
dropbear - Man Page

lightweight SSH server


dropbear [flag arguments] [-b banner] [-r hostkeyfile] [-p [address:]port]


dropbear is a small SSH server


-b banner

bannerfile. Display the contents of the file banner before user login (default: none).

-r hostkey

Use the contents of the file hostkey for the SSH hostkey. This file is generated with dropbearkey(1) or automatically with the '-R' option. See "Host Key Files" below.


-R

Generate hostkeys automatically. See "Host Key Files" below.


-F

Don't fork into background.


-E

Log to standard error rather than syslog.


-e

Pass on the server environment to all child processes. This is required, for example, if Dropbear is launched on the fly from a SLURM workload manager. The environment is not passed by default. Note that this could expose secrets in environment variables from the calling process - use with caution.


-m

Don't display the message of the day on login.


-w

Disallow root logins.


-s

Disable password logins.


-g

Disable password logins for root.


-t

Enable two-factor authentication. Both password login and public key authentication are required. Should not be used with the '-s' option.


-j

Disable local port forwarding. This includes unix stream forwards.


-k

Disable remote port forwarding.

-p [address:]port

Listen on the specified address and TCP port. If just a port is given, listen on all addresses. Up to 10 can be specified (default 22 if none specified).

-l interface

Listen on the specified interface.


-i

Service program mode. Use this option to run dropbear under TCP/IP servers like inetd, tcpsvd, or tcpserver. In program mode the -F option is implied, and -p options are ignored.

-P pidfile

Specify a pidfile to create when running as a daemon. If not specified, the default is /var/run/dropbear.pid.


-a

Allow remote hosts to connect to forwarded ports.

-W windowsize

Specify the per-channel receive window buffer size. Increasing this may improve network performance at the expense of memory use. Use -h to see the default buffer size.

-K timeout_seconds

Ensure that traffic is transmitted at a certain interval in seconds. This is useful for working around firewalls or routers that drop connections after a certain period of inactivity. The trade-off is that a session may be closed if there is a temporary lapse of network connectivity. A setting of 0 disables keepalives. If no response is received for 3 consecutive keepalives the connection will be closed.

-I idle_timeout

Disconnect the session if no traffic is transmitted or received for idle_timeout seconds.


-z

By default Dropbear will send network traffic with the AF21 setting for QoS, letting network devices give it higher priority. Some devices may have problems with that; -z can be used to disable it.

-T max_authentication_attempts

Set the number of authentication attempts allowed per connection. If unspecified the default is 10 (MAX_AUTH_TRIES).

-c forced_command

Disregard the command provided by the user and always run forced_command. This also overrides any authorized_keys command= option. The original command is saved in the SSH_ORIGINAL_COMMAND environment variable (see below).


-V

Print the version.


Authorized Keys

~/.ssh/authorized_keys can be set up to allow remote login with an RSA, ECDSA, Ed25519 or DSS key. Each line is of the form

[restrictions] ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIgAsp... [comment]

and can be extracted from a Dropbear private host key with "dropbearkey -y". This is the same format as used by OpenSSH, though the restrictions are a subset (keys with unknown restrictions are ignored). Restrictions are comma separated, with double quotes around spaces in arguments. Available restrictions are:


no-port-forwarding

Don't allow port forwarding for this connection, including unix streams.


no-agent-forwarding

Don't allow agent forwarding for this connection.


no-X11-forwarding

Don't allow X11 forwarding for this connection.


no-pty

Disable PTY allocation. Note that a user can still obtain most of the same functionality with other means even if no-pty is set.


restrict

Applies all the no- restrictions listed above.


permitopen="host:port"

Restrict local port forwarding so that connection is allowed only to the specified host and port. Multiple permitopen options separated by commas can be set in authorized_keys. The wildcard character ('*') may be used in the port specification to match any port. Hosts must be literal domain names or IP addresses.


command="forced_command"

Disregard the command provided by the user and always run forced_command. The -c command line option overrides this.

The authorized_keys file and its containing ~/.ssh directory must only be writable by the user, otherwise Dropbear will not allow a login using public key authentication.
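An added example, not part of the Dropbear documentation or source: a small linter for an authorized_keys file that applies the two rules above, reporting keys whose restrictions Dropbear does not recognise (such keys are ignored) and checking that the file and its directory carry no group or other write bits. The function names, sample lines and placeholder key blobs are constructed for illustration, and the key-type prefixes are the standard SSH names for the key types listed above.

```python
import os

# Restriction names documented for Dropbear authorized_keys, lower-cased
# (case-insensitive matching is an assumption of this example).
KNOWN = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding",
         "no-pty", "restrict", "permitopen", "command"}
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")

def split_unquoted(text, seps):
    """Split on separator characters that sit outside double quotes."""
    parts, quoted, prev = [""], False, ""
    for ch in text:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch in seps and not quoted:
            parts.append("")
        else:
            parts[-1] += ch
        prev = ch
    return [p for p in parts if p]

def lint_line(line):
    """Return the findings for one authorized_keys line."""
    fields = split_unquoted(line.strip(), " \t")
    if not fields or fields[0].startswith("#"):
        return []
    if fields[0].startswith(KEY_TYPES):
        return ["key has no restrictions"]
    if len(fields) < 3 or not fields[1].startswith(KEY_TYPES):
        return ["unparseable line"]
    names = [o.split("=", 1)[0].lower() for o in split_unquoted(fields[0], ",")]
    return [f"unknown restriction {n!r}: key is ignored" for n in names if n not in KNOWN]

def lint(text):
    """Map line number to findings, for lines that have any."""
    found = {n: lint_line(l) for n, l in enumerate(text.splitlines(), 1)}
    return {n: f for n, f in found.items() if f}

def writable_by_others(path):
    """True if the file or its directory has group/other write bits set."""
    targets = (path, os.path.dirname(os.path.abspath(path)))
    return any(os.stat(t).st_mode & 0o022 for t in targets)

# Constructed sample; the key blobs are placeholders, not real keys.
SAMPLE = """\
ssh-ed25519 AAAAC3PLACEHOLDER admin@example
no-pty,command="/usr/bin/backup --mode full",permitopen="127.0.0.1:*" ssh-rsa AAAAB3PLACEHOLDER backup
expiry-time="20300101",no-pty ssh-rsa AAAAB3PLACEHOLDER ci@example
"""

if __name__ == "__main__":
    print(lint(SAMPLE))
```

The permission check looks only at mode bits; file ownership is not examined.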

Host Key Files

Host key files are read at startup from a standard location, by default /etc/dropbear/dropbear_dss_host_key, /etc/dropbear/dropbear_rsa_host_key, /etc/dropbear/dropbear_ecdsa_host_key and /etc/dropbear/dropbear_ed25519_host_key.

If the -r command line option is specified the default files are not loaded. Host key files are of the form generated by dropbearkey. The -R option can be used to automatically generate keys in the default location - keys will be generated after startup when the first connection is established. This has the benefit that the system /dev/urandom random number source has a better chance of being securely seeded.

Message Of The Day

By default the file /etc/motd will be printed for any login shell (unless disabled at compile-time). This can also be disabled per-user by creating a file ~/.hushlogin.

Environment Variables

Dropbear sets the standard variables USER, LOGNAME, HOME, SHELL, PATH, and TERM.

The variables below are set for sessions as appropriate.


SSH_TTY

This is set to the allocated TTY if a PTY was used.


SSH_CONNECTION

Contains "<remote_ip> <remote_port> <local_ip> <local_port>".


DISPLAY

Set if X11 forwarding is used.


SSH_ORIGINAL_COMMAND

If a 'command=' authorized_keys option was used, the original command is specified in this variable. If a shell was requested this is set to an empty value.


SSH_AUTH_SOCK

Set to a forwarded ssh-agent connection.


Dropbear only supports SSH protocol version 2.


Matt Johnston (matt@ucc.asn.au).
Gerrit Pape (pape@smarden.org) wrote this manual page.

See Also

dropbearkey(1), dbclient(1), dropbearconvert(1)


Referenced By

dbclient(1), dropbearkey(1).