| blob | 71200d9054c84ab6403a5c48734740dca950afff |
1 .TH dropbear 8
2 .SH NAME
3 dropbear \- lightweight SSH server
4 .SH SYNOPSIS
5 .B dropbear
6 [\fIflag arguments\fR] [\-b
7 .I banner\fR]
8 [\-r
9 .I hostkeyfile\fR] [\-p [\fIaddress\fR:]\fIport\fR]
10 .SH DESCRIPTION
11 .B dropbear
12 is a small SSH server
13 .SH OPTIONS
14 .TP
15 .B \-b \fIbanner
16 bannerfile.
17 Display the contents of the file
18 .I banner
19 before user login (default: none).
20 .TP
21 .B \-r \fIhostkey
22 Use the contents of the file
23 .I hostkey
24 for the SSH hostkey.
25 This file is generated with
26 .BR dropbearkey (1)
27 or automatically with the '-R' option. See "Host Key Files" below.
28 .TP
29 .B \-R
30 Generate hostkeys automatically. See "Host Key Files" below.
31 .TP
32 .B \-F
33 Don't fork into background.
34 .TP
35 .B \-E
36 Log to standard error rather than syslog.
37 .TP
38 .B \-m
39 Don't display the message of the day on login.
40 .TP
41 .B \-w
42 Disallow root logins.
43 .TP
44 .B \-s
45 Disable password logins.
46 .TP
47 .B \-g
48 Disable password logins for root.
49 .TP
50 .B \-j
51 Disable local port forwarding.
52 .TP
53 .B \-k
54 Disable remote port forwarding.
55 .TP
56 .B \-p\fR [\fIaddress\fR:]\fIport
57 Listen on specified
58 .I address
59 and TCP
60 .I port.
61 If just a port is given listen
62 on all addresses.
63 up to 10 can be specified (default 22 if none specified).
64 .TP
65 .B \-i
66 Service program mode.
67 Use this option to run
68 .B dropbear
69 under TCP/IP servers like inetd, tcpsvd, or tcpserver.
70 In program mode the \-F option is implied, and \-p options are ignored.
71 .TP
72 .B \-P \fIpidfile
73 Specify a pidfile to create when running as a daemon. If not specified, the
74 default is /var/run/dropbear.pid
75 .TP
76 .B \-a
77 Allow remote hosts to connect to forwarded ports.
78 .TP
79 .B \-W \fIwindowsize
80 Specify the per-channel receive window buffer size. Increasing this
81 may improve network performance at the expense of memory use. Use -h to see the
82 default buffer size.
83 .TP
84 .B \-K \fItimeout_seconds
85 Ensure that traffic is transmitted at a certain interval in seconds. This is
86 useful for working around firewalls or routers that drop connections after
87 a certain period of inactivity. The trade-off is that a session may be
88 closed if there is a temporary lapse of network connectivity. A setting
89 if 0 disables keepalives. If no response is received for 3 consecutive keepalives the connection will be closed.
90 .TP
91 .B \-I \fIidle_timeout
92 Disconnect the session if no traffic is transmitted or received for \fIidle_timeout\fR seconds.
93 .TP
94 .B \-V
95 Print the version
97 .SH FILES
99 .TP
100 Authorized Keys
102 ~/.ssh/authorized_keys can be set up to allow remote login with a RSA,
103 ECDSA, or DSS
104 key. Each line is of the form
105 .TP
106 [restrictions] ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIgAsp... [comment]
108 and can be extracted from a Dropbear private host key with "dropbearkey -y". This is the same format as used by OpenSSH, though the restrictions are a subset (keys with unknown restrictions are ignored).
109 Restrictions are comma separated, with double quotes around spaces in arguments.
110 Available restrictions are:
112 .TP
113 .B no-port-forwarding
114 Don't allow port forwarding for this connection
116 .TP
117 .B no-agent-forwarding
118 Don't allow agent forwarding for this connection
120 .TP
121 .B no-X11-forwarding
122 Don't allow X11 forwarding for this connection
124 .TP
125 .B no-pty
126 Disable PTY allocation. Note that a user can still obtain most of the
127 same functionality with other means even if no-pty is set.
129 .TP
130 .B command=\fR"\fIforced_command\fR"
131 Disregard the command provided by the user and always run \fIforced_command\fR.
133 The authorized_keys file and its containing ~/.ssh directory must only be
134 writable by the user, otherwise Dropbear will not allow a login using public
135 key authentication.
137 .TP
138 Host Key Files
140 Host key files are read at startup from a standard location, by default
141 /etc/dropbear/dropbear_dss_host_key, /etc/dropbear/dropbear_rsa_host_key, and
142 /etc/dropbear/dropbear_ecdsa_host_key
143 or specified on the commandline with -r. These are of the form generated
144 by dropbearkey. The -R option can be used to automatically generate keys
145 in the default location - keys will be generated after startup when the first
146 connection is established. This had the benefit that the system /dev/urandom
147 random number source has a better chance of being securely seeded.
149 .TP
150 Message Of The Day
152 By default the file /etc/motd will be printed for any login shell (unless
153 disabled at compile-time). This can also be disabled per-user
154 by creating a file ~/.hushlogin .
156 .SH ENVIRONMENT VARIABLES
157 Dropbear sets the standard variables USER, LOGNAME, HOME, SHELL, PATH, and TERM.
159 The variables below are set for sessions as appropriate.
161 .TP
162 .B SSH_TTY
163 This is set to the allocated TTY if a PTY was used.
165 .TP
166 .B SSH_CONNECTION
167 Contains "<remote_ip> <remote_port> <local_ip> <local_port>".
169 .TP
170 .B DISPLAY
171 Set X11 forwarding is used.
173 .TP
174 .B SSH_ORIGINAL_COMMAND
175 If a 'command=' authorized_keys option was used, the original command is specified
176 in this variable. If a shell was requested this is set to an empty value.
178 .TP
179 .B SSH_AUTH_SOCK
180 Set to a forwarded ssh-agent connection.
182 .SH NOTES
183 Dropbear only supports SSH protocol version 2.
185 .SH AUTHOR
186 Matt Johnston (matt@ucc.asn.au).
187 .br
188 Gerrit Pape (pape@smarden.org) wrote this manual page.
189 .SH SEE ALSO
190 dropbearkey(1), dbclient(1), dropbearconvert(1)
191 .P
192 https://matt.ucc.asn.au/dropbear/dropbear.html