comparison default_options.h.in @ 1499:2d450c1056e3

options: Complete the transition to numeric toggles (`#if') For the sake of review, this commit alters only the code; the affiliated comments within the source files also need to be updated, but doing so now would obscure the operational changes that have been made here. * All on/off options have been switched to the numeric `#if' variant; that is the only way to make this `default_options.h.in' thing work in a reasonable manner. * There is now some very minor compile-time checking of the user's choice of options. * NO_FAST_EXPTMOD doesn't seem to be used, so it has been removed. * ENABLE_USER_ALGO_LIST was supposed to be renamed DROPBEAR_USER_ALGO_LIST, and this commit completes that work. * DROPBEAR_FUZZ seems to be a relatively new, as-yet undocumented option, which was added by the following commit: commit 6e0b539e9ca0b5628c6c5a3d118ad6a2e79e8039 Author: Matt Johnston <[email protected]> Date: Tue May 23 22:29:21 2017 +0800 split out checkpubkey_line() separately It has now been added to `sysoptions.h' and defined as `0' by default. * The configuration option `DROPBEAR_PASSWORD_ENV' is no longer listed in `default_options.h.in'; it is no longer meant to be set by the user, and is instead left to be defined in `sysoptions.h' (where it was already being defined) as merely the name of the environment variable in question: DROPBEAR_PASSWORD To enable or disable use of that environment variable, the user must now toggle `DROPBEAR_USE_DROPBEAR_PASSWORD'. * The sFTP support is now toggled by setting `DROPBEAR_SFTPSERVER', and the path of the sFTP server program is set independently through the usual SFTPSERVER_PATH.
author Michael Witten <mfwitten@gmail.com>
date Thu, 20 Jul 2017 19:38:26 +0000
parents da095983a60b
children 6c16a05023aa
1497:bf9c06b8dad9 1499:2d450c1056e3
34 * Both of these flags can be defined at once, don't compile without at least 34 * Both of these flags can be defined at once, don't compile without at least
35 * one of them. */ 35 * one of them. */
36 #define NON_INETD_MODE 1 36 #define NON_INETD_MODE 1
37 #define INETD_MODE 1 37 #define INETD_MODE 1
38 38
39 /* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is 39 #if !(NON_INETD_MODE || INETD_MODE)
40 * perhaps 20% slower for pubkey operations (it is probably worth experimenting 40 #error "NON_INETD_MODE or INETD_MODE (or both) must be enabled."
41 * if you want to use this) */ 41 #endif
42 /*#define NO_FAST_EXPTMOD*/
43 42
44 /* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save 43 /* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save
45 several kB in binary size however will make the symmetrical ciphers and hashes 44 several kB in binary size however will make the symmetrical ciphers and hashes
46 slower, perhaps by 50%. Recommended for small systems that aren't doing 45 slower, perhaps by 50%. Recommended for small systems that aren't doing
47 much traffic. */ 46 much traffic. */
75 /* Enable "Netcat mode" option. This will forward standard input/output 74 /* Enable "Netcat mode" option. This will forward standard input/output
76 * to a remote TCP-forwarded connection */ 75 * to a remote TCP-forwarded connection */
77 #define DROPBEAR_CLI_NETCAT 1 76 #define DROPBEAR_CLI_NETCAT 1
78 77
79 /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */ 78 /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
80 #define ENABLE_USER_ALGO_LIST 1 79 #define DROPBEAR_USER_ALGO_LIST 1
81 80
82 /* Encryption - at least one required. 81 /* Encryption - at least one required.
83 * Protocol RFC requires 3DES and recommends AES128 for interoperability. 82 * Protocol RFC requires 3DES and recommends AES128 for interoperability.
84 * Including multiple keysize variants the same cipher 83 * Including multiple keysize variants the same cipher
85 * (eg AES256 as well as AES128) will result in a minimal size increase.*/ 84 * (eg AES256 as well as AES128) will result in a minimal size increase.*/
86 #define DROPBEAR_AES128 1 85 #define DROPBEAR_AES128 1
87 #define DROPBEAR_3DES 1 86 #define DROPBEAR_3DES 1
88 #define DROPBEAR_AES256 1 87 #define DROPBEAR_AES256 1
89 /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
90 /*#define DROPBEAR_BLOWFISH*/
91 #define DROPBEAR_TWOFISH256 1 88 #define DROPBEAR_TWOFISH256 1
92 #define DROPBEAR_TWOFISH128 1 89 #define DROPBEAR_TWOFISH128 1
90 /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
91 #define DROPBEAR_BLOWFISH 0
92
93 #if !(DROPBEAR_AES128 || DROPBEAR_3DES || DROPBEAR_AES256 || DROPBEAR_BLOWFISH \
94 || DROPBEAR_TWOFISH256 || DROPBEAR_TWOFISH128)
95 #error "At least one encryption algorithm must be enabled; 3DES and AES128 are recommended."
96 #endif
93 97
94 /* Enable CBC mode for ciphers. This has security issues though 98 /* Enable CBC mode for ciphers. This has security issues though
95 * is the most compatible with older SSH implementations */ 99 * is the most compatible with older SSH implementations */
96 #define DROPBEAR_ENABLE_CBC_MODE 1 100 #define DROPBEAR_ENABLE_CBC_MODE 1
97 101
126 #define DROPBEAR_DSS 1 130 #define DROPBEAR_DSS 1
127 /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC 131 /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
128 * code (either ECDSA or ECDH) increases binary size - around 30kB 132 * code (either ECDSA or ECDH) increases binary size - around 30kB
129 * on x86-64 */ 133 * on x86-64 */
130 #define DROPBEAR_ECDSA 1 134 #define DROPBEAR_ECDSA 1
135
136 #if !(DROPBEAR_RSA || DROPBEAR_DSS || DROPBEAR_ECDSA)
137 #error "At least one hostkey or public-key algorithm must be enabled; RSA is recommended."
138 #endif
131 139
132 /* RSA must be >=1024 */ 140 /* RSA must be >=1024 */
133 #define DROPBEAR_DEFAULT_RSA_SIZE 2048 141 #define DROPBEAR_DEFAULT_RSA_SIZE 2048
134 /* DSS is always 1024 */ 142 /* DSS is always 1024 */
135 /* ECDSA defaults to largest size configured, usually 521 */ 143 /* ECDSA defaults to largest size configured, usually 521 */
191 * It's useful for systems like OS X where standard password crypts don't work 199 * It's useful for systems like OS X where standard password crypts don't work
192 * but there's an interface via a PAM module. It won't work for more complex 200 * but there's an interface via a PAM module. It won't work for more complex
193 * PAM challenge/response. 201 * PAM challenge/response.
194 * You can't enable both PASSWORD and PAM. */ 202 * You can't enable both PASSWORD and PAM. */
195 203
204 /* PAM requires ./configure --enable-pam */
205 #if defined(HAVE_LIBPAM) && !DROPBEAR_SVR_PASSWORD_AUTH
206 #define DROPBEAR_SVR_PAM_AUTH 1
207 #else
208 #define DROPBEAR_SVR_PAM_AUTH 0
209 #endif
210
196 /* This requires crypt() */ 211 /* This requires crypt() */
197 #ifdef HAVE_CRYPT 212 #if defined(HAVE_CRYPT) && !DROPBEAR_SVR_PAM_AUTH
198 #define DROPBEAR_SVR_PASSWORD_AUTH 1 213 #define DROPBEAR_SVR_PASSWORD_AUTH 1
199 #else 214 #else
200 #define DROPBEAR_SVR_PASSWORD_AUTH 0 215 #define DROPBEAR_SVR_PASSWORD_AUTH 0
201 #endif 216 #endif
202 /* PAM requires ./configure --enable-pam */ 217
203 #define DROPBEAR_SVR_PAM_AUTH 0
204 #define DROPBEAR_SVR_PUBKEY_AUTH 1 218 #define DROPBEAR_SVR_PUBKEY_AUTH 1
219
220 #if !(DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH || DROPBEAR_SVR_PUBKEY_AUTH)
221 #error "At least one server authentication type must be enabled; PUBKEY and PASSWORD are recommended."
222 #endif
223
224 #if DROPBEAR_SVR_PASSWORD_AUTH && !HAVE_CRYPT
225 #error "DROPBEAR_SVR_PASSWORD_AUTH requires `crypt()'."
226 #endif
227
228 #if DROPBEAR_SVR_PAM_AUTH
229 #if DISABLE_PAM
230 #error "DROPBEAR_SVR_PAM_AUTH requires 'configure --enable-pam' to succeed."
231 #endif
232 #if DROPBEAR_SVR_PASSWORD_AUTH
233 #error "DROPBEAR_SVR_PASSWORD_AUTH cannot be enabled at the same time as DROPBEAR_SVR_PAM_AUTH."
234 #endif
235 #endif
205 236
206 /* Whether to take public key options in 237 /* Whether to take public key options in
207 * authorized_keys file into account */ 238 * authorized_keys file into account */
208 #define DROPBEAR_SVR_PUBKEY_OPTIONS 1 239 #define DROPBEAR_SVR_PUBKEY_OPTIONS 1
209 240
210 /* This requires getpass. */ 241 /* This requires getpass. */
211 #ifdef HAVE_GETPASS 242 #ifdef HAVE_GETPASS
212 #define DROPBEAR_CLI_PASSWORD_AUTH 1 243 #define DROPBEAR_CLI_PASSWORD_AUTH 1
213 #define DROPBEAR_CLI_INTERACT_AUTH 1 244 #define DROPBEAR_CLI_INTERACT_AUTH 1
245 #else
246 #define DROPBEAR_CLI_PASSWORD_AUTH 0
247 #define DROPBEAR_CLI_INTERACT_AUTH 0
214 #endif 248 #endif
215 #define DROPBEAR_CLI_PUBKEY_AUTH 1 249 #define DROPBEAR_CLI_PUBKEY_AUTH 1
250
251 #if !(DROPBEAR_CLI_PASSWORD_AUTH || DROPBEAR_CLI_PUBKEY_AUTH)
252 #error "At least one client authentication type must be enabled; PUBKEY and PASSWORD are recommended."
253 #endif
216 254
217 /* A default argument for dbclient -i <privatekey>. 255 /* A default argument for dbclient -i <privatekey>.
218 Homedir is prepended unless path begins with / */ 256 Homedir is prepended unless path begins with / */
219 #define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear" 257 #define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear"
220 258
222 * authentication on the commandline. Beware of platforms 260 * authentication on the commandline. Beware of platforms
223 * that don't protect environment variables of processes etc. Also 261 * that don't protect environment variables of processes etc. Also
224 * note that it will be provided for all "hidden" client-interactive 262 * note that it will be provided for all "hidden" client-interactive
225 * style prompts - if you want something more sophisticated, use 263 * style prompts - if you want something more sophisticated, use
226 * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/ 264 * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/
227 #define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD" 265 #define DROPBEAR_USE_DROPBEAR_PASSWORD 1
228 266
229 /* Define this (as well as DROPBEAR_CLI_PASSWORD_AUTH) to allow the use of 267 /* Define this (as well as DROPBEAR_CLI_PASSWORD_AUTH) to allow the use of
230 * a helper program for the ssh client. The helper program should be 268 * a helper program for the ssh client. The helper program should be
231 * specified in the SSH_ASKPASS environment variable, and dbclient 269 * specified in the SSH_ASKPASS environment variable, and dbclient
232 * should be run with DISPLAY set and no tty. The program should 270 * should be run with DISPLAY set and no tty. The program should
233 * return the password on standard output */ 271 * return the password on standard output */
234 #define DROPBEAR_CLI_ASKPASS_HELPER 0 272 #define DROPBEAR_CLI_ASKPASS_HELPER 0
235 273
274 #if DROPBEAR_CLI_ASKPASS_HELPER
275 #define DROPBEAR_CLI_PASSWORD_AUTH 1
276 #endif
277
236 /* Save a network roundtrip by sendng a real auth request immediately after 278 /* Save a network roundtrip by sendng a real auth request immediately after
237 * sending a query for the available methods. It is at the expense of < 100 279 * sending a query for the available methods. It is at the expense of < 100
238 * bytes of extra network traffic. This is not yet enabled by default since it 280 * bytes of extra network traffic. This is not yet enabled by default since it
239 * could cause problems with non-compliant servers */ 281 * could cause problems with non-compliant servers */
240 #define DROPBEAR_CLI_IMMEDIATE_AUTH 0 282 #define DROPBEAR_CLI_IMMEDIATE_AUTH 0
243 * connection without blocking. In addition /dev/random is used for seeding 285 * connection without blocking. In addition /dev/random is used for seeding
244 * rsa/dss key generation */ 286 * rsa/dss key generation */
245 #define DROPBEAR_URANDOM_DEV "/dev/urandom" 287 #define DROPBEAR_URANDOM_DEV "/dev/urandom"
246 288
247 /* Set this to use PRNGD or EGD instead of /dev/urandom or /dev/random */ 289 /* Set this to use PRNGD or EGD instead of /dev/urandom or /dev/random */
248 /*#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"*/ 290 #define DROPBEAR_USE_PRNGD 0
249 291 #define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"
250 292
251 /* Specify the number of clients we will allow to be connected but 293 /* Specify the number of clients we will allow to be connected but
252 * not yet authenticated. After this limit, connections are rejected */ 294 * not yet authenticated. After this limit, connections are rejected */
253 /* The first setting is per-IP, to avoid denial of service */ 295 /* The first setting is per-IP, to avoid denial of service */
254 #define MAX_UNAUTH_PER_IP 5 296 #define MAX_UNAUTH_PER_IP 5
266 #define DROPBEAR_PIDFILE "/var/run/dropbear.pid" 308 #define DROPBEAR_PIDFILE "/var/run/dropbear.pid"
267 309
268 /* The command to invoke for xauth when using X11 forwarding. 310 /* The command to invoke for xauth when using X11 forwarding.
269 * "-q" for quiet */ 311 * "-q" for quiet */
270 #define XAUTH_COMMAND "/usr/bin/xauth -q" 312 #define XAUTH_COMMAND "/usr/bin/xauth -q"
313
314 #define DROPBEAR_SFTPSERVER 1
271 315
272 /* if you want to enable running an sftp server (such as the one included with 316 /* if you want to enable running an sftp server (such as the one included with
273 * OpenSSH), set the path below. If the path isn't defined, sftp will not 317 * OpenSSH), set the path below. If the path isn't defined, sftp will not
274 * be enabled */ 318 * be enabled */
275 #define SFTPSERVER_PATH "/usr/libexec/sftp-server" 319 #define SFTPSERVER_PATH "/usr/libexec/sftp-server"
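Review bot: The `#if DROPBEAR_CLI_ASKPASS_HELPER` block at new lines 274-276 redefines `DROPBEAR_CLI_PASSWORD_AUTH`, which new lines 242-248 have already defined as 1 or 0; when HAVE_GETPASS is absent that is an incompatible macro redefinition (a constraint violation the compiler must diagnose, an error under -Werror), and when it is present the block is a no-op, so it never guards anything. The rest of this file now fails loudly with `#error` on conflicting choices, so this should do the same: `#if DROPBEAR_CLI_ASKPASS_HELPER && !DROPBEAR_CLI_PASSWORD_AUTH`, `#error "DROPBEAR_CLI_ASKPASS_HELPER requires DROPBEAR_CLI_PASSWORD_AUTH (getpass())."`, `#endif`. Separately, the new PAM block at lines 204-209 tests `!DROPBEAR_SVR_PASSWORD_AUTH` before that macro is defined at lines 211-216, so in `#if` it evaluates as 0 and PAM silently wins whenever HAVE_LIBPAM is set, forcing password auth off; the mutual-exclusion `#error` at lines 232-234 can therefore never fire from this file's own defaults, which should either be stated in the comment above the PAM block or resolved by ordering the two definitions explicitly rather than by a circular reference.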