dbclient - lightweight SSH client

Author

       Matt Johnston (matt@ucc.asn.au).
       Mihnea Stoenescu wrote initial Dropbear client support
       Gerrit Pape (pape@smarden.org) wrote this manual page.

Description

dbclient is the client part of Dropbear SSH

Environment

DROPBEAR_PASSWORD
              A password to use  for  remote  authentication  can  be  specified  in  the  environment  variable
              DROPBEAR_PASSWORD.  Care  should  be  taken  that  the password is not exposed to other users on a
              multi-user system, or stored in accessible files.

       SSH_ASKPASS
              dbclient can use an external program to request a password from a user.  SSH_ASKPASS should be set
              to the path of a program that will return a password on standard output. This program will only be
              used if either DISPLAY is set and standard input  is  not  a  TTY,  or  the  environment  variable
              SSH_ASKPASS_ALWAYS is set.

Escape Characters

       Typing a newline followed by the  key sequence ~. (tilde, dot) will terminate a connection.  The sequence
       ~^Z (tilde, ctrl-z) will background the connection. This behaviour only applies when a PTY is used.

Files

~/.ssh/dropbear_config

       This  is  the  per  user  configuration  file. A very limited subset of the keywords for ssh_config(5) is
       supported, and none of the advanced features. The  file  contains  key  value  pairs  on  a  single  line
       separated  with  space  or  '='.  Empty lines are ignored.  Text starting with '#' is a comment, and also
       ignored.

       The file is not considered if multi-hop connection is used. Values  on  the  command  line  override  the
       respective values in the file.

       The recognized keywords are as follows. Keywords are case insensitive and values are case insensitive.

       Host   Defines  the options that would be applied if this value matches the host specified on the command
              line. The next Host entry or EOF determine the list of applicable options.

       HostName
              Specifies the actual host name to connect to. Can be DNS name or IP address.

       Port   Specifies the port number to use to connect to the remote host.

       User   Specifies the user name to login in as.

       IdentityFile
              Specifies the file with the private key used for public key authentication with the  remote  host.
              The  file  must be in the Dropbear format. See dropbearkey(1) to generate one. A '~/' at the start
              of the path will expanded to the executing user's home directory. A path that does not start  with
              '/'  will  be  treated relative to this configuration file's directory. Otherwise the path will be
              used as is.

              Because this file contains a secret it must have strict permissions to prevent  abuse  attempts  -
              read/write for the executing user, and no access to anyone else.

Multi-Hop

       Dropbear  will also allow multiple "hops" to be specified, separated by commas. In this case a connection
       will be made to the first host, then a TCP forwarded connection will be made through that to  the  second
       host,  and  so  on. Hosts other than the final destination will not see anything other than the encrypted
       SSH stream.  A port for a host can be specified with a caret (eg matt@martello^44  ).   This  syntax  can
       also  be  used  with  scp  or rsync (specifying dbclient as the ssh/rsh command). A file can be "bounced"
       through multiple SSH hops, eg

       scp -S dbclient matt@martello,root@wrt,canyons:/tmp/dump .

       Note that hostnames are resolved by the prior hop (so "canyons" would be resolved by the host  "wrt")  in
       the  example above, the same way as other -L TCP forwarded hosts are. Host keys are checked locally based
       on the given hostname.

Name

       dbclient - lightweight SSH client

Notes

       If compiled with zlib support and if the server supports it, dbclient will always use compression.

Options

command
A command to run on the remote host. This will normally be run by the remote host using the user's
shell. The command begins at the first hyphen argument after the host argument. If no command is
specified an interactive terminal will be opened (see -t and -T).

-pport
Connect to port on the remote host. Alternatively a port can be specified as hostname^port.
Default is 22.

-iidfile
Identity file. Read the identity key from file idfile (multiple allowed). This file is created
with dropbearkey(1) or converted from OpenSSH with dropbearconvert(1). The default path
~/.ssh/id_dropbear is used

-L [listenaddress]:listenport:host:port
Local port forwarding. Forward listenport on the local host through the SSH connection to port on
host.

-R [listenaddress]:listenport:host:port
Remote port forwarding. Forward listenport on the remote host through the SSH connection to port
on host.

-luser
Username. Login as user on the remote host. An alternative is to specify user@host.

-t Allocate a PTY. This is the default when no command is given, it gives a full interactive remote
session. The main effect is that keystrokes are sent remotely immediately as opposed to local
line-based editing.

-T Don't allocate a PTY. This is the default when a command is given. See -t.

-N Don't request a remote shell or run any commands. Any command arguments are ignored.

-f Fork into the background after authentication. A command argument (or -N) is required. This is
useful when using password authentication.

-g Allow non-local hosts to connect to forwarded ports. Applies to -L and -R forwarded ports, though
remote connections to -R forwarded ports may be limited by the ssh server.

-y Always accept hostkeys if they are unknown. If a hostkey mismatch occurs the connection will abort
as normal. If specified a second time no host key checking is performed at all, this is usually
undesirable.

-A Forward agent connections to the remote host. dbclient will use any OpenSSH-style agent program if
available ($SSH_AUTH_SOCK will be set) for public key authentication. Forwarding is only enabled
if -A is specified.

Beware that a forwarded agent connection will allow the remote server to have the same
authentication credentials as you have used locally. A compromised remote server could use that to
log in to other servers.

In many situations Dropbear's multi-hop mode is a better and more secure alternative to agent
forwarding, avoiding having to trust the intermediate server.

If the SSH agent program is set to prompt when a key is used, the -oDisableTrivialAuth option can
prevent UI confusion.

-Wwindowsize
Specify the per-channel receive window buffer size. Increasing this may improve network
performance at the expense of memory use. Use -h to see the default buffer size.

-Ktimeout_seconds
Ensure that traffic is transmitted at a certain interval in seconds. This is useful for working
around firewalls or routers that drop connections after a certain period of inactivity. The trade-
off is that a session may be closed if there is a temporary lapse of network connectivity. A
setting if 0 disables keepalives. If no response is received for 3 consecutive keepalives the
connection will be closed.

-Iidle_timeout
Disconnect the session if no traffic is transmitted or received for idle_timeout seconds.

-z By default Dropbear will send network traffic with the AF21 setting for QoS, letting network
devices give it higher priority. Some devices may have problems with that, -z can be used to
disable it.

-Jproxy_command-J&fd
Use the standard input/output of the program proxy_command rather than using a normal TCP
connection. A hostname should be still be provided, as this is used for comparing saved hostkeys.
This command will be executed as "exec proxy_command ..." with the default shell.

The second form &fd will make dbclient use the numeric file descriptor as a socket. This can be
used for more complex tunnelling scenarios. Example usage with socat is

socat EXEC:'dbclient -J &38 ev',fdin=38,fdout=38 TCP4:host.example.com:22

-Bendhost:endport
"Netcat-alike" mode, where Dropbear will connect to the given host, then create a forwarded
connection to endhost. This will then be presented as dbclient's standard input/output.

-ccipherlist
Specify a comma separated list of ciphers to enable. Use -chelp to list possibilities.

-mMAClist
Specify a comma separated list of authentication MACs to enable. Use -mhelp to list
possibilities.

-ooption
Can be used to give options in the format used by OpenSSH config file. This is useful for
specifying options for which there is no separate command-line flag. For full details of the
options listed below, and their possible values, see ssh_config(5). The following options have
currently been implemented:

BatchMode
Disable interactive prompts e.g. password prompts and host key confirmation. The argument
must be "yes" or "no" (the default).

BindAddress
Specify address and port on the local machine as the source address of the connection.

DisableTrivialAuth
Disallow a server immediately giving successful authentication (without presenting any
password/pubkey prompt). This avoids a UI confusion issue where it may appear that the
user is accepting a SSH agent prompt from their local machine, but are actually accepting a
prompt sent immediately by the remote server.

ExitOnForwardFailure
Specifies whether dbclient should terminate the connection if it cannot set up all
requested local and remote port forwardings. The argument must be "yes" or "no" (the
default).

ForwardAgent
Forward the authentication agent to the remote machine. The argument must be "yes" or "no"
(the default).

GatewayPorts
Allow to remote host to connect to local forwarded ports. The argument must be "yes" or
"no" (the default).

IdentityFile
Specify an authentication identity file path.

PasswordAuthentication
Allow to prompt a user for a password. If the DROPBEAR_PASSWORD env is specified then it
still will be used. The argument must be "yes" (the default) or "no".

Port Specify a listening port, like the -p argument.

ProxyCommand
Specify the proxy command to use to connect to the server.

ServerAliveInterval
Sets a timeout interval in seconds between keep-alive messages through the encrypted
channel. The default is 0 e.g. disabled.

StrictHostKeyChecking
Use "yes" to refuse connection to hosts where the host key is not already correct in
known_hosts. Entries must be added to known_hosts manually.

Use "no" to skip the known_hosts key checking.

Use "accept-new" to add new host keys to the known_hosts and refuse to connect if the host
key has changed.

"ask" is the default.

UseSyslog
Send dbclient log messages to syslog in addition to stderr.

-s The specified command will be requested as a subsystem, used for sftp. Dropbear doesn't implement
sftp itself but the OpenSSH sftp client can be used eg sftp-Sdbclientuser@host-b[address][:port]
Bind to a specific local address when connecting to the remote host. This can be used to choose
from multiple outgoing interfaces. Either address or port (or both) can be given.

-V Print the version

Synopsis

dbclient [flagarguments] [-p port] [-i id] [-L l:h:p] [-R l:h:p] [-l user] host [moreflags] [command]

       dbclient [args] [user1]@host1[^port1],[user2]@host2[^port2],...