dropbear man page

dropbear — lightweight SSH server

Synopsis

dropbear [flag arguments] [-b banner] [-r hostkeyfile] [-p [address:]port]

Description

dropbear is a small SSH server

Options

-b banner

bannerfile. Display the contents of the file banner before user login (default: none).

-r hostkey

Use the contents of the file hostkey for the SSH hostkey. This file is generated with dropbearkey(1) or automatically with the '-R' option. See "Host Key Files" below.

-R

Generate hostkeys automatically. See "Host Key Files" below.

-F

Don't fork into background.

-E

Log to standard error rather than syslog.

-m

Don't display the message of the day on login.

-w

Disallow root logins.

-s

Disable password logins.

-g

Disable password logins for root.

-j

Disable local port forwarding.

-k

Disable remote port forwarding.

-p [address:]port

Listen on specified address and TCP port. If just a port is given listen on all addresses. up to 10 can be specified (default 22 if none specified).

-i

Service program mode. Use this option to run dropbear under TCP/IP servers like inetd, tcpsvd, or tcpserver. In program mode the -F option is implied, and -p options are ignored.

-P pidfile

Specify a pidfile to create when running as a daemon. If not specified, the  default is /var/run/dropbear.pid

-a

Allow remote hosts to connect to forwarded ports.

-W windowsize

Specify the per-channel receive window buffer size. Increasing this  may improve network performance at the expense of memory use. Use -h to see the default buffer size.

-K timeout_seconds

Ensure that traffic is transmitted at a certain interval in seconds. This is useful for working around firewalls or routers that drop connections after a certain period of inactivity. The trade-off is that a session may be closed if there is a temporary lapse of network connectivity. A setting if 0 disables keepalives. If no response is received for 3 consecutive keepalives the connection will be closed.

-I idle_timeout

Disconnect the session if no traffic is transmitted or received for idle_timeout seconds.

-V

Print the version

Files

Authorized Keys

~/.ssh/authorized_keys can be set up to allow remote login with a RSA, ECDSA, or DSS key. Each line is of the form

[restrictions] ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIgAsp... [comment]

and can be extracted from a Dropbear private host key with "dropbearkey -y". This is the same format as used by OpenSSH, though the restrictions are a subset (keys with unknown restrictions are ignored). Restrictions are comma separated, with double quotes around spaces in arguments. Available restrictions are:

no-port-forwarding

Don't allow port forwarding for this connection

no-agent-forwarding

Don't allow agent forwarding for this connection

no-X11-forwarding

Don't allow X11 forwarding for this connection

no-pty

Disable PTY allocation. Note that a user can still obtain most of the same functionality with other means even if no-pty is set.

command="forced_command"

Disregard the command provided by the user and always run forced_command.

The authorized_keys file and its containing ~/.ssh directory must only be writable by the user, otherwise Dropbear will not allow a login using public key authentication.

Host Key Files

Host key files are read at startup from a standard location, by default /etc/dropbear/dropbear_dss_host_key, /etc/dropbear/dropbear_rsa_host_key, and  /etc/dropbear/dropbear_ecdsa_host_key or specified on the commandline with -r. These are of the form generated by dropbearkey. The -R option can be used to automatically generate keys in the default location - keys will be generated after startup when the first connection is established. This had the benefit that the system /dev/urandom random number source has a better chance of being securely seeded.

Message Of The Day

By default the file /etc/motd will be printed for any login shell (unless  disabled at compile-time). This can also be disabled per-user by creating a file ~/.hushlogin .

Environment Variables

Dropbear sets the standard variables USER, LOGNAME, HOME, SHELL, PATH, and TERM.

The variables below are set for sessions as appropriate.

SSH_TTY

This is set to the allocated TTY if a PTY was used.

SSH_CONNECTION

Contains "<remote_ip> <remote_port> <local_ip> <local_port>".

DISPLAY

Set X11 forwarding is used.

SSH_ORIGINAL_COMMAND

If a 'command=' authorized_keys option was used, the original command is specified in this variable. If a shell was requested this is set to an empty value.

SSH_AUTH_SOCK

Set to a forwarded ssh-agent connection.

Notes

Dropbear only supports SSH protocol version 2.

Author

Matt Johnston (matt@ucc.asn.au).
Gerrit Pape (pape@smarden.org) wrote this manual page.

See Also

dropbearkey(1), dbclient(1), dropbearconvert(1)

https://matt.ucc.asn.au/dropbear/dropbear.html

Referenced By

dbclient(1), dropbearkey(1).