Mercurial > dropbear

annotate default_options.h @ 1790:42745af83b7d

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Introduce extra delay before closing unauthenticated sessions To make it harder for attackers, introduce a delay to keep an unauthenticated session open a bit longer, thus blocking a connection slot until after the delay. Without this, while there is a limit on the amount of attempts an attacker can make at the same time (MAX_UNAUTH_PER_IP), the time taken by dropbear to handle one attempt is still short and thus for each of the allowed parallel attempts many attempts can be chained one after the other. The attempt rate is then: "MAX_UNAUTH_PER_IP / <process time of one attempt>". With the delay, this rate becomes: "MAX_UNAUTH_PER_IP / UNAUTH_CLOSE_DELAY".
author Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
date Wed, 15 Feb 2017 13:53:04 +0100
parents c0f12eaf95c9
children ed20d805b332
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
1 #ifndef DROPBEAR_DEFAULT_OPTIONS_H_
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
2 #define DROPBEAR_DEFAULT_OPTIONS_H_
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
3 /*
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
4 > > > Read This < < <
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
5
1521
198e2ee0f4b1 - Fix dependencies and remove old default_options.h from version control
Matt Johnston <matt@ucc.asn.au>
parents: 1517
diff changeset
6 default_options.h documents compile-time options, and provides default values.
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
7
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
8 Local customisation should be added to localoptions.h which is
1614
03df3b9f6048 mention localoptions.h being build directory, fix underscore in CHANGES
Matt Johnston <matt@ucc.asn.au>
parents: 1544
diff changeset
9 used if it exists in the build directory. Options defined there will override
03df3b9f6048 mention localoptions.h being build directory, fix underscore in CHANGES
Matt Johnston <matt@ucc.asn.au>
parents: 1544
diff changeset
10 any options in this file.
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
11
1517
7c7c5326ad73 clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents: 1514
diff changeset
12 Options can also be defined with -DDROPBEAR_XXX=[0,1] in Makefile CFLAGS
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
13
1517
7c7c5326ad73 clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents: 1514
diff changeset
14 IMPORTANT: Some options will require "make clean" after changes */
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
15
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
16 #define DROPBEAR_DEFPORT "22"
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
17
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
18 /* Listen on all interfaces */
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
19 #define DROPBEAR_DEFADDRESS ""
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
20
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
21 /* Default hostkey paths - these can be specified on the command line */
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
22 #define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key"
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
23 #define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key"
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
24 #define ECDSA_PRIV_FILENAME "/etc/dropbear/dropbear_ecdsa_host_key"
1659
d32bcb5c557d Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents: 1634
diff changeset
25 #define ED25519_PRIV_FILENAME "/etc/dropbear/dropbear_ed25519_host_key"
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
26
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
27 /* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
28 * on chosen ports and keeps accepting connections. This is the default.
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
29 *
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
30 * Set INETD_MODE if you want to be able to run Dropbear with inetd (or
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
31 * similar), where it will use stdin/stdout for connections, and each process
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
32 * lasts for a single connection. Dropbear should be invoked with the -i flag
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
33 * for inetd, and can only accept IPv4 connections.
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
34 *
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
35 * Both of these flags can be defined at once, don't compile without at least
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
36 * one of them. */
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
37 #define NON_INETD_MODE 1
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
38 #define INETD_MODE 1
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
39
1514
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
40 /* Include verbose debug output, enabled with -v at runtime.
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
41 * This will add a reasonable amount to your executable size. */
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
42 #define DEBUG_TRACE 0
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
43
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
44 /* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save
1517
7c7c5326ad73 clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents: 1514
diff changeset
45 * several kB in binary size however will make the symmetrical ciphers and hashes
7c7c5326ad73 clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents: 1514
diff changeset
46 * slower, perhaps by 50%. Recommended for small systems that aren't doing
7c7c5326ad73 clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents: 1514
diff changeset
47 * much traffic. */
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
48 #define DROPBEAR_SMALL_CODE 1
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
49
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
50 /* Enable X11 Forwarding - server only */
1714
c0f12eaf95c9 Disable by default 3des, cbc, hmac-sha1-96, x11 forwarding
Matt Johnston <matt@ucc.asn.au>
parents: 1713
diff changeset
51 #define DROPBEAR_X11FWD 0
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
52
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
53 /* Enable TCP Fowarding */
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
54 /* 'Local' is "-L" style (client listening port forwarded via server)
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
55 * 'Remote' is "-R" style (server listening port forwarded via client) */
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
56 #define DROPBEAR_CLI_LOCALTCPFWD 1
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
57 #define DROPBEAR_CLI_REMOTETCPFWD 1
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
58
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
59 #define DROPBEAR_SVR_LOCALTCPFWD 1
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
60 #define DROPBEAR_SVR_REMOTETCPFWD 1
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
61
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
62 /* Enable Authentication Agent Forwarding */
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
63 #define DROPBEAR_SVR_AGENTFWD 1
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
64 #define DROPBEAR_CLI_AGENTFWD 1
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
65
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
66 /* Note: Both DROPBEAR_CLI_PROXYCMD and DROPBEAR_CLI_NETCAT must be set to
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
67 * allow multihop dbclient connections */
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
68
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
69 /* Allow using -J <proxycommand> to run the connection through a
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
70 pipe to a program, rather the normal TCP connection */
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
71 #define DROPBEAR_CLI_PROXYCMD 1
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
72
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
73 /* Enable "Netcat mode" option. This will forward standard input/output
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
74 * to a remote TCP-forwarded connection */
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
75 #define DROPBEAR_CLI_NETCAT 1
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
76
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
77 /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
1499
2d450c1056e3 options: Complete the transition to numeric toggles (`#if')
Michael Witten <mfwitten@gmail.com>
parents: 1494
diff changeset
78 #define DROPBEAR_USER_ALGO_LIST 1
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
79
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
80 /* Encryption - at least one required.
1514
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
81 * AES128 should be enabled, some very old implementations might only
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
82 * support 3DES.
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
83 * Including both AES keysize variants (128 and 256) will result in
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
84 * a minimal size increase */
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
85 #define DROPBEAR_AES128 1
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
86 #define DROPBEAR_AES256 1
1714
c0f12eaf95c9 Disable by default 3des, cbc, hmac-sha1-96, x11 forwarding
Matt Johnston <matt@ucc.asn.au>
parents: 1713
diff changeset
87 #define DROPBEAR_3DES 0
1517
7c7c5326ad73 clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents: 1514
diff changeset
88 #define DROPBEAR_TWOFISH256 0
7c7c5326ad73 clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents: 1514
diff changeset
89 #define DROPBEAR_TWOFISH128 0
1499
2d450c1056e3 options: Complete the transition to numeric toggles (`#if')
Michael Witten <mfwitten@gmail.com>
parents: 1494
diff changeset
90
1714
c0f12eaf95c9 Disable by default 3des, cbc, hmac-sha1-96, x11 forwarding
Matt Johnston <matt@ucc.asn.au>
parents: 1713
diff changeset
91 /* Enable Chacha20-Poly1305 authenticated encryption mode. This is
c0f12eaf95c9 Disable by default 3des, cbc, hmac-sha1-96, x11 forwarding
Matt Johnston <matt@ucc.asn.au>
parents: 1713
diff changeset
92 * generally faster than AES256 on CPU w/o dedicated AES instructions,
c0f12eaf95c9 Disable by default 3des, cbc, hmac-sha1-96, x11 forwarding
Matt Johnston <matt@ucc.asn.au>
parents: 1713
diff changeset
93 * having the same key size. Recommended.
c0f12eaf95c9 Disable by default 3des, cbc, hmac-sha1-96, x11 forwarding
Matt Johnston <matt@ucc.asn.au>
parents: 1713
diff changeset
94 * Compiling in will add ~5,5kB to binary size on x86-64 */
c0f12eaf95c9 Disable by default 3des, cbc, hmac-sha1-96, x11 forwarding
Matt Johnston <matt@ucc.asn.au>
parents: 1713
diff changeset
95 #define DROPBEAR_CHACHA20POLY1305 1
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
96
1714
c0f12eaf95c9 Disable by default 3des, cbc, hmac-sha1-96, x11 forwarding
Matt Johnston <matt@ucc.asn.au>
parents: 1713
diff changeset
97 /* Enable "Counter Mode" for ciphers. Recommended. */
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
98 #define DROPBEAR_ENABLE_CTR_MODE 1
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
99
1714
c0f12eaf95c9 Disable by default 3des, cbc, hmac-sha1-96, x11 forwarding
Matt Johnston <matt@ucc.asn.au>
parents: 1713
diff changeset
100 /* Enable CBC mode for ciphers. This has security issues though
c0f12eaf95c9 Disable by default 3des, cbc, hmac-sha1-96, x11 forwarding
Matt Johnston <matt@ucc.asn.au>
parents: 1713
diff changeset
101 may be required for compatibility with old implementations */
c0f12eaf95c9 Disable by default 3des, cbc, hmac-sha1-96, x11 forwarding
Matt Johnston <matt@ucc.asn.au>
parents: 1713
diff changeset
102 #define DROPBEAR_ENABLE_CBC_MODE 0
c0f12eaf95c9 Disable by default 3des, cbc, hmac-sha1-96, x11 forwarding
Matt Johnston <matt@ucc.asn.au>
parents: 1713
diff changeset
103
1672
3a97f14c0235 Add Chacha20-Poly1305, AES128-GCM and AES256-GCM support (#93)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents: 1660
diff changeset
104 /* Enable "Galois/Counter Mode" for ciphers. This authenticated
3a97f14c0235 Add Chacha20-Poly1305, AES128-GCM and AES256-GCM support (#93)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents: 1660
diff changeset
105 * encryption mode is combination of CTR mode and GHASH. Recommended
3a97f14c0235 Add Chacha20-Poly1305, AES128-GCM and AES256-GCM support (#93)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents: 1660
diff changeset
106 * for security and forwards compatibility, but slower than CTR on
3a97f14c0235 Add Chacha20-Poly1305, AES128-GCM and AES256-GCM support (#93)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents: 1660
diff changeset
107 * CPU w/o dedicated AES/GHASH instructions.
3a97f14c0235 Add Chacha20-Poly1305, AES128-GCM and AES256-GCM support (#93)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents: 1660
diff changeset
108 * Compiling in will add ~6kB to binary size on x86-64 */
3a97f14c0235 Add Chacha20-Poly1305, AES128-GCM and AES256-GCM support (#93)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents: 1660
diff changeset
109 #define DROPBEAR_ENABLE_GCM_MODE 0
3a97f14c0235 Add Chacha20-Poly1305, AES128-GCM and AES256-GCM support (#93)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents: 1660
diff changeset
110
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
111 /* Message integrity. sha2-256 is recommended as a default,
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
112 sha1 for compatibility */
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
113 #define DROPBEAR_SHA1_HMAC 1
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
114 #define DROPBEAR_SHA2_256_HMAC 1
1714
c0f12eaf95c9 Disable by default 3des, cbc, hmac-sha1-96, x11 forwarding
Matt Johnston <matt@ucc.asn.au>
parents: 1713
diff changeset
115 #define DROPBEAR_SHA1_96_HMAC 0
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
116
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
117 /* Hostkey/public key algorithms - at least one required, these are used
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
118 * for hostkey as well as for verifying signatures with pubkey auth.
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
119 * Removing either of these won't save very much space.
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
120 * RSA is recommended
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
121 * DSS may be necessary to connect to some systems though
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
122 is not recommended for new keys */
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
123 #define DROPBEAR_RSA 1
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
124 #define DROPBEAR_DSS 1
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
125 /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
126 * code (either ECDSA or ECDH) increases binary size - around 30kB
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
127 * on x86-64 */
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
128 #define DROPBEAR_ECDSA 1
1659
d32bcb5c557d Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents: 1634
diff changeset
129 /* Ed25519 is faster than ECDSA. Compiling in Ed25519 code increases
d32bcb5c557d Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents: 1634
diff changeset
130 binary size - around 7,5kB on x86-64 */
d32bcb5c557d Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents: 1634
diff changeset
131 #define DROPBEAR_ED25519 1
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
132
1438
4f8eb331174f add configuration option for default RSA size.
Matt Johnston <matt@ucc.asn.au>
parents: 1295
diff changeset
133 /* RSA must be >=1024 */
4f8eb331174f add configuration option for default RSA size.
Matt Johnston <matt@ucc.asn.au>
parents: 1295
diff changeset
134 #define DROPBEAR_DEFAULT_RSA_SIZE 2048
4f8eb331174f add configuration option for default RSA size.
Matt Johnston <matt@ucc.asn.au>
parents: 1295
diff changeset
135 /* DSS is always 1024 */
4f8eb331174f add configuration option for default RSA size.
Matt Johnston <matt@ucc.asn.au>
parents: 1295
diff changeset
136 /* ECDSA defaults to largest size configured, usually 521 */
1659
d32bcb5c557d Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents: 1634
diff changeset
137 /* Ed25519 is always 256 */
1438
4f8eb331174f add configuration option for default RSA size.
Matt Johnston <matt@ucc.asn.au>
parents: 1295
diff changeset
138
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
139 /* Add runtime flag "-R" to generate hostkeys as-needed when the first
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
140 connection using that key type occurs.
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
141 This avoids the need to otherwise run "dropbearkey" and avoids some problems
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
142 with badly seeded /dev/urandom when systems first boot. */
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
143 #define DROPBEAR_DELAY_HOSTKEY 1
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
144
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
145
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
146 /* Key exchange algorithm.
1517
7c7c5326ad73 clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents: 1514
diff changeset
147
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
148 * group14_sha1 - 2048 bit, sha1
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
149 * group14_sha256 - 2048 bit, sha2-256
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
150 * group16 - 4096 bit, sha2-512
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
151 * group1 - 1024 bit, sha1
1517
7c7c5326ad73 clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents: 1514
diff changeset
152 * curve25519 - elliptic curve DH
7c7c5326ad73 clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents: 1514
diff changeset
153 * ecdh - NIST elliptic curve DH (256, 384, 521)
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
154 *
1517
7c7c5326ad73 clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents: 1514
diff changeset
155 * group1 is too small for security though is necessary if you need
7c7c5326ad73 clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents: 1514
diff changeset
156 compatibility with some implementations such as Dropbear versions < 0.53
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
157 * group14 is supported by most implementations.
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
158 * group16 provides a greater strength level but is slower and increases binary size
1517
7c7c5326ad73 clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents: 1514
diff changeset
159 * curve25519 and ecdh algorithms are faster than non-elliptic curve methods
1659
d32bcb5c557d Add Ed25519 support (#91)
Vladislav Grishenko <themiron@users.noreply.github.com>
parents: 1634
diff changeset
160 * curve25519 increases binary size by ~2,5kB on x86-64
1517
7c7c5326ad73 clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents: 1514
diff changeset
161 * including either ECDH or ECDSA increases binary size by ~30kB on x86-64
7c7c5326ad73 clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents: 1514
diff changeset
162
7c7c5326ad73 clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents: 1514
diff changeset
163 * Small systems should generally include either curve25519 or ecdh for performance.
7c7c5326ad73 clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents: 1514
diff changeset
164 * curve25519 is less widely supported but is faster
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
165 */
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
166 #define DROPBEAR_DH_GROUP14_SHA1 1
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
167 #define DROPBEAR_DH_GROUP14_SHA256 1
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
168 #define DROPBEAR_DH_GROUP16 0
1517
7c7c5326ad73 clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents: 1514
diff changeset
169 #define DROPBEAR_CURVE25519 1
7c7c5326ad73 clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents: 1514
diff changeset
170 #define DROPBEAR_ECDH 1
1544
d1a8a05216ff make group1 client-only
Matt Johnston <matt@ucc.asn.au>
parents: 1542
diff changeset
171 #define DROPBEAR_DH_GROUP1 1
d1a8a05216ff make group1 client-only
Matt Johnston <matt@ucc.asn.au>
parents: 1542
diff changeset
172
d1a8a05216ff make group1 client-only
Matt Johnston <matt@ucc.asn.au>
parents: 1542
diff changeset
173 /* When group1 is enabled it will only be allowed by Dropbear client
d1a8a05216ff make group1 client-only
Matt Johnston <matt@ucc.asn.au>
parents: 1542
diff changeset
174 not as a server, due to concerns over its strength. Set to 0 to allow
d1a8a05216ff make group1 client-only
Matt Johnston <matt@ucc.asn.au>
parents: 1542
diff changeset
175 group1 in Dropbear server too */
d1a8a05216ff make group1 client-only
Matt Johnston <matt@ucc.asn.au>
parents: 1542
diff changeset
176 #define DROPBEAR_DH_GROUP1_CLIENTONLY 1
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
177
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
178 /* Control the memory/performance/compression tradeoff for zlib.
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
179 * Set windowBits=8 for least memory usage, see your system's
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
180 * zlib.h for full details.
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
181 * Default settings (windowBits=15) will use 256kB for compression
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
182 * windowBits=8 will use 129kB for compression.
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
183 * Both modes will use ~35kB for decompression (using windowBits=15 for
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
184 * interoperability) */
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
185 #define DROPBEAR_ZLIB_WINDOW_BITS 15
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
186
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
187 /* Whether to do reverse DNS lookups. */
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
188 #define DO_HOST_LOOKUP 0
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
189
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
190 /* Whether to print the message of the day (MOTD). */
1660
26e07f7f682a MOTD enabled by default as the manpage says (#87)
zciendor <37557036+zciendor@users.noreply.github.com>
parents: 1659
diff changeset
191 #define DO_MOTD 1
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
192 #define MOTD_FILENAME "/etc/motd"
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
193
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
194 /* Authentication Types - at least one required.
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
195 RFC Draft requires pubkey auth, and recommends password */
1514
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
196 #define DROPBEAR_SVR_PASSWORD_AUTH 1
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
197
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
198 /* Note: PAM auth is quite simple and only works for PAM modules which just do
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
199 * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c).
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
200 * It's useful for systems like OS X where standard password crypts don't work
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
201 * but there's an interface via a PAM module. It won't work for more complex
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
202 * PAM challenge/response.
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
203 * You can't enable both PASSWORD and PAM. */
1514
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
204 #define DROPBEAR_SVR_PAM_AUTH 0
1499
2d450c1056e3 options: Complete the transition to numeric toggles (`#if')
Michael Witten <mfwitten@gmail.com>
parents: 1494
diff changeset
205
1514
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
206 /* ~/.ssh/authorized_keys authentication */
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
207 #define DROPBEAR_SVR_PUBKEY_AUTH 1
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
208
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
209 /* Whether to take public key options in
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
210 * authorized_keys file into account */
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
211 #define DROPBEAR_SVR_PUBKEY_OPTIONS 1
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
212
1634
aabde6f57fce Add a sanity check for DROPBEAR_SVR_MULTIUSER==0 mode
Matt Johnston <matt@ucc.asn.au>
parents: 1633
diff changeset
213 /* Set this to 0 if your system does not have multiple user support.
aabde6f57fce Add a sanity check for DROPBEAR_SVR_MULTIUSER==0 mode
Matt Johnston <matt@ucc.asn.au>
parents: 1633
diff changeset
214 (Linux kernel CONFIG_MULTIUSER option)
aabde6f57fce Add a sanity check for DROPBEAR_SVR_MULTIUSER==0 mode
Matt Johnston <matt@ucc.asn.au>
parents: 1633
diff changeset
215 The resulting binary will not run on a normal system. */
1633
592a18dac250 Support servers without multiple user support (#76)
Patrick Stewart <patstew@gmail.com>
parents: 1617
diff changeset
216 #define DROPBEAR_SVR_MULTIUSER 1
592a18dac250 Support servers without multiple user support (#76)
Patrick Stewart <patstew@gmail.com>
parents: 1617
diff changeset
217
1514
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
218 /* Client authentication options */
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
219 #define DROPBEAR_CLI_PASSWORD_AUTH 1
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
220 #define DROPBEAR_CLI_PUBKEY_AUTH 1
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
221
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
222 /* A default argument for dbclient -i <privatekey>.
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
223 Homedir is prepended unless path begins with / */
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
224 #define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear"
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
225
1514
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
226 /* Allow specifying the password for dbclient via the DROPBEAR_PASSWORD
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
227 * environment variable. */
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
228 #define DROPBEAR_USE_PASSWORD_ENV 1
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
229
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
230 /* Define this (as well as DROPBEAR_CLI_PASSWORD_AUTH) to allow the use of
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
231 * a helper program for the ssh client. The helper program should be
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
232 * specified in the SSH_ASKPASS environment variable, and dbclient
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
233 * should be run with DISPLAY set and no tty. The program should
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
234 * return the password on standard output */
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
235 #define DROPBEAR_CLI_ASKPASS_HELPER 0
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
236
1514
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
237 /* Save a network roundtrip by sendng a real auth request immediately after
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
238 * sending a query for the available methods. This is not yet enabled by default
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
239 since it could cause problems with non-compliant servers */
1517
7c7c5326ad73 clean up some default options
Matt Johnston <matt@ucc.asn.au>
parents: 1514
diff changeset
240 #define DROPBEAR_CLI_IMMEDIATE_AUTH 0
1499
2d450c1056e3 options: Complete the transition to numeric toggles (`#if')
Michael Witten <mfwitten@gmail.com>
parents: 1494
diff changeset
241
1514
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
242 /* Set this to use PRNGD or EGD instead of /dev/urandom */
1499
2d450c1056e3 options: Complete the transition to numeric toggles (`#if')
Michael Witten <mfwitten@gmail.com>
parents: 1494
diff changeset
243 #define DROPBEAR_USE_PRNGD 0
2d450c1056e3 options: Complete the transition to numeric toggles (`#if')
Michael Witten <mfwitten@gmail.com>
parents: 1494
diff changeset
244 #define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
245
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
246 /* Specify the number of clients we will allow to be connected but
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
247 * not yet authenticated. After this limit, connections are rejected */
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
248 /* The first setting is per-IP, to avoid denial of service */
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
249 #define MAX_UNAUTH_PER_IP 5
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
250
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
251 /* And then a global limit to avoid chewing memory if connections
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
252 * come from many IPs */
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
253 #define MAX_UNAUTH_CLIENTS 30
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
254
1445
a3a96dbf9a58 Use MAX_AUTH_TRIES rather than DEFAULT_AUTH_TRIES, don't limit argument range
Matt Johnston <matt@ucc.asn.au>
parents: 1442
diff changeset
255 /* Default maximum number of failed authentication tries (server option) */
a3a96dbf9a58 Use MAX_AUTH_TRIES rather than DEFAULT_AUTH_TRIES, don't limit argument range
Matt Johnston <matt@ucc.asn.au>
parents: 1442
diff changeset
256 /* -T server option overrides */
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
257 #define MAX_AUTH_TRIES 10
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
258
1790
42745af83b7d Introduce extra delay before closing unauthenticated sessions
Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
parents: 1714
diff changeset
259 /* Delay introduced before closing an unauthenticated session (seconds) */
42745af83b7d Introduce extra delay before closing unauthenticated sessions
Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
parents: 1714
diff changeset
260 #define UNAUTH_CLOSE_DELAY 30
42745af83b7d Introduce extra delay before closing unauthenticated sessions
Thomas De Schampheleire <thomas.de_schampheleire@nokia.com>
parents: 1714
diff changeset
261
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
262 /* The default file to store the daemon's process ID, for shutdown
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
263 scripts etc. This can be overridden with the -P flag */
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
264 #define DROPBEAR_PIDFILE "/var/run/dropbear.pid"
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
265
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
266 /* The command to invoke for xauth when using X11 forwarding.
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
267 * "-q" for quiet */
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
268 #define XAUTH_COMMAND "/usr/bin/xauth -q"
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
269
1499
2d450c1056e3 options: Complete the transition to numeric toggles (`#if')
Michael Witten <mfwitten@gmail.com>
parents: 1494
diff changeset
270
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
271 /* if you want to enable running an sftp server (such as the one included with
1514
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
272 * OpenSSH), set the path below and set DROPBEAR_SFTPSERVER.
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
273 * The sftp-server program is not provided by Dropbear itself */
6c16a05023aa rename some options and move some to sysoptions.h
Matt Johnston <matt@ucc.asn.au>
parents: 1499
diff changeset
274 #define DROPBEAR_SFTPSERVER 1
1295
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
275 #define SFTPSERVER_PATH "/usr/libexec/sftp-server"
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
276
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
277 /* This is used by the scp binary when used as a client binary. If you're
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
278 * not using the Dropbear client, you'll need to change it */
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
279 #define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/dbclient"
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
280
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
281 /* Whether to log commands executed by a client. This only logs the
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
282 * (single) command sent to the server, not what a user did in a
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
283 * shell/sftp session etc. */
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
284 #define LOG_COMMANDS 0
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
285
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
286 /* Window size limits. These tend to be a trade-off between memory
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
287 usage and network performance: */
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
288 /* Size of the network receive window. This amount of memory is allocated
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
289 as a per-channel receive buffer. Increasing this value can make a
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
290 significant difference to network performance. 24kB was empirically
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
291 chosen for a 100mbit ethernet network. The value can be altered at
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
292 runtime with the -W argument. */
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
293 #define DEFAULT_RECV_WINDOW 24576
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
294 /* Maximum size of a received SSH data packet - this _MUST_ be >= 32768
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
295 in order to interoperate with other implementations */
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
296 #define RECV_MAX_PAYLOAD_LEN 32768
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
297 /* Maximum size of a transmitted data packet - this can be any value,
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
298 though increasing it may not make a significant difference. */
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
299 #define TRANS_MAX_PAYLOAD_LEN 16384
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
300
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
301 /* Ensure that data is transmitted every KEEPALIVE seconds. This can
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
302 be overridden at runtime with -K. 0 disables keepalives */
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
303 #define DEFAULT_KEEPALIVE 0
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
304
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
305 /* If this many KEEPALIVES are sent with no packets received from the
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
306 other side, exit. Not run-time configurable - if you have a need
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
307 for runtime configuration please mail the Dropbear list */
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
308 #define DEFAULT_KEEPALIVE_LIMIT 3
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
309
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
310 /* Ensure that data is received within IDLE_TIMEOUT seconds. This can
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
311 be overridden at runtime with -I. 0 disables idle timeouts */
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
312 #define DEFAULT_IDLE_TIMEOUT 0
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
313
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
314 /* The default path. This will often get replaced by the shell */
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
315 #define DEFAULT_PATH "/usr/bin:/bin"
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
316
750ec4ec4cbe Convert #ifdef to #if, other build changes
Matt Johnston <matt@ucc.asn.au>
parents:
diff changeset
317 #endif /* DROPBEAR_DEFAULT_OPTIONS_H_ */