comparison options.h @ 641:2b1bb792cd4d dropbear-tfm

- Update tfm changes to current default tip
author Matt Johnston <matt@ucc.asn.au>
date Mon, 21 Nov 2011 19:52:28 +0800
parents 76097ec1a29a d40f3cc47aed
children
640:76097ec1a29a 641:2b1bb792cd4d
44 * perhaps 20% slower for pubkey operations (it is probably worth experimenting 44 * perhaps 20% slower for pubkey operations (it is probably worth experimenting
45 * if you want to use this) */ 45 * if you want to use this) */
46 /*#define NO_FAST_EXPTMOD*/ 46 /*#define NO_FAST_EXPTMOD*/
47 47
48 /* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save 48 /* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save
49 several kB in binary size, however will make the symmetrical ciphers (AES, DES 49 several kB in binary size however will make the symmetrical ciphers and hashes
50 etc) slower (perhaps by 50%). Recommended for most small systems. */ 50 slower, perhaps by 50%. Recommended for small systems that aren't doing
51 #define DROPBEAR_SMALL_CODE 51 much traffic. */
52 /*#define DROPBEAR_SMALL_CODE*/
52 53
53 /* Enable X11 Forwarding - server only */ 54 /* Enable X11 Forwarding - server only */
54 /* #define ENABLE_X11FWD */ 55 /* #define ENABLE_X11FWD */
55 56
56 /* Enable TCP Fowarding */ 57 /* Enable TCP Fowarding */
61 #define ENABLE_CLI_REMOTETCPFWD 62 #define ENABLE_CLI_REMOTETCPFWD
62 63
63 #define ENABLE_SVR_LOCALTCPFWD 64 #define ENABLE_SVR_LOCALTCPFWD
64 #define ENABLE_SVR_REMOTETCPFWD 65 #define ENABLE_SVR_REMOTETCPFWD
65 66
66 /* Enable Authentication Agent Forwarding - server only for now */ 67 /* Enable Authentication Agent Forwarding */
67 #define ENABLE_AGENTFWD 68 #define ENABLE_SVR_AGENTFWD
69 #define ENABLE_CLI_AGENTFWD
68 70
69 71
70 /* Note: Both ENABLE_CLI_PROXYCMD and ENABLE_CLI_NETCAT must be set to 72 /* Note: Both ENABLE_CLI_PROXYCMD and ENABLE_CLI_NETCAT must be set to
71 * allow multihop dbclient connections */ 73 * allow multihop dbclient connections */
72 74
83 * Including multiple keysize variants the same cipher 85 * Including multiple keysize variants the same cipher
84 * (eg AES256 as well as AES128) will result in a minimal size increase.*/ 86 * (eg AES256 as well as AES128) will result in a minimal size increase.*/
85 #define DROPBEAR_AES128 87 #define DROPBEAR_AES128
86 #define DROPBEAR_3DES 88 #define DROPBEAR_3DES
87 #define DROPBEAR_AES256 89 #define DROPBEAR_AES256
88 #define DROPBEAR_BLOWFISH 90 /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
91 /*#define DROPBEAR_BLOWFISH*/
89 #define DROPBEAR_TWOFISH256 92 #define DROPBEAR_TWOFISH256
90 #define DROPBEAR_TWOFISH128 93 #define DROPBEAR_TWOFISH128
91 94
92 /* Enable "Counter Mode" for ciphers. This is more secure than normal 95 /* Enable "Counter Mode" for ciphers. This is more secure than normal
93 * CBC mode against certain attacks. This adds around 1kB to binary 96 * CBC mode against certain attacks. This adds around 1kB to binary
123 #define RSA_BLINDING 126 #define RSA_BLINDING
124 127
125 /* Define DSS_PROTOK to use PuTTY's method of generating the value k for dss, 128 /* Define DSS_PROTOK to use PuTTY's method of generating the value k for dss,
126 * rather than just from the random byte source. Undefining this will save you 129 * rather than just from the random byte source. Undefining this will save you
127 * ~4k in binary size with static uclibc, but your DSS hostkey could be exposed 130 * ~4k in binary size with static uclibc, but your DSS hostkey could be exposed
128 * if the random number source isn't good. In general this isn't required */ 131 * if the random number source isn't good. It happened to Sony.
132 * On systems with a decent random source this isn't required. */
129 /* #define DSS_PROTOK */ 133 /* #define DSS_PROTOK */
134
135 /* Control the memory/performance/compression tradeoff for zlib.
136 * Set windowBits=8 for least memory usage, see your system's
137 * zlib.h for full details.
138 * Default settings (windowBits=15) will use 256kB for compression
139 * windowBits=8 will use 129kB for compression.
140 * Both modes will use ~35kB for decompression (using windowBits=15 for
141 * interoperability) */
142 #ifndef DROPBEAR_ZLIB_WINDOW_BITS
143 #define DROPBEAR_ZLIB_WINDOW_BITS 15
144 #endif
130 145
131 /* Whether to do reverse DNS lookups. */ 146 /* Whether to do reverse DNS lookups. */
132 #define DO_HOST_LOOKUP 147 #define DO_HOST_LOOKUP
133 148
134 /* Whether to print the message of the day (MOTD). This doesn't add much code 149 /* Whether to print the message of the day (MOTD). This doesn't add much code
141 #endif 156 #endif
142 157
143 /* Authentication Types - at least one required. 158 /* Authentication Types - at least one required.
144 RFC Draft requires pubkey auth, and recommends password */ 159 RFC Draft requires pubkey auth, and recommends password */
145 160
146 /* Note: PAM auth is quite simple, and only works for PAM modules which just do 161 /* Note: PAM auth is quite simple and only works for PAM modules which just do
147 * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c). 162 * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c).
148 * It's useful for systems like OS X where standard password crypts don't work, 163 * It's useful for systems like OS X where standard password crypts don't work
149 * but there's an interface via a PAM module - don't bother using it otherwise. 164 * but there's an interface via a PAM module. It won't work for more complex
165 * PAM challenge/response.
150 * You can't enable both PASSWORD and PAM. */ 166 * You can't enable both PASSWORD and PAM. */
151 167
152 #define ENABLE_SVR_PASSWORD_AUTH 168 #define ENABLE_SVR_PASSWORD_AUTH
153 /* PAM requires ./configure --enable-pam */ 169 /* PAM requires ./configure --enable-pam */
154 /*#define ENABLE_SVR_PAM_AUTH*/ 170 /*#define ENABLE_SVR_PAM_AUTH*/
155 #define ENABLE_SVR_PUBKEY_AUTH 171 #define ENABLE_SVR_PUBKEY_AUTH
156 172
157 /* Wether to ake public key options in authorized_keys file into account */ 173 /* Whether to take public key options in
174 * authorized_keys file into account */
158 #ifdef ENABLE_SVR_PUBKEY_AUTH 175 #ifdef ENABLE_SVR_PUBKEY_AUTH
159 #define ENABLE_SVR_PUBKEY_OPTIONS 176 #define ENABLE_SVR_PUBKEY_OPTIONS
160 #endif 177 #endif
178
179 /* Define this to allow logging in to accounts that have no password specified.
180 * Public key logins are allowed for blank-password accounts regardless of this
181 * setting. PAM is not affected by this setting, it uses the normal pam.d
182 * settings ('nullok' option) */
183 /* #define ALLOW_BLANK_PASSWORD */
161 184
162 #define ENABLE_CLI_PASSWORD_AUTH 185 #define ENABLE_CLI_PASSWORD_AUTH
163 #define ENABLE_CLI_PUBKEY_AUTH 186 #define ENABLE_CLI_PUBKEY_AUTH
164 #define ENABLE_CLI_INTERACT_AUTH 187 #define ENABLE_CLI_INTERACT_AUTH
165 188
218 #endif 241 #endif
219 242
220 /* The command to invoke for xauth when using X11 forwarding. 243 /* The command to invoke for xauth when using X11 forwarding.
221 * "-q" for quiet */ 244 * "-q" for quiet */
222 #ifndef XAUTH_COMMAND 245 #ifndef XAUTH_COMMAND
223 #define XAUTH_COMMAND "/usr/X11R6/bin/xauth -q" 246 #define XAUTH_COMMAND "/usr/bin/X11/xauth -q"
224 #endif 247 #endif
225 248
226 /* if you want to enable running an sftp server (such as the one included with 249 /* if you want to enable running an sftp server (such as the one included with
227 * OpenSSH), set the path below. If the path isn't defined, sftp will not 250 * OpenSSH), set the path below. If the path isn't defined, sftp will not
228 * be enabled */ 251 * be enabled */
244 /* Size of the network receive window. This amount of memory is allocated 267 /* Size of the network receive window. This amount of memory is allocated
245 as a per-channel receive buffer. Increasing this value can make a 268 as a per-channel receive buffer. Increasing this value can make a
246 significant difference to network performance. 24kB was empirically 269 significant difference to network performance. 24kB was empirically
247 chosen for a 100mbit ethernet network. The value can be altered at 270 chosen for a 100mbit ethernet network. The value can be altered at
248 runtime with the -W argument. */ 271 runtime with the -W argument. */
272 #ifndef DEFAULT_RECV_WINDOW
249 #define DEFAULT_RECV_WINDOW 24576 273 #define DEFAULT_RECV_WINDOW 24576
274 #endif
250 /* Maximum size of a received SSH data packet - this _MUST_ be >= 32768 275 /* Maximum size of a received SSH data packet - this _MUST_ be >= 32768
251 in order to interoperate with other implementations */ 276 in order to interoperate with other implementations */
277 #ifndef RECV_MAX_PAYLOAD_LEN
252 #define RECV_MAX_PAYLOAD_LEN 32768 278 #define RECV_MAX_PAYLOAD_LEN 32768
279 #endif
253 /* Maximum size of a transmitted data packet - this can be any value, 280 /* Maximum size of a transmitted data packet - this can be any value,
254 though increasing it may not make a significant difference. */ 281 though increasing it may not make a significant difference. */
282 #ifndef TRANS_MAX_PAYLOAD_LEN
255 #define TRANS_MAX_PAYLOAD_LEN 16384 283 #define TRANS_MAX_PAYLOAD_LEN 16384
284 #endif
256 285
257 /* Ensure that data is transmitted every KEEPALIVE seconds. This can 286 /* Ensure that data is transmitted every KEEPALIVE seconds. This can
258 be overridden at runtime with -K. 0 disables keepalives */ 287 be overridden at runtime with -K. 0 disables keepalives */
259 #define DEFAULT_KEEPALIVE 0 288 #define DEFAULT_KEEPALIVE 0
260 289
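Review bot: DSS_PROTOK is still commented out at new line 133, even though the reworded comment above it (new lines 128-132) now says that a poor random source can expose the DSS host key. Whether a target has "a decent random source" is hard for a builder to judge, and the small systems this header is otherwise tuned for may have little entropy available shortly after boot, so the safer default is probably `#define DSS_PROTOK`, with the comment saying that undefining it saves ~4k only where the random source is known to be good. If the default has to stay off, the comment should at least state the consequence plainly, for example `* A predictable or repeated k reveals the private key from observed signatures.`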