193 lines
4.9 KiB
Groff
193 lines
4.9 KiB
Groff
.TH dropbear 8
|
|
.SH NAME
|
|
dropbear \- lightweight SSH2 server
|
|
.SH SYNOPSIS
|
|
.B dropbear
|
|
[\-FEmwsgjki] [\-b
|
|
.I banner\fR] [\-d
|
|
.I dsskey\fR] [\-r
|
|
.I rsakey\fR] [\-p
|
|
.IR [address:]port ]
|
|
.SH DESCRIPTION
|
|
.B dropbear
|
|
is a SSH 2 server designed to be small enough to be used in small memory
|
|
environments, while still being functional and secure enough for general use.
|
|
.SH OPTIONS
|
|
.TP
|
|
.B \-b \fIbanner
|
|
bannerfile.
|
|
Display the contents of the file
|
|
.I banner
|
|
before user login (default: none).
|
|
.TP
|
|
.B \-d \fIdsskey
|
|
dsskeyfile.
|
|
Use the contents of the file
|
|
.I dsskey
|
|
for the DSS host key (default: /etc/dropbear/dropbear_dss_host_key).
|
|
Note that
|
|
some SSH implementations
|
|
use the term "DSA" rather than "DSS", they mean the same thing.
|
|
This file is generated with
|
|
.BR dropbearkey (8).
|
|
.TP
|
|
.B \-r \fIrsakey
|
|
rsakeyfile.
|
|
Use the contents of the file
|
|
.I rsakey
|
|
for the rsa host key (default: /etc/dropbear/dropbear_rsa_host_key).
|
|
This file is generated with
|
|
.BR dropbearkey (8).
|
|
.TP
|
|
.B \-F
|
|
Don't fork into background.
|
|
.TP
|
|
.B \-E
|
|
Log to standard error rather than syslog.
|
|
.TP
|
|
.B \-m
|
|
Don't display the message of the day on login.
|
|
.TP
|
|
.B \-w
|
|
Disallow root logins.
|
|
.TP
|
|
.B \-s
|
|
Disable password logins.
|
|
.TP
|
|
.B \-g
|
|
Disable password logins for root.
|
|
.TP
|
|
.B \-j
|
|
Disable local port forwarding.
|
|
.TP
|
|
.B \-k
|
|
Disable remote port forwarding.
|
|
.TP
|
|
.B \-p \fI[address:]port
|
|
Listen on specified
|
|
.I address
|
|
and TCP
|
|
.I port.
|
|
If just a port is given listen
|
|
on all addresses.
|
|
up to 10 can be specified (default 22 if none specified).
|
|
.TP
|
|
.B \-i
|
|
Service program mode.
|
|
Use this option to run
|
|
.B dropbear
|
|
under TCP/IP servers like inetd, tcpsvd, or tcpserver.
|
|
In program mode the \-F option is implied, and \-p options are ignored.
|
|
.TP
|
|
.B \-P \fIpidfile
|
|
Specify a pidfile to create when running as a daemon. If not specified, the
|
|
default is /var/run/dropbear.pid
|
|
.TP
|
|
.B \-a
|
|
Allow remote hosts to connect to forwarded ports.
|
|
.TP
|
|
.B \-W \fIwindowsize
|
|
Specify the per-channel receive window buffer size. Increasing this
|
|
may improve network performance at the expense of memory use. Use -h to see the
|
|
default buffer size.
|
|
.TP
|
|
.B \-K \fItimeout_seconds
|
|
Ensure that traffic is transmitted at a certain interval in seconds. This is
|
|
useful for working around firewalls or routers that drop connections after
|
|
a certain period of inactivity. The trade-off is that a session may be
|
|
closed if there is a temporary lapse of network connectivity. A setting
|
|
if 0 disables keepalives.
|
|
.TP
|
|
.B \-I \fIidle_timeout
|
|
Disconnect the session if no traffic is transmitted or received for \fIidle_timeout\fR seconds.
|
|
.SH FILES
|
|
|
|
.TP
|
|
Authorized Keys
|
|
|
|
~/.ssh/authorized_keys can be set up to allow remote login with a RSA or DSS
|
|
key. Each line is of the form
|
|
.TP
|
|
[restrictions] ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIgAsp... [comment]
|
|
|
|
and can be extracted from a Dropbear private host key with "dropbearkey -y". This is the same format as used by OpenSSH, though the restrictions are a subset (keys with unknown restrictions are ignored).
|
|
Restrictions are comma separated, with double quotes around spaces in arguments.
|
|
Available restrictions are:
|
|
|
|
.TP
|
|
.B no-port-forwarding
|
|
Don't allow port forwarding for this connection
|
|
|
|
.TP
|
|
.B no-agent-forwarding
|
|
Don't allow agent forwarding for this connection
|
|
|
|
.TP
|
|
.B no-X11-forwarding
|
|
Don't allow X11 forwarding for this connection
|
|
|
|
.TP
|
|
.B no-pty
|
|
Disable PTY allocation. Note that a user can still obtain most of the
|
|
same functionality with other means even if no-pty is set.
|
|
|
|
.TP
|
|
.B command="\fIforced_command\fR"
|
|
Disregard the command provided by the user and always run \fIforced_command\fR.
|
|
|
|
The authorized_keys file and its containing ~/.ssh directory must only be
|
|
writable by the user, otherwise Dropbear will not allow a login using public
|
|
key authentication.
|
|
|
|
.TP
|
|
Host Key Files
|
|
|
|
Host key files are read at startup from a standard location, by default
|
|
/etc/dropbear/dropbear_dss_host_key and /etc/dropbear/dropbear_rsa_host_key
|
|
or specified on the commandline with -d or -r. These are of the form generated
|
|
by dropbearkey.
|
|
|
|
.TP
|
|
Message Of The Day
|
|
|
|
By default the file /etc/motd will be printed for any login shell (unless
|
|
disabled at compile-time). This can also be disabled per-user
|
|
by creating a file ~/.hushlogin .
|
|
|
|
.SH ENVIRONMENT VARIABLES
|
|
Dropbear sets the standard variables USER, LOGNAME, HOME, SHELL, PATH, and TERM.
|
|
|
|
The variables below are set for sessions as appropriate.
|
|
|
|
.TP
|
|
.B SSH_TTY
|
|
This is set to the allocated TTY if a PTY was used.
|
|
|
|
.TP
|
|
.B SSH_CONNECTION
|
|
Contains "<remote_ip> <remote_port> <local_ip> <local_port>".
|
|
|
|
.TP
|
|
.B DISPLAY
|
|
Set X11 forwarding is used.
|
|
|
|
.TP
|
|
.B SSH_ORIGINAL_COMMAND
|
|
If a 'command=' authorized_keys option was used, the original command is specified
|
|
in this variable. If a shell was requested this is set to an empty value.
|
|
|
|
.TP
|
|
.B SSH_AUTH_SOCK
|
|
Set to a forwarded ssh-agent connection.
|
|
|
|
|
|
|
|
.SH AUTHOR
|
|
Matt Johnston (matt@ucc.asn.au).
|
|
.br
|
|
Gerrit Pape (pape@smarden.org) wrote this manual page.
|
|
.SH SEE ALSO
|
|
dropbearkey(8), dbclient(1)
|
|
.P
|
|
http://matt.ucc.asn.au/dropbear/dropbear.html
|