dropbear(8) System Manager's Manual dropbear(8)

dropbear - lightweight SSH server

dropbear [flag arguments] [-b banner] [-r hostkeyfile] [-p [address:]port]

dropbear is a small SSH server

-b banner
Display the contents of the file banner before user
login (default: none).

-r hostkey
Use the contents of the file hostkey for the SSH hostkey. This
file is generated with dropbearkey(1) or automatically with the
'-R' option. See "Host Key Files" below.

-R Generate hostkeys automatically. See "Host Key Files" below.

-F Don't fork into background.

-E Log to standard error rather than syslog.

-m Don't display the message of the day on login.

-w Disallow root logins.

-s Disable password logins.

-g Disable password logins for root.

-j Disable local port forwarding.

-k Disable remote port forwarding.

-p [address:]port
Listen on specified address and TCP port. If just a port is
given listen on all addresses. Up to 10 can be specified
(default 22 if none specified).

-i Service program mode. Use this option to run dropbear under
TCP/IP servers like inetd, tcpsvd, or tcpserver. In program
mode the -F option is implied, and -p options are ignored.

-P pidfile
Specify a pidfile to create when running as a daemon. If not
specified, the default is /var/run/dropbear.pid

-a Allow remote hosts to connect to forwarded ports.

-W windowsize
Specify the per-channel receive window buffer size. Increasing
this may improve network performance at the expense of memory
use. Use -h to see the default buffer size.

-K timeout_seconds
Ensure that traffic is transmitted at a certain interval in seconds.
This is useful for working around firewalls or routers
that drop connections after a certain period of inactivity. The
trade-off is that a session may be closed if there is a temporary
lapse of network connectivity. A setting of 0 disables
keepalives. If no response is received for 3 consecutive
keepalives the connection will be closed.

-I idle_timeout
Disconnect the session if no traffic is transmitted or received
for idle_timeout seconds.

-T max_authentication_attempts
Set the number of authentication attempts allowed per connection.
If unspecified the default is 10 (MAX_AUTH_TRIES).

-c forced_command
Disregard the command provided by the user and always run
forced_command. This also overrides any authorized_keys command=
option.

-V Print the version

Authorized Keys

~/.ssh/authorized_keys can be set up to allow remote login with
an RSA, ECDSA, Ed25519 or DSS key. Each line is of the form

[restrictions] ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIgAsp... [comment]

and can be extracted from a Dropbear private host key with
"dropbearkey -y". This is the same format as used by OpenSSH,
though the restrictions are a subset (keys with unknown restrictions
are ignored). Restrictions are comma separated, with double
quotes around spaces in arguments. Available restrictions
are:

no-port-forwarding
Don't allow port forwarding for this connection

no-agent-forwarding
Don't allow agent forwarding for this connection

no-X11-forwarding
Don't allow X11 forwarding for this connection

no-pty Disable PTY allocation. Note that a user can still obtain most
of the same functionality with other means even if no-pty is
set.

command="forced_command"
Disregard the command provided by the user and always run
forced_command. The -c command line option overrides this.

The authorized_keys file and its containing ~/.ssh directory
must only be writable by the user, otherwise Dropbear will not
allow a login using public key authentication.
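
The two failure modes described above (a key line silently ignored because of an unknown restriction, and public key login refused because of write permissions) can be checked before deployment. The following is an added example, not part of the Dropbear manual or source: the function names are hypothetical, the supported set is only the list given on this page, and comparing names case-insensitively and not handling backslash escapes are simplifications of this example.

```python
import os

# Restrictions this man page lists; a key with any other restriction is ignored.
SUPPORTED = {"no-port-forwarding", "no-agent-forwarding",
             "no-x11-forwarding", "no-pty", "command"}
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")  # last is a prefix
# Constructed sample lines; the key blobs are placeholders, not real keys.
SAMPLE = [
    'no-pty,command="backup --dir /srv" ssh-ed25519 AAAAEXAMPLEKEY backup@host',
    'no-pty,from="10.0.0.5" ssh-rsa AAAAEXAMPLEKEY ops@host',
]

def split_restrictions(line):
    """Split one line into (lower-cased restriction names, remainder)."""
    if line.startswith(KEY_TYPES):
        return [], line
    names, start, quoted = [], 0, False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted          # commas/spaces inside quotes are data
        elif ch in ", " and not quoted:
            names.append(line[start:i].split("=", 1)[0].lower())
            start = i + 1
            if ch == " ":
                return names, line[start:]
    return names, ""                     # no key material found

def audit_line(line):
    """Return findings for one authorized_keys line (empty list = fine)."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    names, rest = split_restrictions(line)
    findings = [f"unknown restriction '{n}': key is ignored"
                for n in names if n not in SUPPORTED]
    if not rest.startswith(KEY_TYPES):
        findings.append("no recognised key type after restrictions")
    return findings

def audit_file(path):
    """Check write bits on the file and its directory, then audit each line."""
    findings = []
    for p in (os.path.dirname(os.path.abspath(path)), path):
        if os.stat(p).st_mode & 0o022:   # group or other may write
            findings.append(f"{p}: writable by group/other, public key login refused")
    with open(path) as fh:
        for n, line in enumerate(fh, 1):
            findings += [f"line {n}: {f}" for f in audit_line(line)]
    return findings
```

Running audit_file on a user's ~/.ssh/authorized_keys returns an empty list when every line uses only the restrictions listed here and neither the file nor its directory is group- or other-writable.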

Host Key Files

Host key files are read at startup from a standard location, by
default /etc/dropbear/dropbear_dss_host_key,
/etc/dropbear/dropbear_rsa_host_key, /etc/dropbear/dropbear_ecdsa_host_key and
/etc/dropbear/dropbear_ed25519_host_key

If the -r command line option is specified the default files are
not loaded. Host key files are of the form generated by dropbearkey.
The -R option can be used to automatically generate
keys in the default location - keys will be generated after
startup when the first connection is established. This has the
benefit that the system /dev/urandom random number source has a
better chance of being securely seeded.

Message Of The Day

By default the file /etc/motd will be printed for any login
shell (unless disabled at compile-time). This can also be disabled
per-user by creating a file ~/.hushlogin.

Dropbear sets the standard variables USER, LOGNAME, HOME, SHELL, PATH,
and TERM.

The variables below are set for sessions as appropriate.

SSH_TTY
This is set to the allocated TTY if a PTY was used.

SSH_CONNECTION
Contains "<remote_ip> <remote_port> <local_ip> <local_port>".

DISPLAY
Set if X11 forwarding is used.

SSH_ORIGINAL_COMMAND
If a 'command=' authorized_keys option was used, the original
command is specified in this variable. If a shell was requested
this is set to an empty value.

SSH_AUTH_SOCK
Set to a forwarded ssh-agent connection.

Dropbear only supports SSH protocol version 2.

Matt Johnston (matt@ucc.asn.au).
Gerrit Pape (pape@smarden.org) wrote this manual page.

dropbearkey(1), dbclient(1), dropbearconvert(1)

https://matt.ucc.asn.au/dropbear/dropbear.html