comparison default_options.h.in @ 1514:6c16a05023aa

rename some options and move some to sysoptions.h
author Matt Johnston <matt@ucc.asn.au>
date Sun, 18 Feb 2018 00:29:17 +0800
parents 2d450c1056e3
children 7c7c5326ad73
1513:c7675aa88880 1514:6c16a05023aa
34 * Both of these flags can be defined at once, don't compile without at least 34 * Both of these flags can be defined at once, don't compile without at least
35 * one of them. */ 35 * one of them. */
36 #define NON_INETD_MODE 1 36 #define NON_INETD_MODE 1
37 #define INETD_MODE 1 37 #define INETD_MODE 1
38 38
39 #if !(NON_INETD_MODE || INETD_MODE) 39 /* Include verbose debug output, enabled with -v at runtime.
40 #error "NON_INETD_MODE or INETD_MODE (or both) must be enabled." 40 * This will add a reasonable amount to your executable size. */
41 #endif 41 #define DEBUG_TRACE 0
42 42
43 /* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save 43 /* Set this if you want to use the DROPBEAR_SMALL_CODE option. This can save
44 several kB in binary size however will make the symmetrical ciphers and hashes 44 several kB in binary size however will make the symmetrical ciphers and hashes
45 slower, perhaps by 50%. Recommended for small systems that aren't doing 45 slower, perhaps by 50%. Recommended for small systems that aren't doing
46 much traffic. */ 46 much traffic. */
61 61
62 /* Enable Authentication Agent Forwarding */ 62 /* Enable Authentication Agent Forwarding */
63 #define DROPBEAR_SVR_AGENTFWD 1 63 #define DROPBEAR_SVR_AGENTFWD 1
64 #define DROPBEAR_CLI_AGENTFWD 1 64 #define DROPBEAR_CLI_AGENTFWD 1
65 65
66
67 /* Note: Both DROPBEAR_CLI_PROXYCMD and DROPBEAR_CLI_NETCAT must be set to 66 /* Note: Both DROPBEAR_CLI_PROXYCMD and DROPBEAR_CLI_NETCAT must be set to
68 * allow multihop dbclient connections */ 67 * allow multihop dbclient connections */
69 68
70 /* Allow using -J <proxycommand> to run the connection through a 69 /* Allow using -J <proxycommand> to run the connection through a
71 pipe to a program, rather the normal TCP connection */ 70 pipe to a program, rather the normal TCP connection */
77 76
78 /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */ 77 /* Whether to support "-c" and "-m" flags to choose ciphers/MACs at runtime */
79 #define DROPBEAR_USER_ALGO_LIST 1 78 #define DROPBEAR_USER_ALGO_LIST 1
80 79
81 /* Encryption - at least one required. 80 /* Encryption - at least one required.
82 * Protocol RFC requires 3DES and recommends AES128 for interoperability. 81 * AES128 should be enabled, some very old implementations might only
83 * Including multiple keysize variants the same cipher 82 * support 3DES.
84 * (eg AES256 as well as AES128) will result in a minimal size increase.*/ 83 * Including both AES keysize variants (128 and 256) will result in
84 * a minimal size increase */
85 #define DROPBEAR_AES128 1 85 #define DROPBEAR_AES128 1
86 #define DROPBEAR_3DES 1 86 #define DROPBEAR_3DES 1
87 #define DROPBEAR_AES256 1 87 #define DROPBEAR_AES256 1
88 #define DROPBEAR_TWOFISH256 1 88 #define DROPBEAR_TWOFISH256 1
89 #define DROPBEAR_TWOFISH128 1 89 #define DROPBEAR_TWOFISH128 1
90 /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */ 90 /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
91 #define DROPBEAR_BLOWFISH 0 91 #define DROPBEAR_BLOWFISH 0
92 92
93 #if !(DROPBEAR_AES128 || DROPBEAR_3DES || DROPBEAR_AES256 || DROPBEAR_BLOWFISH \
94 || DROPBEAR_TWOFISH256 || DROPBEAR_TWOFISH128)
95 #error "At least one encryption algorithm must be enabled; 3DES and AES128 are recommended."
96 #endif
97
98 /* Enable CBC mode for ciphers. This has security issues though 93 /* Enable CBC mode for ciphers. This has security issues though
99 * is the most compatible with older SSH implementations */ 94 * is the most compatible with older SSH implementations */
100 #define DROPBEAR_ENABLE_CBC_MODE 1 95 #define DROPBEAR_ENABLE_CBC_MODE 1
101 96
102 /* Enable "Counter Mode" for ciphers. This is more secure than normal 97 /* Enable "Counter Mode" for ciphers. This is more secure than
103 * CBC mode against certain attacks. It is recommended for security 98 * CBC mode against certain attacks. It is recommended for security
104 * and forwards compatibility */ 99 * and forwards compatibility */
105 #define DROPBEAR_ENABLE_CTR_MODE 1 100 #define DROPBEAR_ENABLE_CTR_MODE 1
106 101
107 /* Twofish counter mode is disabled by default because it 102 /* Twofish counter mode is disabled by default because it
112 /* Message integrity. sha2-256 is recommended as a default, 107 /* Message integrity. sha2-256 is recommended as a default,
113 sha1 for compatibility */ 108 sha1 for compatibility */
114 #define DROPBEAR_SHA1_HMAC 1 109 #define DROPBEAR_SHA1_HMAC 1
115 #define DROPBEAR_SHA1_96_HMAC 1 110 #define DROPBEAR_SHA1_96_HMAC 1
116 #define DROPBEAR_SHA2_256_HMAC 1 111 #define DROPBEAR_SHA2_256_HMAC 1
117 /* Default is to include it is sha512 is being compiled in for ECDSA */ 112 /* Default is to include it if sha512 is being compiled in for ECDSA */
118 #define DROPBEAR_SHA2_512_HMAC (DROPBEAR_ECDSA) 113 #define DROPBEAR_SHA2_512_HMAC (DROPBEAR_ECDSA)
119 114
120 /* XXX needed for fingerprints */ 115 /* XXX needed for fingerprints */
121 #define DROPBEAR_MD5_HMAC 0 116 #define DROPBEAR_MD5_HMAC 0
122 117
130 #define DROPBEAR_DSS 1 125 #define DROPBEAR_DSS 1
131 /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC 126 /* ECDSA is significantly faster than RSA or DSS. Compiling in ECC
132 * code (either ECDSA or ECDH) increases binary size - around 30kB 127 * code (either ECDSA or ECDH) increases binary size - around 30kB
133 * on x86-64 */ 128 * on x86-64 */
134 #define DROPBEAR_ECDSA 1 129 #define DROPBEAR_ECDSA 1
135
136 #if !(DROPBEAR_RSA || DROPBEAR_DSS || DROPBEAR_ECDSA)
137 #error "At least one hostkey or public-key algorithm must be enabled; RSA is recommended."
138 #endif
139 130
140 /* RSA must be >=1024 */ 131 /* RSA must be >=1024 */
141 #define DROPBEAR_DEFAULT_RSA_SIZE 2048 132 #define DROPBEAR_DEFAULT_RSA_SIZE 2048
142 /* DSS is always 1024 */ 133 /* DSS is always 1024 */
143 /* ECDSA defaults to largest size configured, usually 521 */ 134 /* ECDSA defaults to largest size configured, usually 521 */
191 /* The MOTD file path */ 182 /* The MOTD file path */
192 #define MOTD_FILENAME "/etc/motd" 183 #define MOTD_FILENAME "/etc/motd"
193 184
194 /* Authentication Types - at least one required. 185 /* Authentication Types - at least one required.
195 RFC Draft requires pubkey auth, and recommends password */ 186 RFC Draft requires pubkey auth, and recommends password */
187 #define DROPBEAR_SVR_PASSWORD_AUTH 1
196 188
197 /* Note: PAM auth is quite simple and only works for PAM modules which just do 189 /* Note: PAM auth is quite simple and only works for PAM modules which just do
198 * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c). 190 * a simple "Login: " "Password: " (you can edit the strings in svr-authpam.c).
199 * It's useful for systems like OS X where standard password crypts don't work 191 * It's useful for systems like OS X where standard password crypts don't work
200 * but there's an interface via a PAM module. It won't work for more complex 192 * but there's an interface via a PAM module. It won't work for more complex
201 * PAM challenge/response. 193 * PAM challenge/response.
202 * You can't enable both PASSWORD and PAM. */ 194 * You can't enable both PASSWORD and PAM. */
203 195 #define DROPBEAR_SVR_PAM_AUTH 0
204 /* PAM requires ./configure --enable-pam */ 196
205 #if defined(HAVE_LIBPAM) && !DROPBEAR_SVR_PASSWORD_AUTH 197 /* ~/.ssh/authorized_keys authentication */
206 #define DROPBEAR_SVR_PAM_AUTH 1
207 #else
208 #define DROPBEAR_SVR_PAM_AUTH 0
209 #endif
210
211 /* This requires crypt() */
212 #if defined(HAVE_CRYPT) && !DROPBEAR_SVR_PAM_AUTH
213 #define DROPBEAR_SVR_PASSWORD_AUTH 1
214 #else
215 #define DROPBEAR_SVR_PASSWORD_AUTH 0
216 #endif
217
218 #define DROPBEAR_SVR_PUBKEY_AUTH 1 198 #define DROPBEAR_SVR_PUBKEY_AUTH 1
219
220 #if !(DROPBEAR_SVR_PASSWORD_AUTH || DROPBEAR_SVR_PAM_AUTH || DROPBEAR_SVR_PUBKEY_AUTH)
221 #error "At least one server authentication type must be enabled; PUBKEY and PASSWORD are recommended."
222 #endif
223
224 #if DROPBEAR_SVR_PASSWORD_AUTH && !HAVE_CRYPT
225 #error "DROPBEAR_SVR_PASSWORD_AUTH requires `crypt()'."
226 #endif
227
228 #if DROPBEAR_SVR_PAM_AUTH
229 #if DISABLE_PAM
230 #error "DROPBEAR_SVR_PAM_AUTH requires 'configure --enable-pam' to succeed."
231 #endif
232 #if DROPBEAR_SVR_PASSWORD_AUTH
233 #error "DROPBEAR_SVR_PASSWORD_AUTH cannot be enabled at the same time as DROPBEAR_SVR_PAM_AUTH."
234 #endif
235 #endif
236 199
237 /* Whether to take public key options in 200 /* Whether to take public key options in
238 * authorized_keys file into account */ 201 * authorized_keys file into account */
239 #define DROPBEAR_SVR_PUBKEY_OPTIONS 1 202 #define DROPBEAR_SVR_PUBKEY_OPTIONS 1
240 203
241 /* This requires getpass. */ 204 /* Client authentication options */
242 #ifdef HAVE_GETPASS 205 #define DROPBEAR_CLI_PASSWORD_AUTH 1
243 #define DROPBEAR_CLI_PASSWORD_AUTH 1
244 #define DROPBEAR_CLI_INTERACT_AUTH 1
245 #else
246 #define DROPBEAR_CLI_PASSWORD_AUTH 0
247 #define DROPBEAR_CLI_INTERACT_AUTH 0
248 #endif
249 #define DROPBEAR_CLI_PUBKEY_AUTH 1 206 #define DROPBEAR_CLI_PUBKEY_AUTH 1
250
251 #if !(DROPBEAR_CLI_PASSWORD_AUTH || DROPBEAR_CLI_PUBKEY_AUTH)
252 #error "At least one client authentication type must be enabled; PUBKEY and PASSWORD are recommended."
253 #endif
254 207
255 /* A default argument for dbclient -i <privatekey>. 208 /* A default argument for dbclient -i <privatekey>.
256 Homedir is prepended unless path begins with / */ 209 Homedir is prepended unless path begins with / */
257 #define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear" 210 #define DROPBEAR_DEFAULT_CLI_AUTHKEY ".ssh/id_dropbear"
258 211
259 /* This variable can be used to set a password for client 212 /* Allow specifying the password for dbclient via the DROPBEAR_PASSWORD
260 * authentication on the commandline. Beware of platforms 213 * environment variable. */
261 * that don't protect environment variables of processes etc. Also 214 #define DROPBEAR_USE_PASSWORD_ENV 1
262 * note that it will be provided for all "hidden" client-interactive
263 * style prompts - if you want something more sophisticated, use
264 * SSH_ASKPASS instead. Comment out this var to remove this functionality.*/
265 #define DROPBEAR_USE_DROPBEAR_PASSWORD 1
266 215
267 /* Define this (as well as DROPBEAR_CLI_PASSWORD_AUTH) to allow the use of 216 /* Define this (as well as DROPBEAR_CLI_PASSWORD_AUTH) to allow the use of
268 * a helper program for the ssh client. The helper program should be 217 * a helper program for the ssh client. The helper program should be
269 * specified in the SSH_ASKPASS environment variable, and dbclient 218 * specified in the SSH_ASKPASS environment variable, and dbclient
270 * should be run with DISPLAY set and no tty. The program should 219 * should be run with DISPLAY set and no tty. The program should
271 * return the password on standard output */ 220 * return the password on standard output */
272 #define DROPBEAR_CLI_ASKPASS_HELPER 0 221 #define DROPBEAR_CLI_ASKPASS_HELPER 0
273 222
274 #if DROPBEAR_CLI_ASKPASS_HELPER
275 #define DROPBEAR_CLI_PASSWORD_AUTH 1
276 #endif
277
278 /* Save a network roundtrip by sendng a real auth request immediately after 223 /* Save a network roundtrip by sendng a real auth request immediately after
279 * sending a query for the available methods. It is at the expense of < 100 224 * sending a query for the available methods. This is not yet enabled by default
280 * bytes of extra network traffic. This is not yet enabled by default since it 225 since it could cause problems with non-compliant servers */
281 * could cause problems with non-compliant servers */ 226 #define DROPBEAR_CLI_IMMEDIATE_AUTH 0
282 #define DROPBEAR_CLI_IMMEDIATE_AUTH 0 227
283 228 /* Set this to use PRNGD or EGD instead of /dev/urandom */
284 /* Source for randomness. This must be able to provide hundreds of bytes per SSH
285 * connection without blocking. In addition /dev/random is used for seeding
286 * rsa/dss key generation */
287 #define DROPBEAR_URANDOM_DEV "/dev/urandom"
288
289 /* Set this to use PRNGD or EGD instead of /dev/urandom or /dev/random */
290 #define DROPBEAR_USE_PRNGD 0 229 #define DROPBEAR_USE_PRNGD 0
291 #define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng" 230 #define DROPBEAR_PRNGD_SOCKET "/var/run/dropbear-rng"
292 231
293 /* Specify the number of clients we will allow to be connected but 232 /* Specify the number of clients we will allow to be connected but
294 * not yet authenticated. After this limit, connections are rejected */ 233 * not yet authenticated. After this limit, connections are rejected */
309 248
310 /* The command to invoke for xauth when using X11 forwarding. 249 /* The command to invoke for xauth when using X11 forwarding.
311 * "-q" for quiet */ 250 * "-q" for quiet */
312 #define XAUTH_COMMAND "/usr/bin/xauth -q" 251 #define XAUTH_COMMAND "/usr/bin/xauth -q"
313 252
253
254 /* if you want to enable running an sftp server (such as the one included with
255 * OpenSSH), set the path below and set DROPBEAR_SFTPSERVER.
256 * The sftp-server program is not provided by Dropbear itself */
314 #define DROPBEAR_SFTPSERVER 1 257 #define DROPBEAR_SFTPSERVER 1
315
316 /* if you want to enable running an sftp server (such as the one included with
317 * OpenSSH), set the path below. If the path isn't defined, sftp will not
318 * be enabled */
319 #define SFTPSERVER_PATH "/usr/libexec/sftp-server" 258 #define SFTPSERVER_PATH "/usr/libexec/sftp-server"
320 259
321 /* This is used by the scp binary when used as a client binary. If you're 260 /* This is used by the scp binary when used as a client binary. If you're
322 * not using the Dropbear client, you'll need to change it */ 261 * not using the Dropbear client, you'll need to change it */
323 #define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/dbclient" 262 #define DROPBEAR_PATH_SSH_PROGRAM "/usr/bin/dbclient"
356 #define DEFAULT_IDLE_TIMEOUT 0 295 #define DEFAULT_IDLE_TIMEOUT 0
357 296
358 /* The default path. This will often get replaced by the shell */ 297 /* The default path. This will often get replaced by the shell */
359 #define DEFAULT_PATH "/usr/bin:/bin" 298 #define DEFAULT_PATH "/usr/bin:/bin"
360 299
361 /* Include verbose debug output, enabled with -v at runtime.
362 * This will add a reasonable amount to your executable size. */
363 #define DEBUG_TRACE 0
364
365 #endif /* DROPBEAR_DEFAULT_OPTIONS_H_ */ 300 #endif /* DROPBEAR_DEFAULT_OPTIONS_H_ */
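Review bot: The new comment on DROPBEAR_USE_PASSWORD_ENV (new lines 212–214) drops the caveat the old DROPBEAR_USE_DROPBEAR_PASSWORD comment carried about platforms that do not protect process environment variables and about SSH_ASKPASS being the alternative for anything more sophisticated; since this is the user-facing options file, that warning is where a packager would look for it. Suggest `/* Allow specifying the password for dbclient via the DROPBEAR_PASSWORD` / ` * environment variable. Beware that some platforms expose the environment of` / ` * other users' processes; prefer SSH_ASKPASS for anything more sophisticated. */`. The removed `#error` sanity checks (at least one cipher, at least one hostkey type, at least one server and client auth type, PAM/PASSWORD mutual exclusion, crypt() availability) are presumably relocated to sysoptions.h per the commit title, but that file is not on this page, so the new unconditional `#define DROPBEAR_SVR_PASSWORD_AUTH 1` and `#define DROPBEAR_SVR_PAM_AUTH 0` (new lines 187 and 195) should be confirmed to still be rejected at build time when HAVE_CRYPT is absent or both are enabled, rather than silently compiling a server with no working auth method. The old comment on DROPBEAR_CLI_ASKPASS_HELPER ("Define this (as well as DROPBEAR_CLI_PASSWORD_AUTH)") is kept while the `#if DROPBEAR_CLI_ASKPASS_HELPER` block that forced DROPBEAR_CLI_PASSWORD_AUTH on is removed, so that dependency is now documentation-only here.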