAL_COMMAND
              If a 'command=' authorized_keys option was used, the
              original command is specified in this variable. If a shell
              was requested this is set to an empty value.

       SSH_AUTH_SOCK
              Set to a forwarded ssh-agent connection.
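
A forced command that validates SSH_ORIGINAL_COMMAND before running anything, as an added example that is not part of the Dropbear manual or source. It is meant to be installed as the forced_command of -c or command=; the request words, program paths and argument pattern in POLICY and SAFE_ARG are hypothetical.

```python
import os
import re
import shlex

# Hypothetical policy for this example: request word -> fixed argv.
# A "{}" slot takes exactly one client argument, validated by SAFE_ARG.
POLICY = {
    "status": ["/usr/bin/uptime"],
    "disk": ["/bin/df", "-h"],
    "tail-log": ["/usr/bin/tail", "-n", "50", "/var/log/app/{}.log"],
}
SAFE_ARG = re.compile(r"[A-Za-z0-9_-]{1,32}")


def decide(original):
    """Map the client's requested command to an argv list, or None to refuse."""
    if not original:
        return None                      # unset or empty: a shell was requested
    try:
        words = shlex.split(original)
    except ValueError:
        return None                      # unbalanced quoting
    template = POLICY.get(words[0]) if words else None
    if template is None:
        return None                      # request word not in the policy
    slots = sum("{}" in part for part in template)
    args = words[1:]
    if len(args) != slots or not all(SAFE_ARG.fullmatch(a) for a in args):
        return None                      # wrong arity or unsafe characters
    it = iter(args)
    return [p.replace("{}", next(it)) if "{}" in p else p for p in template]


def main():
    argv = decide(os.environ.get("SSH_ORIGINAL_COMMAND"))
    if argv is None:
        raise SystemExit("request refused")
    os.execv(argv[0], argv)              # no shell, so no metacharacter expansion


if __name__ == "__main__":
    main()
```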

NOTES
       Dropbear only supports SSH protocol version 2.

AUTHOR
       Matt Johnston (matt@ucc.asn.au).
       Gerrit Pape (pape@smarden.org) wrote this manual page.

SEE ALSO
       dropbearkey(1), dbclient(1), dropbearconvert(1)

       https://matt.ucc.asn.au/dropbear/dropbear.html

                                                               dropbear(8)