comparison default_options.h.in @ 1511:5916af64acd4 fuzz

merge from main
author Matt Johnston <matt@ucc.asn.au>
date Sat, 17 Feb 2018 19:29:51 +0800
parents 2d450c1056e3
children 6c16a05023aa
1457:32f990cc96b1 1511:5916af64acd4
1 #ifndef DROPBEAR_DEFAULT_OPTIONS_H_ 1 #ifndef DROPBEAR_DEFAULT_OPTIONS_H_
2 #define DROPBEAR_DEFAULT_OPTIONS_H_ 2 #define DROPBEAR_DEFAULT_OPTIONS_H_
3 /* 3 /*
4 > > > Read This < < < 4 > > > Read This < < <
5 5
6 default_options.h.in (this file) documents compile-time options, and provides 6 default_options.h.in documents compile-time options, and provides default values.
7 default values.
8 7
9 Local customisation should be added to localoptions.h which is 8 Local customisation should be added to localoptions.h which is
10 used if it exists. Options defined there will override any options in this 9 used if it exists. Options defined there will override any options in this
11 file (#ifndef guards added by ifndef_wrapper.sh). 10 file.
12 11
13 Options can also be defined with -DDROPBEAR_XXX in Makefile CFLAGS 12 Options can also be defined with -DDROPBEAR_XXX in Makefile CFLAGS
14 13
15 IMPORTANT: Many options will require "make clean" after changes */ 14 IMPORTANT: Many options will require "make clean" after changes */
16 15
35 * Both of these flags can be defined at once, don't compile without at least 34 * Both of these flags can be defined at once, don't compile without at least
36 * one of them. */ 35 * one of them. */
37 #define NON_INETD_MODE 1 36 #define NON_INETD_MODE 1
38 #define INETD_MODE 1 37 #define INETD_MODE 1
39 38
40 /* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is 39 #if !(NON_INETD_MODE || INETD_MODE)
41 * perhaps 20% slower for pubkey operations (it is probably worth experimenting 40 #error "NON_INETD_MODE or INETD_MODE (or both) must be enabled."
42 * if you want to use this) */ 41 #endif
43 /*#define NO_FAST_EXPTMOD*/
44 42
45 /* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save 43 /* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save
46 several kB in binary size however will make the symmetrical ciphers and hashes 44 several kB in binary size however will make the symmetrical ciphers and hashes
47 slower, perhaps by 50%. Recommended for small systems that aren't doing 45 slower, perhaps by 50%. Recommended for small systems that aren't doing
48 much traffic. */ 46 much traffic. */
76 /* Enable "Netcat mode" option. This will forward standard input/output 74 /* Enable "Netcat mode" option. This will forward standard input/output
77 * to a remote TCP-forwarded connection */ 75 * to a remote TCP-forwarded connection */
78 #define DROPBEAR_CLI_NETCAT 1 76 #define DROPBEAR_CLI_NETCAT 1
79 77
80 /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */ 78 /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
81 #define ENABLE_USER_ALGO_LIST 1 79 #define DROPBEAR_USER_ALGO_LIST 1
82 80
83 /* Encryption - at least one required. 81 /* Encryption - at least one required.
84 * Protocol RFC requires 3DES and recommends AES128 for interoperability. 82 * Protocol RFC requires 3DES and recommends AES128 for interoperability.
85 * Including multiple keysize variants the same cipher 83 * Including multiple keysize variants the same cipher
86 * (eg AES256 as well as AES128) will result in a minimal size increase.*/ 84 * (eg AES256 as well as AES128) will result in a minimal size increase.*/
87 #define DROPBEAR_AES128 1 85 #define DROPBEAR_AES128 1
88 #define DROPBEAR_3DES 1 86 #define DROPBEAR_3DES 1
89 #define DROPBEAR_AES256 1 87 #define DROPBEAR_AES256 1
90 /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
91 /*#define DROPBEAR_BLOWFISH*/
92 #define DROPBEAR_TWOFISH256 1 88 #define DROPBEAR_TWOFISH256 1
93 #define DROPBEAR_TWOFISH128 1 89 #define DROPBEAR_TWOFISH128 1
90 /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
91 #define DROPBEAR_BLOWFISH 0
92
93 #if !(DROPBEAR_AES128 || DROPBEAR_3DES || DROPBEAR_AES256 || DROPBEAR_BLOWFISH \
94 || DROPBEAR_TWOFISH256 || DROPBEAR_TWOFISH128)
95 #error "At least one encryption algorithm must be enabled; 3DES and AES128 are recommended."
96 #endif
94 97
95 /* Enable CBC mode for ciphers. This has security issues though 98 /* Enable CBC mode for ciphers. This has security issues though
96 * is the most compatible with older SSH implementations */ 99 * is the most compatible with older SSH implementations */
97 #define DROPBEAR_ENABLE_CBC_MODE 1 100 #define DROPBEAR_ENABLE_CBC_MODE 1
98 101
127 #define DROPBEAR_DSS 1 130 #define DROPBEAR_DSS 1
128 /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC 131 /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
129 * code (either ECDSA or ECDH) increases binary size - around 30kB 132 * code (either ECDSA or ECDH) increases binary size - around 30kB
130 * on x86-64 */ 133 * on x86-64 */
131 #define DROPBEAR_ECDSA 1 134 #define DROPBEAR_ECDSA 1
135
136 #if !(DROPBEAR_RSA || DROPBEAR_DSS || DROPBEAR_ECDSA)
137 #error "At least one hostkey or public-key algorithm must be enabled; RSA is recommended."
138 #endif
132 139
133 /* RSA must be >=1024 */ 140 /* RSA must be >=1024 */
134 #define DROPBEAR_DEFAULT_RSA_SIZE 2048 141 #define DROPBEAR_DEFAULT_RSA_SIZE 2048
135 /* DSS is always 1024 */ 142 /* DSS is always 1024 */
136 /* ECDSA defaults to largest size configured, usually 521 */ 143 /* ECDSA defaults to largest size configured, usually 521 */
192 * It's useful for systems like OS X where standard password crypts don't work 199 * It's useful for systems like OS X where standard password crypts don't work
193 * but there's an interface via a PAM module. It won't work for more complex 200 * but there's an interface via a PAM module. It won't work for more complex
194 * PAM challenge/response. 201 * PAM challenge/response.
195 * You can't enable both PASSWORD and PAM. */ 202 * You can't enable both PASSWORD and PAM. */
196 203
204 /* PAM requires ./configure --enable-pam */
205 #if defined(HAVE_LIBPAM) && !DROPBEAR_SVR_PASSWORD_AUTH
206 #define DROPBEAR_SVR_PAM_AUTH 1
207 #else
208 #define DROPBEAR_SVR_PAM_AUTH 0
209 #endif
210
197 /* This requires crypt() */ 211 /* This requires crypt() */
198 #ifdef HAVE_CRYPT 212 #if defined(HAVE_CRYPT) && !DROPBEAR_SVR_PAM_AUTH
199 #define DROPBEAR_SVR_PASSWORD_AUTH 1 213 #define DROPBEAR_SVR_PASSWORD_AUTH 1
200 #else 214 #else
201 #define DROPBEAR_SVR_PASSWORD_AUTH 0 215 #define DROPBEAR_SVR_PASSWORD_AUTH 0
202 #endif 216 #endif
203 /* PAM requires ./configure --enable-pam */ 217
204 #define DROPBEAR_SVR_PAM_AUTH 0
205 #define DROPBEAR_SVR_PUBKEY_AUTH 1 218 #define DROPBEAR_SVR_PUBKEY_AUTH 1
219
220 #if !(DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH || DROPBEAR_SVR_PUBKEY_AUTH)
221 #error "At least one server authentication type must be enabled; PUBKEY and PASSWORD are recommended."
222 #endif
223
224 #if DROPBEAR_SVR_PASSWORD_AUTH && !HAVE_CRYPT
225 #error "DROPBEAR_SVR_PASSWORD_AUTH requires `crypt()'."
226 #endif
227
228 #if DROPBEAR_SVR_PAM_AUTH
229 #if DISABLE_PAM
230 #error "DROPBEAR_SVR_PAM_AUTH requires 'configure --enable-pam' to succeed."
231 #endif
232 #if DROPBEAR_SVR_PASSWORD_AUTH
233 #error "DROPBEAR_SVR_PASSWORD_AUTH cannot be enabled at the same time as DROPBEAR_SVR_PAM_AUTH."
234 #endif
235 #endif
206 236
207 /* Whether to take public key options in 237 /* Whether to take public key options in
208 * authorized_keys file into account */ 238 * authorized_keys file into account */
209 #define DROPBEAR_SVR_PUBKEY_OPTIONS 1 239 #define DROPBEAR_SVR_PUBKEY_OPTIONS 1
210 240
211 /* This requires getpass. */ 241 /* This requires getpass. */
212 #ifdef HAVE_GETPASS 242 #ifdef HAVE_GETPASS
213 #define DROPBEAR_CLI_PASSWORD_AUTH 1 243 #define DROPBEAR_CLI_PASSWORD_AUTH 1
214 #define DROPBEAR_CLI_INTERACT_AUTH 1 244 #define DROPBEAR_CLI_INTERACT_AUTH 1
245 #else
246 #define DROPBEAR_CLI_PASSWORD_AUTH 0
247 #define DROPBEAR_CLI_INTERACT_AUTH 0
215 #endif 248 #endif
216 #define DROPBEAR_CLI_PUBKEY_AUTH 1 249 #define DROPBEAR_CLI_PUBKEY_AUTH 1
250
251 #if !(DROPBEAR_CLI_PASSWORD_AUTH || DROPBEAR_CLI_PUBKEY_AUTH)
252 #error "At least one client authentication type must be enabled; PUBKEY and PASSWORD are recommended."
253 #endif
217 254
218 /* A default argument for dbclient -i <privatekey>. 255 /* A default argument for dbclient -i <privatekey>.
219 Homedir is prepended unless path begins with / */ 256 Homedir is prepended unless path begins with / */
220 #define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear" 257 #define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear"
221 258
223 * authentication on the commandline. Beware of platforms 260 * authentication on the commandline. Beware of platforms
224 * that don't protect environment variables of processes etc. Also 261 * that don't protect environment variables of processes etc. Also
225 * note that it will be provided for all "hidden" client-interactive 262 * note that it will be provided for all "hidden" client-interactive
226 * style prompts - if you want something more sophisticated, use 263 * style prompts - if you want something more sophisticated, use
227 * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/ 264 * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/
228 #define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD" 265 #define DROPBEAR_USE_DROPBEAR_PASSWORD 1
229 266
230 /* Define this (as well as DROPBEAR_CLI_PASSWORD_AUTH) to allow the use of 267 /* Define this (as well as DROPBEAR_CLI_PASSWORD_AUTH) to allow the use of
231 * a helper program for the ssh client. The helper program should be 268 * a helper program for the ssh client. The helper program should be
232 * specified in the SSH_ASKPASS environment variable, and dbclient 269 * specified in the SSH_ASKPASS environment variable, and dbclient
233 * should be run with DISPLAY set and no tty. The program should 270 * should be run with DISPLAY set and no tty. The program should
234 * return the password on standard output */ 271 * return the password on standard output */
235 #define DROPBEAR_CLI_ASKPASS_HELPER 0 272 #define DROPBEAR_CLI_ASKPASS_HELPER 0
236 273
274 #if DROPBEAR_CLI_ASKPASS_HELPER
275 #define DROPBEAR_CLI_PASSWORD_AUTH 1
276 #endif
277
237 /* Save a network roundtrip by sendng a real auth request immediately after 278 /* Save a network roundtrip by sendng a real auth request immediately after
238 * sending a query for the available methods. It is at the expense of < 100 279 * sending a query for the available methods. It is at the expense of < 100
239 * bytes of extra network traffic. This is not yet enabled by default since it 280 * bytes of extra network traffic. This is not yet enabled by default since it
240 * could cause problems with non-compliant servers */ 281 * could cause problems with non-compliant servers */
241 #define DROPBEAR_CLI_IMMEDIATE_AUTH 0 282 #define DROPBEAR_CLI_IMMEDIATE_AUTH 0
244 * connection without blocking. In addition /dev/random is used for seeding 285 * connection without blocking. In addition /dev/random is used for seeding
245 * rsa/dss key generation */ 286 * rsa/dss key generation */
246 #define DROPBEAR_URANDOM_DEV "/dev/urandom" 287 #define DROPBEAR_URANDOM_DEV "/dev/urandom"
247 288
248 /* Set this to use PRNGD or EGD instead of /dev/urandom or /dev/random */ 289 /* Set this to use PRNGD or EGD instead of /dev/urandom or /dev/random */
249 /*#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"*/ 290 #define DROPBEAR_USE_PRNGD 0
250 291 #define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"
251 292
252 /* Specify the number of clients we will allow to be connected but 293 /* Specify the number of clients we will allow to be connected but
253 * not yet authenticated. After this limit, connections are rejected */ 294 * not yet authenticated. After this limit, connections are rejected */
254 /* The first setting is per-IP, to avoid denial of service */ 295 /* The first setting is per-IP, to avoid denial of service */
255 #define MAX_UNAUTH_PER_IP 5 296 #define MAX_UNAUTH_PER_IP 5
267 #define DROPBEAR_PIDFILE "/var/run/dropbear.pid" 308 #define DROPBEAR_PIDFILE "/var/run/dropbear.pid"
268 309
269 /* The command to invoke for xauth when using X11 forwarding. 310 /* The command to invoke for xauth when using X11 forwarding.
270 * "-q" for quiet */ 311 * "-q" for quiet */
271 #define XAUTH_COMMAND "/usr/bin/xauth -q" 312 #define XAUTH_COMMAND "/usr/bin/xauth -q"
313
314 #define DROPBEAR_SFTPSERVER 1
272 315
273 /* if you want to enable running an sftp server (such as the one included with 316 /* if you want to enable running an sftp server (such as the one included with
274 * OpenSSH), set the path below. If the path isn't defined, sftp will not 317 * OpenSSH), set the path below. If the path isn't defined, sftp will not
275 * be enabled */ 318 * be enabled */
276 #define SFTPSERVER_PATH "/usr/libexec/sftp-server" 319 #define SFTPSERVER_PATH "/usr/libexec/sftp-server"
313 #define DEFAULT_IDLE_TIMEOUT 0 356 #define DEFAULT_IDLE_TIMEOUT 0
314 357
315 /* The default path. This will often get replaced by the shell */ 358 /* The default path. This will often get replaced by the shell */
316 #define DEFAULT_PATH "/usr/bin:/bin" 359 #define DEFAULT_PATH "/usr/bin:/bin"
317 360
361 /* Include verbose debug output, enabled with -v at runtime.
362 * This will add a reasonable amount to your executable size. */
363 #define DEBUG_TRACE 0
364
318 #endif /* DROPBEAR_DEFAULT_OPTIONS_H_ */ 365 #endif /* DROPBEAR_DEFAULT_OPTIONS_H_ */
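Review bot: The comment above `DROPBEAR_USE_DROPBEAR_PASSWORD` (new line 264) still says "Comment out this var to remove this functionality", but the option it documents has been turned into a numeric flag, `#define DROPBEAR_USE_DROPBEAR_PASSWORD 1` (new line 265), so the instruction should read `SSH_ASKPASS instead. Set this to 0 to remove this functionality.*/`. Commenting it out still disables it only by accident (an undefined macro evaluates to 0 in `#if`), and for a knob that lets dbclient read a password from the process environment the documented off-switch should be the explicit one. Separately, the new PAM block at new line 205, `#if defined(HAVE_LIBPAM) && !DROPBEAR_SVR_PASSWORD_AUTH`, tests DROPBEAR_SVR_PASSWORD_AUTH before this file defines it at new line 212, so that term only carries meaning when localoptions.h set the macro earlier; a note such as `/* DROPBEAR_SVR_PASSWORD_AUTH here is only what localoptions.h set; undefined counts as 0 */` would keep a reader from assuming the later definition is consulted. The new line 275 `#define DROPBEAR_CLI_PASSWORD_AUTH 1` under DROPBEAR_CLI_ASKPASS_HELPER also follows the unconditional definition at new lines 243/246, so whether it takes effect presumably depends on the ifndef wrapping the header used to mention and now does not; worth confirming.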