dbclient(1)		    General Commands Manual		   dbclient(1)

NAME
       dbclient	- lightweight SSH client

SYNOPSIS
       dbclient	 [flag	arguments] [-p port] [-i id] [-L l:h:p]	[-R l:h:p] [-l
       user] host [more	flags] [command]

       dbclient	[args] [user1]@host1[^port1],[user2]@host2[^port2],...

DESCRIPTION
       dbclient is the client part of Dropbear SSH.

OPTIONS
       command
	      A	command	to run on the remote host. This	will normally  be  run
	      by the remote host using the user's shell. The command begins at
	      the first	hyphen argument	after the host argument. If no command
	      is  specified an interactive terminal will be opened (see	-t and
	      -T).

       -p port
	      Connect to port on the remote host. Alternatively	a port can  be
	      specified	as hostname^port.  Default is 22.

       -i idfile
	      Identity file.  Read the identity	key from file idfile (multiple
	      allowed).	 This file is created with dropbearkey(1) or converted
	      from OpenSSH with dropbearconvert(1). The default path
	      ~/.ssh/id_dropbear is used.

       -L [listenaddress]:listenport:host:port
	      Local  port  forwarding.	 Forward  listenport on	the local host
	      through the SSH connection to port on host.

       -R [listenaddress]:listenport:host:port
	      Remote port forwarding.  Forward listenport on the  remote  host
	      through the SSH connection to port on host.

       -l user
	      Username.	  Login	 as user on the	remote host. An	alternative is
	      to specify user@host.

       -t     Allocate a PTY. This is the default when no command is given; it
	      gives a full interactive remote session. The main effect is that
	      keystrokes are sent remotely immediately as opposed to local
	      line-based editing.

       -T     Don't  allocate  a  PTY.	This  is the default when a command is
	      given. See -t.

       -N     Don't request a remote shell or run any  commands.  Any  command
	      arguments	are ignored.

       -f     Fork  into  the background after authentication. A command argu-
	      ment (or -N) is required.	 This is useful	 when  using  password
	      authentication.

       -g     Allow  non-local hosts to	connect	to forwarded ports. Applies to
	      -L and -R	forwarded ports, though	remote connections to -R  for-
	      warded ports may be limited by the ssh server.

       -y     Always accept hostkeys if they are unknown. If a hostkey mismatch
	      occurs the connection will abort as normal. If specified a second
	      time no host key checking is performed at all; this is usually
	      undesirable.

       -A     Forward  agent connections to the	remote host. dbclient will use
	      any OpenSSH-style	agent  program	if  available  ($SSH_AUTH_SOCK
	      will  be set) for	public key authentication.  Forwarding is only
	      enabled if -A is specified.

	      Beware that a forwarded agent connection will allow  the	remote
	      server  to  have the same	authentication credentials as you have
	      used locally. A compromised remote server	could use that to  log
	      in to other servers.

	      In  many	situations  Dropbear's	multi-hop mode is a better and
	      more secure alternative to agent forwarding, avoiding having  to
	      trust the	intermediate server.

	      If  the  SSH  agent program is set to prompt when	a key is used,
	      the -o DisableTrivialAuth	option can prevent UI confusion.

       -W windowsize
	      Specify the per-channel receive window buffer  size.  Increasing
	      this  may	 improve  network performance at the expense of	memory
	      use. Use -h to see the default buffer size.

       -K timeout_seconds
	      Ensure that traffic is transmitted at a certain interval in sec-
	      onds. This is useful for working	around	firewalls  or  routers
	      that  drop connections after a certain period of inactivity. The
	      trade-off is that a session may be closed if there is a temporary
	      lapse of network connectivity. A setting of 0 disables
	      keepalives. If no response is received for 3 consecutive
	      keepalives the connection will be closed.

       -I idle_timeout
	      Disconnect  the session if no traffic is transmitted or received
	      for idle_timeout seconds.

       -z     By default Dropbear will send network traffic with the AF21 set-
	      ting for QoS, letting network devices give it  higher  priority.
	      Some devices may have problems with that,	-z can be used to dis-
	      able it.

       -J proxy_command

       -J &fd
	      Use  the	standard  input/output	of  the	 program proxy_command
	      rather than using a normal TCP connection. A hostname should
	      still be provided, as this is used for comparing saved hostkeys.
	      This  command  will be executed as "exec proxy_command ..." with
	      the default shell.

	      The second form &fd will make dbclient use the numeric file
	      descriptor as a socket. This can be used for more complex
	      tunnelling scenarios. Example usage with socat is

	      socat EXEC:'dbclient -J &38 ev',fdin=38,fdout=38 TCP4:host.example.com:22

       -B endhost:endport
	      "Netcat-alike" mode, where Dropbear will connect	to  the	 given
	      host,  then  create a forwarded connection to endhost. This will
	      then be presented	as dbclient's standard input/output.

       -c cipherlist
	      Specify a	comma separated	list of	ciphers	to enable. Use -c help
	      to list possibilities.

       -m MAClist
	      Specify a	comma separated	list of	authentication MACs to enable.
	      Use -m help to list possibilities.

       -o option
	      Can be used to give options in the format	used by	OpenSSH	config
	      file. This is useful for specifying options for which  there  is
	      no  separate command-line	flag.  For full	details	of the options
	      listed below, and	their possible values, see ssh_config(5).  The
	      following	options	have currently been implemented:

	      BatchMode
		     Disable interactive prompts  e.g.	password  prompts  and
		     host key confirmation. The	argument must be "yes" or "no"
		     (the default).

	      BindAddress
		     Specify  address  and  port  on  the local	machine	as the
		     source address of the connection.

	      DisableTrivialAuth
		     Disallow a	server immediately giving successful authenti-
		     cation (without presenting	any  password/pubkey  prompt).
		     This avoids a UI confusion	issue where it may appear that
		     the user is accepting a SSH agent prompt from their local
		     machine, but are actually accepting a prompt sent immedi-
		     ately by the remote server.

	      ExitOnForwardFailure
		     Specifies	whether	 dbclient should terminate the connec-
		     tion if it	cannot set up all requested local  and	remote
		     port forwardings. The argument must be "yes" or "no" (the
		     default).

	      ForwardAgent
		     Forward  the  authentication agent	to the remote machine.
		     The argument must be "yes"	or "no"	(the default).

	      GatewayPorts
		     Allow remote hosts to connect to local forwarded ports.
		     The argument must be "yes" or "no" (the default).

	      IdentityFile
		     Specify an	authentication identity	file path.

	      PasswordAuthentication
		     Allow prompting the user for a password. If the
		     DROPBEAR_PASSWORD environment variable is specified it will
		     still be used. The argument must be "yes" (the default) or "no".

	      Port   Specify a listening port, like the	-p argument.

	      ProxyCommand
		     Specify the proxy	command	 to  use  to  connect  to  the
		     server.

	      ServerAliveInterval
		     Sets a timeout interval in seconds between keep-alive
		     messages through the encrypted channel. The default is 0,
		     i.e. disabled.

	      StrictHostKeyChecking
		     Use  "yes"	 to  refuse connection to hosts	where the host
		     key is not	already	correct	in known_hosts.	 Entries  must
		     be	added to known_hosts manually.

		     Use "no" to skip the known_hosts key checking.

		     Use  "accept-new" to add new host keys to the known_hosts
		     and refuse	to connect if the host key has changed.

		     "ask" is the default.

	      UseSyslog
		     Send dbclient log	messages  to  syslog  in  addition  to
		     stderr.

       -s     The specified command will be requested as a subsystem, used for
	      sftp. Dropbear doesn't implement sftp itself but the OpenSSH
	      sftp client can be used, e.g. sftp -S dbclient user@host

       -b [address][:port]
	      Bind to a	specific local address when connecting to  the	remote
	      host.  This  can be used to choose from multiple outgoing	inter-
	      faces. Either address or port (or	both) can be given.

       -V     Print the	version
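
       Added example (not part of the Dropbear manual or source): a Python
       check that flags the options described above that weaken host key
       checking or widen exposure (-y, -A, -g and the matching -o keywords) in
       a dbclient command line. It assumes the string holds only dbclient and
       its options, with no remote command, and that short flags may be
       bundled or carry an attached value; audit_dbclient and the sample
       command lines are constructed for illustration.

```python
import shlex

# Options that take a value, per the OPTIONS section of this page.
TAKES_VALUE = set("piLRlWKIJBcmob")
# Constructed sample command lines.
SAMPLES = ["dbclient -y -y -A -p 2222 user@host.example.com",
           "dbclient -o StrictHostKeyChecking=accept-new user@host.example.com"]

def audit_dbclient(cmdline):
    """Return findings for the options of one dbclient command line."""
    tokens = shlex.split(cmdline)[1:]
    y_count, opts, i = 0, {}, 0
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if not tok.startswith("-") or tok == "-":
            continue  # host or other positional argument
        for pos, flag in enumerate(tok[1:], start=1):
            if flag in TAKES_VALUE:
                value = tok[pos + 1:]          # attached form, e.g. -p2222
                if not value and i < len(tokens):
                    value = tokens[i]          # separate form, e.g. -p 2222
                    i += 1
                if flag == "o":                # "Key=value" or "Key value"
                    key, _, val = value.replace("=", " ", 1).partition(" ")
                    opts[key.lower()] = val.strip().lower()
                break
            if flag == "y":
                y_count += 1
            elif flag == "A":
                opts["forwardagent"] = "yes"
            elif flag == "g":
                opts["gatewayports"] = "yes"
    findings = []
    if y_count >= 2:
        findings.append("host key checking disabled (-y given twice)")
    elif y_count == 1:
        findings.append("unknown host keys accepted without prompt (-y)")
    if opts.get("stricthostkeychecking") == "no":
        findings.append("known_hosts checking skipped (StrictHostKeyChecking=no)")
    if opts.get("forwardagent") == "yes":
        findings.append("agent forwarded to remote host; consider multi-hop")
    if opts.get("gatewayports") == "yes":
        findings.append("forwarded ports reachable by non-local hosts")
    return findings

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", audit_dbclient(sample) or "no findings")
```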

MULTI-HOP
       Dropbear	will also allow	multiple "hops"	to be specified, separated  by
       commas.	In this	case a connection will be made to the first host, then
       a TCP forwarded connection will be made	through	 that  to  the	second
       host,  and  so  on. Hosts other than the	final destination will not see
       anything	other than the encrypted SSH stream.  A	port for a host	can be
       specified with a caret (e.g. matt@martello^44). This syntax can also be
       used with scp or rsync (specifying dbclient as the ssh/rsh command). A
       file can be "bounced" through multiple SSH hops, e.g.

       scp -S dbclient matt@martello,root@wrt,canyons:/tmp/dump	.

       Note that hostnames are resolved by the prior hop, the same way as
       other -L TCP forwarded hosts are (so in the example above "canyons"
       would be resolved by the host "wrt"). Host keys are checked locally
       based on the given hostname.

ESCAPE CHARACTERS
       Typing a	newline	followed by the	 key sequence  ~.  (tilde,  dot)  will
       terminate  a  connection.   The sequence	~^Z (tilde, ctrl-z) will back-
       ground the connection. This behaviour only applies when a PTY is	used.

ENVIRONMENT
       DROPBEAR_PASSWORD
	      A	password to use	for remote authentication can be specified  in
	      the environment variable DROPBEAR_PASSWORD. Care should be taken
	      that  the	password is not	exposed	to other users on a multi-user
	      system, or stored	in accessible files.

       SSH_ASKPASS
	      dbclient can use an external program to request a	password  from
	      a	user.  SSH_ASKPASS should be set to the	path of	a program that
	      will  return  a  password	 on standard output. This program will
	      only be used if either DISPLAY is	set and	standard input is  not
	      a	TTY, or	the environment	variable SSH_ASKPASS_ALWAYS is set.

FILES
       ~/.ssh/dropbear_config

       This  is	 the per user configuration file. A very limited subset	of the
       keywords	for ssh_config(5) is supported,	and none of the	advanced  fea-
       tures.  The  file  contains  key	value pairs on a single	line separated
       with space or '='. Empty	lines are ignored.  Text starting with '#'  is
       a comment, and also ignored.

       The  file  is not considered if multi-hop connection is used. Values on
       the command line	override the respective	values in the file.

       The recognized keywords are as follows. Keywords	are  case  insensitive
       and values are case insensitive.

       Host   Defines  the options that	would be applied if this value matches
	      the host specified on the	command	line. The next Host  entry  or
	      EOF determines the list of applicable options.

       HostName
	      Specifies	the actual host	name to	connect	to. Can	be DNS name or
	      IP address.

       Port   Specifies	the port number	to use to connect to the remote	host.

       User   Specifies the user name to log in as.

       IdentityFile
	      Specifies	 the file with the private key used for	public key au-
	      thentication with	the remote host. The file must be in the Drop-
	      bear format. See dropbearkey(1) to generate one. A '~/'  at  the
	      start of the path will be expanded to the executing user's home
	      directory. A path that does not start with '/' will be treated
	      relative to this configuration file's directory.	Otherwise  the
	      path will	be used	as is.

	      Because  this file contains a secret it must have	strict permis-
	      sions to prevent abuse attempts -	read/write for	the  executing
	      user, and	no access to anyone else.
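
       Added example (not part of the Dropbear manual or source): a Python
       sketch that parses the dropbear_config format described above,
       resolves each IdentityFile with the three path rules, and reports key
       files that grant any access to group or others. The function names and
       the sample configuration are constructed for illustration; treating a
       '#' anywhere on a line as the start of a comment and skipping options
       that appear before the first Host entry are assumptions.

```python
import os
import re
import stat

# Constructed sample in the format described under FILES.
SAMPLE_CONFIG = """\
Host build
    HostName=build.example.com
    PORT 2222
    IdentityFile keys/build_key   # relative to the config file
Host backup
    User = backup
    IdentityFile ~/.ssh/id_dropbear
"""

def parse_config(text):
    """Return {host: {keyword: value}}; keywords are lowercased."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # assumption: '#' starts a comment
        if not line:
            continue
        # Key and value are separated by whitespace or '='.
        key, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        if key.lower() == "host":
            current = hosts.setdefault(value, {})
        elif current is not None:             # assumption: skip pre-Host options
            current[key.lower()] = value
    return hosts

def resolve_identity(value, config_path, home):
    """Apply the IdentityFile path rules from this page."""
    if value.startswith("~/"):
        return os.path.join(home, value[2:])
    if not value.startswith("/"):
        return os.path.join(os.path.dirname(config_path), value)
    return value

def audit_identity_files(config_path, home):
    """List (host, path, problem) for missing or over-permissive key files."""
    with open(config_path) as fh:
        hosts = parse_config(fh.read())
    findings = []
    for host, opts in hosts.items():
        if "identityfile" in opts:
            path = resolve_identity(opts["identityfile"], config_path, home)
            mode = stat.S_IMODE(os.stat(path).st_mode) if os.path.exists(path) else None
            if mode is None or mode & 0o077:
                problem = "missing" if mode is None else "mode %04o allows group/other access" % mode
                findings.append((host, path, problem))
    return findings
```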

NOTES
       If  compiled  with zlib support and if the server supports it, dbclient
       will always use compression.

AUTHOR
       Matt Johnston (matt@ucc.asn.au).
       Mihnea Stoenescu wrote initial Dropbear client support.
       Gerrit Pape (pape@smarden.org) wrote this manual	page.

SEE ALSO
       dropbear(8), dropbearkey(1)

       https://matt.ucc.asn.au/dropbear/dropbear.html

				  2023-02-01			   dbclient(1)
