dropbear - lightweight SSH server
dropbear [flag arguments] [-b banner] [-r hostkeyfile] [-p [address:]port]
dropbear is a small SSH server
- -b banner
- Display the contents of the file banner to the client before user
login (default: none).
- -r hostkey
- Use the contents of the file hostkey for the SSH hostkey. This file
is generated with dropbearkey(1) or automatically with the '-R'
option. See "Host Key Files" below.
- -R
- Generate hostkeys automatically. See "Host Key Files"
below.
- -F
- Don't fork into background.
- -E
- Log to standard error rather than syslog.
- -e
- Pass on the server environment to all child processes. This is required,
for example, if Dropbear is launched on the fly from a SLURM workload
manager. The environment is not passed by default. Note that this could
expose secrets in environment variables from the calling process - use
with caution.
- -m
- Don't display the message of the day on login.
- -w
- Disallow root logins.
- -s
- Disable password logins.
- -g
- Disable password logins for root.
- -t
- Enable two-factor authentication. Both password login and public key
authentication are required. Should not be used with the '-s' option.
- -j
- Disable local port forwarding. This includes unix stream forwards.
- -k
- Disable remote port forwarding.
- -p [address:]port
- Listen on the specified address and TCP port. If just a port is
given, listen on all addresses. Up to 10 can be specified (default 22 if
none specified).
- -l interface
- Listen on the specified interface.
- -i
- Service program mode. Use this option to run dropbear under TCP/IP
servers like inetd, tcpsvd, or tcpserver. In program mode the -F option is
implied, and -p options are ignored.
- -P pidfile
- Specify a pidfile to create when running as a daemon. If not specified,
the default is /var/run/dropbear.pid
- -a
- Allow remote hosts to connect to forwarded ports.
- -W windowsize
- Specify the per-channel receive window buffer size. Increasing this may
improve network performance at the expense of memory use. Use -h to see
the default buffer size.
- -K timeout_seconds
- Ensure that traffic is transmitted at a certain interval in seconds. This
is useful for working around firewalls or routers that drop connections
after a certain period of inactivity. The trade-off is that a session may
be closed if there is a temporary lapse of network connectivity. A setting
of 0 disables keepalives. If no response is received for 3 consecutive
keepalives the connection will be closed.
- -I idle_timeout
- Disconnect the session if no traffic is transmitted or received for
idle_timeout seconds.
- -z
- By default Dropbear sends network traffic with the AF21 DSCP marking
for QoS, letting network devices give it higher priority. Some devices
have problems with that; -z disables the marking.
- -T max_authentication_attempts
- Set the number of authentication attempts allowed per connection. If
unspecified the default is 10 (MAX_AUTH_TRIES).
- -c forced_command
- Disregard the command provided by the user and always run
forced_command. This also overrides any authorized_keys command=
option. The original command is saved in the SSH_ORIGINAL_COMMAND
environment variable (see below).
- -V
- Print the version
- Authorized Keys
-
~/.ssh/authorized_keys can be set up to allow remote login
with an RSA, ECDSA, Ed25519 or DSS key. Each line is of the form
- [restrictions] ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIgAsp... [comment]
-
The public key part can be produced from a Dropbear-format private key
with "dropbearkey -y". This is the same format as used by OpenSSH,
though the supported restrictions are a subset (keys with unknown
restrictions are ignored). Restrictions are comma separated, with double
quotes around arguments that contain spaces. Available restrictions are:
- no-port-forwarding
- Don't allow port forwarding for this connection, including unix streams.
- no-agent-forwarding
- Don't allow agent forwarding for this connection
- no-X11-forwarding
- Don't allow X11 forwarding for this connection
- no-pty
- Disable PTY allocation. Note that a user can still obtain most of the same
functionality with other means even if no-pty is set.
- restrict
- Applies all the no- restrictions listed above.
- permitopen="host:port"
- Restrict local port forwarding so that connections are allowed only to the
specified host and port. Multiple permitopen options, separated by commas,
can be set in authorized_keys. The wildcard character ('*') may be used in
the port specification to match any port. Hosts must be literal domain
names or IP addresses.
- command="forced_command"
- Disregard the command provided by the user and always run
forced_command. The -c command line option overrides this.
The authorized_keys file and its containing ~/.ssh directory
must only be writable by the user, otherwise Dropbear will not allow a
login using public key authentication.
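The following is an added example, not code from the Dropbear project or its manual. It writes an authorized_keys entry that confines a backup key to one forced command and one forwarding target, then applies the ownership rule above: the ~/.ssh directory and authorized_keys must not be writable by anyone but the owner, or Dropbear refuses public key login. The key material, the forwarding target, the command path and the comment are made-up placeholders. `restrict` is deliberately not used, because it includes no-port-forwarding, which would block the forwarding that permitopen is meant to allow.

```shell
#!/bin/sh
# Added example (not part of dropbear or its manual): build a restricted
# authorized_keys entry and check the file permissions dropbear requires.

# Build one authorized_keys line. Arguments:
#   $1 = public key ("ssh-ed25519 AAAA...")   $2 = host:port the key may
#   forward to   $3 = forced command   $4 = comment
# The no-* options deny agent/X11 forwarding and PTY allocation, permitopen
# limits local forwarding to one target, and command= replaces whatever the
# client asked to run. The command contains a space, so it is double-quoted
# as the manual requires.
restricted_entry() {
    printf 'no-agent-forwarding,no-X11-forwarding,no-pty,permitopen="%s",command="%s" %s %s\n' \
        "$2" "$3" "$1" "$4"
}

# Check the rule from dropbear(8): ~/.ssh and authorized_keys must not be
# writable by anyone but the owner. $1 = path of the .ssh directory.
# Columns 5-10 of `ls -l` are the group and other permission bits; this
# works on both GNU and BSD userlands.
authkeys_perms_ok() {
    for p in "$1" "$1/authorized_keys"; do
        [ -e "$p" ] || return 1
        case "$(ls -ld "$p" | cut -c5-10)" in
            *w*) echo "group/world writable: $p" >&2; return 1 ;;
        esac
    done
    return 0
}

# Constructed sample key (not a real key). Deploy it into the given .ssh
# directory with the permissions dropbear expects, then verify them.
SAMPLE_PUB="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample0000000000000000000000000000000"
install_backup_key() {
    sshdir=$1
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    restricted_entry "$SAMPLE_PUB" "10.0.0.5:5432" \
        "/usr/local/bin/backup-run --quiet" "backup@host" >> "$sshdir/authorized_keys"
    chmod 600 "$sshdir/authorized_keys"
    authkeys_perms_ok "$sshdir"
}

# Usage: install_backup_key "$HOME/.ssh"
```

If `authkeys_perms_ok` fails after a deployment tool or a careless `chmod -R g+w` has touched the home directory, that is the same condition under which Dropbear silently rejects the key, so running the check from provisioning scripts saves a confusing debugging session later.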
- Host Key Files
-
Host key files are read at startup from a standard location,
by default /etc/dropbear/dropbear_dss_host_key,
/etc/dropbear/dropbear_rsa_host_key,
/etc/dropbear/dropbear_ecdsa_host_key and
/etc/dropbear/dropbear_ed25519_host_key.
If the -r command line option is specified the default files
are not loaded. Host key files are of the form generated by dropbearkey.
The -R option can be used to automatically generate keys in the default
location; keys will be generated after startup, when the first
connection is established. This has the benefit that the system
/dev/urandom random number source has a better chance of being securely
seeded.
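The following is an added example, not code from the Dropbear project or its manual. It assembles a hardened command line from the options described above for use under a process supervisor (-F -E), refusing root and password logins (-w -s), disabling both forwarding directions (-j -k) and bounding authentication attempts, idle time and dead-peer detection (-T, -I, -K). It also shows the -r/-R choice from this section: an existing host key file is used with -r only if it is readable by its owner alone; if no file exists yet, -R lets Dropbear generate the default keys at the first connection. The key path, listen address and timeout values are assumptions for illustration; note that -R creates the default files, so a non-default path passed to the function would not be created by it.

```shell
#!/bin/sh
# Added example (not part of dropbear or its manual): build a hardened
# dropbear argument list and pick -r or -R depending on key file state.

# Return 0 if the file exists and has no group/other permission bits.
# Columns 5-10 of `ls -l` are the group and other bits; this works on
# both GNU and BSD userlands.
key_is_private() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c5-10)
    case "$mode" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Print the argument list for dropbear. Arguments:
#   $1 = host key file path, $2 = [address:]port to listen on
# Options chosen (all from dropbear(8)):
#   -F -E   foreground, log to stderr (runit, s6, systemd)
#   -w -s   refuse root logins and password logins (keys only)
#   -j -k   no local or remote port forwarding
#   -T 3    at most 3 authentication attempts per connection
#   -I 600  drop sessions idle for 10 minutes
#   -K 60   keepalive every 60 s; 3 missed replies close the session
build_dropbear_args() {
    keyfile=$1
    listen=$2
    if key_is_private "$keyfile"; then
        keyopt="-r $keyfile"
    elif [ -e "$keyfile" ]; then
        # A host key readable by group or others is a credential leak;
        # refuse to start rather than serve with it.
        echo "refusing: $keyfile is not mode 0600" >&2
        return 1
    else
        # No key yet: generate the default keys on the first connection,
        # when /dev/urandom is more likely to be securely seeded.
        keyopt="-R"
    fi
    echo "-F -E -w -s -j -k -T 3 -I 600 -K 60 -p $listen $keyopt"
}

# Usage (word-splitting the output is fine for paths without spaces):
#   exec dropbear $(build_dropbear_args /etc/dropbear/dropbear_ed25519_host_key 192.0.2.10:2222)
```

The refusal branch matters more than it looks: -r replaces the default key set, so a daemon started with a world-readable key file is exactly the case where an unprivileged local user could impersonate the server to other clients.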
- Message Of The Day
-
By default the file /etc/motd will be printed for any login
shell (unless disabled at compile-time). This can also be disabled
per-user by creating a file ~/.hushlogin .
- Environment
-
Dropbear sets the standard variables USER, LOGNAME, HOME, SHELL,
PATH, and TERM.
The variables below are set for sessions as appropriate.
- SSH_TTY
- This is set to the allocated TTY if a PTY was used.
- SSH_CONNECTION
- Contains "<remote_ip> <remote_port> <local_ip> <local_port>".
- DISPLAY
- Set if X11 forwarding is used.
- SSH_ORIGINAL_COMMAND
- If a 'command=' authorized_keys option was used, the original command is
specified in this variable. If a shell was requested this is set to an
empty value.
- SSH_AUTH_SOCK
- Set to a forwarded ssh-agent connection.
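The following is an added example, not code from the Dropbear project or its manual. It is a forced-command wrapper of the kind installed with the -c option or an authorized_keys command= option: it reads the client's original request from SSH_ORIGINAL_COMMAND, maps it against a fixed allowlist, logs the peer from SSH_CONNECTION, and refuses everything else, including the empty value that means the client asked for an interactive shell. The command names, the backup directory and the script's install name are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not part of dropbear or its manual): allowlisting
# forced-command wrapper driven by SSH_ORIGINAL_COMMAND.

# Classify the request. Prints the action to run and returns 0, or
# returns 1 for anything not on the allowlist. Matching is exact, so
# "status; sh" or "status && id" cannot slip through, and an empty
# request (a shell was asked for) is refused.
classify_original_command() {
    case "$1" in
        "")              return 1 ;;
        status)          echo uptime ;;
        "backup --list") echo list_backups ;;
        *)               return 1 ;;
    esac
}

# Log the peer (from SSH_CONNECTION: remote_ip remote_port local_ip
# local_port) and what was requested.
log_request() {
    printf '%s [%s] %s\n' "$(date -u +%FT%TZ)" \
        "${SSH_CONNECTION:-no-connection-info}" "$1"
}

# Allowed action: list the backup directory (assumed path).
list_backups() { ls -1 /var/backups 2>/dev/null; }

main() {
    req=${SSH_ORIGINAL_COMMAND-}
    if action=$(classify_original_command "$req"); then
        log_request "allowed: $req" >&2
        "$action"
    else
        log_request "denied: $req" >&2
        echo "command not permitted" >&2
        exit 127
    fi
}

# Dispatch only when installed as the forced command, e.g.
#   dropbear -c /usr/local/bin/forced-command ...
# or  command="/usr/local/bin/forced-command" in authorized_keys.
if [ "$(basename "$0")" = "forced-command" ]; then
    main
fi
```

Because -c overrides any authorized_keys command= option, a server-wide wrapper like this applies to every key; a per-key command= is the right place when different keys need different allowlists.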
- Notes
-
Dropbear only supports SSH protocol version 2.
- Author
-
Matt Johnston (matt@ucc.asn.au).
Gerrit Pape (pape@smarden.org) wrote this manual page.
- See Also
-
dropbearkey(1), dbclient(1), dropbearconvert(1)
https://matt.ucc.asn.au/dropbear/dropbear.html