dropbear(8) System Manager's Manual dropbear(8)

dropbear - lightweight SSH server

dropbear [flag arguments] [-b banner] [-r hostkeyfile] [-p [address:]port]

dropbear is a small SSH server

-b banner
    bannerfile. Display the contents of the file banner before user
    login (default: none).

-r hostkey
    Use the contents of the file hostkey for the SSH hostkey. This
    file is generated with dropbearkey(1) or automatically with the
    '-R' option. See "Host Key Files" below.

-R  Generate hostkeys automatically. See "Host Key Files" below.

-F  Don't fork into background.

-E  Log to standard error rather than syslog.

-m  Don't display the message of the day on login.

-w  Disallow root logins.

-s  Disable password logins.

-g  Disable password logins for root.

-j  Disable local port forwarding.

-k  Disable remote port forwarding.

-p [address:]port
    Listen on specified address and TCP port. If just a port is
    given listen on all addresses. Up to 10 can be specified
    (default 22 if none specified).

-i  Service program mode. Use this option to run dropbear under
    TCP/IP servers like inetd, tcpsvd, or tcpserver. In program
    mode the -F option is implied, and -p options are ignored.

-P pidfile
    Specify a pidfile to create when running as a daemon. If not
    specified, the default is /var/run/dropbear.pid

-a  Allow remote hosts to connect to forwarded ports.

-W windowsize
    Specify the per-channel receive window buffer size. Increasing
    this may improve network performance at the expense of memory
    use. Use -h to see the default buffer size.

-K timeout_seconds
    Ensure that traffic is transmitted at a certain interval in
    seconds. This is useful for working around firewalls or routers
    that drop connections after a certain period of inactivity. The
    trade-off is that a session may be closed if there is a
    temporary lapse of network connectivity. A setting of 0 disables
    keepalives. If no response is received for 3 consecutive
    keepalives the connection will be closed.

-I idle_timeout
    Disconnect the session if no traffic is transmitted or received
    for idle_timeout seconds.

-T max_authentication_attempts
    Set the number of authentication attempts allowed per
    connection. If unspecified the default is 10 (MAX_AUTH_TRIES)

-c forced_command
    Disregard the command provided by the user and always run
    forced_command. This also overrides any authorized_keys command=
    option.

-V  Print the version

Authorized Keys

~/.ssh/authorized_keys can be set up to allow remote login with
an RSA, ECDSA, or DSS key. Each line is of the form

[restrictions] ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIgAsp... [comment]

and can be extracted from a Dropbear private host key with
"dropbearkey -y". This is the same format as used by OpenSSH,
though the restrictions are a subset (keys with unknown
restrictions are ignored). Restrictions are comma separated, with
double quotes around spaces in arguments. Available restrictions
are:

no-port-forwarding
    Don't allow port forwarding for this connection

no-agent-forwarding
    Don't allow agent forwarding for this connection

no-X11-forwarding
    Don't allow X11 forwarding for this connection

no-pty
    Disable PTY allocation. Note that a user can still obtain most
    of the same functionality with other means even if no-pty is
    set.

command="forced_command"
    Disregard the command provided by the user and always run
    forced_command. The -c command line option overrides this.

The authorized_keys file and its containing ~/.ssh directory
must only be writable by the user, otherwise Dropbear will not
allow a login using public key authentication.
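
Added example (not from the Dropbear project or this manual page): a Python check that classifies authorized_keys lines against the restriction list above, since a key carrying a restriction that is not listed is ignored, and that tests the write-permission rule. The function names, the sample lines and the exact-spelling match are assumptions of this example.

```python
import os
import stat

# Restrictions this page lists; per the page, a key carrying any other one is ignored.
# Assumption: names are matched exactly as spelled on the page.
SUPPORTED = {"no-port-forwarding", "no-agent-forwarding",
             "no-X11-forwarding", "no-pty", "command"}
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ecdsa-sha2-")  # RSA, DSS, ECDSA

def split_restrictions(field):
    """Split on commas that sit outside double quotes."""
    parts, cur, quoted = [], "", False
    for ch in field:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    return parts + [cur]

def audit_line(line):
    """Return (status, restriction_names) for one authorized_keys line."""
    line = line.strip()
    if not line:
        return ("blank", [])
    if line.startswith(KEY_TYPES):
        return ("accepted", [])          # no restrictions field
    quoted, end = False, len(line)
    for i, ch in enumerate(line):        # field ends at first unquoted space
        if ch == '"':
            quoted = not quoted
        elif ch in " \t" and not quoted:
            end = i
            break
    names = [r.split("=", 1)[0] for r in split_restrictions(line[:end])]
    unknown = [n for n in names if n not in SUPPORTED]
    return ("ignored" if unknown else "accepted", names)

def loosely_writable(path):
    """True if group or other can write; the page says pubkey login is then refused."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

# Constructed sample; the key blob is the truncated placeholder from the page.
SAMPLE = [
    'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIgAsp... plain',
    'no-pty,command="backup --dest /srv/a,b" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIgAsp... backup',
    'no-port-forwarding,from="192.0.2.*" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIgAsp... ops',
]
```

The third sample line uses from=, which is not in the list above, so the check reports that key as ignored. loosely_writable looks only at mode bits and should be run on both ~/.ssh and the authorized_keys file.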

Host Key Files

Host key files are read at startup from a standard location, by
default /etc/dropbear/dropbear_dss_host_key,
/etc/dropbear/dropbear_rsa_host_key, and
/etc/dropbear/dropbear_ecdsa_host_key

If the -r command line option is specified the default files are
not loaded. Host key files are of the form generated by
dropbearkey. The -R option can be used to automatically generate
keys in the default location - keys will be generated after
startup when the first connection is established. This has the
benefit that the system /dev/urandom random number source has a
better chance of being securely seeded.

Message Of The Day

By default the file /etc/motd will be printed for any login
shell (unless disabled at compile-time). This can also be
disabled per-user by creating a file ~/.hushlogin.

Dropbear sets the standard variables USER, LOGNAME, HOME, SHELL, PATH,
and TERM.

The variables below are set for sessions as appropriate.

SSH_TTY
    This is set to the allocated TTY if a PTY was used.

SSH_CONNECTION
    Contains "<remote_ip> <remote_port> <local_ip> <local_port>".

DISPLAY
    Set if X11 forwarding is used.

SSH_ORIGINAL_COMMAND
    If a 'command=' authorized_keys option was used, the original
    command is specified in this variable. If a shell was requested
    this is set to an empty value.

SSH_AUTH_SOCK
    Set to a forwarded ssh-agent connection.

Dropbear only supports SSH protocol version 2.

Matt Johnston (matt@ucc.asn.au).
Gerrit Pape (pape@smarden.org) wrote this manual page.

dropbearkey(1), dbclient(1), dropbearconvert(1)

https://matt.ucc.asn.au/dropbear/dropbear.html