Mercurial > dropbear
annotate options.h @ 1340:5c9207ceedae
Added tag DROPBEAR_2017.75 for changeset c31276613181
author | Matt Johnston <matt@ucc.asn.au> |
---|---|
date | Thu, 18 May 2017 22:58:14 +0800 |
parents | 739b3909c499 |
children | dc8f7997f10f |
rev | line source |
---|---|
90
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
84
diff
changeset
|
1 /* Dropbear SSH |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
2 * Copyright (c) 2002,2003 Matt Johnston |
90
c2ac796b130e
merge of 00b67a11e33c3ed390556805ed6d1078528bee70
Matt Johnston <matt@ucc.asn.au>
parents:
84
diff
changeset
|
3 * All rights reserved. See LICENSE for the license. */ |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
4 |
1036
deed0571cacc
DROPBEAR_ prefix for include guards to avoid collisions
Thorsten Horstmann <thorsten.horstmann@web.de>
parents:
1013
diff
changeset
|
5 #ifndef DROPBEAR_OPTIONS_H_ |
deed0571cacc
DROPBEAR_ prefix for include guards to avoid collisions
Thorsten Horstmann <thorsten.horstmann@web.de>
parents:
1013
diff
changeset
|
6 #define DROPBEAR_OPTIONS_H_ |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
7 |
761
ac2158e3e403
ecc kind of works, needs fixing/testing
Matt Johnston <matt@ucc.asn.au>
parents:
755
diff
changeset
|
8 /* Define compile-time options below - the "#ifndef DROPBEAR_XXX .... #endif" |
ac2158e3e403
ecc kind of works, needs fixing/testing
Matt Johnston <matt@ucc.asn.au>
parents:
755
diff
changeset
|
9 * parts are to allow for commandline -DDROPBEAR_XXX options etc. */ |
ac2158e3e403
ecc kind of works, needs fixing/testing
Matt Johnston <matt@ucc.asn.au>
parents:
755
diff
changeset
|
10 |
847
f4bb964c8678
Add '-R' for delayed hostkey option
Matt Johnston <matt@ucc.asn.au>
parents:
846
diff
changeset
|
11 /* IMPORTANT: Many options will require "make clean" after changes */ |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
12 |
112 | 13 #ifndef DROPBEAR_DEFPORT |
104
298098b2a61e
Default port is now set as a string
Matt Johnston <matt@ucc.asn.au>
parents:
90
diff
changeset
|
14 #define DROPBEAR_DEFPORT "22" |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
15 #endif |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
16 |
434
0aaaf68e97dc
Add -p [address:]port option for binding to addresses, patch from
Matt Johnston <matt@ucc.asn.au>
parents:
291
diff
changeset
|
17 #ifndef DROPBEAR_DEFADDRESS |
0aaaf68e97dc
Add -p [address:]port option for binding to addresses, patch from
Matt Johnston <matt@ucc.asn.au>
parents:
291
diff
changeset
|
18 /* Listen on all interfaces */ |
0aaaf68e97dc
Add -p [address:]port option for binding to addresses, patch from
Matt Johnston <matt@ucc.asn.au>
parents:
291
diff
changeset
|
19 #define DROPBEAR_DEFADDRESS "" |
0aaaf68e97dc
Add -p [address:]port option for binding to addresses, patch from
Matt Johnston <matt@ucc.asn.au>
parents:
291
diff
changeset
|
20 #endif |
0aaaf68e97dc
Add -p [address:]port option for binding to addresses, patch from
Matt Johnston <matt@ucc.asn.au>
parents:
291
diff
changeset
|
21 |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
22 /* Default hostkey paths - these can be specified on the command line */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
23 #ifndef DSS_PRIV_FILENAME |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
24 #define DSS_PRIV_FILENAME "/etc/dropbear/dropbear_dss_host_key" |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
25 #endif |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
26 #ifndef RSA_PRIV_FILENAME |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
27 #define RSA_PRIV_FILENAME "/etc/dropbear/dropbear_rsa_host_key" |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
28 #endif |
795 | 29 #ifndef ECDSA_PRIV_FILENAME |
30 #define ECDSA_PRIV_FILENAME "/etc/dropbear/dropbear_ecdsa_host_key" | |
31 #endif | |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
32 |
71
ac96bc733e71
adding inetd mode back from 0.43
Matt Johnston <matt@ucc.asn.au>
parents:
70
diff
changeset
|
33 /* Set NON_INETD_MODE if you require daemon functionality (ie Dropbear listens |
ac96bc733e71
adding inetd mode back from 0.43
Matt Johnston <matt@ucc.asn.au>
parents:
70
diff
changeset
|
34 * on chosen ports and keeps accepting connections. This is the default. |
ac96bc733e71
adding inetd mode back from 0.43
Matt Johnston <matt@ucc.asn.au>
parents:
70
diff
changeset
|
35 * |
ac96bc733e71
adding inetd mode back from 0.43
Matt Johnston <matt@ucc.asn.au>
parents:
70
diff
changeset
|
36 * Set INETD_MODE if you want to be able to run Dropbear with inetd (or |
ac96bc733e71
adding inetd mode back from 0.43
Matt Johnston <matt@ucc.asn.au>
parents:
70
diff
changeset
|
37 * similar), where it will use stdin/stdout for connections, and each process |
ac96bc733e71
adding inetd mode back from 0.43
Matt Johnston <matt@ucc.asn.au>
parents:
70
diff
changeset
|
38 * lasts for a single connection. Dropbear should be invoked with the -i flag |
ac96bc733e71
adding inetd mode back from 0.43
Matt Johnston <matt@ucc.asn.au>
parents:
70
diff
changeset
|
39 * for inetd, and can only accept IPv4 connections. |
ac96bc733e71
adding inetd mode back from 0.43
Matt Johnston <matt@ucc.asn.au>
parents:
70
diff
changeset
|
40 * |
ac96bc733e71
adding inetd mode back from 0.43
Matt Johnston <matt@ucc.asn.au>
parents:
70
diff
changeset
|
41 * Both of these flags can be defined at once, don't compile without at least |
ac96bc733e71
adding inetd mode back from 0.43
Matt Johnston <matt@ucc.asn.au>
parents:
70
diff
changeset
|
42 * one of them. */ |
ac96bc733e71
adding inetd mode back from 0.43
Matt Johnston <matt@ucc.asn.au>
parents:
70
diff
changeset
|
43 #define NON_INETD_MODE |
ac96bc733e71
adding inetd mode back from 0.43
Matt Johnston <matt@ucc.asn.au>
parents:
70
diff
changeset
|
44 #define INETD_MODE |
ac96bc733e71
adding inetd mode back from 0.43
Matt Johnston <matt@ucc.asn.au>
parents:
70
diff
changeset
|
45 |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
46 /* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
47 * perhaps 20% slower for pubkey operations (it is probably worth experimenting |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
48 * if you want to use this) */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
49 /*#define NO_FAST_EXPTMOD*/ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
50 |
70
b0316ce64e4b
Merging in the changes from 0.41-0.43 main Dropbear tree
Matt Johnston <matt@ucc.asn.au>
parents:
68
diff
changeset
|
51 /* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save |
536
1037aabf701b
- Turn DROPBEAR_SMALL_CODE off by default
Matt Johnston <matt@ucc.asn.au>
parents:
517
diff
changeset
|
52 several kB in binary size however will make the symmetrical ciphers and hashes |
1037aabf701b
- Turn DROPBEAR_SMALL_CODE off by default
Matt Johnston <matt@ucc.asn.au>
parents:
517
diff
changeset
|
53 slower, perhaps by 50%. Recommended for small systems that aren't doing |
1037aabf701b
- Turn DROPBEAR_SMALL_CODE off by default
Matt Johnston <matt@ucc.asn.au>
parents:
517
diff
changeset
|
54 much traffic. */ |
804
34b73c9d8aa3
Enable SMALL_CODE by default
Matt Johnston <matt@ucc.asn.au>
parents:
801
diff
changeset
|
55 #define DROPBEAR_SMALL_CODE |
70
b0316ce64e4b
Merging in the changes from 0.41-0.43 main Dropbear tree
Matt Johnston <matt@ucc.asn.au>
parents:
68
diff
changeset
|
56 |
66
38c3146aa23d
Some more sanity-checking of args, and just warn and ignore OpenSSH args
Matt Johnston <matt@ucc.asn.au>
parents:
65
diff
changeset
|
57 /* Enable X11 Forwarding - server only */ |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
58 #define ENABLE_X11FWD |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
59 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
60 /* Enable TCP Fowarding */ |
66
38c3146aa23d
Some more sanity-checking of args, and just warn and ignore OpenSSH args
Matt Johnston <matt@ucc.asn.au>
parents:
65
diff
changeset
|
61 /* 'Local' is "-L" style (client listening port forwarded via server) |
38c3146aa23d
Some more sanity-checking of args, and just warn and ignore OpenSSH args
Matt Johnston <matt@ucc.asn.au>
parents:
65
diff
changeset
|
62 * 'Remote' is "-R" style (server listening port forwarded via client) */ |
38c3146aa23d
Some more sanity-checking of args, and just warn and ignore OpenSSH args
Matt Johnston <matt@ucc.asn.au>
parents:
65
diff
changeset
|
63 |
64 | 64 #define ENABLE_CLI_LOCALTCPFWD |
65 #define ENABLE_CLI_REMOTETCPFWD | |
66 | |
67 #define ENABLE_SVR_LOCALTCPFWD | |
68 #define ENABLE_SVR_REMOTETCPFWD | |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
69 |
604
810dfc792ca9
Compile fix for when both client and server agent forwarding is disabled
Matt Johnston <matt@ucc.asn.au>
parents:
596
diff
changeset
|
70 /* Enable Authentication Agent Forwarding */ |
225
ca7e76d981d9
- progress towards client agent forwarding
Matt Johnston <matt@ucc.asn.au>
parents:
220
diff
changeset
|
71 #define ENABLE_SVR_AGENTFWD |
ca7e76d981d9
- progress towards client agent forwarding
Matt Johnston <matt@ucc.asn.au>
parents:
220
diff
changeset
|
72 #define ENABLE_CLI_AGENTFWD |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
73 |
508
d4bbc0039008
- Set a default path, since bash won't export one otherwise (though it will set
Matt Johnston <matt@ucc.asn.au>
parents:
503
diff
changeset
|
74 |
d4bbc0039008
- Set a default path, since bash won't export one otherwise (though it will set
Matt Johnston <matt@ucc.asn.au>
parents:
503
diff
changeset
|
75 /* Note: Both ENABLE_CLI_PROXYCMD and ENABLE_CLI_NETCAT must be set to |
d4bbc0039008
- Set a default path, since bash won't export one otherwise (though it will set
Matt Johnston <matt@ucc.asn.au>
parents:
503
diff
changeset
|
76 * allow multihop dbclient connections */ |
d4bbc0039008
- Set a default path, since bash won't export one otherwise (though it will set
Matt Johnston <matt@ucc.asn.au>
parents:
503
diff
changeset
|
77 |
d4bbc0039008
- Set a default path, since bash won't export one otherwise (though it will set
Matt Johnston <matt@ucc.asn.au>
parents:
503
diff
changeset
|
78 /* Allow using -J <proxycommand> to run the connection through a |
d4bbc0039008
- Set a default path, since bash won't export one otherwise (though it will set
Matt Johnston <matt@ucc.asn.au>
parents:
503
diff
changeset
|
79 pipe to a program, rather the normal TCP connection */ |
d4bbc0039008
- Set a default path, since bash won't export one otherwise (though it will set
Matt Johnston <matt@ucc.asn.au>
parents:
503
diff
changeset
|
80 #define ENABLE_CLI_PROXYCMD |
d4bbc0039008
- Set a default path, since bash won't export one otherwise (though it will set
Matt Johnston <matt@ucc.asn.au>
parents:
503
diff
changeset
|
81 |
d4bbc0039008
- Set a default path, since bash won't export one otherwise (though it will set
Matt Johnston <matt@ucc.asn.au>
parents:
503
diff
changeset
|
82 /* Enable "Netcat mode" option. This will forward standard input/output |
d4bbc0039008
- Set a default path, since bash won't export one otherwise (though it will set
Matt Johnston <matt@ucc.asn.au>
parents:
503
diff
changeset
|
83 * to a remote TCP-forwarded connection */ |
485
12d845ab7b5f
Rework netcat-alike to be a proper mode, with -B argument.
Matt Johnston <matt@ucc.asn.au>
parents:
473
diff
changeset
|
84 #define ENABLE_CLI_NETCAT |
12d845ab7b5f
Rework netcat-alike to be a proper mode, with -B argument.
Matt Johnston <matt@ucc.asn.au>
parents:
473
diff
changeset
|
85 |
682
4edea9f363d0
Add rough support for choosing ciphers/hashes with "-c" or "-m"
Matt Johnston <matt@ucc.asn.au>
parents:
677
diff
changeset
|
86 /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */ |
683
63f8d6c469cf
ENABLE_USER_ALGO_LIST should work for the client
Matt Johnston <matt@ucc.asn.au>
parents:
682
diff
changeset
|
87 #define ENABLE_USER_ALGO_LIST |
682
4edea9f363d0
Add rough support for choosing ciphers/hashes with "-c" or "-m"
Matt Johnston <matt@ucc.asn.au>
parents:
677
diff
changeset
|
88 |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
89 /* Encryption - at least one required. |
502 | 90 * Protocol RFC requires 3DES and recommends AES128 for interoperability. |
228
5e4110bb753a
- Fixed twofish algorithm naming so it actually works.
Matt Johnston <matt@ucc.asn.au>
parents:
220
diff
changeset
|
91 * Including multiple keysize variants the same cipher |
5e4110bb753a
- Fixed twofish algorithm naming so it actually works.
Matt Johnston <matt@ucc.asn.au>
parents:
220
diff
changeset
|
92 * (eg AES256 as well as AES128) will result in a minimal size increase.*/ |
502 | 93 #define DROPBEAR_AES128 |
94 #define DROPBEAR_3DES | |
95 #define DROPBEAR_AES256 | |
554
1d5a3df28b53
Disable Blowfish by default, it has inefficient key memory use
Matt Johnston <matt@ucc.asn.au>
parents:
536
diff
changeset
|
96 /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */ |
1d5a3df28b53
Disable Blowfish by default, it has inefficient key memory use
Matt Johnston <matt@ucc.asn.au>
parents:
536
diff
changeset
|
97 /*#define DROPBEAR_BLOWFISH*/ |
1013
a1e79ffa5862
Tighten validation of DH values. Odds of x==0 being generated are
Matt Johnston <matt@ucc.asn.au>
parents:
996
diff
changeset
|
98 #define DROPBEAR_TWOFISH256 |
a1e79ffa5862
Tighten validation of DH values. Odds of x==0 being generated are
Matt Johnston <matt@ucc.asn.au>
parents:
996
diff
changeset
|
99 #define DROPBEAR_TWOFISH128 |
992
731f624af902
Add config option to disable cbc. Disable twofish by default
Matt Johnston <matt@ucc.asn.au>
parents:
988
diff
changeset
|
100 |
731f624af902
Add config option to disable cbc. Disable twofish by default
Matt Johnston <matt@ucc.asn.au>
parents:
988
diff
changeset
|
101 /* Enable CBC mode for ciphers. This has security issues though |
731f624af902
Add config option to disable cbc. Disable twofish by default
Matt Johnston <matt@ucc.asn.au>
parents:
988
diff
changeset
|
102 * is the most compatible with older SSH implementations */ |
731f624af902
Add config option to disable cbc. Disable twofish by default
Matt Johnston <matt@ucc.asn.au>
parents:
988
diff
changeset
|
103 #define DROPBEAR_ENABLE_CBC_MODE |
502 | 104 |
105 /* Enable "Counter Mode" for ciphers. This is more secure than normal | |
1087
1e486f368ec3
Disable twofish-ctr by default, add config option
Matt Johnston <matt@ucc.asn.au>
parents:
1036
diff
changeset
|
106 * CBC mode against certain attacks. It is recommended for security |
1e486f368ec3
Disable twofish-ctr by default, add config option
Matt Johnston <matt@ucc.asn.au>
parents:
1036
diff
changeset
|
107 * and forwards compatibility */ |
502 | 108 #define DROPBEAR_ENABLE_CTR_MODE |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
109 |
1087
1e486f368ec3
Disable twofish-ctr by default, add config option
Matt Johnston <matt@ucc.asn.au>
parents:
1036
diff
changeset
|
110 /* Twofish counter mode is disabled by default because it |
1e486f368ec3
Disable twofish-ctr by default, add config option
Matt Johnston <matt@ucc.asn.au>
parents:
1036
diff
changeset
|
111 has not been tested for interoperability with other SSH implementations. |
1e486f368ec3
Disable twofish-ctr by default, add config option
Matt Johnston <matt@ucc.asn.au>
parents:
1036
diff
changeset
|
112 If you test it please contact the Dropbear author */ |
1e486f368ec3
Disable twofish-ctr by default, add config option
Matt Johnston <matt@ucc.asn.au>
parents:
1036
diff
changeset
|
113 /* #define DROPBEAR_TWOFISH_CTR */ |
1e486f368ec3
Disable twofish-ctr by default, add config option
Matt Johnston <matt@ucc.asn.au>
parents:
1036
diff
changeset
|
114 |
252
29afa62b5450
- a hack for grahame to run dropbear with "none" cipher.
Matt Johnston <matt@ucc.asn.au>
parents:
249
diff
changeset
|
115 /* You can compile with no encryption if you want. In some circumstances |
681
a4b7627b3157
Update insecure-nocrypto to current head
Matt Johnston <matt@ucc.asn.au>
diff
changeset
|
116 * this could be safe security-wise, though make sure you know what |
252
29afa62b5450
- a hack for grahame to run dropbear with "none" cipher.
Matt Johnston <matt@ucc.asn.au>
parents:
249
diff
changeset
|
117 * you're doing. Anyone can see everything that goes over the wire, so |
685
5af8993f7529
Add ALLOW_NONE_PASSWORD_AUTH option
Matt Johnston <matt@ucc.asn.au>
parents:
684
diff
changeset
|
118 * the only safe auth method is public key. */ |
713
e22d5f5f6e37
Fix "-c none" so that it allows aes during authentication
Matt Johnston <matt@ucc.asn.au>
parents:
710
diff
changeset
|
119 /* #define DROPBEAR_NONE_CIPHER */ |
512
0129fd8ccc71
Update nocrypto branch to current head
Matt Johnston <matt@ucc.asn.au>
parents:
511
diff
changeset
|
120 |
228
5e4110bb753a
- Fixed twofish algorithm naming so it actually works.
Matt Johnston <matt@ucc.asn.au>
parents:
220
diff
changeset
|
121 /* Message Integrity - at least one required. |
502 | 122 * Protocol RFC requires sha1 and recommends sha1-96. |
670
349fb2dda2dd
Improve comment about sha1-96
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
123 * sha1-96 is of use for slow links as it has a smaller overhead. |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
124 * |
670
349fb2dda2dd
Improve comment about sha1-96
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
125 * There's no reason to disable sha1 or sha1-96 to save space since it's |
349fb2dda2dd
Improve comment about sha1-96
Matt Johnston <matt@ucc.asn.au>
parents:
628
diff
changeset
|
126 * used for the random number generator and public-key cryptography anyway. |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
127 * Disabling it here will just stop it from being used as the integrity portion |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
128 * of the ssh protocol. |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
129 * |
228
5e4110bb753a
- Fixed twofish algorithm naming so it actually works.
Matt Johnston <matt@ucc.asn.au>
parents:
220
diff
changeset
|
130 * These hashes are also used for public key fingerprints in logs. |
5e4110bb753a
- Fixed twofish algorithm naming so it actually works.
Matt Johnston <matt@ucc.asn.au>
parents:
220
diff
changeset
|
131 * If you disable MD5, Dropbear will fall back to SHA1 fingerprints, |
5e4110bb753a
- Fixed twofish algorithm naming so it actually works.
Matt Johnston <matt@ucc.asn.au>
parents:
220
diff
changeset
|
132 * which are not the standard form. */ |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
133 #define DROPBEAR_SHA1_HMAC |
228
5e4110bb753a
- Fixed twofish algorithm naming so it actually works.
Matt Johnston <matt@ucc.asn.au>
parents:
220
diff
changeset
|
134 #define DROPBEAR_SHA1_96_HMAC |
988
6c0fb5428aaa
Enable sha2 HMACs by default, they're required for ecdsa already
Matt Johnston <matt@ucc.asn.au>
parents:
963
diff
changeset
|
135 #define DROPBEAR_SHA2_256_HMAC |
6c0fb5428aaa
Enable sha2 HMACs by default, they're required for ecdsa already
Matt Johnston <matt@ucc.asn.au>
parents:
963
diff
changeset
|
136 #define DROPBEAR_SHA2_512_HMAC |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
137 #define DROPBEAR_MD5_HMAC |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
138 |
252
29afa62b5450
- a hack for grahame to run dropbear with "none" cipher.
Matt Johnston <matt@ucc.asn.au>
parents:
249
diff
changeset
|
139 /* You can also disable integrity. Don't bother disabling this if you're |
681
a4b7627b3157
Update insecure-nocrypto to current head
Matt Johnston <matt@ucc.asn.au>
diff
changeset
|
140 * still using a cipher, it's relatively cheap. If you disable this it's dead |
847
f4bb964c8678
Add '-R' for delayed hostkey option
Matt Johnston <matt@ucc.asn.au>
parents:
846
diff
changeset
|
141 * simple for an attacker to run arbitrary commands on the remote host. Beware. */ |
713
e22d5f5f6e37
Fix "-c none" so that it allows aes during authentication
Matt Johnston <matt@ucc.asn.au>
parents:
710
diff
changeset
|
142 /* #define DROPBEAR_NONE_INTEGRITY */ |
252
29afa62b5450
- a hack for grahame to run dropbear with "none" cipher.
Matt Johnston <matt@ucc.asn.au>
parents:
249
diff
changeset
|
143 |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
144 /* Hostkey/public key algorithms - at least one required, these are used |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
145 * for hostkey as well as for verifying signatures with pubkey auth. |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
146 * Removing either of these won't save very much space. |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
147 * SSH2 RFC Draft requires dss, recommends rsa */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
148 #define DROPBEAR_RSA |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
149 #define DROPBEAR_DSS |
850
7507b174bba0
- Make curve25519 work after fixing a typo, interoperates with OpenSSH
Matt Johnston <matt@ucc.asn.au>
parents:
849
diff
changeset
|
150 /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC |
7507b174bba0
- Make curve25519 work after fixing a typo, interoperates with OpenSSH
Matt Johnston <matt@ucc.asn.au>
parents:
849
diff
changeset
|
151 * code (either ECDSA or ECDH) increases binary size - around 30kB |
7507b174bba0
- Make curve25519 work after fixing a typo, interoperates with OpenSSH
Matt Johnston <matt@ucc.asn.au>
parents:
849
diff
changeset
|
152 * on x86-64 */ |
847
f4bb964c8678
Add '-R' for delayed hostkey option
Matt Johnston <matt@ucc.asn.au>
parents:
846
diff
changeset
|
153 #define DROPBEAR_ECDSA |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
154 |
847
f4bb964c8678
Add '-R' for delayed hostkey option
Matt Johnston <matt@ucc.asn.au>
parents:
846
diff
changeset
|
155 /* Generate hostkeys as-needed when the first connection using that key type occurs. |
f4bb964c8678
Add '-R' for delayed hostkey option
Matt Johnston <matt@ucc.asn.au>
parents:
846
diff
changeset
|
156 This avoids the need to otherwise run "dropbearkey" and avoids some problems |
850
7507b174bba0
- Make curve25519 work after fixing a typo, interoperates with OpenSSH
Matt Johnston <matt@ucc.asn.au>
parents:
849
diff
changeset
|
157 with badly seeded /dev/urandom when systems first boot. |
851
c1c1b43f78c2
comments, turn off debugging options
Matt Johnston <matt@ucc.asn.au>
parents:
850
diff
changeset
|
158 This also requires a runtime flag "-R". This adds ~4kB to binary size (or hardly |
c1c1b43f78c2
comments, turn off debugging options
Matt Johnston <matt@ucc.asn.au>
parents:
850
diff
changeset
|
159 anything if dropbearkey is linked in a "dropbearmulti" binary) */ |
847
f4bb964c8678
Add '-R' for delayed hostkey option
Matt Johnston <matt@ucc.asn.au>
parents:
846
diff
changeset
|
160 #define DROPBEAR_DELAY_HOSTKEY |
755
b07eb3dc23ec
refactor kexdh code a bit, start working on ecdh etc
Matt Johnston <matt@ucc.asn.au>
parents:
713
diff
changeset
|
161 |
850
7507b174bba0
- Make curve25519 work after fixing a typo, interoperates with OpenSSH
Matt Johnston <matt@ucc.asn.au>
parents:
849
diff
changeset
|
162 /* Enable Curve25519 for key exchange. This is another elliptic |
7507b174bba0
- Make curve25519 work after fixing a typo, interoperates with OpenSSH
Matt Johnston <matt@ucc.asn.au>
parents:
849
diff
changeset
|
163 * curve method with good security properties. Increases binary size |
851
c1c1b43f78c2
comments, turn off debugging options
Matt Johnston <matt@ucc.asn.au>
parents:
850
diff
changeset
|
164 * by ~8kB on x86-64 */ |
848 | 165 #define DROPBEAR_CURVE25519 |
166 | |
850
7507b174bba0
- Make curve25519 work after fixing a typo, interoperates with OpenSSH
Matt Johnston <matt@ucc.asn.au>
parents:
849
diff
changeset
|
167 /* Enable elliptic curve Diffie Hellman key exchange, see note about |
7507b174bba0
- Make curve25519 work after fixing a typo, interoperates with OpenSSH
Matt Johnston <matt@ucc.asn.au>
parents:
849
diff
changeset
|
168 * ECDSA above */ |
847
f4bb964c8678
Add '-R' for delayed hostkey option
Matt Johnston <matt@ucc.asn.au>
parents:
846
diff
changeset
|
169 #define DROPBEAR_ECDH |
f4bb964c8678
Add '-R' for delayed hostkey option
Matt Johnston <matt@ucc.asn.au>
parents:
846
diff
changeset
|
170 |
1248
739b3909c499
Get rid of group15, move group16 to sha512.
Matt Johnston <matt@ucc.asn.au>
parents:
1225
diff
changeset
|
171 /* Group14 (2048 bit) is recommended. Group1 is less secure (1024 bit) though |
739b3909c499
Get rid of group15, move group16 to sha512.
Matt Johnston <matt@ucc.asn.au>
parents:
1225
diff
changeset
|
172 is the only option for interoperability with some older SSH programs */ |
739b3909c499
Get rid of group15, move group16 to sha512.
Matt Johnston <matt@ucc.asn.au>
parents:
1225
diff
changeset
|
173 #define DROPBEAR_DH_GROUP1 1 |
739b3909c499
Get rid of group15, move group16 to sha512.
Matt Johnston <matt@ucc.asn.au>
parents:
1225
diff
changeset
|
174 #define DROPBEAR_DH_GROUP14 1 |
739b3909c499
Get rid of group15, move group16 to sha512.
Matt Johnston <matt@ucc.asn.au>
parents:
1225
diff
changeset
|
175 |
555
daf52f813328
- Add option to change zlib windowBits/memLevel
Matt Johnston <matt@ucc.asn.au>
parents:
554
diff
changeset
|
176 /* Control the memory/performance/compression tradeoff for zlib. |
605
53c21d4ec98a
- Don't allow setting memLevel since that doesn't work properly
Matt Johnston <matt@ucc.asn.au>
parents:
596
diff
changeset
|
177 * Set windowBits=8 for least memory usage, see your system's |
555
daf52f813328
- Add option to change zlib windowBits/memLevel
Matt Johnston <matt@ucc.asn.au>
parents:
554
diff
changeset
|
178 * zlib.h for full details. |
605
53c21d4ec98a
- Don't allow setting memLevel since that doesn't work properly
Matt Johnston <matt@ucc.asn.au>
parents:
596
diff
changeset
|
179 * Default settings (windowBits=15) will use 256kB for compression |
53c21d4ec98a
- Don't allow setting memLevel since that doesn't work properly
Matt Johnston <matt@ucc.asn.au>
parents:
596
diff
changeset
|
180 * windowBits=8 will use 129kB for compression. |
53c21d4ec98a
- Don't allow setting memLevel since that doesn't work properly
Matt Johnston <matt@ucc.asn.au>
parents:
596
diff
changeset
|
181 * Both modes will use ~35kB for decompression (using windowBits=15 for |
53c21d4ec98a
- Don't allow setting memLevel since that doesn't work properly
Matt Johnston <matt@ucc.asn.au>
parents:
596
diff
changeset
|
182 * interoperability) */ |
555
daf52f813328
- Add option to change zlib windowBits/memLevel
Matt Johnston <matt@ucc.asn.au>
parents:
554
diff
changeset
|
183 #ifndef DROPBEAR_ZLIB_WINDOW_BITS |
daf52f813328
- Add option to change zlib windowBits/memLevel
Matt Johnston <matt@ucc.asn.au>
parents:
554
diff
changeset
|
184 #define DROPBEAR_ZLIB_WINDOW_BITS 15 |
daf52f813328
- Add option to change zlib windowBits/memLevel
Matt Johnston <matt@ucc.asn.au>
parents:
554
diff
changeset
|
185 #endif |
daf52f813328
- Add option to change zlib windowBits/memLevel
Matt Johnston <matt@ucc.asn.au>
parents:
554
diff
changeset
|
186 |
996
47643024fc90
Disable non-delayed zlib for server
Matt Johnston <matt@ucc.asn.au>
parents:
995
diff
changeset
|
187 /* Server won't allow zlib compression until after authentication. Prevents |
47643024fc90
Disable non-delayed zlib for server
Matt Johnston <matt@ucc.asn.au>
parents:
995
diff
changeset
|
188 flaws in the zlib library being unauthenticated exploitable flaws. |
47643024fc90
Disable non-delayed zlib for server
Matt Johnston <matt@ucc.asn.au>
parents:
995
diff
changeset
|
189 Some old ssh clients may not support the alternative [email protected] method */ |
47643024fc90
Disable non-delayed zlib for server
Matt Johnston <matt@ucc.asn.au>
parents:
995
diff
changeset
|
190 #define DROPBEAR_SERVER_DELAY_ZLIB 1 |
47643024fc90
Disable non-delayed zlib for server
Matt Johnston <matt@ucc.asn.au>
parents:
995
diff
changeset
|
191 |
172
3e49d8d18005
* respect DO_HOST_LOOKUP config option
Matt Johnston <matt@ucc.asn.au>
parents:
161
diff
changeset
|
192 /* Whether to do reverse DNS lookups. */ |
857 | 193 /*#define DO_HOST_LOOKUP */ |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
194 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
195 /* Whether to print the message of the day (MOTD). This doesn't add much code |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
196 * size */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
197 #define DO_MOTD |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
198 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
199 /* The MOTD file path */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
200 #ifndef MOTD_FILENAME |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
201 #define MOTD_FILENAME "/etc/motd" |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
202 #endif |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
203 |
121 | 204 /* Authentication Types - at least one required. |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
205 RFC Draft requires pubkey auth, and recommends password */ |
121 | 206 |
628
d40f3cc47aed
- Add ALLOW_BLANK_PASSWORD option
Matt Johnston <matt@ucc.asn.au>
parents:
606
diff
changeset
|
207 /* Note: PAM auth is quite simple and only works for PAM modules which just do |
176 | 208 * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c). |
628
d40f3cc47aed
- Add ALLOW_BLANK_PASSWORD option
Matt Johnston <matt@ucc.asn.au>
parents:
606
diff
changeset
|
209 * It's useful for systems like OS X where standard password crypts don't work |
d40f3cc47aed
- Add ALLOW_BLANK_PASSWORD option
Matt Johnston <matt@ucc.asn.au>
parents:
606
diff
changeset
|
210 * but there's an interface via a PAM module. It won't work for more complex |
d40f3cc47aed
- Add ALLOW_BLANK_PASSWORD option
Matt Johnston <matt@ucc.asn.au>
parents:
606
diff
changeset
|
211 * PAM challenge/response. |
176 | 212 * You can't enable both PASSWORD and PAM. */ |
121 | 213 |
1159
f567a4152c14
Test for crypt() rather than crypt.h
Matt Johnston <matt@ucc.asn.au>
parents:
1158
diff
changeset
|
214 /* This requires crypt() */ |
f567a4152c14
Test for crypt() rather than crypt.h
Matt Johnston <matt@ucc.asn.au>
parents:
1158
diff
changeset
|
215 #ifdef HAVE_CRYPT |
847
f4bb964c8678
Add '-R' for delayed hostkey option
Matt Johnston <matt@ucc.asn.au>
parents:
846
diff
changeset
|
216 #define ENABLE_SVR_PASSWORD_AUTH |
1157
14854ea32d2c
fix default build when crypt() is unavailable
Mike Frysinger <vapier@gentoo.org>
parents:
1134
diff
changeset
|
217 #endif |
499
f3ca5ebc319a
Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
496
diff
changeset
|
218 /* PAM requires ./configure --enable-pam */ |
847
f4bb964c8678
Add '-R' for delayed hostkey option
Matt Johnston <matt@ucc.asn.au>
parents:
846
diff
changeset
|
219 /*#define ENABLE_SVR_PAM_AUTH */ |
68
eee77ac31ccc
cleaning up the pubkey defines
Matt Johnston <matt@ucc.asn.au>
parents:
66
diff
changeset
|
220 #define ENABLE_SVR_PUBKEY_AUTH |
66
38c3146aa23d
Some more sanity-checking of args, and just warn and ignore OpenSSH args
Matt Johnston <matt@ucc.asn.au>
parents:
65
diff
changeset
|
221 |
566
b321aeb57c64
- set $SSH_ORIGINAL_COMMAND if a command is forced, and log it
Matt Johnston <matt@ucc.asn.au>
parents:
561
diff
changeset
|
222 /* Whether to take public key options in |
b321aeb57c64
- set $SSH_ORIGINAL_COMMAND if a command is forced, and log it
Matt Johnston <matt@ucc.asn.au>
parents:
561
diff
changeset
|
223 * authorized_keys file into account */ |
475
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
473
diff
changeset
|
224 #ifdef ENABLE_SVR_PUBKEY_AUTH |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
473
diff
changeset
|
225 #define ENABLE_SVR_PUBKEY_OPTIONS |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
473
diff
changeset
|
226 #endif |
52a644e7b8e1
* Patch from Frédéric Moulins adding options to authorized_keys.
Matt Johnston <matt@ucc.asn.au>
parents:
473
diff
changeset
|
227 |
1158
ef67b57fe438
fix default build when getpass() is unavailable
Mike Frysinger <vapier@gentoo.org>
parents:
1157
diff
changeset
|
228 /* This requires getpass. */ |
ef67b57fe438
fix default build when getpass() is unavailable
Mike Frysinger <vapier@gentoo.org>
parents:
1157
diff
changeset
|
229 #ifdef HAVE_GETPASS |
68
eee77ac31ccc
cleaning up the pubkey defines
Matt Johnston <matt@ucc.asn.au>
parents:
66
diff
changeset
|
230 #define ENABLE_CLI_PASSWORD_AUTH |
1158
ef67b57fe438
fix default build when getpass() is unavailable
Mike Frysinger <vapier@gentoo.org>
parents:
1157
diff
changeset
|
231 #define ENABLE_CLI_INTERACT_AUTH |
ef67b57fe438
fix default build when getpass() is unavailable
Mike Frysinger <vapier@gentoo.org>
parents:
1157
diff
changeset
|
232 #endif |
68
eee77ac31ccc
cleaning up the pubkey defines
Matt Johnston <matt@ucc.asn.au>
parents:
66
diff
changeset
|
233 #define ENABLE_CLI_PUBKEY_AUTH |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
234 |
995
6fb4c010c448
Default client key path ~/.ssh/id_dropbear
Matt Johnston <matt@ucc.asn.au>
parents:
992
diff
changeset
|
235 /* A default argument for dbclient -i <privatekey>. |
1134
36557295418e
change DROPBEAR_DEFAULT_CLI_AUTHKEY to just prepend homedir
Matt Johnston <matt@ucc.asn.au>
parents:
1087
diff
changeset
|
236 Homedir is prepended unless path begins with / */ |
36557295418e
change DROPBEAR_DEFAULT_CLI_AUTHKEY to just prepend homedir
Matt Johnston <matt@ucc.asn.au>
parents:
1087
diff
changeset
|
237 #define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear" |
995
6fb4c010c448
Default client key path ~/.ssh/id_dropbear
Matt Johnston <matt@ucc.asn.au>
parents:
992
diff
changeset
|
238 |
441
fdf06a5a54e4
Allow reading dbclient password from an environment var
Matt Johnston <matt@ucc.asn.au>
parents:
437
diff
changeset
|
239 /* This variable can be used to set a password for client |
fdf06a5a54e4
Allow reading dbclient password from an environment var
Matt Johnston <matt@ucc.asn.au>
parents:
437
diff
changeset
|
240 * authentication on the commandline. Beware of platforms |
fdf06a5a54e4
Allow reading dbclient password from an environment var
Matt Johnston <matt@ucc.asn.au>
parents:
437
diff
changeset
|
241 * that don't protect environment variables of processes etc. Also |
fdf06a5a54e4
Allow reading dbclient password from an environment var
Matt Johnston <matt@ucc.asn.au>
parents:
437
diff
changeset
|
242 * note that it will be provided for all "hidden" client-interactive |
fdf06a5a54e4
Allow reading dbclient password from an environment var
Matt Johnston <matt@ucc.asn.au>
parents:
437
diff
changeset
|
243 * style prompts - if you want something more sophisticated, use |
fdf06a5a54e4
Allow reading dbclient password from an environment var
Matt Johnston <matt@ucc.asn.au>
parents:
437
diff
changeset
|
244 * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/ |
fdf06a5a54e4
Allow reading dbclient password from an environment var
Matt Johnston <matt@ucc.asn.au>
parents:
437
diff
changeset
|
245 #define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD" |
fdf06a5a54e4
Allow reading dbclient password from an environment var
Matt Johnston <matt@ucc.asn.au>
parents:
437
diff
changeset
|
246 |
173
257f09a63dab
* add SSH_ASKPASS support (based on patch from Paul Whittaker
Matt Johnston <matt@ucc.asn.au>
parents:
172
diff
changeset
|
247 /* Define this (as well as ENABLE_CLI_PASSWORD_AUTH) to allow the use of |
257f09a63dab
* add SSH_ASKPASS support (based on patch from Paul Whittaker
Matt Johnston <matt@ucc.asn.au>
parents:
172
diff
changeset
|
248 * a helper program for the ssh client. The helper program should be |
257f09a63dab
* add SSH_ASKPASS support (based on patch from Paul Whittaker
Matt Johnston <matt@ucc.asn.au>
parents:
172
diff
changeset
|
249 * specified in the SSH_ASKPASS environment variable, and dbclient |
257f09a63dab
* add SSH_ASKPASS support (based on patch from Paul Whittaker
Matt Johnston <matt@ucc.asn.au>
parents:
172
diff
changeset
|
250 * should be run with DISPLAY set and no tty. The program should |
257f09a63dab
* add SSH_ASKPASS support (based on patch from Paul Whittaker
Matt Johnston <matt@ucc.asn.au>
parents:
172
diff
changeset
|
251 * return the password on standard output */ |
257f09a63dab
* add SSH_ASKPASS support (based on patch from Paul Whittaker
Matt Johnston <matt@ucc.asn.au>
parents:
172
diff
changeset
|
252 /*#define ENABLE_CLI_ASKPASS_HELPER*/ |
257f09a63dab
* add SSH_ASKPASS support (based on patch from Paul Whittaker
Matt Johnston <matt@ucc.asn.au>
parents:
172
diff
changeset
|
253 |
900 | 254 /* Save a network roundtrip by sendng a real auth request immediately after |
255 * sending a query for the available methods. It is at the expense of < 100 | |
256 * bytes of extra network traffic. This is not yet enabled by default since it | |
257 * could cause problems with non-compliant servers */ | |
258 /* #define DROPBEAR_CLI_IMMEDIATE_AUTH */ | |
259 | |
687 | 260 /* Source for randomness. This must be able to provide hundreds of bytes per SSH |
261 * connection without blocking. In addition /dev/random is used for seeding | |
262 * rsa/dss key generation */ | |
263 #define DROPBEAR_URANDOM_DEV "/dev/urandom" | |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
264 |
687 | 265 /* Set this to use PRNGD or EGD instead of /dev/urandom or /dev/random */ |
266 /*#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"*/ | |
442
d82a2a44c684
Add -u option to specify /dev/urandom instead
Matt Johnston <matt@ucc.asn.au>
parents:
441
diff
changeset
|
267 |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
268 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
269 /* Specify the number of clients we will allow to be connected but |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
270 * not yet authenticated. After this limit, connections are rejected */ |
277
044bc108b9b3
* Per-IP connection unauthed connection limits
Matt Johnston <matt@ucc.asn.au>
parents:
266
diff
changeset
|
271 /* The first setting is per-IP, to avoid denial of service */ |
044bc108b9b3
* Per-IP connection unauthed connection limits
Matt Johnston <matt@ucc.asn.au>
parents:
266
diff
changeset
|
272 #ifndef MAX_UNAUTH_PER_IP |
044bc108b9b3
* Per-IP connection unauthed connection limits
Matt Johnston <matt@ucc.asn.au>
parents:
266
diff
changeset
|
273 #define MAX_UNAUTH_PER_IP 5 |
044bc108b9b3
* Per-IP connection unauthed connection limits
Matt Johnston <matt@ucc.asn.au>
parents:
266
diff
changeset
|
274 #endif |
044bc108b9b3
* Per-IP connection unauthed connection limits
Matt Johnston <matt@ucc.asn.au>
parents:
266
diff
changeset
|
275 |
044bc108b9b3
* Per-IP connection unauthed connection limits
Matt Johnston <matt@ucc.asn.au>
parents:
266
diff
changeset
|
276 /* And then a global limit to avoid chewing memory if connections |
044bc108b9b3
* Per-IP connection unauthed connection limits
Matt Johnston <matt@ucc.asn.au>
parents:
266
diff
changeset
|
277 * come from many IPs */ |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
278 #ifndef MAX_UNAUTH_CLIENTS |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
279 #define MAX_UNAUTH_CLIENTS 30 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
280 #endif |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
281 |
66
38c3146aa23d
Some more sanity-checking of args, and just warn and ignore OpenSSH args
Matt Johnston <matt@ucc.asn.au>
parents:
65
diff
changeset
|
282 /* Maximum number of failed authentication tries (server option) */ |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
283 #ifndef MAX_AUTH_TRIES |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
284 #define MAX_AUTH_TRIES 10 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
285 #endif |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
286 |
437 | 287 /* The default file to store the daemon's process ID, for shutdown |
288 scripts etc. This can be overridden with the -P flag */ | |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
289 #ifndef DROPBEAR_PIDFILE |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
290 #define DROPBEAR_PIDFILE "/var/run/dropbear.pid" |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
291 #endif |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
292 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
293 /* The command to invoke for xauth when using X11 forwarding. |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
294 * "-q" for quiet */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
295 #ifndef XAUTH_COMMAND |
963 | 296 #define XAUTH_COMMAND "/usr/bin/xauth -q" |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
297 #endif |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
298 |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
299 /* if you want to enable running an sftp server (such as the one included with |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
300 * OpenSSH), set the path below. If the path isn't defined, sftp will not |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
301 * be enabled */ |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
302 #ifndef SFTPSERVER_PATH |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
303 #define SFTPSERVER_PATH "/usr/libexec/sftp-server" |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
304 #endif |
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
305 |
66
38c3146aa23d
Some more sanity-checking of args, and just warn and ignore OpenSSH args
Matt Johnston <matt@ucc.asn.au>
parents:
65
diff
changeset
|
306 /* This is used by the scp binary when used as a client binary. If you're |
38c3146aa23d
Some more sanity-checking of args, and just warn and ignore OpenSSH args
Matt Johnston <matt@ucc.asn.au>
parents:
65
diff
changeset
|
307 * not using the Dropbear client, you'll need to change it */ |
1036
deed0571cacc
DROPBEAR_ prefix for include guards to avoid collisions
Thorsten Horstmann <thorsten.horstmann@web.de>
parents:
1013
diff
changeset
|
308 #define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/dbclient" |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
309 |
349
dba106bf6b34
Add (disabled by default) LOG_COMMANDS option to log the commands executed
Matt Johnston <matt@ucc.asn.au>
parents:
291
diff
changeset
|
310 /* Whether to log commands executed by a client. This only logs the |
dba106bf6b34
Add (disabled by default) LOG_COMMANDS option to log the commands executed
Matt Johnston <matt@ucc.asn.au>
parents:
291
diff
changeset
|
311 * (single) command sent to the server, not what a user did in a |
dba106bf6b34
Add (disabled by default) LOG_COMMANDS option to log the commands executed
Matt Johnston <matt@ucc.asn.au>
parents:
291
diff
changeset
|
312 * shell/sftp session etc. */ |
dba106bf6b34
Add (disabled by default) LOG_COMMANDS option to log the commands executed
Matt Johnston <matt@ucc.asn.au>
parents:
291
diff
changeset
|
313 /* #define LOG_COMMANDS */ |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
314 |
448
9c61e7af0156
Rearrange the channel buffer sizes into three neat use-editable values in
Matt Johnston <matt@ucc.asn.au>
parents:
446
diff
changeset
|
315 /* Window size limits. These tend to be a trade-off between memory |
9c61e7af0156
Rearrange the channel buffer sizes into three neat use-editable values in
Matt Johnston <matt@ucc.asn.au>
parents:
446
diff
changeset
|
316 usage and network performance: */ |
9c61e7af0156
Rearrange the channel buffer sizes into three neat use-editable values in
Matt Johnston <matt@ucc.asn.au>
parents:
446
diff
changeset
|
317 /* Size of the network receive window. This amount of memory is allocated |
9c61e7af0156
Rearrange the channel buffer sizes into three neat use-editable values in
Matt Johnston <matt@ucc.asn.au>
parents:
446
diff
changeset
|
318 as a per-channel receive buffer. Increasing this value can make a |
449
3e6c536bc023
Add -W <windowsize> argument and document it.
Matt Johnston <matt@ucc.asn.au>
parents:
448
diff
changeset
|
319 significant difference to network performance. 24kB was empirically |
3e6c536bc023
Add -W <windowsize> argument and document it.
Matt Johnston <matt@ucc.asn.au>
parents:
448
diff
changeset
|
320 chosen for a 100mbit ethernet network. The value can be altered at |
3e6c536bc023
Add -W <windowsize> argument and document it.
Matt Johnston <matt@ucc.asn.au>
parents:
448
diff
changeset
|
321 runtime with the -W argument. */ |
555
daf52f813328
- Add option to change zlib windowBits/memLevel
Matt Johnston <matt@ucc.asn.au>
parents:
554
diff
changeset
|
322 #ifndef DEFAULT_RECV_WINDOW |
449
3e6c536bc023
Add -W <windowsize> argument and document it.
Matt Johnston <matt@ucc.asn.au>
parents:
448
diff
changeset
|
323 #define DEFAULT_RECV_WINDOW 24576 |
555
daf52f813328
- Add option to change zlib windowBits/memLevel
Matt Johnston <matt@ucc.asn.au>
parents:
554
diff
changeset
|
324 #endif |
448
9c61e7af0156
Rearrange the channel buffer sizes into three neat use-editable values in
Matt Johnston <matt@ucc.asn.au>
parents:
446
diff
changeset
|
325 /* Maximum size of a received SSH data packet - this _MUST_ be >= 32768 |
9c61e7af0156
Rearrange the channel buffer sizes into three neat use-editable values in
Matt Johnston <matt@ucc.asn.au>
parents:
446
diff
changeset
|
326 in order to interoperate with other implementations */ |
555
daf52f813328
- Add option to change zlib windowBits/memLevel
Matt Johnston <matt@ucc.asn.au>
parents:
554
diff
changeset
|
327 #ifndef RECV_MAX_PAYLOAD_LEN |
448
9c61e7af0156
Rearrange the channel buffer sizes into three neat use-editable values in
Matt Johnston <matt@ucc.asn.au>
parents:
446
diff
changeset
|
328 #define RECV_MAX_PAYLOAD_LEN 32768 |
555
daf52f813328
- Add option to change zlib windowBits/memLevel
Matt Johnston <matt@ucc.asn.au>
parents:
554
diff
changeset
|
329 #endif |
448
9c61e7af0156
Rearrange the channel buffer sizes into three neat use-editable values in
Matt Johnston <matt@ucc.asn.au>
parents:
446
diff
changeset
|
330 /* Maximum size of a transmitted data packet - this can be any value, |
9c61e7af0156
Rearrange the channel buffer sizes into three neat use-editable values in
Matt Johnston <matt@ucc.asn.au>
parents:
446
diff
changeset
|
331 though increasing it may not make a significant difference. */ |
555
daf52f813328
- Add option to change zlib windowBits/memLevel
Matt Johnston <matt@ucc.asn.au>
parents:
554
diff
changeset
|
332 #ifndef TRANS_MAX_PAYLOAD_LEN |
448
9c61e7af0156
Rearrange the channel buffer sizes into three neat use-editable values in
Matt Johnston <matt@ucc.asn.au>
parents:
446
diff
changeset
|
333 #define TRANS_MAX_PAYLOAD_LEN 16384 |
555
daf52f813328
- Add option to change zlib windowBits/memLevel
Matt Johnston <matt@ucc.asn.au>
parents:
554
diff
changeset
|
334 #endif |
448
9c61e7af0156
Rearrange the channel buffer sizes into three neat use-editable values in
Matt Johnston <matt@ucc.asn.au>
parents:
446
diff
changeset
|
335 |
454
7e43f5e473b9
- Add -K keepalive flag for dropbear and dbclient
Matt Johnston <matt@ucc.asn.au>
parents:
449
diff
changeset
|
336 /* Ensure that data is transmitted every KEEPALIVE seconds. This can |
7e43f5e473b9
- Add -K keepalive flag for dropbear and dbclient
Matt Johnston <matt@ucc.asn.au>
parents:
449
diff
changeset
|
337 be overridden at runtime with -K. 0 disables keepalives */ |
7e43f5e473b9
- Add -K keepalive flag for dropbear and dbclient
Matt Johnston <matt@ucc.asn.au>
parents:
449
diff
changeset
|
338 #define DEFAULT_KEEPALIVE 0 |
448
9c61e7af0156
Rearrange the channel buffer sizes into three neat use-editable values in
Matt Johnston <matt@ucc.asn.au>
parents:
446
diff
changeset
|
339 |
939
a0819ecfee0b
Make -K keepalive behave like OpenSSH's ServerAliveInterval
Matt Johnston <matt@ucc.asn.au>
parents:
900
diff
changeset
|
340 /* If this many KEEPALIVES are sent with no packets received from the |
a0819ecfee0b
Make -K keepalive behave like OpenSSH's ServerAliveInterval
Matt Johnston <matt@ucc.asn.au>
parents:
900
diff
changeset
|
341 other side, exit. Not run-time configurable - if you have a need |
a0819ecfee0b
Make -K keepalive behave like OpenSSH's ServerAliveInterval
Matt Johnston <matt@ucc.asn.au>
parents:
900
diff
changeset
|
342 for runtime configuration please mail the Dropbear list */ |
a0819ecfee0b
Make -K keepalive behave like OpenSSH's ServerAliveInterval
Matt Johnston <matt@ucc.asn.au>
parents:
900
diff
changeset
|
343 #define DEFAULT_KEEPALIVE_LIMIT 3 |
a0819ecfee0b
Make -K keepalive behave like OpenSSH's ServerAliveInterval
Matt Johnston <matt@ucc.asn.au>
parents:
900
diff
changeset
|
344 |
513
a3748e54273c
Idle timeout patch from Farrell Aultman. Needs testing, unsure if server
Matt Johnston <matt@ucc.asn.au>
parents:
510
diff
changeset
|
345 /* Ensure that data is received within IDLE_TIMEOUT seconds. This can |
a3748e54273c
Idle timeout patch from Farrell Aultman. Needs testing, unsure if server
Matt Johnston <matt@ucc.asn.au>
parents:
510
diff
changeset
|
346 be overridden at runtime with -I. 0 disables idle timeouts */ |
a3748e54273c
Idle timeout patch from Farrell Aultman. Needs testing, unsure if server
Matt Johnston <matt@ucc.asn.au>
parents:
510
diff
changeset
|
347 #define DEFAULT_IDLE_TIMEOUT 0 |
a3748e54273c
Idle timeout patch from Farrell Aultman. Needs testing, unsure if server
Matt Johnston <matt@ucc.asn.au>
parents:
510
diff
changeset
|
348 |
508
d4bbc0039008
- Set a default path, since bash won't export one otherwise (though it will set
Matt Johnston <matt@ucc.asn.au>
parents:
503
diff
changeset
|
349 /* The default path. This will often get replaced by the shell */ |
510
b85507ade010
- Update manuals, include section on authorized_keys
Matt Johnston <matt@ucc.asn.au>
parents:
508
diff
changeset
|
350 #define DEFAULT_PATH "/usr/bin:/bin" |
508
d4bbc0039008
- Set a default path, since bash won't export one otherwise (though it will set
Matt Johnston <matt@ucc.asn.au>
parents:
503
diff
changeset
|
351 |
499
f3ca5ebc319a
Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
496
diff
changeset
|
352 /* Some other defines (that mostly should be left alone) are defined |
f3ca5ebc319a
Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
496
diff
changeset
|
353 * in sysoptions.h */ |
f3ca5ebc319a
Split options.h out into sysoptions.h for options that aren't usually
Matt Johnston <matt@ucc.asn.au>
parents:
496
diff
changeset
|
354 #include "sysoptions.h" |
4
fe6bca95afa7
Makefile.in contains updated files required
Matt Johnston <matt@ucc.asn.au>
parents:
diff
changeset
|
355 |
1036
deed0571cacc
DROPBEAR_ prefix for include guards to avoid collisions
Thorsten Horstmann <thorsten.horstmann@web.de>
parents:
1013
diff
changeset
|
356 #endif /* DROPBEAR_OPTIONS_H_ */ |