Provided by: dropbear-bin_2022.83-4_amd64

NAME

       dropbear - lightweight SSH server

SYNOPSIS

       dropbear [flag arguments] [-b banner] [-r hostkeyfile] [-p [address:]port]

DESCRIPTION

       dropbear is a small SSH server.

OPTIONS

       -b banner
              bannerfile.  Display the contents of the file banner before user login (default: none).

       -r hostkey
              Use  the  contents  of  the  file  hostkey  for  the  SSH  hostkey.   This  file is generated with
              dropbearkey(1) or automatically with the '-R' option. See "Host Key Files" below.

       -R     Generate hostkeys automatically. See "Host Key Files" below.

       -F     Don't fork into background.

       -E     Log to standard error rather than syslog.

       -e     Pass on the server environment to all child processes. This is required, for example, if  Dropbear
              is  launched  on  the fly from a SLURM workload manager. The environment is not passed by default.
              Note that this could expose secrets in environment variables from the calling process -  use  with
              caution.

       -m     Don't display the message of the day on login.

       -w     Disallow root logins.

       -s     Disable password logins.

       -g     Disable password logins for root.

       -t     Enable  two-factor authentication. Both password login and public key authentication are required.
              Should not be used with the '-s' option.

       -j     Disable local port forwarding.

       -k     Disable remote port forwarding.

       -p [address:]port
              Listen on specified address and TCP port.  If just a port is given listen on all addresses.  Up to
              10 can be specified (default 22 if none specified).

       -i     Service program mode.  Use this option to run dropbear under TCP/IP servers like inetd, tcpsvd, or
              tcpserver.  In program mode the -F option is implied, and -p options are ignored.

       -P pidfile
              Specify a pidfile to  create  when  running  as  a  daemon.  If  not  specified,  the  default  is
              /var/run/dropbear.pid

       -a     Allow remote hosts to connect to forwarded ports.

       -W windowsize
              Specify  the  per-channel  receive  window  buffer  size.  Increasing  this  may  improve  network
              performance at the expense of memory use. Use -h to see the default buffer size.

       -K timeout_seconds
              Ensure that traffic is transmitted at a certain interval in seconds. This is  useful  for  working
              around firewalls or routers that drop connections after a certain period of inactivity. The trade-
              off  is  that  a  session  may  be closed if there is a temporary lapse of network connectivity. A
              setting of 0 disables keepalives. If no response is received  for  3  consecutive  keepalives  the
              connection will be closed.

       -I idle_timeout
              Disconnect the session if no traffic is transmitted or received for idle_timeout seconds.

       -z     By  default  Dropbear  will  send  network  traffic with the AF21 setting for QoS, letting network
              devices give it higher priority. Some devices may have problems with  that,  -z  can  be  used  to
              disable it.

       -T max_authentication_attempts
              Set the number of authentication attempts allowed per connection. If unspecified the default is 10
              (MAX_AUTH_TRIES)

       -c forced_command
              Disregard  the command provided by the user and always run forced_command. This also overrides any
              authorized_keys command= option.  The  original  command  is  saved  in  the  SSH_ORIGINAL_COMMAND
              environment variable (see below).

       -V     Print the version

FILES

       Authorized Keys

              ~/.ssh/authorized_keys  can be set up to allow remote login with an RSA, ECDSA, Ed25519 or DSS key.
              Each line is of the form

       [restrictions] ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIgAsp... [comment]

              and can be extracted from a Dropbear private host key with "dropbearkey  -y".  This  is  the  same
              format  as  used  by OpenSSH, though the restrictions are a subset (keys with unknown restrictions
              are ignored).  Restrictions are comma separated, with double quotes around  spaces  in  arguments.
              Available restrictions are:

       no-port-forwarding
              Don't allow port forwarding for this connection

       no-agent-forwarding
              Don't allow agent forwarding for this connection

       no-X11-forwarding
              Don't allow X11 forwarding for this connection

       no-pty Disable  PTY  allocation.  Note  that  a user can still obtain most of the same functionality with
              other means even if no-pty is set.

       restrict
              Applies all the no- restrictions listed above.

       permitopen="host:port"
              Restrict local port forwarding so that connection is allowed only to the specified host and  port.
              Multiple  permitopen options separated by commas can be set in authorized_keys. Wildcard character
              ('*') may be used in port specification for matching any port. Hosts must be literal domain  names
              or IP addresses.

       command="forced_command"
              Disregard  the  command  provided  by the user and always run forced_command.  The -c command line
              option overrides this.

              The authorized_keys file and its containing ~/.ssh directory must only be writable  by  the  user,
              otherwise Dropbear will not allow a login using public key authentication.
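
              The restriction rules above can be checked before a key file is deployed. The following is an
              added example, not part of the original manual page or of Dropbear; audit_line, split_unquoted
              and the sample keys are this example's own names and constructed data.

```python
# Added example, not Dropbear code. Key blobs in SAMPLE are constructed.
KEY_PREFIXES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-")
FLAGS = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding",
         "no-pty", "restrict"}
VALUED = {"permitopen", "command"}

def split_unquoted(text, sep):
    """Split on sep, ignoring separators inside double-quoted arguments."""
    parts, cur, in_quote = [], [], False
    for ch in text:
        if ch == '"':
            in_quote = not in_quote
        elif ch == sep and not in_quote:
            parts.append("".join(cur))
            cur = []
            continue
        cur.append(ch)
    parts.append("".join(cur))
    return parts

def audit_line(line):
    """Return (status, unknown_restrictions) for one authorized_keys line."""
    fields = [f for f in split_unquoted(line.strip(), " ") if f]
    if not fields or fields[0].startswith("#"):
        return ("skip", [])
    has_opts = not fields[0].startswith(KEY_PREFIXES)
    key = fields[1:] if has_opts else fields
    if len(key) < 2 or not key[0].startswith(KEY_PREFIXES):
        return ("malformed", [])
    if not has_opts:
        return ("unrestricted", [])
    unknown = []
    for opt in split_unquoted(fields[0], ","):
        # Assumptions: names compare case-insensitively; values must be quoted.
        name, eq, value = opt.lower().partition("=")
        quoted = len(value) >= 2 and value[0] == value[-1] == '"'
        if not ((name in FLAGS and not eq) or (name in VALUED and quoted)):
            unknown.append(opt)
    # Per the man page, a key carrying an unknown restriction is ignored.
    return ("ignored" if unknown else "restricted", unknown)

SAMPLE = [
    'ssh-ed25519 AAAAC3constructedkey alice@laptop',
    'restrict,command="/usr/local/bin/backup --full",permitopen="127.0.0.1:*" ssh-rsa AAAAB3constructedkey backup',
    'no-pty,from="10.0.0.0/8" ssh-rsa AAAAB3constructedkey ci',
]

if __name__ == "__main__":
    print([audit_line(entry)[0] for entry in SAMPLE])
```

              The third sample line uses from=, which is not in the list above, so the whole key is reported as
              ignored rather than being accepted with only no-pty applied.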

       Host Key Files

              Host    key    files    are   read   at   startup   from   a   standard   location,   by   default
              /etc/dropbear/dropbear_dss_host_key,                          /etc/dropbear/dropbear_rsa_host_key,
              /etc/dropbear/dropbear_ecdsa_host_key and /etc/dropbear/dropbear_ed25519_host_key

              If  the  -r command line option is specified the default files are not loaded.  Host key files are
              of the form generated by dropbearkey.  The -R option can be used to automatically generate keys in
              the default location - keys  will  be  generated  after  startup  when  the  first  connection  is
              established.  This has the benefit that the system /dev/urandom random number source has a better
              chance of being securely seeded.

       Message Of The Day

              By default the file /etc/motd will be printed for any login shell  (unless  disabled  at  compile-
              time). This can also be disabled per-user by creating a file ~/.hushlogin.

ENVIRONMENT VARIABLES

       Dropbear sets the standard variables USER, LOGNAME, HOME, SHELL, PATH, and TERM.

       The variables below are set for sessions as appropriate.

       SSH_TTY
              This is set to the allocated TTY if a PTY was used.

       SSH_CONNECTION
              Contains "<remote_ip> <remote_port> <local_ip> <local_port>".

       DISPLAY
              Set if X11 forwarding is used.

       SSH_ORIGINAL_COMMAND
              If  a  'command='  authorized_keys  option  was  used,  the  original command is specified in this
              variable. If a shell was requested this is set to an empty value.

       SSH_AUTH_SOCK
              Set to a forwarded ssh-agent connection.

NOTES

       Dropbear only supports SSH protocol version 2.

AUTHOR

       Matt Johnston (matt@ucc.asn.au).
       Gerrit Pape (pape@smarden.org) wrote this manual page.

SEE ALSO

       dropbearkey(1), dbclient(1), dropbearconvert(1)

       https://matt.ucc.asn.au/dropbear/dropbear.html

                                                                                                     dropbear(8)