dbclient(1) General Commands Manual dbclient(1)
NAME
dbclient - lightweight SSH client
SYNOPSIS
dbclient [flag arguments] [-p port] [-i id] [-L l:h:p] [-R l:h:p] [-l user] host [more flags] [command]
dbclient [args] [user1]@host1[^port1],[user2]@host2[^port2],...
DESCRIPTION
dbclient is the client part of Dropbear SSH.
OPTIONS
command
A command to run on the remote host. This will normally be run by
the remote host using the user's shell. The command begins at the
first hyphen argument after the host argument. If no command is
specified an interactive terminal will be opened (see -t and -T).
-p port
Connect to port on the remote host. Alternatively a port can be
specified as hostname^port. Default is 22.
-i idfile
Identity file. Read the identity key from file idfile (multiple
allowed). This file is created with dropbearkey(1) or converted
from OpenSSH with dropbearconvert(1). The default path
~/.ssh/id_dropbear is used.
-L [listenaddress]:listenport:host:port
Local port forwarding. Forward listenport on the local host
through the SSH connection to port on host.
-R [listenaddress]:listenport:host:port
Remote port forwarding. Forward listenport on the remote host
through the SSH connection to port on host.
-l user
Username. Login as user on the remote host. An alternative is to
specify user@host.
-t Allocate a PTY. This is the default when no command is given; it
gives a full interactive remote session. The main effect is that
keystrokes are sent remotely immediately as opposed to local
line-based editing.
-T Don't allocate a PTY. This is the default when a command is
given. See -t.
-N Don't request a remote shell or run any commands. Any command
arguments are ignored.
-f Fork into the background after authentication. A command argument
(or -N) is required. This is useful when using password
authentication.
-g Allow non-local hosts to connect to forwarded ports. Applies to
-L and -R forwarded ports, though remote connections to -R
forwarded ports may be limited by the ssh server.
-y Always accept hostkeys if they are unknown. If a hostkey mismatch
occurs the connection will abort as normal. If specified a second
time no host key checking is performed at all; this is usually
undesirable.
-A Forward agent connections to the remote host. dbclient will use
any OpenSSH-style agent program if available ($SSH_AUTH_SOCK will
be set) for public key authentication. Forwarding is only
enabled if -A is specified.
Beware that a forwarded agent connection will allow the remote
server to have the same authentication credentials as you have
used locally. A compromised remote server could use that to log
in to other servers.
In many situations Dropbear's multi-hop mode is a better and more
secure alternative to agent forwarding, avoiding having to trust
the intermediate server.
If the SSH agent program is set to prompt when a key is used, the
-o DisableTrivialAuth option can prevent UI confusion.
-W windowsize
Specify the per-channel receive window buffer size. Increasing
this may improve network performance at the expense of memory
use. Use -h to see the default buffer size.
-K timeout_seconds
Ensure that traffic is transmitted at a certain interval in
seconds. This is useful for working around firewalls or routers that
drop connections after a certain period of inactivity. The
trade-off is that a session may be closed if there is a temporary lapse
of network connectivity. A setting of 0 disables keepalives. If
no response is received for 3 consecutive keepalives the
connection will be closed.
-I idle_timeout
Disconnect the session if no traffic is transmitted or received
for idle_timeout seconds.
-z By default Dropbear will send network traffic with the AF21
setting for QoS, letting network devices give it higher priority.
Some devices may have problems with that; -z can be used to
disable it.
-J proxy_command
-J &fd
Use the standard input/output of the program proxy_command rather
than using a normal TCP connection. A hostname should still be
provided, as this is used for comparing saved hostkeys. This
command will be executed as "exec proxy_command ..." with the
default shell.
The second form &fd will make dbclient use the numeric file
descriptor as a socket. This can be used for more complex
tunnelling scenarios. Example usage with socat is
socat EXEC:'dbclient -J &38 ev',fdin=38,fdout=38 TCP4:host.example.com:22
-B endhost:endport
"Netcat-alike" mode, where Dropbear will connect to the given
host, then create a forwarded connection to endhost. This will
then be presented as dbclient's standard input/output.
-c cipherlist
Specify a comma separated list of ciphers to enable. Use -c help
to list possibilities.
-m MAClist
Specify a comma separated list of authentication MACs to enable.
Use -m help to list possibilities.
-o option
Can be used to give options in the format used by OpenSSH config
file. This is useful for specifying options for which there is no
separate command-line flag. For full details of the options
listed below, and their possible values, see ssh_config(5). The
following options have currently been implemented:
BatchMode
Disable interactive prompts e.g. password prompts and host
key confirmation. The argument must be "yes" or "no" (the
default).
BindAddress
Specify address and port on the local machine as the
source address of the connection.
DisableTrivialAuth
Disallow a server immediately giving successful
authentication (without presenting any password/pubkey prompt).
This avoids a UI confusion issue where it may appear that
the user is accepting an SSH agent prompt from their local
machine, but is actually accepting a prompt sent
immediately by the remote server.
ExitOnForwardFailure
Specifies whether dbclient should terminate the connection
if it cannot set up all requested local and remote port
forwardings. The argument must be "yes" or "no" (the
default).
ForwardAgent
Forward the authentication agent to the remote machine.
The argument must be "yes" or "no" (the default).
GatewayPorts
Allow remote hosts to connect to local forwarded ports.
The argument must be "yes" or "no" (the default).
IdentityFile
Specify an authentication identity file path.
PasswordAuthentication
Allow prompting the user for a password. If the
DROPBEAR_PASSWORD environment variable is specified then it will still be used.
The argument must be "yes" (the default) or "no".
Port Specify a listening port, like the -p argument.
ProxyCommand
Specify the proxy command to use to connect to the server.
ServerAliveInterval
Sets a timeout interval in seconds between keep-alive
messages through the encrypted channel. The default is 0, i.e.
disabled.
StrictHostKeyChecking
Use "yes" to refuse connection to hosts where the host key
is not already correct in known_hosts. Entries must be
added to known_hosts manually.
Use "no" to skip the known_hosts key checking.
Use "accept-new" to add new host keys to the known_hosts
and refuse to connect if the host key has changed.
"ask" is the default.
UseSyslog
Send dbclient log messages to syslog in addition to
stderr.
-s The specified command will be requested as a subsystem, used for
sftp. Dropbear doesn't implement sftp itself but the OpenSSH sftp
client can be used, e.g. sftp -S dbclient user@host
-b [address][:port]
Bind to a specific local address when connecting to the remote
host. This can be used to choose from multiple outgoing
interfaces. Either address or port (or both) can be given.
-V Print the version.
MULTI-HOP
Dropbear will also allow multiple "hops" to be specified, separated by
commas. In this case a connection will be made to the first host, then a
TCP forwarded connection will be made through that to the second host,
and so on. Hosts other than the final destination will not see anything
other than the encrypted SSH stream. A port for a host can be specified
with a caret (e.g. matt@martello^44). This syntax can also be used with
scp or rsync (specifying dbclient as the ssh/rsh command). A file can be
"bounced" through multiple SSH hops, e.g.
scp -S dbclient matt@martello,root@wrt,canyons:/tmp/dump .
Note that hostnames are resolved by the prior hop (so in the example
above "canyons" would be resolved by the host "wrt"), the same way as other
-L TCP forwarded hosts are. Host keys are checked locally based on the
given hostname.
ESCAPE CHARACTERS
Typing a newline followed by the key sequence ~. (tilde, dot) will
terminate a connection. The sequence ~^Z (tilde, ctrl-z) will background
the connection. This behaviour only applies when a PTY is used.
~R will perform a key re-exchange of ephemeral session keys.
ENVIRONMENT
DROPBEAR_PASSWORD
A password to use for remote authentication can be specified in
the environment variable DROPBEAR_PASSWORD. Care should be taken
that the password is not exposed to other users on a multi-user
system, or stored in accessible files.
SSH_ASKPASS
dbclient can use an external program to request a password from a
user. SSH_ASKPASS should be set to the path of a program that
will return a password on standard output. This program will only
be used if either DISPLAY is set and standard input is not a TTY,
or the environment variable SSH_ASKPASS_ALWAYS is set.
FILES
~/.ssh/dropbear_config
This is the per user configuration file. A very limited subset of the
keywords for ssh_config(5) is supported, and none of the advanced
features. The file contains key value pairs on a single line separated with
space or '='. Empty lines are ignored. Text starting with '#' is a
comment, and also ignored.
The file is not considered if a multi-hop connection is used. Values on
the command line override the respective values in the file.
The recognized keywords are as follows. Keywords are case insensitive
and values are case insensitive.
Host Defines the options that would be applied if this value matches
the host specified on the command line. The next Host entry or
EOF determines the end of the list of applicable options.
HostName
Specifies the actual host name to connect to. Can be DNS name or
IP address.
Port Specifies the port number to use to connect to the remote host.
User Specifies the user name to log in as.
IdentityFile
Specifies the file with the private key used for public key
authentication with the remote host. The file must be in the
Dropbear format. See dropbearkey(1) to generate one. A '~/' at the
start of the path will be expanded to the executing user's home
directory. A path that does not start with '/' will be treated
relative to this configuration file's directory. Otherwise the path
will be used as is.
Because this file contains a secret it must have strict
permissions to prevent abuse attempts - read/write for the executing
user, and no access to anyone else.
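The path-resolution and permission rules above can be checked before dbclient is run. This added example (not part of the manual page or of Dropbear) lists each IdentityFile in a config file, resolves it by those rules, and reports key files that grant group or other access. It assumes a '#' starts a comment anywhere on a line and that the permission requirement applies to the key file; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not Dropbear code): audit IdentityFile entries in a
# dropbear_config-style file. Assumes '#' starts a comment anywhere on a line.

# resolve_identity CONFIG VALUE -> path resolved by the rules described above
resolve_identity() {
    case $2 in
        \~/*) printf '%s\n' "$HOME/${2#??}" ;;           # '~/' -> home directory
        /*)   printf '%s\n' "$2" ;;                      # absolute: used as is
        *)    printf '%s\n' "$(dirname -- "$1")/$2" ;;   # relative to config dir
    esac
}

# list_identities CONFIG -> one resolved IdentityFile path per line
list_identities() {
    awk '{
        sub(/#.*/, ""); sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
        if (!match($0, /[ \t=]+/)) next               # no "key value" pair here
        key = tolower(substr($0, 1, RSTART - 1)); val = substr($0, RSTART + RLENGTH)
        if (key == "identityfile" && val != "") print val
    }' "$1" | while IFS= read -r value; do
        resolve_identity "$1" "$value"
    done
}

# key_is_private FILE -> 0 if group/other have no access, 1 if they do, 2 if missing
key_is_private() {
    listing=$(ls -ldL -- "$1" 2>/dev/null) || return 2
    [ "$(printf '%s' "$listing" | cut -c5-10)" = "------" ]
}

# audit_config CONFIG -> prints "OK|LOOSE|MISSING <path>" for every key file
audit_config() {
    list_identities "$1" | while IFS= read -r key; do
        rc=0
        key_is_private "$key" || rc=$?
        case $rc in
            0) printf 'OK %s\n' "$key" ;;
            1) printf 'LOOSE %s\n' "$key" ;;
            *) printf 'MISSING %s\n' "$key" ;;
        esac
    done
}

# Run against a file given on the command line, e.g. ~/.ssh/dropbear_config
if [ "$#" -gt 0 ]; then audit_config "$1"; fi
```

A LOOSE result is cleared with chmod 600 on the reported key file.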
NOTES
If compiled with zlib support and if the server supports it, dbclient
will always use compression.
AUTHOR
Matt Johnston (matt@ucc.asn.au).
Mihnea Stoenescu wrote initial Dropbear client support.
Gerrit Pape (pape@smarden.org) wrote this manual page.
SEE ALSO
dropbear(8), dropbearkey(1)
https://matt.ucc.asn.au/dropbear/dropbear.html
2023-02-01 dbclient(1)