diff options
author | Matt Johnston <matt@ucc.asn.au> | 2023-03-06 21:50:51 +0800 |
---|---|---|
committer | Matt Johnston <matt@ucc.asn.au> | 2023-03-06 21:50:51 +0800 |
commit | 9ddedcc53ca1c00b94c7de1ea1edf7a5e34297b2 (patch) | |
tree | 5796a1a4348b925bef0b0807a1203593589ae279 /manpages/dropbear.8 | |
parent | 3292b8c6f1e5fcc405fa0f7a20e90a60f74037b2 (diff) | |
parent | a992d3f0be411e0ba2b93e744df07e2189c7af0d (diff) | |
download | dropbear-9ddedcc53ca1c00b94c7de1ea1edf7a5e34297b2.tar.gz |
Merge branch 'build/folder-reorg' of github.com:tjkolev/dropbear
Diffstat (limited to 'manpages/dropbear.8')
-rw-r--r-- | manpages/dropbear.8 | 228 |
1 files changed, 228 insertions, 0 deletions
diff --git a/manpages/dropbear.8 b/manpages/dropbear.8 new file mode 100644 index 0000000..d9bbfc2 --- /dev/null +++ b/manpages/dropbear.8 @@ -0,0 +1,228 @@ +.TH dropbear 8 +.SH NAME +dropbear \- lightweight SSH server +.SH SYNOPSIS +.B dropbear +[\fIflag arguments\fR] [\-b +.I banner\fR] +[\-r +.I hostkeyfile\fR] [\-p [\fIaddress\fR:]\fIport\fR] +.SH DESCRIPTION +.B dropbear +is a small SSH server +.SH OPTIONS +.TP +.B \-b \fIbanner +bannerfile. +Display the contents of the file +.I banner +before user login (default: none). +.TP +.B \-r \fIhostkey +Use the contents of the file +.I hostkey +for the SSH hostkey. +This file is generated with +.BR dropbearkey (1) +or automatically with the '-R' option. See "Host Key Files" below. +.TP +.B \-R +Generate hostkeys automatically. See "Host Key Files" below. +.TP +.B \-F +Don't fork into background. +.TP +.B \-E +Log to standard error rather than syslog. +.TP +.B \-e +Pass on the server environment to all child processes. This is required, for example, +if Dropbear is launched on the fly from a SLURM workload manager. The environment is not +passed by default. Note that this could expose secrets in environment variables from +the calling process - use with caution. +.TP +.B \-m +Don't display the message of the day on login. +.TP +.B \-w +Disallow root logins. +.TP +.B \-s +Disable password logins. +.TP +.B \-g +Disable password logins for root. +.TP +.B \-t +Enable two-factor authentication. Both password login and public key authentication are +required. Should not be used with the '-s' option. +.TP +.B \-j +Disable local port forwarding. +.TP +.B \-k +Disable remote port forwarding. +.TP +.B \-p\fR [\fIaddress\fR:]\fIport +Listen on specified +.I address +and TCP +.I port. +If just a port is given listen +on all addresses. +Up to 10 can be specified (default 22 if none specified). +.TP +.B \-i +Service program mode. +Use this option to run +.B dropbear +under TCP/IP servers like inetd, tcpsvd, or tcpserver. +In program mode the \-F option is implied, and \-p options are ignored. +.TP +.B \-P \fIpidfile +Specify a pidfile to create when running as a daemon. If not specified, the +default is /var/run/dropbear.pid +.TP +.B \-a +Allow remote hosts to connect to forwarded ports. +.TP +.B \-W \fIwindowsize +Specify the per-channel receive window buffer size. Increasing this +may improve network performance at the expense of memory use. Use -h to see the +default buffer size. +.TP +.B \-K \fItimeout_seconds +Ensure that traffic is transmitted at a certain interval in seconds. This is +useful for working around firewalls or routers that drop connections after +a certain period of inactivity. The trade-off is that a session may be +closed if there is a temporary lapse of network connectivity. A setting +of 0 disables keepalives. If no response is received for 3 consecutive keepalives the connection will be closed. +.TP +.B \-I \fIidle_timeout +Disconnect the session if no traffic is transmitted or received for \fIidle_timeout\fR seconds. +.TP +.B \-z +By default Dropbear will send network traffic with the \fBAF21\fR setting for QoS, letting network devices give it higher priority. Some devices may have problems with that, \fI-z\fR can be used to disable it. +.TP +.B \-T \fImax_authentication_attempts +Set the number of authentication attempts allowed per connection. If unspecified the default is 10 (MAX_AUTH_TRIES) +.TP +.B \-c \fIforced_command +Disregard the command provided by the user and always run \fIforced_command\fR. This also +overrides any authorized_keys command= option. The original command is saved in the +SSH_ORIGINAL_COMMAND environment variable (see below). +.TP +.B \-V +Print the version + +.SH FILES + +.TP +Authorized Keys + +~/.ssh/authorized_keys can be set up to allow remote login with a RSA, +ECDSA, Ed25519 or DSS +key. Each line is of the form +.TP +[restrictions] ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIgAsp... [comment] + +and can be extracted from a Dropbear private host key with "dropbearkey -y". This is the same format as used by OpenSSH, though the restrictions are a subset (keys with unknown restrictions are ignored). +Restrictions are comma separated, with double quotes around spaces in arguments. +Available restrictions are: + +.TP +.B no-port-forwarding +Don't allow port forwarding for this connection + +.TP +.B no-agent-forwarding +Don't allow agent forwarding for this connection + +.TP +.B no-X11-forwarding +Don't allow X11 forwarding for this connection + +.TP +.B no-pty +Disable PTY allocation. Note that a user can still obtain most of the +same functionality with other means even if no-pty is set. + +.TP +.B restrict +Applies all the no- restrictions listed above. + +.TP +.B permitopen=\fR"\fIhost:port\fR" +Restrict local port forwarding so that connection is allowed only to the +specified host and port. Multiple permitopen options separated by commas +can be set in authorized_keys. Wildcard character ('*') may be used in +port specification for matching any port. Hosts must be literal domain names or +IP addresses. + +.TP +.B command=\fR"\fIforced_command\fR" +Disregard the command provided by the user and always run \fIforced_command\fR. +The -c command line option overrides this. + +The authorized_keys file and its containing ~/.ssh directory must only be +writable by the user, otherwise Dropbear will not allow a login using public +key authentication. + +.TP +Host Key Files + +Host key files are read at startup from a standard location, by default +/etc/dropbear/dropbear_dss_host_key, /etc/dropbear/dropbear_rsa_host_key, +/etc/dropbear/dropbear_ecdsa_host_key and /etc/dropbear/dropbear_ed25519_host_key + +If the -r command line option is specified the default files are not loaded. +Host key files are of the form generated by dropbearkey. +The -R option can be used to automatically generate keys +in the default location - keys will be generated after startup when the first +connection is established. This had the benefit that the system /dev/urandom +random number source has a better chance of being securely seeded. + +.TP +Message Of The Day + +By default the file /etc/motd will be printed for any login shell (unless +disabled at compile-time). This can also be disabled per-user +by creating a file ~/.hushlogin . + +.SH ENVIRONMENT VARIABLES +Dropbear sets the standard variables USER, LOGNAME, HOME, SHELL, PATH, and TERM. + +The variables below are set for sessions as appropriate. + +.TP +.B SSH_TTY +This is set to the allocated TTY if a PTY was used. + +.TP +.B SSH_CONNECTION +Contains "<remote_ip> <remote_port> <local_ip> <local_port>". + +.TP +.B DISPLAY +Set X11 forwarding is used. + +.TP +.B SSH_ORIGINAL_COMMAND +If a 'command=' authorized_keys option was used, the original command is specified +in this variable. If a shell was requested this is set to an empty value. + +.TP +.B SSH_AUTH_SOCK +Set to a forwarded ssh-agent connection. + +.SH NOTES +Dropbear only supports SSH protocol version 2. + +.SH AUTHOR +Matt Johnston (matt@ucc.asn.au). +.br +Gerrit Pape (pape@smarden.org) wrote this manual page. +.SH SEE ALSO +dropbearkey(1), dbclient(1), dropbearconvert(1) +.P +https://matt.ucc.asn.au/dropbear/dropbear.html |