Skip to main content
The CM5 image embeds a Dropbear SSH server in the initramfs via dracut. This gives you remote shell access during the early boot phase — before the Btrfs root subvolume is mounted — which is essential for headless rescue, boot diagnostics, and pre-mount filesystem operations.

How it works

When the CM5 boots, dracut starts the network module (DHCP on eth0) and the dropbear module, which launches a minimal SSH daemon on port 222. You can connect and interact with the system before the root filesystem is available. The kernel cmdline parameter ip=dhcp (set in dracut.conf.d/rpi5.conf) instructs dracut to configure the network interface automatically.

Setting up authorized_keys

Early SSH authentication is key-only — no passwords. You must inject your SSH public key before building the image. Option 1: Set the environment variable before running cm5-setup.sh 
DROPBEAR_AUTHKEYS=/home/user/.ssh/id_ed25519.pub sudo bash scripts/cm5-setup.sh
Option 2: Copy after flashing (enter chroot) 
sudo cp ~/.ssh/id_ed25519.pub /mnt/rpi5-root/etc/dropbear/authorized_keys
sudo chmod 600 /mnt/rpi5-root/etc/dropbear/authorized_keys
If authorized_keys is empty, the Dropbear daemon starts but you cannot connect. Always set the authorized key before the first headless boot.

Connecting

Once the CM5 is powered on and DHCP has assigned an IP, connect on port 222: 
ssh -p 222 root@<device-ip>
Find the device IP from your router’s DHCP lease table, or use a serial console to read it from the boot log (ttyAMA0 @ 115200).
Add the following to ~/.ssh/config on your workstation for convenience:
Host cm5-rescue
    HostName <device-ip>
    Port 222
    User root
    IdentityFile ~/.ssh/id_ed25519
    StrictHostKeyChecking no
Then connect with ssh cm5-rescue.

What you can do over early SSH

Once connected in the initramfs environment you have a minimal shell. Common rescue tasks: Check what dracut has mounted: 
cat /proc/mounts
ls /sysroot
Manually mount the root subvolume if dracut failed: 
mkdir -p /sysroot
mount -o compress=zstd,space_cache=v2,noatime,subvol=@ \
    UUID=<ROOT_UUID> /sysroot
Run fsck on the Btrfs filesystem: 
btrfs check --readonly /dev/mmcblk0p2
Drop to the full system by switching root: 
switch_root /sysroot /sbin/init
Exit early SSH and continue boot: 
# Signal dracut to continue
> /tmp/dracut-emergency-exit

Host key locations

The Dropbear host keys are generated during cm5-setup.sh and stored at:
KeyPath
RSA 4096-bit/etc/dropbear/dropbear_rsa_host_key
ECDSA/etc/dropbear/dropbear_ecdsa_host_key
These are embedded in the initramfs by the dracut dropbear module configuration: 
dropbear_rsa_key="/etc/dropbear/dropbear_rsa_host_key"
dropbear_ecdsa_key="/etc/dropbear/dropbear_ecdsa_host_key"
dropbear_acl="/etc/dropbear/authorized_keys"

Build docs developers (and LLMs) love

Get started for freeTalk to us