comparison default_options.h @ 1861:2b3a8026a6ce

Add re-exec for server

This allows ASLR to re-randomize the address space for every connection, preventing some vulnerabilities from being exploitable by repeated probing. Overhead (memory and time) is yet to be confirmed. At present this is only enabled on Linux. Other BSD platforms with fexecve() would probably also work, though they have not been tested.
author Matt Johnston <matt@ucc.asn.au>
date Sun, 30 Jan 2022 10:14:56 +0800
parents 35d504d59c05
children 40f8468ad4d4
1860:5001e9c5641f 1861:2b3a8026a6ce
35 * Both of these flags can be defined at once, don't compile without at least 35 * Both of these flags can be defined at once, don't compile without at least
36 * one of them. */ 36 * one of them. */
37 #define NON_INETD_MODE 1 37 #define NON_INETD_MODE 1
38 #define INETD_MODE 1 38 #define INETD_MODE 1
39 39
40 /* Include verbose debug output, enabled with -v at runtime. 40 /* By default Dropbear will re-execute itself for each incoming connection so
41 that memory layout may be re-randomised (ASLR) - exploiting
42 vulnerabilities becomes harder. Re-exec causes slightly more memory use
43 per connection.
44 This option is ignored on non-Linux platforms at present */
45 #define DROPBEAR_REEXEC 1
46
47 /* Include verbose debug output, enabled with -v at runtime.
41 * This will add a reasonable amount to your executable size. */ 48 * This will add a reasonable amount to your executable size. */
42 #define DEBUG_TRACE 0 49 #define DEBUG_TRACE 0
43 50
44 /* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save 51 /* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save
45 * several kB in binary size however will make the symmetrical ciphers and hashes 52 * several kB in binary size however will make the symmetrical ciphers and hashes
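Review bot: the new comment block at lines 40-45 asserts that re-exec "causes slightly more memory use per connection", but the commit message says the memory and time overhead is yet to be confirmed; either measure it before the comment quantifies it, or soften the wording to something like "Re-exec adds some memory and time cost per connection". Two further points for the same comment: it says the option is "ignored on non-Linux platforms at present" while DROPBEAR_REEXEC still defaults to 1 unconditionally, so it would help to state plainly that the define has no effect (rather than failing the build) elsewhere and to point at the platform check that decides this; and the "memory layout may be re-randomised (ASLR)" sentence should note that the executable image is only re-randomised when dropbear is linked position-independent (PIE), so a non-PIE build keeps the same code addresses across every re-exec and gains far less from this option.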