dropbear(8)		    System Manager's Manual		   dropbear(8)

       dropbear	- lightweight SSH server

       dropbear	 [flag	arguments]  [-b	 banner]  [-r  hostkeyfile]  [-p  [ad-

       dropbear	is a small SSH server

       -b banner
	      bannerfile.  Display the contents	of the file banner before user
	      login (default: none).

       -r hostkey
	      Use  the contents	of the file hostkey for	the SSH	hostkey.  This
	      file is generated	with dropbearkey(1) or automatically with  the
	      '-R' option. See "Host Key Files"	below.

       -R     Generate hostkeys	automatically. See "Host Key Files" below.

       -F     Don't fork into background.

       -E     Log to standard error rather than	syslog.

       -m     Don't display the	message	of the day on login.

       -w     Disallow root logins.

       -s     Disable password logins.

       -g     Disable password logins for root.

       -j     Disable local port forwarding.

       -k     Disable remote port forwarding.

       -p [address:]port
	      Listen on the specified address and TCP port.  If just a port is
	      given, listen on all addresses.  Up to 10 can be specified
	      (default 22 if none specified).

       -i     Service  program	mode.	Use  this option to run	dropbear under
	      TCP/IP servers like inetd, tcpsvd,  or  tcpserver.   In  program
	      mode the -F option is implied, and -p options are	ignored.

       -P pidfile
	      Specify  a  pidfile  to  create when running as a	daemon.	If not
	      specified, the default is	/var/run/

       -a     Allow remote hosts to connect to forwarded ports.

       -W windowsize
	      Specify the per-channel receive window buffer  size.  Increasing
	      this  may	 improve  network performance at the expense of	memory
	      use. Use -h to see the default buffer size.

       -K timeout_seconds
	      Ensure that traffic is transmitted at a certain interval in
	      seconds.  This is useful for working around firewalls or routers
	      that drop connections after a certain period of inactivity.  The
	      trade-off is that a session may be closed if there is a
	      temporary lapse of network connectivity.  A setting of 0
	      disables keepalives.  If no response is received for 3
	      consecutive keepalives the connection will be closed.

       -I idle_timeout
	      Disconnect the session if	no traffic is transmitted or  received
	      for idle_timeout seconds.

       -T max_authentication_attempts
	      Set the number of authentication attempts allowed per
	      connection.  If unspecified the default is 10 (MAX_AUTH_TRIES).

       -c forced_command
	      Disregard	the command  provided  by  the	user  and  always  run
	      forced_command. This also	overrides any authorized_keys command=

       -V     Print the	version
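
	      The login and forwarding switches above can be checked mechanically. The following is an added example, not part of Dropbear or of the original manual page: audit_dropbear_args is a hypothetical helper that parses a dropbear argument list with getopts and reports which of these restrictions are left off.

```sh
# Added example; audit_dropbear_args is a hypothetical helper, not part of Dropbear.
# Usage: audit_dropbear_args -R -E -p 22
# Prints one line per login or forwarding restriction that the argument list
# leaves off. The subshell body "( ... )" keeps the variables local.
audit_dropbear_args() (
    OPTIND=1
    no_root=0 no_pw=0 no_root_pw=0 no_lfwd=0 no_rfwd=0 gateway=0
    # Option letters, and which of them take an argument, are from the list above.
    while getopts ":b:r:RFEmwsgjkp:iP:aW:K:I:T:c:V" opt "$@"; do
        case "$opt" in
            w) no_root=1 ;;
            s) no_pw=1 ;;
            g) no_root_pw=1 ;;
            j) no_lfwd=1 ;;
            k) no_rfwd=1 ;;
            a) gateway=1 ;;
            :) echo "option -$OPTARG is missing its argument" ;;
            \?) echo "option -$OPTARG is not in the documented list" ;;
        esac
    done
    [ "$no_root" -eq 1 ] || echo "root logins allowed (no -w)"
    [ "$no_pw" -eq 1 ] || echo "password logins enabled (no -s)"
    # Root can use a password only if none of -w, -s, -g is given.
    [ $((no_root + no_pw + no_root_pw)) -gt 0 ] ||
        echo "root password logins enabled (no -w, -s or -g)"
    [ "$no_lfwd" -eq 1 ] || echo "local port forwarding enabled (no -j)"
    [ "$no_rfwd" -eq 1 ] || echo "remote port forwarding enabled (no -k)"
    [ "$gateway" -eq 0 ] || echo "remote hosts may connect to forwarded ports (-a)"
)
```
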

       Authorized Keys

	      ~/.ssh/authorized_keys can be set up to allow remote login with
	      an RSA, ECDSA, Ed25519 or DSS key.  Each line is of the form

       [restrictions] ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIgAsp...	[comment]

	      and  can	be  extracted  from  a	Dropbear private host key with
	      "dropbearkey -y".	This is	the same format	as  used  by  OpenSSH,
	      though the restrictions are a subset (keys with unknown restric-
	      tions are	ignored).  Restrictions	are comma separated, with dou-
	      ble  quotes  around spaces in arguments.	Available restrictions

	      Don't allow port forwarding for this connection

	      Don't allow agent	forwarding for this connection

	      Don't allow X11 forwarding for this connection

       no-pty Disable PTY allocation. Note that	a user can still  obtain  most
	      of  the  same  functionality  with other means even if no-pty is

	      Disregard	the command  provided  by  the	user  and  always  run
	      forced_command.  The -c command line option overrides this.

	      The  authorized_keys  file  and  its containing ~/.ssh directory
	      must only	be writable by the user, otherwise Dropbear  will  not
	      allow a login using public key authentication.
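
	      The write-permission rule above is a common cause of silently refused key logins. The following is an added example, not part of Dropbear or of the original manual page: check_pubkey_perms is a hypothetical helper that takes a home directory and reports group or other write bits on its .ssh directory and authorized_keys file.

```sh
# Added example; check_pubkey_perms is a hypothetical helper, not part of Dropbear.
# Usage: check_pubkey_perms "$HOME"
# Returns 0 if <home>/.ssh and <home>/.ssh/authorized_keys both exist and
# neither is writable by group or others; prints a finding and returns
# non-zero otherwise. Ownership is not checked here.
check_pubkey_perms() (
    home=$1
    bad=0
    for p in "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"
            bad=1
            continue
        fi
        # The first field of "ls -ld" is the mode string, e.g. drwx------.
        # -L follows symlinks so the target's mode is what gets judged.
        mode=$(ls -ldL -- "$p" | cut -c1-10)
        case "$mode" in
            # Character 6 is the group write bit, character 9 the other write bit.
            ?????w????|????????w?)
                echo "writable by group or others: $p ($mode)"
                bad=1
                ;;
        esac
    done
    [ "$bad" -eq 0 ]
)
```
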

       Host Key	Files

	      Host key files are read at startup from a standard location, by
	      default /etc/dropbear/dropbear_dss_host_key,
	      /etc/dropbear/dropbear_rsa_host_key,
	      /etc/dropbear/dropbear_ecdsa_host_key and

	      If the -r command line option is specified the default files are
	      not loaded.  Host key files are of the form generated by
	      dropbearkey.  The -R option can be used to automatically generate
	      keys in the default location; keys will be generated after
	      startup when the first connection is established.  This has the
	      benefit that the system /dev/urandom random number source has a
	      better chance of being securely seeded.

       Message Of The Day

	      By default the file /etc/motd will be printed for any login
	      shell (unless disabled at compile-time).  This can also be
	      disabled per-user by creating a file ~/.hushlogin.

       Dropbear	sets the standard variables USER, LOGNAME, HOME, SHELL,	 PATH,
       and TERM.

       The variables below are set for sessions	as appropriate.

	      This is set to the allocated TTY if a PTY	was used.

	      Contains "<remote_ip> <remote_port> <local_ip> <local_port>".

	      Set if X11 forwarding is used.

	      If  a  'command='	 authorized_keys option	was used, the original
	      command is specified in this variable. If	a shell	was  requested
	      this is set to an	empty value.

	      Set to a forwarded ssh-agent connection.

       Dropbear	only supports SSH protocol version 2.

       Matt Johnston (
       Gerrit Pape ( wrote this manual	page.

       dropbearkey(1), dbclient(1), dropbearconvert(1)


