dropbear - lightweight SSH2 server
dropbear [-FEmwsgjki] [-b banner] [-d dsskey] [-r rsakey] [-p port]
dropbear is an SSH 2 server designed to be small enough to be used in
small memory environments, while still being functional and secure
enough for general use.
-b banner
bannerfile. Display the contents of the file banner before user
login (default: none).
-d dsskey
dsskeyfile. Use the contents of the file dsskey for the DSS
host key (default: /etc/dropbear/dropbear_dss_host_key). Note
that some SSH implementations use the term "DSA" rather than
"DSS"; they mean the same thing. This file is generated with
-r rsakey
rsakeyfile. Use the contents of the file rsakey for the rsa
host key (default: /etc/dropbear/dropbear_rsa_host_key). This
file is generated with dropbearkey(8).
-F Don’t fork into background.
-E Log to standard error rather than syslog.
-m Don’t display the message of the day on login.
-w Disallow root logins.
-s Disable password logins.
-g Disable password logins for root.
-j Disable local port forwarding.
-k Disable remote port forwarding.
-p port
Listen on specified address and TCP port. If just a port is
given, listen on all addresses. Up to 10 can be specified
(default 22 if none specified).
-i Service program mode. Use this option to run dropbear under
TCP/IP servers like inetd, tcpsvd, or tcpserver. In program
mode the -F option is implied, and -p options are ignored.
Specify a pidfile to create when running as a daemon. If not
specified, the default is /var/run/dropbear.pid
-a Allow remote hosts to connect to forwarded ports.
Specify the per-channel receive window buffer size. Increasing
this may improve network performance at the expense of memory
use. Use -h to see the default buffer size.
Ensure that traffic is transmitted at a certain interval in
seconds. This is useful for working around firewalls or routers
that drop connections after a certain period of inactivity. The
trade-off is that a session may be closed if there is a
temporary lapse of network connectivity. A setting of 0 disables
Disconnect the session if no traffic is transmitted or received
for idle_timeout seconds.
~/.ssh/authorized_keys can be set up to allow remote login with
an RSA or DSS key. Each line is of the form
[restrictions] ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIgAsp... [comment]
and can be extracted from a Dropbear private host key with
"dropbearkey -y". This is the same format as used by OpenSSH,
though the restrictions are a subset (keys with unknown
restrictions are ignored). Restrictions are comma separated,
with double quotes around spaces in arguments. Available
Don’t allow port forwarding for this connection
Don’t allow agent forwarding for this connection
Don’t allow X11 forwarding for this connection
no-pty Disable PTY allocation. Note that a user can still obtain most
of the same functionality with other means even if no-pty is
Disregard the command provided by the user and always run
The authorized_keys file and its containing ~/.ssh directory
must only be writable by the user, otherwise Dropbear will not
allow a login using public key authentication.
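
The write-permission requirement above can be audited before a public key login is refused. The shell function below is an added example, not part of the Dropbear manual or source; the name check_pubkey_perms and its output labels are hypothetical, and reporting a different owner as a finding is this example's reading of "only writable by the user", not a statement about Dropbear's internal check.

```shell
#!/bin/sh
# Added example (not Dropbear code): audit the permissions that the
# authorized_keys section requires for public key authentication.
#
# Usage: check_pubkey_perms HOME_DIR [OWNER]
#   HOME_DIR  home directory that contains .ssh/authorized_keys
#   OWNER     user name or numeric uid expected to own the files
#             (default: the uid running the audit)
# Returns 0 when both paths are owned by OWNER and are not writable by
# group or others; otherwise prints one line per finding and returns 1.
check_pubkey_perms() {
    home=$1
    owner=${2:-$(id -u)}
    rc=0
    for path in "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"
            rc=1
            continue
        fi
        # A different owner can always change the mode and rewrite the
        # key list, so it counts as "writable by someone else" here.
        if [ -z "$(find "$path" -prune -user "$owner" -print)" ]; then
            echo "OWNER    $path is not owned by $owner"
            rc=1
        fi
        # -perm -020 matches when the group-write bit is set,
        # -perm -002 when the other-write bit is set.
        if [ -n "$(find "$path" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "WRITABLE $path is writable by group or others"
            rc=1
        fi
    done
    return $rc
}
```

A finding is cleared with chmod go-w on the reported path, after confirming that the keys listed in the file are the expected ones.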
Host Key Files
Host key files are read at startup from a standard location, by
default /etc/dropbear/dropbear_dss_host_key and
/etc/dropbear/dropbear_rsa_host_key or specified on the
command line with -d or -r. These are of the form generated by
Message Of The Day
By default the file /etc/motd will be printed for any login
shell (unless disabled at compile-time). This can also be
disabled per-user by creating a file ~/.hushlogin.
Matt Johnston (firstname.lastname@example.org).
Gerrit Pape (email@example.com) wrote this manual page.