Mercurial > dropbear
annotate default_options.h @ 1861:2b3a8026a6ce
Add re-exec for server
This allows ASLR to re-randomize the address
space for every connection, preventing some
vulnerabilities from being exploitable by
repeated probing.
Overhead (memory and time) is yet to be confirmed.
At present this is only enabled on Linux. Other BSD platforms
with fexecve() would probably also work though have not been tested.
| author | Matt Johnston <matt@ucc.asn.au> |
|---|---|
| date | Sun, 30 Jan 2022 10:14:56 +0800 |
| parents | 35d504d59c05 |
| children | 40f8468ad4d4 |
| rev | line source |
|---|---|
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
1 #ifndef DROPBEAR_DEFAULT_OPTIONS_H_ |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
2 #define DROPBEAR_DEFAULT_OPTIONS_H_ |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
3 /* |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
4 > > > Read This < < < |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
5 |
|
1521
198e2ee0f4b1
- Fix dependencies and remove old default_options.h from version control
Matt Johnston <matt@ucc.asn.au>
parents:
1517
diff
changeset
|
6 default_options.h documents compile-time options, and provides default values. |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
7 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
8 Local customisation should be added to localoptions.h which is |
|
1614
03df3b9f6048
mention localoptions.h being build directory, fix underscore in CHANGES
Matt Johnston <matt@ucc.asn.au>
parents:
1544
diff
changeset
|
9 used if it exists in the build directory. Options defined there will override |
|
03df3b9f6048
mention localoptions.h being build directory, fix underscore in CHANGES
Matt Johnston <matt@ucc.asn.au>
parents:
1544
diff
changeset
|
10 any options in this file. |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
11 |
|
1517
7c7c5326ad73
clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents:
1514
diff
changeset
|
12 Options can also be defined with -DDROPBEAR_XXX=[0,1] in Makefile CFLAGS |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
13 |
|
1517
7c7c5326ad73
clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents:
1514
diff
changeset
|
14 IMPORTANT: Some options will require "make clean" after changes */ |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
15 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
16 #define DROPBEAR_DEFPORT "22" |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
17 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
18 /* Listen on all interfaces */ |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
19 #define DROPBEAR_DEFADDRESS "" |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
20 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
21 /* Default hostkey paths - these can be specified on the command line */ |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
22 #define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key" |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
23 #define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key" |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
24 #define ECDSA_PRIV_FILENAME "/etc/dropbear/dropbear_ecdsa_host_key" |
|
1659
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
1634
diff
changeset
|
25 #define ED25519_PRIV_FILENAME "/etc/dropbear/dropbear_ed25519_host_key" |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
26 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
27 /* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
28 * on chosen ports and keeps accepting connections. This is the default. |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
29 * |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
30 * Set INETD_MODE if you want to be able to run Dropbear with inetd (or |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
31 * similar), where it will use stdin/stdout for connections, and each process |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
32 * lasts for a single connection. Dropbear should be invoked with the -i flag |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
33 * for inetd, and can only accept IPv4 connections. |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
34 * |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
35 * Both of these flags can be defined at once, don't compile without at least |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
36 * one of them. */ |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
37 #define NON_INETD_MODE 1 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
38 #define INETD_MODE 1 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
39 |
| 1861 | 40 /* By default Dropbear will re-execute itself for each incoming connection so |
| 41 that memory layout may be re-randomised (ASLR) - exploiting | |
| 42 vulnerabilities becomes harder. Re-exec causes slightly more memory use | |
| 43 per connection. | |
| 44 This option is ignored on non-Linux platforms at present */ | |
| 45 #define DROPBEAR_REEXEC 1 | |
| 46 | |
| 47 /* Include verbose debug output, enabled with -v at runtime. | |
|
1514
6c16a05023aa
rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents:
1499
diff
changeset
|
48 * This will add a reasonable amount to your executable size. */ |
|
6c16a05023aa
rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents:
1499
diff
changeset
|
49 #define DEBUG_TRACE 0 |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
50 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
51 /* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save |
|
1517
7c7c5326ad73
clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents:
1514
diff
changeset
|
52 * several kB in binary size however will make the symmetrical ciphers and hashes |
|
7c7c5326ad73
clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents:
1514
diff
changeset
|
53 * slower, perhaps by 50%. Recommended for small systems that aren't doing |
|
7c7c5326ad73
clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents:
1514
diff
changeset
|
54 * much traffic. */ |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
55 #define DROPBEAR_SMALL_CODE 1 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
56 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
57 /* Enable X11 Forwarding - server only */ |
|
1714
c0f12eaf95c9
Disable by default 3des, cbc, hmac-sha1-96, x11 forwarding
Matt Johnston <matt@ucc.asn.au>
parents:
1713
diff
changeset
|
58 #define DROPBEAR_X11FWD 0 |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
59 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
60 /* Enable TCP Fowarding */ |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
61 /* 'Local' is "-L" style (client listening port forwarded via server) |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
62 * 'Remote' is "-R" style (server listening port forwarded via client) */ |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
63 #define DROPBEAR_CLI_LOCALTCPFWD 1 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
64 #define DROPBEAR_CLI_REMOTETCPFWD 1 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
65 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
66 #define DROPBEAR_SVR_LOCALTCPFWD 1 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
67 #define DROPBEAR_SVR_REMOTETCPFWD 1 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
68 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
69 /* Enable Authentication Agent Forwarding */ |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
70 #define DROPBEAR_SVR_AGENTFWD 1 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
71 #define DROPBEAR_CLI_AGENTFWD 1 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
72 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
73 /* Note: Both DROPBEAR_CLI_PROXYCMD and DROPBEAR_CLI_NETCAT must be set to |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
74 * allow multihop dbclient connections */ |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
75 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
76 /* Allow using -J <proxycommand> to run the connection through a |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
77 pipe to a program, rather the normal TCP connection */ |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
78 #define DROPBEAR_CLI_PROXYCMD 1 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
79 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
80 /* Enable "Netcat mode" option. This will forward standard input/output |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
81 * to a remote TCP-forwarded connection */ |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
82 #define DROPBEAR_CLI_NETCAT 1 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
83 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
84 /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */ |
|
1499
2d450c1056e3
options: Complete the transition to numeric toggles (`#if')
Michael Witten <mfwitten@gmail.com>
parents:
1494
diff
changeset
|
85 #define DROPBEAR_USER_ALGO_LIST 1 |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
86 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
87 /* Encryption - at least one required. |
|
1514
6c16a05023aa
rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents:
1499
diff
changeset
|
88 * AES128 should be enabled, some very old implementations might only |
|
6c16a05023aa
rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents:
1499
diff
changeset
|
89 * support 3DES. |
|
6c16a05023aa
rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents:
1499
diff
changeset
|
90 * Including both AES keysize variants (128 and 256) will result in |
|
6c16a05023aa
rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents:
1499
diff
changeset
|
91 * a minimal size increase */ |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
92 #define DROPBEAR_AES128 1 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
93 #define DROPBEAR_AES256 1 |
|
1714
c0f12eaf95c9
Disable by default 3des, cbc, hmac-sha1-96, x11 forwarding
Matt Johnston <matt@ucc.asn.au>
parents:
1713
diff
changeset
|
94 #define DROPBEAR_3DES 0 |
|
1517
7c7c5326ad73
clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents:
1514
diff
changeset
|
95 #define DROPBEAR_TWOFISH256 0 |
|
7c7c5326ad73
clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents:
1514
diff
changeset
|
96 #define DROPBEAR_TWOFISH128 0 |
|
1499
2d450c1056e3
options: Complete the transition to numeric toggles (`#if')
Michael Witten <mfwitten@gmail.com>
parents:
1494
diff
changeset
|
97 |
|
1714
c0f12eaf95c9
Disable by default 3des, cbc, hmac-sha1-96, x11 forwarding
Matt Johnston <matt@ucc.asn.au>
parents:
1713
diff
changeset
|
98 /* Enable Chacha20-Poly1305 authenticated encryption mode. This is |
|
c0f12eaf95c9
Disable by default 3des, cbc, hmac-sha1-96, x11 forwarding
Matt Johnston <matt@ucc.asn.au>
parents:
1713
diff
changeset
|
99 * generally faster than AES256 on CPU w/o dedicated AES instructions, |
|
c0f12eaf95c9
Disable by default 3des, cbc, hmac-sha1-96, x11 forwarding
Matt Johnston <matt@ucc.asn.au>
parents:
1713
diff
changeset
|
100 * having the same key size. Recommended. |
|
c0f12eaf95c9
Disable by default 3des, cbc, hmac-sha1-96, x11 forwarding
Matt Johnston <matt@ucc.asn.au>
parents:
1713
diff
changeset
|
101 * Compiling in will add ~5,5kB to binary size on x86-64 */ |
|
c0f12eaf95c9
Disable by default 3des, cbc, hmac-sha1-96, x11 forwarding
Matt Johnston <matt@ucc.asn.au>
parents:
1713
diff
changeset
|
102 #define DROPBEAR_CHACHA20POLY1305 1 |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
103 |
|
1714
c0f12eaf95c9
Disable by default 3des, cbc, hmac-sha1-96, x11 forwarding
Matt Johnston <matt@ucc.asn.au>
parents:
1713
diff
changeset
|
104 /* Enable "Counter Mode" for ciphers. Recommended. */ |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
105 #define DROPBEAR_ENABLE_CTR_MODE 1 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
106 |
|
1714
c0f12eaf95c9
Disable by default 3des, cbc, hmac-sha1-96, x11 forwarding
Matt Johnston <matt@ucc.asn.au>
parents:
1713
diff
changeset
|
107 /* Enable CBC mode for ciphers. This has security issues though |
|
c0f12eaf95c9
Disable by default 3des, cbc, hmac-sha1-96, x11 forwarding
Matt Johnston <matt@ucc.asn.au>
parents:
1713
diff
changeset
|
108 may be required for compatibility with old implementations */ |
|
c0f12eaf95c9
Disable by default 3des, cbc, hmac-sha1-96, x11 forwarding
Matt Johnston <matt@ucc.asn.au>
parents:
1713
diff
changeset
|
109 #define DROPBEAR_ENABLE_CBC_MODE 0 |
|
c0f12eaf95c9
Disable by default 3des, cbc, hmac-sha1-96, x11 forwarding
Matt Johnston <matt@ucc.asn.au>
parents:
1713
diff
changeset
|
110 |
|
1672
3a97f14c0235
Add Chacha20-Poly1305, AES128-GCM and AES256-GCM support (#93)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
1660
diff
changeset
|
111 /* Enable "Galois/Counter Mode" for ciphers. This authenticated |
|
3a97f14c0235
Add Chacha20-Poly1305, AES128-GCM and AES256-GCM support (#93)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
1660
diff
changeset
|
112 * encryption mode is combination of CTR mode and GHASH. Recommended |
|
3a97f14c0235
Add Chacha20-Poly1305, AES128-GCM and AES256-GCM support (#93)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
1660
diff
changeset
|
113 * for security and forwards compatibility, but slower than CTR on |
|
3a97f14c0235
Add Chacha20-Poly1305, AES128-GCM and AES256-GCM support (#93)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
1660
diff
changeset
|
114 * CPU w/o dedicated AES/GHASH instructions. |
|
3a97f14c0235
Add Chacha20-Poly1305, AES128-GCM and AES256-GCM support (#93)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
1660
diff
changeset
|
115 * Compiling in will add ~6kB to binary size on x86-64 */ |
|
3a97f14c0235
Add Chacha20-Poly1305, AES128-GCM and AES256-GCM support (#93)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
1660
diff
changeset
|
116 #define DROPBEAR_ENABLE_GCM_MODE 0 |
|
3a97f14c0235
Add Chacha20-Poly1305, AES128-GCM and AES256-GCM support (#93)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
1660
diff
changeset
|
117 |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
118 /* Message integrity. sha2-256 is recommended as a default, |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
119 sha1 for compatibility */ |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
120 #define DROPBEAR_SHA1_HMAC 1 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
121 #define DROPBEAR_SHA2_256_HMAC 1 |
|
1714
c0f12eaf95c9
Disable by default 3des, cbc, hmac-sha1-96, x11 forwarding
Matt Johnston <matt@ucc.asn.au>
parents:
1713
diff
changeset
|
122 #define DROPBEAR_SHA1_96_HMAC 0 |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
123 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
124 /* Hostkey/public key algorithms - at least one required, these are used |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
125 * for hostkey as well as for verifying signatures with pubkey auth. |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
126 * Removing either of these won't save very much space. |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
127 * RSA is recommended |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
128 * DSS may be necessary to connect to some systems though |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
129 is not recommended for new keys */ |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
130 #define DROPBEAR_RSA 1 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
131 #define DROPBEAR_DSS 1 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
132 /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
133 * code (either ECDSA or ECDH) increases binary size - around 30kB |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
134 * on x86-64 */ |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
135 #define DROPBEAR_ECDSA 1 |
|
1855
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
1794
diff
changeset
|
136 #define DROPBEAR_SK_ECDSA 1 |
|
1659
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
1634
diff
changeset
|
137 /* Ed25519 is faster than ECDSA. Compiling in Ed25519 code increases |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
1634
diff
changeset
|
138 binary size - around 7,5kB on x86-64 */ |
|
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
1634
diff
changeset
|
139 #define DROPBEAR_ED25519 1 |
|
1855
35d504d59c05
Implement server-side support for sk-ecdsa U2F-backed keys (#142)
egor-duda <egor-duda@users.noreply.github.com>
parents:
1794
diff
changeset
|
140 #define DROPBEAR_SK_ED25519 1 |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
141 |
|
1438
4f8eb331174f
add configuration option for default RSA size.
Matt Johnston <matt@ucc.asn.au>
parents:
1295
diff
changeset
|
142 /* RSA must be >=1024 */ |
|
4f8eb331174f
add configuration option for default RSA size.
Matt Johnston <matt@ucc.asn.au>
parents:
1295
diff
changeset
|
143 #define DROPBEAR_DEFAULT_RSA_SIZE 2048 |
|
4f8eb331174f
add configuration option for default RSA size.
Matt Johnston <matt@ucc.asn.au>
parents:
1295
diff
changeset
|
144 /* DSS is always 1024 */ |
|
4f8eb331174f
add configuration option for default RSA size.
Matt Johnston <matt@ucc.asn.au>
parents:
1295
diff
changeset
|
145 /* ECDSA defaults to largest size configured, usually 521 */ |
|
1659
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
1634
diff
changeset
|
146 /* Ed25519 is always 256 */ |
|
1438
4f8eb331174f
add configuration option for default RSA size.
Matt Johnston <matt@ucc.asn.au>
parents:
1295
diff
changeset
|
147 |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
148 /* Add runtime flag "-R" to generate hostkeys as-needed when the first |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
149 connection using that key type occurs. |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
150 This avoids the need to otherwise run "dropbearkey" and avoids some problems |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
151 with badly seeded /dev/urandom when systems first boot. */ |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
152 #define DROPBEAR_DELAY_HOSTKEY 1 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
153 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
154 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
155 /* Key exchange algorithm. |
|
1517
7c7c5326ad73
clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents:
1514
diff
changeset
|
156 |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
157 * group14_sha1 - 2048 bit, sha1 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
158 * group14_sha256 - 2048 bit, sha2-256 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
159 * group16 - 4096 bit, sha2-512 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
160 * group1 - 1024 bit, sha1 |
|
1517
7c7c5326ad73
clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents:
1514
diff
changeset
|
161 * curve25519 - elliptic curve DH |
|
7c7c5326ad73
clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents:
1514
diff
changeset
|
162 * ecdh - NIST elliptic curve DH (256, 384, 521) |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
163 * |
|
1517
7c7c5326ad73
clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents:
1514
diff
changeset
|
164 * group1 is too small for security though is necessary if you need |
|
7c7c5326ad73
clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents:
1514
diff
changeset
|
165 compatibility with some implementations such as Dropbear versions < 0.53 |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
166 * group14 is supported by most implementations. |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
167 * group16 provides a greater strength level but is slower and increases binary size |
|
1517
7c7c5326ad73
clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents:
1514
diff
changeset
|
168 * curve25519 and ecdh algorithms are faster than non-elliptic curve methods |
|
1659
d32bcb5c557d
Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents:
1634
diff
changeset
|
169 * curve25519 increases binary size by ~2,5kB on x86-64 |
|
1517
7c7c5326ad73
clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents:
1514
diff
changeset
|
170 * including either ECDH or ECDSA increases binary size by ~30kB on x86-64 |
|
7c7c5326ad73
clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents:
1514
diff
changeset
|
171 |
|
7c7c5326ad73
clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents:
1514
diff
changeset
|
172 * Small systems should generally include either curve25519 or ecdh for performance. |
|
7c7c5326ad73
clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents:
1514
diff
changeset
|
173 * curve25519 is less widely supported but is faster |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
174 */ |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
175 #define DROPBEAR_DH_GROUP14_SHA1 1 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
176 #define DROPBEAR_DH_GROUP14_SHA256 1 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
177 #define DROPBEAR_DH_GROUP16 0 |
|
1517
7c7c5326ad73
clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents:
1514
diff
changeset
|
178 #define DROPBEAR_CURVE25519 1 |
|
7c7c5326ad73
clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents:
1514
diff
changeset
|
179 #define DROPBEAR_ECDH 1 |
| 1544 | 180 #define DROPBEAR_DH_GROUP1 1 |
| 181 | |
| 182 /* When group1 is enabled it will only be allowed by Dropbear client | |
| 183 not as a server, due to concerns over its strength. Set to 0 to allow | |
| 184 group1 in Dropbear server too */ | |
| 185 #define DROPBEAR_DH_GROUP1_CLIENTONLY 1 | |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
186 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
187 /* Control the memory/performance/compression tradeoff for zlib. |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
188 * Set windowBits=8 for least memory usage, see your system's |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
189 * zlib.h for full details. |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
190 * Default settings (windowBits=15) will use 256kB for compression |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
191 * windowBits=8 will use 129kB for compression. |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
192 * Both modes will use ~35kB for decompression (using windowBits=15 for |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
193 * interoperability) */ |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
194 #define DROPBEAR_ZLIB_WINDOW_BITS 15 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
195 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
196 /* Whether to do reverse DNS lookups. */ |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
197 #define DO_HOST_LOOKUP 0 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
198 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
199 /* Whether to print the message of the day (MOTD). */ |
|
1660
26e07f7f682a
MOTD enabled by default as the manpage says (#87)
zciendor <37557036+zciendor@users.noreply.github.com>
parents:
1659
diff
changeset
|
200 #define DO_MOTD 1 |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
201 #define MOTD_FILENAME "/etc/motd" |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
202 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
203 /* Authentication Types - at least one required. |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
204 RFC Draft requires pubkey auth, and recommends password */ |
|
1514
6c16a05023aa
rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents:
1499
diff
changeset
|
205 #define DROPBEAR_SVR_PASSWORD_AUTH 1 |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
206 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
207 /* Note: PAM auth is quite simple and only works for PAM modules which just do |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
208 * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c). |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
209 * It's useful for systems like OS X where standard password crypts don't work |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
210 * but there's an interface via a PAM module. It won't work for more complex |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
211 * PAM challenge/response. |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
212 * You can't enable both PASSWORD and PAM. */ |
|
1514
6c16a05023aa
rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents:
1499
diff
changeset
|
213 #define DROPBEAR_SVR_PAM_AUTH 0 |
|
1499
2d450c1056e3
options: Complete the transition to numeric toggles (`#if')
Michael Witten <mfwitten@gmail.com>
parents:
1494
diff
changeset
|
214 |
|
1514
6c16a05023aa
rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents:
1499
diff
changeset
|
215 /* ~/.ssh/authorized_keys authentication */ |
|
6c16a05023aa
rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents:
1499
diff
changeset
|
216 #define DROPBEAR_SVR_PUBKEY_AUTH 1 |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
217 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
218 /* Whether to take public key options in |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
219 * authorized_keys file into account */ |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
220 #define DROPBEAR_SVR_PUBKEY_OPTIONS 1 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
221 |
|
1634
aabde6f57fce
Add a sanity check for DROPBEAR_SVR_MULTIUSER==0 mode
Matt Johnston <matt@ucc.asn.au>
parents:
1633
diff
changeset
|
222 /* Set this to 0 if your system does not have multiple user support. |
|
aabde6f57fce
Add a sanity check for DROPBEAR_SVR_MULTIUSER==0 mode
Matt Johnston <matt@ucc.asn.au>
parents:
1633
diff
changeset
|
223 (Linux kernel CONFIG_MULTIUSER option) |
|
aabde6f57fce
Add a sanity check for DROPBEAR_SVR_MULTIUSER==0 mode
Matt Johnston <matt@ucc.asn.au>
parents:
1633
diff
changeset
|
224 The resulting binary will not run on a normal system. */ |
|
1633
592a18dac250
Support servers without multiple user support (#76)
Patrick Stewart <patstew@gmail.com>
parents:
1617
diff
changeset
|
225 #define DROPBEAR_SVR_MULTIUSER 1 |
|
592a18dac250
Support servers without multiple user support (#76)
Patrick Stewart <patstew@gmail.com>
parents:
1617
diff
changeset
|
226 |
|
1514
6c16a05023aa
rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents:
1499
diff
changeset
|
227 /* Client authentication options */ |
|
6c16a05023aa
rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents:
1499
diff
changeset
|
228 #define DROPBEAR_CLI_PASSWORD_AUTH 1 |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
229 #define DROPBEAR_CLI_PUBKEY_AUTH 1 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
230 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
231 /* A default argument for dbclient -i <privatekey>. |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
232 Homedir is prepended unless path begins with / */ |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
233 #define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear" |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
234 |
|
1514
6c16a05023aa
rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents:
1499
diff
changeset
|
235 /* Allow specifying the password for dbclient via the DROPBEAR_PASSWORD |
|
6c16a05023aa
rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents:
1499
diff
changeset
|
236 * environment variable. */ |
|
6c16a05023aa
rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents:
1499
diff
changeset
|
237 #define DROPBEAR_USE_PASSWORD_ENV 1 |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
238 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
239 /* Define this (as well as DROPBEAR_CLI_PASSWORD_AUTH) to allow the use of |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
240 * a helper program for the ssh client. The helper program should be |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
241 * specified in the SSH_ASKPASS environment variable, and dbclient |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
242 * should be run with DISPLAY set and no tty. The program should |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
243 * return the password on standard output */ |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
244 #define DROPBEAR_CLI_ASKPASS_HELPER 0 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
245 |
|
1514
6c16a05023aa
rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents:
1499
diff
changeset
|
246 /* Save a network roundtrip by sendng a real auth request immediately after |
|
6c16a05023aa
rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents:
1499
diff
changeset
|
247 * sending a query for the available methods. This is not yet enabled by default |
|
6c16a05023aa
rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents:
1499
diff
changeset
|
248 since it could cause problems with non-compliant servers */ |
|
1517
7c7c5326ad73
clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents:
1514
diff
changeset
|
249 #define DROPBEAR_CLI_IMMEDIATE_AUTH 0 |
|
1499
2d450c1056e3
options: Complete the transition to numeric toggles (`#if')
Michael Witten <mfwitten@gmail.com>
parents:
1494
diff
changeset
|
250 |
|
1514
6c16a05023aa
rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents:
1499
diff
changeset
|
251 /* Set this to use PRNGD or EGD instead of /dev/urandom */ |
|
1499
2d450c1056e3
options: Complete the transition to numeric toggles (`#if')
Michael Witten <mfwitten@gmail.com>
parents:
1494
diff
changeset
|
252 #define DROPBEAR_USE_PRNGD 0 |
|
2d450c1056e3
options: Complete the transition to numeric toggles (`#if')
Michael Witten <mfwitten@gmail.com>
parents:
1494
diff
changeset
|
253 #define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng" |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
254 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
255 /* Specify the number of clients we will allow to be connected but |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
256 * not yet authenticated. After this limit, connections are rejected */ |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
257 /* The first setting is per-IP, to avoid denial of service */ |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
258 #define MAX_UNAUTH_PER_IP 5 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
259 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
260 /* And then a global limit to avoid chewing memory if connections |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
261 * come from many IPs */ |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
262 #define MAX_UNAUTH_CLIENTS 30 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
263 |
|
1445
a3a96dbf9a58
Use MAX_AUTH_TRIES rather than DEFAULT_AUTH_TRIES, don't limit argument range
Matt Johnston <matt@ucc.asn.au>
parents:
1442
diff
changeset
|
264 /* Default maximum number of failed authentication tries (server option) */ |
|
a3a96dbf9a58
Use MAX_AUTH_TRIES rather than DEFAULT_AUTH_TRIES, don't limit argument range
Matt Johnston <matt@ucc.asn.au>
parents:
1442
diff
changeset
|
265 /* -T server option overrides */ |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
266 #define MAX_AUTH_TRIES 10 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
267 |
|
1794
ed20d805b332
Disable UNAUTH_CLOSE_DELAY by default
Matt Johnston <matt@ucc.asn.au>
parents:
1790
diff
changeset
|
268 /* Delay introduced before closing an unauthenticated session (seconds). |
|
ed20d805b332
Disable UNAUTH_CLOSE_DELAY by default
Matt Johnston <matt@ucc.asn.au>
parents:
1790
diff
changeset
|
269 Disabled by default, can be set to say 30 seconds to reduce the speed |
|
ed20d805b332
Disable UNAUTH_CLOSE_DELAY by default
Matt Johnston <matt@ucc.asn.au>
parents:
1790
diff
changeset
|
270 of password brute forcing. Note that there is a risk of denial of |
|
ed20d805b332
Disable UNAUTH_CLOSE_DELAY by default
Matt Johnston <matt@ucc.asn.au>
parents:
1790
diff
changeset
|
271 service by setting this */ |
|
ed20d805b332
Disable UNAUTH_CLOSE_DELAY by default
Matt Johnston <matt@ucc.asn.au>
parents:
1790
diff
changeset
|
272 #define UNAUTH_CLOSE_DELAY 0 |
|
1790
42745af83b7d
Introduce extra delay before closing unauthenticated sessions
Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
parents:
1714
diff
changeset
|
273 |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
274 /* The default file to store the daemon's process ID, for shutdown |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
275 scripts etc. This can be overridden with the -P flag */ |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
276 #define DROPBEAR_PIDFILE "/var/run/dropbear.pid" |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
277 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
278 /* The command to invoke for xauth when using X11 forwarding. |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
279 * "-q" for quiet */ |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
280 #define XAUTH_COMMAND "/usr/bin/xauth -q" |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
281 |
|
1499
2d450c1056e3
options: Complete the transition to numeric toggles (`#if')
Michael Witten <mfwitten@gmail.com>
parents:
1494
diff
changeset
|
282 |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
283 /* if you want to enable running an sftp server (such as the one included with |
|
1514
6c16a05023aa
rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents:
1499
diff
changeset
|
284 * OpenSSH), set the path below and set DROPBEAR_SFTPSERVER. |
|
6c16a05023aa
rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents:
1499
diff
changeset
|
285 * The sftp-server program is not provided by Dropbear itself */ |
|
6c16a05023aa
rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents:
1499
diff
changeset
|
286 #define DROPBEAR_SFTPSERVER 1 |
|
1295
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
287 #define SFTPSERVER_PATH "/usr/libexec/sftp-server" |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
288 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
289 /* This is used by the scp binary when used as a client binary. If you're |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
290 * not using the Dropbear client, you'll need to change it */ |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
291 #define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/dbclient" |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
292 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
293 /* Whether to log commands executed by a client. This only logs the |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
294 * (single) command sent to the server, not what a user did in a |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
295 * shell/sftp session etc. */ |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
296 #define LOG_COMMANDS 0 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
297 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
298 /* Window size limits. These tend to be a trade-off between memory |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
299 usage and network performance: */ |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
300 /* Size of the network receive window. This amount of memory is allocated |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
301 as a per-channel receive buffer. Increasing this value can make a |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
302 significant difference to network performance. 24kB was empirically |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
303 chosen for a 100mbit ethernet network. The value can be altered at |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
304 runtime with the -W argument. */ |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
305 #define DEFAULT_RECV_WINDOW 24576 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
306 /* Maximum size of a received SSH data packet - this _MUST_ be >= 32768 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
307 in order to interoperate with other implementations */ |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
308 #define RECV_MAX_PAYLOAD_LEN 32768 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
309 /* Maximum size of a transmitted data packet - this can be any value, |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
310 though increasing it may not make a significant difference. */ |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
311 #define TRANS_MAX_PAYLOAD_LEN 16384 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
312 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
313 /* Ensure that data is transmitted every KEEPALIVE seconds. This can |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
314 be overridden at runtime with -K. 0 disables keepalives */ |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
315 #define DEFAULT_KEEPALIVE 0 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
316 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
317 /* If this many KEEPALIVES are sent with no packets received from the |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
318 other side, exit. Not run-time configurable - if you have a need |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
319 for runtime configuration please mail the Dropbear list */ |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
320 #define DEFAULT_KEEPALIVE_LIMIT 3 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
321 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
322 /* Ensure that data is received within IDLE_TIMEOUT seconds. This can |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
323 be overridden at runtime with -I. 0 disables idle timeouts */ |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
324 #define DEFAULT_IDLE_TIMEOUT 0 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
325 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
326 /* The default path. This will often get replaced by the shell */ |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
327 #define DEFAULT_PATH "/usr/bin:/bin" |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
328 |
|
750ec4ec4cbe
Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
329 #endif /* DROPBEAR_DEFAULT_OPTIONS_H_ */ |