view dropbear.8 @ 1659:d32bcb5c557d

Add Ed25519 support (#91) * Add support for Ed25519 as a public key type Ed25519 is a elliptic curve signature scheme that offers better security than ECDSA and DSA and good performance. It may be used for both user and host keys. OpenSSH key import and fuzzer are not supported yet. Initially inspired by Peter Szabo. * Add curve25519 and ed25519 fuzzers * Add import and export of Ed25519 keys
author Vladislav Grishenko <>
date Wed, 11 Mar 2020 21:09:45 +0500
parents 2e9b6d9c7e7d
children 94323a20e572
line wrap: on
line source
.TH dropbear 8
dropbear \- lightweight SSH server
.B dropbear
[\fIflag arguments\fR] [\-b
.I banner\fR] 
.I hostkeyfile\fR] [\-p [\fIaddress\fR:]\fIport\fR]
.B dropbear
is a small SSH server 
.B \-b \fIbanner
Display the contents of the file
.I banner
before user login (default: none).
.B \-r \fIhostkey
Use the contents of the file
.I hostkey
for the SSH hostkey.
This file is generated with
.BR dropbearkey (1) 
or automatically with the '-R' option. See "Host Key Files" below.
.B \-R
Generate hostkeys automatically. See "Host Key Files" below.
.B \-F
Don't fork into background.
.B \-E
Log to standard error rather than syslog.
.B \-m
Don't display the message of the day on login.
.B \-w
Disallow root logins.
.B \-s
Disable password logins.
.B \-g
Disable password logins for root.
.B \-j
Disable local port forwarding.
.B \-k
Disable remote port forwarding.
.B \-p\fR [\fIaddress\fR:]\fIport
Listen on specified 
.I address
and TCP
.I port.
If just a port is given listen
on all addresses.
up to 10 can be specified (default 22 if none specified).
.B \-i
Service program mode.
Use this option to run
.B dropbear
under TCP/IP servers like inetd, tcpsvd, or tcpserver.
In program mode the \-F option is implied, and \-p options are ignored.
.B \-P \fIpidfile
Specify a pidfile to create when running as a daemon. If not specified, the 
default is /var/run/
.B \-a
Allow remote hosts to connect to forwarded ports.
.B \-W \fIwindowsize
Specify the per-channel receive window buffer size. Increasing this 
may improve network performance at the expense of memory use. Use -h to see the
default buffer size.
.B \-K \fItimeout_seconds
Ensure that traffic is transmitted at a certain interval in seconds. This is
useful for working around firewalls or routers that drop connections after
a certain period of inactivity. The trade-off is that a session may be
closed if there is a temporary lapse of network connectivity. A setting
if 0 disables keepalives. If no response is received for 3 consecutive keepalives the connection will be closed.
.B \-I \fIidle_timeout
Disconnect the session if no traffic is transmitted or received for \fIidle_timeout\fR seconds.
.B \-T \fImax_authentication_attempts
Set the number of authentication attempts allowed per connection. If unspecified the default is 10 (MAX_AUTH_TRIES)
.B \-c \fIforced_command
Disregard the command provided by the user and always run \fIforced_command\fR. This also
overrides any authorized_keys command= option.
.B \-V
Print the version


Authorized Keys

~/.ssh/authorized_keys can be set up to allow remote login with a RSA,
ECDSA, Ed25519 or DSS
key. Each line is of the form
[restrictions] ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIgAsp... [comment]

and can be extracted from a Dropbear private host key with "dropbearkey -y". This is the same format as used by OpenSSH, though the restrictions are a subset (keys with unknown restrictions are ignored).
Restrictions are comma separated, with double quotes around spaces in arguments.
Available restrictions are:

.B no-port-forwarding
Don't allow port forwarding for this connection

.B no-agent-forwarding
Don't allow agent forwarding for this connection

.B no-X11-forwarding
Don't allow X11 forwarding for this connection

.B no-pty
Disable PTY allocation. Note that a user can still obtain most of the
same functionality with other means even if no-pty is set.

.B command=\fR"\fIforced_command\fR"
Disregard the command provided by the user and always run \fIforced_command\fR.
The -c command line option overrides this.

The authorized_keys file and its containing ~/.ssh directory must only be
writable by the user, otherwise Dropbear will not allow a login using public
key authentication.

Host Key Files

Host key files are read at startup from a standard location, by default
/etc/dropbear/dropbear_dss_host_key, /etc/dropbear/dropbear_rsa_host_key,
/etc/dropbear/dropbear_ecdsa_host_key and /etc/dropbear/dropbear_ed25519_host_key

If the -r command line option is specified the default files are not loaded.
Host key files are of the form generated by dropbearkey. 
The -R option can be used to automatically generate keys
in the default location - keys will be generated after startup when the first
connection is established. This had the benefit that the system /dev/urandom
random number source has a better chance of being securely seeded.

Message Of The Day

By default the file /etc/motd will be printed for any login shell (unless 
disabled at compile-time). This can also be disabled per-user
by creating a file ~/.hushlogin .

Dropbear sets the standard variables USER, LOGNAME, HOME, SHELL, PATH, and TERM.

The variables below are set for sessions as appropriate. 

This is set to the allocated TTY if a PTY was used.

Contains "<remote_ip> <remote_port> <local_ip> <local_port>".

Set X11 forwarding is used.

If a 'command=' authorized_keys option was used, the original command is specified
in this variable. If a shell was requested this is set to an empty value.

Set to a forwarded ssh-agent connection.

Dropbear only supports SSH protocol version 2.

Matt Johnston ([email protected]).
Gerrit Pape ([email protected]) wrote this manual page.
dropbearkey(1), dbclient(1), dropbearconvert(1)