Unlike OpenSSH, which uses authorized_keys in user directories, Dropbear employs a different mechanism for key-based authentication. The primary location for Dropbear's authorized keys is:
/etc/dropbear/authorized_keys
This is a system-wide file where you'll need to place public keys for all users who require passwordless login. The format remains compatible with OpenSSH's authorized_keys file.
To enable key-based authentication in Dropbear:
- Generate SSH keys (if you haven't already):
ssh-keygen -t rsa -b 4096 -f ~/.ssh/dropbear_key
- Copy the public key to Dropbear's authorized keys file:
cat ~/.ssh/dropbear_key.pub | sudo tee -a /etc/dropbear/authorized_keys
- Set proper permissions:
sudo chmod 600 /etc/dropbear/authorized_keys
sudo chown root:root /etc/dropbear/authorized_keys
While Dropbear primarily uses the system-wide file, you can also configure per-user keys:
# Create user-specific authorized_keys
mkdir -p ~/.ssh
chmod 700 ~/.ssh
cat ~/.ssh/dropbear_key.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
Note that this requires Dropbear to be compiled with the ENABLE_SVR_PUBKEY_AUTH option enabled.
Ensure these options are set in /etc/dropbear/dropbear.conf:
# Enable public key authentication
DROPBEAR_PUBKEY_AUTH=1
# Optional: Disable password authentication
DROPBEAR_PASSWORD_AUTH=0
After making changes, restart Dropbear and test your connection:
sudo service dropbear restart
ssh -i ~/.ssh/dropbear_key user@hostname
If key authentication fails:
- Verify file permissions (600 for keys, 700 for .ssh directory)
- Check Dropbear logs (/var/log/auth.log or journalctl -u dropbear)
- Confirm the public key format matches OpenSSH standard
- Ensure the key isn't protected by a passphrase if you want fully automated login
Dropbear supports various key types. Here's how to generate and use them:
# Ed25519 key (recommended)
ssh-keygen -t ed25519 -f ~/.ssh/dropbear_ed25519
# ECDSA key
ssh-keygen -t ecdsa -b 521 -f ~/.ssh/dropbear_ecdsa
Remember to add the corresponding public keys to /etc/dropbear/authorized_keys or the user's authorized_keys file.
While OpenSSH uses /etc/ssh/keys-root/authorized_keys for storing authentication keys, Dropbear employs a simpler but equally effective approach. For Dropbear SSH, the authorized keys file should be placed at:
~/.ssh/authorized_keys
This follows the same convention as OpenSSH's per-user key storage, but with some important implementation differences.
Dropbear supports the standard OpenSSH public key format, but with stricter requirements:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ... user@host
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI... comment
Each key must:
- Be on a single line
- Start with the key type (ssh-rsa, ssh-ed25519, etc.)
- Include the base64-encoded key
- Optionally end with a comment
For system-wide access (similar to OpenSSH's /etc/ssh/keys-root/), Dropbear can be configured to use a different location:
# Edit /etc/default/dropbear or similar configuration file
DROPBEAR_EXTRA_ARGS="-a /etc/dropbear/authorized_keys"
Then create the directory and file:
mkdir -p /etc/dropbear
touch /etc/dropbear/authorized_keys
chmod 600 /etc/dropbear/authorized_keys
If you're migrating from OpenSSH, existing keys can be used directly:
# Copy user keys (append, so entries already in authorized_keys are kept)
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
# Or for root user
mkdir -p /root/.ssh
cat ~/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys
To troubleshoot key authentication issues, run Dropbear in debug mode:
dropbear -F -E -a -p 2222
Then attempt connection while monitoring output:
ssh -v -p 2222 user@localhost
Dropbear supports OpenSSH-style key options in authorized_keys:
command="/bin/special-app",no-port-forwarding ssh-rsa AAAAB3... key1
from="192.168.1.*",no-pty ssh-ed25519 AAAAC3... key2
Common restrictions include:
- command: Limit to specific command
- from: Restrict source IPs
- no-port-forwarding: Disable tunneling
- no-pty: Prevent terminal allocation
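An added example (not from the original page or the Dropbear project): a Python lint for the entry format and key options described above. It splits the leading options while respecting quoted values, then checks that the base64 data decodes and that the length-prefixed key type inside the blob matches the type declared on the line. The function names and the sample entries are constructed for illustration; the sample blobs are filler, not usable keys.

```python
import base64, binascii, struct
KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def split_options(line):
    """Return (options, rest); commas and spaces inside "..." are preserved."""
    opts, cur, in_quote = [], "", False
    for i, ch in enumerate(line):
        if ch == '"' and not cur.endswith("\\"):
            in_quote = not in_quote
        if not in_quote and ch in ", \t":
            opts.append(cur)
            if ch != ",":                 # whitespace ends the options field
                return opts, line[i:].strip()
            cur = ""
        else:
            cur += ch
    return opts + [cur], ""               # nothing followed the options

def lint_line(line):
    """Return (options, key_type, problems) for one authorized_keys line."""
    line, opts = line.strip(), []
    if not line or line.startswith("#"):  # blank lines and comments are fine
        return opts, None, []
    if line.split(None, 1)[0] not in KEY_TYPES:   # entry starts with options
        opts, line = split_options(line)
    fields = line.split(None, 2)          # type, base64 data, optional comment
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        return opts, None, ["missing or unknown key type"]
    problems = []
    try:
        blob = base64.b64decode(fields[1], validate=True)
        (n,) = struct.unpack(">I", blob[:4])      # blob opens with its own type string
        if blob[4:4 + n] != fields[0].encode():
            problems.append("key blob type differs from declared type")
    except (binascii.Error, struct.error):
        problems.append("key data is not a valid base64 key blob")
    return opts, fields[0], problems

def fake_blob(key_type):  # constructed filler blob: length-prefixed type + zero bytes
    raw = struct.pack(">I", len(key_type)) + key_type.encode() + b"\0" * 32
    return base64.b64encode(raw).decode()

SAMPLE = [  # constructed entries, not real keys
    f'command="/bin/special-app",no-port-forwarding ssh-rsa {fake_blob("ssh-rsa")} key1',
    f'from="192.168.1.*",no-pty ssh-ed25519 {fake_blob("ssh-ed25519")} key2',
    f'ssh-ed25519 {fake_blob("ssh-rsa")} mismatched',
    "ssh-rsa AAAAB3NzaC1yc2E... truncated",
]
```

Calling lint_line on each line of a real authorized_keys file before restarting Dropbear catches keys that were truncated or pasted under the wrong type, which would otherwise only show up as a failed login.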
Important differences from OpenSSH:
- Dropbear doesn't support AuthorizedKeysFile directive in config
- Key permissions are strictly enforced (600 for authorized_keys)
- ~/.ssh directory must exist and have correct permissions (700)
- Dropbear doesn't support SSH agent forwarding by default