User Tools

Site Tools


Dropbear Configuration


The ssh configuration is handled by the dropbear subsystem of uci and the configuration file is located in /etc/config/dropbear.
If the subsystem name wasn't obvious enough, the default daemon responsible of the SSH service in LEDE is dropbear.
Each dropbear SSH server instance uses a single section of the configuration file, and you can have multiple instances.


The dropbear configuration contains settings for the dropbear SSH server in a single section.


The dropbear section contains these settings:

Name Type Required Default Description
enable boolean no 1 Set to 0 to disable starting dropbear at system boot.
verbose boolean no 0 Set to 1 to enable verbose output by the start script.
BannerFile string no (none) Name of a file to be printed before the user has authenticated successfully.
PasswordAuth boolean no 1 Set to 0 to disable authenticating with passwords.
Port integer no 22 Port number to listen on.
RootPasswordAuth boolean no 1 Set to 0 to disable authenticating as root with passwords.
RootLogin boolean no 1 Set to 0 to disable SSH logins as root.
GatewayPorts boolean no 0 Set to 1 to allow remote hosts to connect to forwarded ports.
Interface string no (none) Tells dropbear to listen only on the specified interface. (e.g. lan, wan, wan6)
rsakeyfile file no (none) Path to RSA file
dsskeyfile file no (none) Path to DSS/DSA file
SSHKeepAlive integer no 300 Keep Alive
IdleTimeout integer no 0 Idle Timeout
mdns integer no 1 Whether to annouce the service via mDNS
MaxAuthTries integer no 3 Amount of times you can retry writing the password when logging in before the SSH server closes the connection from this commit

Default configuration

This is the default configuration:

# uci show dropbear

Multiple dropbear instances

Add a second instance of dropbear listening on port 2022.

uci add dropbear dropbear
uci set dropbear.@dropbear[-1].RootPasswordAuth='on'
uci set dropbear.@dropbear[-1].PasswordAuth='off'
uci set dropbear.@dropbear[-1].Port='2022'
uci commit dropbear
service dropbear restart

Use interface binding fix if you experience DoS due to a startup timing issue.

cat << "EOF" > /etc/hotplug.d/iface/40-dropbear
if [ "$INTERFACE" = "wan" ] && [ "$ACTION" = "ifup" -o "$ACTION" = "ifupdate" ]
        /etc/init.d/dropbear restart

Security considerations

Security considerations are beyond the scope of this document, but:

  • You should never allow SSH access on the WAN area. Please use a VPN instead to access your router.
  • Avoid connecting using passwords and use SSH keys mechanisms.

Disable password authentication:

uci set dropbear.@dropbear[0].PasswordAuth="off"
uci commit dropbear
service dropbear restart

Set up public key authentication.

SFTP functionality

While the dropbear package provides SCP functionality, it does not contain anything for SFTP. Please install openssh-sftp-server if you want to use SFTP.

Window title

Fix window title to display correct user@host information when connected via SSH.

mkdir -p /etc/profile.d
cat << "EOF" > /etc/profile.d/
echo -e -n "\033];${USER}@${HOSTNAME}\007"
docs/guide-user/base-system/dropbear.txt · Last modified: 2019/04/08 02:51 by vgaetera