

       dropbear - lightweight SSH2 server


       dropbear [-FEmwsgjki] [-b banner] [-d dsskey] [-r rsakey] [-p port]


       dropbear is an SSH 2 server designed to be small enough to be used in
       small memory environments, while still being functional and secure
       enough for general use.


       -b banner
              bannerfile.  Display the contents of the file banner before user
              login (default: none).

       -d dsskey
              dsskeyfile.  Use the contents of the file dsskey for the DSS
              host key (default: /etc/dropbear/dropbear_dss_host_key).  Note
              that some SSH implementations use the term "DSA" rather than
              "DSS"; they mean the same thing.  This file is generated with

       -r rsakey
              rsakeyfile.  Use the contents of the file  rsakey  for  the  RSA
              host  key  (default: /etc/dropbear/dropbear_rsa_host_key).  This
              file is generated with dropbearkey(8).

       -F     Don’t fork into background.

       -E     Log to standard error rather than syslog.

       -m     Don’t display the message of the day on login.

       -w     Disallow root logins.

       -s     Disable password logins.

       -g     Disable password logins for root.

       -j     Disable local port forwarding.

       -k     Disable remote port forwarding.

       -p [address:]port
              Listen on the specified address and TCP port.  If just a port is
              given, listen on all addresses.  Up to 10 can be specified
              (default 22 if none specified).

       -i     Service program mode.  Use this option  to  run  dropbear  under
              TCP/IP  servers  like  inetd,  tcpsvd, or tcpserver.  In program
              mode the -F option is implied, and -p options are ignored.

       -P pidfile
              Specify a pidfile to create when running as  a  daemon.  If  not
              specified, the default is /var/run/

       -a     Allow remote hosts to connect to forwarded ports.

       -W windowsize
              Specify  the  per-channel receive window buffer size. Increasing
              this may improve network performance at the  expense  of  memory
              use. Use -h to see the default buffer size.

       -K timeout_seconds
              Ensure  that  traffic  is  transmitted  at a certain interval in
              seconds. This is useful for working around firewalls or  routers
              that  drop connections after a certain period of inactivity. The
              trade-off is that  a  session  may  be  closed  if  there  is  a
              temporary lapse of network connectivity. A setting of 0 disables

       -I idle_timeout
              Disconnect the session if no traffic is transmitted or  received
              for idle_timeout seconds.


       Authorized Keys

              ~/.ssh/authorized_keys can be set up to allow remote login with
              an RSA or DSS key. Each line is of the form

       [restrictions] ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIgAsp... [comment]

              and can be extracted from  a  Dropbear  private  host  key  with
              "dropbearkey  -y".  This  is the same format as used by OpenSSH,
              though  the  restrictions  are  a  subset  (keys  with   unknown
              restrictions  are  ignored).   Restrictions are comma separated,
              with  double  quotes  around  spaces  in  arguments.   Available
              restrictions are:

              Don’t allow port forwarding for this connection

              Don’t allow agent forwarding for this connection

              Don’t allow X11 forwarding for this connection

       no-pty Disable  PTY  allocation. Note that a user can still obtain most
              of the same functionality with other means  even  if  no-pty  is

              Disregard  the  command  provided  by  the  user  and always run

              The authorized_keys file and  its  containing  ~/.ssh  directory
              must  only  be writable by the user, otherwise Dropbear will not
              allow a login using public key authentication.
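
The permission requirement above can be checked ahead of time. This is an added example, not part of the Dropbear manual or project: the function names and output format are its own, and the ownership check is this example's reading of "only be writable by the user".

```shell
#!/bin/sh
# Added example (not Dropbear code): audit ~/.ssh and authorized_keys
# against the rule that both must be writable only by the user.
# Usage: audit_authkeys HOME_DIR [NUMERIC_UID]; returns 0 if clean, 1 otherwise.

# Report and return 1 if $1 is missing, group- or other-writable,
# or not owned by the numeric uid in $2.
check_path() {
    p=$1
    uid=$2
    if [ ! -e "$p" ]; then
        echo "MISSING  $p"
        return 1
    fi
    # -prune keeps find from descending; -perm -020 and -perm -002 match
    # the group-write and other-write bits (POSIX find syntax).
    if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "WRITABLE $p (group or other has write permission)"
        return 1
    fi
    # Assumption of this example: "writable only by the user" also means
    # the user owns the path.
    if [ -n "$(find "$p" -prune ! -user "$uid")" ]; then
        echo "OWNER    $p (not owned by uid $uid)"
        return 1
    fi
    return 0
}

# Check both paths so every finding is reported in one pass.
audit_authkeys() {
    home=$1
    uid=${2:-$(id -u)}
    rc=0
    check_path "$home/.ssh" "$uid" || rc=1
    check_path "$home/.ssh/authorized_keys" "$uid" || rc=1
    return $rc
}
```

Call it as `audit_authkeys "$HOME"` for the current user, or pass another home directory and numeric uid when auditing accounts as root.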

       Host Key Files

              Host key files are read at startup from a standard location,  by
              default          /etc/dropbear/dropbear_dss_host_key         and
              /etc/dropbear/dropbear_rsa_host_key   or   specified   on    the
              commandline  with  -d  or -r. These are of the form generated by

       Message Of The Day

              By default the file /etc/motd will  be  printed  for  any  login
              shell  (unless  disabled  at  compile-time).  This  can  also be
              disabled per-user by creating a file ~/.hushlogin.


       Matt Johnston (
       Gerrit Pape ( wrote this manual page.


       dropbearkey(8), dbclient(1)