DOKK / manpages / debian 12 / dropbear-bin / dbclient.1.en
dbclient(1) General Commands Manual dbclient(1)

dbclient - lightweight SSH client

dbclient [flag arguments] [-p port] [-i id] [-L l:h:p] [-R l:h:p] [-l user] host [more flags] [command]

dbclient [args] [user1]@host1[^port1],[user2]@host2[^port2],...

dbclient is the client part of Dropbear SSH

A command to run on the remote host. This will normally be run by the remote host using the user's shell. The command begins at the first hyphen argument after the host argument. If no command is specified an interactive terminal will be opened (see -t and -T).
Connect to port on the remote host. Alternatively a port can be specified as hostname^port. Default is 22.
Identity file. Read the identity key from file idfile (multiple allowed). This file is created with dropbearkey(1) or converted from OpenSSH with dropbearconvert(1). The default path ~/.ssh/id_dropbear is used
Local port forwarding. Forward listenport on the local host through the SSH connection to port on host.
Remote port forwarding. Forward listenport on the remote host through the SSH connection to port on host.
Username. Login as user on the remote host. An alternative is to specify user@host.
Allocate a PTY. This is the default when no command is given, it gives a full interactive remote session. The main effect is that keystrokes are sent remotely immediately as opposed to local line-based editing.
Don't allocate a PTY. This is the default when a command is given. See -t.
Don't request a remote shell or run any commands. Any command arguments are ignored.
Fork into the background after authentication. A command argument (or -N) is required. This is useful when using password authentication.
Allow non-local hosts to connect to forwarded ports. Applies to -L and -R forwarded ports, though remote connections to -R forwarded ports may be limited by the ssh server.
Always accept hostkeys if they are unknown. If a hostkey mismatch occurs the connection will abort as normal. If specified a second time no host key checking is performed at all, this is usually undesirable.
Forward agent connections to the remote host. dbclient will use any OpenSSH-style agent program if available ($SSH_AUTH_SOCK will be set) for public key authentication. Forwarding is only enabled if -A is specified.

Beware that a forwarded agent connection will allow the remote server to have the same authentication credentials as you have used locally. A compromised remote server could use that to log in to other servers.

In many situations Dropbear's multi-hop mode is a better and more secure alternative to agent forwarding, avoiding having to trust the intermediate server.

If the SSH agent program is set to prompt when a key is used, the -o DisableTrivialAuth option can prevent UI confusion.

Specify the per-channel receive window buffer size. Increasing this may improve network performance at the expense of memory use. Use -h to see the default buffer size.
Ensure that traffic is transmitted at a certain interval in seconds. This is useful for working around firewalls or routers that drop connections after a certain period of inactivity. The trade-off is that a session may be closed if there is a temporary lapse of network connectivity. A setting if 0 disables keepalives. If no response is received for 3 consecutive keepalives the connection will be closed.
Disconnect the session if no traffic is transmitted or received for idle_timeout seconds.
By default Dropbear will send network traffic with the AF21 setting for QoS, letting network devices give it higher priority. Some devices may have problems with that, -z can be used to disable it.

Use the standard input/output of the program proxy_command rather than using a normal TCP connection. A hostname should be still be provided, as this is used for comparing saved hostkeys. This command will be executed as "exec proxy_command ..." with the default shell.

The second form &fd will make dbclient use the numeric file descriptor as a socket. This can be used for more complex tunnelling scenarios. Example usage with socat is

socat EXEC:'dbclient -J &38 ev',fdin=38,fdout=38 TCP4:host.example.com:22

"Netcat-alike" mode, where Dropbear will connect to the given host, then create a forwarded connection to endhost. This will then be presented as dbclient's standard input/output.
Specify a comma separated list of ciphers to enable. Use -c help to list possibilities.
Specify a comma separated list of authentication MACs to enable. Use -m help to list possibilities.
Can be used to give options in the format used by OpenSSH config file. This is useful for specifying options for which there is no separate command-line flag. For full details of the options listed below, and their possible values, see ssh_config(5). The following options have currently been implemented:

Specifies whether dbclient should terminate the connection if it cannot set up all requested local and remote port forwardings. The argument must be "yes" or "no". The default is "no".
Send dbclient log messages to syslog in addition to stderr.
Specify a listening port, like the -p argument.
Disallow a server immediately giving successful authentication (without presenting any password/pubkey prompt). This avoids a UI confusion issue where it may appear that the user is accepting a SSH agent prompt from their local machine, but are actually accepting a prompt sent immediately by the remote server.
The specified command will be requested as a subsystem, used for sftp. Dropbear doesn't implement sftp itself but the OpenSSH sftp client can be used eg sftp -S dbclient user@host
Bind to a specific local address when connecting to the remote host. This can be used to choose from multiple outgoing interfaces. Either address or port (or both) can be given.
Print the version

Dropbear will also allow multiple "hops" to be specified, separated by commas. In this case a connection will be made to the first host, then a TCP forwarded connection will be made through that to the second host, and so on. Hosts other than the final destination will not see anything other than the encrypted SSH stream. A port for a host can be specified with a caret (eg matt@martello^44 ). This syntax can also be used with scp or rsync (specifying dbclient as the ssh/rsh command). A file can be "bounced" through multiple SSH hops, eg

scp -S dbclient matt@martello,root@wrt,canyons:/tmp/dump .

Note that hostnames are resolved by the prior hop (so "canyons" would be resolved by the host "wrt") in the example above, the same way as other -L TCP forwarded hosts are. Host keys are checked locally based on the given hostname.

Typing a newline followed by the key sequence ~. (tilde, dot) will terminate a connection. The sequence ~^Z (tilde, ctrl-z) will background the connection. This behaviour only applies when a PTY is used.

A password to use for remote authentication can be specified in the environment variable DROPBEAR_PASSWORD. Care should be taken that the password is not exposed to other users on a multi-user system, or stored in accessible files.
dbclient can use an external program to request a password from a user. SSH_ASKPASS should be set to the path of a program that will return a password on standard output. This program will only be used if either DISPLAY is set and standard input is not a TTY, or the environment variable SSH_ASKPASS_ALWAYS is set.

If compiled with zlib support and if the server supports it, dbclient will always use compression.

Matt Johnston (matt@ucc.asn.au).
Mihnea Stoenescu wrote initial Dropbear client support
Gerrit Pape (pape@smarden.org) wrote this manual page.

dropbear(8), dropbearkey(1)

https://matt.ucc.asn.au/dropbear/dropbear.html