comparison default_options.h @ 1514:6c16a05023aa

rename some options and move some to sysoptions.h
author Matt Johnston <matt@ucc.asn.au>
date Sun, 18 Feb 2018 00:29:17 +0800
parents 1ea92dd2ca5f
children 2f4d52b1334e
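--- a/default_options.h
+++ b/default_options.h
@@ -55,14 +55,15 @@
 #endif
 #ifndef INETD_MODE
 #define INETD_MODE 1
 #endif
 
-/* Setting this disables the fast exptmod bignum code. It saves ~5kB, but is
- * perhaps 20% slower for pubkey operations (it is probably worth experimenting
- * if you want to use this) */
-/*#define NO_FAST_EXPTMOD*/
+/* Include verbose debug output, enabled with -v at runtime.
+ * This will add a reasonable amount to your executable size. */
+#ifndef DEBUG_TRACE
+#define DEBUG_TRACE 0
+#endif
 
 /* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save
 several kB in binary size however will make the symmetrical ciphers and hashes
 slower, perhaps by 50%. Recommended for small systems that aren't doing
 much traffic. */
@@ -99,11 +100,10 @@
 #endif
 #ifndef DROPBEAR_CLI_AGENTFWD
 #define DROPBEAR_CLI_AGENTFWD 1
 #endif
 
-
 /* Note: Both DROPBEAR_CLI_PROXYCMD and DROPBEAR_CLI_NETCAT must be set to
  * allow multihop dbclient connections */
 
 /* Allow using -J <proxycommand> to run the connection through a
 pipe to a program, rather the normal TCP connection */
@@ -116,43 +116,46 @@
 #ifndef DROPBEAR_CLI_NETCAT
 #define DROPBEAR_CLI_NETCAT 1
 #endif
 
 /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
-#ifndef ENABLE_USER_ALGO_LIST
-#define ENABLE_USER_ALGO_LIST 1
+#ifndef DROPBEAR_USER_ALGO_LIST
+#define DROPBEAR_USER_ALGO_LIST 1
 #endif
 
 /* Encryption - at least one required.
- * Protocol RFC requires 3DES and recommends AES128 for interoperability.
- * Including multiple keysize variants the same cipher
- * (eg AES256 as well as AES128) will result in a minimal size increase.*/
+ * AES128 should be enabled, some very old implementations might only
+ * support 3DES.
+ * Including both AES keysize variants (128 and 256) will result in
+ * a minimal size increase */
 #ifndef DROPBEAR_AES128
 #define DROPBEAR_AES128 1
 #endif
 #ifndef DROPBEAR_3DES
 #define DROPBEAR_3DES 1
 #endif
 #ifndef DROPBEAR_AES256
 #define DROPBEAR_AES256 1
 #endif
-/* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
-/*#define DROPBEAR_BLOWFISH*/
 #ifndef DROPBEAR_TWOFISH256
 #define DROPBEAR_TWOFISH256 1
 #endif
 #ifndef DROPBEAR_TWOFISH128
 #define DROPBEAR_TWOFISH128 1
+#endif
+/* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
+#ifndef DROPBEAR_BLOWFISH
+#define DROPBEAR_BLOWFISH 0
 #endif
 
 /* Enable CBC mode for ciphers. This has security issues though
  * is the most compatible with older SSH implementations */
 #ifndef DROPBEAR_ENABLE_CBC_MODE
 #define DROPBEAR_ENABLE_CBC_MODE 1
 #endif
 
-/* Enable "Counter Mode" for ciphers. This is more secure than normal
+/* Enable "Counter Mode" for ciphers. This is more secure than
  * CBC mode against certain attacks. It is recommended for security
  * and forwards compatibility */
 #ifndef DROPBEAR_ENABLE_CTR_MODE
 #define DROPBEAR_ENABLE_CTR_MODE 1
 #endif
@@ -173,11 +176,11 @@
 #define DROPBEAR_SHA1_96_HMAC 1
 #endif
 #ifndef DROPBEAR_SHA2_256_HMAC
 #define DROPBEAR_SHA2_256_HMAC 1
 #endif
-/* Default is to include it is sha512 is being compiled in for ECDSA */
+/* Default is to include it if sha512 is being compiled in for ECDSA */
 #ifndef DROPBEAR_SHA2_512_HMAC
 #define DROPBEAR_SHA2_512_HMAC (DROPBEAR_ECDSA)
 #endif
 
 /* XXX needed for fingerprints */
@@ -282,50 +285,38 @@
 #define MOTD_FILENAME "/etc/motd"
 #endif
 
 /* Authentication Types - at least one required.
 RFC Draft requires pubkey auth, and recommends password */
+#ifndef DROPBEAR_SVR_PASSWORD_AUTH
+#define DROPBEAR_SVR_PASSWORD_AUTH 1
+#endif
 
 /* Note: PAM auth is quite simple and only works for PAM modules which just do
  * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c).
  * It's useful for systems like OS X where standard password crypts don't work
  * but there's an interface via a PAM module. It won't work for more complex
  * PAM challenge/response.
  * You can't enable both PASSWORD and PAM. */
-
-/* This requires crypt() */
-#ifdef HAVE_CRYPT
-#ifndef DROPBEAR_SVR_PASSWORD_AUTH
-#define DROPBEAR_SVR_PASSWORD_AUTH 1
-#endif
-#else
-#ifndef DROPBEAR_SVR_PASSWORD_AUTH
-#define DROPBEAR_SVR_PASSWORD_AUTH 0
-#endif
-#endif
-/* PAM requires ./configure --enable-pam */
 #ifndef DROPBEAR_SVR_PAM_AUTH
 #define DROPBEAR_SVR_PAM_AUTH 0
 #endif
+
+/* ~/.ssh/authorized_keys authentication */
 #ifndef DROPBEAR_SVR_PUBKEY_AUTH
 #define DROPBEAR_SVR_PUBKEY_AUTH 1
 #endif
 
 /* Whether to take public key options in
  * authorized_keys file into account */
 #ifndef DROPBEAR_SVR_PUBKEY_OPTIONS
 #define DROPBEAR_SVR_PUBKEY_OPTIONS 1
 #endif
 
-/* This requires getpass. */
-#ifdef HAVE_GETPASS
+/* Client authentication options */
 #ifndef DROPBEAR_CLI_PASSWORD_AUTH
 #define DROPBEAR_CLI_PASSWORD_AUTH 1
-#endif
-#ifndef DROPBEAR_CLI_INTERACT_AUTH
-#define DROPBEAR_CLI_INTERACT_AUTH 1
-#endif
 #endif
 #ifndef DROPBEAR_CLI_PUBKEY_AUTH
 #define DROPBEAR_CLI_PUBKEY_AUTH 1
 #endif
 
@@ -333,18 +324,14 @@
 Homedir is prepended unless path begins with / */
 #ifndef DROPBEAR_DEFAULT_CLI_AUTHKEY
 #define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear"
 #endif
 
-/* This variable can be used to set a password for client
- * authentication on the commandline. Beware of platforms
- * that don't protect environment variables of processes etc. Also
- * note that it will be provided for all "hidden" client-interactive
- * style prompts - if you want something more sophisticated, use
- * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/
-#ifndef DROPBEAR_PASSWORD_ENV
-#define DROPBEAR_PASSWORD_ENV "DROPBEAR_PASSWORD"
+/* Allow specifying the password for dbclient via the DROPBEAR_PASSWORD
+ * environment variable. */
+#ifndef DROPBEAR_USE_PASSWORD_ENV
+#define DROPBEAR_USE_PASSWORD_ENV 1
 #endif
 
 /* Define this (as well as DROPBEAR_CLI_PASSWORD_AUTH) to allow the use of
  * a helper program for the ssh client. The helper program should be
  * specified in the SSH_ASKPASS environment variable, and dbclient
@@ -353,27 +340,21 @@
 #ifndef DROPBEAR_CLI_ASKPASS_HELPER
 #define DROPBEAR_CLI_ASKPASS_HELPER 0
 #endif
 
 /* Save a network roundtrip by sendng a real auth request immediately after
- * sending a query for the available methods. It is at the expense of < 100
- * bytes of extra network traffic. This is not yet enabled by default since it
- * could cause problems with non-compliant servers */
-#ifndef DROPBEAR_CLI_IMMEDIATE_AUTH
-#define DROPBEAR_CLI_IMMEDIATE_AUTH 0
-#endif
-
-/* Source for randomness. This must be able to provide hundreds of bytes per SSH
- * connection without blocking. In addition /dev/random is used for seeding
- * rsa/dss key generation */
-#ifndef DROPBEAR_URANDOM_DEV
-#define DROPBEAR_URANDOM_DEV "/dev/urandom"
-#endif
-
-/* Set this to use PRNGD or EGD instead of /dev/urandom or /dev/random */
-/*#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"*/
-
+ * sending a query for the available methods. This is not yet enabled by default
+ since it could cause problems with non-compliant servers */
+#define DROPBEAR_CLI_IMMEDIATE_AUTH 0
+
+/* Set this to use PRNGD or EGD instead of /dev/urandom */
+#ifndef DROPBEAR_USE_PRNGD
+#define DROPBEAR_USE_PRNGD 0
+#endif
+#ifndef DROPBEAR_PRNGD_SOCKET
+#define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"
+#endif
 
 /* Specify the number of clients we will allow to be connected but
  * not yet authenticated. After this limit, connections are rejected */
 /* The first setting is per-IP, to avoid denial of service */
 #ifndef MAX_UNAUTH_PER_IP
@@ -402,13 +383,17 @@
  * "-q" for quiet */
 #ifndef XAUTH_COMMAND
 #define XAUTH_COMMAND "/usr/bin/xauth -q"
 #endif
 
+
 /* if you want to enable running an sftp server (such as the one included with
- * OpenSSH), set the path below. If the path isn't defined, sftp will not
- * be enabled */
+ * OpenSSH), set the path below and set DROPBEAR_SFTPSERVER.
+ * The sftp-server program is not provided by Dropbear itself */
+#ifndef DROPBEAR_SFTPSERVER
+#define DROPBEAR_SFTPSERVER 1
+#endif
 #ifndef SFTPSERVER_PATH
 #define SFTPSERVER_PATH "/usr/libexec/sftp-server"
 #endif
 
 /* This is used by the scp binary when used as a client binary. If you're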
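Review bot: `#define DROPBEAR_CLI_IMMEDIATE_AUTH 0` at new line 347 is the only option in this file written without an `#ifndef` guard, so an override in localoptions.h would hit a macro redefinition instead of taking effect; it should read `#ifndef DROPBEAR_CLI_IMMEDIATE_AUTH` / `#define DROPBEAR_CLI_IMMEDIATE_AUTH 0` / `#endif` like every neighbouring option. The new unconditional `DROPBEAR_SVR_PASSWORD_AUTH 1` (new 290-292) and `DROPBEAR_CLI_PASSWORD_AUTH 1` (new 316-318) defaults also drop the `HAVE_CRYPT` and `HAVE_GETPASS` conditions that previously turned password auth off when the platform lacks crypt() or getpass(); presumably that check moves to sysoptions.h per the commit message, but nothing in this diff shows it, so a build without crypt() now selects server password auth by default. The rewritten comment on `DROPBEAR_USE_PASSWORD_ENV` (new 329-330) loses the old caveat that the process environment may be readable by other users on some platforms; since the option now defaults to 1, keep a line such as `/* Beware of platforms that don't protect the environment of other processes. */`.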