--- runopts.h
+++ runopts.h
@@ -101,6 +101,9 @@
 	gid_t restrict_group_gid;
 #endif
 
+	/* FRITZ!box */
+	int rootonlylogin;
+
 	int noauthpass;
 	int norootpass;
 	int allowblankpass;
--- svr-runopts.c
+++ svr-runopts.c
@@ -73,6 +73,7 @@
 					"-m		Don't display the motd on login\n"
 #endif
 					"-w		Disallow root logins\n"
+					"-0		Allow only root logins\n"
 #ifdef HAVE_GETGROUPLIST
 					"-G		Restrict logins to members of specified group\n"
 #endif
@@ -150,6 +151,7 @@
 	svr_opts.forced_command = NULL;
 	svr_opts.forkbg = 1;
 	svr_opts.norootlogin = 0;
+	svr_opts.rootonlylogin = 0;
 #ifdef HAVE_GETGROUPLIST
 	svr_opts.restrict_group = NULL;
 	svr_opts.restrict_group_gid = 0;
@@ -256,6 +258,9 @@
 				case 'w':
 					svr_opts.norootlogin = 1;
 					break;
+				case '0':
+					svr_opts.rootonlylogin = 1;
+					break;
 #ifdef HAVE_GETGROUPLIST
 				case 'G':
 					next = &svr_opts.restrict_group;
--- svr-auth.c
+++ svr-auth.c
@@ -304,6 +304,14 @@
 	}
 #endif /* HAVE_GETGROUPLIST */
 
+	/* FRITZBOX PATCH: only allow root user */
+	if (svr_opts.rootonlylogin && ses.authstate.pw_uid != 0) {
+		TRACE(("leave checkusername: non-root login disabled"))
+		dropbear_log(LOG_WARNING, "non-root login rejected");
+		send_msg_userauth_failure(0, 1);
+		return DROPBEAR_FAILURE;
+	}
+
 	TRACE(("shell is %s", ses.authstate.pw_shell))
 
 	/* check that the shell is set */