Provided by: dropbear-bin_2022.83-4_amd64 bug

NAME

       dropbear - lightweight SSH server

SYNOPSIS

       dropbear [flag arguments] [-b banner] [-r hostkeyfile] [-p [address:]port]

DESCRIPTION

       dropbear is a small SSH server

OPTIONS

       -b banner
              bannerfile.   Display  the  contents of the file banner before user login (default:
              none).

       -r hostkey
              Use the contents of the file hostkey for the SSH hostkey.  This file  is  generated
              with  dropbearkey(1)  or  automatically  with the '-R' option. See "Host Key Files"
              below.

       -R     Generate hostkeys automatically. See "Host Key Files" below.

       -F     Don't fork into background.

       -E     Log to standard error rather than syslog.

       -e     Pass on the server environment to  all  child  processes.  This  is  required,  for
              example,  if  Dropbear  is  launched  on the fly from a SLURM workload manager. The
              environment is not passed by default.  Note  that  this  could  expose  secrets  in
              environment variables from the calling process - use with caution.

       -m     Don't display the message of the day on login.

       -w     Disallow root logins.

       -s     Disable password logins.

       -g     Disable password logins for root.

       -t     Enable two-factor authentication. Both password login and public key authentication
              are required. Should not be used with the '-s' option.

       -j     Disable local port forwarding.

       -k     Disable remote port forwarding.

       -p [address:]port
              Listen on specified address and TCP port.  If just a port is given  listen  on  all
              addresses.  Up to 10 can be specified (default 22 if none specified).

       -i     Service  program  mode.   Use this option to run dropbear under TCP/IP servers like
              inetd, tcpsvd, or tcpserver.  In program mode the -F  option  is  implied,  and  -p
              options are ignored.

       -P pidfile
              Specify a pidfile to create when running as a daemon. If not specified, the default
              is /var/run/dropbear.pid

       -a     Allow remote hosts to connect to forwarded ports.

       -W windowsize
              Specify the per-channel receive window buffer size.  Increasing  this  may  improve
              network  performance at the expense of memory use. Use -h to see the default buffer
              size.

       -K timeout_seconds
              Ensure that traffic is transmitted at a certain interval in seconds. This is useful
              for  working  around  firewalls  or  routers  that drop connections after a certain
              period of inactivity. The trade-off is that a session may be closed if there  is  a
              temporary  lapse of network connectivity. A setting of 0 disables keepalives. If no
              response is received for 3 consecutive keepalives the connection will be closed.

       -I idle_timeout
              Disconnect the session if no traffic is transmitted or  received  for  idle_timeout
              seconds.

       -z     By  default  Dropbear  will  send  network  traffic  with the AF21 setting for QoS,
              letting network devices give it higher priority. Some  devices  may  have  problems
              with that, -z can be used to disable it.

       -T max_authentication_attempts
              Set  the  number  of authentication attempts allowed per connection. If unspecified
              the default is 10 (MAX_AUTH_TRIES)

       -c forced_command
              Disregard the command provided by the user and always run forced_command. This also
              overrides any authorized_keys command= option. The original command is saved in the
              SSH_ORIGINAL_COMMAND environment variable (see below).

       -V     Print the version

FILES

       Authorized Keys

              ~/.ssh/authorized_keys can be set up to allow  remote  login  with  a  RSA,  ECDSA,
              Ed25519 or DSS key. Each line is of the form

       [restrictions] ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIgAsp... [comment]

              and  can  be extracted from a Dropbear private host key with "dropbearkey -y". This
              is the same format as used by OpenSSH, though the restrictions are a  subset  (keys
              with  unknown  restrictions  are  ignored).  Restrictions are comma separated, with
              double quotes around spaces in arguments.  Available restrictions are:

       no-port-forwarding
              Don't allow port forwarding for this connection

       no-agent-forwarding
              Don't allow agent forwarding for this connection

       no-X11-forwarding
              Don't allow X11 forwarding for this connection

       no-pty Disable PTY allocation. Note that  a  user  can  still  obtain  most  of  the  same
              functionality with other means even if no-pty is set.

       restrict
              Applies all the no- restrictions listed above.

       permitopen="host:port"
              Restrict  local port forwarding so that connection is allowed only to the specified
              host and port. Multiple permitopen options  separated  by  commas  can  be  set  in
              authorized_keys.  Wildcard  character  ('*')  may be used in port specification for
              matching any port. Hosts must be literal domain names or IP addresses.

       command="forced_command"
              Disregard the command provided by the user and always run forced_command.   The  -c
              command line option overrides this.

              The  authorized_keys file and its containing ~/.ssh directory must only be writable
              by  the  user,  otherwise  Dropbear  will  not  allow  a  login  using  public  key
              authentication.

       Host Key Files

              Host  key  files  are  read  at  startup  from  a  standard  location,  by  default
              /etc/dropbear/dropbear_dss_host_key,           /etc/dropbear/dropbear_rsa_host_key,
              /etc/dropbear/dropbear_ecdsa_host_key and /etc/dropbear/dropbear_ed25519_host_key

              If  the -r command line option is specified the default files are not loaded.  Host
              key files are of the form generated by dropbearkey.  The -R option can be  used  to
              automatically  generate keys in the default location - keys will be generated after
              startup when the first connection is established. This had  the  benefit  that  the
              system  /dev/urandom  random  number  source  has a better chance of being securely
              seeded.

       Message Of The Day

              By default the file /etc/motd will be printed for any login shell (unless  disabled
              at   compile-time).  This  can  also  be  disabled  per-user  by  creating  a  file
              ~/.hushlogin .

ENVIRONMENT VARIABLES

       Dropbear sets the standard variables USER, LOGNAME, HOME, SHELL, PATH, and TERM.

       The variables below are set for sessions as appropriate.

       SSH_TTY
              This is set to the allocated TTY if a PTY was used.

       SSH_CONNECTION
              Contains "<remote_ip> <remote_port> <local_ip> <local_port>".

       DISPLAY
              Set X11 forwarding is used.

       SSH_ORIGINAL_COMMAND
              If a 'command=' authorized_keys option was used, the original command is  specified
              in this variable. If a shell was requested this is set to an empty value.

       SSH_AUTH_SOCK
              Set to a forwarded ssh-agent connection.

NOTES

       Dropbear only supports SSH protocol version 2.

AUTHOR

       Matt Johnston (matt@ucc.asn.au).
       Gerrit Pape (pape@smarden.org) wrote this manual page.

SEE ALSO

       dropbearkey(1), dbclient(1), dropbearconvert(1)

       https://matt.ucc.asn.au/dropbear/dropbear.html

                                                                                      dropbear(8)