Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time
pts-dropbear: Dropbear SSH tools with ed25519 and other improvements by pts
pts-dropbear is a C source tree of the Dropbear embedded SSH server, client
and tools for Unix, with modifications by pts.

Based on: dropbear-2017.75.tar.bz2

The most important improvements in pts-dropbear:

* Added ssh-ed25519 crypto for server host keys and user keys. The
  implementation is based on TweetNaCl v20140427.
* Added environment variable propagation (similar to OpenSSH AcceptEnv,
  command-line flag -A) to Dropbear sshd.
* Added autodetection and loading of OpenSSH hostkeys to Dropbear
  sshd (with `make OPENSSHHOSTKEYLOAD=1').
* Added flag to dropbearkey to generate private keys in OpenSSH format
  directly (dropbearkey -Z openssh, with `make WRITEOPENSSHKEYS=1').
* Improved some command-line flags (e.g. dropbear -E is always available).
* Added compilation instructions for pts-xstatic (statically linked i386 Linux
  binary). Binary size is 350456 bytes.
* Added option to compile without loading any system hostkeys (e.g. from
  /etc/dropbear) (with `make NOSYSHOSTKEYLOAD=1').
* Made dropbearkey behavior  more compatible with ssh-keygen in OpenSSH:
** dropbearkey now creates a .pub file.
** -b bits flag.
** -C comment flag. (The comment will be added only to the public key file, and
   not to the private key file.)
** -P passphrase flag. Only the empty passhprase is allowed.
** -N passphrase flag. Only the empty passhprase is allowed.
* Added autodection of the input private key file format, as
  `dropbearconvert any'.

How to compile:

* To compile regularly with the system gcc, run this (without the leading
  `$' signs):

    $ sudo apt-get install gcc make
    $ ./configure
    $ make PROGRAMS="dropbear dbclient dropbearkey dropbearconvert scp" MULTI=1 STATIC=1 SCPPROGRESS=1 NOSYSHOSTKEYLOAD=1 OPENSSHHOSTKEYLOAD=1 WRITEOPENSSHKEYS=1
    $ ls -l dropbearmulti

* To compile with pts-xstatic to get a statically linked Linux i386
  executable binary, run this (without the leading `$' signs) on a Linux
  i386 or amd64 system:

    $ sudo apt-get install gcc make
    $ sudo apt-get install gcc-multilib  # On an amd64 system.
    $ wget
    $ chmod u+x pts-xstatic-latest.sfx.7z
    $ ./pts-xstatic-latest.sfx.7z -y
    $ XSTATIC=pts-xstatic/bin/xstatic ./
    (creates drobpearmulti)

How to generate an ssh-ed25519 server host key:

* Use this command:

    $ dropbearkey -Z openssh -t ed25519 -f dropbear_hostkey_ed25519

  Please note that `-Z openssh' is optional. By default it creates the
  private key file in the OpenSSH format, for improved interoperability. The
  alternative is `-Z dropbear'.

* Alternatively, this command works if you have OpenSSH:

    $ ssh-keygen -N "" -t ed25519 -f dropbear_hostkey_ed25519

* Alternatively, you can use this Python script:

  Example invocation:

    $ ./ -t ed25519 -Z openssh -f dropbear_hostkey_ed25519


* Send patches to upstream Dropbear.
* Add cipher (for feature parity with
* Add querying an ssh-agent to dbclient. (No need to write an ssh-agent,
  the Gnome, gpg and OpenSSH ssh-agent implementations are fine.)
* refactor: split keywrite.c (import_write(...)) out keyimport.c, to make
  the dropbear (not dropbearmulti) binary smaller.
* --disable-wtmp in Add at least a command-line flag. Is the stock
  Ubuntu 14.04 /var/log/wtmp compatible with xstatic uClibc wtmp format?


* dropbearconvert (and import_read) ignores comments in keys.
* dropbearkey creates private keys without comments (only public keys have comments).
* OpenSSH `ssh -i' ignores comments in the private key file. Good.
* dropbear doesn't support user or host key passphrases.
* dbclient cannot authenticate with an ssh-agent.
* dropbear doesn't try to be smart and slow, e.g. by doing DNS lookups on
  the client IP address.
* Dropbear binary size is smaller (353 kB for dropbearmulti linked with
  xstatic, containing dropbear, dbclient, dropbearkey, dropbearconvert, scp)
  than OpenSSH (836 kB for sshd, 791 kB, 380 kB for ssh-agent for ssh linked
  with xstatic, 7.3p1 without OpenSSL).
* OpenSSH crypto operations are faster than in Dropbear. (Is this true?
* Dropbear 2017.75 supports these ciphers (with the default compiation flags):
  aes128-ctr, aes256-ctr, aes128-cbc, aes256-cbc, twofish256-cbc,
  twofish128-cbc, 3des-ctr, 3des-cbc, 3des.
  blowfish can also be enabled, but twofish is more efficient.
* OpenSSH_5.3p1 supports these ciphers: (twofish is missing.)
  aes128-ctr, aes192-ctr, aes256-ctr, arcfour256, arcfour128, aes128-cbc,
  3des-cbc, blowfish-cbc, cast128-cbc, aes192-cbc, aes256-cbc, arcfour,
* OpenSSH_7.2p2 in Ubuntu 14.04 supports these ciphers: (twofish is missing.)
  3des-cbc, aes128-cbc, aes128-ctr,, aes192-cbc
  aes192-ctr, aes256-cbc, aes256-ctr,, arcfour,
  arcfour128 arcfour256,,
* OpenSSH_7.3p1 compiled without OpenSSL supports these ciphers:
  aes128-ctr, aes192-ctr, aes256-ctr,
* tinyssh 20161101 (and the latest github on 2017-10-01)
  supports these ciphers: aes256-str,



Dropbear SSH tools with ed25519 and other improvements by pts







No packages published