dropbear(8) System Manager's Manual dropbear(8)
NAME
dropbear - lightweight SSH server
SYNOPSIS
dropbear [flag arguments] [-b banner] [-r hostkeyfile] [-p [address:]port]
DESCRIPTION
dropbear is a small SSH server.
OPTIONS
-b banner
Display the contents of the file banner before user
login (default: none).
-r hostkey
Use the contents of the file hostkey for the SSH hostkey. This
file is generated with dropbearkey(1) or automatically with the
'-R' option. See "Host Key Files" below.
-R Generate hostkeys automatically. See "Host Key Files" below.
-F Don't fork into background.
-E Log to standard error rather than syslog.
-e Pass on the server environment to all child processes. This is
required, for example, if Dropbear is launched on the fly from a
SLURM workload manager. The environment is not passed by default.
Note that this could expose secrets in environment variables from
the calling process - use with caution.
-m Don't display the message of the day on login.
-w Disallow root logins.
-s Disable password logins.
-g Disable password logins for root.
-t Enable two-factor authentication. Both password login and public
key authentication are required. Should not be used with the '-s'
option.
-j Disable local port forwarding. This includes unix stream forwards.
-k Disable remote port forwarding.
-p [address:]port
Listen on specified address and TCP port. If just a port is
given, listen on all addresses. Up to 10 can be specified
(default 22 if none specified).
-l interface
Listen on the specified interface.
-i Service program mode. Use this option to run dropbear under
TCP/IP servers like inetd, tcpsvd, or tcpserver. In program mode
the -F option is implied, and -p options are ignored.
-P pidfile
Specify a pidfile to create when running as a daemon. If not
specified, the default is /var/run/dropbear.pid.
-a Allow remote hosts to connect to forwarded ports.
-W windowsize
Specify the per-channel receive window buffer size. Increasing
this may improve network performance at the expense of memory
use. Use -h to see the default buffer size.
-K timeout_seconds
Ensure that traffic is transmitted at a certain interval in seconds.
This is useful for working around firewalls or routers that
drop connections after a certain period of inactivity. The trade-off
is that a session may be closed if there is a temporary lapse
of network connectivity. A setting of 0 disables keepalives. If
no response is received for 3 consecutive keepalives the connection
will be closed.
-I idle_timeout
Disconnect the session if no traffic is transmitted or received
for idle_timeout seconds.
-z By default Dropbear will send network traffic with the AF21 setting
for QoS, letting network devices give it higher priority.
Some devices may have problems with that; -z can be used to disable it.
-T max_authentication_attempts
Set the number of authentication attempts allowed per connection.
If unspecified, the default is 10 (MAX_AUTH_TRIES).
-c forced_command
Disregard the command provided by the user and always run
forced_command. This also overrides any authorized_keys command=
option. The original command is saved in the SSH_ORIGINAL_COMMAND
environment variable (see below).
-D authorized_keys_dir
Specify the directory to use for authorized_keys files. The default
is ~/.ssh; paths with a leading ~/ will be home directory
expanded.
-V Print the version
FILES
Authorized Keys
~/.ssh/authorized_keys can be set up to allow remote login with an
RSA, ECDSA, Ed25519 or DSS key. Each line is of the form
[restrictions] ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIgAsp... [comment]
and can be extracted from a Dropbear private host key with
"dropbearkey -y". This is the same format as used by OpenSSH, though
the restrictions are a subset (keys with unknown restrictions are
ignored). Restrictions are comma separated, with double quotes
around spaces in arguments. Available restrictions are:
no-port-forwarding
Don't allow port forwarding for this connection, including unix
streams.
no-agent-forwarding
Don't allow agent forwarding for this connection.
no-X11-forwarding
Don't allow X11 forwarding for this connection.
no-pty Disable PTY allocation. Note that a user can still obtain most of
the same functionality with other means even if no-pty is set.
restrict
Applies all the no- restrictions listed above.
permitopen="host:port"
Restrict local port forwarding so that connection is allowed only
to the specified host and port. Multiple permitopen options separated
by commas can be set in authorized_keys. Wildcard character
('*') may be used in port specification for matching any port.
Hosts must be literal domain names or IP addresses.
command="forced_command"
Disregard the command provided by the user and always run
forced_command. The -c command line option overrides this.
The authorized_keys file and its containing ~/.ssh directory must
only be writable by the user, otherwise Dropbear will not allow a
login using public key authentication.
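
An added example (not part of the Dropbear manual or source) that audits authorized_keys lines against the restriction list above and checks the write-permission rule. The sample lines are constructed; skipping of comment lines, case-insensitive matching and the key-type prefixes are assumptions.

```python
import os
import stat

# Restrictions listed in this man page (compared case-insensitively: an assumption).
FLAGS = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding",
         "no-pty", "restrict"}
VALUED = {"permitopen", "command"}
KEY_PREFIXES = ("ssh-", "ecdsa-")  # how key-type tokens begin (assumption)

def split_quoted(text, seps):
    """Split text at any char in seps that is outside double quotes.
    Backslash-escaped quotes are not handled in this example."""
    parts, cur, quoted = [], "", False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch in seps and not quoted:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    return parts + [cur]

def is_known(opt):
    name, eq, _ = opt.partition("=")
    return opt.lower() in FLAGS or (eq == "=" and name.lower() in VALUED)

def audit_line(line):
    """Return (restrictions, unknown_restrictions), or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith(KEY_PREFIXES):       # no restrictions field present
        return [], []
    opts = split_quoted(split_quoted(line, " \t")[0], ",")
    return opts, [o for o in opts if not is_known(o)]

def writable_by_others(path):
    """True if group or other can write to path (Dropbear then refuses pubkey login)."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))

# Constructed sample lines; key blobs are truncated placeholders.
SAMPLE = [
    'restrict,permitopen="10.0.0.5:5432" ssh-ed25519 AAAA...constructed backup',
    'no-pty,command="/usr/local/bin/report --daily" ssh-rsa AAAA...constructed cron',
    'from="192.0.2.*",no-pty ssh-rsa AAAA...constructed copied-from-openssh',
    'ssh-ed25519 AAAA...constructed admin',
]
```

A non-empty unknown list (the third sample, carrying OpenSSH's from= option) marks a key that Dropbear ignores according to the text above; an empty restrictions list (the fourth sample) marks an unrestricted key.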
Host Key Files
Host key files are read at startup from a standard location, by
default /etc/dropbear/dropbear_dss_host_key,
/etc/dropbear/dropbear_rsa_host_key,
/etc/dropbear/dropbear_ecdsa_host_key and
/etc/dropbear/dropbear_ed25519_host_key.
If the -r command line option is specified the default files are
not loaded. Host key files are of the form generated by
dropbearkey. The -R option can be used to automatically generate
keys in the default location - keys will be generated after
startup when the first connection is established. This has the
benefit that the system /dev/urandom random number source has a
better chance of being securely seeded.
Message Of The Day
By default the file /etc/motd will be printed for any login shell
(unless disabled at compile-time). This can also be disabled
per-user by creating a file ~/.hushlogin.
ENVIRONMENT VARIABLES
Dropbear sets the standard variables USER, LOGNAME, HOME, SHELL, PATH,
and TERM.
The variables below are set for sessions as appropriate.
SSH_TTY
This is set to the allocated TTY if a PTY was used.
SSH_CONNECTION
Contains "<remote_ip> <remote_port> <local_ip> <local_port>".
DISPLAY
Set if X11 forwarding is used.
SSH_ORIGINAL_COMMAND
If a 'command=' authorized_keys option was used, the original
command is specified in this variable. If a shell was requested
this is set to an empty value.
SSH_AUTH_SOCK
Set to a forwarded ssh-agent connection.
NOTES
Dropbear only supports SSH protocol version 2.
AUTHOR
Matt Johnston (matt@ucc.asn.au).
Gerrit Pape (pape@smarden.org) wrote this manual page.
SEE ALSO
dropbearkey(1), dbclient(1), dropbearconvert(1)
https://matt.ucc.asn.au/dropbear/dropbear.html